Data Security, Third-Party Privacy Claims, And Insurance Coverage Under CGL 'Personal And Advertising Injury' Coverage

Author: Mr John Iole and Kevin D Lyles
Profession: Jones Day

Personal and advertising injury coverage appears in standard commercial general liability ("CGL") policies. Even though courts have been hostile to invasion of privacy claims based on data security breaches, such claims frequently are filed and are not always dismissed at an early stage. Particularly for companies that do not have specialized data security coverage, CGL coverage might provide a basis for the payment of defense costs and, if necessary, indemnity in response to such third-party claims.

For a company faced with a data breach resulting in the possible disclosure of private information, an important question is how, if at all, commercial general liability insurance will respond to third-party claims alleging damages. If your company has specialty coverage for data security loss, cybertheft, or similar liabilities, then your right to coverage might be clear.1 If you do not have such special coverage available, however, then you might nevertheless have a prospect of recovering defense costs and indemnity under your CGL policy.

Through both inadvertence and malice, corporate entities are exposed to the risk of data security breaches that can result in the revelation of the private data pertaining to millions of customers, employees, or others. The Privacy Rights Clearinghouse estimates that more than 343 million individual records containing sensitive personal information have been involved in data security breaches in the U.S. for the period January 2005 through January 2010. See Privacy Rights Clearinghouse, "Chronology of Data Breaches." The recent data attacks on Google and Yahoo! illustrate the way in which even the most technologically capable entities are subject to the risk that personal data of their customers can be revealed. See, e.g., The Wall Street Journal, "Google Investigating If China Staff Involved in Cyber Attack" (Jan. 21, 2010).

The opportunities for inadvertent loss and outright theft have grown exponentially with the ubiquity of laptops, PDA/BlackBerry devices, large-capacity microdisks, and external access to corporate systems and data. Furthermore, corporations have reported that targeted data attacks, originating from both inside and outside the entity, are on the rise. See, e.g., Outpacing Change: Ernst & Young's 12th Annual Global Information Security Survey (2009) (in 2009, "41% of respondents noted an increase in external attacks and 25% of respondents witnessed an increase in internal attacks."). Moreover, the sophistication of data analysis is such that even data believed to be safely encrypted can sometimes be decoded by determined parties. See, e.g., Valdez-Marquez, et al. v. Netflix, Inc., C09-05903 (N.D. Cal. 2009) (complaint filed Dec. 17, 2009) (anonymized video rental data allegedly de-anonymized and reviewed by third parties).

Just as the opportunities for security breaches escalate, legislative efforts to protect privacy rights have increased to the point of saturation. Numerous federal and state statutes now require both protection of data and notification of security breaches, meaning that customers and the public swiftly learn when a data breach occurs.2 These statutes can also provide for penalties or private rights of action. In what has been reported as the first instance of state enforcement under HIPAA, the Connecticut Attorney General recently sued Health Net, Inc. over an alleged failure to protect private data (and to report the breach of security) regarding more than 400,000 enrollees following the loss of a laptop computer. Attorney General v. Health Net of the Northeast, Inc., D. Conn., 3:10-CV-00057-PCD (complaint filed Jan. 13, 2010).

The insurance market has responded to these risks with special coverage written to address this type of claim.3 Nevertheless, for those companies with CGL insurance and no special coverage, there is an opportunity to seek coverage for defense costs (or indemnity payments, in the event of a settlement or judgment) for third-party claims under standard CGL policy wording.4

Third-Party Claims Based on Disclosure of Private Information

To date, courts have been somewhat hostile to claims seeking to recover damages for security breaches, rejecting them on the grounds that the plaintiffs assert only speculative loss. See, e.g., Pisciotta v. Old Nat'l Bancorp, 499 F.3d 629, 634 (7th Cir. 2007) (compromise of personal information was not a "compensable injury" as required for negligence or breach of contract under Indiana law).5 Nevertheless, there is no guarantee that all such claims will fail, and due to the wide variety of common-law and statutory provisions addressing this subject, it is likely that a significant number of such claims will survive early stages of litigation and potentially proceed to final resolution.6

For example, the United States District Court for the Northern District of Illinois recently declined to dismiss a putative class action alleging violations of the Fair Credit Reporting Act and an Illinois privacy statute, along with a common-law invasion of privacy claim. Rowe v. Unicare Life and Health Insur. Co., 2010 U.S. Dist. LEXIS 1576, 09-C-2286 (N.D. Ill. Jan. 10, 2010). In Rowe, the defendant health insurance providers advised individual plan members that some of their personal information inadvertently had been made available online to the general public. The private information included...
