Guidance on Insurance Coverage for Cyber Attacks: “Advertising and Personal Injury”

February 13, 2014

Following a cyber attack, insureds look primarily to their policy’s coverage for “advertising and personal injuries,” known as “Coverage B” in their CGL policies. “Personal injury” and “advertising injury” both cover injury resulting from certain specified “offenses.” They previously had separate definitions, but revisions to the standard form CGL policy in 1998 merged the terms into one consolidated set of enumerated offenses. Policyholders equate a data breach with the offense of “oral or written publication, in any manner, of material that violates a person’s right of privacy.” Thus, in order to obtain CGL coverage for a data breach, policyholders must establish that a hacker’s unauthorized invasion of the policyholder’s computer data base and theft of customers’ personal data constituted (1) a publication of that data, and (2) a violation of a right of privacy. Neither “publication” nor “right of privacy” is defined in the policy, so the task of sorting out their meaning is left to the courts.

The Publication Requirement

A threshold issue after cyber thieves download customer data from a business’s computers is whether such downloads can be characterized as a “publication” for insurance coverage purposes. Insurers will argue that the download and subsequent use of the information by a cyber thief, who is not insured under the policy, is not a publication. Although no court has addressed whether a theft of data from a putatively secure computer system qualifies as a “publication” under Coverage B, courts applying the publication offense in other contexts have ruled that the publication must be by the insured.

Policyholders may challenge the authority of these cases as inconsistent with the language of the policy. Nowhere does the policy state unambiguously that the publication must be by the insured. Moreover, the version of Coverage B before the court in the cases cited in the previous paragraph has since been revised to cover “any manner” of publication. It remains to be seen whether courts will construe the phrase “in any manner” to encompass publication by others or merely to expand the types of publication to include non-traditional methods such as e-mails. At the least, the “in any manner” language probably obviates the need to establish widespread dissemination to the public.

Courts have not hesitated to find a publication based on limited distribution of private information when the insured, rather than a third party, is responsible for the disclosures. In such circumstances, courts have held that intra-corporate disclosures among employees and agents of the same company constitute publications for purposes of an invasion of privacy. For example, in Netscape Communications Corp. v. Federal Ins. Co., the underlying plaintiffs alleged that the insured’s “SmartDownload [software] violated the claimants’ privacy by, among other things, collecting, storing, and disclosing to Plaintiffs and their engineers claimants’ Internet usage.” The insurance policy obligated the insurer to “pay amounts [the insured] is legally required to pay as damages for covered personal injury that … is caused by a personal injury offense.” The policy defined “personal injury offense” to include the offense of “[m]aking known to any person or organization written or spoken material that violates a person’s right to privacy.” In finding the insurer had a duty to defend, the court reasoned that “when [the insured] received information from SmartDownload, it was making it known to AOL by transmitting it to its parent company. Similarly, individual [insured] employees made the information known to each other by circulating files among themselves with the information gained from SmartDownload.”

Right of Privacy Requirement

Once the publication requirement is satisfied, insured businesses should have little difficulty establishing the second coverage prong—an invasion of customers’ or employees’ “right of privacy.” The more difficult hurdle will be convincing a court that the exclusion for statutorily created privacy rights and statutory penalties that now appear in many CGL policies does not apply. A federal district court in California recently addressed this question in Hartford Casualty Insurance Co. v. Corcino & Associates, 2013 WL 5687527 (C.D. Cal. Oct. 7, 2013). There, the court held that the exclusion barred coverage only for violations of privacy rights “created” by statute. Since the statutes on which the underlying plaintiffs relied merely codified preexisting statutory and constitutional privacy rights that would have been available even without the statutes, the court concluded that the exclusion did not apply. The court also held that neither exclusion precluded coverage for the statutory remedies, which the court determined were created as an incentive to enforce already existing privacy rights. The court concluded, therefore, that while amounts paid for violation of the statutes might be labeled as “statutory penalties,” such amounts were nevertheless “damages” due to “personal and advertising injury” and, thus, they would be covered under the policy.

Practitioners, however, should recognize that not all types of personal data are private, and courts have reached varying results on what they consider to be within a person’s right of privacy. See, e.g., A & B Ingredients, Inc. v. Hartford Fire Ins. Co. (finding absence of Coverage B coverage, in part, on the basis that the jurisdiction in which the underlying claims arose apparently did not recognize common law privacy violations).

My next post will discuss coverage under the property damage provisions of a CGL policy.