No business is immune to data breach. Digital data in particular can be lost in innumerable ways, causing serious business interruptions and consumer injuries. After falling victim to a hack, virus, or cyber theft, companies often search for coverage under their commercial general liability (“CGL”) policy, but a new endorsement by Insurance Services Office, Inc. means that such searches will likely be in vain. Effective May 1, 2014, cyber liability is excluded from the CGL form. Businesses seeking protection from data loss will need cyber liability policies specific to malicious and accidental data breaches.
Insurance Services Office’s new endorsement revises Coverage A, removing coverage for bodily injury and property damage regarding “access or disclosure of confidential or personal information, and data-related liability.” An identical exclusion modifies Coverage B, removing cyber liability coverage for personal and advertising injury claims. These new exclusions may not mention the word “cyber,” but they encompass breaches resulting from all manner of cyber accident or crime.
The endorsement bars coverage for injury or damage arising from: any access to or disclosure of customer lists; credit card, health and financial information; and other types of non-public information that may include confidential business or personal information such as patents, trade secrets, and processing methods. Data-related losses include any loss of, loss of use of, damage to, corruption of, and inability to access or manipulate electronic data. “Electronic data” is defined as “information, facts or programs stored as or on, created or used on, or transmitted to or from computer software, including systems and applications software, hard or floppy disks, CD-ROMs, tapes, drives, cells, data processing devices or any other media,” which covers most systems that businesses rely on to perform daily operations.
The endorsement also bars bodily injury claims from damages regarding access to or disclosure of confidential or personal information. It excludes coverage for the data breach, as well as responding and remediating costs. Coverage is precluded for notification costs, credit monitoring expenses, forensic expenses, public relations expenses, or any other loss, cost or expense incurred.
The costs associated with data loss and theft can be extraordinary—from protecting customers to rebuilding computer systems to defending the company’s public reputation. As CGL policies expire and are replaced, businesses must carefully consider how to manage their financial exposure to newly excluded data losses, including those carried by third-party vendors. No longer can businesses rely on their CGL policies for cyber coverage, so they must consider seeking protection elsewhere.