Insurance Coverage Issues Implicated in Data Breach Claims

Transcription

1 Insurance Coverage Issues Implicated in Data Breach Claims Alex E. Potente Sedgwick LLP San Francisco, CA (415) James H. Kallianis, Jr. Meckler Bulger Tilson Marick & Pearson LLP Chicago, IL (312) Kimberly Jackanich Sedgwick LLP San Francisco, CA (415)

2 Alex E. Potente is a trial lawyer who represents insurers and reinsurers in complex commercial insurance litigation matters. His coverage-litigation practice focuses on disputes pertaining to general liability, D&O, and professional liability policies, specifically extra-contractual coverage for claims arising from long-tail environmental, personal and advertising injury, and product-defect litigation. He is currently representing a national insurer in its cyber-liability and privacy-related business tort matters. Over the past twenty years, James H. Kallianis, Jr. has represented corporations and individuals in matters ranging from employment disputes to multimillion dollar securities and consumer fraud class actions. Jim also has represented insurers in matters involving directors and officers, cyber, general liability, employment practices and professional liability policies. Jim has tried cases in state and federal courts around the country and has argued appeals before state and federal appellate courts. He also frequently speaks and writes on developing areas of law, including director and officer liability, cyber liability and managed care liability. Jim has been selected as a Super Lawyer and a Leading Lawyer in Illinois. Jim is Chair of the Directors & Officers Subcommittee for DRI s Insurance Committee. Kimberly Jackanich handles complex insurance coverage disputes and litigation matters on behalf of insurer clients concerning professional liability, directors and officers liability, employment practices liability, errors and omissions coverage, and commercial general liability policies. Kimberly also focuses her practice on product liability and toxic tort litigation, including the defense of claims involving energy companies, automobile manufacturers, and construction companies. She participates in all aspects of litigation, including case analysis and strategy, discovery and depositions, motion practice and trial preparation.

3 Insurance Coverage Issues Implicated in Data Breach Claims Table of Contents I. Coverage Issues Presented by CGL Policies A. CGL Policies: Coverage Part A B. CGL Policies: Coverage Part B What Constitutes a Publication Issues Related to Intentional Conduct, Knowing Violation, and Expected or Intended Injury Policy Provisions C. CGL Policy Changes II. Cyber Risk Policies III. Defense and Other Practical Considerations for Insurers Insurance Coverage Issues Implicated in Data Breach Claims Potente et al. 403

4

5 Insurance Coverage Issues Implicated in Data Breach Claims Nearly every day customers receive s notifying them of the need to change their passwords and monitor their accounts due to a recent compromise of a company s data. When hackers and customers financial data are not in the news, the stories are filled with government leaks and sensitive secrets being blast across the internet and around the globe. Mentions of Target, Heartbleed, Wikileaks, Edward Snowden, and PlayStation immediately bring to mind compromises of data and the abundance of monitoring and prevention costs that come along with those compromises. These incidents have profound criminal, financial and reputational implications. According to recent reports, the average cost of a data breach incident is estimated at $5.4 million dollars. Target s data breach alone resulted in shareholder derivative litigation and roughly 70 class action lawsuits. Cyber risks permeate daily business for many companies and most consumers. Tracking software, hackers, malware, viruses, wiretapping, eavesdropping, robocalls, and solicitation can lead to identity theft and compromised financial, personal, and health information. Potential targets for unauthorized access of information include retail merchandisers, hospital/medical facilities, law firms, accounting firms and financial institutions, educational institutions, government, the energy sector and manufacturers. As the number of these incidents grows, so does the number of affected individuals pursuing legal action to remedy their injuries. Affected individuals pursue a variety of different legal theories, including (1) common law privacy, tort, and contract claims; (2) constitutional privacy claims; (3) state and federal statutory claims; and (4) and failure to notify claims under state data breach notification statutes. Importantly, even when there is no evidence that the compromised data has been used or otherwise disseminated, companies still are potentially subject to notification requirements, resulting in significant costs, including those set forth by HIPAA, the Gramm-Leach Bliley Act, and the Federal Information Security Management Act. Currently, 46 states have notification statutes, generally requiring at a minimum prompt notice to those affected and to the State Attorney General. Moreover, many of these statutes impose substantial daily fines for late notice or confer a private-right of action for failure to comply. So called, acquisition-based triggered data breach notification statutes do not even require an unauthorized person to have acquired the breached data. For example, California requires notification after any data breach merely if the data was, or is reasonably believed to have been, acquired by an unauthorized person. Disclosure under these statutes must be made in the most expedient time possible and without unreasonable delay. At least 16 states have acquisition trigger statutes, including California, Delaware, Florida, Georgia, Hawaii, Illinois, Indiana, Maine, Minnesota, Nevada, New York, North Dakota, Oklahoma, Rhode Island, Tennessee, and Texas. The alternative risk-based data-breach notification trigger requires assessing whether a danger exists to those whose records were breached, which equally can result in significant costs to a company. For example, the Ohio model of the risk-based trigger requires notification when the breached company has both a reasonable belief that information was acquired and the acquisition of such information will cause a material risk of identity theft or other fraud. Another example New Jersey s Identity Theft Prevention Act does not require notification when the business or public entity establishes that misuse of the information is not reasonably possible. These notification statutes raise issues of who will perform the requisite risk assessments and notifications and, more importantly, who will pay for the costs associated with the assessment and notification. States with risk-based triggers include: Arkansas, Arizona, Colorado, Connecticut, Idaho, Kansas, Louisiana, Montana, Nebraska, New Hampshire, New Jersey, North Carolina, Pennsylvania, Utah, Washington and Wisconsin. Insurance Coverage Issues Implicated in Data Breach Claims Potente et al. 405

6 Not surprisingly, the frequency and costs of data breaches inexorably lead to thorny questions of insurance coverage under general liability (CGL) policies, particularly when an insured either has not purchased any or has not purchased enough cyber-specific insurance to cover the potentially significant costs associated with a breach. Faced with lawsuits and the sometimes sizeable costs incurred in connection with a breach, insureds have attempted to secure coverage under CGL policies and, more recently, under specially-tailored, cyber-risk policies to help cover those costs. This paper addresses some of the issues confronted when an insured attempts to secure coverage under a CGL policy for the costs associated with a data breach and discusses the availability of specific cyber-related insurance products, as well as issues that the involved parties, particularly insurers, must consider when considering insurance coverage for the costs related to a data breach. I. Coverage Issues Presented by CGL Policies The CGL policy, a traditional insurance policy, was originally designed to protect businesses against liability for claims of bodily injury, property damage, and personal and advertising injury. The standard Coverage A Bodily Injury and Property Damage Liability part provides typically provides coverage for those sums that the insured becomes legally obligated to pay as damages because of bodily injury or property damage to which this insurance applies. The standard Coverage B Personal and Advertising Liability Injury typically provides coverage for those sums that the insured becomes legally obligated to pay as damages because of personal and advertising injury to which this insurance applies. The question of coverage for the costs associated with a data breach under these policies ultimately turns on how property damage and/or personal and advertising injury are defined by the insurance policy at issue and, possibly, how a court interprets those terms in a coverage dispute. A. CGL Policies: Coverage Part A Most CGL policies define property damage to require physical damage to tangible property, and specifically exclude coverage for any information, data or facts stored in an electronic format from the definition of tangible property. Damage or loss of electronic data does not fall within the definition of tangible property under Coverage A unless physical damage to or loss of use of a tangible object, such as loss of use of a computer, occurred. See Eyeblaster, Inc. v. Federal Insurance Co., 613 F.3d 797 (8th Cir. 2010) (finding that property damage occurred because underlying plaintiff had alleged loss of use of his computer). Many CGL policies also contain an electronic data exclusion that precludes coverage for lost data. An electronic data exclusion typically provides as follows: Damages arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data. As used in this exclusion, electronic data means information, facts or programs stored as or on, created or used on, or transmitted to or from computer software, including systems and applications software, hard or floppy disks, CD-ROMS, tapes, drives, cells data processing devices or any other media which are used with electronically controlled equipment. Because Coverage A policy definitions and electronic data exclusions make coverage under side-a of a CGL policy less tenable, insureds often turn to Coverage B or specially tailored cyber-risk policies to secure coverage for their cyber risk incidents. B. CGL Policies: Coverage Part B Cyber risk coverage under Coverage B typically turns on the definition of personal and advertising injury. The current ISO (Insurance Services Office, Inc.) form Coverage B language provides coverage for 406 Data Breach and Privacy Law September 2014

7 personal and advertising injury defined to include oral or written publication, in any manner, of material that violates a person s right of privacy. In the context of a cyber breach, the pertinent coverage question often is whether theft of private identifying information constitutes publication. Recently, a New York trial court held that a data breach, committed by a third party, does not satisfy the publication requirement under Coverage B. In Zurich American Insurance Co. v. Sony Corp. of America, hackers stole personally identifiable information of PlayStation users after they bypassed the security protecting this information. Faced with users suits, Sony turned to its CGL insurer for coverage asserting that the hackers unauthorized access to the personal information had constituted a publication that had violated its users right of privacy. In 2014, in a major victory for insurers, a New York trial court judge found that the policy could only be triggered by the actions of Sony itself, not by the actions of third parties who hacked its network. But as the future appeal of the Sony action illustrates, the scope of coverage under Coverage B for cyber incidents is still very much in dispute. When presented with a request for coverage for the costs related to a cyber breach, Insurers are likely to raise a variety of coverage defenses including the following: (1) the lack of a publication in many cyber incidents; (2) the lack of a claim for a violation of privacy; (3) the insured or third party s knowing/intentional violations of the law and corresponding policy exclusions; (4) the insured s expected or intended injury and corresponding policy exclusions; (5) the insured or third party s criminal activity and corresponding policy exclusions; (6) the insured s liability for fines, penalties or other non-monetary relief that does not fall within the policy s definition of covered Loss; and (7) online activity or intellectual property exclusions. Two significant issues that often determine whether coverage exists for a data breach related claim or the costs associated with a breach include the issue of publication as required by most CGL policies and the exclusion or exclusions found in CGL policies related to intentional or knowing conduct. 1. What Constitutes a Publication When a breach occurs and information has been compromised, but there is no proof of anyone s use of the compromised information, the question in the insurance coverage context becomes whether there has been a publication of the information such that there can be a legitimate claim for violation of privacy. The issue in dispute in these scenarios usually becomes what constitutes a publication and raises a variety of questions, including: How many people must see the information in order to constitute a publication of that information? Do the individuals seeing the information have to be third parties or can unauthorized access or intra-company communications constitute a publication? Does publication require an affirmative act by the insured or can negligent displacement or failure to secure information lead to a publication? Courts across the country have found no publication in a variety of data breach incidents. For example, in Butts v. Royal Vendors, Inc., 202 W.Va. 448 (1998), the West Virginia Supreme Court found no coverage for publication of material that violates another person s right or privacy. In Butts, the insured allegedly induced a physician to breach his fiduciary duty to a patient a temporarily disabled employee whom the insured believed to be malingering by disclosing the patient s private health information. Similarly, in Recall Total Info Management v. Federal Ins. Co., 2012 WL (Conn. Super. Jan. 17, 2012), a Connecticut court found that theft of computer tapes was not a publication of material that violates a person s right of privacy. The Recall Total court found no potential for coverage because there was no evidence that the information on the tapes was ever communicated to a third person. Likewise, in Duff Supply Co. v. Crum & Forster Inc. Co., 1997 WL (E.D.Pa. 1997), the Eastern District of Pennsylvania held that monitoring of telephone calls did not trigger a potential for coverage for a privacy claim because there were no allegations that the insured disclosed any information it learned by monitoring the calls. Insurance Coverage Issues Implicated in Data Breach Claims Potente et al. 407

8 The Restatement of Torts addresses the issue of publication in the context of defamation and could be considered analogous to publication in the cyber risk context. According to the Restatement, accidental communication to a third person of defamatory matter is not a publication if there is no negligence. An act not intended to be communicated to a third person, and which does not create an unreasonable risk of communication, is not published. For example, a publication for the purposes of libel does not occur in the following scenario: A writes a letter to B containing defamatory statements about C. He puts the letter in his desk and locks it up. A thief breaks open the desk and reads the letter. Under this example, there would be no publication or making known of material when the compromise of data results from unauthorized access or theft of electronic data by a third party. Thus, the instances of hacking and other unauthorized intrusions by third parties would not be covered under the oral or written publication portion of personal and advertising injury. A publication could occur, however, if the insured was negligent in securing the information, creating an unreasonable risk that the material would be stolen. This is consistent with California law, which holds that a publication of defamatory or disparaging material may give rise to liability if it is either intentional or negligent. See Haley v. Casa Del Rey Homeowners Ass n, 153 Cal.App.4th 863, (2007). Similarly, an exclusion known as the prior publication exclusion may preclude or limit coverage for cyber risks. Under this exclusion, content first published before the policy period is not covered. When hacking or unauthorized access occurs over a period of time, and the first access to the data occurred before the policy period, all future access of that same data is not covered. The issue then becomes what constitutes first access or publication of this data: does the hacker have to affirmatively use the information, or is unauthorized access alone sufficient? When insureds are subject to hacking or unauthorized access over an extended period of time, and wait to file a claim until discovery of the access, arguably any access that occurred before the policy period could constitute a prior publication. In such a case, all damage asserted from that same unauthorized access during the policy period should be precluded by the prior publication exclusion. 2. Issues Related to Intentional Conduct, Knowing Violation, and Expected or Intended Injury Policy Provisions Based on policy language, statutes, and public policy restrictions, insurers may be shielded from providing coverage in instances where the damage is caused by the insured s intentional conduct, knowing violation of the law, criminal conduct, or other expected and intended injury. With regard to intentional or knowing violations of the law, CGL policies provide that their insurance does not apply to personal and advertising injury caused by or at the direction of the insured with the knowledge that the act would violate the rights of another and would inflict personal and advertising injury. Similarly, CGL policies also contain an exclusion for criminal acts, which provide that the insurance does not apply to personal and advertising injury arising out of a criminal act committed by or at the direction of the insured. Further, in addition to policy language, many states have provisions (or a body of case law) like California Insurance Code Section 533, which provides that an insurer will not be liable for the willful act of its insured. When the unauthorized access, disclosure or criminal activity is undertaken by the insured or by an agent or employee of the insured, these exclusions call into question the availability of coverage. CGL policies also typically preclude coverage for expected or intended injury, providing that the carriers will not be liable for injury expected or intended from the standpoint of the insured. Where unauthorized access to sensitive data occurs over a period of time, the question becomes when the insured first had knowledge that its systems were compromised. When companies are aware of the threats and choose to utilize inadequate security and monitoring methods for its data, the question arises when should the insured have been aware that unauthorized access to its data was occurring. The application of these exclusions should be clear in situations where insureds fail to take security measures or fail to monitor their systems such that 408 Data Breach and Privacy Law September 2014

9 hackers gain unfettered access to their data. Of course, many of these situations involve a series of breaches where the insured only learns of the unauthorized access after a certain amount of data is compromised. Arguably, an insurer should only be held liable, if at all, for the first unauthorized access because an insured was then sufficiently on notice of the injury such that any future injury caused by the insured s failure to take preventative action was expected or intended by the insured. In addition, the standard of when an insured should be aware of unauthorized access such that the insured s inaction in preventing further unauthorized access constitutes an expected or intended injury may vary from industry to industry. C. CGL Policy Changes Presently, insurance companies are adding new definitions and exclusions to their policy forms to reinforce the proposition that the policies do not afford coverage for massive data breaches. Some commercial general liability policies now include the 2014 ISO form entitled Access or Disclosure of Confidential or Personal Information Exclusion. This exclusion, which expressly limits Coverage B personal and advertising injury in data breach situations, provides as follows: Access Or Disclosure Of Confidential Or Personal Information Personal and advertising injury arising out of any access to or disclosure of any person s or organization s confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information. This exclusion applies even if damages are claimed for notification costs, credit monitoring expenses, forensic expenses, public relations expenses or any other loss, cost or expense incurred by you or others arising out of any access to or disclosure of any person s or organization s confidential or personal information. Similarly, insurers also are adding an exclusion for Coverage A Bodily Injury and Property Damage insurance, which provides that the insurance does not apply to access to or disclosure of information or the loss of, loss use of, damage to, corruption of, inability to access, or inability to manipulate electronic data. Along with the addition of these exclusions, the definition of Personal and Advertising Injury itself is evolving. As part of its April 2013 revisions to the CGL policy forms, Insurance Services Office Inc. introduced an endorsement entitled Amendment Of Personal And Advertising Injury Definition, which eliminates the linchpin argument oral or written publication in any manner, of material that violates a person s right of privacy from application to Coverage B. Specifically, the endorsement states: With respect to Coverage B Personal and Advertising Injury Liability, Paragraph 14.e. of the Definitions section does not apply. As the policies evolve to limit or otherwise preclude coverage for cyber related incidents, it remains unclear whether insureds will continue to seek coverage under traditional CGL policies or turn to the newlyemerging cyber risk policies. II. Cyber Risk Policies With CGL insurers changing the terms of their policies to respond to cyber risks, specially-tailored cyber policies are becoming an attractive option to companies wanting to protect themselves from the uncertainty of insurance coverage. Cyber risk policies are a relatively new product, introduced by insurers in the early 2000s. Designed to fill in the gaps of traditional first and third party insurance policies, cyber risk policies typically offer both first and third party coverage. First-party coverage may include the following: (1) Insurance Coverage Issues Implicated in Data Breach Claims Potente et al. 409

10 electronic theft and fraud coverage; (2) business interruption and extra expense; (3) computer and data loss restoration; (4) forensic investigation; (5) public relations expenses; and (6) notification costs and credit monitoring. Third party coverage may include (1) privacy liability, (2) network security liability; (3) internet media liability; and (4) employee privacy liability. The language for cyber risk policies varies from carrier to carrier, and there is no standard cyber risk form. The variance in policy language offers insureds the ability to choose language that is most favorable to their potential risks and desired coverage. However, the variation in language also allows for variation in interpreting the scope of such coverage. Given the relatively new existence of these policies, the scope of coverage and potential coverage defenses remains to be determined. Nevertheless, potential coverage issues for cyber risk policies include claims-made and reporting issues, multiple insurers and/or issues of other insurance, policy exclusions, definition of loss, coverage for regulatory investigations, and control of the defense. A purchaser of cyber risk insurance should consider whether the policy it is considering covers not just its own errors and omissions, but the errors and omissions of its vendors. Similarly, if the insured is a vendor, it will want to consider whether any cyber risk policy it considers affords coverage for claims related to customer data and not just the vendor s own data. As the cyber risk policies solidify their language and the popularity of cyber risk policies grows, these and other coverage issues will come to light and shape what may be the future of insurance coverage for cyber related incidents. III. Defense and Other Practical Considerations for Insurers With all of the coverage defenses potentially applicable to cyber incidents and the scope of cyber risk policies to be determined, insurers must carefully consider the appropriate reservation of rights to assert before assuming the defense of a cyber-related incident. An important issue for insurers providing a defense becomes whether they are entitled to reimbursement of a settlement payment if a court later determines that there is no coverage. In Blue Ridge Ins. Co. v. Jacobsen, 25 Cal.4th 489 (2001), the California Supreme court endorsed the view that an insurer should settle claims within policy limits even when the liability is not covered. The insurer in Blue Ridge was faced with a policy limits demand from the plaintiff, which it viewed as reasonable in light of the liability of the insured and probable damages that would be awarded, but that the insurer believed would not be covered. The insureds refused to contribute or to assume their defense. The insurer therefore unilaterally reserved its rights, settled and then sued for reimbursement. In the appeal of a subsequent coverage action, the California Supreme Court held that under these circumstances, an insurer may unilaterally reserve its rights to reimbursement when it settles a claim over the insured s objections. Thus, when the liability for these cyber risk incidents is significant and insurance coverage appears questionable, insurers may still want to consider contributing to a settlement under reservation of rights and then, if possible, seeking reimbursement to avoid the potentially larger costs that could result from the class action suits. Critically, an insurer should consider the law from the relevant jurisdictions when deciding how best to proceed under such circumstances. Further, as the impact of many cyber incidents can be widespread and lead to large class action lawsuits, insurers are faced with significant defense costs that quickly approach the policy limits of liability. Insurers are then faced with practical and strategic decisions regarding the intersection of costs and defense. The expense of matters such as motions for class certification, class notice, class administration, and attorney fees for prevailing parties can reach into the millions in potential exposure for insureds. If insureds are ultimately found responsible for these costs, they are likely to turn to their insurers for reimbursement. Thus, insurers must carefully consider these potential costs and evaluate whether these costs qualify as defense costs or sup- 410 Data Breach and Privacy Law September 2014

11 plementary payments under the terms of their respective policies. If these costs are considered damages or defense costs, they are likely to be deemed as falling within the indemnity limit, thus protecting the insurers from significant costs in excess of the policy limit of liability. However, if they are deemed supplementary payments, an insurer may be obligated to pay those amounts outside the indemnity limits of the policy. * * * It remains to be seen whether and how CGL policies will respond to the exposures caused by data breaches and what the impact the market for cyber risk policies will have in the context of data breaches. As the law develops and the market for cyber risk policies continues to expand, both CGL insurers and cyber risk insurers should carefully consider the potential consequences of their actions in handling data breach claims to avoid exposure to overwhelming and possibly unintended costs. Similarly, insureds would be best advised to evaluate their insurance program and consider how the policies currently in place potentially would respond to a data breach incident and whether the insured would be better protected by a separate cyber risk policy. Insurance Coverage Issues Implicated in Data Breach Claims Potente et al. 411

12