Cyber Risks: Three Basic Structural Issues to Resolve

  • Leo P. MartinezEmail author
Part of the AIDA Europe Research Series on Insurance Law and Regulation book series (ERSILR, volume 1)


The incidence of cyber liability and cyber losses, collectively cyber risks, have increased greatly over the last several years. To add to the problem, cyber risks also expose insureds to statutory liability.

The increasing number of incidents has given rise to an important question: “to what extent is liability for data breaches covered by a CGL or other sort of insurance policy?” Insurers have responded by including exclusions to mass data breaches in their CGL policies and offering separate plans (with high premiums) to cover such an event. However, insurers face a problem in drafting these policies because there is a lack of judicial information about how these policies will be interpreted by the courts. Without a thorough case history, insurers cannot confidently draft these policies to exclude (or price in) certain high-risk practices.

In this vacuum, several aspects of cyber liability require resolution. A short list of issues will illuminate the problem.
  1. 1.

    The definitional boundaries of exactly what is meant by cyber liability or loss is a basic systemic problem. The range of possible types of losses already seems daunting. It does not bode well if the insurance industry and policyholders face scores of coverage cases regarding cyber liability or loss coverage issues that seem only limited by human ingenuity.

  2. 2.

    Will exclusions for cyber liability or losses be effective? The insurance industry’s odyssey with respect to the pollution exclusion suggests that a trial and error approach spanning 20 years is not a good idea.

  3. 3.

    Are coverage provisions regarding cyber liability and losses effective? If so, do they affect the basic duties to indemnify and defend?


This paper addresses the three issues above with the aim of providing a framework for resolution.


  1. 42 U.S.C. § 1320d–5Google Scholar
  2. America Online, Inc. v. St. Paul Mercury Ins. Co., 347 F.3d 89, 95 (4th Cir. 2003)Google Scholar
  3. American Guar. & Liab. Ins. Co. v. Ingram Micro, Inc., 2000 U.S. Dist. LEXIS 7299; 2000 WL 726789 at 7Google Scholar
  4. Anthem Elecs., Inc. v. Pac. Emplrs. Ins. Co., 302 F.3d 1049 1058-59 (9th Cir. 2002)Google Scholar
  5. Apache Corp. v. Great American Ins. Co., 662 Fed. Appx. 252, 258-59 (5th Cir. 2016)Google Scholar
  6. Ashland Hosp. Corp. v. Affiliated FM Ins. Co., 2013 U.S. Dist. LEXIS 114730 at 18-19 (E.D. Ky. 2013)Google Scholar
  7. Ashland Hosp. Corp. v. Affiliated FM Ins. Co., 2013 U.S. Dist. LEXIS 114730 at 18-19 (E.D. Ky. 2013)Google Scholar
  8. Boyce R (2001) Vulnerability assessments: the pro-active steps to secure your organization. SANS Institute.
  9. Buchanan J, Cho D, Rawsthorne P (2018) When things get hacked: coverage for cyber-physical risks. ABA Litigation Section, Insurance Coverage Litigation Committee.
  10. Buchanan JG, Gallozzi MS (2018) Kicking the tires on a new cyber policy: top tips and traps. American Bar Ass’n.
  11. Centennial Ins. Co. v. Applied Health Care Sys., Inc., 710 F.2d 1288, 1290 (7th Cir. 1983)Google Scholar
  12. Computer Corner, Inc. v. Fireman’s Fund Ins. Co., 132 N.M. 264, 266 (N.M. Ct. App. 2002)Google Scholar
  13. Cope CE, Reynolds I (2015) “Breaking Bad” in Cyberspace: A Challenge for the Insurance Industry. Emerging Issues 7296Google Scholar
  14. Doherty KR (2017) The Art of (Cyber) War. Intell Prop Technol Law J 29(6):16Google Scholar
  15. Dominitz EJ (2017) To err is human; to insure, divine: shouldn’t cyber insurance cover data breach losses arising (in whole or in part) from negligence? The Brief 46(4):32, 33 (describing cyber losses as “not just a passing fad”)Google Scholar
  16. Enigbokan O, Ajayi N (2017) Managing cybercrimes through the implementation of security measures. J Inf Warf 16:112, 114Google Scholar
  17. Eyeblaster, Inc. v. Fed. Ins. Co., 613 F.3d 797, 802 (8th Cir. 2010)Google Scholar
  18. First Bank of Del., Inc. v. Fid. & Deposit Co. of Md., 2013 Del. Super. LEXIS 465 at 5-7Google Scholar
  19. First Commonwealth Bank v. St. Paul Mercury Ins. Co., 2014 U.S. Dist. LEXIS 141538; 2014 WL 4978383 at 10-11Google Scholar
  20. Garrie D, Mann M (2014) Cyber-security insurance: navigating the landscape of a growing field. J Marshal J Inf Technol Priv Law 31:389–390Google Scholar
  21. Hartwig RP, Wilkinson C (2014) Cyber risks: the growing threat. Insurance Information Institute.
  22. InComm Holdings Inc. v. Great Am. Ins. Co., 2017 U.S. Dist. LEXIS 38132; 2017 WL 1021749 at 23Google Scholar
  23. Insurance Services Office, Inc. (2013) Exclusion — Access or Disclosure of Confidential or Personal Information and Data-Related Liability — With Limited Bodily Injury Exception, CG 21 06 05 14 Google Scholar
  24. Jerry RH, Mekel ML (2001) Cybercoverage for cyber-risks: an overview of insurers’ responses to the perils of E-Commerce. Conn Inst Law J 7:11–17Google Scholar
  25. Latham & Watkins (2014) Cyber Insurance: A Last Line of Defense When Technology Fails.
  26. Martinez LP, Richmond DR (2018) Insurance law, 8th edn. West Publishing CoGoogle Scholar
  27. Matthew Bender & Company, Inc. (2nd 2011) Appleman on Insurance Law & Practice Archive. 20-129 § 129.2Google Scholar
  28. N.Y. Comp. Codes R. & Regs. tit. 23, § 500.00 (2017)Google Scholar
  29. N.Y. Comp. Codes R. & Regs. tit. 23, §§ 500.02-500.17 (2017)Google Scholar
  30. Nitardy ME (2017) Fraud involving a computer is not automatically “Computer Fraud”. Brief 46(4):27Google Scholar
  31. O’Donnel B, Oonk LA (2017) Changes in latitudes, changes in attitudes: looking back over 25 years of coverage litigation. Brief 47:10–11Google Scholar
  32. OOIDA Risk Retention Grp., Inc. v. Griffin, 2016 U.S. Dist. LEXIS 57469 at p. 15 (E.D. Va. 2016)Google Scholar
  33. Oshinsky J, Lee K (2010) Insurance coverage for cyber crimes. L.A. DAILY J. 14 April 2010.
  34. Ostrander B (2006) Chasing Moore’s Law: information technology policy in the United States. J High Technol Law 5:1Google Scholar
  35. P.F. Chang’s China Bistro, Inc. v. Federal Insurance Company, No. CV–15–01322–PHX-SMM, 2016 WL 3055111 (D. Ariz. May 31, 2016)Google Scholar
  36. Ponemon L (2016) 2016 Cost of data breach study: global analysis. Ponemon Institute. Available at
  37. Retail Sys., Inc. v. CNA Ins. Cos., 469 N.W.2d 735 (Minn. Ct. App. 1991)Google Scholar
  38. Retail Ventures, Inc. v. Nat’l Union Fire Ins. Co., 691 F.3d 821, 824-26 (6th Cir. 2012)Google Scholar
  39. Romanosky S et al (2017) Content analysis of cyber insurance polices. Rand Corp WR-1208:3, 14Google Scholar
  40. Schwarcz D (2017) Coverage information in insurance law. Minn Law Rev 101:1500-02Google Scholar
  41. Selective Way Ins. Co. v. Crawl Space Door Sys., 162 F. Supp. 3d 547, 551 (E.D. Va. 2016)Google Scholar
  42. Southeast Mental Health Ctr., Inc. v. Pac. Ins. Co., 439 F. Supp. 2d 831, 838 (W.D. Tenn. 2006)Google Scholar
  43. State Auto Property & Cas. Ins. Co. v. Midwest Computers & More, 147 F. Supp. 2d 1113 (W.D. Okla. 2001)Google Scholar
  44. Stephens JF, Tilton MW (2017) Lawyers still lag behind in network and information security risk management: clients and regulators demand more. Brief 46(4):12, 15Google Scholar
  45. Sun M (June 21, 2018) Europe’s Privacy Law Fails to Stoke Demand for Cyber Insurance, WSJ B10Google Scholar
  46. Travelers Indemnity Co. v. Portal Healthcare Solutions, LLC, 35 F. Supp. 3d 765 (E.D. Va. 2014), aff’d per curiam, 644 Fed. Appx. 245 (4th Cir. 2016)Google Scholar
  47. Union Pump Co. v. Centrifugal Tech., Inc., 2009 U.S. Dist. LEXIS 86352 (W.D. La. 2009) (electronic data is not tangible property)Google Scholar
  48. Ward General Ins. Services, Inc. v. Employers Fire Ins. Co., 114 Cal. App. 4th 548, 556 (2003)Google Scholar
  49. WMS Indus. v. Fed. Ins. Co., 588 F. Supp. 2d 730, 733-34 (S.D. Miss. 2008)Google Scholar
  50. Wood SA et al (2017) Aviation and cybersecurity: an introduction to the problem and the developing law. Brief 46(4):38–39Google Scholar

Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  1. 1.University of California, Hastings College of the LawSan FranciscoUSA

Personalised recommendations