Rulings raise questions about
key coverages and exclusions.
By Joseph S. Harrington, CPCU
Remember “e-commerce?” That phrase arose when businesses first began to transact business over the Internet. The term has since become passé, as it’s become hard to imagine anyone engaging in any kind of “commerce” today without the “e-” part.
That said, it’s still common for enterprises to outsource the “e-” part of their commerce by having transactions processed and data stored on remote third-party servers. Those enterprises can breathe a little easier after a recent decision of the Superior Court of Pennsylvania, but they need to remain vigilant regarding their insurance coverage. So what else is new?
In the Pennsylvania case[1], a leading U.S. insurer sought to deny coverage for a video distributor that provided access to the videos on servers owned by the GoDaddy online service provider. A hacker managed to delete the videos along with the application for accessing them.
Among other things, the insurer argued that the commercial property policy provision at issue only covered loss to electronic data that “originates and resides in your computers.” [emphasis added] Since the hacked videos and application were not on servers owned by the insured, the insurer claimed there was no coverage.
As it turns out, the superior court upheld the denial of coverage on the basis that the insured did not establish that the loss exceeded the deductible. But on the question of application of coverage, the court came down for the insured, ruling that the term “your computers” could be interpreted to include computers the insured had a right to use as well as computers owned outright by the insured.
For insurers using similar policy language, this ruling expands exposure from data on servers owned and controlled by the insured—and presumably underwritten as such—to networked operations not known to the insurer.
Fingerprints left behind
The outcome was also ambivalent for the insured in an Illinois case where an appeals court sided with a Lloyd’s syndicate in denying coverage for unauthorized disclosure of employee information.[2] The case was brought under Illinois’s unique Biometric Information Privacy Act (BIPA), but the ruling has implications for any arrangement for sharing and storing personal information.
The case involved electronic scans of employee fingerprints used to check in and out of work, with the claimants arguing that the fingerprints were not protected as required under BIPA when they were shared with a third-party service that stored the prints.
Among other things, BIPA requires companies to obtain written consent from employees before acquiring biometric data, prohibits companies from disclosing biometric information without the person’s consent, and requires that companies in possession of biometric data follow policies for safeguarding and deleting biometric information.
Upon receiving the claim, the syndicate denied coverage, stating that the claim did not allege that data was disclosed “in a manner that is unauthorized” by the insured, as required under the relevant cyber policy provision. The court agreed, holding that a failure to safeguard biometric data in compliance with BIPA did not constitute a data breach or security failure as defined in the policy (and in most policies, for that matter).
Unsilent cyber
That’s not the whole story, however. Readers are probably aware that Lloyd’s has been striving to eliminate “silent cyber” coverage from non-cyber policies, and to relegate cyber coverage to “affirmative” coverage provisions in cyber policies and coverage parts.
As it turns out, more than a year before the insured in that case, a grocery chain, lost its suit for cyber coverage over the employee fingerprints, a U.S. court in Illinois found that the chain was entitled to coverage for essentially the same claim under the standard commercial general liability (CGL) section of a policy from a domestic carrier.[3]
In that case, the insurer argued from seemingly well-established premises: that the injury did not meet the policy definition of bodily injury or personal injury, and that coverage would be voided anyway by exclusions for employment practices, for disclosure of personal information, and for unlawful recording and distribution of information.
Yet, in a ruling certain to have policy drafters pulling their hair out, the judge systematically reasoned that each of these provisions was either ambiguous or inapplicable to the claim at issue.
If that’s a win for agents and brokers, it’s a strange one. Capitalizing on it would call for encouraging insureds to place their hopes in disregarding some very explicit policy provisions. Stay tuned and stay alert.
The author
Joseph S. Harrington, CPCU, is an independent business writer specializing in property and casualty insurance coverages and operations. For 21 years, Joe was the communications director for the American Association of Insurance Services (AAIS), a P&C advisory organization. Prior to that, Joe worked in journalism and as a reporter and editor in financial services.
[1] Watchword Worldwide v. Erie Ins. Co., 308 A.2d 728 (Pa. Superior Ct.) 2024
[2] Tony’s Finer Foods Enterprises v. Certain Underwriters at Lloyd’s, 2024 IL App (1st) 231712
[3] Cont’l W. Ins. Co. v. Tony’s Finer Foods Enterprises, Inc., 2023 WL 4351469 (N.D. Ill. July 5, 2023)