The Comprehensive Environmental Response, Compensation, and Liability Act (also known as CERCLA or Superfund) was passed in 1980, and almost immediately produced a huge wave of environmental litigation. That wave gave rise to an equal if not greater wave of environmental insurance litigation. That insurance litigation wave has now declined.
Numerous mega data breaches demonstrate that the age of cyber litigation is here. The question is whether cyber litigation will produce a wave of cyber insurance litigation. There are two sources of insurance for data breaches and other cyber events — general liability policies and cyber policies.
Traditional general liability policies usually (but not always) provide coverage for “oral or written publication, in any manner, of material that violates a person’s right of privacy.” Substantial litigation has ensued over whether violations of the Telephone Consumer Protection Act (TCPA or Junk Fax Prevention Act) and other privacy statutes are covered by this privacy provision. New Jersey, specifically, has reached conflicting results in reviewing similar, but distinct policy language. In Myron Corp. v. Atlantic Mutual, Docket No. BER-L-5539-06, 2007 N.J.Super. LEXIS 3012 (Law Div. Jan. 22, 2007), rev’d on other grounds, the court found that the insurance company had to defend the policyholder against a junk fax suit, where the policy defined advertising injury to include oral or written publication “that violates a person’s right of privacy.” In St. Paul Fire & Marine Ins. Co. v. Brother Int’l Corp., 319 Fed. Appx. 121 (3d Cir. 2009), the insurance policy contained unusual language, and defined “advertising injury offense” as “making known to any person or organization covered material that violates a person’s right to privacy.” The court found that “making known” required an invasion of secrecy and found no coverage. General liability policies have dramatically cut back their privacy coverage, frequently excluding any violation of statute. See Hartford Cas. Ins. Co. v. Corcino & Assocs., Docket No. CV 13-3728, 2013 U.S. Dist. LEXIS 152836 (C.D. Ca. Oct. 7, 2013) (“This insurance does not apply to . . . Personal And Advertising Injury . . . arising out of
the violation of a person’s right to privacy created by any state or federal act.”).
Litigation over this language has now moved to the data breach arena. In Zurich American Insurance Company v. Sony Corporation of America, the parties battled over insurance coverage for the first Zurich data breach. Index No. 651982/2011, 2014 N.Y. Misc. LEXIS 5141 (N.Y. App. Div. Feb. 24, 2014). Sony argued that the data breach was a publication of the data. Zurich countered that publication required an affirmative action by the policyholder. The court agreed with Zurich, and held that a data breach by a third party was not covered by the privacy provision of a general liability policy. The case is currently on appeal. The court in Recall Total Information Management, Inc. v. Federal Insurance Co., 83 A.3d 664 (Conn. App. 2014), cert. granted, 311 Conn. 925, 86 A.3d 469 (2014),involving computer tapes that fell off of a truck, reached the same conclusion — finding there was no publication where there was no evidence that anyone accessed information on the tapes. That case is now pending before the Connecticut Supreme Court.
Many companies are now purchasing cyber insurance. Growth has been about 30% a year, with annual premiums last year of $2 billion. Over 30 insurance companies are
now selling cyber insurance. By most accounts, the policies are affordable. Recent data breaches should fuel the corporate appetite for cyber insurance. To speak of “cyber insurance” is a misnomer. No standard policy form exists, and different policies can differ dramatically. Most importantly, nine categories of cyber insurance currently exist, and each company must decide which components it needs. The key coverages include:
- coverage against privacy lawsuits by individuals;
- coverage against governmental privacy investigations;
- cyber-business interruption coverage;
- cyber-extortion;
- media coverage, such as defamation, trademark and copyright;
- network disruption;
- crisis response costs;
- network loss or damage; and
- electronic theft.
It is difficult to predict the evolution of cyber coverage in the next few years. Certainly, companies can expect that hackers will continue to exhibit creativity and find new ways to attack. The insurance industry is responding with new, sweeping cyber exclusions on general liability policies, and a broad array of cyber policies. Sony has heightened concerns over cyber extortion, which is currently covered under many cyber policies. Concern is being expressed over hacker attacks on operating systems, causing physical damage and shutting down systems. Cyber insurance will need to adapt quickly to changes in the cyber landscape to keep customers satisfied and prevent coverage litigation.