In September 2014, the home-improvement retail chain Home Depot confirmed the theft of customers’ financial information in the United States and Canada.[1] Home Depot joins a growing list of high-profile companies to have had data stolen as the result of cyber-attacks.[2]
The incidence of cyber-attacks is increasing, and the form and scope of cyber risks are expanding.[3] Obvious cyber risks include hardware failure, device theft and online attacks.[4] Less obvious risks include an employer’s vicarious liability for an employee’s inadvertent or purposeful defamation of a competitor on a company’s websites, blogs or social networking sites such as Facebook and Twitter.[5]
The costs associated with a data breach can be staggering, both in terms of business interruption and of potential litigation costs. In the United States, the average cost to an organization of a data breach is estimated at $5.85 million.[6] The costs associated with the well-publicized data breach cases involving companies such as Target, Google and JPMorgan, however, run to the hundreds of millions.[7]
Technology-driven change in the way businesses collect, store, maintain and administer data has created entirely new areas of undefined risk. As business practices continue to be shaped by technological change, insurers, as well as companies of all sizes, need to be proactive in planning for, and protecting against, exposure to tort actions associated with conducting business in the digital age.
Cyber Risk and Cyber Risk Coverage: Will My CGL Policy Provide Coverage For Cyber Losses?
Absent a cyber-risk policy or endorsement, most businesses that suffer a cyber-related loss claim coverage under a CGL policy. Cyber and privacy liability were never contemplated when most commercial liability policies were created.[8] To date, coverage disputes pertaining to cyber claims have largely hinged on the interpretation of Coverage B – Personal Injury and Advertising Liability of CGL policies.[9] In Canada, there is no jurisprudence regarding cyber-risk coverage, and American jurisprudence is divided as to how Coverage B should be interpreted. Accordingly, insurers’ duties under a CGL policy in respect of cyber and privacy claims remain in a state of flux.[10]
Traditional CGL policies may provide limited coverage in respect of cyber incidents[11] under the personal and advertising injury sections,[12] which provide liability coverage for injuries arising from publication of material that slanders or libels a person or organization, or that violates a person’s right to privacy. To date, coverage disputes and litigation have largely arisen out of disagreement as to whether a publication has occurred that violates a right to privacy.[13]
In 2011, networks operated by Sony for the benefit of Sony PlayStation were the subject of online cyber-attacks. As a result of those attacks, a vast quantity of personal information, including financial information, was stolen from Sony online users. Sony faces numerous class action lawsuits on behalf of network users alleging injury as a result of this data breach and of Sony’s failure to notify members of the breach in a timely manner.[14]
Sony’s insurer, Zurich, filed an insurance coverage action seeking a declaration that it had no duty to defend or indemnify Sony with respect to the data breach privacy suits. The Supreme Court of New York considered the issue and construed sub-point (ii) under the personal and advertising injury coverage section of Sony’s CGL policy in favour of the insurer.[15] The Court held that there was no coverage under the CGL policy for the hacking that was the subject of the underlying actions. The Court stated that coverage would be afforded only where the defendants themselves committed and/or perpetrated the act or acts of publishing information. In this case, the acts underlying the action were carried out not by Sony but by a third-party hacker. As such, the act of “hacking” did not constitute oral or written publication that violated a person’s right to privacy within the meaning of the CGL coverage provisions. The decision is currently under appeal.
Types of Cyber Coverage Available
Many insurers have added exclusions for cyber claims to their CGL wording; however, specific cyber risk coverage has emerged and is available.[16] Cyber-specific coverage is perhaps best seen as a bridge that covers specific cyber risks not contemplated by traditional CGL policies. Both first- and third-party coverage is available in respect of cyber risks touching on various areas, including:[17]
- Loss/corruption of data;
- Business interruption;
- Liability (including defence costs arising from claims in respect of breach of privacy, transmission of computer viruses and/or computer attacks and failure to secure network systems);
- D&O Liability; and
- Social Media/Networking
Cyber Risk and Invasion of Privacy: The Tort of “Intrusion Upon Seclusion”
In Canada, Ontario courts have recently recognized ‘the right to bring a civil action for damages for the invasion of personal privacy’.[18] In Jones v Tsige,[19] the plaintiff and defendant were unknown to each other; however, they worked for different branches of the same bank. The defendant had formed a relationship with the plaintiff’s ex-husband. Over a period of approximately four (4) years, the defendant used her workplace computer to access the plaintiff’s personal information on numerous occasions. The plaintiff brought an action for damages for invasion of privacy. The motion judge held that Ontario common law did not recognize the tort of intrusion upon seclusion, and granted the defendant’s application for summary dismissal.
On appeal, the Ontario Court of Appeal accepted that a cause of action based on the tort of intrusion upon seclusion does exist and that ‘it was necessary for the court to fashion a remedy where privacy rights have been violated given the technological changes that have occurred over such a short period of time and in such a pervasive manner’.[20]
The Court of Appeal outlined the essential elements of the tort of intrusion upon seclusion as follows:
- The defendant’s conduct must be intentional, which includes recklessness;
- The defendant must have invaded, without lawful justification, the plaintiff’s private affairs or concerns; and
- A reasonable person would regard the invasion as highly offensive, causing distress, humiliation or anguish.
The Court of Appeal went on to hold that damage awards for intrusion upon seclusion, where pecuniary loss was indeterminable, would be up to $20,000,[21] and that proof of harm to a recognized economic interest is not a requirement of such an award.[22]
Judicial recognition of a cause of action based on the invasion of privacy is significant in that it has the potential to expand the ambit of third-party liability. Statistically, most privacy breaches are unintentional. A 2013 study of cyber liability and data breach insurance claims[23] found that approximately 20% of data breach insurance claims emanated from a lost and/or stolen laptop or device.[24] Thus, it is conceivable that a company could be found vicariously liable for the actions of its employees in respect of claims arising from the improper access of personal and financial information, ranging from carelessly sent emails to the inadvertent disclosure of sensitive workplace information through a cellphone.
In addition, although an award of damages in the range of $20,000 may not appear financially taxing, consider the potential damage award for a claim involving a lost or stolen flash drive containing a spreadsheet with the personal and financial information of one thousand (1000) clients. This seemingly innocuous event has the potential to create liability exposure in the millions of dollars.
Cyber Risk: Director and Officer Liability
Another emerging trend in cyber incident and data breach litigation involves directors’ and officers’ liability. The allegations in these lawsuits concern ‘failures to disclose cybersecurity risks and misstatements concerning the state of a company’s cybersecurity preparedness’.[25]
In Collier v Steinhafel and Kulla v Steinhafel, two shareholder class action lawsuits were commenced against the retail chain Target following its significant data breach. It is alleged that ‘the directors and officers breached their fiduciary duties to the company by “failing to take reasonable steps to maintain its customers’ personal and financial information” and failed to implement a system of internal controls to protect such customer information from a data breach’.[26]
According to securities regulators and commentators in the United States, it is only a matter of time before we begin to see a wave of securities class action lawsuits against corporate entities, as well as against directors and officers.[27] In a recent speech on what boards of directors can and should be doing to oversee cyber risk, United States Securities and Exchange Commissioner Luis A. Aguilar[28] stated:
In addition to the threat of significant business disruptions, substantial response costs, negative publicity, and lasting reputational harm, there is also the threat of litigation and potential liability for failing to implement adequate steps to protect the company from cyber-threats. Perhaps unsurprisingly, there has recently been a series of derivative lawsuits brought against companies and their officers and directors relating to data breaches resulting from cyber-attacks. Thus, boards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril.[29]
In short, ‘the cyber risk landscape is fast-evolving and companies face growing potential liabilities in this area’.[30] It is therefore important for insurers, businesses and their respective boards of directors to understand the nature and source of cyber risks in order to guard properly against exposure.
Although the standard form CGL policy may respond to certain cyber and privacy losses, any grant of coverage for such claims is likely to be few and far between. The likelihood of a cyber-incident affecting your business is increasing exponentially, and the consequences of an incident can be crippling. Businesses should not assume that existing CGL policies will provide protection against cyber and privacy liability exposures. Insurers, businesses and their directors and officers must actively guard against cyber risks.
1. Reuters Online, “Data Breach at Home Depot Leads to Fraud” (September 23, 2014), online: Fortune <http://fortune.com/2014/09/23/data-breach-at-home-depot-leads-to-fraud>
2. Robert P. Hartwig and Claire Wilkinson, Cyber Risks: The Growing Threat (June 27, 2014), online: Insurance Information Institute <http://www.iii.org/white-paper/cyber-risks-the-growing-threat> at 12.
3. Paul Dawson, Cyber Insurance: Who Needs It (And What Do They Need, Anyway) (July 5, 2013), online: Dolden Wallace Folick LLP Insurance Journal <http://dolden.com/content/files/1373303811cyber-insurance-who-needs-it.pdf>
4. Belinda A. Bain, Help, we’ve been hacked! Cyber risk insurance and related legal issues (September 2014), online: Gowling Lafleur Henderson LLP <http://www.gowlings.com/KnowledgeCentre/article.asp?pubID=3697>
5. Bain (n 4).
6. Hartwig and Wilkinson (n 2) at 13.
7. Hartwig and Wilkinson (n 2) at 17.
8. Michal Gnatek and Roberta D. Anderson, Why Buy Cyber and Privacy Liability When You Have a Perfectly Good Commercial General Liability Program?, online: Lockton <http://www.cyberrisknetwork.com/wp-content/uploads/2014/07/why-buy-cyber-lockton-gnatek-anderson-2014-07.pd> at 7.
9. Gnatek and Anderson (n 8) at 4.
10. Commercial General Liability Coverage B, Personal and Advertising Injury Coverage; Lowndes Christopher Quinlan, New York Trial Court Denies Coverage for Cyber Claims Under Commercial General Liability Policies, online: McGuire Woods <http://www.mcguirewoods.com/Client-Resources/Alerts/2014/3/New-York-Trial-Court-Denies-Coverage-for-Cyber-Claims.aspx>
11. Hartwig and Wilkinson (n 2) at 13.
12. Jennifer Biernaskie, “CGL Coverage for Cyber Risks” (Paper delivered at the Canadian Defence Lawyers Insurance Coverage Symposium, February 6, 2014) at 2.
13. Gnatek and Anderson (n 8) at 3.
14. Quinlan (n 10).
15. Hartwig and Wilkinson (n 2) at 13; Zurich American Insurance Company v Sony Corporation of America, case no. 651982/2011 (N.Y. Sup. Ct. February 21, 2014).
16. Quinlan (n 10).
17. Hartwig and Wilkinson (n 2) at 19.
18. McIntosh v Legal Aid Ontario, 2014 ONSC 6136.
19. Jones v Tsige, 2012 ONCA 32.
20. McIntosh v Legal Aid Ontario (n 17) at .
21. Jones v Tsige (n 18) at .
22. Jones v Tsige (n 18) at .
23. Mark Greisiger, Cyber Liability and Data Breach Insurance Claims: A Study of Actual Claims Payouts (2013), online: NetDiligence <http://www.netdiligence.com/files/CyberClaimsStudy-2013.pdf>
24. Greisiger (n 22) at 1.
25. Black, Voutyras and Wolinsky (n 24).
26. John E. Black Jr., Sarah Voutyras and Rebecca Wolinsky, Awake at Night: Cyberbreaches and the New Risk to Directors and Officers (October 2014), online: IRMI Online: Professional, D&O, and Fiduciary Liability <http://www.irmi.com/expert/articles/2014/black10-directors-officers-insurance.aspx>
27. Black, Voutyras and Wolinsky (n 24).
28. Luis A. Aguilar, Securities and Exchange Commissioner, “Boards of Directors, Corporate Governance and Cyber-Risks: Sharpening the Focus” (Speech delivered at the Cyber Risks and the Boardroom Conference, New York Stock Exchange, June 10, 2014), online: <http://www.sec.gov/News/Speech/Detail/Speech/1370542057946#.VLiOFrDwv4g>
29. Aguilar (n 27).
30. Hartwig and Wilkinson (n 2) at 16.