For several decades, coverage for personal injury and advertising injury has been standard in commercial general liability (CGL) insurance policies. But in recent years, issues have arisen over whether personal and advertising injury coverage extends to cyber-related losses. While this area of the law is still developing, courts have already weighed in on many cyber-related matters, and outcomes have largely depended on the facts of the case and the policy language.
“Publication” of Confidential Information
The perils covered under personal and advertising injury provisions typically include losses resulting from “publication of material that violates a person’s right to privacy.” When private information is released through a cyber breach, whether intentional or accidental, courts commonly examine whether “publication” of material containing private information has taken place.
Was the Information Accessed by a Third Party?
Many courts have found that if the information is not accessed by a third party, then publication has not occurred and therefore coverage does not apply. For instance, in a spyware case, the Ninth Circuit found that insurers had no duty to defend lawsuits against the policyholder because, among other reasons, there was no “publication” of material.1 An underlying complaint had alleged that the policyholder had secretly installed spyware on consumers’ computers, enabling it to recover keystrokes, take screenshots and take photos with the webcam without the users’ knowledge. The court held that the complaint did not allege “publication” since there were no allegations that the data was transmitted to a third party.
Conversely, some courts have found that publication occurs when private information is made accessible to the public, regardless of whether anyone reads it. In a case involving the accidental release of confidential medical records online, the Fourth Circuit held that the insurer was obligated to defend a class action lawsuit that was filed against its policyholder. The insurer argued that there was no publication because the policyholder did not intend to expose the materials to the public and because no third party was alleged to have viewed the information. In rejecting these arguments, the court wrote that publication occurs when information is “placed before the public” regardless of whether a member of the public actively looks at the information.2
Who Caused the Breach?
In some cases involving the release of private information, the outcome has hinged on who caused the breach. After computer hackers accessed personal information of Sony PlayStation customers, the customers sued Sony, and Sony sought coverage from its CGL insurers. The insurers argued that cyber attack claims fell outside the scope of their personal and advertising injury provisions, which provided coverage for “oral and written publication in any manner of the material that violates a person’s right to privacy,” and that they therefore had no duty to defend. In siding with the insurer, a New York court concluded that in order for the coverage to be triggered, the publication of private information would have had to have been perpetrated by the policyholder itself. In this case, it was the hackers who committed the invasion of privacy, not Sony.3 Similarly, a Florida court held that a hotel’s insurer had no duty to defend claims against the hotel after hackers stole customers’ credit card information. The policy’s personal injury provision covered losses from “[m]aking known to any person or organization covered material that violates a person’s right to privacy.” The court agreed with the insurer that the wording “making known” requires that the privacy violation result from the policyholder’s (hotel’s) own conduct. Since hackers’ actions caused the breach, the court said coverage was not triggered. “Construing the policy to include the acts of third parties would be expanding coverage beyond what the insurance carriers were…knowingly entering into,”” the court said. 4
Cyber Exclusions
Cyber-specific exclusions have not yet become standard in CGL policies. But as cyber crimes become increasingly sophisticated and the costs associated with cyber breaches continue to escalate, insurance companies are beginning to incorporate cyber exclusions into their policies. As with other types of insurance policy exclusions, how courts interpret the application of the exclusion will depend on the policy language and the facts of the case.
If you are involved in a dispute with your business insurance company, contact us. We have the expertise, experience and tenacity to make insurance companies keep their promises to you and your business.
1 Am. Econ. Ins. Co. v. Hartford Fire Ins. Co., 2017 WL 2323440 (9th Cir. May 26, 2017)
2 Travelers Indem. Co. of Am. v. Portal Healthcare Solutions, L.L.C., 2016 WL 1399517 (4th Cir. Apr. 11, 2016)
3 Zurich American Ins. Co. v. Sony Corp. of America, No. 651982/2011 (N.Y. Sup. Ct. New York Cnty. Feb. 21, 2014)
4 St. Paul Fire & Marine Ins. Co. v. Rosen Millennium, Inc., 337 F. Supp. 3d 1176 (M.D. Fla. 2018)