Quimbee logo
DMCA.com Protection Status

General Liability Insurance Coverage for Data Breaches

4.9 out of 5 Excellent(15 reviews)
TA
Presenter(s)
Start your FREE 7-day trial
Preview this course and the rest of Quimbee's CLE library for free with a 7-day free trial membership.
Buy this course - $49
Get access to just this course for $49
Play video

General Liability Insurance Coverage for Data Breaches

This course will provide an overview of the insurance coverage provided by Commercial General Liability (CGL) policies. This overview will include a summary of an insurer’s duties to defend and indemnify its policyholder for losses covered by the policy. The presentation will then provide an in-depth analysis of the 2013 Target data breach and ensuing insurance-coverage decision. Finally, the course will conclude with a discussion of the impact the Target decision will have on other policyholders with CGL policies.

Presenters

Tae Andrews
Senior Managing Associate
PasichLLP

Transcript

- Good afternoon. This is the Quimbee CLE presentation entitled "General Liability Insurance Coverage for Data Breaches." So before we begin, and we're now on slide number two, I'm gonna introduce myself. My name is Tae Andrews. I am a senior managing associate here at Pasich LLP. And in terms of just a little bit of background about me, I have exclusively represented policyholders throughout my career to date in a variety of disputes, many of them under what are called general liability or commercial general liability policies, which is actually something we're gonna talk about in detail during the presentation today, in addition to directors and officers insurance policies, errors and omissions or professional liability insurance policies, and also a variety of other types of insurance policies. So that's my background as an attorney, and that's what we're gonna be discussing today, is a specific type of insurance and how the basic coverage works. And then we're also going to analyze how that coverage applies to data breach losses. And to do that, we're gonna talk about insurance coverage for a data breach that Target suffered back in 2013. So that's a little bit of information about me, and we are now gonna transition to slide number three. All right, so before we can go a little bit further here, I do have to provide a disclaimer, and here's what that disclaimer is. So the views that I express in this program are not those of my employer or any clients or any other organization. And the opinions that I express in this presentation also do not constitute legal advice, nor do they constitute risk management advice. So the views that we're going to discuss during this presentation are for educational purposes only, and they're provided only for use during this session. All right, well, we are now on slide number four. And before we get into the nitty-gritty or the details of the presentation, I thought we would just provide a brief overview. So essentially this presentation's gonna have two main parts with several subparts. But in terms of just sort of framework for the presentation, we're gonna spend roughly the first half talking about coverage, and what I mean by that is we're gonna be focusing today on a very specific type of insurance policy. We're gonna be discussing what is called a commercial general liability policy, or a CGL policy. And what's important about these types of policies to understand is that many, many businesses, many companies have these kinds of insurance policies, and they are also drafted in a standard issue manner. What that means is many of these companies have literally the same policy language or substantially similar policy language. And so coverage decisions regarding the interpretation or the construction, the meaning of what those policies cover, they can have very important and wide-ranging effects for other policyholders. Because again, they have the same policy language or very similar policy language. So what one court rules in terms of what the policy covers will have many far-reaching implications for other policyholders or other insureds. So that's what we're gonna spend the first half of the presentation discussing. And we're gonna get into the detail, sort of the, at a very granular level, like what these policies cover. We're gonna talk about the insuring agreements. We're gonna talk about the various definitions of defined terms in those policies. We're also gonna talk about a few policy exclusions, which are clauses in the policy that remove coverage for certain risks. And we're also gonna talk about two of the main duties that an insurer has, that it is legally obligated to provide to its policyholder. So we're gonna talk about the duty to defend. We're also going to discuss an insurer's duty to indemnify. And again, all of this will take place during the first half or so of this presentation. The second half, what we're gonna talk about is the recent decision in the Target case, which again ties back to a data breach that occurred in 2013. We're going to talk about how CGL policies such as Target's, as an example, can cover losses associated with the data breach. And we're also going to apply the concepts that we talked about in the first half and show how they applied and were at issue in the Target case. So that's sort of, we'll call that like, sort of part two A. In part two B, and this is another key part of the presentation, we're going to discuss the implications of that Target decision for other policyholders. And again, that all ties back to what I was saying earlier, which is that because a lot of these policies have the same, literally identical, or substantially similar policy language, coverage decisions can be very important because they help define or shape the contours of what these policies cover. And in that regard, they have tremendous implications for other policyholders with the same or very similar policy language. So that's just a brief overview of what we're gonna talk about during the presentation. And we are now transitioning to slide number five. All right, so again, the first half or so of this presentation, we're gonna talk about CGL policies. CGL, of course, is an acronym. It stands for commercial general liability. And what they do is they provide what we call third-party liability coverage. So what does that mean? Well, I'm gonna give you a chart I made, sort of like an infographic, in the next slide, but there's essentially two main ways that we can categorize or separate insurance policies. You can think of them as like two buckets of types of insurance policies that exist. So the first would be what's called a first-party insurance policy, and the classic example of this would be a fire insurance policy. So if you took out a fire insurance policy on your home or maybe on a factory for your business and then something happens and it burns down, the insurance company will pay you directly as the policyholder or as the insured for that first-party loss, for the fire damage to your property. That's what we would call a first-party policy. The second type is what's known as third-party liability coverage, and it's called that because there are actually three different entities or parties involved in the relationship at issue. So what that means is you have the policyholder or the insured, you also have the insurer or the insurance company that provides insurance to the policyholder, and then you also have a third party, one or more third parties. And those third parties often file a lawsuit or make a demand or a claim against the policyholder, and then the policyholder will turn around and tender that claim or that lawsuit to its insurer and ask for coverage. So that's just a brief discussion of the difference between first-party insurance policies and third-party insurance policies. All right, and we are now on slide number six. So, as I promised, here's an infographic or a chart that I prepared, and it just briefly illustrates the concept of third-party liability insurance. So if you look at sort of the intersection of the corner of the L, so to speak, when I say the policyholder, I mean the insured. And I'm gonna use that term policyholder primarily because I think that insurer and insured, insured, they look very similar, and they sound very similar. So to avoid confusion, I often like to just refer to the company that purchased the insurance policy as the policyholder. On one side, you have the insurer. The insurer, that is the insurance company, and they agreed to provide CGL insurance to protect the policyholder from lawsuits brought by third parties. And that's what I was talking about earlier when I was referring to third-party liability insurance. That's how it works. And just for a little bit more background on the relationship between the insurer and the policyholder, one way to think about it is the insurer drafts an insurance policy, and then they sell it to the policyholder who buys it. And then all that insurance policy is, is a written contract, and it specifies the legal obligations that the insurer agrees to, to provide or be contractually bound to provide to the policyholder in exchange for the premium, which is the amount of money that the policyholder pays to purchase the insurance policy. So that's the relationship between the insurer and the policyholder. On the other side of the L, and again this is the nature of third-party liability insurance, you have one or more third parties. So what will happen is the third party will suffer some kind of injury or a loss. And that can be a bodily injury claim. That can be property damage. That can be what's called personal and advertising injury, which we'll talk about actually later on in this first half. But that third party will eventually either make a demand or file a lawsuit against the policyholder. The policyholder will then tender that claim to the insurer and request a defense and/or indemnity coverage. All right, so we are now on slide number seven. We're still talking about section one. We're doing our overview of what CGL policies are and what they cover. And one of the main things that you need to know is that CGL policies impose two main duties on the insurer. And one of them is called the duty to defend. The other is called the duty to indemnify. And we're gonna discuss both of them during this presentation. And when we get to the Target decision, we're actually gonna apply them as well. And in that case, we're gonna talk about the second one. We're gonna focus on an insurer's duty to indemnify its policyholder. But both of these duties are very valuable, and they're all specified by the terms of the contract. So that's what I was saying earlier when I was saying that one way to think about this relationship conceptually is just that an insurance policy is just a written contract. So it's a type of private law that two parties agreed to be bound by. And again, the insurance company or the insurer, the insurance company drafts the policy, and they're responsible for meeting the obligations contained within that policy. And then they sell it to the policyholder who agrees to buy it in exchange for a policy premium, which is just a payment that you make to purchase the policy. And after that transaction occurs, the insurer has a duty to both defend and to indemnify its policyholder. All right, so we are now on slide number eight. We're gonna start with the duty to defend. Well, what is the duty to defend? That is a contractual obligation that's specified in an insurance policy, such as a CGL policy, that requires the insurer to hire defense attorneys to defend the policyholder against the underlying lawsuit brought by the third party. So if you think back to our infographic, on the one hand, you have the policyholder. They buy the insurance policy from the insurer. On the other hand, you have a third party, which claims that it has somehow been harmed or damaged by some kinda conduct by the policyholder. The third party will file a suit or make a demand against the policyholder. And when that happens in a third-party liability policy with a duty to defend, the policyholder will tender the claim or provide notice of it to the insurer and then ask for a defense. And then at that point, the duty to defend will kick in, and it will require the insurer to hire defense attorneys to defend the policyholder against that underlying lawsuit. So one other thing that I want you to think about as you view this presentation and as we go through the different coverages is that the duty to defend actually kicks in at the beginning of the underlying claim or lawsuit. And if you think about it, that makes sense, right? Because if you ever had the misfortune of being sued, someone has filed a lawsuit against you, one of the very first, most important things you'll obviously need to do is retain defense counsel to represent you and protect your interests in the defense against that lawsuit or that claim. So the duty to defend kicks in at the beginning of the underlying claim or lawsuit. And we are now in slide number nine. So one other thing I want you to think about and just keep in mind when we talk about the duty to defend is that this is a very useful coverage. The court system in America is, the wheels of justice are not fast, right? They are slow. So one thing that, you know, many attorneys can tell you who are involved in litigation is that lawsuits can drag on for a long time. They can take many years to resolve. And those defense invoices, those bills that are charged by the defense counsel and that the policyholder has to pay, they can add up in a hurry and become very expensive. So the duty to defend is actually a very critical coverage for many policyholders that, they need a legal defense in a time of need after being sued or after receiving a demand letter. And so the insurer's duty to defend is sometimes referred to as, quote, unquote, "litigation coverage." All right, so we're now on slide number 10. Some more things we need to know as we're talking about an insurer's duty to defend, one of the most important ones is that the duty to defend and whether or not the insurer has a duty to defend, that's a question of law for the judge to decide. So over the years, legal doctrine has evolved very broadly and in favor of the policyholder. And insurance law specifically requires that it ensures duty to defend must be construed or interpreted broadly. So, as an aside, whenever I talk about how a policy provision is construed, all that means is how it has been interpreted by the courts reviewing the case and deciding what the policy means and what it covers and doesn't cover. So if I mention construe or if I mention the construction of a policy term, what I'm talking about is how that policy term has been interpreted by courts and the kinda coverage that it has been interpreted to apply to the things that it covers or doesn't cover. So if we return to the duty to defend standard, it's very broad. It's what we call a potentiality standard, and here's what that means. If the insurance policy even potentially covers any of the allegations in the underlying complaint against the policyholder, then the insurer must defend against the entire lawsuit. And there are a lot of good reasons for that. So one of them is that insurance policies are what we call contracts of adhesion, and what that means is the insurance companies draft them by themselves, they come up with the policy language, they create the definitions, and then they offer them to policyholders essentially on a take-it or leave-it basis. So there's not a lot of negotiation being done. There's not a lot of opportunity to revise or amend or perhaps swap in more broad coverage provisions. And so for those reasons, the duty to defend is a very broad standard. And if there's any doubt whatsoever regarding whether an insurer has a duty to defend, it must be interpreted broadly and in coverage of the policyholder. And then again, that's what we call a potentiality standard. So if the policy even potentially covers any of the allegations in the underlying complaint against the policyholder, then the insurer must defend against the entire lawsuit. All right, so we're now on slide number 11. We're still talking about the duty to defend. What does it depend on? Well, here's how a court deciding whether an insurer has a duty to defend makes its decision. So the duty to defend depends on what the third party alleges against the policyholder, so not only its causes of action. And those are typically listed at the end of the complaint, which are again the third-party plaintiff's legal theories about what the policyholder did wrong as a matter of law. That's not what the duty to defend depends on. The duty to defend depends on the allegations made against the policyholder. And so the way that courts will make that decision or that determination is by comparing the four corners of the underlying complaint to the four corners of the policy. And depending on what jurisdiction you're in, some states call this the four corners rule, some states call this the eight corners rule, and what that means is you look at either the four or eight corners of the documents involved. So under the eight corners rule, which makes more sense to me, you would look at the four corners of the insurance policy itself. And then you would look at the four corners of the underlying complaint, which is the lawsuit filed against the policyholder. And then if there's even the potentiality, if there's even a possibility that the policy might cover some of those factual allegations, then the insurer has the duty to defend against the entire lawsuit. All right, we are now on slide number 12. So some other parts of the duty to defend doctrine that you should be aware of. One of 'em is that if there are any ambiguities, so if there is any clause in the policy or any coverage in the insurance policy or in the underlying complaint, if there's anything unclear or ambiguous in there, the judge must interpret them in favor of the policyholder. And so one way to think about this is it's similar to baseball, right? If you lay down a bunt and you're sprinting towards first base and then, you know, the third baseman charges in and whips the ball to the first baseman and it's a tie, in baseball, the tie goes to the runner. And in the same way, a tie in the world of insurance policy interpretation, and all that means is that perhaps there's an instance where both the policyholder and the insurer can both offer a reasonable interpretation of the policy provision. If there's any ambiguity, if there's anything that's unclear in terms of the policy's language or coverage or in the underlying complaint, then the court must interpret those ambiguities in favor of the policyholder. All right, and we are now on slide number 13. So still talking about the duty to defend, a couple more notes here. A judge, when interpreting an insurance policy, including making a duty to defend determination, must resolve any doubt in favor of the policyholder. So that goes back to what I was saying earlier, which is that there's an inherent imbalance in the bargaining and purchase process in which the insurance company unilaterally drafts the insurance policies. They're offered on a take-it or leave-it basis, and the policyholder either buys them or doesn't buy them. There's not a lot of negotiation that occurs. And so because of that, the legal doctrine for the duty to defend has held that a judge or a court making a duty to defend determination must resolve any doubts in favor of the policyholder. And just another part of the duty to defend determination in the second bullet point here and something that's important to keep in mind is whether or not the allegations in the third party's underlying complaint are true is irrelevant. For the duty to defend purpose, that is irrelevant. It doesn't matter whether they're true or not. All right, and we are now on slide number 14. So, yeah, as I was saying, whether or not the underlying allegations made by the third party, whether or not they're true does not matter. And if you think about it, that makes good sense, right? Because in a duty to defend against a lawsuit, nothing has been proven yet, but you certainly need a defense attorney to represent your interest and protect you from that lawsuit. And so for that reason, the duty to defend also covers groundless, false, or fraudulent claims. And to talk about what I mentioned earlier, one of the ways that people think about the duty to defend is that it's litigation coverage, right? And that's the whole point, is that policyholders need protection not only from lawsuits that end up resulting in actual judgment or finding of liability against the policyholder, they also need a legal defense and coverage for lawsuits that merely allege that the policyholder engaged in wrongdoing. So that's why the duty to defend standard, again, is very broad. It's based on potentiality standard. And if there's even a potential that the insurance policy could cover the underlying claims, the insurer has an obligation to fund or defend against the entire lawsuit. All right, so we're still on our first section here. We're still talking about commercial general liability, or CGL, policies, but we're gonna actually transition to a different coverage now. So we had talked about an insurer's duty to defend the policyholder against claims or lawsuits, and now we're gonna talk about an insurer's duty to indemnify the policyholder, which is slightly different. So our first bullet point here, as I mentioned earlier, that's a different legal obligation required of the insurer by the insurance policy. And once again, the insurance policy is just a written contract. They can be quite long, but that's all they are. They're a written contract, and they specify the rights and obligations of each party under the policy. And one of those duties or obligations from the insurer is the duty, again, to indemnify. And what does that mean? Well, to indemnify someone means to hold them harmless, and what that means is the duty to indemnify requires the insurer to pay for any judgment or settlement against the policyholder in the underlying suit. All right, so we are now on slide number 16. We're talking about the duty to indemnify. I had previously said the duty to defend kicks in at the beginning of the underlying lawsuit, right? And that makes sense because if you've been served with the plaintiff's complaint, any self-respecting attorney knows what you need to do first is hire a defense attorney to protect both yourself and your legal interests. And again, that happens at the beginning of the underlying lawsuit. What we're talking about with the duty to indemnify in contrast is that it takes place at the end or the resolution of the underlying lawsuit. So it actually has a different standard in terms of what the insurance company must pay. So earlier, I had said that the duty to defend depends on the factual allegations contained in the underlying complaint. Here we have something slightly different. The duty to indemnify actually depends on, quote, unquote, "the actual facts," meaning the jury's actual findings in the judgment against the policyholder. So key difference between the two duties, duty to defend starts at the beginning of the underlying lawsuit, the duty to indemnify begins at the, it takes place at the end of the underlying lawsuit. And actually, if you're ever trying to just think of other ways to distinguish them, yeah, the duty to defend kicks in at the beginning, duty to indemnify takes place at the end, and the duty to indemnify depends on the actual facts. So what that means is the jury's findings of fact, in the judgment against the policyholder. All right, we are now on slide number 17. We're talking about CGL policies. We've talked about the insurer's twin duties to defend and indemnify its policyholder against lawsuits or claims brought by third parties. We are now gonna talk about some of the very specific coverages that CGL policies provide. So for our first bullet point here, CGL policies generally cover lawsuits brought by third parties against the policyholder alleging, quote, unquote, "bodily injury or property damage." And just as an aside, whenever you see policy language that I put in quotation marks, that means that in the insurance policy it has a definition for it. And that's standard in insurance policies. They either, they'll put a specially defined term in quotation marks, or they might make it bold, or they might make it all capitals. But there's typically a way to identify that term as being a term of art that has a special meaning. And as I was saying earlier, insurance policies, especially CGL policies, are oftentimes standard issue policy forms, and what that means is they're not individually negotiated. It's not like a custom-made policy. They're offered on policy forms. And because they have either literally the same language or very similar language, a result under one insurance policy can provide a lot of context and clues regarding the meaning of a similar or even identical provision in another policy. So I had mentioned that CGL policies cover claims brought by third parties against the policyholder that are alleging bodily injury or property damage. Another coverage that you should be aware of is CGL policies can also cover lawsuits alleging personal and advertising injury. And once again, if you see terms in quotation marks or terms that are bolded, it means that those terms are specially defined in the definition section of the insurance policy. All right, so we are now on slide number 18. All right, so CGL policies, and again, when I said earlier, bodily injury, property damage, personal advertising injury, those are all specially defined terms. So in our case, CGL policies define property damage to mean, quote, unquote, "physical injury to tangible property, including all resulting loss of use of that property." And then the definition of property damage can also include loss of use of tangible property that is not physically injured. And one of the reasons I've excerpted this policy language and we're sort of shining the spotlight on it right now is that this policy language actually was some of the key language at issue in the Target coverage decision. So when we get to that section, we're gonna apply a lot of these concepts and analyze how they actually work and apply to the insurance coverage dispute in that case over losses associated with a data breach in 2013. All right, so we are now on slide number 19. We're discussing CGL policies. One other thing that you need to know is that CGL policies provide coverage that is, quote, unquote, "occurrence based." And what that means is they provide insurance coverage for an occurrence that first takes place during the policy period. All right, so once again, and we are now on slide number 20, an occurrence, that's a specially defined term. You know that because it's in quotation marks. The word occurrence in a CGL policy is typically defined to mean, quote, unquote, "an accident including continuous or repeated exposure to substantially the same general harmful conditions." And I've also included here, on the next slide in particular, you might want to hear this, the CGL forms are based on what we call ISO form language. And again, this is a theme I talked about earlier. But what that means is almost all policies, all CGL policies have either identical or substantially similar policy language. So we are now on slide number 21. For a bit of background on ISO, that stands for the Insurance Services Office, Incorporated. What is that? Well, that's an organization that develops standard policy forms. So as I was saying earlier, these policies are, they are not what we call manuscript, or, you know, custom made. They are offered on a take-it or leave-it basis, and they have essentially the same policy language across different policies. So an insurance coverage decision under one of them can be very important because it can illustrate to other courts the contours or, you know, what that product or insurance product will cover or will not cover. All right, so we are now on slide number 22. We have talked about an insurer's twin duties to defend and duty to indemnify its policyholder. We also talked about the coverage for claims or lawsuits alleging bodily injury or property damage or personal advertising injury. Now what we're gonna talk about briefly are policy exclusions. So, well, what are they? So CGL policies also include certain exclusions that can limit or try to limit coverage for certain risks. All right, and we are now on slide number 23. I've actually provided you here an example of an exclusion. So the one that we're looking at is what's called the electronic data exclusion. In some CGL policies, they actually exclude, and when I say exclude I mean they remove coverage. In this case, they exclude tangible property. Oh, I'm sorry. They exclude electronic data from the definition of covered tangible property that is not physically injured. So once again, in that definition of property damage, that typically includes tangible property that is not physically injured or the loss of use thereof. But this electronic data exclusion specifies that electronic data is actually missing or not covered in the definition of property damage or property that is not physically injured. All right, and so we are now on slide number 24. Again, anything you see in bold in an insurance policy or in all caps or in quotation marks, it means it's specially defined. Here, that definition of electronic data means information, facts, or programs stored as or on, created or used on, or transmitted to or from company software, including systems and application software, hard or floppy disks, CD-ROMs, tapes, drives, cells, data processing devices, or any other media which are used with electronic controlled equipment. All right, so we are now on slide number 25, and we are on the back nine now. So we had started by discussing CGL policies. We did an overview of an insurer's twin duties to defend and to indemnify its policyholder. We talked about some of the basic coverages provided by CGL policies. So we talked about coverage for claims or lawsuits alleging bodily injury or property damage, as well as personal and advertising injury. And now we're going to take those concepts, and we're going to show how they work in action. So we're gonna apply those concepts to the Target case, which was insurance coverage under CGL policies for a very widespread data breach that took place in 2013. So we're gonna use that case and the holding and the analysis as a critical lens or a way of thinking about these CGL insurance concepts that we just discussed and then applying them to a particular loss and resulting coverage lawsuit. So that's what we're gonna do in the second half, and let's do it. All right, so one of the first things we need to do is talk about the nuts and bolts of what happened. So in any insurance dispute, one thing that's very important for policyholders is to drill down on the facts and become acquainted with them and understand as a matter of fact what literally happened. So we're gonna start with that here as well. So back in 2013, Target actually suffered one of the worst data breaches in history at the time. And what's remarkable is that as we continue to progress into the 21st century, increasingly data breaches just seem to be like a feature of American life in that every time you turn on the news, you read about more and more of them. And part of that I do think is because of the nature of payment in the 2020s is that so many things customers buy online, and they buy them using payment cards. And when we talk about payment cards, all that means is things like credit and debit cards. But, yeah, as you may already know, in 2013 hackers actually accessed and then compromised the payment card information of millions of Target customers, so both their credit and debit cards. All right, so we are now on slide number 27. So after the hackers accessed the payment card data of Target's customers, the financial institutions that issue the payment cards, they filed lawsuits against Target, which were later consolidated into a class action. So just to keep the terminology clear, when I talk about, I'm gonna refer to them as the issuers. When I mention the issuers, I mean those are the financial institutions like banks that issued the payment cards to Target's customers. So what did they want? Well, the card issuers, they sought damages for the cost that they incurred in having to cancel and replace the compromised payment cards. All right, so we are now on slide 28. So the card issuers alleged that Target had negligently failed to adequately safeguard or protect its customers' card data. And as I was mentioning earlier, because the card issuers had to cancel and then replace those compromised payment cards, they didn't just eat that loss. They turned around and filed lawsuits that were later consolidated into a class action lawsuit, and they sought damages for those amounts of money that they had to pay out of pocket from Target. All right, so we are now on slide number 29. So what happened? Well, in that underlying lawsuit, and, again, to go back to the infographic or the chart that I prepared at the beginning of section one, if you think back to that, the, you know, diagram illustrating the nature of third-party liability insurance, the third party here were the card issuers, the banks and other financial institutions that issued the cards. In that lawsuit, in the underlying third-party lawsuit, Target eventually settled the class action lawsuit for the small sum of $58 million. All right, so we're now on slide 30. So what did Target do? Well, again, they didn't just eat that cost. Target fortunately had CGL policy coverage. So they sought coverage for that $58 million settlement with the card issuers under its CGL policy and from its insurer. But as you might imagine, the insurer denied coverage, which led to the ensuing coverage dispute and eventual decision. All right, so we're now on slide number 32. So as far as the insurer's reasoning or why it denied coverage, the insurer actually denied coverage for three main reasons, and here they are. First, the insurer argued that there was no occurrence. That was the first ground for denying coverage. Second ground, the insurer also alleged that there was no, quote, unquote, "loss of use of tangible property that was not physically injured." And third, the insurer also argued that the, quote, unquote, "electronic data exclusion applied to bar or remove coverage." So those are the three grounds, no occurrence, no loss of use of tangible property that was not physically injured, and then the insurer finally also argued that the electronic data exclusion applied to bar coverage. All right, so because those are the reasons that the insurer denied coverage, we're gonna tee each one of them up and then use them to analyze and talk about and discuss the different provisions and coverages that we had mentioned earlier that CGL policies provide. So we are now on slide number 33. Looking at and examining that first ground for denying coverage, the insurer argued that there was no, quote, unquote, "occurrence because no accident had taken place." In the insurance company's view, because the issuers had intentionally canceled the payment cards after the data breach, there was no accident, there was no occurrence, and therefore there was no coverage under the policy. All right, so we are now on slide number 34. And just to recap, because we did present a lot of information earlier, as a friendly reminder, CGL policies, they cover claims brought by third parties against the policyholder for, quote, unquote, "property damage," but it must be caused by, quote, unquote, "an occurrence." CGL policies typically define an occurrence to mean an accident. So that is a contractual obligation that insurers will sometimes seize upon when there's a loss. They'll say, "Oh, well, the third party does not allege that an occurrence or an accident caused the loss, and therefore there's no coverage." So this is a common insurer tactic, if you will. As another reminder, and again, while we're just recapping or reviewing some of the CGL coverages and, you know, clauses and definitions that we discussed earlier, CGL policies cover claims brought by third parties against the policyholder for, quote, unquote, "property damage." And as part of that definition, property damage, it includes, and I quote again, "the loss of use of tangible property that was not physically injured." All right, so again, in the coverage dispute, this is now the second ground for denying coverage. The insurer argued that there was, quote, unquote, "no loss of use because the payment cards did not stop working." So in the insurer's view, the customers technically still could have used the cards to make payments. All right, so we are now on, this is slide 37. We had previously talked about what CGL policies cover. We summarized a lot of the important provisions and definitions and one exclusion as well. And we now just ran through the different grounds that the insurer raised for denying coverage, so why they did not agree to pay for the $58 million settlement that Target paid to end the class action lawsuit that was brought by the payment card issuers against Target. Now, using those same three grounds for denying coverage, we're gonna explore and analyze what the court ruled, why the court ruled that way. And then in the process, we're gonna show how many of the CGL policy terms and coverages that we talked about earlier, how they work in action and what they actually do cover. So big picture, the Target decision, the judge rejected the insurance company's arguments and granted summary judgment in favor of Target. So the judge held that the insurer had a duty to indemnify or provide coverage for Target's $58 million settlement with the card issuers. So just as an aside on that, as I had mentioned earlier, an insurer has two duties. They have, oh, they have more than that, but they have two primary duties under a CGL policy. One is the duty to defend. The other is the duty to indemnify. The duty to defend takes place at the beginning of the underlying lawsuit, and the duty to indemnify takes place at the end. So, as I had mentioned, typically you may have a resulting judgment, which means the jury finds, issues of finding of liability against the policyholder. And then there's also a damages award. That's one way an underlying lawsuit can resolve itself. The other, and this is far more common, is that the policyholder may settle an underlying lawsuit, typically an exchange for a payment of an agreed upon sum of money. So in exchange for the third-party claimant or plaintiff agreeing to drop the suit, they'll demand the payment of a certain amount of money. The policyholder will make that payment out of pocket and then seek coverage for it under their insurance policies. So again, we're talking about the duty to indemnify, which is, typically gets involved or is triggered at the conclusion or the end of the underlying lawsuit. All right, so we are now on slide number 38. We're talking about key holdings from the Target decision. The judge rejected the insurer's argument that no, quote, unquote, "occurrence or accident had taken place because the issuers intentionally canceled the payment cards." So one thing, and we're gonna take a moment here and do a brief aside, is that you should be aware this is a common insurer tactic. So oftentimes after a loss occurs, insurers will seize upon an intentional act somewhere in the causal chain and then argue that no occurrence, and again occurrence is defined in CGL policies to mean an accident, no occurrence, no accident has taken place. This is a very common insurer tactic or ground for denying coverage. All right, so we are now on slide number 39. And as I had mentioned previously, insurance companies often try to argue that no occurrence caused the loss at issue. There was no accident in there. Therefore, there's no coverage. How do judges feel about this? Well, judges analyze whether, quote, unquote, "an occurrence has taken place from the perspective of the policyholder, not some third party." So what I think is important to keep in mind here about this is that this only makes common sense, right? The policyholder, they purchase the policy. They literally make an often very substantial payment in the form of the policy premium to buy the policy. So when analyzing whether or not an occurrence or an accident has taken place, it's only fair to analyze that from the perspective of the policyholder. So keep that, this is a very important sort of mini lesson about insurance, which is just to focus and think about if the insurance company is arguing that there's no occurrence, that has to be analyzed from the perspective of the policyholder and not a third party. All right, so we are now on slide number 40. So again, what is that? What happened in the Target case? Well, here or there, the policyholder was Target and not the card issuers. So from Target's perspective as the policyholder, as the insured, the data breach absolutely was an occurrence or an accident because there was no evidence that Target, and again Target as the policyholder, there was no evidence that Target had somehow expected or intended for the data breach to occur. So the court reaffirmed what we talked about previously, which is that when analyzing whether an occurrence or an accident has taken place, you have to examine it from the perspective of the policyholder and not some third party, such as, in this case, the card issuers. All right, so that was the insurer's first reason or the first ground for denying coverage. Now we're gonna look at and analyze the second argument. So just to recap, the insurer had argued that in addition to claiming that no occurrence or no accident had taken place, the insurer also tried to deny coverage by arguing that no, quote, unquote, "loss of use had occurred." And the rationale offered by the insurer was that because the customers technically still could have used the compromised payment cards to make payments, there was no, quote, unquote, "loss of use." And what's important to keep in mind here is that the court once again rejected this argument as well. And so the court said no, that that defined term, that loss of use, loss of use can also occur when insured property can no longer be safely used for its intended purpose. All right, we're now on slide number 42. So again, for the insurer's second ground for denying coverage, the court ruled that the customers lost their use of the payment cards because they could not safely and securely make payments with them without exposing their accounts to fraudulent charges. And so if you, if we just put on our common sense hat again and think about this just as a normal person would, right, that makes total common sense, and here's why. No rational customer of Target or any other company, no one in his or her right mind would continue using compromised payment cards to make payments. And that's just common sense, right? Doing so would expose you to fraudulent charges and put your bank account and other financial information at risk. So the holding very much aligns with common sense and also what in the insurance world is sometimes referred to as the reasonable expectations of the policyholder. All right, so we are now on slide number 43. We're discussing the key holdings from the Target case, the Target decision. As far as the insurer's third argument, the judge also rejected that argument, which was that the electronic data exclusion should apply. So in terms of coverage, both Target and the insurer agreed that the payment cards were, quote, unquote, "tangible property that was not physically injured." So in agreeing on that, they both agreed that that comes within the policy's coverage for, quote, unquote, "property damage." All right, so we are now on slide number 44. Here's the wrinkle. The insurer tried to argue that what Target was really seeking coverage for was missing electronic data from the payment cards, which would have been excluded in the insurer's view by the exclusion in the definition of property damage or, in other words, the electronic data exclusion. But in terms of the holding, the judge once again rejected this argument and said, "No, the customers lost the use of the payment cards. They didn't lose the use of electronic data on the payment cards." So that exception, that exclusion to the definition of property damage did not apply. All right, so we are now on slide number 45. And now what we're gonna do is, so just to recap what we did in the first part of this presentation again, we talked about CGL policies. We talked about an insurer's twin duties to defend the policyholder, which takes place at the beginning of the lawsuit. We talked about an insurer's duty to indemnify its policyholder, which typically takes place at the conclusion or the end of the underlying lawsuit and which takes place after there has been a judgment against the policyholder or there's a settlement, which is what happened in this case because Target settled the claim brought by the card issuers for $58 million. And now what we're gonna do is tie it all together. And what I mean by that is, again, at the beginning of the presentation, we discussed how CGL policies provide standard issue coverage, right? And that means that many policies have either literally the same or substantially similar policy terms and clauses and coverage agreements and provisions and definitions and exclusions. And so rulings about what these policies cover and the meaning of the coverage, the interpretation of that coverage, they can have tremendous impacts for other policyholders because many other policies, policies and other policyholders literally have the same language or very similar language. So the first lesson that you should keep in mind for other policyholders is to keep your eyes on the ball. What do I mean by that? Well, when a loss occurs, insurers will often seize upon a fact or try to point to an intentional act somewhere in the causal chain. And then they'll argue that no covered occurrence, which again is a specially defined term that means an accident under the policy, they'll argue that there was no covered occurrence. There was no accident here. Because along the way, there was some intentional act committed or done by some party. And what I would encourage you to do is not to fall for it. And the reason for that is what we discussed earlier, which is that analysis, that determination of whether an occurrence or an accident has taken place, that is analyzed from the perspective of the policyholder. So it doesn't matter whether another third party, if the card issuers in this case or some other third party, it doesn't matter whether those third parties acted intentionally or perhaps expecting a certain outcome. Because we don't analyze whether an occurrence has taken place from the perspective of a third party. We analyze whether an occurrence has taken place from the perspective of the policyholder because the policyholder purchased the policy. So keep your eyes on the ball. That's one of the first lessons that I would encourage you to take away from the Target case. So we are now on slide number 46. And, yeah, just to recap what we talked about earlier, again, keep your eyes on the ball. Whether some third party has engaged in an intentional act is irrelevant. All that matters is whether the policyholder has engaged in an intentional act. So if the policyholder did not expect or did not intend for the loss to happen, then there absolutely is a covered occurrence or a covered accident which has taken place. The end. All right, so we are now on slide number 47. All right, so for our second key takeaway here, what I would impress upon you is that a loss of use can also occur when insured property can no longer be safely used for its intended purpose. So, as a reminder, as a brief recap of some of the concepts we talked about earlier, CGL policies cover claims and lawsuits brought by third parties alleging, quote, unquote "property damage." The definition of property damage often includes, quote, unquote, "loss of use of tangible property that is not physically damaged." All right, and so we are now on slide number 48. And this may be the most important takeaway of the entire presentation. So if you gather nothing else from the CLE, I would focus on this one, and this is why I've started in the presentation. So CGL policies, they can cover losses associated with a data breach, and here's what I mean by that. So earlier I had mentioned that because of the occurrence requirement, the requirement in the policy that the loss must result from an occurrence or an accident, and insurers often try to seize upon a loss somewhere in the causal chain, and then say, "Ah, look, someone acted intentionally, so there was no accident here." And there's no occurrence, and there's therefore no coverage. That's a very common insurer tactic. It's a way of getting out of coverage. Another one that we're gonna talk about in this section is as follows. So when a loss occurs and when a policyholder files a claim, the insurer will often argue that this policy, its policy, is not somehow the right policy or the correct policy that should provide coverage. And so what they'll say is, "Oh, you know, too bad, so sad, some other policy should apply and cover this loss instead." All right, and we are now on slide number 49. So as I said earlier, when I was mentioning the importance of keeping your eyes on the ball and, you know, if your insurer tries to tell you that there was no occurrence, that there was no accident because someone else behaved intentionally, keep your eyes on the ball. Don't fall for it. Same thing here, this is a very common insurer tactic to pass the buck and avoid paying for losses. So when a policyholder submits a claim, the insurance company will often try to point the finger at someone else and say, "Oh, this isn't the right kind of policy. You should have tendered this claim and notice of this lawsuit to your cyber policy insurer," something like that. And what I would impress upon you to think about or consider is that when you get a coverage opinion from your insurer, consider the source. Insurers often literally have millions, millions of reasons or millions of dollars not to pay for claims. Because if they do, they're on the hook for all of those defense invoices that we mentioned earlier. They may also be on the hook for a very large settlement, such as the $58 million Target settlement that Target paid to settle the lawsuit brought by the payment card issuers. So insurance companies will often come up with many, many creative ways to try and avoid their coverage obligations. So when you get a coverage opinion from your insurer, consider the source. They often have a very sizable, a very considerable financial reason not to pay for your claim. So if your insurance company tells you that this is the wrong kind of policy, think about that, and ask yourself why they may be telling you that. All right, so we are now on slide number 50. So again, the key, the most important takeaway from this whole presentation, CGL policies can and often do cover data breach losses. And what I mean by that is there are no magic words. So insurance companies will often try to pass the buck. They'll often point the finger at someone else and say, "Oh, well, your cyber policy should cover this, not your CGL policy." And what I would impress upon you is that there aren't no magic words. There are no requirements that only certain kinds of policies can cover certain kinds of losses. That is not true, and all that matters is the plain meaning of the language in the insurance policy. So if the policy language covers the loss, the insurer will have a duty to indemnify or provide coverage for a resulting settlement or judgment from the third party lawsuit brought against the policyholder. All right, so we are now on slide 51. Just as a matter of an observation about a legal trend in the field, another thing I would have you be aware of is that the Target decision has joined a growing list of decisions that are finding coverage, insurance coverage for data breach losses under CGL policies. So I've included the citation here. Another landmark case, another big case in this area, in this space is the Landry's decision from the Fifth Circuit in last year, in 2021. So in this case, we talked about CGL or Target's insurer's duty to indemnify Target for the $58 million settlement that it paid to resolve the card payment, the payment card issuers is class action lawsuit brought against them, right, for coverage for the 2013 data breach losses. That was discussing the duty to indemnify. The Landry's case actually found that the insurer had a duty to defend the policyholder against claims brought by card issuers resulting from a data breach. So again, as we talked about earlier in the presentation, the duty to defend typically kicks in at the beginning of the lawsuit and is also judged by a different standard, right? It's based on the potentiality standard. And if there's any possibility or potential that the policy could cover claims brought by the third-party plaintiff based on the facts alleged in that underlying complaint, then the insurer will have a duty to defend. And that's exactly what happened in the Landry's case as well. All right, so this brings us to slide number 52. This is the conclusion of our presentation. I've included here my contact information. Thank you very much for joining the presentation. And if you have any questions or would like to get in touch with me, like I said, I've listed my information here. And thanks again for joining, and have a nice day.
Start your FREE 7-day trial
Preview this course and the rest of Quimbee's CLE library for free with a 7-day free trial membership.
Buy this course - $49
Get access to just this course for $49

Course materials

Supplemental MaterialsHandout

Practice areas


Course details

On demand
1h 11s

Credit information