Guidance on Insurance Coverage for Cyber Attacks: CGL Property Damage Claims

February 20, 2014

Insurance LawA standard form CGL policy’s “Coverage A” obligates the insurer to defend and indemnify against liability for “bodily injury” or “property damage” caused by an accidental occurrence. In cyber attack cases, coverage will turn on whether the claimants suffered “property damage” within the meaning of the policy. Standard CGL policies uniformly define “property damage” as “[p]hysical injury to tangible property, including all resulting loss of use of that property” and “[l]oss of use of tangible property that is not physically injured.”

Data Breaches

The underlying claimants in data breach cases will rarely suffer property damage triggering coverage under the Coverage A part of the policy. After all, if the data breach merely results in an invasion of privacy, and leaves the data where it is supposed to be on the insured’s computers without alteration or corruption, and does not cause damage to, or loss of use of, those computers, it is difficult to argue that the breach fits the policy’s definition of property damage.

Bits and Bytes

The potential for coverage under a CGL policy’s property damage provisions improves significantly when an insured’s failure to secure its computer systems results in the invasion of malicious code (such as viruses, worms, Trojans, malware, spyware, or “cookies” that surreptitiously track browsing history or personal computers) that infects and corrupts data not just on the insured’s computers but on the computers of its customers. Sometimes malicious code will corrupt data on a computer without damaging the device on which the data is stored. Computers store data in a binary language known as “bits and bytes” in the form of magnetic patterns on a storage device, usually a hard drive. Malware destroys data by erasing or rearranging these magnetic patterns without damaging the storage device itself.  The question then becomes whether the magnetic patterns are a “physical” component of the storage device. Sometimes the malicious code will do more than corrupt the arrangement of data. The code will damage the computer hardware itself, or at least render it useless, making the case for coverage under the CGL policy’s property damage provisions even more compelling. For example, in the litigation to determine insurance coverage for the breach of Sony’s PlayStation network the underlying plaintiffs class sought damage for the “loss (both temporary and permanent) of use of their PlayStation consoles.” Zurich American Insurance Co., et al. v. Sony Corp. of America, et al., No. 651982/2011 (N.Y. Sup. Ct. New York Cty.) (filed July 20, 2011).

Hardware Damage

The Eight Circuit found coverage under a CGL policy’s property damage provisions for allegations that the insured’s website uploaded malware onto the claimant’s computer in Eyeblaster, Inc. v. Federal Ins. Co., 613 F.3d 797 (8th Cir. 2010). In finding that the complaint alleged potentially covered property damage, the Eighth Circuit held that the alleged computer freezes, random error messages, slowed performance and crashes, and pop-up ads based on the plaintiff’s internet browsing history constituted loss of use of tangible property within the meaning of the policy.

A potential obstacle to coverage is that CGL policy’s now commonly exclude “electronic data” from the definition of “property damage” and some policies exclude coverage for “[damages arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.” Significantly, the Eighth Circuit in Eyeblaster found potential coverage despite the policy’s exclusion from the definition of “tangible property” of “any software, data or other information that is in electronic form.” Notwithstanding the express exclusion, the court held that the insurer was obligated to defend because the complaint alleged “loss of use of tangible property that is not physically injured” under the second prong of the “property damage” definition. The court explained that the complaint alleged loss of use of the computer itself, not just the computer’s software. As the court put it, “The plain meaning of tangible property includes computers, and the [underlying] complaint alleges repeatedly the ‘loss of use’ of his computer.

Data Damage

When a complaint alleges damage only to the plaintiff’s software, and not to the hardware containing the software, courts are much less likely to find covered property damage. In America Online, Incorporated v. St. Paul Mercury Insurance Company, 347 F.3d 89 (4th Cir.2003), America Online, Inc. (“AOL”) attempted to require its insurer to defend against claims that AOL’s proprietary software package had “altered the customers’ existing software, disrupted their network connections, caused them loss of stored data, and caused their operating systems to crash.” The Fourth Circuit rejected AOL’s argument because its insurance policy covered liability for “physical damage to tangible property,” and the court identified the configuration instructions, data, and information as intangible and abstract.

My next post will discuss first-party property insurance coverages.