Everyone, and I do mean “everyone,” is affected by cyberattacks. Technology touches every aspect of how we do business, and because of that, lawyers can no longer pretend that cyber security is someone else’s problem. For those of us who study insurance policies for a living, we are learning that cyberattacks often pose complicated questions for insurers, and these questions have led and will lead to litigation. This article examines 3 recent cyber coverage cases that illustrate the integration of electronic data and everyday business transactions and offers some practical advice for lawyers who face cyber litigation questions.
In Camp’s Grocery, Inc. v. State Farm Fire & Cas. Co., 2016 U.S. Dist. LEXIS 147361 (N.D. Alabama), Camps, a Piggly Wiggly grocery store owner, sought coverage from State Farm for a lawsuit stemming from the theft of customer credit cards, accomplished through a computer hack. Three credit unions sought recovery of costs and damages from Camps for negligence in failing to secure customer data, and for the costs involved with issuing new credit cards. Camps, in turn, submitted a claim to State Farm under a CGL policy and asked for both defense and indemnity coverage.
The District Court determined the State Farm policy only covered damage to “physical tangible property,” and since the customer credit card information was not physical tangible property, the policy provided no coverage to Camps. Camps argued, however, that the credit cards themselves were physical tangible property, and that because the credit unions claimed damages for issuing replacement cards, State Farm must cover Camps and provide a defense. However, the court ruled that because the thieves stole the electronic data stored on the cards, and not the cards themselves, the theft did not actually involve physical tangible property. Thus, the court did not require State Farm to provide coverage under a CGL policy to Camps for the theft of customer credit card data.
Finally, Camps argued the State Farm policy’s inland marine endorsement, which covers damage to computer systems, required State Farm to defend the lawsuit. But the court determined the inland marine endorsement provided only first-party coverage for damage to computers, and the endorsement did not cover liability claims such as the credit unions’ claims against Camps.
In a second case, the 4th Circuit Court of Appeals in Virginia affirmed summary judgment against an insurer who tried to deny coverage for an apparent data breach, thus starting a cyber coverage debate. Travelers v. Portal Healthcare, Case No. 14-1944. Portal Healthcare is a medical records storage company that services medical care providers such as hospitals. Two patients discovered their medical records were posted online by “Googling” their names. The patients initiated a class action suit against Portal, which in turn sought coverage from Travelers under two insurance policies. The Travelers policies covered Portal for damages, “because of injury arising from (1) the electronic publication of material that … gives unreasonable publicity to a person’s private life or (2) the electronic publication of material that … discloses information about a person’s private life.”
The court determined the online posting of medical records, even though unintended, was a “publication” that triggered coverage from Travelers. Interestingly, although the Travelers policies covered Portal for electronic “publication,” the policies did not define what it means to “publish.” Travelers argued the data breach did not constitute a publication, because Portal never intended to make the records available to the public. The court rejected this argument, noting the plain definition of the term “publish,” found in a commonly used dictionary, included the scenario of allowing medical records to be inadvertently posted online.
Although the 4th Circuit’s decision may be narrowly tailored to the language in the Travelers policy, it shows that coverage for cyber breaches will undoubtedly be a subject of legal study and debate in the age of cyber security and data breaches.
In P.F. Chang’s China Bistro, Inc. v. Fed. Ins. Co., 2016 U.S. Dist. LEXIS 70749, the court had to determine whether PF Chang’s had coverage under a cyber security insurance policy for damages resulting from a hack into PF Chang’s computer system and the theft of credit card data from thousands of people who used their credit cards while dining at the restaurant. Bank of America sued PF Chang’s for damages PF Chang’s was required to pay under a Master Services Agreement. Although PF Chang’s cyber insurance policy with Travelers covered certain damages from cyberattacks, the policy excluded coverage for liabilities assumed by contract. Since PF Chang’s contractually assumed a duty to pay BOA’s damages, the court determined that Travelers owed no coverage under its cyber policy for over a million dollars of damages and service charges related to the hack.
Traditionally, CGL policies cover the loss of property, meaning physical tangible property. Because data is not tangible property, a CGL is not likely to cover a data breach. Businesses concerned about an expensive breach may choose to purchase special cyber insurance policies. Lawyers representing those businesses should help those businesses secure the right coverage, and should review policies and procedures to make sure the business is doing all it can to prevent a cyberattack. If necessary, engage a specialist in cyber security: not just an IT specialist, but an actual data security expert (there’s a difference).
All businesses, including law firms, should assess their cyber risk by reviewing internal policies and procedures for securing data. This is more than just having a strong password. Employ a “defense in depth” system. Backing up data regularly and deleting data you don’t need are just two examples of tools that can help prevent a data loss.
A lawyer should review a client’s insurance policies to know critical areas of vulnerability before a breach occurs. Many cyber policies require annual security audits and have exclusions for liabilities assumed by contract, and breaches resulting from “human error.” Now more than ever, our ability to do business depends on our ability to secure data, and our security is only as strong as our weakest link. We have to use good common sense to protect ourselves, our co-workers and those with whom we do business.