In two recent cases, certain contours of the cyber insurance industry were refined. In the first case, a court found that the existence of a common law right of privacy thwarted an argument by an insurance company that it was relieved of payment on a claim by a corporate data breach victim. In the second case, an insurance company decided to drop an action against a different corporate data breach victim (Schnucks) and instead work with them.
In order to discuss these cases, let’s go back to the early 2000’s when cyber insurance became a very popular topic. Cyber insurance policies in those days covered some basic scenarios, but also contained numerous carve outs. In many cases, those carve outs resulted in the insurance company not having to pay on certain claims. This led, in part, to a period when cyber insurance was still available but its popularity had waned.
We now have two very interesting cases to discuss. The first case stemmed from a data breach involving medical records of almost 20,000 patients that were posted on a public website for at least one year. The records were alleged to have been posted by a job applicant who received them from a health IT contractor as part of an employment test. The health IT contractor had been contracted by a hospital who supplied the records to the health IT contractor. Plaintiffs sued the hospital and the health IT contractor, claiming violation of common law and constitutional rights, along with statutory violations under California’s Confidentiality of Medical Information Act (CMIA).
The Hartford Casualty Insurance Company then brought a declaratory judgment action asking the California state courts to find that the Hartford had no obligation under the hospital’s commercial general liability (GL). The insurer took the position that the damages fell within an exclusion in the policy that stated “[t]his insurance policy does not apply to…[injury] arising out of the violation of a person’s right to privacy created by any state or federal act.” That exclusion, however, was followed by the statement that “this exclusion does not apply to liability for damages that the insured would have in absence of such state or federal act.”
The court ultimately found that a common law right of privacy existed long before the CMIA statutory privacy framework that has been created in California. As a result, the court dismissed the Hartford’s declaratory judgment action.
In a second case, an insurer had brought a declaratory judgment action against Schnuck Markets, Inc., which faces lawsuits related to compromised credit cards that were traced to almost 80 of its 100 stores. In its complaint, Liberty Mutual raised the argument that the damages suffered by Schnuck Markets were not covered by the insurance policy that Schnuck Markets had with Liberty Mutual. In particular, Liberty Mutual said the policy at issue would cover physical damage suffered by Schnuck Markets, not the alleged damages arising from the data breach. Liberty Mutual specifically stated that “there is no allegation of ‘bodily injury’ or ‘property damage’ in the [lawsuits against Schnuck Markets].” They also made some other interesting assertions, including that coverage wouldn’t apply “at least to the extent that the claims are for Schnuck Markets’ delay in reporting the breach” or that “the damages were not because of oral or written publication of material.” Surprisingly, just a few weeks after filing its action, Liberty Mutual voluntarily dismissed its suit deciding instead to work with Schnuck Markets to settle any insurance claims.
Although these are only two data points, they do raise a couple of interesting issues. First, companies should read their GL policies very closely if they have any concerns about coverage for data breaches or other cyber claims. Second, they may want to consider separate cyber insurance or cyber riders to their existing policies. In those situations, though, the provisions of any cyber coverage should be read very closely (including by appropriate cyber/technical resources).
