If you’re a Rolling Stones fan, you may remember the (underrated) 1974 song, “Fingerprint File.” (You can hear it by clicking here…“Listenin’ to me/On your satellite.”) Who knew that, four decades ago, Mick and Keith could be so prescient about cybersnooping and leaks of sensitive data? Edward Snowden, Bradley Manning, NSA, Nigerian scammers…even British schoolboys are now getting in on the “data breach” act! The annualized cost of cybercrime incurred by a benchmark sample of US organizations was $11.56 million over the past year, representing a 78% increase since the initial study was conducted four years ago. The time it takes to resolve a cyberattack has increased by nearly 130% during the same time period, with the average cost incurred to resolve a single attack totaling more than $1 million. The average time spent to resolve a cyberattack was 32 days.
All of this disturbing information raises the question: Why aren’t more companies buying insurance coverage specifically designed to deal with cybercrime? Part of the issue, at least with respect to smaller and middle-market companies, may be that the coverage is relatively cheap, meaning that retail brokers don’t have a terrific incentive to market it. So, with respect to companies with between $10 million and $25 million in annual revenue, only 6.9% have purchased cybercoverage, based on figures compiled by Advisen. Even big companies that generate more than $5 billion in revenue, however, have a relatively low participation rate in the cybercoverage market: 21.9%. With SEC Guidance now requiring publicly traded companies to disclose the insurance that they maintain to deal with cyberattacks, I’d imagine that the percentage of large companies buying such insurance will markedly increase, though.
In the interim, companies faced with cyberliability sometimes seek to enforce coverage under other policy forms. I previously wrote about one such case here. A couple of weeks ago, a federal court in California issued a significant ruling finding coverage for a data breach under a commercial general liability policy.
The facts of the case, Hartford Casualty Insurance Company v. Corcino & Associates, will leave you wondering, “Did this stuff really happen?” Or, as my teenage daughter might type in a text: “SMH.”
Corcino is a business consultant to the health industry. Stanford Hospital apparently engaged Corcino to provide consulting services, and, as part of the engagement, gave Corcino access to private and sensitive medical information (including psychiatric information) for almost 20,000 patients of Stanford’s Emergency Department. Corcino then inadvisably gave the information to an employment applicant, and asked him to perform certain tests with the data as part of a “test for employment suitability.” I’m guessing that the applicant failed the suitability test (at least in retrospect), because he promptly posted all of the confidential information on a public website called “Student of Fortune,” which is an online tutorial marketplace for students who need help with their homework. The sensitive data remained there for a year, before one of Stanford’s patients found it and became justifiably upset. This being America, class action litigation followed.
Hartford had sold a commercial general liability policy to Corcino containing the standard coverage for “personal and advertising injury” (otherwise known as “Coverage B”). The policy obligated Hartford to pay amounts that Corcino became “legally obligated to pay as damages because of… Electronic publication of material that violates a person’s right of privacy.” The policy, however, excluded coverage for personal and advertising injury “arising out of the violation of a person’s right to privacy created by any state or federal act.” An exception to the exclusion stated: “However, this exclusion does not apply to liability for damages that the insured would have in absence of such state or federal act.”
Hartford filed a lawsuit for declaratory relief that there was no coverage for the claim, on the ground that the unhappy patients had premised their lawsuit on statutes such as California’s Confidentiality of Medical Information Act.
It’s difficult to understand Hartford’s position, which seems to read the exception to the exclusion out of the policy. (Coverage lawyers with experience in the construction defect world may be familiar with the concept of reading exceptions out of exclusions, since insurance companies and some courts are fond of reading the “subcontractor exception” to the “your work” exclusion out of general liability policies.)
Unwarranted invasion of privacy is a tort irrespective of statutory law, and the Court here so held, writing: “Since at least 1931, California has recognized both a constitutional privacy right and a common-law tort cause of action for violations of the right to privacy… Although courts have expressly recognized a constitutional right of privacy with respect to medical records since at least 1979, medical records have been considered private and confidential for well over 100 years at common law.” Hence, Corcino would have faced liability irrespective of any statutory law, and the exception to the exclusion allowed for coverage.
Hartford also argued that it only sought a ruling that no duty to indemnify existed for statutory penalties. The Court rejected that argument, holding that the statutes created “effective remedies for breaches of an individual’s right to medical privacy” (emphasis added), meaning that the statutes allowed injured persons “to recover damages for breach of an established privacy right.” The Court opined that “if Hartford had intended to include a specific distinction in its exclusion, it could have done so when drafting its Policy.”
If Hartford appeals this ruling, I’m guessing that the damages issue will be the focus of the appeal: namely, that the patients were claiming damages established by statutory law (not common law), which (Hartford will argue) should not be covered because of the “statutory cause of action” exclusion. I think that’s a distinction without a difference. As the New Jersey Supreme Court has held in an analogous context, “to allow the insurance company to construct a formal fortress of the third party’s pleadings and to retreat behind its walls, thereby successfully ignoring true but unpleaded facts within its knowledge that require it, under the insurance policy, to conduct the putative insured’s defense would not be fair.” SL Industries, Inc. v. American Motorists Insurance Co., 128 N.J. 188, 199 (1992). So, we’ll see.
You can read the full Hartford v. Corcino decision by clicking here.