By JOSEPH D. JEAN, counsel in Dickstein Shapiro's Insurance Coverage Practice; SCOTT GODES, counsel in the practice and co-head of the firm's Cyber Security Insurance Coverage Initiative; and RACHEL WRIGHTSON, an associate with the practice in the firm's New York office
As computer technology rapidly advances, legislatures often cannot enact laws quickly enough to respond to new cybersecurity risks. Enterprising lawyers, however, have turned to old legal doctrines for relief. The doctrine of "trespass to chattels," for example, is an antiquated term that once was buried in the dusty pages of old law dictionaries. But lawyers who handle cybersecurity issues, including allegations of spam, viruses, worms, unauthorized access, and more, have revived the doctrine as a means of redress. For companies facing potential liabilities based on such allegations, the availability of insurance coverage is critical to navigate the nuances of the ever-changing landscape.
What is "trespass to chattels"? It is an old legal doctrine that protects against harm to property other than a parcel of land or other "real property." Generally, trespass to chattel punishes one who substantially interferes with the use of another's personal property, or chattel. Since the 1990s, lawyers and courts have recognized this antiquated doctrine in the context of cybersecurity, network, and computer-related claims. Courts that imported this doctrine into the digital world reason that computers, networks, and proprietary servers constitute property, the interference with which can support a trespass claim.
The doctrine of trespass to chattels gained wide recognition during the anti-spam wars in the 1990s, when companies such as America Online, CompuServe, and others used the doctrine to try to hold companies and individuals liable for damages arising out of alleged spamming activities. But the use of trespass to chattels expanded beyond alleged spammers; class actions were brought against one online services provider alleging that the company's activities and software consisted of a trespass to chattels because they harmed users' computers.
Many states currently recognize the tort, and it has been used with increasing regularity in the cybersecurity area. Companies typically face such claims when claimants allege that companies installed spyware, advertisements, viruses, or other malware onto their computers. The doctrine also has been used to support phishing and spamming claims. Other cases have used the doctrine in support of damages resulting from "screen scraping" information from a Web site by means of a search robot. Enterprising plaintiff lawyers may also begin to use the tort to support even more creative class actions against companies. For example, Internet and online service providers might start to face such claims in relation to provision or alleged disruption of Internet access.
COVERAGE FOR TRESPASS CLAIMS
Although designed to cover a wide range of risks that could befall a business, many standard form "traditional" insurance policies do not explicitly mention cybersecurity or claims arising out of online activity. But look closely, because coverage can still be available. For example, commercial general liability (CGL) insurance policies, the basic insurance policies bought by thousands of companies every year, provide, in standard form, two basic coverages relevant to this question: coverage for liability arising out of "property damage" and coverage for liability arising out of "personal and advertising injury." Both coverages might apply to potential liability for a trespass to chattels claim.
Critically, insurance companies write a "duty to defend" into their standard form CGL policies, thereby obligating insurance companies to defend the policyholder against class actions and other claims. The duty to defend extends even to claims that contain allegations that are groundless, false, or fraudulent, and so CGL policies provide extremely valuable protection, even to have meritless claims dismissed, as defense costs always are incurred.
Is trespass to chattel "property damage"? The first coverage found in standard-form CGL policies is for damages due to "property damage," with property damage often defined to include physical damage to tangible property or loss of use of tangible property. When a company is sued for allegedly committing a trespass to chattels in the cybersecurity realm, that potential liability may be construed as arising out of property damage under a CGL policy.
In the late 1990s and early 2000s, the question of whether damage to software and data could be considered physical damage to tangible property, or loss of use of tangible property, was hotly contested in courts around the United States. Some courts held that damage to software and data, as a cybersecurity-based trespass to chattels claim must allege, was physical damage to tangible property.
But other courts--perhaps unwilling to recognize that when an old tort doctrine was applied to today's facts, insurance should be interpreted to follow the potential liability--held that damage to and loss of use of customers' data and software were not covered under a CGL policy because there was no damage to "tangible property." The latter seemed to ignore that a trespass to chattels claim requires physical damage to tangible property to succeed. Because CGL policies are designed to follow the liability against which they were sold to insure, courts should find that such claims meet the requirements of property damage under CGL policies.
The insurance industry has since taken steps to change policy language, and certain policy forms now incorporate language addressing whether data, software, and other electronic information are or are not "tangible property."Insurers are likely to argue that such language would preclude coverage for a claim of trespass to chattels based on damage to software and data. Nonetheless, CGL policies may still treat data losses as within property damage.
The Insurance Services Office, which drafts standard-form CGL policies, created two "Electronic Data Liability" endorsements that incorporate language covering loss of electronic data, including loss resulting from an "electronic incident," but they may not be available to policyholders who provide certain types of computer-related products or services. Thus, when facing a claim based upon online or electronic activity, policyholders should carefully review their policy language and applicable state law.
What is more, because insurers' obligations to policyholders are generally determined by the facts alleged in a claim--and not merely the labels applied to them--if the facts of the underlying activity constitute a trespass to chattel, then an insurer's defense obligations can be triggered even if the lawsuit at issue does not seek damages specifically for a trespass to chattel claim.
Of course, if a complaint alleges that there is damage to or loss of use of computer hardware, such as a hard drive, server, or other component, in addition to software and data, there should be no question that property damage is alleged for purposes of a CGL policy. If a complaint includes allegations that unquestionably consist of property damage, under many states' laws, the insurance company will be obligated to defend the entire claim, even if there are other claims that the insurance company argues are not covered.
Is trespass to chattel "personal and advertising injury"? In addition to coverage for property damage, CGL policies also provide coverage for "personal and advertising injury," which often is defined to include coverage for claims that allege invasion of privacy. Depending upon the facts alleged in a complaint, a company's CGL policy may provide coverage under this section.
For example, a complaint might assert an electronic encroachment onto private property such as a personal computer, network, or server by way of a virus, spyware, worm, spam, or other electronic interference. If the action allegedly viewed or stole personal data, that could be considered an invasion of privacy, in addition to an electronic trespass to chattels. Some courts have found that the invasion of privacy need not be divulged to a third party for purposes of obtaining coverage, thereby making personal and advertising injury coverage applicable to a trespass to chattels claim. Additionally, even if a complaint asserts only a trespass to chattel claim, the underlying facts might develop to constitute invasion of privacy, and such facts may require the insurance company to provide coverage, notwithstanding a denial of the duty to defend.
Looking beyond "traditional" insurance policies, which were originally designed to cover all risks of a business (with a handful of exceptions), policyholders should be aware that insurers continue to introduce new, specialized products for cybersecurity risks. These new policies are typically marketed as including data compromise, cyber liability, network risk, and/or computer data coverage.
The Insurance Services Office, which designs and seeks regulatory approval for many insurance policy forms and language, has a standard form called the "Internet Liability and Network Protection Policy," and insurance companies may base their coverages on this basic insuring agreement, or they may provide their own company-worded policy form.
Cybersecurity and data breach policies--certain forms of which may be known as network risk, cyberliability, privacy and security, or media liability insurance--are relatively new to the market and are ever-evolving. An experienced broker may be able to advise what coverages are available. Just as significant, an attorney with experience counseling policyholders about insurance coverage may be able to advise on the potential strengths and weaknesses of various available policy terms, including whether proposed terms might cover allegations of trespass to chattels.
November 1, 2009
Copyright 2009© LRP Publications