Failure to prevent a data breach is not likely to be covered by a traditional CGL insurance policy.

In the high-tech era we live in, creating, storing and using data is commonplace.  The sheer quantity and scope of data have made protecting that data of paramount importance.  Yet, every day we hear about another data breach, leading to the disclosure of the personal information of millions. But what if the data breach came from your business, and you suddenly find yourself the recipient of thousands of claims or lawsuits due to the breach? Are you covered by traditional commercial general liability (CGL) policies? The answer should concern you, because you are probably not covered.

Now keep in mind, I am writing about traditional CGL policies – you can purchase specialized cyber coverage or endorsements to provide coverage specific to data security, so if you have obtained such specialized cyber coverage, this blog may not apply to you.  But, if you have a basic CGL policy for your business, you may want to pay attention.  Let’s start with the basics. For liability coverage to apply under an insurance policy there must first be either an “occurrence” or “personal and advertising injury.” Most policies define “occurrence” as bodily injury or property damage caused by an accident, or words to that effect.  Quite simply, failure to prevent a data breach is not an “occurrence” under this definition.

Most CGL policies define bodily injury as “physical injury, sickness, or disease to a person.”  Data breaches do not typically result in such injuries. As for “property damage”, a common definition is “physical injury to tangible property, including all resulting loss of use of that property” or “[l]oss of use of tangible property that is not physically injured or destroyed, provided such loss of use is caused by physical injury to or destruction of other tangible property.”  Again, not the type of injury normally associated with a data breach, especially with most CGL policies specifically stating that “electronic data is not tangible property.” Courts routinely uphold such unambiguous provisions. In addition, many courts hold that purely economic losses are not included in the definition of “property damage.” So, with no bodily injury or property damage, the chances of a data breach claim triggering the insuring agreement of your CGL are slim to none.

But what about “personal and advertising injury”? It is true the insuring agreement in most CGL policies can also be triggered if a “personal and advertising injury” has been caused by an offense.  However, “personal and advertising injury” is specifically defined under most CGL policies, with only the listed items falling within that coverage – almost like a “named peril” policy.  Most of the listed events are inapplicable to a data breach (e.g., false arrest, detention or imprisonment; malicious prosecution; wrongful eviction; copyright infringement).  But there are two listed items under “personal and advertising injury” that some argue provide coverage for data breaches:  (1) oral or written publication, in any manner, of material that slanders or libels a person or organization or disparages a person’s or organization’s goods, products or services; and (2) oral or written publication, in any manner, of material that violates a person’s right of privacy.

Unfortunately, based on how most courts define “publication” (typically requiring communication to the public or the like by the insured), these parts of a CGL insuring agreement are also not triggered by most data breach allegations. You really don’t have a communication to the public in most data breach situations, and you certainly don’t have such communication being made by the insured. It is usually through the criminal act of a third party that the data breach is carried out and the data then disseminated.

Which brings me to the final point – even if a data breach claim does trigger the insuring agreement of a CGL policy, there are numerous exclusions that would likely apply to still preclude coverage (such as the criminal acts exclusion, and others). So, if you handle the data of others, you may want to check your coverage to be sure it encompasses data breaches.