Insurance Coverage for Data Breach Claims

by Bruce A. Friedman, Esq.

Recent examples of data breaches resulting in invasion of privacy lawsuits abound.  Target and other retailers, financial services companies and other businesses have had their internal data systems breached and consumers’ private financial information stolen.  There are insurance policies designed for such risks, but they are a relatively recent development.  Yet, according to a recent article in the Boston Globe, only one-third of American businesses have purchased these new data breach policies.  So what do the other two-thirds of the business community do when confronted with a data breach lawsuit?

In mediating both data breach disputes and insurance coverage cases arising out of similar claims, I have had to review and consider whether any insurance coverage applies to protect a business under these new circumstances.  The most common policies held by businesses include comprehensive general liability (CGL) policies, directors and officers liability (D&O) policies and crime coverage, often included in fidelity policies.

CGL policies are the bedrock of commercial insurance and cover property damage and bodily injury claims.  They also include coverage for various offenses, including invasion of privacy.  Depending on the wording of the invasion of privacy offense, and absent an exclusion for Telephone Communications Privacy Act (TCPA) claims and the likelihood that new policies will reflect an exclusion for claims arising out of data breach (insurers generally exclude claims covered under policies that are written for specific risks), a CGL policy should cover invasion of privacy claims arising out of data breach.  There are policies, for example, that provide coverage for “making known to any person or organization written or spoken material that violates an individual’s right of privacy.”  This language would appear to provide coverage for data breaches, but according to the California Court of Appeal, it does not provide coverage for claims under the TCPA.  In ACS Systems, Inc. v. St. Paul Fire and Marine Ins. Co., the court found that the foregoing language violates the secrecy right of privacy, but not the seclusion right of privacy.  Since most data breaches violate the secrecy right of privacy, coverage should be afforded under this language for invasion of privacy claims arising out of data breaches, as those claims are based on the failure to maintain private personal information about the claimant.  Violation of the seclusion prong of privacy, being free from unwanted intrusion, is not covered, according to the Court of Appeal, under language that requires that private information be made known to others.

For the rest of "Insurance Coverage for Data Breach Claims,” please read the full article from Law.com by clicking here.