I’ve written about the Ashley Madison data breach before especially about their use of DMCA takedown notices. Today a short twitter conversation about technicalities gave me a thought to write something brief about how insurance coverage and cyber liability interact in the wake of the Sony/Zurich case. I will be talking at NOLASec next week with more commentary on, inter alia, the DMCA/Copyright issues present. Here, I will limit myself to Cyber Liability considerations.
The Sony Data Breach and Zurich’s Coverage Denial – A 1 Paragraph Summary
Sony Corp. of America experienced a significant data breach in 2011. Sony had a Commercial General Liability (CGL) policy with Zurich American Insurance Co. Sony made a claim under its CGL policy for coverage related to potential litigation, cost of remediation, and surely any other expenses attributable to the breach. Zurich sued Sony to deny coverage on the theory that (1) the CGL policy would only cover the incident if Sony (or its employees, agents, etc.) published the information, (2) the hackers who breached the data constituted a third party, and thus (3) the CGL policy would not cover the incident because the third party, not Sony, actually did the publication (i.e. the breach) of the data. The Court sided with Zurich, Sony appealed, and the parties reached a settlement before the Appellate Court could weigh in. See generally Zurich Am. Ins. v. Sony Corp. of Am., 2014 N.Y. Misc. LEXIS 5141 (N.Y. Sup. Ct. Feb. 21, 2014) (finding that a breach by hackers did not constitute the affirmative act of publication by the insured and thus was excluded under the coverage policy); cf. Young Ha, “Sony, Zurich Reach Settlement in PlayStation Data Breach Case in New York”, available at http://www.insurancejournal.com/news/east/2015/05/01/366600.htm, accessed 2015-08-12.
Ashley Madison Breach
Like Sony, Ashley Madison was breached. Unlike Sony, Ashley Madison is an incredibly unsympathetic victim as are the Ashley Madison Users whose information was breached. Neither here nor there. Someone retweeted Jose Pagliery (@jose_pagliery)’s humorous observation that Ashley Madison’s registration still promises they will never share your email address. I, having a fairly dry sense of humor, tweeted in response that technically Ashley Madison did not share the addresses, they just lost them.
The fact that a third party breached Ashley Madison’s systems and subsequently leaked the information online is a technicality that actually matters in a substantive way. It matters because it impacts what insurance coverage may be available to cover legal expenses, investigation costs, and potential future litigation/liability exposure. I will stress that almost everything is speculation at this point because specific details of the hack, other than that it happened, have not come to light.
Assuming Ashley Madison has a CGL policy, as many companies do and should, the first question their inside and outside counsel will need to ask is whether that policy has similar language to the Zurich policy at issue in the Sony case. If it does, poof: because the breach was carried out by a third party, that coverage avenue is likely closed off. Either coverage may be denied outright, or a reservation of rights and a subsequent attempt to claw back will occur – not a pretty picture in either case.
The real question will be whether they have a specific Cyber Liability policy that covers data breaches. Cyber Liability policies are becoming very attractive for companies with significant data breach exposure potential, and they will probably be the norm in the near future. If they do, the third party publication question is not relevant because these types of policies are designed for third party breach and leak. (Can I coin that term? Can we make that a thing? Breach’n’Leak or BNL for short?).
However, even if they have a Cyber Liability policy, it does not mean they are in the clear. Insurers are only starting to write these policies, and case law has not developed around their extent, the language used in them, or the requirements imposed by them. Many Cyber Liability policies require the insured to answer questionnaires prior to the policy being issued and/or to maintain certain security practices. Failure to maintain the requisite standards of security, etc., can result in coverage denial, and this area is so new that jurisprudence has yet to develop concerning it. I.e., we are in the Wild West.
It is almost certain Ashley Madison and its parent company Avid Life Media will be sued. It is also nearly certain they will be sued in a class action and in multiple jurisdictions. This is a very interesting case for potential litigation. There are some serious issues with data breach cases and standing where the harm cannot be pleaded adequately as a concrete harm (i.e. monetarily quantifiable damage as opposed to merely speculative future harm). This issue is potentially impacted by the Spokeo case (see http://www.scotusblog.com/case-files/cases/spokeo-inc-v-robins/ for coverage of the case SCOTUS will take up this term). In the European Union, or at least the United Kingdom, this appears no longer to be a problem. (See http://www.theregister.co.uk/2015/08/21/ashley_madison_legal_woes_court_costs/).
There are also some legitimate questions regarding the reported fee for deleting your account from Ashley Madison, since it is alleged that the data was not actually deleted in some instances. That certainly would be a concrete enough injury to overcome the standing issue.
My final thought here relates to press releases from Ashley Madison regarding forensic teams and cooperation with law enforcement. That sounds great in a press release, but can come back to haunt a company in litigation. If counsel was not engaged first in anticipation of litigation to conduct a liability assessment and instead the forensics team was engaged directly by management or the IT department, any reports, data, observations, or other information generated may not be protected by privilege. The cloak of privilege is a delicate membrane that has to be carefully preserved, and once lost generally cannot be restored. It is a necessary function of our legal system that allows a client to fully disclose information to their attorney so that the attorney can provide legal advice to the client with a fully informed view of the situation. That privilege can extend to non-testifying experts who assist the attorney in understanding complex issues such as are present in a data breach scenario. It will be interesting to see if Ashley Madison did this the prudent way or whether it will cause them more headaches when litigation is filed – especially if a regulatory agency takes an interest in them.