Cyber-Insurance: Latest Developments
A year ago, we published an article highlighting the growing number of cyber attacks and the insurance industry’s somewhat cautious response to the pace of these trends.(1) In the year since that article was published, cyber attacks have become, if anything, more frequent and more damaging. According to the latest report by the Ponemon Institute, the average cost of data theft is approximately $3.8 million, representing a 23% increase compared with data from the previous year.(2) In this way, many of the arguments regarding the necessity for cyber insurance have only been bolstered. The insurance industry has responded, with more carriers than ever now offering cyber-specific policies. Despite this, however, much remains unclear in the industry, on both the legal and underwriting sides. To the extent that courts are finding that Commercial General Liability (CGL) policies do not provide coverage for cyber attacks, insurers continue to look for ways to craft wording that is responsive to the emerging threats while staying true to proven risk management constructs.
This article provides an overview of the developments in the case law in the past year, specifically those cases which have dealt with a CGL policy and its implications when an insured seeks coverage for a cyber hack. Secondly, the article will examine one of the first cases to deal explicitly with coverage sought under a cyber-specific policy and the potential lessons that can be learned from it. Finally, the article will examine the motivations behind some of the cyber hacks which have occurred in the past year, and the potential ramifications from these attacks.
In Zurich American Insurance Company v. Sony Corporation of America,(3) the case that served as the starting point for the previous article, Sony sought coverage from its insurers under its CGL policy. The trial court ruled that the acts of third-party hackers did not constitute “oral or written publication in any manner of the material that violates a person’s right of privacy.” This summer, the case settled before the appellate court could reach a decision. As the terms of the settlement were not released, it is difficult to assess any potential impact Sony will have going forward. Despite the trial court’s ruling that coverage was not triggered, policyholders likely will continue to look for any available coverage, including under CGL policies, in the face of the severity and frequency of cyber attacks.
While not a “cyber attack” in the sense that there was no online breach, a recent case in the Connecticut Supreme Court is instructive and notable for addressing CGL coverage for a data breach. In Recall Total Information Management Inc. v. Federal Insurance Co.,(4) Recall Total Information Management, a data management firm, had an agreement with IBM Corporation to store tapes containing private information regarding current and former IBM employees. The insurance companies in the case issued CGL policies to Recall’s subcontractor, a trucking company, which transported the tapes. In 2007, a cart holding tapes that contained private information for hundreds of thousands of IBM employees fell out of the back of a transport van; the tapes were subsequently retrieved by an unknown individual. Although there was no evidence that anyone accessed the content of the tapes, IBM spent $6 million in an attempt to mitigate damages, including purchasing identity theft services for the affected individuals. IBM subsequently sought reimbursement from Recall Total.
Similar to the Sony case, IBM alleged that the loss of the computer tapes constituted a “personal injury,” defined as “injury . . . caused by an offense of . . . electronic, oral, written or other publication of material that . . . violates a person’s right of privacy . . . .” The trial court held, and the appellate and Supreme courts affirmed, that IBM’s losses were not covered by the personal injury clauses of the CGL policies because there had been no “publication” of the information stored on the tapes. In a sense, it is unclear if Recall offers any guiding principles for regular cyber hacking scenarios. However, it is notable for the fact that another court, in addition to Sony, has found that the negligent actions of the insured did not constitute a “publication” and are thus not covered under the policies.
Another pending case that involves CGL coverage and is emblematic of this ongoing legal battle is Travelers Indemnity Company of Connecticut v. P.F. Chang’s China Bistro Inc.(5) Three class-action lawsuits were filed after a security breach of the restaurant chain’s card processing systems, which was later determined to have occurred between October 2013 and June 2014. P.F. Chang’s was alerted to the breach by the Secret Service and worked with federal officials and third-party forensic experts to determine the cause and extent of the breach. It was determined that thousands of credit card and debit card numbers were stolen, along with the cards’ magnetic stripe information. The three class-action lawsuits, two filed in Illinois (later consolidated into one) and one in Washington, allege that P.F. Chang’s failed to implement sufficient security measures in an effort to save money, and that the failure to do so was the proximate cause of the data breach. P.F. Chang’s gave notice to Travelers, which had issued CGL policies to the restaurant. Travelers filed its declaratory action in federal court in Connecticut and has alleged that: “The lawsuits fail to trigger coverage under the policies because they do not allege ‘bodily injury’ or ‘property damage’ caused by an ‘occurrence,’ nor do they allege ‘advertising injury’ or ‘personal injury’ as the policies expressly and unambiguously define those terms.”
If anything, these cases highlight the general understanding within the insurance industry, as stated by Robert Hartwig, an economist and president of the Insurance Information Institute, that the costs associated with “these types of breaches are not covered under a standard general liability policy.”(6) As noted previously, in light of this fact, companies across industries are increasingly making cyber-insurance policies a priority in their risk management strategies, seeking “cyber coverage” that is, by necessity, more narrowly tailored to fit their specific needs. Indeed, the policies themselves are drafted to cover a variety of potential costs, including notification, forensic investigations, public relations, potential litigation, credit monitoring, and crisis management, to name a few.
As more and more companies purchase cyber-specific insurance, then, the disputes over whether hacks are covered under a CGL policy will become less frequent and less significant. The next wave of cases, as exemplified in Columbia Casualty Company v. Cottage Health System,(7) will focus on the specific grants of coverage within the wordings of cyber policies themselves and the parties’ respective understandings of the risk insured.
Columbia Casualty and Cyber-Specific Coverage Disputes
The litigation in Columbia Casualty arose from a breach to the servers of Cottage Health System. A class action was filed alleging a violation of California’s Confidentiality of Medical Information Act and stated “the confidential medical records of approximately 32,500 patients at the hospitals affiliated with [Cottage] were negligently disclosed and released to the public on the Internet.” The class action settled for approximately $4 million in April 2015.
As background, Cottage had purchased CNA’s NetProtect360 cyber insurance policy with limits of $10 million, which provides coverage for “privacy injury claims.” CNA funded the settlement pursuant to a reservation of rights and then sought reimbursement from Cottage, declaring that it is not obligated to provide Cottage with any defense or indemnification payments. According to CNA’s complaint, Cottage represented to CNA that it would implement procedures and risk controls to check and maintain security measures. CNA apparently believed that Cottage failed to do so, and is basing its denial of coverage on two main premises: 1) an exclusion for “Failure to Follow Minimum Required Practices” and 2) a defense based on misrepresentation, namely that Cottage misrepresented material facts in its application for coverage. The exclusion dictates that the insurer shall not be liable for “any failure of an Insured to continuously implement the procedures and risk controls identified in the Insured’s application . . .”
In particular, CNA alleges that Cottage failed to “continuously implement the procedures and risk controls identified in its application,” to “regularly check and maintain security patches on its systems,” and to “enhance risk controls,” in addition to “other things.” Regarding the misrepresentation defense, CNA alleges that “Cottage’s application for coverage under the [policy] contained misrepresentations and/or omissions of material fact” and that “the data breach at issue . . . was caused by Cottage’s failure to maintain the risk controls identified in its application . . .”
The Columbia Cottage litigation was recently dismissed without prejudice because the NetProtect360 policy included a mandatory Alternative Dispute Resolution (ADR) provision for disputes between the insured and insurer. The federal judge granted Cottage’s motion to dismiss, holding that CNA failed to exhaust all of the non-judicial remedies, including the ADR provision, before filing its declaratory judgment action. Nonetheless, the originally pleaded action is instructive concerning the types of issues that may arise in future litigation.
One of the greatest developments over the past year has been an acknowledgment of the changing motives of the hackers and what this means to the industry at large. When discussing recent cyber attacks, Amica CISO Gil Bishop recently stated, “perhaps the greatest impact of these events is the confirmation that we’re no longer dealing with just profit-motivated cyber threats.” As a result, he says, “risk analysis has to become more sophisticated and move beyond simply considering the ‘street value’ of given customer data.”(8) As noted above, because of the inherent complexities in cyber attacks, cookie-cutter, or “off the shelf,” cyber policies are highly inadvisable. Recent cyber hacks, including those on health insurers Anthem and Premera, which were allegedly carried out by state-sponsored Chinese perpetrators potentially operating as part of a broad intelligence gathering mission, further highlight the need to tailor policies to deal with an insured’s specific needs.
More famously, in July, adult cheating website Ashley Madison suffered a devastating cyber attack that resulted in hackers publishing private details of close to 40 million users. The information included names, phone numbers, email addresses, and other highly personal information. Also in July, hackers, self-described as “social justice warriors,” twice attempted to infiltrate the servers of Planned Parenthood in order to gain access to internal emails and procedures. While these attacks are just two of hundreds over the last year, they stand out for one reason: motive. The Ashley Madison attack was carried out by an organization called the “Impact Team,” which took issue with the site’s pricing system. Planned Parenthood, in a statement, said the hackers responsible for their attack were “extremists who oppose Planned Parenthood’s mission and services.”(9) These two hacks signal a potential move away from hackers attempting to infiltrate a system for pure profit, to attacking an organization in an attempt to destroy it, a practice also known as “hacktivism.” Organizations that may have enemies, real or perceived, must take a look at ways to protect their data.
Along these lines, a potential side effect from these types of attacks is the loss in brand value and consumer confidence, which may affect these assureds more than the mere financial losses. According to a survey from AIG, 85% of corporate risk managers and other executives in the United States are more concerned about reputational damages than any other risk.(10) Another report from Deloitte echoes these sentiments, with 41% of companies saying that the most significant consequence from a reputation-damaging event was loss of revenue.(11) In light of this information, perhaps the biggest remaining question is: is this an insurable risk? In other words, is it possible to quantify the loss of reputation into an insurable event? It will be interesting to see how the industry responds to the changing motivations of hackers and the losses that occur from these breaches.
If there are any takeaways from the past year in developments in the cyber-insurance industry, it is that the challenges continue but the industry continues to look for opportunities. The CGL cases, initially viewed as important benchmarks, potentially are receding in importance due to the purchasing of cyber-specific insurance. However, disputes surrounding these cyber policies, as exemplified by Columbia Cottage, appear to be the next large swell in a growing squall of litigation. Further, with the rise in hacktivism, insureds will be looking to further tailor their policies to cover specific and varied risks, further complicating an already diverse and developing industry. Over the next few years, insureds and their insurers will keep a close watch on the variations in the types of attacks, the coverages available and purchased, and how the courts handle what could be the next wave of disputes as the cyber security vulnerabilities put pressure on the cyber insurance coverages.
(1) Robert M. Flannery & Douglas Giombarrese, Cyber-insurance takes off, International Law Office, available at http://www.internationallawoffice.com/Newsletters/Insurance/USA/Mendes-Mount-LLP/Cyber-insurance-takes-off.
(2) IBM, “Security Services Research,” available at http://www-03.ibm.com/security/data-breach/.
(3) Zurich Am. Ins. v. Sony Corp. of Am., 2014 N.Y. Misc. LEXIS 5141 (N.Y. Sup. Ct. 2015).
(4) Recall Total Information Management Inc. v. Federal Insurance Co., 2015 WL 2371957 (Conn. May 26, 2015).
(5) Travelers Indemnity Company of Connecticut v. P.F. Chang’s China Bistro, No. 3:14-cv-01458-VLB (D. Conn. 2014).
(6) Matthew Sturdevant, Travelers Says Liability Policy Doesn’t Cover P.F. Chang’s Data Breach, Hartford Courant, Oct. 10, 2014, available at http://www.courant.com/business/connecticut-insurance/hc-travelers-p-f-chang-data-breach-20141009-story.html.
(7) Columbia Casualty Co. v. Cottage Health System, case no. 2:15-cv-03432 (C.D. Cal. 2015).
(8) Sharon Goldman, Cybersecurity: What Insurers Are Getting Right… Or Not, Insurance Networking News, Aug. 18, 2015, available at http://www.insurancenetworking.com/news/risk-management/cybersecurity-what-insurers-are-getting-right-or-not-36299-1.html.
(9) Abby Olheiser and Andrea Peterson, Planned Parenthood’s Web site on the defense after hacking claims, The Washington Post, July 27, 2015, available at https://www.washingtonpost.com/news/the-switch/wp/2015/07/27/planned-parenthoods-web-site-on-the-defense-following-hacking-claims/.
(10) Caitlin Bronson, Ashley Madison hack heightens what’s at stake for cyber liability, Insurance Business America, July 21, 2015, available at http://www.ibamag.com/news/ashley-madison-hack-heightens-whats-at-stake-for-cyber-liability-23283.aspx.