Founder and C.E.O., Cyber Special Ops, LLC
Mr. Suhs serves as the Founder and C.E.O. of Cyber Special Ops, LLC, a cyber risk company that provides Concierge Cyber®, a low-cost membership that guarantees members emergency response to a cyberattack or data breach through a team of highly respected third-party service providers, on a pay-as-you-go basis, at pre-negotiated and substantially discounted rates.
Every organization that evaluates and purchases standalone cyber insurance has addressed its cyber risk, correct? One might think so, but one needs to know exactly what an organization has… or does not have, by looking at the bigger insurance picture. Cyber risk is truly unique in that a cyber claim could theoretically trigger every line of insurance. Today, the more astute insurers have examined how a cyber claim could impact each and every line of property and casualty (P&C) insurance across their entire book. Specifically, which P&C policies 1) define cyber and affirmatively provide coverage on a full or sub-limited basis, 2) define cyber and affirmatively exclude coverage or 3) neither define nor affirmatively offer or exclude coverage (aka silent cyber)? And most importantly, how do all the insureds’ P&C policies work together to respond to a cyber claim?
Most insurance agencies either have an internal cyber resource or outsource cyber placement to a wholesaler with cyber expertise. Generally, those cyber experts only evaluate the standalone cyber insurance product and do not evaluate the entirety of the insured’s insurance program. Even Fortune 250 companies often assign the property insurance to one broker and the casualty/professional insurance to another broker. Whether the insured is a small or large organization, both scenarios may result in a costly insurance agent’s E&O claim and leave the insured, who purchased standalone cyber insurance, in a precarious position.
This blog addresses 1) case law that has affirmed cyber coverage, 2) case law that has deemed no cyber coverage and 3) key insurance policy terms, conditions and endorsements for insurance agents to examine when evaluating cyber risk.
Property:
A property policy is triggered by physical damage to tangible property. Is data considered tangible property under a property policy? Courts are split on whether a property policy provides coverage for electronic data. Some Courts have found coverage in a property policy. In American Guarantee & Liability Insurance v. Ingram Micro, Inc., 2000 WL 726789 (D. Ariz. 2000), the Court held that the loss of the use and functionality of its computers as a result of a power outage constitutes “direct physical loss or damage” within the meaning of a property policy. The Court reached this conclusion notwithstanding the fact that the computers in question retained the inherent ability after the power outage to perform the same functions as previously. The loss of use was caused instead by the loss of custom programming contained in the computers’ random access memory (RAM) as a result of the power outage.
Other courts, however, have found there to be no coverage for data under a property policy. In Ward General Insurance Services v. Employer’s Fire Insurance Company, 114 Cal. App. 4th 548, the Court found that electronic data was not tangible, and thus loss of data is not property damage.
While most property markets exclude coverage for the loss of electronic data, two markets provide optional endorsements with affirmative cyber coverage. One insurer offers an optional three-part coverage cyber endorsement that encompasses information asset protection, cyber extortion coverage and network business interruption. Another insurer offers an optional two-part coverage cyber endorsement that provides information asset protection and network business interruption. An insured has the option to choose whether the Cyber Optimal Recovery endorsement is primary, contributing or is in excess to a cyber policy—in order to maximize recovery under both a property and standalone cyber policy.
Commercial General Liability (CGL):
Prior to 2001, courts were inconsistent on whether electronic data constituted tangible property under Coverage A. Bodily Injury and Property Damage.
Since 2001, ISO CGL policies specifically provide that electronic data is not tangible property.
Since 2004, ISO CGL policies eliminate coverage for damages arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.
Coverage A. Bodily Injury and Property Damage:
Courts are split on whether Coverage A. Bodily Injury and Property Damage Liability under a CGL policy provides coverage for electronic data. In Eyeblaster, Inc. v. Federal Ins. Co., 613 F.3d 797, 801 (8th Cir. 2010), the Court held that an online marketing company was entitled to a defense under its CGL policy in a claim alleging that spyware installed by the insured damaged the claimant’s computer, and coverage was afforded on that basis.
In Computer Corner v. Fireman’s Fund Ins. Co., 46 P. 3d 1264 (N.M. Ct. App. 2002), the New Mexico Court of Appeals held that a CGL policy provided coverage for liability arising from the loss of data stored on a computer hard drive, relying on the finding of fact that computer data is “tangible” property. The Court of Appeals made this determination despite: (1) the district court’s finding that the insured, Computer Corner, had expected and/or intended that the data would be lost; and (2) the district court’s conclusion that coverage under the policy was excluded pursuant to standard “business risk/work product” exclusions found in most CGL policies.
Other courts have held that electronic data is not tangible and thus the loss of electronic data is not property damage. An example of such a finding is America Online, Inc. v. St. Paul Mercury Insurance Co., 347 F. 3d 89 (4th Cir. 2003), where the Court held the insurer had no duty to defend under the CGL policy because computer data and software were not “tangible property”.
Coverage B. Personal and Advertising Injury:
Courts are also divided on whether Coverage B. Personal and Advertising Injury under a CGL policy provides coverage for a claim alleging that the breach of electronic data violates a person’s right to privacy.
In Hartford Casualty Insurance v. Corcino & Associates 2013 WL 5687525 (C.D. CA 2013), the Court required the insurer to provide coverage when an insured posted private, confidential and sensitive medical and/or psychiatric information on a public website which remained online for almost a full year.
In Travelers Indemnity v. Portal Healthcare Solutions, LLC (4th Circuit April 2016) (unpublished), the Court held the insurer owed a duty to defend where the insured allegedly failed to safeguard confidential medical records from being viewed on a public website and two patients alleged that they were able to access their own records by way of a Google search.
Other courts, however, have deemed there to be no coverage under Coverage B. of a CGL policy. In Zurich American Insurance Co. v. Sony Corporation of America No. 651982/2001 (NY Sup Ct Feb 2014), the Court found no coverage arising from the PlayStation hack because the alleged “publication” was not an intentional act committed by the insured, but instead was the result of a criminal act of a third-party hacker.
In Recall Total Management, Inc. v. Federal Insurance Co. 115 A. 3d 458 (Conn. 2015), the Connecticut Supreme Court found no coverage when a transport vendor allegedly lost data tapes containing sensitive data on a large number of employees. The Court ruled that there was no “publication” absent evidence that the information on the tapes was ever accessed, and the triggering of a breach notification statute does not demonstrate personal injury.
In May 2014, ISO exclusions were created to preclude coverage for claims “arising out of any access to or disclosure of any person’s or organization’s confidential or personal information.” Nonetheless, even where these exclusions appear, policyholders will continue to litigate their scope.
Environmental:
Environmental insurance policies in the marketplace are generally silent around cyber risk related to a covered environmental loss. Consequently, depending upon the type and nature of a claim, an environmental policy may provide coverage for defense, indemnity, business interruption and “other expenses” such as forensics, legal and public relations.
Professional Liability (E&O):
E&O insurance policies in the marketplace are generally silent around cyber risk. Consequently, depending upon the type and nature of a claim, an E&O policy may provide coverage for a cyber claim tied to the rendering of professional services. Coverage might include defense, indemnity, business interruption and “other expenses” such as forensics, legal and public relations.
Many E&O insurers offer an optional cyber endorsement and provide coverage on a sub-limited basis.
Hospital Professional Liability (HPL) and Miscellaneous Facility E&O:
HPL and Miscellaneous Facilities E&O insurance policies in the marketplace are generally silent around cyber risk. Consequently, depending upon the type and nature of a claim, a HPL or Miscellaneous Facilities E&O policy may provide coverage for a cyber claim tied to the rendering of professional services. Coverage might include defense, indemnity, business interruption and “other expenses” such as forensics, legal and public relations.
Management Liability (D&O):
The majority of D&O policies are silent around cyber risk. Defense and indemnity for shareholder derivative suits and regulatory investigations may be covered. Some courts have found coverage in a management liability policy. In Sterling v. Stratfor Enterprises, LLC et al., Case No. 2:12-cv-00297-DRH-ARL (E.D.N.Y.), the Court ordered Stratfor to offer class members who opt in, one month of free access to its service, worth $29.08, and an electronic book published by Stratfor called “The Blue Book,” priced at $12.99. The two together may cost Stratfor approximately $1.75 million, according to estimates in the settlement. In addition, a $400,000 lump sum was paid to plaintiff attorneys.
Other prominent shareholder derivative suits against directors and officers, including Home Depot, Target and Wyndham Hotels have been dismissed. Derivative lawsuits are particularly challenging for claimants, owing to the procedural hurdles, like the demand requirement, and the substantive defenses, like the business judgment rule.
Crime:
Courts are split on whether a crime policy provides coverage for theft of monies by use of a computer. Some Courts have found coverage in a crime policy. In Medidata Solutions, Inc. v. Federal Insurance Co., No. 15-CV-907 (U.S.D.C., S.D.N.Y. July 21, 2017), the New York Federal Court found coverage under a crime policy for social engineering induced fraudulent funds transfer when a computer code was used to alter emails. The decision was affirmed on appeal.
Other courts, however, have found that the crime policy does not provide coverage. In Taylor & Lieberman v. Federal Ins. Co., 2017 WL 929211 (9th Cir. Mar. 9, 2017) (unpublished), the Ninth Circuit held that an accounting and business management firm that fell victim to a social engineering fraud did not have coverage under any of the insuring agreements of a crime policy.
In InComm Holdings, Inc. v. Great American Ins. Co., 2017 WL 1021749 (U.S.D.C., D. Ga. Mar. 16, 2017), the Court found no coverage under a Computer Fraud policy for claims arising from a scheme involving a Prepaid Debit Card Plan.
In American Tooling Center, Inc. v. Travelers Casualty and Surety Company of America, Case No. 16-11208 (U.S.D.C., E.D. Mich. Aug. 1, 2017), a Michigan Federal Court found no coverage under a crime policy for social engineering-induced fraudulent funds transfer.
Call to Action:
Insurance agents need to review each and every insurance policy of a client for cyber coverage. Specifically, determine which P&C policies 1) define cyber and affirmatively provide coverage on a full or sub-limited basis, 2) define cyber and affirmatively exclude coverage or 3) have silent cyber. Start first with the insuring agreements and definitions and then examine what is excluded in each base form along with all the policy’s endorsements.
And most importantly, take a look at the “Other Insurance” provision for each policy. Standard language in most policies reads as follows:
“This insurance will be excess over any other insurance which also provides coverage for any claim, including any deductible provisions. However, any insurance specifically arranged by you to apply in excess of this insurance will not be deemed other insurance”.
This language is really problematic because, if each policy’s “Other Insurance” provision is on an excess basis, a claim may erode any and all other lines of insurance on a quota share basis. Insurance agents should therefore ensure that the “Other Insurance” provision in the cyber policy reads as follows:
“If an Insured is entitled to coverage under one or more valid and collectible bonds or other policies of insurance, then the coverage under this Policy will apply as primary insurance”.
To provide color on why the above is important, I will share a real-life scenario. I recently reviewed a professional service firm’s insurance policies. The firm maintained both an E&O and Cyber insurance policy.
The professional services firm’s E&O policy had a cyber coverage endorsement. The “Other Insurance” provision was explicitly excess of any valid and collectible insurance.
However, the professional service firm’s cyber insurance policy had the following endorsement, effectively causing the professional liability policy to erode as primary even for a cyber event, while the cyber insurance policy, which they specifically purchased for such risk, sat idle as excess coverage:
- Section II, Definitions, is amended by adding the following:
Professional Liability Insurance means any valid and collectible insurance which covers liability arising out of the Insured’s professional services as an accountant, architect, civil engineer, financial service provider, healthcare provider, insurance agent or broker, insurance carrier, lawyer, medical professional, real estate agent or broker, securities agent or broker, structural engineer, surveyor, or any other profession for which the Insured has obtained a policy specifically to cover liabilities arising out of such professional services. Professional Liability Insurance policies may be commonly referred to in the marketplace as Errors and Omissions policies, Miscellaneous Professional Liability policies, Professional Indemnity policies, Malpractice policies, or other related terms.
- Section XII, Other Insurance, is amended by adding the following:
Notwithstanding anything to the contrary, if any Costs, Damages, or Claims Expenses under this Policy are also covered under any other Professional Liability Insurance, or any policy stated to be specifically excess of such policy (collectively “Other Policies”), then this Policy shall specifically be treated as excess insurance over such Other Policies with respect to such Costs, Damages, or Claims Expenses. This Policy shall cover such Costs, Damages, or Claims Expenses, subject to the Policy terms and conditions, only to the extent that the amount of such Costs, Damages, or Claims Expenses are in excess of the amount afforded under the Other Policies, whether such Other Policies are stated to be primary, excess, contributory, contingent or otherwise.
Just like insurers, insurance agents need to evaluate each and every policy for cyber risk, how each policy interacts with other policies and which policy will first respond to a cyber claim. The last thing you want is for an insured to purchase standalone cyber insurance, only to see other lines of insurance erode first while the cyber insurance sits on the sideline.