BreachExchange mailing list archives

Cracking Coverage Issues in Data Breach Cases


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 2 Sep 2014 18:04:07 -0600

http://www.thelegalintelligencer.com/latest-news/id=1202667788611/Cracking-Coverage-Issues-in-Data-Breach-Cases

Five years ago, data breaches were a blip on the risk-management radar
screen. Now, they can send a cold shiver down the spine of any corporate
board. If a company suffers a data breach, we are talking about significant
exposure, including lawsuits, agency enforcement actions and damage to
reputation and brand name. Cyberrisk insurance is available, yet relatively
few companies seem to purchase it. Not surprisingly, as data breaches
become more commonplace, companies have looked to traditional insurance as
a source of coverage for first- and third-party liability.

General liability policies are the most popular candidate. The policies
define "personal and advertising injury" in part as injury arising out of
"oral or written publication, in any manner, of material that violates a
person's right of privacy," as in ISO Form CG 00 01 12 07, Section V.17.
Whether a data breach implicates personal and advertising injury coverage
thus depends upon whether there has been a "publication" that violates the
"right of privacy." Easy? Well, no. These issues are not always
straightforward.

Different courts define "publication" in different ways. In noncyber risk
contexts, Pennsylvania courts require a dissemination to the public, or one
that makes the information generally known, in order to satisfy the meaning
of publication, as in Whole Enchilada v. Travelers Property Casualty Co. of
America, 581 F. Supp. 2d 677 (W.D. Pa. 2008). Other courts have used
similar constructions of the term, such as in Penzer v. Transportation
Insurance, 29 So.3d 1000 (Fla. 2010). However, some jurisdictions have been
reluctant to require a public dissemination. Instead, some courts have
interpreted "publication" only to require conveyance to a third party,
which is the standard for publication in the context of defamation. When
confronted with more personal or objectionable invasions, such as
electronic surveillance or secret recordings, some courts even have
eschewed the requirement that there be a communication to a third party at
all, as in Encore Receivable Management v. ACE Property and Casualty
Insurance, No. 12-297 (S.D. Ohio July 3, 2013).

Given the disparity of interpretations of the word "publication," it should
come as no surprise that the few reported decisions addressing its meaning
in the context of data breaches are inconsistent. In Zurich American
Insurance v. Sony, No. 651982/2011 (N.Y. Supr. Ct. Feb. 21, 2014), which
involved a data breach in Sony's PlayStation network, the New York trial
court held that the actual breach into Sony's network constituted a
publication. Analogizing the issue to Greek mythology and Pandora's box,
the court stated: "Because, I look at this as a Pandora's box. Once it is
opened, it doesn't matter who does what with it. It is out there. It is out
there in the world, that information. And whether or not it's actually used
later on to get any benefit by the hackers, that in my mind is not the
issue."

According to the court, "When you open up the box, it's the Pandora's box.
Everything comes out."

The court ultimately determined that coverage did not exist because the
underlying actions did not contend that Sony had published the stolen data.
Yet, the holding assigned a very broad meaning to "publication."

In Recall Total Information Management v. Federal Insurance, 83 A.3d 664
(Conn. App. Ct. 2013), cert. granted in part, 86 A.3d 469 (Conn. 2014),
which involved the loss of 130 computer tapes containing data of 500,000
IBM employees, the Connecticut Appellate Court was not as extreme. There,
the loss of data did not constitute a publication. The court concluded that
because there was no evidence that the information on the tapes had been
accessed, there was no publication: "Regardless of the precise definition
of publication, we believe that access is a necessary prerequisite to the
communication or disclosure of personal information." The court, however,
declined to determine the exact meaning of publication, so the issue was
left unresolved.

Galaria v. Nationwide Mutual Insurance, No. 13-118 (S.D. Ohio Feb. 10,
2014), a data breach case, employed a narrower definition. There, the court
dismissed two putative class action lawsuits on the basis that neither
alleged publication because the complaints alleged only that the stolen
information was "in the hands of the hacker(s), not the general public."

The issue of whether data breaches involve a violation of a right of
privacy has been litigated less. Sony concluded without substantive
discussion that the data breach was a violation of the right of privacy.
Recall Total never addressed the issue, although the court rejected the
argument that triggering notification statutes following a data breach, by
itself, was a privacy claim to implicate coverage. Galaria concluded that
the loss of personal data constituted a "loss of privacy." In noncyber
contexts, some courts hold that the collection of personal data is a
violation of privacy for insurance purposes, such as in Big 5 Sporting
Goods v. Zurich American Insurance, 957 F. Supp. 2d 1135, 1148 (C.D. Cal.
2013). Yet the issue of what constitutes privacy should not be neglected.

Galaria held that the loss or theft of personally identifiable information
alone did not allege a sufficient claim for invasion of privacy to
withstand dismissal. The Delaware federal court in In re Google Cookie
Placement Consumer Privacy Litigation, No. 12-2358 (D. Del. Oct. 9, 2013),
held that the collection of Internet cookies and Internet-user information
did not violate privacy rights under the California Constitution. Such
holdings could have a ripple effect in coverage litigation.

Furthermore, for purposes of insurance, some courts, including Pennsylvania
courts, interpret "privacy" to mean rights of secrecy, not seclusion, such
as Telecommunications Network Design v. Brethren Mutual Insurance, 5 A.3d
331 (Pa. Super. Ct. 2010), appeal denied, 38 A.3d 826 (Pa. 2011), and State
Farm General Insurance v. JT'S Frames, 104 Cal. Rptr. 3d 573 (Cal. Ct. App.
2010). In such jurisdictions, the nature of the stolen data can be
relevant. For instance, if the underlying actions allege a data breach that
results in unwanted marketing, there is no alleged privacy violation to
implicate coverage because the privacy right at issue is the right of
seclusion.

The limited construction of privacy also leads to the question of whether
the theft of publicly available information can implicate coverage. Public
information, such as contact information, is not private to implicate
rights of secrecy, as in Boring v. Google, 362 Fed. App'x 273 (3d Cir.
2010), which held that a home appearing on Google Maps is not the
publication of a private fact.

Accordingly, how can the theft of publicly available information involve
rights of secrecy to implicate coverage? The identity of the victim is
relevant, too. In noncyber contexts, some courts have held that the
incident must violate a person's privacy, not a company's privacy, to
implicate coverage, as in Sportsfield Specialties v. Twin City Fire
Insurance, 984 N.Y.S.2d 447 (N.Y.A.D. 2014).

Cybertechnology can evolve quickly; the law, not so much. Yet threshold
issues for determining coverage have been established as courts begin to
grapple with the complexities of cyber liability in noncyber insurance.
Types of data can have an effect, as can the data's use. Expected ISO
endorsements for cyberrisk will alter the landscape further. The one item
courts appear to be uniform on is that determining whether there is
coverage is not so simple.