Recent Cases Highlight Need for, and Potential Limitations of, Cyber Insurance Policies

Although the July 2015 hack of the Ashley Madison adultery-oriented online dating service has brought issues regarding the protection of customer data to the popular forefront, insurance coverage law as it relates to cybersecurity and privacy is still in its nascent stage. Litigation surrounding third-party data breaches is often extremely fact-specific, with outcomes varying wildly depending on the nature of the cyberattack and the harm suffered. This raises interesting issues with respect to the scope of insurance coverage, especially given that coverage in this area is not generally issued on standard forms. Three recent cases may prove to be important for both insurers issuing such coverage and for businesses seeking to insure themselves and their customers against privacy incursions.
First, as exemplified by Travelers Indem. Co. of Conn. v. P.F. Chang’s China Bistro, Inc., No. 3:14-cv-01458 (D. Conn., filed Oct. 2, 2014), a general commercial liability policy may not provide coverage when hackers have breached customer data in the possession of the insured business. In that action, Travelers sought a declaratory judgment that three class action lawsuits brought by P.F. Chang’s customers following the theft of their credit and debit card information fell outside the scope of its coverage. Travelers argued that the explicit terms of the general liability policy maintained by P.F. Chang’s covered only “bodily injury” or damage to “tangible property.” Because the stolen electronic data did not involve physical or tangible injury, Travelers claimed it had no duty to defend. While the case was stayed by order on April 28, 2015, until resolution of all appeals regarding the underlying class action lawsuits (which were dismissed on standing grounds), it illustrates that policyholders likely need to purchase a separate cyber insurance policy that expressly covers technology-related risks.
Even if cyber insurance is purchased, businesses need to be mindful of the terms and conditions of such policies, which are not uniform throughout the insurance industry. In Columbia Cas. Co. v. Cottage Health Sys., No. 2:15-cv-03432 (C.D. Cal., filed May 7, 2015), Columbia Casualty (“CNA”) argued that it had no obligation to defend or indemnify Cottage Health against a class action and regulatory investigation tied to a data breach that exposed patients’ medical records—despite the presence of a cyber insurance policy. As alleged by CNA, the policy maintained by Cottage Health required that it follow certain “Minimum Required Practices” and “maintain all risk controls” identified in connection with its insurance application. Because Cottage Health purportedly stored medical records on a system that was fully accessible to the internet but failed to utilize encryption software or regularly maintain security patches on its systems, CNA claimed that coverage was properly denied under the policy’s exclusions.
Before these arguments could be resolved, Cottage Health successfully moved to dismiss the action without prejudice due to CNA’s failure to participate in a mandatory alternative dispute resolution process prior to the filing of its lawsuit. See 2015 WL 4497730 (C.D. Cal. July 17, 2015). Because virtually every cybersecurity incident results from a failure to maintain sufficient security, the substance of CNA’s argument will likely reappear in future litigation even if the case is not revived following the mediation.
Moreover, cyber insurance coverage could be negated in the event that the losses result from the type of intentional conduct that was at issue in Travelers Prop. & Cas. Co. of Am. v. Fed. Recovery Servs., Inc., No. 2:14-cv-170 (D. Utah, filed March 7, 2014). The cyber insurance policy in that action provided coverage against only “error, omission or negligent act.” Because the insured had intentionally withheld customer data that it was required to produce as part of an asset transfer agreement, leading to the underlying lawsuit, the district court ruled that its conduct did not “sound in negligence” and thus fell outside of the cyber insurance policy it had purchased. See --- F. Supp. 3d ----, 2015 WL 2201797, at *4 (D. Utah May 11, 2015). This result further illustrates the need for a careful eye when evaluating potential cyber insurance policies and the need for measured conduct when addressing cybersecurity and data privacy issues.