BlogLine

Could Facebook’s $5 Billion FTC Fine for Privacy Violations be Covered by Cyber Insurance?

8/14/19


By: Isis Miranda

A similar question was posed to me recently at a conference where I was speaking about the GDPR (European General Data Protection Regulation): “Could my company just buy insurance instead of worrying about whether our China-based vendors are complying with the GDPR?” The audience chuckled. But the question raises important and complex issues, one of which is whether civil fines are insurable and, more importantly, whether they should be.

Record-breaking fines recently announced by the FTC (Federal Trade Commission), including $5 billion against Facebook and up to $700 million against Equifax, and proposed fines by the ICO (the UK’s Information Commissioner’s Office), including £183 million against British Airways and £99 million against Marriott, combined with the approaching arrival of the CCPA (California Consumer Privacy Act), a sweeping GDPR-like privacy law, have increased anxiety over the insurability of these fines.

Traditional insurance policies generally do not cover regulatory fines, but many cyber policies do. These insuring provisions, which typically provide coverage for civil fines and penalties levied by any regulator worldwide arising from a data breach “where insurable by law,” have yet to be scrutinized by a court. Uncertainty over whether courts may void these policy provisions as being contrary to public policy prompted the Global Federation of Insurance Associations to request assistance from the OECD (Organisation for Economic Co-operation and Development), explaining that “there is international confusion as to the insurability of fines and penalties” and stating that “OECD work to clarify this issue would benefit consumer and insurer contract certainty.”

Answering this question is no easy task. Starting with the question of whether these fines are insurable, one immediately finds that there are no legislative pronouncements or court decisions addressing the issue in the context of a cyber policy that expressly provides coverage for regulatory fines. And efforts to predict how a court might rule once the issue is raised, as it inevitably will be, are stymied by the disarray of the current case law in the related areas of punitive and statutory damages. This diversity of opinion reflects the complexity of the underlying question – whether such fines should be insurable. Courts struggle with questions, such as who should decide – legislators, judges, insurance companies? And what criteria should be applied in making the decision? Should the decision apply to all civil fines and penalties issued pursuant to a given regulation or should the issue be decided on a case-by-case basis for each violation?

In the U.S. the decisions of courts across the country regarding the insurability of punitive damages are, well, all over the map. These decisions vary in their approach to reconciling the language of the insurance policy at issue with public policy considerations in the approximately 20 states that prohibit insurance for directly assessed punitive damages, including decisions that:

  1. prohibit insurance for punitive damages, even if the policy expressly provides coverage;
  2. prohibit insurance for punitive damages, unless the policy expressly provides coverage;
  3. do not prohibit insurance for punitive damages but do not interpret policies as covering them, unless expressly included; and
  4. do not prohibit insurance for punitive damages and interpret policies as covering them, unless expressly excluded.

It is unclear whether courts will address coverage for fines and penalties in similar fashion. States that do not prohibit punitive damages could, nonetheless, place restrictions on insurance for civil fines and penalties beyond existing limits on insuring intentional conduct. And vice versa. Thus far, a few courts have applied the prohibition on punitive damages to civil fines and penalties without addressing the distinctions between the two. For example, in City of Fort Pierre v. United Fire and Casualty Company, 463 N.W.2d 845 (S.D. 1990), the federal government sued the City of Fort Pierre seeking civil penalties due to violations of the Clean Water Act of 1977. The South Dakota Supreme Court held that the civil penalties were punitive in nature and thus precluded from being covered under the City’s insurance policy. A dissenting justice disagreed, stating: “Before punitive damages may be awarded, malice on the part of the party from whom the punitive damages are sought must be shown. No similar requirement exists for the imposition of the civil penalty. Therefore, the civil penalty the United States sought to have imposed upon the City of Ft. Pierre cannot be equated to punitive damages.” Similarly, in Bullock v. Maryland Casualty Company, 85 Cal. App. 4th 1435 (Ct. App. 2001), the California Court of Appeal held that civil fines are not insurable without addressing the fact that the public policy prohibiting insurance for punitive damages was expressly limited to punitive damages that were assessed upon a finding of fraud, oppression or malice. City Products Corporation v. Globe Indemnity Company, 88 Cal. App. 3d 31 (Ct. App. 1979). It will be interesting to watch how the case law evolves as coverage battles involving cyber policies that expressly provide coverage for fines and penalties percolate through the courts.

Now to the question we started with. Without knowing the contents of Facebook’s insurance policy, we can only speculate as to its terms, including which state’s laws would apply to interpret the policy. But we would not be going out on a limb by saying that the $5 billion FTC fine likely exceeds policy limits. Facebook will not garner much sympathy, given that it inarguably violated the FTC’s 2012 order and can readily afford the $5 billion fine. And there is concern that allowing companies to obtain insurance to cover civil penalties for violating data privacy and security statutes would discourage them from making the investments necessary for compliance. But the reality is more nuanced. Small- and medium-sized businesses, in particular, benefit from the data security assessments, cyber risk consulting services, and preferred vendors that are made available by many cyber insurance carriers, which serves to increase compliance with related statutes. See, e.g., Kyle D. Logue & Omri Ben-Shahar, “Outsourcing Regulation: How Insurance Reduces Moral Hazard” (Coase-Sandor Institute for Law & Economics Working Paper No. 593, 2012). These issues will, no doubt, continue to be debated for many years to come.

Amidst all this uncertainty, one thing is sure: the future will be fascinating.

If you have any questions or would like more information, please contact Isis Miranda at isis.miranda@fmglaw.com.