The U.S. District Court for the Middle District of Florida, in Innovak International v. The Hanover Insurance Co., recently granted summary judgment in favor of Hanover Insurance Company finding that it had no duty to defend Innovak against a data breach lawsuit. Innovak, which is a payroll service, suffered a breach of employee personal information, including social security numbers. The employees then filed suit against Innovak alleging it had negligently created a software that allowed personal information to be accessed by third parties. Innovak sought a defense for the lawsuit from its commercial general liability carrier, Hanover Insurance Company. Innovak argued that the employee’s allegations triggered the personal and advertising injury coverage part of the policy, which covers loss arising out of the advertising of the policyholder’s goods or services, invasion of privacy, libel, slander, copyright infringement, and misappropriation of advertising ideas. The court disagreed and found the employees’ allegations did not involve a publication that would trigger coverage under the commercial general liability policy.
A recent article published by Securityroundtable.org highlights the vulnerabilities businesses face in a world of e-commerce and interconnectivity, and how proper planning through a tailored cybersecurity program that includes – among other components – appropriate insurance coverage for cyber risks can help prevent a successful attack and mitigate the financial impact should one occur. Whether the issue is prevention or risk mitigation, cybersecurity should be at the top of the corporate agenda. As discussed in the Securityroundable.org article, Lisa Sotto, chair of the global privacy and cybersecurity practice of Hunton & Williams, explained at a recent briefing and crisis planning exercise in New York City that “it’s been a complete revolution. The cyber environment has just exploded…We could not have predicted this five years ago. There is no question that cybersecurity is a top priority for C-suites and boards. It is now recognized as a basic risk issue by every company.” Walter Andrews, chair of the insurance coverage practice at Hunton & Williams, addressed the insurability of cybersecurity risks, explaining that, “we’ve seen a sea change in a lot of areas in the last two years…There will always be liability no matter what, but cyber insurance has gone from a product a few companies acquired to one held by almost all. In fact, today regulators and boards require it.” For a recap of the entire briefing and crisis planning exercise, see the full Securityroundtable.org article, which can be found here.