United States: Data Security Breaches: Are You Covered?

Data security breaches can have a significant impact a company's bottom line. While larger corporations may be able to sustain the financial hit, small to mid-size corporations can be significantly impacted from the financial blow. A corporation may think that its first line of defense to negate these costs is its Commercial General Liability Insurance policy ("CGL policy"). Coverage for such losses, however, is not guaranteed.

Whether data breaches are covered by a company's CGL policy has been regularly litigated over the last few years without producing clear results. Indeed, in April of this year, while pending on appeal, Zurich Am. Ins. Co. settled a lawsuit with its insured, Sony Corporation of America, where Sony sought coverage for a data breach. See Zurich Am. Ins. Co., et al. v. Sony Corp. of Am., et al., Index No. 651982/2011 (N.Y. Sup. Ct. February 21, 2014).

A standard-form CGL policy typically provides coverage for sums that an insured is required to pay as damages due to property damage, bodily injury, and personal and advertising injury. Often times, electronic data is specifically excluded from the definition of property damage. Indeed, ISO Form CG 00 01 04 13 (2012), Section V, § 17 provides:

For the purposes of this insurance, electronic data is not tangible property. As used in this definition, electronic data means information, facts or programs stored as or on, created or used on, or transmitted to or from computer software, including systems and applications software, hard or floppy disks, CD-ROMS, tapes, drives, cells, data processing devices or any other media which are used with electronically controlled equipment.

When litigated, these exclusions have routinely been upheld. See, e.g., Liberty Corp. Capital Ltd. v. Sec. Safe Outlet, Inc., 937 F. Supp. 2d 891 (E.D. Ky. Mar. 27, 2013); Recall Total Info. Mgmt. v. Fed. Ins. Co., 2012 Conn. Super. LEXIS 227, at *1, 5 (Super. Ct. Conn. January 12, 2012), aff'd, May 26, 2015.

In addition, many CGL-policies contain an electronic data exclusion. Under the exclusion, damages "arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data", are specifically excluded from coverage. See ISO General Liability Form, CG 00 01 04 13 (2012), Section I, Coverage A, § 2.p. As a result, the majority of data breach claims are not covered by a traditional CGL-policy.

Understanding insurance coverage is key to protecting a company against the financial injury that can result from a cyber-attack. In order to help ensure insurance coverage in the event of a data breach, companies should start by reviewing their CGL-policies. Companies should then contact their insurance company and ask whether certain types of cyber-attacks are covered.   Companies should also discuss whether adding an electronic data liability endorsement and/or an electronic data liability coverage form is right for them.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.