As cybersecurity incidents continue to mount and as the issue of data security becomes increasingly important and a source of potential liability, companies should consider whether their standard commercial general liability (“CGL”) policies provide adequate coverage. The case law, although limited, suggests that policyholders might face an uphill battle in obtaining coverage.
In Innovak International, Inc. v. The Hanover Insurance Company, No. 8:16-cv-2453-MSS-JSS, — F. Supp. 3d —, 2017 WL 5632718 (M.D. Fla. Nov. 17, 2017), the Court found that the insurer was not required to provide a defense to the policyholder because the underlying complaint did not allege that the policyholder published the private data. Innovak develops and markets accounting and payroll software and maintains a database accessible via Internet portals. The complaint alleged that as a result of Innovak’s negligence, hackers were able to access class members’ personal information, including social security numbers, addresses, dates of birth, telephone numbers, employment information, and spousal information. The complaint included claims for negligence, breach of implied contract, gross negligence, unjust enrichment, and fraudulent suppression. The claimants alleged that they suffered psychic injuries including stress, nuisance, loss of sleep, worry, and the annoyance of dealing with the data breach.
Innovak notified its insurer—Hanover. Hanover denied coverage on multiple grounds. Innovak filed suit in state court seeking a declaration that Hanover owed a defense. Hanover removed the case to federal court. Both parties filed motions for summary judgment.
In the litigation, Innovak sought coverage under Coverage B of the policy. (Hanover had also denied coverage under other provisions of the policy.) Coverage B in the policy provides:
We will pay those sums that the insured becomes legally obligated to pay as damages because of “personal and advertising injury” to which this insurance applies. We will have the right and duty to defend the insured against any “suit” seeking those damages. However, we will have no duty to defend the insured against any “suit” seeking damages for “personal and advertising injury” to which this insurance does not apply.
The policy defines personal and advertising injury in part as “injury, including consequential ‘bodily injury’, arising out of one or more of the following offenses:…e. Oral or written publication, in any manner, of material that violates a person’s right of privacy.” (Emphasis added.)
Hanover argued that Coverage B did not apply because Coverage B “necessarily requires an act or conduct by the Insured for coverage to be present. Here, third party hackers, not the Insured, caused the data breach.” Innovak, on the other hand, argued that Coverage B provides coverage for claims alleging any publication of material that violates a person’s right to privacy—where that publication is directly or indirectly committed by the insured.
The Court analyzed the policy language under South Carolina law. (The Parties agreed that South Carolina law applied.) Under South Carolina law, the insurer’s duty to defend is determined by the allegations in the complaint. The Court found that the duty to defend turned on whether the underlying complaint alleged publication by the insured of the private information. The pertinent policy language (Coverage B) required publication of the information. That language does not expressly state that the publication must be committed by the insured, but the court concluded that there was no duty to defend because the underlying complaint did not allege that the insured published their information. The court found that: “The act that violates the claimants’ right of privacy is the publication of their PPI, and the Underlying Claimants have not alleged that Innovak directly or indirectly committed that act.”
The Court cited Zurich American Insurance v. Sony Corporation of America, No. 651982/2011, 2014 WL 8382554 (N.Y. Sup. Ct. Feb. 21, 2014). In Sony, the court interpreted the same policy language and reached the same conclusion, i.e., that the policy provision requires the policyholder to commit the act, reasoning that to construe the policy language to apply to acts of third parties would expand coverage beyond the anticipated scope. The Innovak Court found this reasoning persuasive and concluded that the only “plausible” interpretation is that the policyholder must be the publisher of the information.
This case underscores the difficulties in applying the language of CGL policies to the rapidly evolving problem of cybersecurity and data privacy. Policyholders that maintain private data must examine their policies and should consider policies that are more specifically tailored to cyber incidents.