Tech E&O, Network Security, Internet Media, and MPL Insurance Policy 
Insuring Agreement I.C–Privacy Liability Coverage
Remember: This Blog is organized around insuring agreements, definitions, and exclusions. Conditions, etc., may be remarked upon briefly, but they often resemble not only each other but those found in currently existing policies.
This is Part IV of a series of blogs about the above-named policy.  Part I was an introduction and a discussion of Insuring Agreement insofar as it closely resembled “physical-world” policies, as opposed to “cyber-world” policies.  The topic pertained to D & O insurance.  Part II was a discussion of the substantive content of the Insuring agreement Ins Ag I.B, again regarding a type of D & O liability insurance.  I.A. pertained to network security and privacy wrongful acts, both of which are extensively discussed in society.  Ins. Ag. I.B concerns the same range of problems and is a broader D & O liability policy.   As already set forth in Part I, what is written here is nothing more than a sketch and the observations are not guaranteed.
I.C. Privacy Liability Coverage
This Insuring Agreement sets forth liability insurance for Damages the Insured is legally obligated to pay for losses directly resulting from any covered claim alleging a Privacy Wrongful Act against the Insured. (The last term includes not only the Company, plus directors and officers, but a variety of others, e.g.,  employees of various sorts, among others.)  [This passage is a bit confusing.  It might apply to a duty to defend, or something like it, but it will not apply to actual damages suffered.  The idea in the claim is that if an insured has a legal obligation to pay for something that is damaged, the insurer will pay it on its behalf.
The substantive components of this Insuring Agreement are, first, the idea of Privacy Wrongful Act (PWA), second,  the idea of Privacy Incident, and third, the idea of  Damages (D).  
First, we examine PWA, since the term “privacy” is not independently defined, so we start with PWA.
This is a blessed definition since it is short and direct.  PWA “means any actual or alleged act, unintentional error, omission, neglect or breach of duty by an Insured or a Service Provider that results in a” PI. 
PI–and now we arrive at the crucial part of the insuring agreement–is, roughly speaking (1) the unpermitted disclosures of Non-Public Personal Information or Confidential Corporate Information that “is in the care, custody, or control of any Insured or Service Provider, ad defined., or (2[a]) it is a violation of any Privacy Regulation or (2[b]) or is a “failure to comply with the  Company’s own privacy policy.”
Privacy Regulation is a concept of extraordinary significance.  It includes a number of named federal and state statutes “associated with the control and use of personally identifiable financial, medical, or other sensitive information,” plus “any similar, state federal or foreign identity theft or privacy protection statute.”
Damages, of course, are a crucial idea in all insurance policies.  The definition of Damages in this policy is a complex one, to say the least. There are 4 components of what the term means, and there are 9 lines setting forth what the terms do not mean, and the 9th line contains at least 13 different concepts which the term does not cover.
Here is that which the term applies.  It resembles traditional lists of damages in some “so-called” real world policy:
  • that for which the insured is legally obligated to pay as the result of a covered judgment, award or settlement
  • monies the  court victorious victim has been able to impose on the insured, e.g., attorney fees and so forth
  • pre- and post-judgment interest (with exceptions)
  • punitive, exemplary, or multiple damages to the extent that state law applies and to the extent more that one applies, the one which is most favorable to the insurer if insurable.

Defense costs are usually covered elsewhere in the policy; they are usually not found in the definitions of damages.

An apparent complexity in the definition of Damages is to be found in a list of those to which the term does not refer.  The positive side of the definition is straightforward and relatively simple.  Most of its components resemble the definition or characterizations of Damages found in so-called “real-world” policies, except for defense costs.  That matter is usually set forth else were in at least most policies. The “Damages do not include” section explicitly sets forth a number of situations to which the term Damages does not apply. These matters are usually found in exclusionary sections.

There are several special components “added” on, as it were, to the definition of Damages, which are “not included” in the definition section or other sections of so-called, “real-world” policies–as already stated, one would expect these to be in an exclusion section. The following are included among the not included:

#6. nearly 5 lines of activities which might have to be undertaken, including “Computer System of the Company, [its] security system and Electronic Publishing.”  Significantly,  Electronic Publishing includes Electronic Data, and other things, objects, events, and activities.  [MSQ:  Obviously this definition of what is not included in the a covered definition is enormously complex.] 

#7. “any discount, coupon, prize, award, redemption or other incentives;”

#8. “Bodily Injury or “Property Damage;”  [MSQ: It is easy to see why they are let’s say excluded, by definition, they are two of the principal coverages under some significant “real world” insurance policies, e.g., the Commercial General Liability.

#9. Business Interruption Income Loss, Claim. . . . Regulatory Proceeding.  [In total, there are 13 separate categories included in this “not included in the definition of Damages” category.]

 And so forth. Significantly, all definitions found in the definition section are used throughout the policy.  In many “real world” policies, different sections may have at least some different definitions
The list of exclusions is a long, long one, so not many of them can be addressed.  Some are repetitions of what is in the definition or the “not included” definition of Damages and perhaps elsewhere to boot. Many of them resemble or are analogs of exclusions found in so-called “real world” policies.
For example, there is an exclusion for Losses resulting from various causes, most of them contract-based (or likely contract-based).  It is more complex than the usual exclusion of that sort; it takes up 7 lengthy subsections. Perhaps what is happening here is that given the “new-ness” of this type of policy, the insurer is trying to make sure nothing is left out. Perhaps it believes that details cut exposure. Of course, this may be wrong. It may be that all they do is create new exposures.
Here are some other exclusions:
  • based on actions brought by some trade associations, particularly an international array of those from the IP sector
  • based on violations of various statutes
  • resulting from various kinds of discrimination
  • resulting from various types of unsolicited cyber misconduct
  • thefts of various sorts
  • IP misconducts of various sorts related to thefts  [Some of these pertain to the proposition that there is no insurance for many types of intentional acts and especially for those involving crimes.]
  • mechanical and electrical faults
  • gambling, etc.
Thus, this insurance policy in general and perhaps this section, in particular, resemble “real world” insurance policies, but in vastly more important ways, they are a new species–one filled with new ideas, new definitions, and new coverages. Interestingly, most of the new coverages are, in one way or another, topics widely discussed in various media.
Now, for Insuring Agreement I.D Privacy Breach Expenses Coverage.  See Part V.