At the end of this month (January 26, to be exact), assuming that the Mayans remain incorrect, I’ll be doing a presentation to the New Jersey Institute for Continuing Legal Education on the topic of insurance coverage for cyberthreats.  Of course, I probably should be disqualified from making any comments whatsoever about trends in computer-related coverage, since I was a charter subscriber to the Mealey’s Y2K Litigation Reporter, the litigation world’s version of the Ford Edsel.

In any event, Willie Sutton is supposed to have remarked that he robbed banks because “that’s where the money is.”  (He denied making such a comment, but I’m not going to let the facts get in the way of a good story.)  Nowadays, the money is accessible without dynamite, drills or guns, to a new breed of criminal – so much so that the SEC now recommends that companies disclose the extent of their cybersecurity risks, including the availability of “relevant insurance coverage.”  (You can read the SEC guidance here.)  Liability associated with network security breaches is extreme.  According to one study of 137 events that took place between 2009 and 2011, the average total cost per incident was $3.7 million (including remedial costs and legal fees).     

I’ve previously blogged about Retail Ventures, Inc. v. National Union, 691 F.3d 821 (6th Cir. 2012), in which a chain of shoe stores had its wireless network hacked, and the Court found coverage under a computer fraud rider to a blanket (first-party) crime policy.  You can read that post here.

I’d now like to review briefly an interesting cyberliability case involving third-party coverage, Eyeblaster, Inc. v. Federal Ins. Co., 613 F.3d 797 (8th Cir. 2010).  (You can read the full Eyeblaster decision here.)  Facts: Eyeblaster is a marketing company that helps run advertising campaigns on the internet.  A computer user (Sefton) sued Eyeblaster, alleging that Eyeblaster injured his computer, software, and data after he visited an Eyeblaster website, through, among other things, the unauthorized installation of cookies on Sefton’s computer. Sefton contended that, after Eyeblaster did its thing, his computer slowed to a crawl and he had difficulty remediating the problem.

With respect to Eyeblaster’s general liability coverage, the issue was whether there had been damage to “tangible property,” so as to trigger property damage coverage.  The Court said yes,  writing as follows:  “Federal did not include a definition of ‘tangible property’ in its General Liability policy, except to exclude ‘software, data or other information that is in electronic form.’ The plain meaning of tangible property includes computers, and the Sefton complaint alleges repeatedly the ‘loss of use’ of his computer. We conclude that the allegations are within the scope of the General Liability policy.”

What we see here is that, at least under general liability policies, hardware tends to be viewed as more “tangible” than software, so that if there are allegations of any harm to hardware, there’s more likely to be coverage.

Along these lines, for those of you who may be dealing with cyberliability issues under standard liability policies, keep in mind that there are ISO exclusions that may apply.  The 2001 version of the exclusion reads: “For purposes of this insurance, electronic data is not tangible property.”  The 2004 version of the exclusion excludes ”[d]amages arising out of the loss of, loss of use of, damage to, corruption of, inability to access or inability to manipulate electronic data.”  Even if the 2004 exclusion had been in play in Eyeblaster, however, the Court likely would have found coverage.  The Eyeblaster Court focused on the idea that the hardware itself did not work, as opposed to electronic data (which may be an intangible concept) being corrupted.

As to the E&O coverage, Federal argued that there was no coverage for intentional acts, even if they result in unintentional damage.   The Court disagreed with that argument as well, writing:  “Sefton alleges that Eyeblaster installed tracking cookies, Flash technology, and JavaScript on his computer, all of which are intentional acts. However, Federal can point to no evidence that doing so is intentionally wrongful. As Eyeblaster points out in an affidavit filed with the district court, Federal’s parent company utilizes JavaScript, Flash technology, and cookies on its own website. Federal cannot label such conduct as intentionally wrongful merely because it is included in the Sefton complaint; Federal has a duty to show that the use of such technology is outside its policy’s coverage.”  (I always admire good lawyering; going to Chubb’s website and finding similar applications there was a nice touch.)

There are, of course, new insurance products coming onto the market specifically to deal with cyberliability issues, such as Marsh’s “Cloud Protect,” which is designed to protect small and midsized businesses against losses stemming from a cloud service provider’s failure.  When reviewing any of the new policies, pay specific attention to the definition of the terms “computer system” or “computer network,” to make sure that what you want to have covered, is in fact covered.