Insurance Coverage Law Report

Transcription

1 September 2013 Insurance Coverage Law Report From the Editor Our Industry News, and Why It Matters By Steven A. Meyerowitz Feature Articles Data Breaches and the General Liability Policy in a Cyber-World By Seema A. Misra and Lauren V. DiLeonardo Hurricane Season is Here Is Your Insurance Program Ready for the Next Storm? By James P. Bobotek Case Law Developments Homeowner s Insurance Excess Health Insurance Commercial General Liability Life Insurance Worker s Compensation Legislative/Regulatory Developments Alternative Risk and Captives In the States Reinsurance Focus On: Directors & Officers Commercial Property Subrogation Trial Practice Professional Liability Insurance Umbrella Worker s Compensation Terrorism Risk Insurance Farm When Health and Auto Insurance Collide: Michigan Supreme Court Limits Insured s Right to Double Recovery Industry News People News Thought Leaders New Products Awards & Honors Calendar The Insurance Coverage Law Information Center

2 Data Breaches and the General Liability Policy in a Cyber-World By Seema A. Misra and Lauren V. DiLeonardo The authors explain the foundations for a claim under a commercial general liability insurance policy for data breach and provide a sampling of the types of laws and regulations addressing data breaches. Headlines announcing cyber-attacks that have resulted in data breaches are commonplace. No organization, whether large or small, is immune to the risk that its confidential information will be damaged, inadvertently disclosed or even stolen. Companies that have suffered a data breach confront the costs associated with both remedying the breach and defending the litigation that often arises from such a breach. Moreover, public concern over cyber-attacks has resulted in increasing regulation at both the federal and state level. Seema A. Misra Although cyber liability insurance is increasingly available, many companies have not purchased such policies, and data breaches are likely to result in a claim under their commercial general liability ( CGL ) policies. This article explains the foundations for a claim under a CGL policy for data breach and also provides a sampling of the types of laws and regulations addressing data breaches. The Foundation for COVERAGE OF CYBER attacks UNDER commercial GENERAL LIABILITY POLICIES A data breach can result in a myriad of lawsuits, with claims ranging from breach of privacy, defamation, and injury to property. When an insured seeks defense or indemnity for such claims under a CGL policy, the threshold issue is whether a cyber-attack has resulted in either personal and advertising injury or property damage as required by the standard CGL policy. Personal and advertising injuries CGL policies provide coverage for damages relating to personal and advertising injury, a term which is generally defined as an injury arising out of a list of enumerated offenses. Defense and/or indemnity is often sought for data breach claims on the basis that the breach has resulted in injury arising out of the offense of an oral or written publication, in any manner, of material that violates a person s right of privacy. 1 The issue that then arises is whether there has been a publication and, if so, the connection to a violation of a right of privacy. In Netscape Communications Corp. v. Federal Insurance Co, 2 Netscape and its parent company, AOL, sought coverage for multiple lawsuits commenced by users of Netscape s SmartDownload software, who alleged that their right to privacy had been violated because the software had provided Netscape with information about users internet activities, which Netscape and AOL used for targeted advertising. 3 In the coverage action, the insurer, argued that the underlying claims did not involve an oral or written publication of material that violates a person s right of privacy because AOL and Netscape were related entities who had shared consumer information only with each other. 4 The District Court for the Northern District of California held that a personal injury offense had been alleged because Netscape had made known the consumers private information to employees of AOL and Netscape and also because files were circulated among employees of the insureds, and any person meant any person, regardless of whether that person was a related entity. Significantly, although an insured may be able to satisfy the threshold issue of a publication, an exclusion may nonetheless preclude coverage. A standard provision in many CGL policies, including Netscape s policy, is an exclusion for online activities. 5 Seema A. Misra is a litigation partner with Stroock & Stroock & Lavan LLP who represents clients in a wide variety of business disputes, before state and federal courts, as well as arbitral tribunals. Lauren V. DiLeonardo is an associate at the firm. The authors can be reached at smisra@ stroock.com and ldileonardo@stroock.com, respectively. INSURANCE COVERAGE LAW REPORT. September

3 The issue of publication will soon be addressed again in the well-publicized case of Zurich American Insurance Co., et al. v. Sony Corp. of America, et al., pending in New York state court. In April 2011, computer hackers gained access to the personal identification and financial information of thousands of customers using the Sony Online Entertainment Network and the Sony PlayStation Network, forcing those networks to go offline for a period of time while the breach was corrected. 6 Sony s customers filed dozens of putative class actions, alleging that Sony had violated privacy rights and negligently failed to protect their personal information. 7 After Sony requested defense and indemnification, the insurers sought a declaration that they had neither a duty to defend nor indemnify Sony. Although the insurers alleged that Sony had established neither property damage nor personal and advertising injury, 8 Sony s recent motion for partial summary judgment focuses on whether there had been a personal and advertising injury. 9 In that motion, Sony argues that the class actions allege that consumers lost sensitive personal and financial information, and that their information was published because it was placed in the hands of cyber criminals who could use the information to commit credit fraud, which could result in an obligation to pay damages. 10 Zurich has yet to file a response. However, possible arguments that may be raised include whether customer information obtained by a hacker can be said to have been published and whether customers who put their information online have a right to privacy. Property Damage Attacks on electronically stored data also often result in claims that the data breach resulted in the damage to hardware and software. CGL policies provide coverage if there has been property damage, which is often defined as either physical injury to tangible property or the loss of use of tangible property that is not physically injured. 11 The question of whether losses stemming from damage to a computer network, electronic data and/or software are covered often turns on whether the damage is held to be physical and tangible. For example, in America Online, Inc. v. St. Paul Mercury Ins. Co., 12 America Online ( AOL ) was faced with numerous class actions alleging that its AOL 5.0 software caused damage to, and loss of use of, customers computers, computer data, software and systems. 13 AOL s claim under its CGL policy was denied, with the insurer arguing that it had no duty to defend because the underlying lawsuits did not allege either physical damage to tangible property or loss of use of tangible property. 14 In the subsequent coverage action, the District Court for the District of Virginia held that computer data, software and systems are not tangible property and the underlying claims went to the brains of the computer, not its physical make-up. 15 However, the court also held that there had been alleged loss of use of tangible property because computers themselves constitute tangible property. 16 The Fourth Circuit affirmed both these holdings, finding (i) damage to computer software is not to tangible property because tangible means capable of being touched 17 and (ii) the loss of use of computers constituted loss of use of tangible property Significantly, some courts have come out the other way, finding that damage to software or data was covered by a CGL policy because it was physical, tangible property. 19 In short, each policy must be examined individually, and exclusions may come into play even if the definition of property damage is satisfied. For example, many CGL policies written in the last decade contain an exclusion for damages arising out of the loss of use of use or damage to electronic data. INCREASING REGULATION OF THE CYBER WORLD Although there may have been a time when certain data breaches went unreported, due to both federal and state regulations, companies are increasingly obligated to report data breaches. The following is an analysis of some of these statutes and regulations, which are indicative of the wide range of entities that are impacted by such laws. The Health Insurance Portability and Accountability Act of 1996 The privacy and security of patient health care information is protected by the Health Insurance Portability and Accountability Act of 1996 ( HIPAA ), which regulates health care providers, health insurers and contractors and subcontractors that receive patient information. 20 HIPAA authorizes the Department of Health and Human Services ( HHS ) to promulgate privacy standards for patients health care data. To that end, HSS promulgated (i) the HIPAA Privacy Rule, 21 which protects the privacy of individually identifiable health information (ii) the HIPAA Security Rule, 22 which sets national standards for the security of electronic protected health information ; and (iii) the HIPAA Breach Notification Interim Final Rule, 23 which requires entities to provide notification following a breach of unsecured protected health information. As recently as January 2013, HHS modified the HIPAA Privacy Rule 4. September INSURANCE COVERAGE LAW REPORT

4 and HIPAA Security Rule to strengthen the privacy and security protection for individuals health information and modified the Breach Notification Interim Final Rule. 24 As amended, the HIPAA Rules together require not only covered entities but also their business associates to notify patients of the impermissible use or disclosure of their protected health information unless it is demonstrated that there is a low probability that the protected health information has been compromised. 25 In evaluating whether notification is required, covered entities and business associates should consider the following factors: (1) [t]he nature and extent of the protected health information involved (2) the unauthorized person who used the protected health information or to whom the disclosure was made; (3) whether the protected health information was actually acquired or viewed and (4) the extent to which the risk to the protected health information has been mitigated. 26 If notification is required under the rules, patients must be notified without unreasonable delay but in no case later than 60 calendar days from the discovery of the breach The notification must include a brief description of what happened, the types of patient data that was lost, steps that patients should take to protect their identity, a description of what the covered entity involved is doing to investigate the breach and protect against further harm, and contact information patients can use to learn more. 28 Applicable civil penalties are based on the organization s degree of negligence, with a maximum penalty of $1.5 million. 29 The Gramm-Leach-Bliley Act / FTC Rules Section 504 of the Gramm Leach Bliley Act (the GLB Act ) required the Federal Trade Commission ( FTC ) and other federal regulatory agencies to issue regulations implementing notice requirements and restrictions on a financial institution s ability to disclose nonpublic personal information about consumers to nonaffiliated third parties. 30 In accordance with the GLB Act, the FTC promulgated the Safeguard Rule and the Privacy Rule. The Privacy Rule requires financial institutions to give their customers a clear and conspicuous written notice describing how they collect, disclose and protect nonpublic personal information about customers. Unless certain exceptions apply, financial institutions must also give consumers notice of their right to optout in the event that those institutions share customers nonpublic personal information with non-affiliated third parties. 31 Under the Safeguard Rule, financial institutions must implement measures to keep customer information secure. 32 Specifically, institutions must develop a written information security plan that identifies and evaluates risks to customer information and design[s] and implement[s] a safeguards program, and regularly monitor[s] and test[s] it. 33 FISMA The Federal Information Security Management Act of 2002 ( FISMA ) protects the security of information maintained by U.S. federal government agencies (in the executive or legislative branches), or by contractors or other organizations acting on their behalf. Under FISMA, the National Institute of Standards and Technology ( NIST ) creates security standards and guidelines that each agency must implement. 34 In addition, FISMA establishes a central federal information security incident center to, among other things, provide timely technical assistance to operators of agency information systems, compile and analyze information about incidents that threaten information security and consult with the NIST. 35 Under FISMA, agencies are required to develop procedures for detecting, reporting and responding to security incidents Agencies must have a plan to minimize the damage when a breach occurs, 37 and to notify the federal information security incident center after an incident occurs. 38 Agencies must also develop a plan to notify law enforcement agencies, the Office of the Inspector General and other agencies that the President directs to oversee security breaches. 39 The Cybersecurity Act of 2012 and Executive Order 13,636 Although the Cybersecurity Act of 2012 ( Cybersecurity Act ) was not passed, the bill reflects the increasing public interest in establishing a nationwide cybersecurity framework. The Cybersecurity Act would have created a comprehensive security framework for entities considered to provide critical infrastructure, such as power plants and financial institutions. 40 The Cybersecurity Act also would have established the National Cybersecurity Council, which would perform risk assessments, including determining which private entities were considered critical to infrastructure, and developing a voluntary cybersecurity program for owners of such critical infrastructure. 41 To encourage participation from private owners, participating entities would have been entitled to benefits such as liability INSURANCE COVERAGE LAW REPORT. September

5 protection from any punitive damages arising from an incident related to a cybersecurity risk where the owner is in substantial compliance with the cybersecurity practices at the time of the incident. 42 In conjunction with industry groups, the Council also would have developed cybersecurity best practices. 43 In February 2013, President Obama issued Executive Order 13,636 on Improving Critical Infrastructure Cybersecurity. 44 Like the Cybersecurity Act, Executive Order 13,636 endeavors to create a publicprivate program to encourage adoption of improved cybersecurity practices. 45 The Executive Order mandates creation of incentives for owners of critical industry and other interested entities to join a Voluntary Critical Infrastructure Cybersecurity Program. 46 These incentives are not specified in the executive order, however, so it is unclear whether the new liability protection incentives will be similar to those provided for in the Cybersecurity Act. State Regulations At the state level, all but four states have passed data breach notification laws, which require private, and, in some instances, public entities 47 to report the theft or unintentional disclosure of private information, such as social security numbers and credit card numbers. 48 Although there are variations among these laws, most states require notice of a data breach to be issued promptly, either electronically or in writing, to those whose information has been compromised by the breach, and provide alternatives if the breach affects more than 500,000 people or notice would cost more than $250, Most states also require that notice be given to either the state Attorney General or credit reporting agencies if the breach involves a certain number of data records. 50 It is also common for state data breach laws to impose daily fines on any entity that fails to provide the requisite notice. 51 Significantly, state laws vary with respect to whether they create a private right of action for victims of a data breach. 52 Conclusion In an electronic age, no company is immune from cyber risk. Companies considering whether to purchase cyber liability insurance should consider that there may not be coverage under their CGL policies for the losses imposed by a data breach. In assessing the risk of a cyber attack, both insurers and insureds should consider the obligations imposed by the wide variety of federal and state regulations applicable in the event of a data breach. 1. Section V(14)(e), Commercial General Liability Coverage Form, ISO Properties, Inc. 2. Netscape Communications Corp. v. Federal Ins. Co., 2007 WL (N.D. Ca. Oct. 10, 2007), aff d in part, rev d in part, 343 Fed.Appx. 271 (9th Cir. 2009). 3. Id. at *1. 4. Id. at *5. 5. Id. at *6. The district court found that the insurer had no duty to defend because the policy had an exclusion for online activities. The Ninth Circuit affirmed the holding that the underlying claimants had alleged a personal injury offense. However, the Ninth Circuit reversed the district court based on its finding that the online activity exclusion did not preclude coverage because AOL did not use the SmartDownload software to provide internet access to third parties. 6. Complaint for Declaratory Judgment 24-26, Zurich Am. Ins. Co., et al. v. Sony Corp. of America, et al., No /2011 (Sup Ct N.Y. County July 20, 2011). 7. Sony s Memorandum of Law in Support of Motion for Partial Summary Judgment Declaring that Zurich and Mitsui Have Duty to Defend, dated May 10, 2013, ( Sony s SJ Brief ), at Id., Sony s SJ Brief at Sony s SJ Brief at Cite. 12. America Online, Inc. v. St. Paul Mercury Ins. Co., 207 F. Supp. 2d 459 (E.D. Va. 2002) aff d, 347 F.3d 89 (4th Cir. 2003). 13. Id. at Id. at Id. at Id. at 470. Although the definition of property damage was satisfied, the court found there was no coverage based on the impaired property exclusion, which excluded coverage where there is injury to a third party resulting from the incorporation of the insured s faulty product. 17. America Online, Inc. v. St. Paul Mercury Ins. Co., 347 F.3d 89, (4th Cir. 2003). 18. Id. at 98. Like the district court, the Fourth Circuit found that the impaired property exclusion barred coverage for claimants loss of use of the computers because the exclusion precluded coverage for loss of use claims made by plaintiffs whose property was not physically damaged by the insured s defective product. 19. Landmark American Ins. Co. v. Gulf Coast Analytical Labs, Inc., 2012 U.S. Dist. LEXIS (M.D. La. March 30, 2012) (finding that loss of electronic data constituted physical loss or damage because tangibility is not a defining quality of physicality ); American Guaranty & Liability Ins. Co. v. Ingram Micro, Inc., 2000 WL at *2 (D. Ariz. Apr. 18, 2000) (finding that physical damage is not restricted to the physical destruction or harm of computer circuitry but includes loss of access, loss of use, and loss of functionality. ). 20. See Press Release, U.S. Department of Health & Human Services, New Rule Protects Patient Privacy, Secures Health Information (January 17, 2013), available at September INSURANCE COVERAGE LAW REPORT

6 21. The HIPAA Privacy Rule is located at 45 CFR Part 160 and Subparts (A) and (E) of Part The HIPAA Security Rule is located at 45 CFR Part 160 and Subparts (A) and (C) of Part The HIPAA Breach Notification Interim Final Rule is located at 74 Fed. Reg It was issued in August 2009 with a request for public comment and implemented provisions of the Health Information Technology for Economic and Clinical Health Act (the HITECH Act ), which was passed as part of the American Recovery and Reinvestment Act of Id. 24. Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules, 78 Fed. Reg (Jan. 15, 2013). 25. Id. at Id C.F.R (b) C.F.R (c) Fed. Reg ; 45 C.F.R C.F.R. Part 313. The GLB Act defines financial institutions to be all institutions covered by Rule 4(k) of the Bank Holding Company Act, including anyone significantly engaged in lending or exchanging money or securities, loan brokers and servicers, debt collectors and others. See How To Comply with the Privacy of Consumer Financial Information Rule of the Gramm-Leach-Bliley Act, Federal Trade Commission, available at business.ftc.gov/documents/bus67-how-comply-privacyconsumer-financial-information-rule-gramm-leach-blileyact. 31. Id. 32. Id. 33. Id. 34. FISMA FAQs, National Institute of Standards and Technology, faqs.html U.S.C. 3546(a)(1) (2) U.S.C. 3541(b)(7) U.S.C. 3541(b)(7)(A) U.S.C. 3541(b)(7)(B) U.S.C. 3541(b)(7)(C). 40. Summary, The Revised Cybersecurity Act Of 2012 S. 3414, Senate.gov, summary-of-revised-cybersecurity-act-of-2012-s Id. 42. Id. at Id. 44. Exec. Order 13,636, available at fdsys/pkg/fr /pdf/ pdf. 45. Exec. Order 13,636 at Sec Exec. Order 13,636 at Sec. 8(d). 47. For example, New York General Business Law 899-aa applies to businesses, and New York State Technology Law 208 regulates state entities. 48. Only Alabama, Kentucky, New Mexico and South Dakota lack data breach notification laws. State Security Breach Notification Laws, The Nat l Conf. of State Legislatures (Aug. 20, 2012), issues-research/telecom/security-breach-notificationlaws.aspx. 49. See e.g., N.Y. Gen Bus. Law 899-aa 2 and 5; Cal. Civ. Code (a), (d) and (j)(1) (3); Tex. Bus. & Com. Code (h), (e) and (f); Fl. Stat. Tit. XLVI, Ch. 817, 5681(6). It should be noted that Texas s data breach notification law only requires notification of (i) victims who are Texas residents and (ii) victims who are residents of states that do not have their own data breach notification laws. Tex. Bus. & Com. Code (b-1). 50. N.Y. Gen Bus. Law 899-aa 8; Cal. Civ. Code (e); Tex. Bus. & Com. Code (h); Fl. Stat. Tit. XLVI, Ch. 817, 5681(12). 51. N.Y. Gen Bus. Law 899-aa 6; Tex. Bus. & Com. Code (a); Fl. Stat. Tit. XLVI, Ch. 817, 5681(1)(b)(1), (10)(b). 52. In New York and Texas, data breach laws do not create a private right of action, but the state Attorney General may bring suit on behalf of victims of a data breach. N.Y. Gen Bus. Law 899-aa 6(a); Tex. Bus. & Com. Code (a). In Florida, the law does not create a private right of action, but the Department of Legal Affairs is authorized to assess and collect fines. Fl. Stat. Tit. XLVI, Ch. 817, 5681(11). California law creates a private right of action for victims. Cal. Civ. Code (b). INSURANCE COVERAGE LAW REPORT. September