Some Significant & Representative Cyber Insurance Cases First Period

Part I

There are not very many reported cyber insurance cases.  There are plenty of civil (and criminal cases) about the so-called cyber-world), but direct, focused, coverage, or similar cases are very few in number—almost none in the Twentieth Century.   There were more in the early Twentieth Century, but as they have evolved, the topics of those cases are probably passé.  There are many
more cases now; that arise from (1) the exponential growth of computer technology, following what is called “Moore’s Law”—something which is not a scientific law at all, (2) the increasing number of diverse insurance policies offered, sold and bought, and (3) the growth of the market’s need for cyber-lawyers.  Category (3) to a degree of certainty vastly exceeding that of  Moore’s Law, where the market wants transactional lawyers, it will need litigation lawyers.

Two Cases of the “Earlier Period”

Most cyber insurance judicial analyses of 10 or more years, 1994-2004 approximately, concerned two principal issues. They are concerned insurability of interactions between the cyber-world and the real world.  There were a number of these cases, but most are not worthy of substantive, attention nowadays, at least for the purposes of this blog, given what the insurance issues turned on, to wit: what counted as a material object and how the various policies interacted with that conceptualization. (Don’t let me mislead you into the idea that they are unworthy of being cited in briefs, etc.  Many of the subordinate citations in briefs, coverage opinion letters, law review articles, and so forth are designed to show that there is or has been a wide agreement as to some
proposition(s) of law under at least some circumstance. This is valuable in and of itself, though not always necessary, for example, in this essay.)
 
It seemed and seems obvious that cyber-world events can causally impact the real world in a variety of insurable ways. Elements of the cyber-world can inflict damage on a material object. They can cause physical injury to tangible property and/or the loss of the user whether physically damaged or not. They can also cause bodily injury. Here is an example, sort of.  According to a recent article in the trade periodical Business Insurance, insurance companies are designing a new maritime policy designed to insure against bodily and property damages caused by cyber risks. AIG is apparently the leader of this fraction of the industry, it is reported. Judy Greenwald, Insurers Develop Cyber Cover for Maritime Industry (May 12, 2014).

The question asked in lawsuits and elsewhere is the reverse of this. Can events in the real world cause injuries to parts of the cyber world, e.g., data. The insurance questions asked are like this: Can negligent work in the real world cause covered injuries to
inhabitants of the cyber world?  And here’s another one: If there is negligent work repairing a computer that damages the computer, do the consequences of the damage to a tangible physical object cause insurable injuries in the cyber world?  To some extent answers to this question turn on matters of metaphysics aka ontology.  What is it to be a physical entity?  What is it to be a material substance (or thing)?
  
These are questions about interactions between the real world and the cyber world. Notice that the cyber insurance questions are to be answered differently, perhaps, than the non-insurance questions.  This makes the meaning of the insurance policies crucial to these disputes.  That should come as a surprise to no one.
 
Although the current near consensus on the insurance is “No,” at least for standard policies of the real world, e.g., the CGL policy, there is an aggressive plaintiff lawyer who tries to pursue the opposite conclusion, for example, in some class actions. The now established proposition regarding insurance questions was recognized as nonsense for bodily injury and property damage quickly because of the idea that tangibility was built into the idea of property in most first and many third-party policies.
 
At the same time, it must be remembered that CGL policies also cover some physical non-injuries. An example of the opposite in the first party case is the insuring of money, stamps, bonds, ideals, and so forth. All of these ideas are built into some third-party
policies, CGL’s coverage B is like this. There are more. Legal malpractice is like that, as will be discussed briefly in §IV, as copyright on music. It has been mostly taken as true that a physical object could not cause physical injury to components of the cyber world, since they are usually understood not to be material objects, though it was conceded that such a thing could happen in a number of ways, (none of them leading to insurance under a CGL type policy). It doesn’t even work for legal malpractice, etc., because the immediate injury is what is inflicted on a person, whether a real person or an abstract entity, often also called a “person.”  Nevertheless, a few—very few—“ancient” cases reached an opposite conclusion, saying that the destruction of data can, under some come circumstances, be property damage.
 
The second question is the reverse of the first question. How should damages inflicted on components of the cyber-world by the real world be thought about?  The received answer is that since the components of the cyber-world are not tangible, they cannot be property, and so there is no coverage under CGL-type policies. This observation is true even if what is called “the cyber-world” and the “real-world,” i.e. the material world, are really part of one world.
 
Here, are two examples of cases in those early days. In one case, the court found that the definition of “property damage” was ambiguous and therefore covered data.  The opposite, however, was decided in the other case.
 
One case that is regarded as a leading case is Ward General Insurance Services v. Employers Fire Insurance Company, 114 Cal. App. 4th 548 (2003).  The facts are simply described, even if they were not simple in real life.  The plaintiff was working on a computer; there was a human error; data was lost. It cost the plaintiff over $250,000 to restore the data and caused the business interruption. The question was whether the loss of the data was a “direct physical loss.” Both the trial court and the court of appeals said
“No”:
 
The word “physical” is defined, inter alia, as “having material existence” and “perceptible esp. through the senses and subject to the laws of nature.” (Merriam-Webster’s Collegiate Dict. (10th ed. 1993) p. 875.) “MATERIAL implies formation out of tangible matter.” (Id. at p. 715.) “Tangible” means, inter alia, “capable of being perceived esp. by the sense of touch.” (Id. at p. 1200.) Thus, relying on the ordinary and popular sense of the words, we say with confidence that the loss of the plaintiff’s database does not qualify as a
“direct physical loss,” unless the database has a material existence, formed out of tangible matter, and is perceptible to the sense of touch.
 
A “database” is a “large collection of data organized esp. for rapid search and retrieved (as by a computer).” (Merriam-Webster’s Collegiate Dict. (10th ed. 1993) p. 293.) “Data is defined, quite simply, as factual or numerical “information.” (Ibid.) Thus, the loss
of a database is the loss of organized information, in this case, the loss of client names, addresses, policy renewal dates, etc.
 
 We fail to see how information, qua information, can be said to have a material existence, be formed out of tangible matter, or be perceptible to the sense of touch. To be sure, information is stored in a physical medium, such as a magnetic disc or tape, or
even as papers in three-ring binders or a file cabinet, but the information itself remains intangible. [Emphasis added.]  Here, the loss suffered by the plaintiff was a loss of information, i.e., the sequence of ones and zeroes stored by aligning small domains of magnetic material on the computer’s hard drive in a machine-readable manner. Plaintiff did not lose the tangible material of the storage medium. Rather, the plaintiff lost the stored information. The sequence of ones and zeroes can be altered, rearranged, or
erased, without losing or damaging the tangible material of the storage medium.

A case cited for the proposition that data is a physical object and therefore sustains “property damage” when destroyed or made unusable, is a Texas case. (This does not say that “data damage” is “property damage,”). Lambrecht & Associates v. State Farm Lloyds, 119 S.W.3d 16 (Tex. App.–Tyler, 2003 pet.). There were two separate arguments being used in this case, although they are not separated. 
 
The court noted that there are cases holding that data are physical objects and hence that they sustain “property damage” when injured. Those cases “focus on the physical nature of the data itself and debate whether or not it can be dissolved into a quantitative mass or is merely transcendental.” Instead, “the losses alleged by [the plaintiff] are covered by the policy as can be determined by analyzing the policy itself.  We need not attempt to compose such an erudite thesis because”  the issue can be
resolved by analyzing the policy.
 
Here the policy contained provisions that explicitly determined coverage. First, the policy indicated that it covered damages to personal property of a business of the policyholder at a covered location.  What was damaged was the server; it is incontestable that servers are physical objects, and it was rendered useless.  That’s obviously covered.  In order to fix it, or restore it, there had to be the finding of, or otherwise dealing with, the server’s function, and the sort of substance upon which it did its work. (It seems to me that it would not matter whether that was physical or not. That, however, was not an explicit issue in this case.)
 
The court also considered that the policy explicitly said in its loss of income section that “electronic media and records” are covered.  In turn, that phrase is defined in part as [a] “electronic data processing, recording or storage media such films, tapes, discs, drums or cells; [b] data stored on such media; or [c] programming records used for electronic data processing. . . .”  On the basis of this language, the court held “that the plain language of the policy dictates that the personal property losses alleged by [the plaintiff]  were ‘physical’ as a matter of law.”  Section [b] it seems to me, makes this conclusion obvious and ironclad.  This conclusion, however, implies nothing about policies that do not have this or this kind of language in them.
 
Alas, the issue regarding property damage in these kinds of cases has not completely croaked.  It gets revived from time to time.  However, it usually arises in cases in which huge amounts of information are released; the insured commercial entity, often a large retail entity, is subject to a class action, and it sues its insurer for coverage.  Bodily injury and property damages claims in the underlying lawsuit usually were never serious, except to try to trigger a duty to defend, and they drop out of serious contention quickly.  
 
The question asked in lawsuits and elsewhere is the reverse of this. Can events in the real world cause insured injuries to parts of the cyber world, e.g., data?  The insurance questions asked are like this:

Can negligent work in the real world cause covered injuries to inhabitants of the cyber world?  And here’s another one:
If there is negligent work repairing a computer that damages the computer, do consequences of the damage to a tangible physical object cause insurable injuries in the cyber world?  Remember. Two of the main categories of covered injuries or damages in standard policies in the so-called real world are bodily injury and injury to tangible property.
 
These are questions about interactions between the real world and the cyber world. Notice that the cyber insurance questions are to be answered differently, perhaps, than the non-insurance questions.  This makes the meaning of the insurance policies crucial to these disputes.  That should come as a surprise to no one.
 
Although the current near consensus on the insurance is “No,” at least for standard policies of the real world, e.g., the CGL policy, there is an aggressive plaintiff lawyer who tries to pursue the opposite conclusion, for example, in some class actions. The now established proposition regarding insurance questions was recognized as nonsense for bodily injury and property damage quickly because of the idea that tangibility was built into the idea of property in most first and many third-party policies.
 
At the same time, it must be remembered that CGL policies also cover some physical non-injuries. An example of the opposite in the first party case is the insuring of money, stamps, bonds, ideals, and so forth. All of these ideas are built into some third-party
policies, CGL’s coverage B is like this.  There are perils in that coverage—its “Coverage B”—that do not require tangibility as the human body and physical property do. There are more; copyright violations, e.g., on music and videos are a couple; sometimes patent torts are another, and most important some forms of privacy are yet another.  (Various kinds of malpractice are covered in
real-world policies, and some of them may cover conduct “in” the cyber world.  Med mal cannot be like that, for obvious reasons.) It has been mostly taken as true that a physical object could not cause physical injury to components of the cyber world, since they are usually understood not to be material objects, though it was conceded that such a thing could happen in a number of ways, (none of them leading to insurance under a CGL type policy). It doesn’t even work for legal malpractice, etc., because the immediate injury is what is inflicted on a person, whether a real person or an abstract entity, often also called a “person.”  Nevertheless, a few—very few—“ancient” cases reached an opposite conclusion, saying that the destruction of data can, under some come circumstances, be property damage. There will be further discussion of Coverage B in a later blog.
 
The second question is the “reverse” of the first question. How should damages inflicted on components of the cyber-world by the real world be thought about?  The received answer is that since the components of the cyber-world are not tangible, they cannot be physical property, and so there is no coverage under CGL-type policies. This observation is true even if what is called “the cyber-world” and the “real-world,” i.e. the material world, are really part of one world.
 
Whether there is coverage for something, and this will be determined by analyzing the insurance policy itself.  We need not attempt to compose such an systematic and erudite theory as to potential coverages, because the issues can be resolved by analyzing the relevant insurance policy, and—actually—not otherwise.
 
Here the policy contained provisions that explicitly determined coverage. First, the policy indicated that it covered damages to personal property of a business of the policyholder at a covered location.  What was damaged was the server; it is incontestable that servers are physical objects, and it was rendered useless.  That’s obviously covered.  In order to fix it, or restore it, there had to be the finding of, or otherwise dealing with, the server’s function, and the sort of substance upon which it did its work. (It seems to me that it would not matter whether that was physical or not. That, however, was not an explicit issue in this case.)
 
Alas, the issue regarding property damage in these kinds of cases has not completely croaked.  It gets revived from time to time.  However, it usually arises in cases in which huge amounts of information are released; the insured commercial entity, often a large retail entity, is subject to a class action, and it sues its insurer for coverage.  Bodily injury and property damages claims in the underlying lawsuit usually were never serious, except to try to trigger a duty to defend, and they drop out of serious contention
quickly.  Nevertheless, a few—very few—“ancient” cases reached an opposite conclusion, saying that the destruction of data can, under some come circumstances, be “property damage.”  This view can’t be right. Property in the cyber world is not tangible.

Before closing and moving on the Period Two, I need to explain the last piece of the title, the locution “(Minus One).” Early in 2012, the Appellate Court of Connecticut decided a case styled Recall Total Information Management v. Federal Insurance Company, 147 Conn. App. 450 (Conn. App. January 14, 2014). Some have suggested that it may have been an attempt to  resurrect the themes of the “First Period.”  That’s the wrong answer, but this is not the place to prove it.