Information To Protect What You Grow

Businesses Argue Cyber Coverage Under CGL Advertising Injury

Written by Jeffrey Forbes | Mar 15, 2018 1:00:00 PM

Whether to purchase cyber risk insurance remains a big question for many companies.  Recent studies have shown that only a quarter of U.S. companies currently have cyber risk insurance despite more than half of companies stating they expect to suffer a breach within the next year.  These positions seem inapposite, but they appear to stem from doubts about the effectiveness and the extent of cyber coverage given its price.

All Cyber Coverage Is Not The Same

Cyber risk insurance has not yet become standardized, meaning that key differences exist between policies offered by different companies.  Determining whether a specific breach may qualify as a covered loss involves a dense reading of the policy combined with a number of longstanding legal principles.  Few legal cases exist examining these policies, creating even greater uncertainty in this field. In this context, hesitating to purchase cyber risk insurance can seem to make sense

Just Because There Is Doubt, You Shouldn't Skip Cyber Insurance

On the other hand, failure to purchase cyber insurance can create similar problems.  An increasing number of lawsuits involve insureds seeking coverage for data breaches under their commercial general liability policies.  The insureds involved in this litigation are facing multimillion dollar judgments stemming from cyber breaches yet lack cyber coverage to protect them from the lawsuits. 

There Is No One-Size-Fits-All Solution

Commercial general liability policies cover losses resulting from personal or advertising injury as a result of material published by the insured.  Advertising injury is generally defined as involving the violation of copyrights or trademarks, the violation of privacy rights, or defamation.  When a policyholder allegedly commits one of those violations by means of a covered act, they can seek both defense and indemnity under their CGL policy.  Businesses facing lawsuits for data breaches that exposed the personally identifiable information of others have sought protection under the advertising injury section of their commercial general liability policies.  The argument stems from the fact that the alleged injuries giving rise to the lawsuit occur as a result of a violation of privacy rights by the insured.  

Courts Even Disagree On The Definitions Of Cyber Breaches

To date, these cases have met with mixed success.  Courts in Florida, New York and Connecticut have denied lawsuits attempting to make this argument, while a different court in New York had made a finding that the CGL policy could cover a cyber breach as an “advertising injury.”  These decisions often focus on determining to what extent the insured was involved in the publication of the personally identifiable information.  Where an insured suffered a data breach that involved the simple theft of information, courts have generally held this did not constitute publication, and therefore commercial general liability policies offered no coverage for the insured from the pending lawsuit.  Cases finding differently have normally involved situations where insured have accidentally posted personally identifiable information on websites or in emails, which courts have found satisfy the publication requirement.

Companies Could Be Forced Out Of Business Due To The Uncertain Nature  Of Advertising Injury

The uncertain nature of relying on advertising injury as a form of cyber insurance should caution businesses strongly against it.  At best, this argument will only work in a small number of data breach lawsuits.  More importantly, though, true cyber risk insurance can cover not just these types of breaches, but a host of other potential cyber losses such as data loss.  Charlie E. Bernier Principal Consultant and Cyber Insurance Expert at ECBM says, "Cyber risk insurance also normally covers far more than just the defense and indemnity against a lawsuit stemming from a breach; it can, depending on the policy to forensic investigation costs, the costs of complying with state notification requirements, and the costs of damage or loss of intangible assets."

And It's Not Going To Be A Quick Resolution

Charlie warns "The risks companies face as a result of cyber matters will only increase in the coming years."  Cyber risk insurance, for all of the legitimate businesses express concerning it, will quickly become as necessary for sound business operations as auto insurance is for trucking companies.  Companies, working with an experienced broker, can still use the growing thirst for cyber risk within insurance companies and the differences in the coverages they offer to find a policy that works for them at the right price.