Data Breach Liability Exclusion – It’s Not Your Father’s CGL

No business is immune to data breach. Digital data in particular can be lost in innumerable ways, causing serious business interruptions and consumer injuries. After falling victim to a hack, virus, or cyber theft, companies often search for coverage under their commercial general liability (“CGL”) policy, but a new endorsement by Insurance Services Office, Inc. means that such searches will likely be in vain. Effective May 1, 2014, cyber liability is excluded from the CGL form. Businesses seeking protection from data loss will need cyber liability policies specific to malicious and accidental data breaches.

Insurance Services Office’s new endorsement revises Coverage A, removing coverage for bodily injury and property damage regarding “access or disclosure of confidential or personal information, and data-related liability.” An identical exclusion modifies Coverage B, removing cyber liability coverage for personal and advertising injury claims. These new exclusions may not mention the word “cyber,” but they encompass breaches resulting from all manner of cyber accident or crime.

The endorsement bars coverage for injury or damage arising from: any access to or disclosure of customer lists; credit card, health and financial information; and other types of non-public information that may include confidential business or personal information such as patents, trade secrets, and processing methods. Data-related losses include any loss of, loss of use of, damage to, corruption of, and inability to access or manipulate electronic data. “Electronic data” is defined as “information, facts or programs stored as or on, created or used on, or transmitted to or from computer software, including systems and applications software, hard or floppy disks, CD-ROMs, tapes, drives, cells, data processing devices or any other media,” which covers most systems that businesses rely on to perform daily operations.

The endorsement also bars bodily injury claims from damages regarding access to or disclosure of confidential or personal information. It excludes coverage for the data breach, as well as the costs of responding to and remediating it. Coverage is precluded for notification costs, credit monitoring expenses, forensic expenses, public relations expenses, or any other loss, cost or expense incurred.

The costs associated with data loss and theft can be extraordinary—from protecting customers to rebuilding computer systems to defending the company’s public reputation. As CGL policies expire and are replaced, businesses must carefully consider how to manage their financial exposure to newly excluded data losses, including those carried by third-party vendors. No longer can businesses rely on their CGL policies for cyber coverage, so they must consider seeking protection elsewhere.

About The Author

Kenneth Hong joined Cozen O'Connor in 2013 as an associate in the Global Insurance Department. Kenneth graduated from the University of Washington School of Law and from Emory University with an economics degree.

About Cyber Law Monitor
In the new digital world, individuals and businesses are almost entirely dependent on computer technology and electronic communications to function on a daily basis. Although the power of modern technology is a source of opportunity and inspiration, it also poses huge challenges, from protecting privacy and securing proprietary data to adhering to fast-changing statutory and regulatory requirements. The Cyber Law Monitor blog covers privacy, data security, technology, and cyber space. It tracks major legal and policy developments and provides analysis of current events.