The risk is not limited, however, to large companies or the government. Almost every business relies on electronically-stored information in one way or another. But if your company experienced a data breach and was sued, your insurance would cover it, wouldn't it?
The short answer is "maybe, but maybe not." Commercial General Liability ("CGL") policies provide the most common liability coverage for businesses. Most CGL policies are written on forms drafted by the Insurance Services Office ("ISO"), an organization that prepares insurance policy forms for the insurance industry.
The CGL policy used to be called "comprehensive general liability" coverage, but that nomenclature changed in the 1980s. Today, CGL policies are neither that comprehensive nor that general. I have written about the ever-shrinking CGL policy on prior occasions.
In the realm of data breach risks, policyholders have had some luck--but hardly universal luck--in finding coverage under CGL policies. For example, some insureds have been able to recover under "Coverage B" for "personal and advertising injury," which is often defined to include the "offense" of “oral or written publication, in any manner, of material that violates a person’s right of privacy.” The results, however, have been far from uniform. The insurance companies tend to fight these claims hard, and sometimes they win.
More importantly, since 2001, ISO has repeatedly either modified the CGL coverage form or prepared endorsements for CGL policies designed to restrict or eliminate claims for data breaches. An endorsement is simply an amendment to a policy that can either expand or restrict coverage. When a policy contains such restrictive provisions, it becomes even harder to recover.
Unfortunately, my experience is that many businesses have no idea what their policies contain. They do not know, for example, whether their CGL policy, which they may have been faithfully renewing for many years, has been changed to limit coverage for cyber-related risks.
The news is not all bad. If an insured knows about the restrictions, it may be possible for a savvy agent or broker to eliminate restrictive endorsements. Many carriers now also offer stand-alone cyber coverage. ISO has also now promulgated forms for add-on cyber coverage.
This is still, however, an evolving area of insurance. The new policy forms differ greatly. It is difficult to compare offerings. There has also not been much experience with how carriers will, as a practical matter, handle claims. There are indications, however, that some carriers will take aggressive coverage positions even for these specially-designed products.
For now, policyholders will want to assess their risks, and review their coverage. They may want to consider discussing additional coverage options with a broker, and, if necessary, a coverage attorney.