Policyholders currently face what may be the toughest cyber insurance market ever. For many, requirements have tightened, premium increases have been astronomical, and obtaining the same quality of protection for cyber incidents has become more difficult—even for those organizations that have strong safeguards in place.
Despite these conditions, not all is doom and gloom for cyber insurance buyers. Over the past year, court decisions have been largely favorable to policyholders pursuing cyber claims under insurance products that are not cyber-specific. These successes highlight the fact that insurance coverage may be found across product lines in the wake of a multi-faceted cyber loss. Risk professionals should consider the following six lessons on cyber insurance recovery from recent legal cases:
1. The “silent cyber” narrative that coverage can be negated in the absence of a dedicated cyber policy must be taken with a grain of salt.
A slew of commercial insurance policies may provide significant coverage for policyholder losses or claims, including D&O, E&O, general liability/CGL, crime, and property. For example, in the recent Indiana Supreme Court decision in G&G Oil Co. of Indiana, Inc. v. Continental Western Insurance Co., the fact that the policyholder had refrained from purchasing a specific cyber coverage endorsement did not negate coverage under commercial crime insurance for a cyber loss resulting from a ransomware attack.
The Indiana Supreme Court rejected the argument that a crime coverage insuring agreement could not cover the policyholder where it had failed to purchase specialized cyber coverage under a business package policy. Instead, the court expressly ruled that coverage had to be determined based upon the actual insuring language as written—not based upon external concepts such as what other insurance options might be sold in the marketplace.
Policyholders should not discount the fact that their crime, property, CGL and other insurance products may cover cyber claims in whole or in part. While dedicated cyber insurance remains a very important product to protect against cyber losses, it is not the only insurance product that can provide coverage. In 2021, the Fifth Circuit further supported this concept, finding coverage for cyber-related claims under D&O insurance. When a cyber incident occurs, it is critical that policyholders make sure to consider notice and claim submission to all relevant insurance policies to help preserve coverage options and maximize potential sources of recovery.
2. Sufficient evidence is essential to support an insurance claim.
In G&G Oil, the Indiana Supreme Court did not grant summary judgment to G&G because it was unable to determine whether the policyholder was ultimately entitled to insurance coverage given the limited evidence presented. Instead, the court sent the case back to the trial court for further factual determinations as to whether the policyholder was tricked into letting the ransomware into its computing environment. For insureds, the remand underscores the importance of securing sufficient technological details surrounding the cyber incident and consequential harm to the policyholder.
Conversely, in the Ohio appellate court decision EMOI Services, LLC v. Owners Ins. Co., the court rejected the insurance company’s motion to dismiss the case on grounds that the policyholder had not demonstrated direct physical loss—that damage to its software was caused by a ransomware attack. The court found that deposition testimony from the policyholder’s software developer and IT manager asserting that the attack damaged the company’s software and data was sufficient to allow the coverage suit to proceed.
For a host of reasons including coverage claim support, the bottom line is that an organization that experiences a cyber incident should secure detailed technological information concerning any attack, including the manner of entry, the systems and data targeted, the resulting harm, the duration of that harm, and any lingering damage caused by the incident. Computer forensic reports are also useful for addressing inquiries from regulators and law enforcement in the wake of security incidents.
3. The frequent insurance company assertion that cyberattacks on computer systems do not entail “physical loss or damage” to “covered property” is not always correct.
The court in the EMOI case rejected, among other arguments, the assertion that covered property only includes “tangible property,” noting that the alleged requirement that the property be “tangible” was nowhere to be found in the property policy language. Indeed, the court rejected efforts to label media and other electronic items as uncovered property, relying in part on a Maryland court’s 2020 decision in National Ink and Stitch v. State Auto Property and Casualty Insurance Co. The EMOI and National Ink courts rejected arguments that property insurance did not cover system damage caused by ransomware attacks when adverse computing issues lingered after attempted decryption of the affected files. The Ohio court concluded that “the policy contemplated that EMOI’s software and reproduction of data was capable of being physically damaged, and [the IT manager] has testified that it was.”
4. Commercial general liability (CGL) insurance may cover liability for alleged violations of privacy resulting from data breaches.
In a July 2021 decision in Landry’s Inc. v. the Insurance Co. of the State of Pennsylvania, the federal Fifth Circuit reversed a trial court ruling and found coverage for Landry’s, a multi-brand restaurant and hospitality company, for liability stemming from a hacker’s theft of payment card information at certain Landry locations.
Landry’s was sued for more than $20 million by its merchant bank, Paymentech, after Visa and Mastercard had assessed damages against Paymentech for payment card fraud charges and replacement expenses stemming from the Landry’s theft. The policyholder asserted that it was expressly promised CGL coverage for the underlying complaint because Paymentech was seeking damages arising out of the “oral or written publication…of material that violates a person’s right of privacy,” to quote the policy.
The insurance company denied that the theft constituted “publication.” In finding coverage, the Fifth Circuit held, “The Paymentech complaint plainly alleges that Landry’s published its customers’ credit-card information—that is, exposed it to view.” Given that the policy clearly covered liability arising from violations of consumers’ privacy rights, the Fifth Circuit also rejected the insurance company’s “salami-slicing distinctions” as to the nature of the complaint (alleging breach of contract as opposed to tort).
5. Insurance companies are unlikely to prevail in attempts to deny data breach coverage by invoking exclusions for war or terrorism.
In a December 2021 decision in Merck Co. Inc. et al. v. ACE American Insurance Co. et al., a New Jersey Superior Court ruled on summary judgment that a war exclusion did not negate coverage sought by Merck against 15 insurance companies. The pharmaceutical giant suffered $1.4 billion in losses stemming from a malware infection that spread to 40,000 of its computers.
Merck was a victim of the notorious NotPetya attack, which impacted countless corporate networks worldwide and even caused global supply chain disruption. The U.S. and U.K. governments have accused Russia of being ultimately responsible for the attack and, on those grounds, the insurance companies deemed the malware, as described in the decision, “an instrument of the Russian Federation as part of its ongoing hostilities against the nation of Ukraine.”
In an all-risk policy such as Merck’s, “the burden of proof is on the insurer to show that a policy exclusion applies,” Judge Thomas J. Walsh noted. He wrote, “Merck maintains its reasonable understanding of this exclusion involved the use of armed forces, and all of the case law on the war exclusion supports this interpretation.” The judge agreed with Merck that “no court has applied a war (or hostile acts) exclusion to anything remotely close to the facts herein.” He further emphasized that the language of the exclusion had not changed for years and that, if the insurance companies wished to expressly exclude specific types cyberattacks, they could do so.
The Merck decision reinforces the reality that it is very difficult for an insurer to meet its burden of proof in attributing a malware attack to a state actor. Cybercriminals cloak their true identities, motives and hacking tools, almost always using deception and misinformation in the process of an attack. Government allegations notwithstanding, the provenance of an attack generally remains disputed.
6. Policyholders should seek coverage for biometric claims and be prepared to fight for it.
Lawsuits for violations of Illinois’s Biometric Information Privacy Act (BIPA) or similar state statutes generally allege failure to adequately disclose collection of biometric data or the illegal sale or sharing of such data. To date, most lawsuits based on BIPA do not involve a cyber breach. Some insurers have denied liability coverage for such claims, citing an exclusion that typically addresses coverage for certain claims asserted under the Telephone Consumer Protection Act (TCPA) or the CAN-SPAM Act of 2003, which create a private right of action for recipients of unsolicited telemarketing. The cited exclusion sometimes references any other statute that is similar to the TCPA and CAN-SPAM Act.
In 2021, the Supreme Court of Illinois held that the exclusionary language did not apply to BIPA. In West Bend Mutual Insurance Company, v. Krishna Schaumburg Tan, Inc., the insurance company sued for a declaration that BIPA claims against its policyholder were barred from coverage based on this exclusion. West Bend argued that BIPA’s regulation of the use and storage of biometric information was similar to the TCPA’s regulation of telephone calls and faxes and the CAN-SPAM Act’s regulation of emails. The Illinois Supreme Court applied the doctrine of ejusdem generis (“of the same kind or class”) to find that BIPA was not the same kind of statute and required the insurer to provide defense coverage. As BIPA is an Illinois statute, the Illinois Supreme Court’s decision carries significant weight.
In March 2022, a federal court in Illinois followed the state Supreme Court precedent in West Bend, finding coverage for the policyholder in a lawsuit alleging biometric data violations. The court in Citizens Insurance Company of America et al. v. Thermoflex Waukegan LLC et al. rejected the insurance company’s application of not only the TCPA exclusion, but also an exclusion relating to confidential material, because none of the listed material was within the scope of what BIPA protects.
Policyholders should continue to seek coverage for potential BIPA liability under all applicable policies, including general liability policies, and be prepared to push back against denials. The West Bend decision should be persuasive outside of Illinois, as BIPA is the leading statute and many other comparable state laws are based upon it.