The prevalence of cyber data breach over the years has not only grown in number, but has also grown in size.  Perhaps the most well-known example of a large-scale data breach is that suffered by Target Corp. occurring at the end of 2013.  The effects of the breach on Target Corp. have been profound. Indeed, within days of the announcement of the breach, class action lawsuits were filed against Target around the country, including in California, Massachusetts, Minnesota, Ohio, and Utah. These class actions fall into three general categories: (1) those brought by consumers whose information was compromised; (2) those brought by financial institutions such as banks and credit unions that service these consumers; and (3) derivative actions brought by Target shareholders.

For a single data breach, the Ponemon Institute reports that the average U.S. organizational cost is $5,403,644 — with $565,020 spent on post-breach notification alone.[1] Importantly, the numbers do not include “data breaches in excess of 100,000 [records] because they … would skew the results.”

There is potential coverage for cybersecurity data breaches under standard CGL policies. In particular, the ISO’s form CGL policy states that the insurer “will pay those sums that the insured becomes legally obligated to pay as damages because of ‘personal and advertising injury.’”[2]  “Personal and advertising injury” is defined to include “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy.”[3]

But just when insureds need coverage for damages caused by cyber data breaches the most, the Insurance Services Office Inc. (“ISO”), which sets guidelines for pricing and creates insurance forms for insurers to use across the country, has come up with a number of data breach exclusionary endorsements or standard exclusions for use with its standard-form primary, excess and umbrella commercial general liability (“CGL”) policies to lock out any potential coverage.  For example, the ISO filed endorsement form number CG 21 06 05 14 entitled, “Exclusion – Access Or Disclosure Of Confidential Or Personal Information And Data-related Liability – With Limited Body Injury Exception,” which modifies the CGL coverage part.  This endorsement excludes coverage for damages arising out of:

(1) Any access to or disclosure of any person’s or organization’s confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information; or

(2) The loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.

The endorsement goes one step further and clarifies that:

This exclusion applies even if damages are claimed for notification costs, credit monitoring expenses, forensic expenses, public relations expenses or any other loss, cost or expense incurred by you or others arising out of that which is described in Paragraph (1) or (2) above.

Naturally the insurers snapped up these exclusions, incorporated them into their policy forms and submitted them for approval to the state insurance departments where they do business. The majority if not all U.S. states and territories have approved these new exclusions.  It is not surprising that the insurance industry has promulgated these new air-tight exclusions for cyber related losses while also at the same time they have begun to roll out in earnest specialized cybersecurity insurance products to fill the gap they are creating. The cybersecurity insurance products available are both pricy and limited.

With ISO’s new data breach exclusions rolling out, organizations should assess potential threats to its company and private customer information, and identify which insurance products will best fit their needs including, careful review of their insurance and at renewal negotiation of the broadest possible coverage including wherever possible, older versions of the ISO CGL forms, and no special endorsements reducing coverage even more.  If data breach is a serious concern, and any company of any size should be concerned, perhaps careful consideration of cyber insurance is in order, as limited and expensive as it may be.

[1] Ponemon Institute, 2013 Cost of Data Breach Study: Global Analysis, at 5, 16 (May 2013).

[2] ISO Form CG 00 01 04 13 (2012), Section I, Coverage B, §1.a.

[3] Id. §14.e.