Beware the Bold; Interpreting Defined Terms in Insurance Contracts

Author: Robert Whelan

Most policy forms contain defined terms or phrases that have very special and often very specific meanings. Insurers use these terms and phrases to limit the scope of coverage afforded by the policy. These defined terms are easily identified as they are capitalized and in Bold lettering throughout the policy (they can also appear in italics, be underlined, in “quotation marks” or any combination thereof).

Understanding how to interpret these defined terms is critical as they can change how coverage is afforded under the policy.

A good example of this coverage ambiguity was found in a cyber liability policy I recently reviewed. Although cyber insurance is often referred to as ‘liability’ coverage, the policy is truly intended to provide first-party coverage to the insured. The “liability” or third-party coverage that is afforded only applies to another’s data in the care, custody or control of the insured.

In the cyber liability policy below, the Insuring Agreement states that the policy provides “Data & Network Liability” coverage:

Data & Network Liability

    To pay Damages and Claims Expenses, which the Insured is legally obligated to pay because of any Claim first made against any Insured during the Policy Period for:

    1. a Data Breach;

    2. a Security Breach;

At first glance, one would presume that liability (i.e. third-party) coverage is afforded under this policy. However, when we take a closer look at the bolded terms, that is not the case at all:

Data Breach:

    Data Breach means the theft, loss, or Unauthorized Disclosure of Personally Identifiable Information or Third Party Information that is in the care, custody or control of the Insured Organization or a third party for whose theft, loss of Unauthorized Disclosure of Personally Identifiable Information or Third Party Information the Insured Organization is liable.

This definition is often misinterpreted as providing Data Breach coverage to a third party. However, this definition translates as coverage being afforded for 1) third-party information that is in the care, custody or control of the Insured, or 2) third-party information that is held by a third party (e.g. a contractor, vendor, etc.) for whom the Insured is liable.

It does not provide Data Breach coverage for any third-party data that is not in the possession of the Insured or of a contractor, vendor, etc. for whom the Insured is liable.

Security Breach:

    Security Breach means a failure of computer security to prevent:

    1. Unauthorized Access or Use of Computer Systems, including Unauthorized Access or Use resulting from the theft of a password from a Computer System or from any Insured;

    2. a denial of service attack affecting Computer Systems;

    3. With respect to coverage under the Liability insuring agreements, a denial of service attack regarding computer systems that are not owned, operated or controlled by an Insured; or

    4. Infection of Computer Systems by malicious code or transmission of malicious code from Computer Systems.

In this definition, it is important to understand what the bolded term Computer Systems means, as it plays a critical part in the interpretation of coverage for a Security Breach. According to the underwriter of this specific policy, with whom I conferred, Computer Systems refers to the Insured’s computer system(s), not to a third party’s computer system(s). Therefore, Computer Systems is to be interpreted as the (Insured’s) Computer System.

So, looking at Parts 1. and 2. of Security Breach, they are straightforward in that they only apply to first-party coverage.

Part 3. addresses the liability coverage to be afforded under a Security Breach. Notice that the term ‘computer systems’ is not bolded. That is because ‘computer systems’ here is intended to be interpreted with its natural and ordinary meaning (i.e. anyone’s computer systems). If the term were bolded, then it would pertain to the (Insured’s) Computer Systems:

    3. With respect to coverage under the Liability insuring agreements, a denial of service attack regarding the (Insured’s) Computer System that are not owned, operated or controlled by an Insured; or

…doesn’t make sense, right? By not bolding computer systems, Part 3. clearly intends to provide liability (third-party) coverage for a denial of service attack.

In Part 4., Computer Systems is back to a bolded term. Keep in mind that Computer Systems is confirmed to be the (Insured’s) Computer System:

    4. The infection of the Computer System by malicious code or transmission of malicious code from the Computer System.

“An infection of the Insured’s Computer System…from the Insured’s Computer System”…doesn’t make sense either. That is because Part 4. is not intended to provide coverage to a third party’s computer system.

If Part 4. were intended to provide third-party coverage, the insurer would have left the first ‘computer systems’ unbolded, as it did in Part 3., making it pertain to the infection of anyone’s computer system:

    4. The infection of computer systems by malicious code or transmission of malicious code from Computer Systems.

Or the insurer could have used ‘and’ in the place of ‘or’, which would read that the Insured’s Computer System was infected by a malicious code and then the transmission of said infection came from the Insured’s Computer System:

    4. The infection of Computer Systems by malicious code and transmission of malicious code from Computer Systems.

One could also argue that inserting a comma into the original wording would also afford third-party coverage:

    4. The infection of Computer Systems by malicious code, or transmission of malicious code from Computer Systems.

However, the lack of a comma leaves the interpretation of the definition open, so you must refer back to how the policy uses the bolded, and non-bolded, term ‘Computer Systems’ throughout the policy.

Any one of these changes would change the meaning of a Security Breach to possibly afford coverage to a third-party computer system. However, as it is written, it does not.

Insurance policies are contracts of adhesion, meaning they are written by one party only and the other party can either accept the contract “as is” or reject it. There is very little power for the insured to negotiate the policy’s terms. However, in most states the insured is responsible for reading and understanding the policy they have purchased. Understanding how to read an insurance policy is something that takes some level of experience. While it may be an exceptionally tedious task, understanding the definitions provided in an insurance policy can mean the difference between a covered and non-covered claim. It is better to understand the coverage afforded under your policy(s) before a loss occurs rather than being surprised on the back end.