Courts are offering conflicting rulings on whether commercial general liability insurance policies cover data breaches, and with cyberattacks growing in scope, companies will need to look at specialized cybersecurity policies to fill in coverage gaps and provide them with more certainty, attorneys say.
In a recent white paper, Swiss Re America Holding Corp. found that a lack of judicial consensus on whether CGL insurance covers data breaches coupled with a move by insurers to inject new exclusions into the standard-form liability policies indicate that companies are mistaken to turn to CGL policies as a tonic for data breach losses.
Unlike CGL policies, specialized cyber policies can cover the nuances of increasingly complex breach responses, such as notification to affected consumers and regulators, public relations management, and credit monitoring services. They can even cover physical losses stemming from nontraditional data breaches that involve unauthorized access to a critical infrastructure system or to one of the many devices connected through the emerging Internet of Things, attorneys say.
“CGL policies can provide coverage for some data breach-related claims, but do they provide coverage for every single aspect of a possible data breach? Probably not,” said Steven H. Weisman, a policyholder-side insurance coverage partner at McCarter & English LLP.