Court Rejects Insurer’s Expansive Reading of Data Breach Exclusion and Undefined Term “Data”


Many non-cyber policies include data breach exclusions, but few cases have addressed their scope.  In a recent case, a federal district court rejected an insurer’s broad interpretation of the term “data” as it was used in data breach exclusions in a multimedia liability policy. In Ellicott City Cable, the insurer contended that satellite television programming was “data” within the meaning of the exclusions.  The court found the term ambiguous, construed the ambiguity against the insurer, and ruled that the underlying lawsuit triggered the insurer’s duty to defend.  While the case did not involve a data breach, the decision demonstrates that data breach exclusions should be narrowly construed and also offers helpful guidance about interpreting the term “data” if it is undefined in a policy.

The underlying case involved a distribution arrangement between Ellicott City Cable and DirecTV, whereby Ellicott City Cable distributed satellite television programming to its customers. Apparently Ellicott City Cable was overzealous in serving its customers and allegedly distributed DirecTV’s programming beyond the scope of the contracts.  DirecTV sued Ellicott City Cable, alleging that Ellicott City Cable fraudulently obtained and distributed DirecTV’s programming.

Ellicott City Cable tendered the lawsuit to its multimedia liability insurer. The insurer denied coverage based on two exclusions.

The first exclusion barred coverage for claims “for or arising out of any actual or alleged . . . unauthorized access to, unauthorized use of, or unauthorized alteration of any computer or system, hardware, software, program, network, data, database, communication network or service, including the introduction of malicious code or virus by any person.”

By endorsement, the policy gave back coverage for “the failure to prevent a party from unauthorized access to, unauthorized use of, tampering with or introduction of a computer virus or malicious code into data or systems,” unless it resulted from the intentional conduct of the policyholder.

The insurer contended that both the main policy exclusion and the exclusion to the endorsement operated to preclude coverage of the DirecTV suit because DirecTV had alleged intentional unauthorized access by Ellicott City Cable to DirecTV’s satellite television programming, which constituted “data.”

The court rejected the insurer’s argument, holding that the term “data” in the exclusions was ambiguous, and, construing the ambiguity against the insurer, concluded that the satellite television programming was not “data.” First, the court noted that the policies did not define “data” and that the dictionary definition of “data” was broad.  Next, the court observed that “data” in the context of the two exclusions appeared to be related to the internet, computers, and digital matters rather than to television programming.  The court found unpersuasive the insurer’s argument that one form of DirecTV’s television programming was in fact digital matter.  DirecTV’s television programming also came in analog form; the court was unconvinced that the policies would cover unauthorized access to DirecTV’s analog programming but not unauthorized access to DirecTV’s digital programming.  Ultimately, the court decided that the insurer’s interpretation of “data” would be inconsistent with other provisions of the policies.  The policy provided coverage for piracy, defined as the wrongful use of copyrighted intellectual policy, which the court found included DirecTV’s television programming.  The insurer’s broad interpretation of “data,” the court explained, would effectively eliminate any coverage for piracy.

The court also noted that even if the data breach exclusions applied to DirecTV’s unauthorized use allegations, DirecTV’s complaint included other allegations that independently triggered the insurer’s broad duty to defend.