Insurance Coverage Implications of Private Data Breaches

Posted by Tom Hagy
President, HB Litigation Conferences
  
With hundreds of laws governing data privacy and the potential for billions of dollars in damages, you can’t help but think that insurance coverage disputes are about to fall on courts like confetti. 
 
Maybe yes; maybe no. 
 
Either way, companies need to pay as close attention to their insurance policies as they do their data protection policies.
 
Speaking on HB’s July 15 teleconference – “Private Data Breaches: Insurance Coverage Implications & Prevention” – policyholder counsel Scott Godes of Dickstein Shapiro told listeners that, despite what insurance counsel might say, “don’t write off your existing coverage” if you are looking for protection. He also said to know your window of time for giving notice and to get that notice in quickly to get your insurer “to partner up with you,” and to consider new cyber-security coverage – but “know its limitations.”
 
Godes said that according to one report, data breaches in 2008 compromised 285 million records. And there has been a “massive proliferation” of state laws in addition to federal privacy laws, he continued. There are now laws in 44 states, plus Washington, DC, Puerto Rico and the Virgin Islands, Godes reported. Co-presenter Arturo Perez Reyes said California alone has 81 separate privacy laws, and there are hundreds of laws outside the U.S. If you lose records, you will have to tell everyone that you lost them, he said, “essentially notifying a whole class of potential plaintiffs.”
 
There was a 44% increase in data losses last year that resulted in $50B in losses, Reyes reported, adding that nine million people were affected by identification theft.
 
“The concept of a firewall is a joke,” Reyes declared.
 
As businesses have more information and data, there will be more people interested in getting access to it, Godes said, adding that paper-based data are vulnerable, too.
 
Godes cited the well-known case involving TJX Companies, which paid a $200M settlement for a massive data theft of customer credit card information. They recently had to pay nearly $10M more for the cost of resolving underlying claims. “If you’re a company faced with that situation, what would your insurer say if you asked them to defend you?”
 
In examining traditional liability policies’ coverage of property damage, Godes said courts are split on whether computer data are property. He maintains that data are property, albeit of the microscopic variety stored in the form of tiny metal particles.  
 
  
The most notable case against this argument, Godes said, is Eyeblaster, Inc. v. Fed. Ins. Co., 2008 U.S. Dist. LEXIS 81912 (D. Minn. Oct. 7, 2008), where the court rejected the idea, based on new ISO language, that electronic data are tangible property.
 
Godes cautioned, though, that under many states’ laws there may be a duty to defend – in itself a costly proposition – even if just one claim in an entire complaint is potentially covered. 
 
He urged policyholders to look to policy endorsements for language that might reverse standard form language regarding data. He said crime policies should be examined for coverage of computer fraud or theft. And don’t forget business interruption or consequential business interruption coverage, he said, for situations in which a breach hits a third party that is essential to keeping your business running.
 
As far as notifying carriers, Godes said time is not on your side: policyholders should not hesitate to bring carriers into the loop when claims arise.
 
Godes criticized insurance company arguments against coverage for data theft arising from failures on the part of the policyholder’s systems. “If there is no failure to maintain proper authentication and no failure of data security measures, there would be no potential liability and no lawsuits,” he said. “And if there never was a failure of proper authentication and never was a failure of data security, I suppose insurance companies would be thrilled because they would get your insurance premiums and nothing ever goes wrong.” 
 
Co-presenter Timothy Delahunt of Kenney, Shelton, Liptak & Nowak called this a “classic policyholder complaint – that insurance companies issue coverage then deny it.”
 
“The analogue is that courts will find coverage when they need to, to satisfy an underlying liability. Do I think the facts and policy language have changed?” Delahunt asked. “By and large no. Could the coverage landscape change as underlying liability expands? I believe that’s possible.”
 
Put Down Your Hats & Hooters
 
Delahunt was quick to tell coverage lawyers not to get too excited at the potential for new business. “If we are waiting for an onslaught of cyber-data-breach coverage litigation, we may be disappointed,” he said. “These types of liabilities are going to be covered or not covered in the future based largely on specialty insurance products, rather than the basic coverage forms. And if that’s true, and if they are underwritten carefully, and if they are narrowly written to cover specific exposures, then it’s at least possible that the litigation would not be widespread from the coverage perspective, but [instead] will happen in pockets.”
 
Barring a fundamental change in the way ISO issues its basic liability products and the way companies follow suit, Delahunt doesn’t see much litigation on the horizon. He said there just isn’t anything “novel from a coverage law perspective” here.
 
However, he said, “If these data breaches become more frequent, which they are, then the impact will be that there is going to be an increase in the underlying litigation . . . that would signal a broadening of the underlying liability.”
 
“If corporations and even other entities . . . are subject to wider third-party liability,” he went on, “then what I would suggest is that courts applying insurance products in their ‘institutional subconscience’ are going to expand coverage under standard products under specialty products to at least keep some pace with the scope of the underlying liability.” 
 
Of the 2001 ISO revision to the definition of property damage that takes out electronic and digital data, Delahunt called it “a well-crafted amendment to the definition.” “But unless your claimant is claiming that the damage of a data breach is to their own software or their own data, rather than their money interest, bodily interest, commercial interest, then this doesn’t really do much for a carrier as far as a carrier extricating themselves from claims.”
 
Reyes, who is with Saylor & Hill Company, a Barney & Barney Company, in Oakland, Calif., claims insurance policies are all about “tangible goods dealing in a world of atoms.” Are data tangible? “Not at all,” he said. “We’re talking about bits. There is no cost to a ‘one’ and a ‘zero.’”
 
Reyes said the biggest cost to companies comes when credit monitoring is required. He said in one case there were 45 million people whose records were allegedly compromised. The cost of credit monitoring is $35 per person, per year. In that case, one year’s worth of monitoring would cost $1.44B. 
 
The other key costs, which also are not usually covered by insurance, are the forensic costs to identify what has been lost and the cost of crisis management to repair damage to a company’s brand and stock values.
 
In the end, whether covered or not covered, Godes probably summed it up best. “This is not a problem that is going to fade away.”
 
Copyright 2009 HB Litigation Conferences. http://www.litigationconferences.com/