As cyber hacking and phishing schemes become more common, one issue that is often raised is whether, and to what extent, damages resulting from these incidents fall within the coverage afforded under a standard commercial general liability policy. The United States District Court for the Middle District of Florida recently addressed this issue Innovak Int’l, Inc. v. Hanover Ins. Co., No. 8:16-CV-2453-MSS-JSS, (M.D. Fla. Nov. 17, 2017), and held that a data breach was not a covered “personal and advertising injury” because there was no publication of the data.
In that case, Innovak (the insured) filed a declaratory judgment action against Hanover, seeking a declaration that Hanover was contractually obligated to defend and indemnify Innovak in a class action filed against it for damages resulting from the release of the underlying claimants’ personal private information (PPI) after Innovak was the subject of a data breach. According to the underlying complaint, Innovak designed and developed accounting and payroll software for schools, school districts, and other entities. Innovak’s database contained W-2 and paystub information, which necessarily contained PPI including social security numbers, addresses, telephone numbers, dates of birth, employment information, etc. According to the underlying claimants, a hacker gained access to Innovak’s software and database and “appropriated” their PPI. The underlying claimants asserted claims against Innovak for negligence, breach of implied contract, gross negligence, unjust enrichment, and fraudulent suppression based on Innovak’s alleged failure to adequately protect the PPI and timely disclose the breach to end users.
Innovak notified Hanover of the underlying action and sought coverage under a commercial general liability policy (the “Policy”). The Policy provided coverage for “bodily injury” and “property damage” (Coverage A), “personal and advertising injury” (Coverage B), as well as certain expenses enumerated in a data breach form included in the Policy. Hanover denied coverage for the underlying action under each of these provisions. Hanover denied coverage under Coverage A because the emotional injuries alleged by the underlying claimants did not fall within the Policy’s definition of “bodily injury,” and, because the PPI was intangible, it did not qualify as “property damage.” Coverage was also denied under Coverage A because the underlying claims were based on the intentional acts of third party hackers, and Coverage A only covered “accidents” or unintentional conduct. Hanover also denied coverage under the data breach form because the form specifically excluded coverage for “defense or legal liability” including expenses related to third party litigation.
Finally, Hanover denied coverage under Coverage B of the Policy for “personal and advertising injury.” Denial on this basis was the focal point of the court’s decision. The Policy, in relevant part, defines covered “personal and advertising injury” as “injury, including consequential ‘bodily injury’, arising out of one or more of the following offenses: … e. Oral or written publication, in any manner, of material that violates a person’s right of privacy.” The court found that Hanover rightfully denied coverage under Coverage B because the underlying complaint did not allege any publication of PPI — either by Innovak or the third party hacker.
Moreover, even if the hacker’s actions in appropriating the PPI could be considered a “publication,” the Policy required publication by Innovak for coverage to be triggered. In so holding, the court relied on the Supreme Court of New York’s decision in Zurich American Insurance Company v. Sony Corporation of America, No. 651982/2011, 2014 WL 8382554 (N.Y. Sup. Ct. Feb. 21, 2014), and rejected Innovak’s argument that the “in any manner” language could be interpreted to mean that publication could be made by anyone. Instead, “in any manner” described the medium of publication, not the identity of the person publishing the material. The court highlighted the New York court’s reasoning that to allow coverage for publication by third parties other than the insured would expand coverage beyond what the insurer intended.
The court’s decision highlights the conceptual limits of commercial general liability coverage in the context of cyber security claims. The claims and damages related to these claims may not fit within the definitions of “bodily injury,” “property damage,” or “personal and advertising injury,” as those terms are typically defined. Accordingly, cyber insurance that is specifically tailored to potential risks is important.