More On ISO’s Just-Filed CGL Data Breach Exclusions

As discussed in the Late-r Notice column in the last issue of Coverage Opinions, there has been much chatter of late about insurance for losses that a business sustains from cyber liability – especially data breaches. Think of a computer network that has been hacked or somehow failed, with the result being customers’ personal information, which should have been confidential (credit card, medical, social security, etc.), now being revealed in some manner.

If cyber risks are real, and I believe they are, then cyber policies will take hold in the market. That’s just how our economy works. But until cyber policies are in wide-spread use, efforts will be made by companies to find coverage for cyber losses under the policies that they do have at their disposal, namely, commercial general liability. That’s just how common sense works.

Insurance Services Office, Inc. does not believe that such cyber claims should be covered under a commercial general liability policy. But ISO can’t ignore the fact that, under its CGL policy, coverage is provided for personal and advertising injury, which is defined, in part, as the offense of an oral or written publication, in any manner, of material that violates a person’s right of privacy. Data breach + personal information being revealed = no surprise that attempts have been made to obtain coverage, for such losses, under a provision that addresses violation of the right of privacy.

It is for this reason that ISO recently filed data breach exclusions for certain of its policies. Putting aside some different formats, a necessity on account of ISO’s wide-ranging products and forms, a CGL exclusion (with a May 2014 date) has been filed titled “Exclusion – Access or Disclosure of Confidential or Personal Information and Data-Related Liability – with Limited Bodily Injury Exception.”

Looking at the personal and advertising injury aspect of the exclusion, it precludes coverage for such injury “arising out of any access to or disclosure of any person’s or organization’s confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information.” The exclusion then goes on to explain that it “applies even if damages are claimed for notification costs, credit monitoring expenses, forensic expenses, public relations expenses or any other loss, cost or expense incurred by you or others arising out of any access to or disclosure of any person’s or organization’s confidential or personal information.”

The exclusion is certainly written in broad terms. But then again so was the Total Pollution Exclusion. And we know how that worked out in about half the states. Like all new exclusions, ISO’s Data Breach exclusion can be expected to be tested on several fronts.

First, even when the exclusion is raised in a situation where it clearly applies, efforts will be made to pick it apart to create an ambiguity. That’s just how coverage disputes work. Second, as the world of data breach emerges, and no doubt hacking and technology are everevolving, situations may arise that were not contemplated by the exclusion – because they didn’t exist at the time that the exclusion was drafted. That’s just how new exposures work. Third, ISO’s new exclusions, and their Impact statements, can be expected to be used by policyholders seeking coverage for data breaches under policies that do not  yet have the new exclusion. That’s just how policyholder counsel works.

Coverage Opinions is a bi-weekly (or more frequently) electronic newsletter reporting or providing commentary on just-issued decisions from courts nationally addressing insurance coverage disputes. Coverage Opinions focuses on decisions that concern numerous issues under commercial general liability and professional liability insurance policies. For more information visit www.coverageopinions.info.

The views expressed herein are solely those of the author and not necessarily those of his firm or its clients. The information contained herein shall not be considered legal advice. You are advised to consult with an attorney concerning how any of the issues addressed herein may apply to your own situation. Coverage Opinions is gluten free but may contain peanut products.

   Randy J. Maniloff is an attorney in the Philadelphia office of White and Williams, LLP.  He concentrates his practice in the representation of insurers in coverage disputes over primary and excess obligations under a host of policies. Randy is co-author of “General Liability Insurance Coverage - Key Issues In Every State” (Oxford University Press, 2nd Edition, 2012). For the past twelve years Randy has published a year-end article that addresses the ten most significant insurance coverage decisions of the year completed.

Read more from this issue of Coverage Opinions.

For more information about LexisNexis products and solutions connect with us through our corporate site