Should commercial general liability insurers be concerned about potential indemnity coverage arising from the NY SHIELD Act?
In the midst of uncertainty surrounding the coronavirus, New York’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act went into full effect on March 21, 2020, creating new data privacy and cybersecurity requirements for companies that own, license, or maintain computerized data that include any New York resident’s private information, whether or not the company is located in New York.[1] The Act imposes various penalties including $20 for each failure to notify a New York resident of a breach of that resident’s private information (capped at $250,000), and an uncapped penalty of up to $5,000 for each instance of certain other data protection violations. As we discuss below, though it appears unlikely that suits seeking recovery under the Act, which only the Attorney General may prosecute, will trigger coverage under standard commercial general liability (CGL) policies, the Act may influence the standard of care to which such businesses may be held, and thus give rise to suits by the consumers it is designed to protect that may trigger coverage under such policies.
Coverage for data-breach claims, if any, falls under the standard CGL policy’s Coverage B. The standard Coverage B insuring agreement covers “those sums that the insured becomes legally obligated to pay as damages because of any ‘personal and advertising injury’” to which the policy applies. The standard CGL policy defines “personal and advertising injury” to include “oral or written publication, in any manner, of material that violates a person’s right of privacy.”
Although data breaches of the kind addressed in the Act may thus fit this definition, state insurance laws often prohibit coverage as a matter of public policy for fines and penalties of the kind imposed under the Act. For example, New York has an “unswerving policy against permitting insurance indemnification for punitive damage awards,” Zurich Ins. Co. v. Shearson Lehman Hutton, Inc., 84 N.Y.2d 309, 321 (1994), because such coverage would “defeat the purpose of punitive damages, which is to punish and to deter others from acting similarly.” Hartford Acc. & Indem. Co. v. Village of Hempstead, 48 N.Y.2d 218, 226 (1979). This policy has been applied to bar coverage for common-law punitive damage awards as well as statutory penalties. See, e.g., McCabe v. St. Paul Fire & Marine Ins. Co., 79 A.D.3d 1612, 1614 (4th Dep’t 2012) (finding that public policy bars coverage of treble damages under Judiciary Law § 487, which authorizes such damages for certain attorney misconduct amounting to a misdemeanor); Rental & Mgmt. Assocs., Inc. v. Hartford Ins. Co., 206 A.D.2d 288, 288 (1st Dep’t 1994) (finding that public policy bars coverage of treble damages assessed under RPAPL § 853, which authorizes such damages where a person is evicted from real property “in a[n] . . . unlawful manner”); N.Y. Gen Counsel Op. 4-30-90 (Apr. 30, 1990) (opining that civil penalties assessable under ERISA for breach of fiduciary duty are not insurable).
Moreover, Coverage B is “limited to claims actually arising out of the torts enumerated in the policy” and thus may not be triggered by claims asserted by those who “would have no standing to bring” such tort claims, such as the Attorney General. Purdue Frederick Co. v. Steadfast Ins. Co., 40 A.D.3d 285 (1st Dep’t 2007).
Nevertheless, CGL insurers may still face indemnity exposure for claims arising out of an insured’s violation of the SHIELD Act. While consumers may not seek recovery under the Act, they may still refer to the standards set forth in the Act to support their claims of negligence or other tortious conduct against an insured in connection with a data breach.
For instance, the Act contains a “reasonable security requirement” mandating that “any person or business that owns or licenses computerized data which includes private information of a resident of New York shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information including, but not limited to, disposal of data.”[2]
The Act further states that unless a business can otherwise establish compliance, it must implement a data security program that includes various enumerated administrative, technical, and physical safeguards. In effect, the Act thus serves to set forth what the State of New York deems a “reasonable” data security program.
Consumer plaintiffs who have suffered harm as a result of a data breach will thus likely pay close attention to these provisions. Such plaintiffs often seek to recover costs for credit monitoring services or even funds lost due to unauthorized access to financial accounts following a data breach. A plaintiff who can establish that a violation of the Act proximately caused any such loss will likely be able to recover.
Any such recovery may fall within the Coverage B insuring agreement, and may ultimately give rise to coverage absent any policy exclusion that specifically addresses data breaches. Coverage may also be barred under policies that contain exclusions for damages arising from conduct that violates statutory law. Absent an applicable exclusion, and even though New York public policy may prohibit indemnity coverage with respect to those penalties issued by the Attorney General for a violation of the SHIELD Act, those damages alleged in private negligence actions may be covered.
[1] N.Y. State Tech. Law § 208 (McKinney).
[2] N.Y. Gen. Bus. Law § 899-bb(2)(a) (McKinney).