Losses Incurred in a Data Breach: How the Courts Are Determining Liability for Insurers

Posted in Legal Alerts on January 6, 2023

Companies and their customers have increasingly fallen victim to cybersecurity incidents. Hackers have found numerous ways around safeguards to perpetrate frauds, which have caused large losses to companies. Not only have their own assets been stolen, but defrauded customers are also filing lawsuits against companies that have suffered cybersecurity incidents. As a result, companies have to incur large expenses to defend against these lawsuits. The first thing they often do is look to their insurance company to cover the losses and defend them against the claims; but if a dispute arises, courts do not take a uniform approach in determining whether these kinds of losses are covered.

Data Breaches Are Usually Not Considered a Physical Loss

Commercial and general liability insurance is usually intended to cover loss of physical property. When a company is the victim of any type of cyber fraud, the loss is not of physical property. Instead, data breaches and other frauds yield a loss of information, which is not considered a “tangible” loss.

Moreover, insurance policies will generally exclude cyber incidents from coverage. Many commercial general liability (CGL) policies are built on similar standard terms, so they share the same language. The Insurance Services Office, Inc. (ISO) also drafts standardized forms that many insurance providers use; however, some insurance carriers customize the terms of a policy, so the language may vary.

Courts Have Not Uniformly Ruled on Coverage for Data Breaches

To date, court decisions have generally reflected a split as to how judges have interpreted the requirement for a tangible physical loss. In one major early case, the U.S. Court of Appeals for the Fourth Circuit agreed with an insurer's interpretation of its policy language in holding that a theft of data was not covered under a CGL policy. However, another federal court held that a loss of use or functionality of a computer could be considered a physical loss.

As is often the case, the ISO has changed its forms over time to address the evolving landscape. Insurance companies often amend language to comprehensively protect themselves against ambiguity that could lead to a coverage dispute. Although carriers cannot change the terms of existing policies, they can remove uncertainty by updating and tightening up the language in future policies.

Recent Cases Have Focused on Whether Data Breaches Are Computer Fraud

While insurance companies have responded to the proliferation of lawsuits over coverage of data breaches in a CGL policy by tweaking the language in their policies, the legal battles have now shifted. Policyholders have purchased additional coverage for computer fraud, and they have added it to their CGL policies. Ongoing disputes remain about what is covered in these computer fraud policies. Courts have been called upon to interpret specific policy language to render a judgment about whether a specific type of incident is covered.

In one case, the U.S. Court of Appeals for the Eleventh Circuit agreed with an insurance company's interpretation of the computer fraud clause in its policy in holding that a specific type of fraud was not covered. In this case, fraudsters found a way around the company's telecommunication system in order to redeem the same digital assets multiple times. The company suffered a loss of $11.4 million. Even though the telephone system was computerized, the court found that the specific type of fraud was not computer fraud as defined by the specific language of the policy. According to the court, simply using a computer to commit fraud is not the same thing as computer fraud.

However, in another case, the U.S. Court of Appeals for the Second Circuit held that a spoofing attack was covered by a computer fraud policy. The court reasoned that computers were integral to the success of the fraud. Hence, the spoofing attack was covered by the clear and unambiguous language of the insurance policy.

The difference between the courts’ holdings in these cases does not appear to be easily remedied by changing the language of future policies. There is a fundamental disagreement among the courts about whether simply using a computer to commit fraud is enough to trigger coverage under a computer fraud clause. In other words, one school of thought applies a broad reading that places the use of a computer as part of the fraud at the center of its decision, while the other school looks specifically at the exact language of the operative insurance policy.

In any case, courts will first look at the explicit language of an insurance policy to determine whether the loss is covered or the insurer has a duty to defend against a lawsuit. The applicable rule is called the “eight corners” rule: the court looks at the four corners of the insurance policy and the four corners of the legal complaint to determine whether the complaint concerns a loss that is specifically covered by the policy. Beyond following precedent, policyholders and insurance companies may not have much predictability as to how courts will rule.

The Cybersecurity Insurance Market Poses Challenges to Insurers and Insureds Alike

Although one obvious solution would be for companies to purchase dedicated cybersecurity insurance, that market has failed to materialize as expected. The risk-reward ratio does not make it profitable or viable for insurance companies to provide this type of insurance. The market only becomes efficient when there is a large risk pool across which to spread out the potential hazards. The problem is that only a small universe of companies needs the protection that cybersecurity insurance would provide. Insurance companies would need to charge high premiums because they cannot adequately spread out the risk.

In the meantime, cybersecurity risk is a sizable and growing risk that companies are having a hard time managing. In the event that courts consistently rule that data breaches are covered by CGL insurance or computer fraud clauses, companies can expect to pay much higher premiums. Insurance companies will also likely adjust the language of new policies going forward to explicitly exclude these occurrences from coverage. The evolving risks of cyber fraud have left insurance companies in a difficult position when determining how to price these risks.