As the number of data breaches and disclosure of personally identifiable information (“PII”) increases, courts are being asked to decide whether such claims for data breach and disclosure of PII are covered by traditional commercial general liability (CGL) policies. Most often, companies who have only traditional CGL policies, argue that such claims should fall under their policies’ coverage for “personal and advertising injury,” which is typically defined as injuries arising out of the oral or written publication of material that violates a person’s right of privacy.
Sony made this same argument in the recent case of Zurich American Insurance v. Sony Corporation of America. Sony argued that coverage for a consumer class action filed against Sony for a 2011 data breach of Sony’s Playstation network should fall under its CGL policy’s coverage for “personal and advertising injury” which included the typical definition. A New York trial judge disagreed, finding that the definition required “some kind of act or conduct by the policyholder in order for coverage to be present.” Because the data breach was committed by third-party hackers who broke into Sony’s security system, rather than by an “act or conduct perpetuated by Sony,” the trial court held that the policy did not provide coverage for the data breach claims against Sony.
Courts in other jurisdictions have held otherwise, finding that coverage under a CGL policy extended to claims for data breach and disclosure of PII based upon each policy’s definition of “personal injury.” See e.g. Netscape Communications Corp. v. Federal Ins. Co., 343 Fed.Appx. 271 (9th Cir. 2009); Tamm v. Hartford Fire Ins. Co., 16 Mass.L.Rptr. 535, 2003 Mass. Super. LEXIS 214 (Mass. Super. Ct. 2003).
In response to the rising number of claims for data breach and cyber coverage being filed, Insurance Services Offices, Inc. (ISO) filed in many jurisdictions a new set of exclusionary endorsements. These exclusionary endorsements, which effect provisions under a CGL’s policy for “Bodily Injury and Property Damage” (Coverage A) and “Personal and Advertising Injury Liability” (Coverage B), are scheduled to take effect this month.
Insurers who issue these exclusionary endorsements will likely argue that these provisions apply to and, therefore, exclude coverage for any cyber liability or data breach claims. However, insurers will have to prove that they do so. If insurers do not issue these exclusionary endorsements, policyholders will likely argue that their traditional CGL policies cover such claims; otherwise their insurers would have issued the exclusionary endorsements based upon the ISO’s guidance. Only time will tell how the varying jurisdictions will decide these issues.