Thanks to Amy Spencer at Blank Rome LLP for allowing me to republish her informative 2-part series here.
In Part I of this two-part series, I identified first-party and third-party insurance claims that could result from a cyber event or attack on the Smart Grid. In this part, I examine how insurance policy language governs resolution of these claims and how to minimize gaps in coverage.
Examine Your Insurance Policies
Traditionally, third-party losses are covered by a company’s commercial general liability (“CGL”) policy. To qualify for coverage under a CGL policy, the policyholder typically must be confronted with a claim for “bodily injury” to another person or “physical injury to tangible property” (collectively known as “Coverage A”), or with a claim for “personal and advertising injury” (injury arising out of certain enumerated offenses such as malicious prosecution or invasion of privacy) (“Coverage B”). Various disputes have arisen as to whether cyber-related losses fit within these coverages. For example, some courts have found cyber-related losses to constitute loss of use of tangible property under Coverage A. See, e.g., Eyeblaster, Inc. v. Federal Ins. Co., 613 F.3d 797 (8th Cir. 2010) (general liability insurance policy provided coverage to insured internet advertising business for lawsuit brought by third-party computer user, who alleged that his computer became inoperable after he visited insured’s website).
In addition, coverage may exist for “personal injury” damages under Coverage B because a release of personal information constitutes an “invasion of privacy.” See, e.g., Travelers Indem. Co. of America v. Portal Healthcare Solutions, L.L.C., 644 F. App’x 245 (4th Cir. 2016) (complaint alleged publication on the internet of private medical information potentially covered by insurance policies).
However, the standard CGL policy form has been revised several times in response to the evolving case law. Initially, in 2001, the definition of covered “property damage” was revised to state that “electronic data is not tangible property.” See ISO Properties, Inc., CG 00 01 10 01 at 15. In 2004, an “Electronic Data” exclusion was added to exclude “[d]amages arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.” See ISO Properties, Inc., CG 00 01 12 04 at 5 (Exclusion P). Thus, even though policyholders typically would look to their CGL policies for coverage for bodily injury or property damage from a cyber breach, it is possible that insurers will assert that the policies expressly exclude cyber-related losses.
In 2013, the standard CGL policy was again amended to preserve coverage for “bodily injury” notwithstanding the Electronic Data exclusion. The amended exclusion expressly provided that “this exclusion does not apply to liability for damages because of ‘bodily injury.’” See ISO Properties, Inc. CG 00 01 04 13 at 5. However, in 2014, two standard endorsements were issued, one with a “limited bodily injury exception” and one with that exception “not included,” thus allowing insurers to again choose to delete coverage for bodily injury. The new endorsements also allow insurers to exclude from coverage damages arising out of “any access to or disclosure of any person’s or organization’s confidential personal information….” See ISO Properties, Inc., CG 21 07 06 05 14; CG 21 07 05 14. A separate exclusionary endorsement that would apply to Coverage B was also made available. See ISO Properties, Inc., CG 21 08 05 14.
In sum, the variation among CGL policies requires close examination as to whether the policy preserves coverage for damages from cyber events. If a utility or Smart Grid company’s policies lack the necessary coverage, it can look to purchase cyber liability insurance. On its face, cyber insurance is intended to dovetail with and fill gaps in coverage for loss of electronic data left by CGL and first-party property policies. Unlike the standard CGL, cyber insurance policies are not uniformly worded and a number of insurers in the marketplace use their own forms.
However, because issuers of cyber insurance policies presume that CGL policies will step in to provide general coverage for “bodily injury” and “property damage,” cyber insurers often include express exclusions for these losses. With multiple insurers pointing the finger at one another to be responsible for coverage, companies should not buy insurance policies off-the-shelf and should seek to negotiate coverage for both physical and non-physical injuries. The insurance industry has developed cyber “difference-in-conditions” (“DIC”) coverage to cover bodily injury and property damage losses resulting from cyber events or attacks.
The case of P.F. Chang’s China Bistro, Inc. v. Federal Insurance Co., No. CV-15-01322-PHX-SMM, 2016 WL 3055111 (D. Ariz. May 31, 2016), illustrates the risk of buying off-the-shelf with the intent to obtain a “full breadth” of coverage. The restaurant chain P.F. Chang’s purchased a cybersecurity insurance policy from Federal Insurance Company, marketed as “a flexible insurance solution designed by cyber risk experts to address the full breadth of risks associated with doing business in today’s technology world” that covered “direct loss, legal liability, and consequential loss resulting from cyber security breaches.” As is typical for merchants, P.F. Chang’s had a contract with a third-party servicer to process its credit card transactions, which in turn contracted with MasterCard. P.F. Chang’s suffered a data breach in 2014 when computer hackers obtained and posted on the internet approximately 60,000 credit card numbers belonging to P.F. Chang’s customers. As a result, MasterCard incurred fees and passed them on to the servicer per their agreement, who passed them on to P.F. Chang’s per the agreement between P.F. Chang’s and the servicer. P.F. Chang’s sought reimbursement from Federal Insurance Company. However, the court held that Federal properly denied coverage on the basis of policy exclusions “for contractual obligations an insured assumes with a third-party.” Even though a merchant like P.F. Chang’s may have had a “reasonable expectation” that its insurance company would cover its higher risk for data breach with resulting fees owed to third parties, the court could find nothing in the record to suggest that P.F. Chang’s sought to ensure coverage for such fees. The court found that “Chang’s and Federal are both sophisticated parties well versed in negotiating contractual claims, leading the Court to believe that they included in the Policy the terms they intended.”
At a minimum, companies involved in the Smart Grid industry should review policy terms with the help of a professional, under their cyber, CGL, first-party property, and any other potentially applicable lines of coverage such as directors and officers insurance and errors and omissions insurance. Smart Grid companies should understand their risks by surveying and analyzing the cybersecurity measures in their technology, and seek to negotiate coverage gaps. With variation among policy coverages and the court decisions interpreting those coverages, Smart Grid companies can expect disputes to arise. Nevertheless, advance measures and planning can help to minimize disruption and ensure insurance claims are fully paid.