Examining Coverage for Cyber Risks Under Property and Liability Policies, New York Law Journal
Over the past few years, data breaches have become more frequent and have impacted an increasing number of people. As computer hacking and data breaches become more common, an issue that is often raised is whether, and to what extent, damages resulting from these incidents fall within the coverage of the policies held by the corporate victims of the attacks. This article explores courts’ differing conclusions when faced with claims for cyber risks under different types of insurance policies, looks at some of the recent cyber-crimes and the direct financial and legal impact on businesses, and posits solutions to address insurance coverage for cyber-related risks.
A cyber-hacking or data breach event, such as the ones suffered recently by Equifax, Target, Yahoo, and Sonic, typically involves a third-party gaining unauthorized access to a company’s computer system, stealing customer information and then using that stolen information to apply for mortgages, credit cards and student loans, and tapping into bank debit accounts, filing insurance claims and tax refunds, and racking up substantial debts. The theft of the personal financial information of their customers causes direct loss to the company itself, through lost records, reputational damage, business interruption, and costs to correct and repair the damage done by intruders, and may also subject the company to lawsuits from their customers.
Naturally, companies have sought coverage for these cyber-losses from their insurers. An insured seeking to protect itself from losses due to data breaches and cyber-attacks can procure specific first-party policies that will cover such loss. For example, certain property policies have been found to provide coverage for data breaches when the policy contains a specific definition of property to include electronic data.
In NMS Services v. The Hartford, 62 Fed.Appx. 511 (4th Cir. 2003), the Fourth Circuit held that there was coverage under a business property policy for an insured’s loss of business and costs to restore records lost when a former employee hacked into the insured’s network. Similarly, in Lambrecht & Associates v. State Farm Lloyds, 119 S.W.3d 16 (Tex. App. Ct. 2003), the insured suffered direct losses due to a hack of its system. The Texas Court of Appeals found that the insurer could not prove as a matter of law that the damaged property was not covered under the insured’s business property policy, which covered “accidental direct physical loss to business personal property.” However, the court also denied the insured’s motion for summary judgment, finding an issue of fact as to whether the insured’s losses were “accidental.”