ISO's Newly-Filed Data Breach Exclusions Provide Yet Another Reason To Consider "Cyber" Insurance

September 26, 2013 The text of this article was first published by Law360 on September 23, 2013. ISO's Newly-Filed Data Breach Exclusions Provide Yet Another Reason To Consider "Cyber" Insurance By Roberta D. Anderson Here a breach, there a breach, everywhere a data breach. Verizon s most recent 2013 Data Breach Investigations Report remarks that [p]erhaps more so than any other year, the large scale and diverse nature of data breaches and other network attacks took center stage this year. 1 And no organization is immune from a breach. The last two years have seen some of the world s most sophisticated corporate giants fall victim to some of the largest data breaches in history. It is clear that cyber attacks -- including data breaches -- are on the rise with unprecedented frequency, sophistication and scale. They are pervasive across industries and geographical boundaries. And they represent an everincreasing threat. 2 The problem of cyber risks is exacerbated, not only by increasingly sophisticated cyber criminals and evolving malware, but also by the trend in outsourcing of data handling, processing and/or storage to third-party vendors, including cloud providers, and by the simple reality of the modern business world, which is full of portable devices such as cell phones, laptops, ipads, USB drives, jump drives, media cards, tablets and other devices that may facilitate the loss of sensitive information. While data breaches and other types of cyber risks are increasing, laws and regulations governing data security and privacy are proliferating. In its most recent 2013 Cost of Data Breach Study, the Ponemon Institute reports that U.S. organizations spend on average $565,020 on post-breach notification alone. 3 Companies may also face lawsuits seeking damages for invasion of privacy, as well as governmental and regulatory investigations, fines and penalties, damage to brand and reputation, and other negative repercussions from a data breach, including those resulting from breaches of Payment Card Industry Data Security Standards. The Ponemon Institute s recent study reports that the average organizational cost of a data breach in 2012 was $188 per record for U.S. organizations ($277 in the case of malicious attacks) and the average number of breached records was 28,765, for a total of $5,407,820.00. 4 The study does not include organizations that had data breaches in excess of 100,000 records, 5 although large-scale breaches clearly are on the rise. In the face of these daunting facts and figures, it is abundantly clear that network security alone cannot entirely address the issue; no firewall is unbreachable, no security system impenetrable. Insurance can play a vital role in a company s efforts to mitigate cyber risk. This fact has the attention of the Securities and Exchange Commission. In the wake of more frequent and severe cyber incidents, the SEC s Division of Corporation Finance has issued guidance on cybersecurity disclosures under the federal securities laws. The guidance advises that companies should review, on 1 Verizon, 2013 Data Breach Investigations Report, at 1 (2013). 2 PwC State of Cybercrime Survey, at 1 (June 2013). 3 2013 Cost of Data Breach Study: Global Analysis, Ponemon Institute LLC, at 16 (May 2013). 4 Id. at 1-2. 5 Id. at 1.

an ongoing basis, the adequacy of their disclosure relating to cybersecurity risks and cyber incidents and that appropriate disclosures may include a [d]escription of relevant insurance coverage. 6 While some companies carry specialty cyber insurance policies that are specifically designed to afford coverage for cyber risk, most companies have various forms of traditional insurance policies that may cover cyber risks, including Insurance Services Office, Inc. (ISO) 7 standard-form commercial general liability (CGL) policies. There may be significant coverage under CGL policies, including for data breaches that result in disclosure of personally identifiable information (commonly termed PII ) and other claims alleging violation of a right to privacy. For example, there is significant potential coverage under the Personal And Advertising Injury Liability coverage section (Coverage B) of the standard-form ISO CGL policy, which currently states that the insurer will pay those sums that the insured becomes legally obligated to pay as damages because of personal and advertising injury. 8 Personal and advertising injury is defined to include a list of specifically enumerated offenses, which include the offense of [o]ral or written publication, in any manner, of material that violates a person s right of privacy. 9 Coverage disputes generally focus on whether there has been a publication that violates the claimant s right of privacy both terms are left undefined in standard-form ISO policies and courts generally have construed the language favorably to insureds and have found coverage for a wide variety of claims alleging misuse of customer information and breach of privacy laws and regulations. 10 There may also be coverage under the Bodily Injury And Property Damage section of the standard CGL form (Coverage A), which states that the insurer will pay those sums that the insured becomes legally obligated to pay as damages because of bodily injury that occurs during the policy period. 11 As courts have found coverage for various types of cyber risks, however, ISO has added limitations and exclusions purporting to cut off CGL lines of coverage. For example, in response to a number of cases upholding coverage for breach of the Telephone Consumer Protection Act, the Fair Credit Reporting Act and other privacy laws, the current ISO standard form contains the following exclusion, which is applicable to both Coverage A and Coverage B: 6 SEC Division of Corporation Finance, CF Disclosure Guidance: Topic No. 2, Cybersecurity (Oct. 13, 2011). 7 ISO is an insurance industry organization whose role is to develop standard insurance policy forms and to have those forms approved by state insurance commissioners. 8 ISO Form CG 00 01 04 13 (2012), Section I, Coverage B, 1.a. 9 Id. 14.e. 10 See, e.g., Park Univ. Enters., Inc. v. American Cas. Co. Of Reading, PA, 442 F.3d 1239, 1251 (10th Cir. 2006) (Kansas law) (upholding coverage for alleged violations of the TCPA and rejecting the insurer s attempt to ascribe narrow meaning to the undefined terms privacy and publication ); Zurich American Ins. Co. v. Fieldstone Mortgage Co., 2007 WL 3268460, at *5 (D.Md. Oct. 26, 2007) (Maryland law) (upholding coverage for FCRA claims and noting that [o]f the circuits to examine publication in the context of an advertising injury provision, the majority have found that the publication need not be to a third party ); Pietras v. Sentry Ins. Co., 2007 WL 715759, at *2-3 (N.D.Ill. Mar. 6, 2007) (upholding coverage for alleged violations of the FCRA, noting that publication in a policy providing coverage for advertising injury includes communication to as few as one person, thereby resulting in coverage for violations of a statute invoking privacy interests, such as the FPCA ) (following Valley Forge Ins. Co. v. Swiderski Elec., Inc., 860 N.E.2d 307 (Ill. 2006)); Columbia Cas. Co. v. HIAR Holding, L.L.C., --- S.W.3d ----, 2013 WL 4080770, at *9 (Mo. Aug. 13, 2013) (upholding coverage alleging violations of the TCPA, concluding that a reasonable interpretation of [the] policy can include that coverage is available for the privacy rights claims of the class ); Penzer v. Transportation Ins. Co., 29 So.3d 1000, 1008 (Fla. 2010) (holding that an advertising injury provision in a commercial liability policy that provides coverage for an oral or written publication of material that violates a person s right of privacy provides coverage for blast-faxing in violation of the TCPA ). See also Netscape Commc nscorp. v. Federal Ins. Co., 343 Fed.Appx. 271 (9th Cir. 2009), aff g 2007 WL 1288192 (N.D. Cal. Apr. 27, 2007) (upholding coverage for claims alleging that the insured s SmartDownload software violated the Electronic Communications Privacy Act and the Computer Fraud and Abuse Act by, among other things, collecting, storing, and disclosing claimants Internet usage, which was used to create opportunities for targeted advertising ). 11 ISO Form CG 00 01 04 13 (2012), Section I, Coverage A, 1.a., 1.b.(2). 2

This insurance does not apply to: p. Recording And Distribution Of Material Or Information In Violation Of Law Personal and advertising injury arising directly or indirectly out of any action or omission that violates or is alleged to violate: (1) The Telephone Consumer Protection Act (TCPA), including any amendment of or addition to such law; (2) The CAN-SPAM Act of 2003, including any amendment of or addition to such law; (3) The Fair Credit Reporting Act (FCRA), and any amendment of or addition to such law, including the Fair and Accurate Credit Transactions Act (FACTA); or (4) Any federal, state or local statute, ordinance or regulation, other than the TCPA, CAN-SPAM Act of 2003 or FCRA and their amendments and additions, that addresses, prohibits, or limits the printing, dissemination, disposal, collecting, recording, sending, transmitting, communicating or distribution of material or information. 12 Insurers have raised this exclusion, among others, in recent privacy breach cases. 13 More sweepingly, as part of its April 2013 revisions to the CGL policy forms, ISO introduced a new endorsement, entitled Amendment Of Personal And Advertising Injury Definition, which entirely eliminates the key offense of [o]ral or written publication, in any manner, of material that violates a person s right of privacy (found at Paragraph 14.e of the Definitions section of Coverage B): With respect to Coverage B Personal And Advertising Injury Liability, Paragraph 14.e. of the Definitions section does not apply. 14 And the latest: ISO has just filed a number of data breach exclusionary endorsements for use with its standard-form primary, excess and umbrella CGL policies. These are to become effective in May 2014. By way of example, one of the endorsements, entitled Exclusion - Access Or Disclosure Of Confidential Or Personal Information And Data-Related Liability - Limited Bodily Injury Exception Not Included, adds the following exclusion to Coverage A: This insurance does not apply to: p. Access Or Disclosure Of Confidential Or Personal Information And Data-related Liability Damages arising out of: (1) Any access to or disclosure of any person's or organization's confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information; or 12 ISO Form CG 00 01 04 13 (2012), Section I, Coverage B, 2.p. 13 See, e.g., Nationwide Mut.Fire Ins. Co. v. First Citizens Bank and Trust Co. Inc., et al., No. 4:13cv598 (D.S.C.), Complaint 23, 55 (filed Mar. 6, 2013); Hartford Fire Ins. Co. v. Euromarket Designs, Inc., No. 1:11-cv-03008 (N.D. Ill.), Complaint 9, 35 (filed May 5, 2011). 14 CG 24 13 04 13 (2012). 3

(2) The loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data. This exclusion applies even if damages are claimed for notification costs, credit monitoring expenses, forensic expenses, public relations expenses or any other loss, cost or expense incurred by you or others arising out of that which is described in Paragraph (1) or (2) above. 15 The endorsement also adds the following exclusion to Coverage B: This insurance does not apply to: Access Or Disclosure Of Confidential Or Personal Information Personal and advertising injury arising out of any access to or disclosure of any person s or organization's confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of non public information. This exclusion applies even if damages are claimed for notification costs, credit monitoring expenses, forensic expenses, public relations expenses or any other loss, cost or expense incurred by you or others arising out of any access to or disclosure of any person's or organization's confidential or personal information. 16 ISO states that when this endorsement is attached, it will result in a reduction of coverage due to the deletion of an exception with respect to damages because of bodily injury arising out of loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data and that [t]o the extent that any access or disclosure of confidential or personal information results in an oral or written publication that violates a person's right of privacy, this revision may be considered a reduction in personal and advertising injury coverage. 17 While acknowledging that coverage for data breaches is currently available under its standard forms, ISO explains that [a]t the time the ISO CGL and [umbrella] policies were developed, certain hacking activities or data breaches were not prevalent and, therefore, coverages related to the access to or disclosure of personal or confidential information and associated with such events were not necessarily contemplated under the policy. 18 The scope of this exclusion ultimately will be determined by judicial review. Although it may take some time for the new (or similar) exclusions to make their way into general liability policies, and the full reach of the exclusions remains unclear, they provide another reason for companies to carefully consider specialty cyber insurance products. Even where insurance policies do not contain the newer limitations or exclusions, insurers may argue that cyber risks are not covered under traditional policies. The brewing legal dispute between Sony and its insurers concerning the PlayStation Network data breach highlights the challenges that companies can face in getting insurance companies to cover losses arising from cyber risks under CGL policies. In its recent motion for partial summary judgment, Sony argues that there is data breach coverage because [t]he MDL Amended Complaint alleges that plaintiffs suffered the loss of privacy as the result of the improper disclosure of their Personal Information [which] has been held to constitute material that 15 CG 21 07 05 14 (2013). Electronic data is defined as information, facts or programs stored as or on, created or used on, or transmitted to or from computer software, including systems and applications software, hard or floppy disks, CD-ROMS, tapes, drives, cells, data processing devices or any other media which are used with electronically controlled equipment. Id. 16 Id. 17 ISO Commercial Lines Forms Filing CL-2013-0DBFR, at p. 8. 18 Id. at p. 3. 4

violates a person s right of privacy. 19 However, the insurers seek a declaration that there is no coverage under the CGL policies at issue, among other reasons, on the basis that the underlying lawsuits do not assert claims for personal and advertising injury. 20 The Sony coverage suit does not represent the first time that insurers have refused to voluntarily pay claims resulting from a network security breach or other cyber-related liability under CGL policies. Nor will it be the last. Even where there is a good claim for coverage, insurers can be expected to continue to argue that cyber risks are not covered under CGL or other traditional policies. As far as data breaches are concerned, cyber policies usually provide some form of privacy coverage. This coverage would typically provide defense and indemnity coverage for claims arising out of a data breach that actually or potentially compromises PII. By way of example, the AIG Specialty Risk Protector specimen policy 21 states that the insurer will pay all Loss that the Insured is legally obligated to pay resulting from a Claim alleging a Privacy Event. Privacy Event 22 includes: (1) any failure to protect Confidential Information (whether by phishing, other social engineering technique or otherwise) including, without limitation, that which results in an identity theft or other wrongful emulation of the identity of an individual or corporation; (2) failure to disclose an event referenced in Sub-paragraph (1) above in violation of any Security Breach Notice Law; or (3) violation of any federal, state, foreign or local privacy statute alleged in connection with a Claim for compensatory damages, judgments, settlements, prejudgment and post-judgment interest from Sub-paragraphs (1) or (2) above. 23 Confidential Information is defined as follows: Confidential Information means any of the following in a Company s or Information Holder s care, custody and control or for which a Company or Information Holder is legally responsible: (1) information from which an individual may be uniquely and reliably identified or contacted, including, without limitation, an individual s name, address, telephone number, social security number, account relationships, account numbers, account balances, account histories and passwords; (2) information concerning an individual that would be considered nonpublic personal information within the meaning of Title V of the Gramm-Leach Bliley Act of 1999 (Public Law 106-102, 113 Stat. 1338) (as amended) and its implementing regulations; 19 Memorandum of Law in Support of the Motion of Sony Corporation of America and Sony Computer Entertainment America LLC for Partial Summary Judgment Declaring That Zurich and Mitshui Have a Duty to Defend, at p. 14, filed May 10, 2013 in Zurich Am. Ins.Co., et al. vs. Sony Corp. of Am., et al., No. 651982/2011 (N.Y. Sup. Ct. New York Cty.). 20 Complaint at 71. 21 See AIG Specialty Risk Protector Specimen Policy Form 101014 (11/09), Security and Privacy Coverage Section. 22 Id. Section 1. 23 Id. Section 2.(d). Security Breach Notice Law includes any statute or regulation that requires an entity storing Confidential Information on its Computer System, or any entity that has provided Confidential Information to an Information Holder, to provide notice of any actual or potential unauthorized access by others to Confidential Information stored on such Computer System, including but not limited to, the statute known as California SB 1386 ( 1798.82, et. al. of the California Civil Code). Id. Section 2.(m). 5

(3) information concerning an individual that would be considered protected health information within Health Insurance Portability and Accountability Act of 1996 (as amended) and its implementing regulations; (4) information used for authenticating customers for normal business transactions; (5) any third party s trade secrets, data, designs, interpretations, forecasts, formulas, methods, practices, processes, records, reports or other item of information that is not available to the general public[.] There are numerous specialty cyber products on the market that generally respond to data breaches. A policy offering the privacy coverage will often offer coverage for civil, administrative and regulatory investigations, fines and penalties and, importantly, will commonly offer remediation coverage (sometimes termed crisis management or notification coverage) to address costs associated with a security breach, including: costs associated with post-data breach notification credit monitoring services forensic investigation to determine cause and scope of a breach public relations efforts and other crisis management expenses legal services to determine an insured s indemnification rights where a third party s error or omission has caused the problem. Cyber insurance policies offer other types coverages as well, including media liability coverage (for claims for alleging, for example, infringement of copyright and other intellectual property rights and misappropriation of ideas or media content), first party property and network interruption coverage, and cyber extortion coverage. The cyber policies can be extremely valuable. But selecting and negotiating the right cyber insurance product presents a real and significant challenge. There is a dizzying array of cyber products on the marketplace, each with their own insurer-drafted terms and conditions, which vary dramatically from insurer to insurer even from policy to policy underwritten by the same insurer. Because of the nature of the product and the risks that it is intended to cover, successful placement requires the involvement and input, not only of a capable risk management department and a knowledgeable insurance broker, but also of in-house legal counsel and IT professionals, resources and compliance personnel and experienced insurance coverage counsel. Author: Roberta D. Anderson roberta.anderson@klgates.com +1.412.355.6222 Anchorage Austin Beijing Berlin Boston Brisbane Brussels Charleston Charlotte Chicago Dallas Doha Dubai Fort Worth Frankfurt Harrisburg Hong Kong Houston London Los Angeles Melbourne Miami Milan Moscow Newark New York Orange County Palo Alto Paris Perth Pittsburgh Portland Raleigh Research Triangle Park San Diego San Francisco São Paulo Seattle Seoul Shanghai Singapore Spokane Sydney Taipei Tokyo Warsaw Washington, D.C. Wilmington 6

K&L Gates practices out of 48 fully integrated offices located in the United States, Asia, Australia, Europe, the Middle East and South America and represents leading global corporations, growth and middle-market companies, capital markets participants and entrepreneurs in every major industry group as well as public sector entities, educational institutions, philanthropic organizations and individuals. For more information about K&L Gates or its locations, practices and registrations, visit www.klgates.com. This publication is for informational purposes and does not contain or convey legal advice. The information herein should not be used or relied upon in regard to any particular facts or circumstances without first consulting a lawyer. 2013 K&L Gates LLP. All Rights Reserved. 7