BreachExchange mailing list archives
Cracking Coverage Issues in Data Breach Cases
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 2 Sep 2014 18:04:07 -0600
http://www.thelegalintelligencer.com/latest-news/id=1202667788611/Cracking-Coverage-Issues-in-Data-Breach-Cases Five years ago, data breaches were a blip on the risk-management radar screen. Now, they can send a cold shiver down the spine of any corporate board. If a company suffers a data breach, we are talking about significant exposure, including lawsuits, agency enforcement actions and damage to reputation and brand name. Cyberrisk insurance is available, yet relatively few companies seem to purchase it. Not surprisingly, as data breaches become more commonplace, companies have looked to traditional insurance as a source of coverage for first- and third-party liability. General liability policies are the most popular candidate. The policies define "personal and advertising injury" in part as injury arising out of "oral or written publication, in any manner, of material that violates a person's right of privacy," as in ISO Form CG 00 01 12 07, Section V.17. Whether a data breach implicates personal and advertising injury coverage thus depends upon whether there has been a "publication" that violates the "right of privacy." Easy? Well, no. These issues are not always straightforward. Different courts define "publication" in different ways. In noncyber risk contexts, Pennsylvania courts require a dissemination to the public, or one that makes the information generally known, in order to satisfy the meaning of publication, as in Whole Enchilada v. Travelers Property Casualty Co. of America, 581 F. Supp. 2d 677 (W.D. Pa. 2008). Other courts have used similar constructions of the term, such as in Penzer v. Transportation Insurance, 29 So.3d 1000 (Fla. 2010). However, some jurisdictions have been reluctant to require a public dissemination. Instead, some courts have interpreted "publication" only to require conveyance to a third party, which is the standard for publication in the context of defamation. When confronted with more personal or objectionable invasions, such as electronic surveillance or secret recordings, some courts even have eschewed the requirement that there be a communication to a third party at all, as in Encore Receivable Management v. ACE Property and Casualty Insurance, No. 12-297 (S.D. Ohio July 3, 2013). Given the disparity of interpretations of the word "publication," it should come as no surprise that the few reported decisions addressing its meaning in the context of data breaches are inconsistent. In Zurich American Insurance v. Sony, No. 651982/2011 (N.Y. Supr. Ct. Feb. 21, 2014), which involved a data breach in Sony's PlayStation network, the New York trial court held that the actual breach into Sony's network constituted a publication. Analogizing the issue to Greek mythology and Pandora's box, the court stated: "Because, I look at this as a Pandora's box. Once it is opened, it doesn't matter who does what with it. It is out there. It is out there in the world, that information. And whether or not it's actually used later on to get any benefit by the hackers, that in my mind is not the issue." According to the court, "When you open up the box, it's the Pandora's box. Everything comes out." The court ultimately determined that coverage did not exist because the underlying actions did not contend that Sony had published the stolen data. Yet, the holding assigned a very broad meaning to "publication." In Recall Total Information Management v. Federal Insurance, 83 A.3d 664 (Conn. App. Ct. 2013), cert. granted in part, 86 A.3d 469 (Conn. 2014), which involved the loss of 130 computer tapes containing data of 500,000 IBM employees, the Connecticut Appellate Court was not as extreme. There, the loss of data did not constitute a publication. The court concluded that because there was no evidence that the information on the tapes had been accessed, there was no publication: "Regardless of the precise definition of publication, we believe that access is a necessary prerequisite to the communication or disclosure of personal information." The court, however, declined to determine the exact meaning of publication, so the issue was left unresolved. Galaria v. Nationwide Mutual Insurance, No. 13-118 (S.D. Ohio Feb. 10, 2014), a data breach case, employed a narrower definition. There, the court dismissed two putative class action lawsuits on the basis that neither alleged publication because the complaints alleged only that the stolen information was "in the hands of the hacker(s), not the general public." The issue of whether data breaches involve a violation of a right of privacy has been litigated less. Sony concluded without substantive discussion that the data breach was a violation of the right of privacy. Recall Total never addressed the issue, although the court rejected the argument that triggering notification statutes following a data breach, by itself, was a privacy claim to implicate coverage. Galaria concluded that the loss of personal data constituted a "loss of privacy." In noncyber contexts, some courts hold that the collection of personal data is a violation of privacy for insurance purposes, such as in Big 5 Sporting Goods v. Zurich American Insurance, 957 F. Supp. 2d 1135, 1148 (C.D. Cal. 2013). Yet the issue of what constitutes privacy should not be neglected. Galaria held that the loss or theft of personally identifiable information alone did not allege a sufficient claim for invasion of privacy to withstand dismissal. The Delaware federal court in In re Google Cookie Placement Consumer Privacy Litigation, No. 12-2358 (D. Del. Oct. 9, 2013), held that the collection of Internet cookies and Internet-user information did not violate privacy rights under the California Constitution. Such holdings could have a ripple effect in coverage litigation. Furthermore, for purposes of insurance, some courts, including Pennsylvania courts, interpret "privacy" to mean rights of secrecy, not seclusion, such as Telecommunications Network Design v. Brethren Mutual Insurance, 5 A.3d 331 (Pa. Super. Ct. 2010), appeal denied, 38 A.3d 826 (Pa. 2011), and State Farm General Insurance v. JT'S Frames, 104 Cal. Rptr. 3d 573 (Cal. Ct. App. 2010). In such jurisdictions, the nature of the stolen data can be relevant. For instance, if the underlying actions allege a data breach that results in unwanted marketing, there is no alleged privacy violation to implicate coverage because the privacy right at issue is the right of seclusion. The limited construction of privacy also leads to the question of whether the theft of publicly available information can implicate coverage. Public information, such as contact information, is not private to implicate rights of secrecy, as in Boring v. Google, 362 Fed. App'x 273 (3d Cir. 2010), which held that a home appearing on Google Maps is not the publication of a private fact. Accordingly, how can the theft of publicly available information involve rights of secrecy to implicate coverage? The identity of the victim is relevant, too. In noncyber contexts, some courts have held that the incident must violate a person's privacy, not a company's privacy, to implicate coverage, as in Sportsfield Specialties v. Twin City Fire Insurance, 984 N.Y.S.2d 447 (N.Y.A.D. 2014). Cybertechnology can evolve quickly; the law, not so much. Yet threshold issues for determining coverage have been established as courts begin to grapple with the complexities of cyber liability in noncyber insurance. Types of data can have an effect, as can the data's use. Expected ISO endorsements for cyberrisk will alter the landscape further. The one item courts appear to be uniform on is that determining whether there is coverage is not so simple.
_______________________________________________ Dataloss Mailing List (dataloss () datalossdb org) Archived at http://seclists.org/dataloss/ Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com Supporters: Risk Based Security (http://www.riskbasedsecurity.com/) YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus on the right security. If you need security help or want to provide real risk reduction for your clients contact us!
Current thread:
- Cracking Coverage Issues in Data Breach Cases Audrey McNeil (Sep 05)