Unless you’ve been paying very close attention to policies issued since May 1, you might not have noticed a subtle but potentially significant change in commercial general liability insurance policies based on ISO forms. Starting on that date, a new endorsement must be attached to all ISO CGL policies – CG 21 06 05 14, titled Exclusion – Access Or Disclosure Of Confidential Or Personal Information And Data-Related Liability – With Limited Bodily Injury Exception.
The unendorsed CGL coverage form states that the insurance does not apply to damages arising out of “The loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.” If a business gets sued because of alleged damage to someone else’s data, the policy will not provide coverage. This new endorsement tacks on an additional paragraph to this exclusion. It now says that the insurance does not apply to damages arising out of, “Any access to or disclosure of any person's or organization's confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information.”
Translation: No coverage for you if someone sues you for a data breach. This exclusion applies to both Coverage A (Bodily Injury and Property Damage Liability) and Coverage B (Personal and Advertising Injury Liability). This prevents an insurer from having to cover a loss that might fit within the policy’s definition of personal and advertising injury. ISO’s explanatory memorandum described the impact of the endorsement this way:
“With respect to bodily injury and property damage arising out of access or disclosure of confidential or personal information, these changes are a reinforcement of coverage intent. As discussed above, damages related to data breaches, and certain data-related liability, are not intended to be covered under the abovementioned coverage part. These types of damages may be more appropriately covered under certain stand-alone policies including, for instance, an information security protection policy or a cyber liability policy.
“To the extent that any access or disclosure of confidential or personal information results in an oral or written publication that violates a person's right of privacy, this revision may be considered a reduction in personal and advertising injury coverage.”
ISO rules have made this endorsement mandatory; we should expect the next edition of the Commercial General Liability Coverage Form to have this wording built in. Also, the New York State Department of Financial Services approved this endorsement for use here last December. (The filing is available for download using the DFS rate, rule and form filing search tool. Enter “ISOF-129157450” in the SERFF Tracking Number field.) It should be appearing on new and renewal policies now.
There is a New York legal requirement to keep in mind. New York Insurance Law Section 3426(e)(1) states that a CGL policy issued by an admitted insurer:
“(S)hall remain in full force and effect pursuant to the same terms, conditions and rates unless written notice is mailed or delivered by the insurer to the first-named insured, at the address shown on the policy, and to such insured's authorized agent or broker, indicating the insurer's intention: … to condition its renewal upon … reduction of coverage … or addition of exclusion …”
It appears that New York law may require insurers to send conditional renewal notices on every CGL policy renewal affected by this change. The notice must “contain the specific reason or reasons for nonrenewal or conditional renewal … and describe in plain and concise terms the nature of any other … changes specified in (the wording quoted above) …” I’m willing to bet that not too many underwriters are aware that the addition of this endorsement might trigger that obligation.
On the other hand, ISO’s response to NYSDFS questions about the filing indicates that ISO does not view this as a reduction in coverage:
“It is important to note that notwithstanding the revisions contained in the referenced filing, there are several current exclusions in the ISO CGL and CLU Coverage Forms that may preclude coverage for records in the custody of an insured. For example, under Coverage A – Bodily Injury And Property Damage Liability, the Damage To Property exclusion provides, in part, that insurance does not apply to property damage to personal property (which could potentially include various types of records) in the care, custody or control of the insured. This exclusion also precludes coverage with respect to property the named insured owns, including any costs incurred to repair, replace or restore such property. In addition, the Electronic Data exclusion as it currently exists in the CGL and CLU Coverage Forms excludes coverage, in part, with respect to damages arising out of the loss of, loss of use of, and damage to electronic data, which also could potentially include various types of records.
“With respect to bodily injury and property damage arising out of access or disclosure of confidential or personal information, the changes contained in this filing are a reinforcement of coverage intent. As discussed in the Explanatory Memorandum submitted with this filing, damages related to data breaches, and certain data-related liability, are not intended to be covered under the CGL and CLU Coverage Parts. With respect to personal and advertising injury liability arising out of access or disclosure of confidential or personal information, this revision may be considered a reduction in personal and advertising injury coverage to the extent that any access or disclosure of confidential or personal information results in an oral or written publication that violates a person's right of privacy. It is important to note that other invasion of privacy offenses (i.e., those that do not otherwise involve access or disclosure of confidential or personal information) are not expressly addressed by the exclusions newly introduced in this filing.”
Essentially, ISO is saying that it never intended for the CGL form to cover liability for data breaches, so this isn’t a reduction in coverage. That leads to the question of why it feels the endorsement is necessary. My guess is that the insurers who subscribe to ISO forms have been unnerved (understatement) by some of the damages resulting from these breaches and want the policy to plainly state that there is no coverage. Whether ISO’s arguments about the intent of the form will be enough to absolve insurers of the obligation to send conditional renewal notices is an open question.
I’ll throw that open question to all of you. What do you think – does the law require insurers to send conditional renewal notices on thousands of CGL policy renewals, or do you agree with ISO that the endorsement is simply an affirmation of coverage intent with no real reduction in coverage?