Get updates by email

Select Specific Blog Updates

Paul Zimmerman

Photo of M&R Blog

Karel Noppe ©

Cyber Liability Insurance: Protection Worth the Search

New risks present themselves before insurance policies exist to cover them.  When a risk materializes, insureds want their insurers to cover them under familiar existing insurance policies, while insurers resist on the ground that they never intended their policies to cover the new risk.  The insurers draft exclusions, and new risk-specific policies become available.  While these processes are unfolding, insurers, insureds, and third party claimants must live with considerable uncertainty.

A case in point is cyber liability insurance. The news is full of stories of hackers invading business’ computers and stealing customers’ confidential data.  When these invasions occur, the victimized businesses face liability from customers for disclosure of private information.  The businesses then seek defense and indemnity from their insurers for the customers’ claims and/or lawsuits.

One major issue is whether customers’ suits against businesses for disclosure of private cyber information are covered under standard commercial general liability (CGL) insurance policies.  Virtually all businesses have CGL policies, and virtually all CGL policies include a variant of “personal injury” liability coverage.  This category almost always includes coverage for the insured’s invasion of a third party’s privacy rights.  Some businesses have attempted to obtain coverage for cyber liability under this invasion-of-privacy prong.  At this time, the question of whether a CGL’s invasion-of-privacy coverage extends to cyber liability is unsettled.

In a recent New York case, Sony Corporation sued two insurers after hackers invaded Sony’s PlayStation Network and obtained customers’ confidential information, causing customers to sue Sony.  Sony sought defense and indemnity under its CGL policy for the suit.  Sony argued the policy should cover the suit because the policy language stated it provided coverage for invasion of privacy resulting “publication” of private information “in any manner” – even though the hackers – not Sony – were responsible for the “publication.”  The insurers argued that a requirement for coverage is that the “publication” must have been by the insured (Sony), and that “in any manner” referred to the mode of publication rather than the identity of the publisher.  The lower court agreed with the insurers, and Sony appealed.

Insurers and businesses were eagerly awaiting the outcome of the appeal – as it would have provided guidance to both.  Fortunately for the parties, and unfortunately for insurers and businesses, Sony settled with its insurers before any appellate decision was issued.

Meanwhile, two parallel developments are in progress.  First, CGL insurers are adding cyber liability exclusions to their policies.  Second, several insurers are developing and offering specialized cyber liability policies.

While the good news for businesses is that coverage for cyber liability is likely to be available even if it is not covered by CGL policies, the bad news is that cyber liability polices are relatively new insurance products – which means that the cyber liability policies available today are not standardized:  Different insurers use different words and phrases to describe the same risk; different policies cover different risks; and these factors make comparison shopping for cyber insurance policies difficult.  Additionally, while courts throughout the country have repeatedly and thoroughly interpreted many terms within CGL policies so that insurers and insureds have considerable guidance as to the meanings of construed terms, the wordings of cyber liability policies are so new that they have not yet worked their way through the courts.  Thus, there is a high degree of uncertainty as to the scope of coverage under these new policies.

Still, it is encouraging that multiple insurers are making cyber liability coverage available as the need for this coverage is obvious.

In summary, insurers and businesses will have to wait for any significant degree of predictability in the cyber liability insurance market.  In the interim, businesses can take the following steps to intelligently navigate this unknown territory:

  • The business should review its CGL policy to determine whether it currently includes an exclusion for cyber liability. 
  • If the business’ current policy does not contain a cyber liability exclusion, the business should specifically inquire whether such an exclusion will be included when the policy is renewed.  Also, the business can inquire if cyber liability coverage can be added to the CGL pursuant to an endorsement.
  • If no cyber liability coverage is available under the business’ CGL policy, the business should seriously consider purchasing a stand-alone cyber liability policy.  A knowledgeable commercial insurance broker can assist the business in determining the types of policies available to meet the business’ specific needs.
  • The business should not go without cyber insurance – as the risk of hackers will continue to increase.

This article is not offered as, and should not be relied on as, legal advice. You should consult an attorney for advice in specific situations.