In the past two years, there have been two very interesting lawsuits over the question of whether or not commercial general liability insurance policies contain coverage for cyber liability. The two lawsuits had very different outcomes which may appear to muddy the waters regarding when cyber liability is covered and when it is not covered by a general liability policy. Let’s take a look at both lawsuits and where I think this may go.
Portal vs Travelers: Recently a federal appeals court in Virginia ruled Travelers is obligated to defend Portal Healthcare Solutions against a class action lawsuit brought against it for a data breach when the medical records of individuals who’d been treated at Glens Falls Hospital in New York were made public on the internet.
Travelers originally contended they were not liable because their commercial general liability (CGL) policy did not contain language stating that cyber liability claims were covered. The court determined they were liable under their Personal and Advertising Injury coverage because of an advertising or website injury arising from the “electronic publication of material that… gives unreasonable publicity to a person’s private life.”
Sony vs Zurich: In 2014, a New York court ruled that Zurich American Insurance had no duty to defend Sony Corp. of America and Sony Computer Entertainment in litigation arising from a 2011 data breach of Sony’s PlayStation online service. The New York Supreme Court determined acts by hackers do not constitute “oral or written publication in any manner of the material that violates a person’s right to privacy.”
In this case, the data breach was not considered to be a Personal and Advertising Injury, which would be covered by Sony’s CGL policy. The bottom line for Sony is they needed cyber liability insurance to cover losses stemming from their data breach.
The interesting question is what does this mean to business owners, regardless of the size of their business? I believe there are several directions possible, but only one that’s realistic.
Option 1: Commercial insurance companies will broaden coverage in their CGL policies to cover cyber liability. I think this is the least likely option as insurance companies are in fact tightening their policy language each year to protect themselves from cyber liability.
Option 2: CGL policies offer an option at an additional cost to provide cyber liability coverage. This is plausible, but I think unlikely. In cases where this may occur, I expect the coverage to be highly limited in the amount of damages it will pay and scope of coverage. The result will be like attempting to use a band aid to fix a broken bone.
Option 3: Insurance companies continue to tighten policy language or outright exclude cyber liability coverage within them. In these instances, business owners need to purchase separate cyber liability policies to protect themselves and their companies from a data breach and the cost to mitigate one.