Does your company have ‘Data Breach’ insurance?


By The Inside Counsel

According to the Ponemon Institute, the average total organizational cost for a data breach in the United States in 2014 is $5.85 million. Forbes reports that Target has incurred costs of $236 million related to the December 2013 breach, with some analysts predicting the total cost of the breach, including attorneys’ fees and liability from lawsuits, to exceed $1 billion. Some of Target’s costs will be offset by applicable insurance policies, but the financial impact will be prodigious. The frequency and cost of data breaches are growing exponentially, yet cyber insurance premiums make up only a fraction (less than 1/600) of the world’s total non-life insurance premiums. In light of the recent tidal wave of breaches, it is essential that your company has adequate insurance to cover a data breach.

Many companies have comprehensive general liability (CGL) insurance policies and assume that they are protected. While there are circumstances under which CGL policies cover losses related to a data breach, courts have been inconsistent in deciding whether these policies cover data breach losses. There are limited court decisions on this issue; however, the courts have gradually shifted from favoring the policyholders to favoring the insurance carriers. It is therefore important to understand how the courts have recently ruled on questions of insurance coverage for cyber losses.

In February 2014, a New York state court ruled that Zurich American Insurance Company did not have a duty to defend Sony under a CGL policy for liability arising out of the hacking of Sony’s PlayStation online services. The court analyzed the portion of the CGL policy providing coverage for “oral or written publication in any manner of material that violates a person’s right of privacy.” The court found that the hackers’ act of taking personal information constituted a “publication,” but coverage did not apply because the hackers, not Sony, were the actual “publishers.” The court ultimately concluded that “publication in any manner” did not include the actions of the third-party hackers.

CGL coverage for a data breach was denied in a 2014 Washington case on different grounds. A class action was filed against Coinstar for the marketing and dissemination of customers’ personal information, alleging that this use of customers’ personal information by a Coinstar subsidiary constituted a violation of the federal Video Privacy Protection Act. Coinstar’s insurer, National Union Fire Insurance Company, filed a declaratory judgment action asking the court to find that there was no insurance coverage. The Washington District Court ruled that an exclusion in the CGL policy for violation of a statute “that addresses or applies to the sending, transmitting or communicating of any material or information, by any means whatsoever” precluded coverage for the allegations concerning the Act.
