As the number of companies suffering a data breach continues to grow — with U.S. retailer Staples now reported to be investigating a breach — so do the legal developments arising out of these incidents.
While companies that have suffered a data breach look to their insurance policies for coverage to help mitigate some of the enormous costs, recent legal developments underscore the fact that reliance on traditional insurance policies is not enough, notes the I.I.I. white paper Cyber Risks: The Growing Threat.
A post in today’s Wall Street Journal Morning Risk Report, echoes this point, noting that a lawsuit between restaurant chain P.F. Chang’s and its insurance company Travelers Indemnity Co. of Connecticut could further define how much, if any, cyber liability coverage is included in a company’s CGL policy.
Collin Hite, partner and leader of the insurance recovery group at law firm Hirschler Fleischer tells the WSJ that whatever the outcome of this case, companies that want to be sure they are protected against cyber-related losses may have to purchase separate cyber liability policies–and make sure those policies are broad enough to encompass the myriad ways an attack could cost the firm money.
P.F. Chang’s confirmed in June that it had suffered a data breach in which data from credit and debit cards used at its restaurants was stolen.
An earlier post in the Hartford Courant Insurance Capital blog by Matthew Sturdevant has the details on the legal action between Travelers and P.F. Chang’s.
To-date the application of standard form commercial general liability (CGL) policies to data breach incidents has led to various legal actions and differing opinions, according to the I.I.I. paper on cyber risks.
One recent high profile — and oft-cited case — followed the April 2011 data breach at Sony Corp. in which hackers stole personal information from tens of millions of Sony PlayStation Network users.
A New York trial court ruled that Zurich American Insurance Co. owed no defense coverage to Sony Corp. or Sony Computer Entertainment America LLC.
In his ruling, New York Supreme Court Justice Jeffrey K. Oing said acts by third-party hackers do not constitute “oral or written publication in any manner of the material that violates a person’s right of privacy” in the Coverage B (personal and advertising injury coverage) under the CGL policy issued by Zurich.
Further expertise and analysis on cyber risks and insurance is available from the I.I.I.