An emerging topic in insurance coverage litigation circles is insurance coverage for cyber loss. This article explains what exactly cyber loss is and the evolution of claims for cyber loss, from claims under traditional liability policies, leading up to the creation of new coverages that are specifically tailored to cyber loss.
It goes without saying that our world is becoming more electronic by the day. Not only are our social interactions moving the way of text messages and Twitter, but our work interactions are becoming more electronic, with the pencil and paper all but obsolete, giving way to our phone, our keyboard and our tablets. Similarly, in the last ten years our retail interactions have greatly changed, with trips to the store being replaced by trips to a website, even for items of everyday living. With each of these changing interactions, the risk of cyber loss and data breach increases. We all read the stories when they happened:
2011 — Sony Playstation is hacked with 102 million records compromised
2013 — Target is hacked with 110 million customer records compromised
2014 — Home Depot has 56 million point of sale payment processors compromised
2014 — Sony Pictures is hacked and millions of bytes of internal data – private information to financial information – are leaked
2015 — Anthem is hacked with up to 80 million records compromised
These stories were terrifying, not only for the multi-million dollar companies who were the victims, but also for the mid-size and small companies that were increasingly relying on electronic means to run their companies in the most cost efficient way.
In my world of insurance coverage litigation, these stories led lawyers – both representing policy holders and insurance companies – to one question: are these incidents covered under a typical business liability policy? The answer to that question is not so straight forward.
What is Cyber Loss?
Let’s start at the beginning – what is a “cyber loss,” and how is that term defined in the context of insurance coverage? The term and the concept are still, relatively speaking, in its infant stages when you talk about litigation. While so-called cyber policies have been around for several years, even dating back to the late 1990s and the Y2K phenomenon, there is a general lack of case law interpreting these policies and risks as compared to other, more traditional, insurance coverage topics.
Cyber loss is generally defined as any loss that arises out of the use of information technology or electronic equipment. The most well-known type of cyber loss are the examples we just spoke about – a data breach compromising company information or customer information. But there are other types of cyber loss as well.
A virus that is injected into a company’s server that causes a loss of electronic data and ceases the company’s operations for hours, days or longer. A lightning strike or electronic surge that causes loss of data and disruption to operations. With every change interaction that makes us more dependent on computers and electronics in general, these risks become more important to insure against.
The damages that can be caused by these types of issues are more than you might initially think. The damage that everyone thinks of is the loss of business income because of the downtime caused by the interruption. But what about the reimbursement to the customers whose data is breached? What about the attorney fees expended in defending claims brought by those customers? What about the cost to repair hardware? What about the cost to replace software and data? What about the administrative expenses associated with these breaches? All of these losses are potentially losses that could be covered by insurance.
Does Traditional General Liability Cover This?
So you might be thinking – does my traditional general liability policy cover this loss? If it doesn’t, why doesn’t it? Well, the answer to those questions have evolved over the years, and continue to evolve. The majority of cases nationwide follow a traditional view of the law, and hold that your typical general liability policy does not cover these types of losses. While many courts have looked at this issue and taken different avenues to the same result, the general thought process is very similar and very simple.
If you open your typical general liability policy and look at the first party insuring agreement, more than likely you’re going to see some variation of the following language, “This policy coverage provides coverage for direct physical loss or damage that has occurred to property located at the premises described in the policy.”
Most courts, typically early courts — early to mid-2000s — looking at cyber loss held that loss of electronic data was not recoverable unless you had some associated loss to tangible property. In other words, you’re not going to have coverage for loss of data stored on your server unless you can show me that your server – tangible property that I can touch – was scratched, broken, or in some way tangibly damaged.
In a famous case on this issue, the 4th circuit made the analogy to a combination lock. If you forget the combination to your lock, the lock becomes useless. But that doesn’t mean the lock has been physically damaged, and if you retrieve or reset the combination, that lock can be used again. The early courts saw no difference when talking about data loss or damage to software. If the hardware hasn’t been damaged, then there’s no reason you can’t reconfigure or retrieve data and make it operate properly again. Thus, there is no property damage and thus, no loss under the liability policy.
Later courts have taken a more progressive view. Loss of use and loss of function was property damage. And those courts, by and large, looked to the criminal code where there are statutes authorizing prosecution for theft of this information. Those courts reasoned that if you can charge someone with a crime for taking this information, then it stands to reason that you can call it property damage when it’s lost. If you treat it as property criminally, you should treat it that way for insurance purposes as well.
That progressive view is the minority when talking about general liability policies, however, that discussion has been somewhat trumped by the introduction of a new insurance product – cyber coverage. Most insurers now offer coverage against loss of electronic data or other cyber loss in some form or another. Many times, the loss that the insurer is protecting against is loss occurring by computer fraud. But more recently, the insuring terms are broader and increasingly protect against loss of data or loss of revenue by accidental outages or events.
This is a rapidly evolving area of the law. The early returns are that courts are looking at these coverages broadly, and are particularly concerned about affording coverage for the loss that was contemplated when the policy holder bought the coverage. For instance, some courts have found that the loss of customer data is not excluded by a “proprietary information” exclusion. These courts reason that customer data is not “proprietary information” to the retailer who took out the policy, and in fact, is the exact type of loss that the policy was intended to cover against.
However, these issues are rapidly evolving.