Sony and Dropbox cases highlight cyberliability insurance coverage issues
Two Peas in Different Pods
Much ink has been spilled about Zurich Insurance’s recent denial of coverage for the massive Sony PlayStation breach. Some of the early commentary has been useful (mostly by providing accurate descriptions of what has transpired so far), while some has been wildly amiss (mostly by mischaracterizing the kind of coverage at issue). In the end, Zurich’s coverage denial will probably be confirmatory rather than revelatory — that is, it will likely confirm the warnings of experienced insurance professionals and not uncover any shocking new facts about coverage for breaches of privacy and data security.
Less attention has been paid to a pair of claims involving Dropbox, a popular cloud-based storage service. One claim was filed with the FTC, alleging that Dropbox had made false claims about the security of its users’ data. The other claim, a class action lawsuit, followed a self-inflicted breach of network security that enabled Dropbox members to gain access to other users’ data. Despite their lower profile, the Dropbox claims are likely to reveal more about the nature and limitations of privacy/data security coverage in the current marketplace than is the Zurich/Sony dispute.
The Zurich Coverage Denial
As many readers know, in late April 2011 Sony announced that 77 million individual records had been breached in an attack on its PlayStation Network (see blog post here for a description of the matter). It is not surprising that Sony would cast a wide net to try and recoup as much as possible of the mammoth costs (estimates range from tens of millions to billions) it will incur in connection with the breach.
At least one popular magazine has referred to the Zurich policies at issue as “cyberliability” policies. They are not. They are Commercial General Liability (CGL) policies, the broad generalist policies that are usually among the first insurance policies that companies buy.
While many courts have found liability coverage under the “personal injury” section of CGL policies — at least in cases where the policies in question hadn’t yet been endorsed specifically to exclude coverage for cyberliability matters — most commentators consider the CGL policy a poor vehicle for covering cyberliability breaches. While the definition of covered “personal injury” in a CGL policy generally includes invasions of privacy, there are sometimes disputes over whether there has been sufficient “publication” or disclosure of personal information to trigger the coverage. There is also wide consensus that CGL policies do not adequately cover the range of expenses that companies face when they suffer privacy or network security breaches. Most agree that CGL policies won’t cover the “first-party” out-of-pocket expenses — statutory breach notices, credit monitoring, forensic investigation expenses, public relations expenses, and the like — that have so far been the greatest exposure for most companies suffering breaches.
Zurich’s complaint initiating the dispute did not shed much light on its position. Zurich’s complaint essentially asserts that the injuries claimed by the Sony class action plaintiffs do not constitute “personal injury” claims — and if they do, then there are applicable exclusions in the policy. Later court filings will reveal Zurich’s reasoning and arguments, but at this point speculation about Zurich’s position constitutes something of a parlor game among insurance professionals.
The unfolding of the Zurich/Sony coverage dispute will probably reinforce the widespread belief that companies are unwise to rely on their CGL policies to provide them satisfactory protection from the considerable costs of privacy and network security breaches. This would be a useful reminder, and may convince holdouts, skeptics and those who haven’t yet focused on this issue. It is not, however, likely to break new ground — although if the court rules significantly in favor of coverage, insurers will almost certainly change their policies to preclude such coverage in the future.
The Dropbox Cases
As mentioned above, a complaint submitted to the FTC in May 2011 alleged that Dropbox made false claims about the supposed privacy of its users’ data. According to the complaint, even when users designated their stored files as “private,” Dropbox kept encryption keys that enabled its employees to gain or provide access to users’ information. There are other elements to the complaint, but the gist is that Dropbox gained an unfair competitive advantage by misrepresenting the nature of its security.
In June 2011 Dropbox disclosed that it had introduced a bug that enabled users to log into others’ accounts and gain access to their data. Three days later, a class action lawsuit was filed against the company, alleging that Dropbox failed to maintain the security of its users’ data and also failed to notify most of its users of the breach. The class action suit alleges, among other things, that Dropbox invaded its users’ privacy and violated California law.
It would seem on its face that the two Dropbox claims have the essential earmarks of covered matters: failure to protect sensitive confidential information, alleged legal violations, the filing of claims asserting liability. If there is cyberliability insurance coverage involved in this situation (I do not know), however, there could be significant coverage issues based on the nature of the claims.
When insurers write policies, they naturally craft the language to reflect their experiences with risks and claims. Policies cover this type of claim, from that claimant, under those kinds of circumstances. In the relatively new and rapidly evolving area of cyberliability insurance, there has not yet been a wealth of claims data to help insurers and buyers determine if current policy provisions are adequate to cover the reasonably expected scope of the risks insurance buyers face.
Why might there not be cyberliability insurance coverage for the Dropbox claims? In a nutshell, it would be because many cyberliability insurers weren’t thinking about these types of claims, citing those laws, when they drafted their policies. Some of the current policy forms would provide coverage for claims like these, but many — probably most — others have drafting quirks in their scope of coverage, in their definitions, and in their exclusions that could enable the insurers to deny coverage. These drafting shortcomings can usually be corrected during the negotiation of coverage terms. Many insurers, however, have pushed back when asked to make the changes necessary to provide clear coverage for what would seem to the reasonable insurance buyer to be garden-variety privacy and network security breaches. Fixing these policy shortcomings usually requires more extensive explanation, and often escalation to higher authorities at the insurer, than do most other coverage enhancements.
The Dropbox claims may demonstrate how diligent insurance buyers must be in pursuing coverage that will be broad enough to protect them from the kinds of exposures they are likely to face if they are responsible for breaches of privacy or network security. This requires both keeping current with the claims landscape and looking forward to anticipate how claims may evolve. Perhaps it is arcane insurance esoterica to focus on why the Dropbox cases may reveal more about the state of cyberliability coverage than the higher-profile Zurich/Sony coverage dispute. But of such stuff are coverage advancements made, enhancements that can protect insurance buyers from unpleasant surprises.
About the Author
John Doernberg is a Vice President at WGA. He is responsible for developing relationships and serving as a resource for WGA clients, with a particular focus on privacy, information security and risk management issues. Before becoming an insurance broker in 1995, he practiced law for more than ten years at major firms.