By Kendall Bodden1

© 2005 Kendall Bodden

Abstract

Will general business insurance cover liability for electronic data loss? A recent change to Commercial General Liability language specifies that data is not “tangible property” for CGL coverage. However, many companies may still be covered by older policies that do not contain this express exclusion. Case law interpreting the older policy language tends to deny coverage for the lost data itself, but successful claims have been made based on the loss of use of hardware caused by a data loss.

Table of Contents

Introduction
Definitions
Prior Ambiguity Regarding Data as “Tangible Property”
Data Intangible
Data Tangible
Exclusions Effect Coverage
Hardware Damage or Loss of Use Can Trigger Coverage
Pertinent Change in the 2001 ISO Commercial General Liability Form
Consequences of New Policy Language
Conclusion
Practice Pointers

Introduction

<1> An information services company is hired to upgrade their customer’s IT systems but valuable customer data is lost in the process. A customer’s computer crashes horribly when she installs the software vendor’s latest product. A data processing company loses its customer’s data before it can be manipulated. In all of these scenarios, the customer is harmed and will attempt to impose liability for the data loss on the business. At this point, the business will look to its liability insurance for protection.

<2> However, businesses that are expecting coverage under their Commercial General Liability (“CGL”) policy may be in for a rude surprise. In October 2001, the Insurance Services Office, Inc., (“ISO”) changed the language of the standard form CGL to expressly exclude electronic data from “tangible” property damage coverage. Older insurance policies, without this express definition, have been interpreted in a variety of ways: many courts have held that data is not “tangible,” so loss of data is not “property damage”; other courts have found loss of data to constitute “property damage”; still other courts have granted or denied coverage based on other policy terms or exclusions. While the new policy language expressly excludes data, many businesses are still insured under the old language. This article will explore the ambiguity found in the prior policy language, map out the change in the ISO language that affects liability coverage for lost data, and provide practice pointers for practitioners facing this issue.2

Definitions

<3> Business insurance generally takes one of two forms: first party or third party. “First party” insurance covers the insured’s own actual losses and expenses. Typical first party policies include property insurance, fidelity insurance, and business interruption insurance. “Third party” insurance protects the insured from actual or potential liability to someone else, such as a customer. 3 CGL is a common third party coverage. While many scenarios exist for first party coverage for the loss of electronic data, this article will focus on third party coverage for liability resulting from damage to another’s electronic data. Due to the novelty of electronic data as a subject of insurance, cases on both first and third party coverage will be used to illustrate key concepts.

<4> Under third party policies, the insurer has separate duties to defend the insured and indemnify the insured for liability imposed.4 The insurer’s duty to defend the insured is broader than the duty to indemnify. The duty to defend is triggered by the third party’s allegations, whereas the insurers’ duty to indemnify the insured will be based on the established facts and the terms of the policy.5

<5> With CGL third party coverage, a qualifying loss typically must happen as the result of an “occurrence” and involve “property damage.” An “occurrence” is usually defined as an accident, including continuous or repeated exposure to substantially the same general harmful conditions.6 “Property damage” is typically defined as 1) “physical injury to or destruction of tangible property, including loss of use resulting therefrom” and 2) “loss of use of tangible property which has not been injured7 (emphasis added). The uncertainty of whether electronic data was considered tangible property under this language has led to litigation.

Prior Ambiguity Regarding Data as “Tangible Property”

<6> In general, courts interpreting the prior policy language have held that data is not tangible and therefore denied coverage for claims of damaged or lost data. However, a minority of courts have granted coverage. The loss of use of hardware, due to damaged or lost data, was usually an element of the claim when coverage was granted. Some courts have used policy terms and exclusions to avoid deciding data tangibility. On occasion, policy exclusions have been used to deny coverage even though data was found to be tangible.

Data Intangible

<7> In a recent leading case, the Fourth Circuit held, in America Online, Inc., v. St. Paul Mercury Ins. Co., (AOL, Inc.),8 that injuries to computer data, software, and systems were not damage to tangible property, and thus were not covered by America Online’s CGL. This dispute arose over CGL coverage for a class action lawsuit alleging that AOL 5.0 caused consumers’ computers to malfunction, crash, or freeze. The court distinguished tangible computer hardware from intangible computer software and data. The court analogized hardware to a tangible pad lock and data to the intangible combination. The lock is unusable without the combination, but the lock is not physically damaged. Thus, the court held that a computer with damaged data is not usable by the end-user, but it is not physically damaged for purposes of CGL coverage.

<8> When AOL argued at trial that the consumers’ loss of use of their computers constituted covered property damage, the District Court agreed with AOL that consumers’ loss of use of hardware was “property damage,” but denied coverage based on the policy’s “impaired property” exclusion.9 On appeal, the Fourth Circuit upheld the application of the impaired property exclusion and declined to decide whether the consumers’ loss of use of their computers was a tangible loss. However, Judge Traxler’s dissent argued that the consumer complaints indicated their belief that AOL 5.0 had caused physical damage to their computers and that this allegation was enough to invoke the insurer’s duty to defend AOL.10

<9> The District Court decision in AOL, Inc. has been followed by other jurisdictions. In one case, the U.S. District Court for Kansas held that absent an allegation of physical harm to the hardware, loss of use of data was not equivalent to the loss of use of tangible property. 11 Thus, the insurer had no duty to defend or indemnify the insured under the third party coverage. In another case, the California Court of Appeals cited to AOL, Inc., in finding that the insured’s loss of a computer database was an economic loss but that the data was intangible so its loss was not a “direct physical loss” covered by the first-party policy. 12

Data Tangible

<10> Courts that have granted coverage for liability for electronic data loss have utilized an expansive definition of physical damage, or relied on particular facts. In the U.S. District Court of Arizona, the insurer argued that after a power failure, once power was restored, the affected mainframe computers were not physically damaged by the loss of their custom programming. The court rejected these arguments and instead embraced an expansive definition of “physical damage” that included the loss of use and functionality of computer technology.13 While not using the word “tangible,” this was an explicit holding that loss of data is “physical” damage for first party insurance coverage purposes. Since “physical” and “tangible” are closely related concepts, it could be argued that if loss of data is a physical loss, then harm to data is damage to tangible property for CGL purposes.14

<11> The Court of Appeals of Minnesota upheld the liability insurer’s duty to defend, due to the insured’s loss of a computer tape storing third party data.15 However, this decision likely has limited precedential value due to the unique circumstances of this case. The court held that the data integrated with the lost tape was tangible property under the liability policy. Following this logic, there would be coverage when a disk is lost or stolen, but not when the data on the disk is erased or corrupted.

Exclusions Effect Coverage

<12> Courts have used policy exclusions to deny coverage without deciding whether data was tangible. In 1989, the Minnesota Supreme Court declined to decide if erased data was intangible. Instead, the court noted that if it were intangible, there was no CGL coverage, and that even if it were tangible, the “control of property” coverage exclusion in the policy negated any coverage. “Under this exclusion, property damaged while on the insured’s premises for the purpose of being worked on is excluded from coverage.” 16 Therefore, the specific wording of the policy exclusion formed the basis of the court’s decision, and the court did not determine if data was tangible or intangible.

<13> Exclusions have also been used to deny coverage for a “tangible” data loss. In a suit arising from a third party claim of loss of computer data and loss of use of computers, the U.S. District Court for the Western District of Oklahoma held that data was intangible property and thus, did not trigger third party liability coverage as physical injury to tangible property. However, the court also decided that the loss of use of the computers constituted a loss of use of tangible property that is not physically injured, and was therefore “property damage” within the meaning of the disputed third party policy. Ultimately, the court denied coverage due to an exclusion for property that was damaged by the insured’s work.17 In a different case, however, the New Mexico Court of Appeals let stand an unchallenged trial court ruling that data was tangible and found that the insurer had a duty to indemnify when the CGL policy’s exclusions were too vague and indefinite to be enforced.18

Hardware Damage or Loss of Use Can Trigger Coverage

<14> While coverage for lost data was disputed, the standard form CGL defined property damage to include physical injury to tangible property as well as the loss of use of tangible property that is not physically injured. Thus, under the old policy language, damage to hardware and loss of use of hardware caused by data loss has been held to be loss of tangible property.19 In fact, it can be argued that loss of use of hardware is a determinative factor in triggering pre-2001 standard form CGL coverage. When an insured requested coverage for a third party claim of loss of use of data, but not expressly of hardware, coverage was declined because loss of data did not necessitate loss of use of hardware.20 On the other hand, a loss of use of hardware was a loss of tangible property, even when coverage was ultimately denied under a policy exclusion.21

Pertinent Change in the 2001 ISO Commercial General Liability Form

<15> In 2001, ISO added to the definition of “property damage” in the CGL standard form, which reads in pertinent part:

For the purposes of this insurance, electronic data is not tangible property. As used in this definition, electronic data means information, facts or programs stored as or on, created or used on, or transmitted to or from computer software, including systems and applications software, hard or floppy disks, CD-ROMS, tapes, drives, cells, data processing devices or any other media which are used with electronically controlled equipment.22

<16> This change in language excludes data loss from CGL “property damage” coverage.23 Therefore, liability for physical injury to or destruction of data or any resulting loss of use of data will not be covered under the plain language of the new CGL standard form. However, the standard form is often modified so it is imperative that the insured reads their policy closely to determine the exact scope of their coverage.

Consequences of New Policy Language

<17> The new policy language expressly denies standard form CGL coverage of liability for the loss of data as a physical injury to tangible property. However, the 2001 changes to the policy did not remove coverage for loss of use of hardware as a loss of use of tangible property that is not physically injured. This type of coverage was also available under the old policy language and was often critical to a court’s determination of coverage.

<18> Similarly, under the new policy language, the third party’s claim of loss of use of hardware should trigger liability coverage. While this point has not yet been litigated, it follows from the plain meaning of the new CGL language. The new language excludes data as tangible property, so there is no direct coverage for the third party’s data loss, or for their loss of use of data. However, the new language does not exclude the third party’s loss of use of undamaged hardware (i.e. tangible property) caused by data loss (i.e. intangible property). Therefore the key to coverage under the new policy language is a claim not for the lost data itself, but instead for the loss of use of hardware which was caused by the loss of data. To borrow the combination lock analogy from AOL, Inc., if hardware is the lock and data is the combination, then there will not be coverage solely for the loss of the combination, but the loss of the lock’s use due to the loss of the combination should be covered. Thus, if an insured’s litigation to force CGL coverage is to be successful, the underlying third party complaint should include an allegation of loss of use of the lock.

<19> To fill the gaps in traditional insurance policies and cover the increasing number of first party and third party “cyber” losses, insurance companies are now offering a variety of new insurance products. Major insurance companies such as ACE, AIG, Beazley, CNA and Hiscox are now offering e-business (first party) and cyber liability (third party) policies. These policies are usually sold either in an ala carte menu driven platform that allows the insured to specify the coverage purchased, or are sold bundled in a multiline policy, typically offered in conjunction with technology errors and omissions or media liability.24 For example, AIG offers its NetAdvantage suite of digital asset coverage including Network Security Liability, Web Content Liability, Network Security Business Interruption, and Cyber-Extortion among others.25 Policy eligibility and premiums may depend on the insured’s risk management and information technology (IT) practices. Thus, the insured’s efforts to minimize risk will benefit the insured through lower premiums, and third parties through lower risk. A failure to take minimally reasonable steps in this area may be considered a breach of the insured’s duty to mitigate its risk, thereby providing a basis for a denial of insurance coverage.26 Due to the rapidly changing nature of these policies, prospective insured’s should consult a knowledgeable broker who has experience with this complex coverage area.

Conclusion

<20> The most recent revision to the ISO standard form CGL now excludes data from the definition of “property damage” covered under the policy. Therefore, in order for a business to have coverage for a loss of third party data, it must either buy additional specific coverage or expect litigation of its claim under a CGL policy that does not contain the express exclusion. Both of these options can be expensive.

<21> A business seeking cyber-insurance should consult a knowledgeable broker to select the coverage best suited to their needs. If a business has no choice but to litigate its CGL claim for coverage of lost third party data, the claims as expressed in the third party’s complaint and the specific language of the policy exclusions and provisions can determine the insurer’s duty to defend, regardless of whether the data is found to be “tangible” under the policy.27 Therefore, practitioners should analyze each term of the policy closely to determine its effect on coverage. Early in litigation of third party claims, a court may activate the insurer’s duty to defend even where the insurer’s duty to indemnify is unclear.28 A third party complaint of loss of use of hardware increases the chance of CGL coverage under both the pre and post 2001 policy language. A claim absent a loss of use of hardware has been denied under the pre-2001 language, and is likely expressly precluded by the post-2001 language.

Practice Pointers

<< Top

Footnotes

  1. Kendall Bodden, University of Washington School of Law, Class of 2005. Many thanks to Karen Weaver for her valuable feedback on a draft of this article.
  2. This article will only address insurance coverage for electronic data loss. For an overview of all the 2001 changes to the ISO CGL standard form see McGaw, Amy, “Commercial General Liability Policy Update” at http://www.cooperscully.com/10th_annual/CommGenLiabPolicy.pdf (last visited April 23, 2004).
  3. Couch on Insurance § 198:3 (Lee R. Russ, et al. eds., 3rd ed., 2003).
  4. Couch on Insurance § 200:3.
  5. Couch on Insurance § 172:2, § 200:20. See also Centennial Ins. Co., v. Applied Health Care Systems Inc., 710 F.2d 1288, 1292 (7th Cir. 1983).
  6. Comprehensive General Liabilty Coverage Form, § V (13), available at LEXIS, Nexis Library, ISO Policy Forms, Form Number: CG 00 01 10 01. For a thorough discussion of “occurrence” see Rowland H. Long, The Law of Liability Insurance § 1.08[1], § 4.20[1] (originally published in 1966, and updated annually) (Matthew Bender; 4 volumes).
  7. Paula M. Yost et al., In Search of Coverage in Cyberspace: Why the Commercial General Liability Policy Fails to Insure Lost or Corrupted Data, 54 SMU L. Rev. 2055, 2063 (2001).
  8. America Online, Inc. v. St. Paul Mercury Ins. Co., 347 F.3d 89, 96 (4th Cir. 2003).
  9. America Online, Inc. v. St. Paul Mercury Ins. Co., 207 F.Supp. 2d 459, 470-71 (E.D. Va., 2002) (AOL’s CGL policy excluded “property damage … that results from: [AOL’s] faulty or dangerous products”).
  10. The insurer’s duty to defend the insured is broader than the duty to indemnify. The duty to defend is triggered by the third party’s allegations, whereas the insurers’ duty to indemnify the insured will be based on the established facts and the terms of the policy. Couch on Insurance § 172:2, § 200:20. See also Centennial Ins. Co., v. Applied Health Care Systems Inc., 710 F.2d 1288, 1292 (7th Cir. 1983).
  11. Cincinnati Ins. Co. v. Prof’l. Data Serv. Inc., 2003 LEXIS 15859 (D. Kan. 2003).
  12. Ward Gen. Ins. Services Inc., v. Employers Fire Ins. Co., 114 Cal. App. 4th 548, 556-57 (2003).
  13. American Guarantee & Liab. Ins. Co., v. Ingram Micro, Inc., 2000 WL 726789, at *2 (D.Ariz. 2000).
  14. Paula M. Yost et al., In Search of Coverage in Cyberspace: Why the Commercial General Liability Policy Fails to Insure Lost or Corrupted Data, 54 SMU L. Rev. 2055, 2075-76 (2001). However, the District Court in AOL Inc., declined to apply Ingram Micro to CGL coverage. 207 F.Supp. 2d at 469.
  15. Retail Sys. Inc., v. CNA Ins. Cos., 469 N.W.2d 735, 738 (Minn. Ct. App. 1991).
  16. Magnetic Data, Inc., v. St. Paul Fire & Marine Ins. Co., 442 N.W.2d 153, 156 (Minn. 1989).
  17. State Auto Prop. & Cas. Ins. Co., v. Midwest Computers & More, 147 F.Supp. 2d 1113, 1117 (W.D. Okla., 2001).
  18. Computer Corner, Inc., v. Fireman’s Fund Ins. Co., 46 P.3d 1264 (N.M. Ct. App. 2002).
  19. Midwest Computers & More, 147 F.Supp. 2d at 1117 (coverage denied on other grounds). See also American Guarantee & Liability Ins. Co., v. Ingram Micro, Inc., 2000 WL 726789 (D.Ariz. 2000).
  20. See Cincinnati Ins. Co. v. Prof’l Data Serv. Inc., 2003 LEXIS 15859 (Kan. D.C., 2003).
  21. Midwest Computers & More, 147 F.Supp. 2d at 1116. See also, America Online Inc., v. St. Paul Mercury Ins. Co., 207 F.Supp.2d 459, 470 (E.D. Virginia 2002).
  22. Comprehensive General Liabilty Coverage Form, § V (17)(b), available at LEXIS, Nexis Library, ISO Policy Forms, Form Number: CG 00 01 10 01. Immediately preceding this language, “property damage” is defined as: a. Physical injury to tangible property, including all resulting loss of use of that property. All such loss of use shall be deemed to occur at the time of the physical injury that caused it; or b. Loss of use of tangible property that is not physically injured. All such loss of use shall be deemed to occur at the time of the "occurrence" that caused it.
  23. For purposes of this article the term “data” will include software as in the CGL definition.
  24. Michael A. Rossi, Cyber Liability Insurance Issues for Large Companies, at http://www.irmi.com/Expert/Articles/2003/Rossi08.aspx (last visited Nov. __ 2003).
  25. The AIG netAdvantage Complete®: Internet Insurance, at http://www.chamberagent.com/chamberagent/prod_cat/products/internet_prods/na_comp.html (last visited Oct. 18, 2004).
  26. Kevin P. Cronin et al., Data Security & Privacy Law: Combating Cyberthreats § 14:31 (2003).
  27. Magnetic Data, Inc., 442 N.W.2d at 156.
  28. Centennial Ins. Co., v. Applied Health Care Systems Inc., 710 F.2d 1288, 1292 (7th Cir. 1983).
<< Top