Introduction
In 2014 "Cyber-insurance takes off" examined the growing number of cyber-attacks and the insurance industry's somewhat cautious response to the pace of these trends. In the year since the update was published, cyber-attacks have become even more frequent and damaging. According to the latest report by the Ponemon Institute, the average cost of data theft is approximately $3.8 million, a 23% increase compared with the previous year.(1) Consequently, many of the arguments regarding the need for cyber-insurance have been bolstered. The insurance industry has responded, with more carriers than ever now offering cyber-specific policies. Despite this, much remains unclear in the industry, on both the legal and underwriting sides. To the extent that courts are finding that commercial general liability (CGL) policies do not cover cyber-attacks, insurers continue to look for areas to craft wording that is responsive to the emerging threats while staying true to proven risk management structures.
This update:
- provides an overview of the case law developments in the past year – specifically, those cases which dealt with a CGL policy and its implications when an insured seeks coverage for a cyber-attack;
- examines one of the first cases to deal explicitly with coverage sought under a cyber-specific policy and the potential lessons that can be learned from it; and
- examines the motivations behind some of the cyber-attacks which have occurred in the past year and the potential ramifications of these attacks.
In Zurich American Insurance Company v Sony Corporation of America, Sony sought coverage from its insurers under its CGL policy.(2) The trial court ruled that the acts of third-party hackers did not constitute "oral or written publication in any manner of the material that violates a person's right of privacy". This summer, the case settled before the appeal court could reach a decision. As the terms of the settlement were not released, it is difficult to assess Sony's potential impact. Despite the trial court's ruling that coverage was not triggered, policyholders will likely continue to look for any available coverage, including under CGL policies, in the face of the severity and frequency of cyber-attacks.
While not a cyber-attack in the sense that there was no online breach, a recent case in the Connecticut Supreme Court is instructive for addressing CGL coverage for a data breach. In Recall Total Information Management Inc v Federal Insurance Co, data management company Recall Total Information Management had an agreement with IBM Corporation to store tapes containing private information regarding current and former IBM employees.(3) The insurers in the case issued CGL policies to Recall's subcontractor, a trucking company, which transported the tapes. In 2007 a cart on a transport van, holding tapes which contained private information for hundreds of thousands of IBM employees, fell out of the back of the van and was subsequently retrieved by an unknown individual. Although there was no evidence that anyone accessed the content of the tapes, IBM spent $6 million in an attempt to mitigate damages, including purchasing identity theft services for the affected individuals. IBM subsequently sought reimbursement from Recall Total.
Similar to Sony, IBM alleged that the loss of the computer tapes constituted a personal injury, defined as "injury... caused by an offense of... electronic, oral, written or other publication of material that... violates a person's right of privacy". The trial court held (and the appeal and supreme courts affirmed) that IBM's losses were not covered by the personal injury clauses of the CGL policies because the information stored on the tapes was not published. It is unclear whether Recall Total offers any guiding principles for ordinary cyber-attack scenarios. However, the case is notable for the fact that – as in Sony – the court found that the negligent actions of the insured did not constitute a publication and were thus not covered under the policies.
Another pending case that involves CGL coverage and is emblematic of the ongoing legal battle is Travelers Indemnity Company of Connecticut v PF Chang's China Bistro Inc.(4) Three class actions were filed after a security breach of the restaurant chain's card processing systems, which was later determined to have occurred between October 2013 and June 2014. PF Chang's was alerted to the breach by the Secret Service and worked with federal officials and third-party forensic experts to determine the cause and extent of the breach. Thousands of credit card and debit card numbers had been stolen, along with the cards' magnetic stripe information. The three class actions – two filed in Illinois (later consolidated into one) and one in Washington – allege that PF Chang's failed to implement sufficient security measures in an effort to save money, and that the failure to do so was the proximate cause of the data breach. PF Chang's gave notice to Travelers, which had issued CGL policies to the restaurant. Travelers filed its declaratory action in federal court in Connecticut, alleging that:
"The lawsuits fail to trigger coverage under the policies because they do not allege 'bodily injury' or 'property damage' caused by an 'occurrence,' nor do they allege 'advertising injury' or 'personal injury' as the policies expressly and unambiguously define those terms."
If anything, these cases highlight the general understanding within the insurance industry, as stated by Insurance Information Institute President Robert Hartwig, that the costs associated with "these types of breaches are not covered under a standard general liability policy".(5) In light of this fact, from industry to industry, companies are increasingly making cyber-insurance policies a priority in their risk management strategies, seeking cyber-coverage that is, by necessity, more narrowly tailored to fit their specific needs. Indeed, the policies themselves are drafted to cover a variety of potential costs, including notification, forensic investigations, public relations, potential litigation, credit monitoring and crisis management.
As more companies purchase cyber-specific insurance, disputes over whether cyber-attacks are covered under a CGL policy will become more infrequent and insignificant. The next wave of cases, as exemplified in Columbia Casualty Company v Cottage Health System, will focus on the specific coverage within the wordings of cyber-policies themselves and the parties' respective understandings of the risk insured.(6)
Columbia Casualty and cyber-specific coverage disputes
The litigation in Columbia Casualty arose from a breach to the servers of Cottage Health System. A class action was filed alleging a violation of California's Confidentiality of Medical Information Act and stating that "the confidential medical records of approximately 32,500 patients at the hospitals affiliated with [Cottage] were negligently disclosed and released to the public on the Internet". The class action settled for approximately $4 million in April 2015.
As background, Cottage had purchased CNA Financial's NetProtect360 cyber-insurance policy with limits of $10 million, which provided coverage for 'privacy injury claims'. CNA funded the settlement pursuant to a reservation of rights and then sought reimbursement from Cottage, declaring that it was not obligated to provide Cottage with any defence or indemnification payments. According to CNA's complaint, Cottage represented to CNA that it would implement procedures and risk controls to check and maintain security measures. CNA apparently believed that Cottage failed to do so and denied coverage, based on:
- an exclusion for "Failure to Follow Minimum Required Practices"; and
- a defence based on misrepresentation – namely, that Cottage misrepresented materials facts in its application for coverage.
The exclusion dictated that the insurer would not be liable for "any failure of an Insured to continuously implement the procedures and risk controls identified in the Insured's application".
CNA alleged that, among other omissions, Cottage failed to:
- "continuously implement the procedures and risk controls identified in its application";
- "regularly check and maintain security patches on its systems"; or
- "enhance risk controls".
Regarding the misrepresentation defence, CNA alleged that "Cottage's application for coverage under the [policy] contained misrepresentations and/or omissions of material fact", and that "the data breach at issue... was caused by Cottage's failure to maintain the risk controls identified in its application".
The Columbia Cottage litigation was recently dismissed without prejudice because the NetProtect360 policy included a mandatory alternative dispute resolution (ADR) provision for disputes between the insured and insurer. The federal judge granted Cottage's motion to dismiss, holding that CNA had failed to exhaust all non-judicial remedies, including the ADR provision, before filing its declaratory judgment action. Nonetheless, the original pleaded action is instructive concerning the types of issue that may arise in future litigation.
One of the greatest developments over the past year has been an acknowledgment of the changing motives of hackers and what this means to the industry at large. When discussing recent cyber-attacks, Amica's chief information security officer, Gil Bishop, recently stated: "perhaps the greatest impact of these events is the confirmation that we're no longer dealing with just profit-motivated cyber threats." As a result, he says: "risk analysis has to become more sophisticated and move beyond simply considering the 'street value' of given customer data."(7) As noted above, because of the inherent complexities in cyber-attacks, use of off-the-shelf cyber-policies is highly inadvisable. Recent cyber-attacks, including those on health insurers Anthem and Premera – which were allegedly carried out by state-sponsored Chinese perpetrators, potentially operating as part of a broad intelligence-gathering mission – further highlight the need to tailor policies to deal with an insured's specific needs.
More famously, in July adult cheating website Ashley Madison suffered a devastating cyber-attack that resulted in hackers publishing private details of close to 40 million users. The information included names, phone numbers, email addresses and other highly personal information. Also in July, hackers – self-described as "social justice warriors" – twice attempted to infiltrate the servers of Planned Parenthood in order to gain access to internal emails and procedures. While these attacks are just two of hundreds that took place over the last year, they stand out for one reason: motive. The Ashley Madison attack was carried out by an organisation called the Impact Team, which took issue with the site's pricing system. Planned Parenthood, in a statement, said that the hackers responsible for their attack were "extremists who oppose Planned Parenthood's mission and services".(8) These two attacks signal a potential move away from hackers attempting to infiltrate a system for pure profit to attacking an organisation in an attempt to destroy it – a practice also known as 'hacktivism'. Organisations that may have enemies must take a look at ways to protect their data.
A potential side effect from these types of attack is the loss in brand value and consumer confidence that can affect the insured more than the financial losses. According to a survey from American International Group, 85% of corporate risk managers and other executives in the United States are more concerned about reputational damage than any other risk.(9) Another report from Deloitte echoes these sentiments, with 41% of companies saying that the most significant consequence of a reputation-damaging event was loss of revenue.(10) In light of this information, perhaps the biggest remaining question is: is this an insurable risk? In other words, is it possible to quantify the loss of reputation into an insurable event? It will be interesting to see how the industry responds to the changing motivations of hackers and the losses that occur from these breaches.
If there are any takeaways from the past year in developments in the cyber-insurance industry, one is that challenges continue, but the industry continues to look for opportunities. The CGL cases, initially viewed as important benchmarks, are potentially receding in importance due to the purchase of cyber-specific insurance. However, disputes surrounding these cyber-polices, as exemplified by Columbia Cottage, appear to be the next front in a growing squall of litigation.
Further, with the rise in hacktivism, insureds will be looking to tailor their policies to cover specific and varied risks, further complicating an already diverse and developing industry. Over the next few years, insureds and their insurers will keep a close watch on the variations in the types of attack, the coverage available and purchased, and how the courts handle what could be the next wave of disputes as cyber-security vulnerabilities put pressure on cyber-insurance coverages.
For further information on this topic please contact Margaret Reetz, Robert M Flannery or Douglas Giombarrese at Mendes & Mount LLP by telephone (+1 212 261 8000), fax (+1 212 261 8750) or email ([email protected], [email protected] or [email protected]). The Mendes & Mount website can be accessed at www.mendes.com.
Endnotes
(1) IBM, "Security Services Research," available at www-03.ibm.com/security/data-breach/.
(2) Zurich Am Ins v Sony Corp of Am, 2014 NY Misc LEXIS 5141 (NY Sup Ct 2015).
(3) Recall Total Information Management Inc v Federal Insurance Co, 2015 WL 2371957 (Conn May 26 2015).
(4) Travelers Indemnity Company of Connecticut v PF Chang's China Bistro, 3:14-cv-01458-VLB (D Conn 2014).
(5) Matthew Sturdevant, "Travelers Says Liability Policy Doesn't Cover P.F. Chang's Data Breach", Hartford Courant, October 10 2014, available at www.courant.com/business/connecticut-insurance/hc-travelers-p-f-chang-data-breach-20141009-story.html.
(6) Columbia Casualty Co v Cottage Health System, 2:15-cv-03432 (CD Cal 2015).
(7) Sharon Goldman, "Cybersecurity: What Insurers Are Getting Right... Or Not", Insurance Networking News, August 18 2015, available at www.insurancenetworking.com/news/risk-management/cybersecurity-what-insurers-are-getting-right-or-not-36299-1.html.
(8) Abby Olheiser and Andrea Peterson, "Planned Parenthood's Web site on the defense after hacking claims", The Washington Post, July 27 2015, available at www.washingtonpost.com/news/the-switch/wp/2015/07/27/planned-parenthoods-web-site-on-the-defense-following-hacking-claims/.
(9) Caitlin Bronson, "Ashley Madison hack heightens what's at stake for cyber liability", Insurance Business America, July 21 2015, available at www.ibamag.com/news/ashley-madison-hack-heightens-whats-at-stake-for-cyber-liability-23283.aspx.
This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide. Register for a free subscription.
