PLUS CyberIn this preview of an article from Issue XXIV, Volume 12 of the PLUS Journal (December 2011) authors Richard J Bortnick and Abby J Sher look at how intangible cyber losses are not typically covered under a CGL policy.

PLUS is offering exclusive cyber liability and data security sessions as part of the upcoming Medical PL and Professional Risk Symposia, March 29 & 30 in Chicago.

From the Journal article:

A typical CGL policy defines “property damage” as “physical injury to tangible property, including all resulting loss of use of that property.” Although this definition would apply to traditional property damage losses (such as those arising from fires, impaired property and the like), many policyholders and brokers might incorrectly assume that it also extends to technology and cyber privacy losses involving intangible property, such as electronic data. Such an interpretation, however, may be regarded as contrary to the plain and ordinary meaning of the policy language, which specifies that “property damage” is premised upon ” physical injury to tangible property.”

This misconception perhaps is based upon the intuition of policyholders and brokers that traditional policy forms should adapt to protect against evolving risks.  While this assumption may seem reasonable to policyholders, it is not one ratified either by policy drafters or the courts, as will be discussed more fully below.

Prior to the widespread use of technology and paperless systems, the disclosure of confidential information and destruction or theft of client or employee records would, generally speaking, have involved paper documents – that is to say, “tangible” property – and thereby possibly would have been covered by a CGL and/or fidelity policy. At the same time, prior to the advent of the internet and the widespread use of computers, the possibility that a company might  be damaged by the electronic “equivalent” of a data theft or computer breakdown was largely unimaginable, and surely not contemplated by underwriters, brokers or their policyholders.  Thus, CGL policies were not drafted with the thought that such risks would exist – or be covered.

Oddly, it is sheer coincidence that a typical CGL policy specifically carves out intangible property damage from its definition of “property damage.”   Indeed, ISO’s addition of the word “tangible” to its standard CGL form in 1966 was in response to efforts by policyholders to obtain coverage for rights, obligations, and other forms of economic loss.  Prior to 1966, “property damage” was defined as “injury to or destruction to property.”  The 1966 definition, which defined “property damage” as “injury to or destruction of tangible property” was “misleadingly simple.” Laurie Vasichek, Liability Coverage for “Damage Because of Property Damage” Under the Comprehensive General Liability Policy, 68 Minn. L. Rev. 795, 801 (1984).  In view of this and other criticisms of the 1966 revision, ISO further clarified the definition in 1973 so as to require “physical injury to tangible property.”  Like the 1966 amendment, this change was designed to limit coverage to the intended categories of loss, and to preclude coverage for diminution in value and other intangible losses.

It nonetheless remains that CGL policies were not drafted in contemplation of cyber losses and were not rated to address their potential breadth, as the scope of a cyber loss can easily exceed the loss resulting from a typical property damage claim. In the course of a data breach, a large quantity of data can be remotely accessed, duplicated, and disseminated within a fraction of a second; certainly far more permanent damage can be done in a nano-second than in the case of a defective product or a natural catastrophe involving traditional brick and mortar property damage.  Moreover, if stolen personal or confidential corporate information is circulated on the Internet, the harm becomes both permanent and widespread.  The potential implications of this loss extend far beyond the scope of traditional tangible property damage. Cyber breach remediation requires time, intelligence and a significantly more advanced means of reparation, if any such repairs are even achievable when it comes to personal and confidential corporate information.

PLUS members can read the entire article on must log in to the website to view this content.