Given the recent significant data breaches at numerous retailers in the United States, multiple cases have addressed whether commercial general liability (CGL) insurance policies provide coverage for data breaches. Companies such as Target have already incurred significant expenses at the hands of a massive data breach. Any company subject to a similar situation faces the risk of incurring millions of dollars in fees and expenses. Generally, CGL policies provide coverage for damages for which the insured is liable due to bodily injury and/or property damage.
However, the foundation for data breach coverage under the CGL policy is often the coverage for personal and advertising injury, which includes injury from a “publication” that violates a person’s right of privacy. Questions for courts to determine are whether there was a publication, and whether the insured is required to have made the publication or whether a third party may do so. Overall, courts have been inconsistent on deciding whether these policies cover data breach losses.
In February 2014, a New York state court ruled that Zurich American Insurance Company did not have a duty to defend Sony under a CGL policy for liability arising out of the hacking of Sony’s PlayStation online services. The court analyzed the portion of the CGL policy providing coverage for “oral or written publication in any manner of material that violates a person’s right of privacy.” The court found that the hackers’ act of taking personal information constituted a publication, but coverage did not apply because the hackers, not Sony, were the actual publishers. Contrast that decision with decisions from courts in Maryland and California that have found that GCL coverage applied to insured’s liability for data breaches under the same publication provision.
With the growing frequency of data breaches and the increasing costs associated therewith, many insurance companies are revisiting their CGL policy forms and specifically excluding coverage for cyber-attacks and data breaches. As insurance companies move toward express exclusion of data breach coverage, GCL coverage will likely no longer be sufficient. If you need more information on this subject, contact Leslie Pescia, a lawyer in our Consumer Fraud Section, at 800-898-2034 or by email at Leslie.Pescia@beasleyallen.com.
Sources: Inside Counsel, National Law Review, and Law360
Contact us today for a free legal consultation with an experienced attorney.
Fields marked *may be required for submission.
If you would like to subscribe to the Jere Beasley Report digital edition, simply visit our Subscriptions page and provide the necessary information or call us at 800-898-2034.
Attorney Advertising - Prior results do not guarantee a similar outcome.