Breach Coverage Proves Tricky

If there is a lesson to be learned from Zurich's litigation over data breach claims submitted by Sony earlier this year it is this: If you think you have coverage for data breaches under your commercial general liability policy, think again.

By Patricia Vowinkel

Insurers are moving quickly to tighten policy language and add new exclusions to make it as clear as possible that privacy and data breaches and other cyber crimes are not covered under a commercial general liability policy.

Zurich took its case to court, filing suit against Sony this summer claiming that it was not obligated to indemnify or defend Sony for claims arising from the hacking of its PlayStation Network earlier this year.

Avoid a Legal Black Hole (04/12/13)
Technological Obsolescence (05/01/13)
Part 3: Big Data Masters (04/12/13)
Defending Your Networks (04/12/13)
Excess and Surplus At the Ready (04/12/13)

That hacking incident resulted in the theft of personal identification and financial information of millions of customers, and Sony is now facing extensive litigation and defense costs.

The problem with the Sony claim was that it was filed under a commercial general liability policy, which is good for things like slips and falls, but not so much for computer security and privacy risks.

A good lawyer, of course, may be able to find loopholes or deconstruct poorly worded language in a commercial general liability policy and win coverage for the insured.

From an insured's perspective, policy language can vary greatly from one insurer to another and courts sometimes find in favor of insureds. And so it often makes sense to file claims under commercial general liability or any policy that could possibly provide coverage. But it is an increasingly perilous gambit.

A commercial general liability policy will provide coverage for liabilities arising from bodily injury, property damage or advertising injury. But those categories don't really apply to privacy breaches, hacking and network security intrusions, so businesses that buy nothing more than a commercial general liability policy for computer security risks put themselves at risk.

Does this mean businesses like Sony and others are stuck with no insurance alternatives? No.

Insurers may be excluding computer security risks from their commercial general liability policies, but they have created other policies that allow them to define and price these risks separately.

These network security or information risk policies are now widely available in the insurance market. There are some 29 sources of insurance that make up the core of the cyber risk insurance market, according to a June 2011 Cyber/Privacy/Media Liability Survey from The Betterley Report. That's up from 19 sources in last year's survey.

The market is broadening, according to the report, as small to midsized companies become aware of the possibilities of liability, and especially of a breach and resulting response costs.

Rates for cyber risk insurance, meanwhile, have been showing signs of softness with some of the smaller carriers reporting plans to reduce rates on the order of 5 percent to 10 percent, while the larger carriers indicated that rates will stay flat or perhaps go down about 5 percent.

The bottom line is that a commercial general liability policy is good for what it is designed to do, but that's not data breaches and network security.

One more thing: If you think you have a cyber risk or network security policy, check again. In an informal study conducted last year by Rick S. Betterley, who publishes The Betterley Report, 40 percent of middle market executives thought they had a cyber policy, but on closer examination learned they didn't.

PATRICIA VOWINKEL has worked for national media outlets for more than 20 years.

October 15, 2011

Newsletter Sign-up