Cybersecurity Insurance – Part 3: Scope of Coverage for Cybersecurity Incidents Under General Liability Policies & Recent Case Law

September 29, 2015

It is important for companies to ascertain to what degree their current policies provide cybersecurity coverage. Insurers are becoming increasingly willing to litigate the issue of whether commercial general liability (“CGL”) policies provide insurance coverage for the theft of electronic data and harm to intangible property because the damages in such claims often do not fit cleanly into CGL policy coverage provisions.

For instance, in the aftermath of the Sony data breach, Sony’s insurer, Zurich American Insurance Company (Zurich), filed an action for declaratory judgment in the Supreme Court of the State of New York, seeking “declaratory relief to settle important questions concerning Sony Defendants’ claims for insurance coverage relating to numerous class action lawsuits, miscellaneous claims, and potential actions … arising out of one or more of the cyber-attacks perpetrated by computer ‘hackers’ on the PlayStation Network.” Zurich asserted that they were not obligated to indemnify Sony under their CGL policy because the claims related to the data breach “do not allege injury of damages covered under Coverage A – Bodily Injury or Property Damage Liability or Coverage B – Personal and Advertising Injury Liability.” The court ultimately ruled that Zurich was not required to indemnify Sony under the provisions of the CGL policy.

There is, however, some federal case law supporting coverage for cybersecurity breaches under CGL policies and under the property damage provisions of some policies. The court in Eyeblaster, Inc. v. Fed. Ins. Co., for instance, held that the insurer was liable for litigation costs that the insured sustained in a lawsuit brought by a computer user whose computer performance was substantially impaired due to the insured’s failure to protect against spyware. The court found that the impaired computer performance was covered under the General Liability policy for “loss of use of tangible property that was not physically injured,” even though the policy excluded coverage for “software, data or other information that was in electronic form.”

While the insurer in Eyeblaster did not succeed with its software/electronic damage exclusion argument, it is important to be aware of these types of exclusions in CGL policies, as they are now common. Provisions such as these, along with the more general inapplicability of traditional CGL coverage to cybersecurity breaches, have given rise to a gap in coverage for cyber-risks that is only widening as businesses and individuals increasingly rely on technology.

In the next installment of the article I will go over the current general state of the cybersecurity insurance market.

Titles by Daniel Garrie