Over the last couple of years, courts have struggled with whether cyber claims could trigger coverage under commercial general liability (CGL) insurance policies. While courts have found most cyber claims will not be covered as “bodily injury” or “property damage” under the typical CGL policy, some courts have struggled with whether cyber claims constitute “publication” under the advertising and personal injury coverage of a typical CGL policy.

Travelers Indemnity Co. v. Portal Healthcare Decision

On April 11, 2016, the 4th U.S. Circuit Court of Appeals issued its unpublished decision in Travelers Indemnity Co. of America v. Portal Healthcare Solutions, L.L.C. In Portal, the 4th Circuit held medical records posted on the Internet could potentially give rise to coverage under a CGL policy.

This coverage action originates with a class action complaint filed against Travelers’ insured, Portal, alleging that Portal’s conduct resulted in the underlying plaintiffs’ medical records being posted on the Internet for more than four months. Travelers initiated the declaratory judgment action seeking a determination that there was no coverage for the class action complaint under two CGL policies it issued to Portal.

In affirming the decision by the U.S. District Court for the Eastern District of Virginia, the 4th Circuit held “that the class-action complaint ‘at least potentially or arguably’ alleges a ‘publication’ of private medical information by Portal that constitutes conduct covered under the Policies.” The 4th Circuit further held “[s]uch conduct, if proven, would have given ‘unreasonable publicity to and disclose[d] information about patients’ private lives,’ because any member of the public with an Internet connection could have viewed the plaintiffs’ private medical records during the time the records were available online.”

Based on this reasoning, the 4th Circuit held Travelers had a duty to defend Portal in the class action. This decision highlights the importance of what happens to the sensitive information and whether there is a “publication” as that term is defined under the typical CGL policy.

Putting the Portal Decision in Context

In contrast, on May 18, 2015, the Connecticut Supreme Court affirmed a lower court’s decision finding there was no insurance coverage for more than $6 million in losses related to the exposure of private information belonging to nearly 500,000 IBM employees. In Recall Total Info. Management, Inc. v. Federal Ins. Co., the insured sought coverage under its CGL policy when it lost data storage tapes storing its customer’s private information. The tapes fell off the back of the insured’s van and it was believed that about 130 of the tapes were taken from the road by an unknown person. The CGL policy at issue provided coverage for “personal injury” which included “publication of material that…violates a person’s right to privacy.”

In analyzing this provision and the facts of this case, the Recall Total court first held there was no dispute that the information on the tapes was private, and, second, that the threshold was whether the information on the tapes had been “published.” In finding there was no coverage, the lower court held there was no evidence that the information on the tapes had been found or used after the tapes fell off the van. In reviewing the evidence, the Court found “[t]here is nothing in the record suggesting that the information on the tapes was ever accessed by anyone.” Specifically, the Recall Total lower court decision addressed the personal injury provision in the following manner:

On the basis of our review of the policy, we conclude that personal injury presupposes publication of the personal information contained on the tapes. Thus, the dispositive issue is not loss of the physical tapes themselves; rather, it is whether the information in them has been published. The plaintiffs contend that the mere loss of the tapes constitutes a publication, and has alleged that the information was published to a thief. The plaintiffs have failed to cite any evidence that the information was published and thereby failed to take their allegation beyond the realm of speculation. See, e.g., Norse Systems, Inc. v. Tingley Systems, Inc., supra, 49 Conn.App. at 591, 715 A.2d 807 (speculation or conjecture will not overcome motion for summary judgment). As the complaint and affidavits are entirely devoid of facts suggesting that the personal information actually was accessed, there has been no publication.

In its concise decision, the Connecticut Supreme Court said there was no purpose in repeating the discussion in the superior court’s “well-reasoned” January 2014 ruling.

While these decisions may arguably not involve a data breach or a classic cyber claim, many commentators believed that the Recall Total court’s reasoning would shed light on how data breach might be viewed from a coverage perspective when there is no evidence that the private or confidential information was actually published to third parties.

Portal’s Contribution to Current State of the Law

Undoubtedly, the Portal decision provides significant guidance on the issue of whether data breaches will be covered under traditional CGL policies. Prior to this decision, the body of law was limited to the reasoning of the Recall Total decision, which was in harmony with the trial court’s decision in Sony’s coverage action against Zurich. In the Sony case, which was settled before the appellate court could render its decision, the New York trial court ruled Zurich had no duty to defend because there was no “publication” under Coverage B of the CGL policy.

When the dust settles, we may see that the Portal decision has little impact with extent to medical records placed on the internet. Not all cyber claims result in information or data posted on the Internet, or in another manner, to third parties. Rather, many cyber claims involve information being taken and used for criminal acts. That is, a court may not find the information taken in the Target breach (credit card information stolen) or similar cyber incidents includes this “publication” element required to trigger CGL coverage.

The post Early Observations in Portal Healthcare Decision: CGL Coverage for Cyber Claims? appeared first on Privacy Risk Report.

Ashley Madison members who had their hacked information disclosed are not the only people that have had a bad month. Last week, Noel Biderman, the CEO of Ashley Madison, stepped down because of the damage done by the data breach. Ashley Madison’s parent company, Avid Life Media, did not provide reasons for Mr. Biderman’s departure beyond a company statement that read:  “This change is in the best interest of the company and allows us to continue to provide support to our members and dedicated employees. We are steadfast in our commitment to our customer base.”  The Ashley Madison breach raises concerns for corporate executives related to cybersecurity.

The Cybersecurity Buck Stops with Executives

If it had not been clear already, executives are typically held responsible for a data breach at their company. In addition to the Ashley Madison breach, a number of other corporate executives have recently seen their careers abruptly ended by a data breach. For example, the co-chairwoman of Sony Pictures, Amy Pascal, resigned in February 2015 after Sony’s massive breach. Likewise, Gregg Steinhafel, Target’s chairman and chief executive, resigned from Target after Target’s data breach. These incidents demonstrate that accountability for a data breach rests squarely with corporate leaders.

A Breach Can Also Disclose the Corporation’s Dirty Secrets

If accountability for cybersecurity is not enough to keep executives up at night, the troubles at Ashley Madison demonstrate that a breach is not limited to sensitive customer information but can also disclose private corporate information. It is reported that Mr. Biderman’s demise at Ashley Madison is also tied to corporate information and emails indicating Ashley Madison engaged in questionable business practices. Similarly, the departure of Amy Pascal from Sony Pictures is tied to the fact that emails in which she reportedly joked about President Obama may have called her leadership into question.

While there are many lessons to be learned from the Ashley Madison breach, corporate executives should use this breach as a guide to what can go wrong if they don’t make cybersecurity a priority. The obvious concern is making sure data stored by their corporation is protected from outside hackers as well as from threats inside the company. And, as Mr. Biderman learned the hard way, executives should limit the amount of valuable data stored by the company. This latest breach provides another reason for executives and their employees to read each email before they hit send and each document before they hit save.

The post Corporate Affairs: Recent Ashley Madison Breach Illustrates Cybersecurity Must Be a Priority for Corporate Executives appeared first on Privacy Risk Report.

The post Following 2014’s “Year of the Breach,” 2015 is Shaping Up to Be the “Year of Data Breach Litigation” appeared first on Privacy Risk Report.

Early reports indicate that Sony Corp. of America and Zurich American Insurance Company (along with other insurers) have reached settlement terms today in their data breach case involving a hack of the online services for the Sony PlayStation in April 2011. These data breaches, which were unrelated to the Sony Pictures cyber attack, resulted in hackers accessing personal information for nearly 100 million individuals. The PlayStation hacks gave rise to at least 55 putative class-action lawsuits filed against Sony in the U.S with expectations that the breaches would cost Sony nearly $180 million in the next year.

This insurance coverage case, which many anticipated would be one of the most important decisions in 2015, gave rise to a ruling by a New York trial court that Zurich had no duty to defend under a commercial general liability policy issued to Sony. The New York trial court held Sony’s insurers did not owe a defense to Sony under CGL policies because there was no “publication” under Coverage B of the CGL policy. Specifically, the court held that while a wide-scale data breach represents a “publication” of private information within the meaning of the “personal and advertising injury” coverage, the PlayStation  breach did not fall within coverage of Sony’s CGL policy because the policy covered only publications by the insured itself—not by third-party hackers. That is, while the trial court held the breach was arguably a publication under Coverage B of the Zurich policies, it was not a “publication” by Sony, the insured under the policy.

This decision was widely considered to be the best opportunity to get a glimpse into how appellate courts would treat data breach claims under CGL policies. Unfortunately, as data breaches and cybersecurity issues become more prevalent, we can expect to see litigation of these issues continue despite this settlement. Coincidently, this settlement comes on the heels of another important potential settlement in the Target litigation. Nevertheless, the need for guidance on this issue may be diminished as more CGL policies include cyber liability exclusions.

The post Sony and Zurich Settle Data Breach Case Before Appellate Court Can Decide Coverage Issues Under CGL Policy appeared first on Privacy Risk Report.

On January 21, 2015, Travelers Casualty and Surety of America (Travelers) sued Ignition Studio Inc. (Ignition) based on professional negligence and breach of contract claims in the District Court for the Northern District of Illinois. Travelers filed the action based on its subrogated interest and on behalf of its insured, Alpine Bank. Ignition was hired to design and service Alpine’s website. However, the complaint alleges that Ignition “negligently allowed one or more hackers to access Alpine Bank’s website through lax Internet security on the server where the website was hosted. Because of Defendant’s negligence, Alpine Bank had to expend substantial funds to comply with data breach notification obligations.” The complaint also seeks damages related to the significant funds to notify bank customers of the unauthorized access to their private information.” Count I of the complaint, entitled professional negligence, asserts Ignition breached its duty to perform website maintenance and servicing work. Count II of the complaint, entitled breach of contract, asserts Ignition breached its agreement with Alpine to provide maintenance for Alpine’s website.

The data breach was first reported in September 2012 when Alpine bank notified a small number of its customers that their social security numbers and account numbers may have been compromised. Alpine also informed their customers to be cautious and monitor their credit and other financial accounts. Additionally, Alpine provided affected customers with one year of free credit monitoring.

Alpine Bank has less than 20 branches in northern Illinois. It is not a Home Depot, Target or Sony. Thus, data breaches are no longer just a concern for large retailers or other large corporations. Rather, hackers are targeting smaller, regional businesses. These smaller-scale hacks can be just as devastating to smaller corporations as the larger hacks are to larger businesses. Even more devastating is the fact that a smaller business may not have proper protection or insurance in place. Admittedly, banks have been the best prepared against data breaches. Unfortunately, it is only a matter of time before we see hacks take place at smaller businesses that are not as well-equipped to handle these attacks.

The post Lawsuit Involving Regional Bank Should Serve as a Warning to Smaller Businesses appeared first on Privacy Risk Report.

At this point, we have been bombarded with many of the details and a lot of speculation related to the November 2014 Sony Pictures hack. In short, hackers stole sensitive information and data including everything from private employee information, emails sent inside and outside the company and unreleased films. In addition to the damage caused by the hack, Sony Pictures potentially suffered damages from extortion attempts and lost revenue from the limited release of the film The Interview.

While the details related to this hack are widely available in newspapers and entertainment magazines, the information publicly known at this time can provide insight for anyone considering cyberliability insurance.

• An insured may have more information at risk beyond that included in the statutorily-defined “personal information.”

A number of states base their data breach notification laws on whether “personal information” has been compromised. In general, “personal information” includes social security numbers, drivers’ license numbers and credit/debit card information. However, in addition to taking some of this information, the Sony hackers also obtained confidential information such as unreleased films. Therefore, while many states provide a concise definition of the information potentially at risk, insureds should consider whether their data and other information includes items beyond the short list of items in the definition of “personal information.”

• An insured’s defenses against a hack or breach will be at issue.

Recently, the pre-breach strength of a party’s security systems has become a central issue in data breach litigation. For example, in the lawsuit filed by banks against Target for its breach in December 2013, the banks claimed Target was liable for failing to disclose “material weaknesses” in its data security systems. Likewise, there were claims that Home Depot’s data breach could have resulted from Home Depot’s failure to perform regular tests on its Point of Sale systems, hiring their Senior IT security architect after he sabotaged his former employer’s network, and running an outdated version of Symantec Antivirus software from 2007. Therefore, underwriters will need to take an applicant’s overall defenses against hacks into account when assessing the risk prior to issuing a policy.

• The strength of this insurance will start with the underwriting process.

In light of the recent cyber attacks and data breaches, there should be little question that cyberliability insurance can provide valuable protection. Of course, a “cookie-cutter” approach using standard policy forms may not work for every insured. The Sony breach involved a substantial amount of information that only a movie studio would be expected to be storing on its systems. Obviously, a hospital would not need cyberliability coverage for unreleased motion pictures. The utility of this insurance will be limited by how closely the insurance applicant and the underwriters work together before a policy is issued. The key will be for insureds to disclose the specific data they want to protect and for underwriters to understand the insured’s business.

The post Early Observations Concerning the Sony Hack and Cyberliability Insurance appeared first on Privacy Risk Report.