
In this installment of my series of posts about the basics of cyber policies (you can read earlier posts here and here), I’m going to talk about privacy liability coverage.

As illustrated in the graphic below, privacy liability coverage is one of the four coverages available in typical cyber policies.

Privacy liability coverage is available to respond to claims by parties who have sustained a privacy injury. That seems simple enough, right? Unfortunately, it isn’t. Privacy liability coverage truly is one where the devil is in the details.

Privacy Injury

So what is a privacy injury? Generally speaking, a privacy injury is one caused by the company’s failure to properly manage private information. Most policies will also cover a breach of privacy laws and an unintentional breach of the company’s privacy policy. After that, policies begin to differ.

A good policy will also cover the wrongful collection of information. What does a wrongful collection claim look like? Remember a few years back when it was discovered that Apple and Google phones were tracking users’ locations? Predictably, that revelation resulted in lawsuits alleging that the collection of location data was wrongful. Many cyber policies would not cover that claim.

Other privacy injuries that might not be covered under a typical off-the-shelf cyber policy include the theft of private information, the failure to develop and administer an identity theft prevention program, a breach of confidence, breach of duty, infringement or violation of any rights to privacy, breach of a person’s right of publicity, and intrusion upon a person’s seclusion. A good policy will cover some or all of these.

Private Information

Because privacy liability coverage depends on injuries involving private information, it is important to understand the scope of information covered by a policy.

A good cyber policy will cover personal information as well as corporate confidential information.

Personal Information

Cyber policies take different approaches to defining what personal information is covered. Some will list the types of information, e.g., name, address, social security number, credit card number, and health information. Some policies also require sufficient information to allow an individual to be uniquely identified.

This approach of listing personal information is fine as far as it goes, but it inevitably misses information that should be considered private but that isn’t on the list. A company may have data concerning citizens of many different locations, each of which may deem different information to be private. Experience has taught me that not all of that information will be listed in a cyber policy.

A policy’s list of personal data items will certainly omit information that is public, but that is nevertheless deemed protected. We saw a great example of a claim arising from such information in 2014 when the European Court of Justice ruled that Google was required to remove accurate public information about an auction of the claimant’s assets in order to pay his debts many years after it was relevant. This is the “right to be forgotten” that you may have heard references to. A claim involving public information that effectively becomes private would not be covered under any standard cyber policy form that I am aware of.

Better cyber policies do not attempt to list the types of personal information. Instead, they have very broad definitions that include any information that can be used to identify a specific individual, or that is subject to any privacy law. These definitions include everything in a typical list of personal information, and leave room to also include information types that may not have been regarded as private in the past.

Corporate Confidential Information

In addition to covering breaches of personal information, a cyber policy will also cover liability resulting from a breach of corporate confidential information. That is typically defined to mean proprietary or confidential information of a third party that is held by the insured.

Do Other Insurance Policies Apply?

Maybe, but I wouldn’t count on it.

A lot of insureds that haven’t yet bought cyber coverage have argued that general liability (GL) coverage applies to privacy liability claims. There has been a lot of litigation over this issue. Some insureds have won, but the trend in court decisions now seems to favor insurers. The most you can say is that the outcome of a GL claim based on a privacy injury is uncertain. As I noted in an earlier post on this subject, the only certainty a company has with respect to a cyber claim under their GL policy is that they will end up in a fight with their GL insurer.

Some companies think their errors and omissions (E&O) policies will apply to a privacy liability claim. They could be right, but potential obstacles to coverage exist. For example, E&O policies typically respond to claims by clients and customers. They might not respond to a privacy liability claim brought by an employee or other non-client. I would not sleep easily if I thought I had to rely on an E&O policy to cover privacy risks.

If a company is concerned about privacy liability claims, the only sure way to insure them is to obtain a cyber policy.