As the legal troubles for P.F. Chang's restaurant chain kept piling up over the breach discovered this summer affecting 33 of its locations, its legal team made an insurance end-around play that many enterprises try after a breach. It filed a claim for coverage under its comprehensive general liability (CGL) policy. But a lawsuit filed earlier this month from its general liability insurer, Travelers Insurance, offers a good lesson to organizations on why this ploy rarely works.
Travelers asked the US District Court in Connecticut to clear it of any obligation to defend or indemnify the restaurant company during breach litigation. Its argument to the court: that not only is a breach like this not covered in its general policy definitions, but that even if it were, the restaurant company hadn't met a $250,000 basement floor limit up to which the firm needed to self-insure for covered events.
According to a number of legal and insurance experts, the case is about as open and shut as it gets for Travelers.
"The likelihood that PF Chang's would prevail seems quite slim," says Francoise Gilbert, an attorney with Palo Alto-based IT Law Group.
That's because this is hardly the first time that the cyber mettle of CGLs has been tested in court. Dating back to Sony Entertainment's case against its CGL insurer Zurich American in 2011, the rulings have been pretty clear that cyber incidents are rarely on the table for coverage under general liability policies.
"In general they find that there is no coverage. A court might rule that there is coverage if occurrence causes the loss of use of some physical computer component or data storage medium," Gilbert says. "On the other hand, a court might find that there is no coverage if there is no physical injury to tangible property resulting from the mere loss of data."
On the off-chance that Travelers does not win its case, this will still likely do little for enterprises hoping to use CGLs as an umbrella for cyber risk fallout.
"If Travelers is not successful and their CGL policy is found to provide coverage, the result would most likely be the implementation of stricter exclusions on policies that do not want to pick up cyber exposure in any way," says Michael Carey, senior advisor for CyberInsure Solutions. "From a general perspective, unless the CGL policy expressly grants cyber coverage, the proof would need to show that there is implicit coverage through the lack of dedicated cyber exclusions, which would be a weaker position to have in court."
This, of course, is the whole reason companies like Travelers offer cyber liability insurance -- a.k.a. cyber insurance -- as an added type of coverage.
<strong><a>Read the rest of this article on <a href="https://www.darkreading.com/why-you-shouldnt-count-on-general-liability-to-cover-cyber-risk/d/d-id/1316758?cid=edit_stub_IT">Dark Reading</a></strong>
Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading. View Full Bio