Guidance on Insurance Coverage for Cyber Attacks: First-party coverages

February 27, 2014

Insurance LawPolicyholders may also seek coverage under their commercial property insurance for property damage and loss of income resulting from malicious code or a data breach. Coverage for damage to the policyholder’s computers, software, and data will require proof of a “direct physical loss.” Coverage for loss of income also will depend on proof of a “direct physical loss” but also requires proof a resulting loss of income due to a “necessary suspension of operations” during a “period of restoration.”

“BI” and “CBI” Coverages

Business income coverages are sometimes referred to as “time element” coverages because they are designed to cover businesses income losses for a limited amount of time while the business gets back on its feet. The two most important types of coverage for business income losses are Business Interruption or “BI” coverage and “Contingent” Business Interruption or “CBI” Coverage. Businesses that suffered physical damage to their own covered property will file BI claims under their commercial property policies. Businesses that lose customers or critical supplies as a consequence of physical damage to the property of others will seek coverage under the CBI provisions of their commercial property insurance policies. CBI coverage is likely to become increasingly important as more business outsource the maintenance of their data to third-party “cloud” services.

Direct Physical Loss

In attempting to establish “direct physical loss” under first party property insurance policies, policyholders will face the same hurdles they face in arguing that the corruption of computer data qualifies as property damage under a CGL policy’s Coverage A. When a cyber attack damages the data on a computer without damaging the device on which the data is stored, insurers will argue that the erasure or rearranging of magnetic patterns through which “bits and bytes” are recorded does not cause “physical” damage component of the storage device and therefore does not trigger coverage. At least one court has adopted the insurance industry’s argument in the context of a first-party property damage claim. Ward General Ins. Services, Inc. v. Employers Fire Ins. Co., 114 Cal. App. 4th 548, 7 Cal. Rptr. 3d 844 (4th Dist. 2003).  However, a significant number of decisions have adopted the policyholder’s position in the context of BI and CBI claims. For example, in NMS Services Inc. v. The Hartford, 62 Fed.Appx. 511 (4th Cir. 2003), the court found “no question” that a former employee who hacked into the insured company’s computer network and erased vital computer files caused “direct physical loss” within the meaning of the policy. A concurring justice went out of his way to explain how otherwise ephemeral information takes on physical characteristics when stored on a computer. He described how a computer stores information by “rearrang[ing] the atoms or molecules of a disc or tape to effect the formation of a particular order of magnetic impulses,” and observed that a “meaningful sequence of magnetic impulses cannot float in space.”

My next post will introduce specialty coverage tailored specifically to cyber risks.