Guidance for businesses on buying Cyber Liability insurance

ISO’s 2014 Data Breach Exclusion Endorsements

Perhaps a large majority of all businesses are subject to data breach liability whereby someone steals or makes unauthorized use of personal or confidential information, often of customers. Such data breaches have resulted in lawsuits and government sanctions. While most “ISO standard” policies do not cover most types of data breaches, ISO has introduced a number of liability data breach exclusion endorsements.

The unendorsed ISO CGL policy defines “property damage” to include:

Physical injury to tangible property, including all resulting loss of use of that property.

Loss of use of tangible property that is not physically injured.

It also confirms what a number of courts have found that, “For the purpose of this insurance, electronic data is not tangible property.”

In addition, Coverage A of the CGL policy has a specific exclusion 2.p. for Electronic Data:

Damages arising out of the loss of, loss of use of, damage to, corruption of, inability to access or inability to manipulate electronic data.

As a result, ISO’s CGL policy provides virtually (no pun intended) no coverage for data breach. However, given that almost any sized business can experience a data breach with potentially catastrophic liability, depending on how many customer records are maintained, ISO has introduced a series of data breach exclusion endorsements for its general liability and umbrella/excess programs.
This article specifically discusses the three primary CGL endorsements being introduced:

CG 21 06 05 14 – Exclusion – Access Or Disclosure Of Confidential Or Personal Information And Data-related Liability – With Limited Bodily Injury Exception (For Use With The Commercial General Liability Coverage Part)
Note: The companion Commercial Umbrella endorsement is the CU 21 86 05 14 and the companion OCP/PCO endorsement is the CG 33 53 05 14.

CG 21 07 05 14 – Exclusion – Access Or Disclosure Of Confidential Or Personal Information And Data-related Liability – Limited Bodily Injury Exception Not Included (For Use With The Commercial General Liability Coverage Part)
Note: The companion Commercial Umbrella endorsement is the CU 21 87 05 14 and the companion OCP/PCO endorsement is the CG 33 59 05 14.

CG 21 08 05 14 – Exclusion – Access Or Disclosure Of Confidential Or Personal Information (Coverage B Only) (For Use With The Commercial General Liability Coverage Part)
Note: The companion Commercial Umbrella endorsement is the CU 21 88 05 14.

In addition to the above, ISO is introducing the CG 33 63 05 14 – Exclusion – Access, Disclosure Or Unauthorized Use Of Electronic Data (For Use With The Electronic Data Liability Coverage Part) and the CX 21 43 05 14 – Exclusion – Access Or Disclosure Of Confidential Or Personal Information (For Use With The Commercial Excess Liability Coverage Part) which are not discussed in this article.
ISO is also revising the CG 04 37 04 13 – Electronic Data Liability (For Use With The Commercial General Liability Coverage Part) and CU 04 02 04 13 – Electronic Data Liability Endorsement (For Use With The Commercial Liability Umbrella Coverage Part) to reflect these new data breach endorsements.

CG 21 06 05 14 – Exclusion – Access Or Disclosure Of Confidential Or Personal Information And Data-related Liability – With Limited Bodily Injury Exception (For Use With The Commercial General Liability Coverage Part)

This is a mandatory endorsement (unless one of the optional endorsements below is used) that replaces the existing Electronic Data exclusion under Coverage A and combines the provisions of that exclusion with the exclusionary provisions described below for Coverage B:

Coverage B excludes losses for personal and advertising injury arising out of any access to, or disclosure of, any person’s or organization’s confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information, or any other type of nonpublic information. The endorsements provide examples of such losses that are excluded by, but not limited to, those enumerated in the endorsement.

CG 21 07 05 14 – Exclusion – Access Or Disclosure Of Confidential Or Personal Information And Data-related Liability – Limited Bodily Injury Exception Not Included (For Use With The Commercial General Liability Coverage Part)

This is an optional endorsement that can be used in lieu of mandatory endorsement CG 21 06. The purpose of the CG 21 07 is identical to that of the CG 21 06 except that it does not include an exception for bodily injury that is included in the CG 21 06.

CG 21 08 05 14 – Exclusion – Access Or Disclosure Of Confidential Or Personal Information (Coverage B Only) (For Use With The Commercial General Liability Coverage Part)

This optional endorsement can be used in lieu of either the CG 21 06 or CG 21 07.
It has the same exclusionary provisions for Coverage B as the other two endorsements. However, there is no replacement exclusion under Coverage A for the Electronic Data exclusion and the existing Electronic Data exclusion in the CGL policy is not modified.

ISO’s property, CGL, crime, and BOP programs have various endorsements to provide some very limited coverage for the loss of data or information and a full Information Security Protection Policy (EC 00 10) to provide much broader coverage. In addition, most insurers have their own proprietary cyber exposure policies. For an excellent and very detailed comparison, check out the most recent comparison report at www.betterley.com.