Travis Wall’s article Cyberattacks Push Companies to Specialty Insurance Policies says the window is closing for obtaining coverage for cyber attacks under traditional policies.
The article, published in The Recorder on May 23 says as insures refine coverage defenses and expand exclusions for cyber events, business will have to turn to specialty cyber policies for protection against data theft or loss.
Commercial general liability (CGL) policies have two basic coverage types. Coverage A addresses "property damage" and "bodily injury." Coverage B applies to "personal injury" offenses, such as publications that invade rights of privacy. Because data breaches typically do not involve property damage or bodily injury, policyholders rely primarily on the personal injury prong.
Among other requirements, personal injury coverage applies only to claims arising from a "publication" of information. Data theft through hacking does not appear to involve a "publication" as that term is commonly understood.
Courts will not presume a publication simply because a data loss occurred. In a recent case, tapes containing confidential employee information fell out of a delivery truck. An unknown person then retrieved them but there was no evidence that employee information was publicly disclosed or improperly used.
A Connecticut appellate court rejected the argument that the data loss, in and of itself, constituted a "publication." The mere potential for disclosure was not enough—there had to be evidence that confidential information on the tapes was actually published. See Recall Total Information Management Inc. v. Federal Ins. Co., 147 Conn. App. 450 (2014).
Read the full article at The Recorder.
Read more on this topic, please visit The Recorder (subscription required).