By Scott N. Godes Esq., John A. Gibbons Esq., David L. Elkind Esq.
You may have heard the news about the Epsilon data breach. In light of the event, we wrote an alert for our firm and the insurance coverage practice regarding insurance coverage for data breaches and what companies should consider in the context of insurance coverage for data breaches in general and for the Epsilon data breach in particular. Here’s the alert:
Recent high profile data breaches highlight the importance of insurance coverage for such an event. The resulting costs may be staggering. A company’s insurance policies may provide protection for related losses and costs. Coverage may be available to pay for investigations, crisis management, and defense costs that will immediately impact a company facing a data breach. A recent and notable example brings this issue front and center: on March 30, email and marketing communications company Epsilon detected what has been reported as “a massive data breach that leaked customer names and e-mail addresses.” (Hayley Tsukayama, The Circuit: Massive Data Leak Exposes Customer Information, Calif. Do-Not-Track Bill, Verizon 911 Calls, WashingtonPost.com (April 4, 2011) http://www.washingtonpost.com/blogs/post-tech/post/the-circuit-massive-data-leak-exposes-customer-information-calif-do-not-track-bill-verizon-911calls/2011/03/08/AFwB66aC_blog.html
The affected companies include a litany of well-known consumer goods and services companies. Tsukayama, The Circuit: Massive Data Leak Exposes Customer Information, Calif. Do-Not-Track Bill, Verizon 911 Calls. Those companies sent out “warn[ings] over the weekend that hackers gained access to customers’ files, including e-mail addresses.” (Associated Press, Consumer E-mail Addresses Breached, (April 4, 2011) http://www.washingtonpost.com/business/consumer-e-mail-addressesbreached/2011/04/03/AFX6i8ZC_story.html
Epsilon, a company that reportedly sends out 40 billion e-mails per year on behalf of 2,500 separate corporate clients (John D. Sutter, As Scope Of E-Mail Hack Grows, Should You Be Worried? CNN.com (April 4, 2011), http://articles.cnn.com/2011-04-04/tech/epsilon.stolen.emails_1_fake-e-mail-phishing-security-breach?_s=PM:TECH), reportedly “issued a brief statement Friday [April 1] saying ‘a full investigation was under way’ of the breach of some customer client data.” (Associated Press, Consumer E-mail Addresses Breached.) Some of the companies whose customers were affected reportedly “were warning customers to avoid responding to any suspicious emails asking for personal, financial or other sensitive information.” (Data Breach At Email Marketing Service Company Affects Several Companies, WFSB.com (April 2, 2011) http://www.wfsb.com/news/27411416/detail.html)
Companies faced with data breaches need to address the breach, put customers on notice, and work with regulators to resolve the incident. Perhaps even more important is for companies to make sure that their insurance companies cover the losses.
In terms of insurance coverage for a data breach, there are strong arguments for insurance coverage across a policyholder’s insurance portfolio. The first place to determine whether there may be coverage for a data breach is with a media or cyber liability policy. As those policies offer varying coverage from insurance company to insurance company, and from form to form, a careful review and analysis of the insurance provided by the policy is essential to ensure coverage.
There may also be overlapping or independent coverage for a data breach in other insurance policies, such as a Commercial General Liability (CGL) policy or Business Owners Policy (BOP). CGL and BOP insurance policies typically provide coverage for “personal and advertising injury” claims, and those provisions typically provide coverage for the publication, in any manner, of material violating a right of privacy. That is what a data breach involves: the publication of information that was supposed to remain private, and such claims should be covered by personal and advertising injury. Recent court decisions have found that when there is publication of private information, even to one person, the “personal and advertising injury” coverage in a standard form CGL insurance policy applies.
Keep in mind that even if the claims against a company are groundless, false, or fraudulent, an insurance company nonetheless has to defend the claim if even one portion of the complaint could be covered. At a minimum, a CGL or BOP insurance policy with personal and advertising injury coverage should provide a defense for the claims, even if just one allegation is covered out of an entire claim against a company that suffered a data breach.
Other insurance policies, beyond CGL and BOP, may provide coverage for a data breach. For example, one federal court recently found coverage for a data breach under a commercial crime policy. Another court was considering the same kind of coverage, until the insurance company settled when it was ordered to produce discovery from its claims files and more. In addition to those types of insurance policies, coverage may be available elsewhere, such as first-party insurance policies, Errors & Omissions insurance policies, or others, either by endorsement or within the basic insuring agreement of the insurance policies. A careful analysis of all of the insurance policies in place for a company that suffered a data breach is critical so that all avenues for coverage may be considered.
Dickstein Shapiro has a team of experienced insurance coverage attorneys available to pursue coverage for data breach claims, including:
• Scott N. Godes is co-leader of the firm’s Cyber Security Insurance Coverage Initiative and a co-chair of the American Bar Association’s Computer Technology Subcommittee of the Insurance Coverage Litigation Committee of the Section of Litigation. Mr. Godes recently wrote a chapter in the New Appleman’s treatise on insurance coverage for cybersecurity, data breaches, and intellectual property claims. Scott is a regular speaker on coverage for data breaches and cybersecurity incidents and is frequently called upon to offer the policyholder counsel perspective on the availability of coverage.
• John A. Gibbons is a partner in the firm’s Insurance Coverage Practice and leader of the Anticompetitive Practices Insurance Coverage Initiative. Mr. Gibbons focuses exclusively on representing corporate policyholders in insurance coverage disputes, and enforcing those policyholders’ rights to insurance recoveries. He has resolved insurance coverage disputes favorably for clients through settlements, and, when necessary, through litigation and trial.
• David L. Elkind is a partner in the firm’s Insurance Coverage Practice and co-leader of the Products/Contaminants Insurance Coverage Initiative and leader of the Environmental Insurance Coverage Initiative. He has successfully represented a wide variety of clients seeking to obtain insurance coverage from their insurance companies. Mr. Elkind has directed major litigation and settlement efforts in matters involving numerous significant insurance coverage claims during his 23 year career. He has counseled numerous clients concerning strategies for maximizing their insurance coverage, and also has lectured before various groups regarding insurance coverage issues.
Disclaimer: This article is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only the individual contributor(s). © All rights reserved. 2011.