BreachExchange mailing list archives

Data Security Breaches: Are you covered?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 25 Nov 2015 17:44:21 -0700

http://www.jdsupra.com/legalnews/data-security-breaches-are-you-covered-50323/

Data security breaches can have a significant impact on a company’s bottom
line. While larger corporations may be able to sustain the financial hit,
small to mid-size corporations can be significantly impacted by the
financial blow. A corporation may think that its first line of defense to
negate these costs is its Commercial General Liability Insurance policy
(“CGL policy”). Coverage for such losses, however, is not guaranteed.

Whether data breaches are covered by a company’s CGL policy has been
regularly litigated over the last few years without producing clear
results. Indeed, in April of this year, while pending on appeal, Zurich Am.
Ins. Co. settled a lawsuit with its insured, Sony Corporation of America,
where Sony sought coverage for a data breach. See Zurich Am. Ins. Co., et
al. v. Sony Corp. of Am., et al., Index No. 651982/2011 (N.Y. Sup. Ct.
February 21, 2014).

A standard-form CGL policy typically provides coverage for sums that an
insured is required to pay as damages due to property damage, bodily
injury, and personal and advertising injury. Oftentimes, electronic data
is specifically excluded from the definition of property damage. Indeed,
ISO Form CG 00 01 04 13 (2012), Section V, § 17 provides:

For the purposes of this insurance, electronic data is not tangible
property. As used in this definition, electronic data means information,
facts or programs stored as or on, created or used on, or transmitted to or
from computer software, including systems and applications software, hard
or floppy disks, CD-ROMS, tapes, drives, cells, data processing devices or
any other media which are used with electronically controlled equipment.

When litigated, these exclusions have routinely been upheld. See, e.g.,
Liberty Corp. Capital Ltd. v. Sec. Safe Outlet, Inc., 937 F. Supp. 2d 891
(E.D. Ky. Mar. 27, 2013); Recall Total Info. Mgmt. v. Fed. Ins. Co., 2012
Conn. Super. LEXIS 227, at *1, 5 (Super. Ct. Conn. January 12, 2012),
aff’d, May 26, 2015.

In addition, many CGL policies contain an electronic data exclusion. Under
the exclusion, damages “arising out of the loss of, loss of use of, damage
to, corruption of, inability to access, or inability to manipulate
electronic data” are specifically excluded from coverage. See ISO General
Liability Form, CG 00 01 04 13 (2012), Section I, Coverage A, § 2.p. As a
result, the majority of data breach claims are not covered by a traditional
CGL policy.

Understanding insurance coverage is key to protecting a company against the
financial injury that can result from a cyber-attack. In order to help
ensure insurance coverage in the event of a data breach, companies should
start by reviewing their CGL policies. Companies should then contact their
insurance company and ask whether certain types of cyber-attacks are
covered. Companies should also discuss whether adding an electronic data
liability endorsement and/or an electronic data liability coverage form is
right for them.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
