Register to receive a printed copy(For Lexis Practice Advisor® Subscribers Only)
Lexis Practice Advisor®Free Trial
Learn More AboutLexis Practice Advisor®
By: Ellen MacDonald Farrell and Rachel P. Raphael Crowell & Moring
Today, billions of different devices are connected to the internet, and the internet-capability of everyday objects is expected to grow exponentially in the years to come. The Internet of Things (IoT) refers to the network of these devices that collect and exchange data. Connected devices may include everything from automobiles to implantable medical devices to home appliances. The large-scale use of these devices is already revolutionizing many aspects of our daily lives by increasing the availability of information and changing the ways that business and consumers interact. But at the same time, it is creating a host of new cyber-related risks, as a wealth of new information may be open for attack. This article focuses on the complex insurance issues raised by IoT devices.
CYBER-RELATED BREACHES APPEAR NOW TO BE AN everyday occurrence. And as more devices become part of the IoT, the more consumers and businesses are put at risk. Personal and confidential data is more susceptible to hackers; manipulations of wireless medical devices risk bodily injury and even death; and cyber incidents involving (for example) power grids, connected planes, trains, and automobiles could have devastating impacts.
Controlled demonstrations and data breach incidents have shown that there are still improvements to be made in the techniques used to secure IoT devices. The exposure of vulnerabilities has led to lawsuits against companies involved in the production, sale, distribution, and marketing of internet-connected products. When facing potential liability, companies commonly turn to their insurance policies for coverage. But with complicated risks come complicated insurance issues. The tangible and intangible nature of data breaches involving IoT products raises interesting issues under both standalone cyber insurance and more traditional liability policies.
IoT1 is generally understood to refer to a decentralized network of physical objects that are connected to the Internet and enable communication between humans, computers, objects, applications, and devices.2 To put it simply, “[t]he IoT is what we get when we connect Things, which are not operated by humans, to the Internet.”3 “Things” here may include any object for which remote communication, data collection, or control is useful; for example, “streetlights, thermostats, electric meters, fitness trackers, factory equipment, automobiles, unmanned aircraft systems (UASs or drones), or even cows or sheep in a field.”4 An object becomes part of the IoT once it has two features: (1) an Internet Protocol (IP) address, which allows the object to be uniquely identified; and (2) internet connectivity, which allows the object to send and receive information from computers and other smart objects in the IoT.5
The number of connected objects in the IoT is growing at a rapid rate. The network has expanded significantly in the last 20 years due to the “explosive growth in mobile devices and applications and the broad availability of wireless connectivity.”6 In 2003, approximately 500 million devices were connected to the internet.7 Today, there are more than 6.4 billion such devices, with approximately 5.5 million more connecting to the internet each day.8 By 2020, the number of devices in the IoT is predicted to exceed 20 billion9— possibly reaching as many as 40 to 50 billion.10 Global spending on IoT products is forecasted to reach $737 billion by 2016 and grow at a compound annual rate of 15.5% from 2015–2020 to $1.29 trillion.11 By 2020, consumer IoT products are expected to be the third largest segment of market purchases,12 with each person in the world owning an average of more than six connected devices.13
Within the IoT, billions of sensors around the world are constantly acquiring information about their surroundings, and new ways of capturing and using personal information continue to emerge.14 One of the government’s top concerns regarding growth of the IoT is the unpermitted access to and misuse of personal information and consumer data.15 This could occur in a variety of situations. For example, a company could store for later use data collected from the IoT in ways its consumers did not authorize.16 Or, an employer could use sensors to monitor an employee’s behavior after work hours without the employee’s permission.17
Another privacy concern is the ease with which hackers may conduct identity theft. “General data available on the internet, combined with social media information, plus data from smart watches, fitness trackers and if available smart meters, smart fridges and many more” provide hackers with “a great all-round idea” of individual identities.18 Fitness watches and smartphones contain some of the most private information, including a person’s name, address, date of birth, credit card information, and health information.19 Smartphones also contain unprotected access to a person’s email, business, and social media accounts, and online banking information.20
As the number of smart objects in the IoT grows, so does the potential risk of cyber-attacks and the costs associated with such incidents. Cybersecurity is designed to protect “information systems, their components and contents, and the networks that connect them from intrusions or attacks involving theft, disruption, damage or other unauthorized or wrongful actions.”21 Today, cyber-attacks pose a significant threat to businesses, costing approximately $400 billion every year.22 Such attacks do not just result in the theft of data. Sometimes data breaches—especially those involving IoT products—can cause bodily injury and property damage.23
For example, in 2008, hackers accessed a Turkish pipeline through surveillance camera software and caused an explosion by superpressurizing the oil in the pipeline after shutting down its alarms.24 The next year, a former employee was responsible for a computer intrusion of a large power company in Texas that crippled the company’s energy forecast system and caused the company to incur more than $26,000 in damages.25
In 2014, the German Federal Office of Information Security announced that hackers had gained access to a German steel factory’s production networks and caused system components to fail by tampering with the controls of its blast furnace.26 Then in 2015, hackers obtained control of a power grid in western Ukraine, opening up circuit breakers and knocking out power stations.27
More recently, in January 2017, hackers infiltrated an Austrian hotel’s electronic key system, locking guests out of their rooms and forcing the hotel to give in to the hackers’ ransom demand.28 Finally, just eight days before President Trump’s inauguration, hackers tampered with 70% of storage devices that record data from police surveillance cameras in Washington, D.C., “forcing major citywide reinstallation efforts.”29
Of the risks inherent in an expansive IoT system, the most significant is the risk to our health and safety. For example, in 2014, the Federal Bureau of Investigation (FBI) warned hospitals to discontinue use of a particular line of infusion pumps produced by Hospira due to security flaws that could allow a user to remotely change medication doses.30 And in January 2017, the Food and Drug Administration (FDA) confirmed that St. Jude Medical’s implantable cardiac devices had vulnerabilities that could allow a hacker to access them and deplete their batteries and/or administer incorrect pacing or shocks.31
The possibility of such intrusions does not come as a surprise. In 2011, a former security guard hacked a hospital’s computer network and took control of the HVAC system, putting vulnerable patients and treatments (such as temperature-sensitive drugs and supplies) at risk.32 A few years later, as part of a demonstration at the University of South Alabama, students hacked a pacemaker and showed that they could speed up and slow down heart rates.33
Hackers can also endanger our safety by targeting different modes of transportation. For example, in 2008, a teenage boy hacked into a Polish train system, causing a train derailment and injuring at least 12 people.34 Additionally, in April 2015, the U.S. Government Accountability Office (GAO) published a report addressing cybersecurity issues with commercial aircraft.35 In its report, the GAO noted that the increasing interconnectedness of modern aircraft creates the possibility of unauthorized access to aircraft avionics systems.36 Similarly, “[w]hile there have been no known cyber-attacks against vehicles . . . most experts believe ‘real-world attacks with safety implications could occur in the near future, particularly as automakers begin deploying autonomous (i.e., self-driving) vehicles and connected vehicle technologies.’ ”37 The possibility of such intrusions was confirmed in mid-2015 when two individuals conducting a white hat hacking experiment were able to manipulate systems and then disable a sport utility vehicle speeding on a busy highway 10 miles away.38
Cases Dealing with the Definition of Property Damage
Courts have long grappled with whether cyber-related losses are covered under first- and third-party insurance policies. In early cases, courts addressed coverage for losses to data or functionality of electronic devices that resulted from causes such as faulty equipment, power outages, or malware. Today, courts all over the country continue to address these issues.
Generally speaking, policyholders have sought coverage for the loss of use of data or functionality of electronic devices on the ground that such losses involved property damage, which has been typically defined as including injury to or the loss of use of tangible property. In contrast, insurers have argued that such losses were not covered because those losses did not involve injury to or the loss of use of such property. Although courts have reached different conclusions on these issues, their reasoning may be instructive as courts begin to deal more specifically with coverage for tangible losses relating to IoT devices.
At one end of the spectrum is Am. Guar. & Liab. Ins. Co. v. Ingram Micro, Inc.39 The policyholder in that case, Ingram Micro, distributed “microcomputer products” and used a network (Impulse) to track orders and keep information on its customers and products.40 Due to a power outage, programming information that had been stored on Ingram Micro’s mainframe computers was lost and had to be reprogrammed, and Ingram Micro’s data center was disconnected from the Impulse network for eight hours until a system switch was fixed.41 Ingram Micro sought coverage for its resulting business and service interruption losses under an all risks policy that Ingram Micro had procured from American Guarantee and Liability Insurance Company (AGLIC).42 This policy provided coverage for “[a]ll Risks of direct physical loss or damage from any cause, howsoever or wheresoever occurring . . . .”43
AGLIC argued that the all risks policy did not cover Ingram Micro’s business and service interruption losses because Ingram Micro’s computer systems were not physically damaged, since the “power outage did not adversely affect the equipment’s inherent ability to accept and process data and configuration settings when they were subsequently reentered into the computer system.”44 By contrast, Ingram Micro argued that the computer systems had been physically damaged because they had lost their functionality.45
The U.S. District Court for the District of Arizona sided with Ingram Micro, concluding that loss of programming information and customer configurations did constitute physical damage to tangible property. In so doing, the court explained:
Similarly, in Eyeblaster, Inc. v. Fed. Ins. Co., the U.S. Court of Appeals for the Eighth Circuit held that allegations in an underlying complaint, that a computer was damaged due to malware, alleged physical damage under a general liability policy.47 Specifically, the plaintiff (Sefton) alleged in an underlying complaint that Eyeblaster’s online advertising malware had caused Sefton’s computer to crash, causing Sefton to lose data on a tax return that he had been preparing. Sefton further alleged that even after his computer was repaired, the computer continued to run slowly and freeze up.48
Eyeblaster tendered defense of Sefton’s complaint to its general liability carrier, Federal Insurance Company, but Federal Insurance denied the claim (inter alia) on the ground that the underlying complaint did not allege property damage caused by an occurrence.49 The policy at issue defined “property damage” as “physical injury to tangible property, including resulting loss of use of that property . . . or loss of use of tangible property that is not physically injured.”50
Even though this definition excluded “any software, data or other information that is in electronic form,”51 the court held that Sefton’s complaint alleged property damage, since Sefton had alleged that his computer itself was damaged by Eyeblaster’s malware.52
Am. Online, Inc. v. St. Paul Mercury Ins. Co. represents the other end of the spectrum in these cases.53 There, multiple class action suits had been filed against America Online (AOL), alleging that AOL’s access software Version 5.0 caused plaintiffs’ operating systems to crash and their computers to lose stored data. AOL tendered the defense of those suits to St. Paul Mercury Insurance Company, which had issued a commercial general liability (CGL) insurance policy to AOL.54 The policy covered property damage, which was defined as
St. Paul denied AOL’s claim on the ground that the underlying complaints did “not allege damage to ‘tangible’ property” under the CGL policy.56
In the resulting coverage litigation, the U.S. District Court for the Eastern District of Virginia, and then the U.S. Court of Appeals for the Fourth Circuit, agreed with St. Paul. In so doing, the Fourth Circuit analogized the loss of use of software on a computer to a lock combination and the lock itself, noting that “when the combination to a combination lock is forgotten or changed, the lock becomes useless, but the lock is not physically damaged. With the retrieval or resetting of the combination—the idea—the lock can be used again.”57 With this in mind, the court then explained that although AOL’s CGL policy “cover[ed] any damage that may have been caused to circuits, switches, drives, and any other physical components of the computer,” it did not cover “the loss of instructions to configure the switches or the loss of data stored magnetically.”58 Because “[t]hese instructions, data and information are abstract and intangible,” the court held that damage to them “is not physical damage to tangible property.”59
Other courts have followed America Online and similarly concluded that damage to electronic data is not covered property damage.60
Coverage for Damages Resulting from the Unauthorized Access to Data under “Traditional” Liability Policies
Policyholders’ Approaches to Coverage
Coverage disputes relating to data breaches may also be instructive as courts begin to deal with IoT-related coverage disputes. Policyholders seeking coverage for such breaches generally argue that their resulting losses constitute property damage under Coverage Part A of their general liability policies or advertising injury under Coverage Part B of those policies
Data Breaches as Covered Property Damage
As a general matter, courts that have considered whether breachrelated losses constitute “damage to tangible property,” as required under CGL policies, have determined that they do not.
For example, in 2012, the U.S. District Court for the Western District of Wisconsin addressed whether electronic funds in an online bank account were tangible property under a commercial excess liability and “Bis-Pak” policy.61 In Carlon, the policyholder, DelaGet, had been hired by a restaurant group to manage its finances.62 The restaurant group’s accounts were allegedly exposed to a virus on DelaGet’s computer, and several hundred thousand dollars were stolen from the restaurant group’s bank account.63
DelaGet argued that the term tangible property was reasonably susceptible to more than one meaning, and therefore, should be read to include electronic bank account funds.64 The district court disagreed.65 It concluded that the electronic funds at issue were not covered under the third-party liability coverage form because there was no required loss of use of tangible property.66
More recently, a federal district court in Alabama reached a similar conclusion.67 In that case, the policyholder, Camp’s Grocery, was sued by three credit unions after a breach of its computer network.68 In the underlying suit, the credit unions alleged that the data breach had compromised their customers’ credit card, debit card, and check card information.69 Camp’s Grocery sought coverage under a business owners insurance policy, and when the insurer refused to provide coverage, Camp’s Grocery filed suit.70 Among other things, Camp’s Grocery argued that the physical credit, debit, and check cards were tangible property and that the losses suffered by the credit unions in replacing these cards was “covered property damage.”71 Rejecting Camp’s Grocery’s argument, the U.S. District Court for the Northern District of Alabama concluded that the underlying claims were based on compromised intangible data contained on the cards that made the cards unusable.72
Data Breaches as Advertising Injury
The term advertising injury is typically defined in CGL policies as
Unlike the recent decisions considering whether breachrelated losses constitute property damage, courts have reached different results when deciding whether such losses qualify as advertising injury
In April 2011, Sony Corporation suffered a massive data breach in its PlayStation video game online network, which led to the theft of millions of customers’ private information. Sony faced claims following the hack, and it sought coverage under its general liability policies. In Zurich Am. Ins. Company v. Sony Corp. Of Am., a New York trial court was asked to decide whether the insurance companies were obligated to provide coverage for these claims.73
In an oral opinion issued by Judge Jeffrey K. Oing, the court held that a publication took place when hackers breached Sony’s network even though the hackers did not actually make the stolen information public.74 However, pursuant to the general liability policies issued by Zurich, the publication had to be made by Sony itself.75 Coverage could not be triggered by the actions of third parties.76 Thus, Zurich’s policies did not cover Sony’s losses because the hackers, rather than Sony, were responsible for the publication.77
On the other hand, in Travelers Indem. Co. of Am. v. Portal Healthcare Solutions, L.L.C., the U.S. Court of Appeals for the Fourth Circuit held that the insurer was obligated to defend its policyholder in a class action lawsuit alleging that the policyholder had made private medical records available on the internet for several months.78 In that case, confidential patient records kept by a medical records company were made available to unauthorized users.79 The medical records company, Portal Healthcare, sought coverage under two commercial general liability policies for a class action lawsuit that had been filed against it.80 The insurer argued that it was not obligated to provide coverage because Portal Healthcare’s conduct did not effect a publication, and no publicity occurred when Portal Healthcare posted the records online.81 The district court disagreed, concluding that making the records publicly available on the internet amounted to a publication that gave “unreasonable publicity” to and “disclose[d] information about patients’ private lives” under the commercial general liability policies even though no third party was alleged to have viewed the information and Portal Healthcare took no steps to attract public attention to the information.82
On appeal, the Fourth Circuit affirmed the district court’s decision, holding that the insurer had a duty to defend Portal Healthcare in the underlying class action because the alleged conduct at least potentially constituted a publication of the patients’ confidential information.83
Insurance Services Office Endorsements
Early Cyber-Related Endorsements
In response to coverage disputes under traditional policies involving the loss of ability to access data and the unauthorized access to data, the Insurance Services Office (ISO) has dealt with whether to exclude or limit coverage under traditional policies for cyberrelated losses. For example, after some courts had determined that electronic data could constitute tangible property, in 2001 the ISO issued a CGL coverage form that explicitly provided that electronic data was not tangible property.84 In 2004, the ISO then introduced an exclusion (p) in the CGL form for “Damages arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.”85 But that same year, the ISO also introduced an endorsement through which policyholders could buy back limited coverage for “ ‘property damage’ because of all loss of ‘electronic data’ arising out of any one ‘occurrence.’ ” That same endorsement defined the term property damage for purposes of the endorsement to include the “[l]oss of, loss of use of, damage to, corruption of, inability to access, or inability to properly manipulate ‘electronic data,’ resulting from physical injury to tangible property . . . .”86 Thus, this endorsement would apply where there has been a loss of or inability to access or manipulate electronic data only where there had otherwise been injury to tangible property.87
ISO Endorsement CG 24 13 04 13
More recently, through endorsements that went into effect in April 2013, the ISO amended the definition of advertising injury to which Coverage Part B applies. Recall that CGL policies typically define advertising injury as follows:
Endorsement CG 24 13 04 13 removes subpart (b) of that definition—and in so doing (inasmuch as policyholders have relied on subpart (b) in seeking coverage for data breaches), this endorsement arguably defeats coverage in most cases for cyber liability claims as personal or advertising injury.
ISO Endorsement CG 21 06 05 14
Finally, the ISO endorsement CG 21 06 05 14, which went into effect in May 2014, impacts both Coverage Parts A and B by seeking further to limit recovery for cyber-related losses under traditional policies. With respect to Coverage Part A (bodily injury and property damage), the endorsement replaces exclusion (p) of CGL policies with the following:
Electronic data means “information, facts or programs stored as or on, created or used on, or transmitted to or from computer software.” This endorsement also provides that the exclusion applies even if “damages are claimed for notification costs, credit monitoring expenses, forensic expenses, public relations expenses or any other loss, cost or expense incurred by [the named insured] or others arising out of” that which is the subject of the exclusion.
Notably, there are two versions of this endorsement. Both versions have the language quoted above, but the second version also expressly excepts bodily injury from the exclusion by providing that “[u]nless Paragraph (1) above applies, this exclusion does not apply to damages because of ‘bodily injury.’” This version of the endorsement thus indicates that damages due to bodily injury that arise out of “[t]he loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data” may not be excluded from coverage, as long as the bodily injury did not arise from access to or disclosure of a person or organization’s nonpublic information. This variation of endorsement CG 24 13 04 13 will likely be front and center in future coverage disputes, where policyholders are liable for bodily injury due to the hacking or other malfunctions of IoT devices.
Finally, with respect to Coverage Part B (personal and advertising injury), CG 21 06 05 14 also states:
An ISO executive explained the rationale for endorsement CG 21 06 05 14 at the time that it was introduced:
Thus, the intent of CG 21 06 05 14 seems to be to direct policyholders to standalone policies for coverage for cyber-related claims, with the notable exception of claims for bodily injury, where policyholders have purchased coverage with that version of the endorsement.
Coverage for Data Breaches under Standalone Cyber Policies
At the same time that courts have reached mixed results (at best) as to whether coverage is available for cyber-related incidents under traditional policies, and against the backdrop of the ISO’s exclusionary endorsements, the market for standalone cyber policies has grown. Unlike traditional policies, which often have standard wording, there is no standard wording for cyber-related policies. Cyber policies typically present coverages for discrete types of cyber-related losses, such as first- and third-party losses arising from data breaches, network interruption, and extortion.
Although specialized policies have gained popularity in recent years, so far there have been only a few reported court decisions regarding the scope of coverage under these policies. Although the case law is thus less well-developed, a few key cases underscore the importance of paying attention to policy terms and understanding the scope of coverage even when purchasing a specialized policy.
One of the first litigated disputes involving a stand-alone cyber insurance policy was Columbia Cas. Co. v. Cottage Health Sys.89 In that case, Cottage Health suffered a data breach that released private health care information on approximately 32,500 patients that was stored on its servers.90 Columbia Casualty had issued a standalone NetProtect360 cyber insurance policy to Cottage Health, and following the data breach, Columbia Casualty sought a declaration in the U.S. District Court for the Central District of California that it was not obligated to provide coverage for Cottage Health’s losses. More specifically, Columbia Casualty alleged that (1) the breach occurred because Cottage Health and/or its thirdparty vendor stored the patient information on a system that was internet-accessible and without the proper security measures, and (2) Cottage Health violated non-delegable duties under California law to maintain the security of confidential medical records and to detect and prevent data breaches on its systems.91
Another early case was Travelers Prop. Cas. Co. of Am. v. Fed. Recovery Servs. 92 Federal Recovery was in the business of processing, storing, transmitting, and handling electronic data for other companies.93 Federal Recovery entered into a Servicing Retail Installment Agreement with Global Fitness, pursuant to which Federal Recovery agreed to process member accounts and transfer member fees to Global Fitness.94 A dispute erupted between the companies, and Global Fitness sued Federal Recovery, alleging that Federal Recovery had retained possession of member data and interfered with Global Fitness’ business dealings.95 Federal Recovery tendered defense of the suit to Travelers, which had issued a CyberFirst Technology Errors and Omissions Liability Form Policy to Federal Recovery.96
Pursuant to the CyberFirst policy, Federal Recovery was entitled to coverage for losses caused by an “errors and omissions wrongful act,” which was defined as “any error, omission or negligent act.”97 But in its complaint, Global Fitness alleged Federal Recovery “knowingly withheld [data from Global Fitness] and refused to turn it over until Global [Fitness] met certain demands.”98 Thus, “[i]nstead of alleging errors, omissions, or negligence, Global [Fitness] allege[d] knowledge, willfulness, and malice.”99 Accordingly, the U.S. District Court for the District of Utah concluded that Travelers did not have a duty to defend Federal Recovery in the Global Fitness suit.100
Additionally, just last year, in P.F. Chang’s China Bistro, Inc. v. Fed. Ins. Co., the U.S. District Court for the District of Arizona was asked to weigh in on the scope of coverage under a standalone cyber insurance policy.101 P.F. Chang’s, like many merchants, was unable to process credit card transactions itself.102 As a result, it entered into an agreement with a third party, Bank of America Merchant Services (BAMS), to facilitate the processing of credit card transactions with the banks who issue credit cards.103 Pursuant to the agreement, P.F. Chang’s agreed to pay any fines, fees, or penalties imposed on BAMS by credit card associations, based on P.F. Chang’s acts or omissions.104
In June 2014, P.F. Chang’s learned that computer hackers had obtained about 60,000 credit card numbers belonging to P.F. Chang’s customers and posted these numbers to the internet.105 After the cyber incident, credit card associations imposed fees on BAMS and, in accordance with their agreement, BAMS passed along the fees to P.F. Chang’s.106 P.F. Chang’s then sought coverage for cyber-related losses from Federal Insurance under a Cybersecurity by Chubb Policy.107 Federal Insurance reimbursed P.F. Chang’s for $1.7 million in costs incurred by P.F. Chang’s as a result of the data breach, but it refused to reimburse P.F. Chang’s for the fees assessed by BAMS.108
P.F. Chang’s filed suit against Federal Insurance, and Federal Insurance moved for summary judgment.109 In support of its motion, Federal Insurance argued that the BAMS fees did not constitute a loss as it was defined under the policy and, even if it did, coverage was eliminated by two exclusions that precluded coverage for liabilities assumed by P.F. Chang’s without Federal Insurance’s consent.110 The Arizona federal district court agreed with Federal Insurance, concluding that the BAMS fees did not fall under the policy’s definition of loss and, in any event, these fees fell within the policy’s exclusions concerning assumed liabilities.111
When the Unauthorized Access to Data Causes Bodily Injury or Property Damage
To date, courts deciding coverage disputes following a data breach have considered whether the loss of electronic data constitutes property damage. But with IoT products, a cyber-related loss could fall under the more traditional definition of covered property damage.
For example, the 2008 hack of a Polish train system discussed above resulted in a train derailment that injured at least 12 passengers and may very well have caused damage to the passengers’ personal property and the property in the vicinity of the incident. In a situation like that one, the train company might, in the first instance, seek coverage for any third-party claims under traditional general liability policies. If those general liability policies exclude coverage based on the unauthorized access of the train’s electronic systems, there might well not be coverage. As discussed above, ISO endorsement CG 21 06 05 14 excludes “[d]amages arising out of: . . . (2) [t]he loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.” This would arguably exclude property damage (and, unless the adopted endorsement contains the limited exception, bodily injury) resulting from the hack if the train derailment were considered as damage “arising out of . . . the] corruption of . . . electronic data.” Having said this, policyholders like the train company might argue (especially as to policies that have not incorporated the more recent ISO endorsements, or that have adopted the variant of CG 21 06 05 14 that excepts bodily injury) that the focus should be on the resulting injury (not the cause) and that bodily injury and/or property damage emanating from the unauthorized access to data therefore should be covered.
The train company might also look to its cyber insurance policy for coverage. But unlike general liability policies, those policies tend to focus coverage for costs of more typical post-breach losses such as customer notification, credit monitoring, legal fees, and fines. By contrast, those policies typically do not provide coverage for bodily injury or property damage.
Recently, however, certain carriers have started to offer insurance policies that include broader coverage for the types of losses that might occur after a cyber incident. For example, some cyber insurance policies now cover bodily injury, property damage, business interruption, and product liability related to a data breach. Even still, cyber policies offering coverage for a wider array of damages are not as commonplace right now; most cyber insurance policies do not provide such coverage. As a result, even if a company, like the train company, had purchased traditional insurance coverage and a standalone cyber insurance policy, that company might face complex insurance-related issues when property damage and/or bodily injury occurs after a cyber-attack, as in the example just discussed.
Other Complications Raised by Connected Devices
Beyond coverage for bodily injury and property damage, the interconnectedness of a widespread number of devices presents other issues. Information stored on one IoT device is only as protected as the least secure device connected to the same network. Regardless of how secure a particular device is on its own, if it is connected to a network, the security of that device could be vulnerable due to lack of security of a completely different device connected to that network. This has the potential to compromise a policyholder’s ability to seek coverage under its stand-alone cyber policy.
As mentioned above., in the case of Columbia Cas. Co. v. Cottage Health Sys., Columbia Casualty sought a declaration that it was not obligated to provide coverage for its policyholder, Cottage Health, under a NetProtect360 cyber insurance policy after a data breach released tens of thousands of patient medical records stored electronically on Cottage Health’s servers.112 Columbia Casualty alleged, in part, that the cyber incident occurred because Cottage Health and/or its third-party vendor had stored the patient files on a system that lacked the proper security measures contrary to the representations Cottage Health made on its insurance application.113
Such representations are commonly required in cyber insurance policy applications. Where the security of one connected device depends on all other devices connected to the same network (potentially including devices outside of the policyholder’s control), this could complicate a policyholder’s ability to make representations regarding the security measures in place and/or comply with a cyber insurance policy requirement to maintain certain security measures.
The explosion of the IoT brings many opportunities. But it also comes with a wealth of unique risks. Controlled demonstrations and actual cyber incidents have shown IoT products to be susceptible to attacks. The next wave of insurance coverage litigation may very well involve these products as manufacturers derive new and creative ways to connect everyday objects to the internet. As more disastrous losses occur with the mainstream use of these products, courts will be faced with complicated insurance coverage questions regarding the interplay between various insurance policies. As a result, it will be all the more important for insurance carriers and policyholders to pay careful attention to the specific terms of their insurance policies to make sure that the available coverage satisfies both parties’ expectations.
Ellen MacDonald Farrell is a senior counsel in Crowell & Moring’s Washington, D.C. office and a member of the Insurance/Reinsurance Group, focusing on the litigation, arbitration, and negotiated resolutions of insurance and reinsurance disputes, as well as counseling on policy language and privacy and security issues. For more than 15 years, Ellen has represented some of the nation’s argest insurers in high-stakes disputes involving the insurance industry. Ellen has helped insurers negotiate cost-share and buyback agreements, and she has advised insurers on a wide range of issues including the classification and allocation of long-tail claims, number of occurrences, equitable contribution between insurers, trigger, allocation, multi-year policy issues, alleged/missing policy issues, late notice, and issues presented by Bermuda Form policies. Ellen also counsels insurers with respect to the development of policy wording and emerging insurance issues and has spoken frequently on insurance issues implicated by cyber risks. Rachel P. Raphael is an associate in Crowell & Moring’s Washington, D.C. office and a member of the Insurance/Reinsurance Group. Rachel’s practice involves litigation, arbitration, and counseling on a wide variety of insurance and reinsurance issues and includes pre-dispute advice as well as insurer/reinsurer representation in complex disputes. Rachel previously worked as a law clerk for the Office of the Assistant General Counsel for International Affairs of the U.S. Department of the Treasury and as an investment banking analyst at Houlihan Lokey.
To find this article in Lexis Practice Advisor, follow this research path:
RESEARCH PATH: Commercial Transactions > Insurance > Understanding Business Insurance > Article
For more information on the coverage of cyber claims by commercial general liability insurance policies, see
> INTELLECTUAL PROPERTY INFRINGEMENT AND CYBER CLAIMS UNDER A COMMERCIAL GENERAL LIABILITY POLICY
RESEARCH PATH: Commercial Transactions > Insurance > Understanding Business Insurance > Practice Notes
For a checklist of the items that are important in determining whether to purchase a particular cybersecurity insurance policy, see
> CYBER-SECURITY INSURANCE POLICIES REVIEW CHECKLIST
RESEARCH PATH: Commercial Transactions > Insurance > Insurance Policies > Checklists
For an overview of the coverage and exclusions in commercial general liability insurance, see
> COMMERCIAL GENERAL LIABILITY INSURANCE
RESEARCH PATH: Commercial Transactions > Insurance > Insurance Policies > Practice Notes
For a detailed discussion on the benefits and risks surrounding the Internet of Things, including privacy laws and data security regulation, see
> THE INTERNET OF THINGS: KEY LEGAL ISSUES
RESEARCH PATH: Commercial Transactions > E-Commerce > Internet Business & New Media > Practice Notes
For guidance on how an organization should plan for and manage a data breach, see
> PLANNING FOR & MANAGING A DATA BREACH
RESEARCH PATH: Commercial Transactions > E-Commerce > Privacy & Data Security on the Internet > Practice Notes
1. The term “Internet of Things” was coined as early as 1999 by Kevin Ashton, a British technology pioneer who was then working at Proctor & Gamble as an assistant brand manager. See Shawn DuBravac & Carlo Ratti, The Internet of Things: Evolution or Revolution? 6 (2015). 2. Nasrine Olson, The Internet of Things, 18 New Media & Soc’y 680 (2016) (book review); National Sec. Telecomms. Advisory Comm., NSTAC Report to the President on the Internet of Things (2014). 3. Peter Waher, Learning Internet of Things 2 (2015). 4. Eric A. Fischer, Cong. Research Serv., R44227, The Internet of Things: Frequently Asked Questions 2 (2015). 5. Id. at 3. 6. DuBravac & Ratti, supra note 1, at 7. 7. Id. 8. H. Michael O’Brien, The Internet of Things and its Future Impact on Product Liability (2015). 9. Id. 10. DuBravac & Ratti, supra note 1, at 2. 11. Internet of Things Spending to Reach US$1.29 trillion by 2020, Insurance Industry to See Fast Spending Growth, Canadian Underwriter (Jan. 5, 2017), http://www.canadianunderwriter.ca/insurance/internet-things-spending-reach-us1-29-trillion-2020-insurance-industry-see-fast-spending-growth-report-1004106299/. 12. Id. 13. Lea Toms, Beware! Data and Identity Theft in the IoT, GlobalSign Blog (Mar. 22, 2016), https://www.globalsign.com/en/blog/identity-theft-in-the-iot/. 14. DuBravac & Ratti, supra note 1, at 15. 15. Mohana Ravindranath, Who’s in Charge of Regulating the Internet of Things?, Nextgov (Sept. 1, 2016), http://www.nextgov.com/emerging-tech/2016/09/internet-things-regulating-charge/131208/. 16. Id. 17. DuBravac & Ratti, supra note 1, at 13. 18. Toms, supra note 16. 19. Id. 20. Id. 21. Cong. Research Serv., supra note 4, at 14. 22. DuBravac & Ratti, supra note 1, at 16. 23. Cong. Research Serv., supra note 4, at 14. 24. Jordan Robertson & Michael Riley, Mysterious ’08 Turkey Pipeline Blast Opened New Cyberwar, Bloomberg Tech. (Dec. 10, 2014, 5:00 AM), https://www.bloomberg.com/news/articles/2014-12-10/mysterious-08-turkey-pipeline-blast-opened-new-cyberwar. 25. Kevin Poulsen, Ex-Employee Fingered in Texas Power Company Hack, Wired (May 29, 2009, 4:36 PM), https://www.wired.com/2009/05/efh/. 26. Hack Attack Causes ‘Massive Damage’ at Steel Works, BBC (Dec. 22, 2014), http://www.bbc.com/news/technology-30575104; Andrew Roth, Not Just the DNC: Five More Hacks the West Has Tied To Russia, Wash. Post (June 15, 2016), https://www.washingtonpost.com/news/worldviews/wp/2016/06/15/not-just-the-dnc-five-more-hacks-the-west-has-tied-to-russia/?utm_term=.d0fd4b683b32. 27. Roth, supra note 26; Kim Zetter, Inside the Cunning, Unprecedented Hack of Ukraine’s Power Grid, Wired (Mar. 3, 2016, 7:00 AM), https://www.wired.com/2016/03/inside-cunning-unprecedented-hackukraines-power-grid/.28. Dan Bilefsky, Hackers Use New Tactic at Austrian Hotel: Locking the Doors, N.Y. Times, Jan. 30, 2017, https://www.nytimes.com/2017/01/30/world/europe/hotel-austria-bitcoin-ransom.html?_r=0. 29. Clarence Williams, Hackers Hit D.C. Police Closed-Circuit Camera Network, City Officials Disclose, Wash. Post, Jan. 27, 2017, https://www.washingtonpost.com/local/public-safety/hackers-hit-dc-policeclosed-circuit-camera-network-city-officials-disclose/2017/01/27/d285a4a4-e4f5-11e6-ba11-63c4b4fb5a63_story.html?utm_term=.7ccd6a0e1b23. 30. Jessica Conditt, FDA Tells Hospitals to Ditch IV Pumps That Can be Hacked Remotely, Engadget (July 31, 2015), https://www.engadget.com/2015/07/31/fda-security-warning-hackers/. 31. Press Release, FDA, Cybersecurity Vulnerabilities Identified in St. Jude Medical’s Implantable Cardiac Devices and Merlin@home Transmitter: FDA Safety Communication (Jan. 9, 2017). 32. Press Release, FBI, Former Security Guard Who Hacked Into Hospital’s Computer System Sentenced to 110 Months in Federal Prison (Mar. 18, 2011). 33. Jason Koebler, Hackers Killed a Simulated Human by Turning Off Its Pacemaker, Motherboard (Sept. 7, 2015), https://motherboard. vice.com/en_us/article/hackers-killed-a-simulated-human-by-turning-off-its-pacemaker. 34. Graeme Baker, Schoolboy Hacks Into City’s Tram System, Telegraph (Jan. 11, 2008), http://www.telegraph.co.uk/news/worldnews/1575293/Schoolboy-hacks-into-citys-tram-system.html. 35. U.S. Gov’t Accountability Office, GAO-15-370, Air Traffic Control—FAA Needs a More Comprehensive Approach to Address Cybersecurity As Agency Transitions to NextGen (2015). 36. Id. 37. See Paul Merrion, House Smart Car Caucus Revs Up Vehicle Cybersecurity Issue,” Congressional Quarterly Roll Call (April 28, 2016). 38. Michael E. Miller, ‘Car Hacking’ Just Got Real: In Experiment, Hackers Disable SUV on Busy Highway, Wash. Post, July 22, 2015, https://www.washingtonpost.com/news/morning-mix/wp/2015/07/22/car-hacking-justgot-real-hackers-disable-suv-on-busy-highway/?utm_term=.7a30e09871f9. 39. 2000 U.S. Dist. LEXIS 7299 (D. Ariz. Apr. 18, 2000). 40. Id. at *2–*3. 41. Id. at *3–*5. 42. Id. at *3. 43. Id. 44. Id. at *5–*6. 45. Id. at *6. 46. Id. See also Centennial Ins. Co. v. Applied Health Care Sys., 710 F.2d 1288, 1291 (7th Cir. 1983) (underlying complaint that alleged faulty controllers caused the loss of electronically stored data “clearly raise[d] the spectre that liability for property damage [might] ensue”); Computer Corner, Inc. v. Fireman’s Fund Ins. Co., 46 P.3d 1264, 1266 (lower court had concluded data lost when policyholder reformatted a hard drive constituted tangible property, and the parties did not appeal that conclusion); Retail Systems, Inc. v. CNA Ins. Cos., 469 N.W.2d 735, 737 (Minn. Ct. App. 1991) (data on a computer tape constituted tangible property). 47. 613 F.3d 797 (8th Cir. 2010). 48. Id. at 800. 49. Id. Eyeblaster had also purchased an Information and Network Technology Errors or Omissions policy from Federal and tendered the defense of Sefton’s claims under that policy as well. Federal also denied coverage under the Tech E&O policy, which covered “financial injury caused by a wrongful act that results in the failure of Eyeblaster’s product to perform its intended function or to serve its intended purpose,” because Eyeblaster’s conduct was allegedly intentionally wrongful. Id. at 803–84. However, the court concluded that Federal had not met its burden of proof with respect to that argument. Id. at 804–85. 50. Id. at 801. 51. Id. 52. Id. at 802. 53. 347 F.3d 89 (4th Cir. 2003). 54. Id. at 91–92. 55. Id. at 94. 56. Id. 57. Id. at 96. 58. Id. 59. Id60. See, e.g., Ward General Ins. Services, Inc. v. Employers Fire Ins. Co., 114 Cal. App. 4th 548, 556 (2003) (the loss of a computer database was not a direct physical loss or damage to covered property under the first-party insurance policy at issue, as the court rejected the idea that “information, qua information, can be said to have a material existence, be formed out of tangible matter, or be perceptible to the sense of touch”); Recall Total Info. Mgmt, Inc. v. Fed. Ins. Co., 2012 Conn. Super. LEXIS 227, at *17 (Conn. Super. Ct. Jan. 17, 2012) (the theft or loss of use of data on tapes did not constitute damage to tangible property). 61. See Carlon Co. v. DelaGet LLC, 2012 U.S. Dist. LEXIS 70836 (W.D. Wis. May 21, 2012). 62. Id. at *3. 63. Id. 64. Id. at *14–*15. 65. Id. at *14. 66. Id. 67. See Camp’s Grocery, Inc. v. State Farm Fire & Cas. Co., 2016 U.S. Dist. LEXIS 147361 (N.D. Ala. Oct. 25, 2016). 68. Id. at *2. 69. Id. 70. Id. at *1. 71. Id. at *21. 72. Id. 73. 2014 N.Y. Misc. LEXIS 5141 (N.Y. Sup. Ct. Feb. 21, 2014). 74. Id. at *70. 75. Id. 76. Id. 77. Id. Other courts have similarly concluded that a data breach did not amount to advertising injury under the policies at issue in those cases. See, e.g., Santos v. Peerless Ins. Co., 2009 Cal. App. Unpub. LEXIS 3415 (Cal. Ct. App. Apr. 30, 2009) (breach of a company’s network did not constitute an advertising injury because Apple, plaintiff in an underlying suit, “had not alleged that Santos violated Apple’s privacy rights”). 78. 35 F. Supp. 3d 765 (E.D. Va. 2014). 79. Id. at 768. 80. Id. 81. Id. at 770–72. 82. Id. 83. 644 Fed. Appx. 245 (4th Cir. 2016). 84. ISO Policy Forms, Form Number CG 00 01 10 01. That amendment defined electronic data as “information, facts or programs stored as or on, created or used on, or transmitted to or from computer software, including systems and applications software, hard or floppy disks, CD-ROMs, tapes, drives, cells, data processing devices or any other media which are used with electronically controlled equipment.” 85. ISO Policy Forms, Form Number CG 00 01 12 04. 86. ISO Policy Forms, Form Number CG 04 37 12 04 at D.17. 87. ISO Policy Forms, Form Number CG 04 37 12 04. That same year, the ISO also introduced a claims-made coverage for liability due to the loss of data, where computer hardware has not also been damaged. ISO Policy Forms, Form Number CG 00 65 12 04. 88. ISO Comments on CGL Endorsements for Data Breach Liability Exclusions, Ins. J., July 18, 2014, available at http://www.insurancejournal.com/news/east/2014/07/18/332655.htm. 89. No. 2:15-cv-03432 (C.D. Cal. filed May 5, 2015). 90. Id. at ¶ 16. 91. Id. at ¶¶ 17–18. Ultimately, this case was not decided on the merits. A few months later, the U.S. district court judge dismissed the suit to allow the parties to pursue alternative dispute resolution as provided for in the NetProtect360 cyber insurance policy. 92. 103 F. Supp. 3d 1297 (D. Utah 2015). 93. Id. at 1298. 94. Id. at 1299. 95. Id. at 1300. 96. Id. at 1301. 97. Id. at 1302. 98. Id. 99. Id. 100. Id. 101. 2016 U.S. Dist. LEXIS 70749 (D. Ariz. May 31, 2016). 102. Id. at *3. 103. Id.. 104. Id. at *4. 105. Id.. 106. Id. at *6. 108. Id. at *5–*7. 109. Id. at *1. 110. Id. at *11–*23. 111. Id. at *14–*15, *24–*25. 112. No. 2:15-cv-03432. 113. Id. at ¶¶ 17–18.