Cyber risk is a hot and evolving topic in risk management. With available coverage products and the law still emerging, policyholders need to be vigilant to ensure they’re adequately protected.

KCIC recently discussed this expansive topic with individuals offering two different perspectives: Lon Berk, Partner at Hunton & Williams, and Laura Foggan, Partner at Wiley Rein, LLP.

Together, they gave a presentation that I attended in May at the 2015 Annual Meeting of the American College of Coverage and Extracontractual Counsel (ACCEC). I enjoyed it so much that I wrote about in a previous post.

In this first of two installments, we talked about cyber coverage issues in the context of general liability policies:

Elizabeth: What are some things a policyholder needs to be aware of if you’re relying on a current Commercial General Liability (CGL) for cyber and data breach coverage?

Lon: Look for any exclusions. The insurance industry is trying to insert them to narrow the scope of cyber and data breach coverage available under traditional policies, which were meant to cover your business risks – first-party losses and third-party responsibilities. The question is: where do cyber risks fit into this scheme? By inserting exclusions for cyber coverage into traditional policies, insurers are trying to transfer coverage for that risk into other products.

Thus, we’re seeing new cyber-specific policies, but that’s a new area. There aren’t many standard forms yet. Policyholders should be aware that what’s covered under a cyber policy may dictate how broadly exclusions in traditional policies are interpreted — and conversely.

Laura: That’s an interesting observation. As a practical matter, we see instances where specialized coverage doesn’t cover every exposure, so then policyholders attempt to fall back on their CGL. I agree you need to look for exclusions. Also, be mindful that even CGL policies without exclusions weren’t written for cyber coverage.

Elizabeth: What have the courts decided on some of these issues — in favor or against coverage on traditional policy language?

Laura: Policyholders seek to obtain CGL coverage not only for private suits following a data breach, but also for their substantial exposures under agreements that may allow credit card processors to impose charges on them in the event of a data breach. Courts have split on these issues, but some high-profile cases recently have found no coverage. Both Coverage A (Third-Party Property Damage) and Coverage B (Personal and Advertising Liability) are being tested in litigation.

Lon: Under First-Party Property Policies, there’s always been coverage for data loss (from a fire, for example) and computer crime. But with so many headlines about hackers, that threat has become, perhaps, the prevalent source of concern and led to exclusions and emergence of specialized products for all cyber-related loss. If a policyholder experiences a breach, and clients sue for loss of data, the question becomes: is data stored on your computers considered tangible property such that Coverage A of CGL applies? To me, I think the better answer is “yes” — because what’s been destroyed is a physical configuration that represented your customers’ data. I know Laura would argue that it’s not, and the courts have been split on the issue. There are a lot of philosophical and legal arguments. We also see cases that address this in other contexts — for example, copyright and some recent Fourth Amendment cases that treat data or code as tangible.

Laura: Since 2001, most CGL policies have specifically provided that “electronic data is not tangible property”. A number of cases have upheld that same conclusion about the meaning of “property damage” under polices issued before 2001, but some have ruled that data is tangible. This is another area where insurers are clarifying intent in more recent CGL polices.

Elizabeth: What other kinds of cyber-related limitations or exclusions are common in CGL policies?

Laura: Since 2004, coverage has been eliminated by an exclusion in most CGL policies for “[d]amages arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.” Assuming this is applied as written, Coverage A should not afford coverage under post-2004 policies with this exclusion regardless of how the definition of “property damage” is construed.

Lon: The 2004 exclusion can be an obstacle. But, surprisingly, not every policy since then includes that exclusion.

Elizabeth: What about Coverage B?

Laura: This is where we’ve seen action in the courts. Policyholders are testing whether claims arising from a data breach can fall under the “personal or advertising injury” coverage found in CGL policies. There are many coverage issues posed by these cases, and the early court rulings are mixed. An interesting one was the Recall Total Management Case in Connecticut. Tapes containing private information of IBM employees (Recall Total is an IBM contractor) fell out the back of a truck. The claims were to regain costs associated with notification and remedial measures, and the decision was that Coverage B was not implicated.

Going forward, most policies will also have an exclusion that makes clear there is no coverage under Coverage B. In May 2014, the Insurance Services Office, Ltd. (ISO) issued a set of exclusions to be included in CGL policies to bar coverage for claims “arising out of any access to or disclosure of any person’s or organization’s confidential or personal information”. These are meant to confirm the intent that CGL policies are not written to cover suits arising from data breaches. However, it may take a while before this exclusion makes its way into policies. Even after it does, policyholders undoubtedly will seek to litigate its scope in specific instances.

Elizabeth: Final words of advice?

Lon: Continually evaluate your risk, read all of your existing policies carefully — paying particular attention to exclusions — and consult regularly with a broker, risk manager and insurance coverage counsel to be sure you’re getting the coverage you need.

Laura: I think we can agree:  “read your policy” is fundamental to any advice. In CGL policies, limitations in coverage grants, as well as exclusions, may bar coverage in cyber loss settings.

In our next post, we’ll discuss what you need to consider when evaluating coverage written specifically for cyber liabilities.