Limits of Cyber Attack Insurance Being Tested in Litigation

Some of the first cases relating to a cyber-attack or data breach relied on traditional insurance forms that contained specific coverages relating to electronic data. A Delaware Superior Court analyzed Commercial General Liability (CGL) coverage for the hack of a bank’s credit card records. Although it found the attack fell within Electronic Risk Liability coverage, it also said it fell within the policy’s fraud exclusion for losses based on fraudulent activity. The court, however, refused to respect the exclusion, reasoning that every unauthorized use or access to the insured’s electronic data or software would almost necessarily involve fraud, thus rendering coverage illusory.

In a 2015 case in the Central District of California, an insurer argued that it was not responsible for a settlement because of the insured’s “failure to follow minimum required practices.” The case was dismissed on other grounds so this important issue remains unresolved. Courts have found varying policy language in CGL insurance to either cover or exclude privacy claims resulting from the disclosure of personally identifiable information.

The scope of cyber insurance is a work-in-progress. Cyber attacks and data breaches are becoming more common, hackers are more sophisticated, and there is an increasing amount litigation seeking redress. Meanwhile, cyber insurance policies have proliferated, arguably without sufficient data for comprehensive underwriting. With more lawsuits and higher damages, cyber insurance litigation may be a bet-the-company issue for many companies, as well as their insurers.