Coverage for cyber-liability under the CGL policy

In September last year, at the CLEBC Insurance Law Conference, the author presented a paper on the topic of coverage for cyber-liability under the Commercial General Liability policy, focusing on coverage for data breaches under Part B, and in particular, “personal and advertising injury” as being “Oral or written publication, in any manner, of material that violates a person’s right of privacy”.[1] He presented an updated version of that paper at our B.C. mid-winter briefing in Toronto on March 5th [2].

Since then, developments have occurred in two of the cases discussed in the paper. Unfortunately, neither advance the current state of the caselaw in this area.

Recall Total Information Management Inc. et al. v. Federal Insurance Company et al.

In this case, the Connecticut Court of Appeals upheld a trial court’s dismissal of the plaintiff’s action against its insurer. At issue for our purposes was the finding that the loss of encrypted data tapes, which had fallen out of the back of a van and were removed from the roadside by a person or persons unknown and never recovered, did not fall within the definition of personal and advertising injury, as there was no “publication”. There, the parties agreed that no identity theft incident could be traced to the loss of the tapes, there was no allegation in the underlying action of publication, and Recall Total did not allege that the information contained in the tapes was ever accessed.

In April the Supreme Court of Connecticut heard Recall Total’s appeal of the appellate decision and in May, it handed down its decision, dismissing the appeal.[3] The Supreme Court noted: “Because the Appellate Court’s well reasoned opinion fully addresses the certified issue, it would serve no purpose for us to repeat the discussion contained therein. We therefore adopt the Appellate Court’s opinion as the proper statement”.

Zurich American Insurance Co. v. Sony Corporation of America

Possibly the most anticipated appellate decision of the year in this area has been avoided by the settlement of the action between the parties that occurred after the appeal had been argued, but before the judgment was handed down.

There, the New York Supreme Court, on a summary trial motion and in an oral decision that clearly contemplated an appeal being heard, held essentially that “Oral or written publication, in any manner…” within the definition of personal and advertising injury required the publication to be by or on behalf of the insured (i.e., in that case, not the ‘hackers’ who had obtained credit card and related private information), but that mere access to the information (again, by the backers) was sufficient to constitute “publication”.


As above, neither of these developments advance the state of the caselaw in this area.

Despite an appeal that even he expected, the contentious decision of New York Supreme Court Judge Jeffrey Oing in the Zurich case stands. No doubt his finding that the publication must be on or behalf of an insured, is a shield that will be wielded by coverage counsel for insurers faced with claims for coverage under the CGL from a data breach incident. However the effect of his finding on Canadian jurisprudence, remains to be seen.

Insurers, commentators and coverage counsel alike continue to watch this space with interest.


[2] http://www.guildyule.com/wp-content/uploads/2015/03/Coverage-for-Cyber-Liability-Under-the-CGL-Policy.pdf

[3] https://www.jud.ct.gov/external/supapp/Cases/AROcr/CR317/317CR54.pdf


Download as PDF

This post is intended to give general information about legal topics and is not a complete statement of the law. It is not intended to be relied upon in the absence of specific legal advice on particular circumstances. Accordingly, we do not accept any liability for any loss which may result from reliance upon this publication or the information it contains. Views expressed in this paper are those of the author and do not necessarily reflect those of Guild Yule LLP.