Reducing Cyber-anxiety: Insurance Coverage for Cyber Risks

Jurisdiction: United States, Federal
Citation: Vol. 21 No. 6 Pg. 0012
Publication year: 2016
Georgia Bar Journal
April, 2016

A Look at the Law

By John L. Watkins

On Nov. 10, 2015, prosecutors in New York and Atlanta unsealed indictments accusing three men and hundreds of accomplices of stealing data on more than 100 million people from a national bank and other companies and a host of related crimes.[1] Unfortunately, such announcements have become routine, with a national retailer reporting in 2013 that 40 million debit and credit cards were compromised in a breach.[2] Even the federal government cannot keep the most sensitive data secure, and it recently announced a breach affecting the information of 21.5 million persons contained in security clearance files maintained by the Office of Personnel Management.[3]

As huge cyber breaches become routine, many businesses and organizations believe — with a false sense of security — they are not big or interesting enough for cyber threats, or that they do not possess the type of information sought by cyber criminals. However, an insurance industry expert recently reported that 50 percent of businesses reported being the victim of a cyber attack, and that 60 percent of recent attacks struck small and medium-sized businesses.[4] Although the specific statistics may be debatable, it is beyond dispute that small and medium-sized businesses also face cyber risks.

Typical Cyber Risks

Although a comprehensive catalog of cyber risks is beyond the scope of this article, the most common ones include the following:

• theft or exposure of personally identifiable information (PII) of customers, users or employees;[5]

• denial of, or limiting access to, computer resources;

• exposure of a business' own confidential information or trade secrets;

• exposure of a third party's confidential information or trade secrets;

• risks posed by viruses, Trojans or malware; and

• ransomware.[6]

Resulting Losses and Claims

Cyber risks can result in substantial losses directly to a business (first-party loss) as well as liability claims by others (third-party claims). Some of the potential losses and claims include the following.

First-Party Losses

A data breach or other cyber event likely will cause a business to incur substantial costs. These costs may include fees of computer forensic experts to determine the extent and source of the breach; fees of computer experts to restore data and electronic files; legal fees for determining legal obligations and strategies; costs of notifying potentially affected persons (required by many statutory provisions); costs of establishing and maintaining call centers to answer inquiries from affected persons; costs of third-party credit monitoring and related services; costs of hiring media and public relations consultants; costs of repairing or replacing computers, drives and other hardware; and costs of ransom payments.

In addition to these potentially significant costs, a cyber event may well put a company out of business for a significant period of time. The resulting loss of business income may be substantial. Further, a company may incur unplanned extra expenses in attempting to resume business.

Third-Party Claims

Many potential third-party claims may result from cyber events. For example, if a cyber attack results in unauthorized access to a person's bank account or credit card, there may be direct monetary loss. If a virus damages a customer's computer or server, there may be a claim for replacing tangible property. If a third party's confidential information and trade secrets are disclosed as a result of a cyber event, the third party has a potentially substantial claim for the resulting damages. Such a claim might be based on breach of a non-disclosure agreement, negligence or trade secret statutes. If a customer relies on access to the affected party's computer system or information maintained on that system to operate, lack of access may result in a claim for lost income or profit. A customer's own customers may be affected and demand refunds or compensation, all of which may in turn be passed on as additional claims. Statutes may provide separate or overlapping statutory remedies.

The scope of the risk of third-party claims depends in large part on the nature of the business and the number of potentially affected persons. Businesses handling large amounts of consumer or health information are naturally at greater risk. Large businesses with PII for many persons can expect a plethora of individual claims as well as potential class action litigation by affected users[7] and other affected parties.[8] Publicly traded companies face additional risks, as a data breach not only exposes a company to the aforementioned liabilities, but may also expose the company to shareholder lawsuits.

Other Potential Liabilities

Breaches often attract the interest of regulators and other governmental authorities. At a minimum, a business may need to respond to subpoenas and other requests for information, which can be costly. Governmental actors may seek to require the business to undertake responsive action and may also impose fines and penalties.

Coverage Under Traditional Business Policies

A business facing a cyber-based first-party loss or a third-party claim should immediately evaluate possible coverage under all of its existing business policies. These will generally include a commercial general liability (CGL) policy and a commercial property insurance policy. Businesses and their counsel should remember that insurers frequently attempt to deny claims—particularly in Georgia—for late notice, and should thus act diligently.[9]

Whether a cyber-related claim will be covered under a traditional business policy depends on many factors, including the basis of the claim and the policy language. As a general matter, however, it may be difficult to find coverage under traditional policies. The insurance industry is moving quickly to adopt new policy endorsements aiming to curtail or eliminate such coverage.

Coverage Under CGL Policies

Traditional CGL policies are usually written on forms prepared by the Insurance Services Office (ISO), an organization that prepares form policy language used by the insurance industry. CGL policies have two primary grants of coverage: Coverage A and Coverage B. Coverage A provides coverage for damages the insured is legally obligated to pay "because of 'bodily injury' or 'property damage.'"[10] Coverage B provides coverage for damages the insured is legally obligated to pay for "personal and advertising injury."[11] These coverages are discussed in more detail below.

Coverage A

Damages Because of "Bodily Injury"

"Bodily injury" is defined to mean "bodily injury, sickness or disease sustained by a person, including death resulting from any of these at any time."[12] Most cyber claims to date have not involved physical injury, but it is certainly possible that a plaintiff could allege suffering severe emotional distress as a result of disclosure of sensitive PII. However, Georgia case law indicates that purely emotional harm does not constitute "bodily injury" under a CGL policy.[13]

There is growing concern, however, about cyber attacks affecting not only information, but the operation of machinery, equipment and vehicles. Wired magazine recently reported that hackers were able to gain remote control of a late-model Jeep Cherokee, even to the point of disabling the car's transmission and brakes.[14] There are also concerns about cyber attacks affecting, for example, utilities and the power grid. If such incidents occur, they will likely lead to claims for bodily injury. In such instances, coverage for damages because of bodily injury, subject to possible exclusions, would come into play.

Damages Because of "Property Damage"

"Property damage" is generally defined in CGL policies to mean (a) "Physical injury to tangible property, including all resulting loss of use of that property," or (b) "Loss of use of tangible property that is not physically injured."[15] Further, "for the purposes of this insurance, electronic data is not tangible property," with electronic data including "information, facts or programs stored as or on, created or used on, or transmitted to or from computer software, including systems and applications software, hard and floppy disks, CD-ROMs, tapes, drives . . . or any other media which are used with electronically controlled equipment."[16]

Despite the "electronic data" limitation in the definition of "property damage," insureds have had some success in seeking coverage. The Eighth Circuit recently found coverage in a case alleging the defendant's web-based advertising services had caused the claimant's computer to be "taken over and could not operate," to freeze up and to "stop running or operate so slowly that it would, in essence, become inoperable."[17] The court found that there was no damage to the computer itself, but that there was coverage under the second part of the policy definition for "loss of use of tangible property that is not physically injured."[18]

There is, however, little indication in the case law that many cyber-related claims are being covered under CGL policies as property damage. Currently, most damages regarding reported cyber losses appear to be economic. In other contexts, the Georgia courts have ruled that purely economic loss is not property damage.[19] As noted, however, there are growing concerns about cyber attacks causing physical damage, so it is certainly possible there will be more cyber claims involving damages to tangible property.

Coverage B

Coverage B typically provides that the insurer "will pay those sums that the insured becomes legally obligated to pay because of 'personal and advertising injury' to which this...
