Identity Theft and Your CGL Policy

This article appeared in the May/June 2009 issue of Coverage. Author George S. McCall of Sedgwick, Detert, Moran & Arnold LLP, formerly of Kern & Wooley LLP, explores the issue of whether a Commercial General Liability policy provides coverage for the liabilities of cyber attacks on, or the negligent mishandling of, consumers’ electronically stored private or confidential information. These cyber attacks usually consist of hackers obtaining personal information such as social security numbers and account information which is used for financial gain. In 2008 alone, over 35 million records were stolen. Thus it is not surprising that identity theft exposes businesses to tens of millions of dollars of potential liability. Claims against businesses for breaches of data security are increasing based on theories of negligence, breach of fiduciary duty, invasions of privacy, and breach of contract. When faced with these liabilities, businesses are apt to tender their claims to their CGL insurers, but this article points out that such claims are generally not covered by standard CGL policies.
The article examines potential avenues for such coverage under both components of Standard CGL policies: Coverage A for claims alleging bodily injury or property damage and Coverage B for damages because of “personal and advertising injury.” Pertinent policy language and court decisions are analyzed. The author concludes that recovery for liability for identity theft arising from cyber attacks or negligence in the handling of electronically stored information under standard CGL policies is unlikely. Although businesses are not likely to find coverage for identity theft under CGL policies, insurers are now offering Corporate Identity Theft Protection policies. The author recommends that businesses should consider those policies to address their concerns for liability arising from security breaches and identity theft.