Cyber Losses and Insurance Implications
Recent studies have estimated that U.S. companies collectively lose over $100 billion as a result of cyber attacks (i.e. hacking) or cyber espionage. It is further estimated that on average, a single targeted cyber attack can cost a U.S. business over $2.5 million. The costs incurred from these attacks include lost opportunity costs from service interruptions, costs associated with defending lawsuits brought by customers in situations where customer data was stolen, costs associated with notifying customers that sensitive personal information may have been stolen, and other reputational damages.
Companies that fall victim to these attacks often turn to their insurance carriers for assistance in recovering some of these costs or, in the cases where the company faces lawsuits in the aftermath of the attack, for defense and indemnification costs. However, these companies are often finding that “traditional” insurance policies might not offer the protection from cyber attacks that they anticipated. Accordingly, companies have been met with denials of coverage by their insurance carriers that potentially lead to litigation over whether coverage exists.
A. The Sony PlayStation Network Case
The widespread use of the internet is still a relatively new phenomenon, as are the costly cyber attacks. Accordingly, courts are just beginning to address issues related to insurance coverage stemming from these attacks. One case currently pending in New York illustrates the competing policy interpretations that are implicated in these types of disputes.
In Zurich American Insurance Co., et al. v. Sony Corporation of America, et al., N.Y. Supreme Court, New York County, No. 651982/2011 (the “Sony Action”), Zurich is seeking, inter alia, a declaration that it has no duty to defend or indemnify numerous Sony Defendants for claims stemming from a massive cyber attack Sony experienced in 2011. A review of the docket indicates that the case is being set up for dispositive motion briefing this fall.
As part of their business, the Sony Defendants manufacture and sell video game devices, including the PlayStation. In connection with the PlayStation consoles, the Sony Defendants operate and maintain several online gaming/entertainment networks, including the PlayStation Network (“PSN”). The PSN allows consumers to play video games online against other users, and also allows consumers to purchase and download games, music, movies and other content to their PlayStation. Although credit card information is not needed for some services, consumers need to enter that information to purchase content.
Between April and June 2011, computer hackers unlawfully gained access to the PSN and other networks operated by the Sony Defendants. The various intrusions resulted in the unauthorized access to and theft of personal and financial information of over 100 million PSN customers. In the aftermath of the attacks, the Sony Defendants found themselves named as defendants in 55 class action complaints filed in the United States and three class action lawsuits filed in Canada. In general, the underlying complaints allege that Sony failed to take adequate steps to protect the underlying plaintiffs’ information, and that Sony unreasonably delayed notifying consumers of the cyber attack and resulting theft of information. The underlying plaintiffs further allege that they suffered damages as a result of the shutdown of the PSN following the cyber attacks. The Sony Defendants provided notice of the claims asserted in the various actions to Zurich, but Zurich denied it had a duty to defend and instituted the insurance action.
The Sony Defendants have filed a motion for partial summary judgment, seeking a ruling that Zurich owes them a duty to defend. The Sony Defendants argue that the policies provide coverage for damages because of “personal and advertising injury,” which includes “oral or written publication, in any manner, of material that violates a person’s right of privacy.” The Sony Defendants claim that the underlying complaints trigger this coverage by virtue of seeking damages arising out of the unauthorized disclosure of private, personal, and/or confidential information.
Among the issues to be argued is whether the “publication” aspect of the policy’s provisions can be met even where the customer information is not formally published in any location (i.e., it was not released on a website, etc.). Additionally, the Sony Defendants argue that an Internet Business Exclusion in the policy does not apply to preclude coverage. That exclusion excludes coverage for an insured whose business is, inter alia, “An Internet search, access, content or service provider.” Whether the Sony Defendants’ hosting of content on the PSN renders them an Internet Business will be an issue decided in the litigation.
Similar issues to those being litigated in the Sony Action were litigated in another recent case. In Arch Insurance v. Michaels Stores, Inc., No. 12-0786, N.D. Ill., Arch sought a declaration that it had no duty to defend Michaels in underlying actions stemming from the theft of consumers’ credit and debit card information. The theft of data in this case arose when PIN pads at store registers were tampered with to allow for the theft of data to occur. The policy at issue excluded electronic data from the definition of tangible property. As a result, the focus was on the publication of materials clause. Although the issue was briefed, the parties reached a settlement agreement prior to a decision being issued. Based on a review of case law, it does not appear that the application of this “publication” clause has been addressed in the context of a case involving a cyber attack.
B. Other Insurance Issues Implicated in Cyber Cases
In addition to the issues being litigated in the Sony Action and Michaels, other policy provisions are likely to arise in cases involving cyber incidents (regardless of whether it is an attack, or something more innocent such as a network outage). Obviously, the outcome of any dispute will depend on a number of factors, including the precise language of the policy.
1. What Property Is Covered?
One issue that comes up in cyber cases is whether the damaged property (typically electronic data or customer information) is covered by the policies at issue. Courts have issued diverse rulings on this issue, which are dependent on the facts of the case.
In Eyeblaster, Inc. v. Federal Insurance Company, 613 F.3d 797 (8th Cir. 2010), the United States Court of Appeals for the Eighth Circuit reversed the granting of summary judgment to Federal by the United States District Court for the District of Minnesota. At issue in the case was whether Eyeblaster, an online marketing campaign management company, was entitled to coverage under a general liability insurance policy after it was sued by a computer user who alleged that Eyeblaster injured his computer, software, and data after he visited an Eyeblaster website.
Under the terms of the policy at issue, Federal was obligated to provide coverage for property damage caused by a covered occurrence. Property damage was defined as “physical injury to tangible property, including resulting loss of use of that property…or loss of use of tangible property that is not physically injured.” Under the terms of the policy, tangible property did not include “software, data, or other information that is in electronic form.” The district court granted summary judgment to Federal after concluding that the computer user’s complaint only alleged damage to software, which was excluded from coverage. On appeal, the Eighth Circuit agreed that the policy did not cover any losses stemming from injuries to the customer’s data. However, the Eighth Circuit reversed the district court and found that to the extent that the computer user was alleging Eyeblaster’s website caused his computer to run slowly and inefficiently, this was covered under the part of the definition of property damage that included the “loss of use of tangible property that is not physically injured.”
In American Guarantee & Liability Insurance Company v. Ingram Micro, Inc., 2000 U.S. Dist. LEXIS 7299 (D. Ariz. 2000), the United States District Court for the District of Arizona granted Ingram’s motion for partial summary judgment and concluded that a 1998 power outage caused direct physical loss to Ingram. Ingram was a wholesale distributor of microcomputer products and used a world-wide computer network to track its customers, products and transactions. In December 1998, a power outage caused all the electronic equipment at Ingram’s Data Center to stop working. Although some systems were restored within hours of the outage, communications with some locations were not restored for several days.
Ingram filed a claim under its property damage policy, which insured against certain business and service interruptions, but American denied the claim and the litigation ensued. In briefing on the summary judgment motions, American argued that Ingram’s computer systems were not “physically damaged” because their capability to perform remained intact. It does not appear that the American policy included an exclusion for electronic data as was present in the Eyeblaster case. The district court refused to accept a narrow definition of the term “physical damage” and instead agreed with Ingram that the term included loss of use and functionality, as well as loss of data. As a result, the court granted summary judgment to Ingram.
As the above cases illustrate, whether losses of electronic data are covered will depend on the definition of tangible property in the policy and whether the data is excluded from coverage.
2. Intentional Acts or Accidents?
Another issue that arises less frequently in cyber cases is whether coverage is excluded because the underlying injury was caused by an intentional act. This issue can arise over questions as to whether a third party’s attack triggers the exclusion or in situations where the dispute centers around an intentional act with allegedly unintended results.
In Lambrecht & Associates v. State Farm Lloyds, 119 S.W.3d 16 (Tex. Ct. App. 2003), the Texas Court of Appeals reversed the lower court’s granting of summary judgment to the insurer. In this case, Lambrecht, an employment agency, encountered issues when its server contracted a computer virus that prevented employees from inputting or retrieving data from the computer system. The virus forced Lambrecht to replace the server. Lambrecht submitted claims for: (1) the value of lost property, comprised of (a) the value of the server, and (b) the value of the software installed on the server; and (2) income lost due to business interruption, comprised of (a) Lambrecht’s inability to conduct business when the server was inaccessible, and (b) time lost due to replacing information on the server. State Farm denied coverage.
Among the issues addressed by the court was whether the conduct causing the loss was intentional, which would bar coverage under the policy. State Farm argued that coverage was excluded because the actions of the hacker were intentional. The court disagreed and found that Lambrecht’s contracting the computer virus was accidental rather than intentional. Specifically, the court concluded that intentionality is determined from the viewpoint of the insured, and State Farm failed to present evidence that Lambrecht intentionally downloaded the computer virus or committed any acts that Lambrecht would reasonably believe would result in contracting the computer virus. Thus, the lower court’s entry of summary judgment was improper and was reversed.
Santos v. Peerless Insurance Company, 2009 Cal. App. Unpub. LEXIS 3415 (Cal. Ct. App. Apr. 30, 2009), presented a different situation. Here, Santos was the party causing the cyber injury, and although there was no dispute that he acted intentionally, he claimed Peerless was obligated to provide coverage to him because he didn’t intend the results that occurred. The insurance dispute arose after Apple Computer filed claims against Santos alleging that he attempted to infiltrate Apple’s information systems by sending repeated information requests to Apple through its website, which caused slowdown and loss of capacity of Apple’s servers. Santos tendered the claims to Peerless, who denied coverage.
There was no dispute that Santos acted intentionally by sending requests to Apple’s servers. However, Santos claimed that he did not intend to cause Apple’s servers to slow down or lose any capacity. Although the court agreed that intentional conduct could cause accidental results for insurance purposes in some cases (e.g., hitting a baseball that accidentally breaks a window), in this case Santos intentionally bombarded Apple’s servers in order to procure information (that he was not entitled to), and thus the unforeseen damage to Apple’s server could be tied to the intentional conduct. Accordingly, the policy excluded damages due to slowdown and loss of capacity of Apple’s server.
C. Cyber Insurance?
In recent years, many insurance providers have begun offering cyber insurance policies that are designed to provide coverage for many of the situations described above. It is unclear how fast this new type of coverage is catching on. According to Chubb Group of Insurance Companies, only 35% of those companies surveyed purchased cyber insurance policies, despite the fact that over 60% of those surveyed stated that cyber attacks were a major concern. Whether companies need to purchase separate cyber insurance policies depends upon a number of factors, including how much risk the company has for a cyber incident, and what the company’s “traditional” policies provide coverage for.