Almost daily, the headlines report new cybersecurity attacks, each more brazen and far-reaching than the last. Businesses may think their general commercial liability policy will cover their losses in the event of a cybersecurity attack, but often learn the hard way that insurance companies frequently deny coverage for these losses. Electronic data is not considered to be “tangible property” by most traditional policy terms, and because data breaches don’t typically involve loss or damage to physical property, general liability policies often do not cover the resulting expenses and damages. Whether your business is protected depends on the specific language of your policy and the circumstances of the loss. Here’s a look at how that played out in two recent examples – and some guidance on how to protect your company.

In one recent case, an employee received a fake email from the address of the company’s president, who had been hacked.[1] The employee believed the company president was directing him to make a transfer of money. Because the employee had essentially been tricked into causing the loss, in this instance the insurance company was obligated to pay on the claim because the hacking was a form of unauthorized use covered by the insurer.[2]

A restaurant that suffered a data breach under different circumstances, however, was not as lucky. In that case, cyber criminals hacked into a fast food restaurant’s network, then obtained and fraudulently charged the credit cards of several customers.[3]  A credit card company forced to reimburse its customers for the fraudulent charges filed suit against the restaurant for failure to keep the information safe.  The restaurant sought coverage from its insurance company, but its insurer denied coverage, asserting that no coverage existed for third-party claims arising out of the loss of electronic data.[4]  Ultimately, the Court agreed with the insurer, finding that the policy language clearly provided coverage only in the event of property damage.[5] “Property damage” was defined in the policy as “[p]hysical injury to tangible property… or … [l]oss of use of tangible property that is not physically injured.”[6]  The policy went further and stated that electronic data was not considered tangible for the purposes of insurance coverage.[7]  Therefore, the restaurant had no insurance coverage for the loss.[8]

If it seems that your coverage depends on your specific policy terms and the right set of circumstances, you’re right.  In today’s data-driven world, many insurance companies offer policies that cover electronic data claims, but exclusions from coverage and definitions can severely limit coverage. Some questions to consider:

  • What minimum cybersecurity measures must your company implement for the policy to take effect?
  • What types of cyber events trigger coverage and when does coverage commence?
  • What aspects of your company’s technology infrastructure are covered?
  • Against what type of legal actions is your company insured, and how much control will your company have to respond to those actions?
  • Does the perpetrator or motivation of the cyberattack matter?

Please call us to review your policy language and help you decide if the policy offers the protection you need.

[1] See Medidata Sols., Inc., 268 F. Supp. 3d 471, 476 (S.D.N.Y. 2017), aff’d, (2d Cir. 2018).
[2] Id.
[3] See RSVT Holdings, LLC v. Main Street America Assur. Co., 136 A.D.3d 1196 (3d Dep’t 2016).
[4] Id.
[5] Id. at 1198.
[6] Id.
[7] Id.
[8] Id.