As the number of data breaches and disclosure of personally
identifiable information (“PII”) increases, courts are being asked to decide
whether such claims for data breach and disclosure of PII are covered by
traditional commercial general liability (CGL) policies. Most often, companies
that have only traditional CGL policies argue that such claims should fall
under their policies’ coverage for “personal and advertising injury,” which is
typically defined as injuries arising out of the oral or written publication of
material that violates a person’s right of privacy.
Sony made this same argument in the recent case of Zurich American Insurance v. Sony
Corporation of America. Sony argued that coverage for a consumer class
action filed against Sony for a 2011 data breach of Sony’s PlayStation Network
should fall under its CGL policy’s coverage for “personal and advertising
injury,” which included the typical definition. A New York trial judge
disagreed, finding that the definition required “some kind of act or conduct by
the policyholder in order for coverage to be present.” Because the data breach
was committed by third-party hackers who broke into Sony’s security system,
rather than by an “act or conduct perpetuated by Sony,” the trial court held
that the policy did not provide coverage for the data breach claims against
Sony.
Courts in other jurisdictions have held otherwise, finding
that coverage under a CGL policy extended to claims for data breach and
disclosure of PII based upon each policy’s definition of “personal injury.” See, e.g., Netscape Communications Corp. v.
Federal Ins. Co., 343 Fed.Appx. 271 (9th Cir. 2009); Tamm v. Hartford Fire Ins. Co., 16
Mass.L.Rptr. 535, 2003 Mass. Super. LEXIS 214 (Mass. Super. Ct. 2003).
In response to the rising number of claims for data breach
and cyber coverage being filed, Insurance Services Office, Inc. (ISO) filed a
new set of exclusionary endorsements in many jurisdictions. These exclusionary endorsements,
which affect provisions under a CGL policy for “Bodily Injury and Property Damage”
(Coverage A) and “Personal and Advertising Injury Liability” (Coverage B), are
scheduled to take effect this month.
Insurers who issue these exclusionary endorsements will
likely argue that these provisions apply to and, therefore, exclude coverage
for any cyber liability or data breach claims. However, insurers will have to
prove that they do so. If insurers do not issue these exclusionary
endorsements, policyholders will likely argue that their traditional CGL
policies cover such claims; otherwise their insurers would have issued the
exclusionary endorsements based upon the ISO’s guidance. Only time will tell
how the varying jurisdictions will decide these issues.