Home Page The Publication The Editor Contact Information Insurance Key issues Book Subscribe

Vol. 8 - Issue 2
February 6, 2019


ISO Data Breach Exclusion
And The Scott Baio Bobble Heads






Over the past few years talk in insurance coverage circles has been cyber, cyber, cyber, especially data breaches.  Much of that discussion has been on the drafting, marketing of, and applicability of cyber policies.  But ISO’s workhorse CGL policy – CG 00 01 – should not be ignored in this context.  Arguments are still made that its coverage, offered for invasion of privacy, applies to a data breach.  Indeed, ISO says it does in its August 28, 2013 Circular in conjunction with its filing of data breach exclusions (LI-CU-2013-059/LI-GL-2013-143). 

In an attempt to remove such coverage from a CGL policy, and transfer the risk to stand-along cyber policies, ISO introduced a mandatory data breach exclusion.  In general, it excludes coverage for “bodily injury,” “property damage,” and “personal advertising injury” “arising out of any access to or disclosure of any person’s or organization’s confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information.”  The exclusion then goes on to explain that it “applies even if damages are claimed for notification costs, credit monitoring expenses, forensic expenses, public relations expenses or any other loss, cost or expense incurred by you or others arising out of any access to or disclosure of any person’s or organization’s confidential or personal information.”
The applicability of ISO’s new data breach exclusion was before a New Mexico trial court in Wobbler, Inc. v. Land of Enchantment Property & Casualty Company, No. 17-2234 (N.M. Dist. Ct., 13th Judicial Dist., Cibola Cty., Jan 22, 2019). 

At issue was coverage for Wobbler, Inc. for a claim arising out of the hacking of its website.  Its list of customers and their purchases, within the past 18 months, was made available on the internet.  The hacking incident was publicized in the media.  The name Wobbler sounded familiar to Pete Clemenza.  He had seen a co-worker, Luca Brasi, frequently receive packages from Wobbler.  One time Clemenza had asked Brasi what was in the packages and Brasi gave an evasive answer.  Clemenza went on line and found Wobbler’s hacked data.  He discovered that, over the past year, Brasi had purchased five Scott Baio bobble heads from Wobbler.  Clemenza revealed to numerous company employees that Brasi had made these purchases.  Brasi was subjected to ridicule.   

Brasi filed suit against Wobbler for invasion of privacy.  Wobbler, based in New Mexico, sought coverage under its CGL policy issued by Land of Enchantment Property & Casualty Company.  LoE disclaimed coverage to Wobbler on the basis of the policy’s data breach exclusion.  The insurer saw it as a simple matter – Brasi’s claim against Wobbler was for “personal advertising injury,” specifically, invasion of privacy, arising out of disclosure of Brasi’s confidential or personal information.  Wobbler undertook its own defense and settled the claim with Brasi for $65,000.

Wobbler filed an action against Land of Enchantment for recovery of its defense costs and the settlement – around $100,000.  The parties filed competing motions for summary judgment.  In Wobbler, Inc. v. Land of Enchantment P&C, the New Mexico trial court held that the data breach exclusion did not apply.  The court awarded Wobbler $101,512. 

It was revealed that Brasi had posted photos of the Scott Baio bobble heads on his Facebook page.  Thus, as the court saw it, the information about Brasi’s purchases was not “nonpublic information,” as required to trigger the data breach exclusion.  The court rejected Wobbler’s argument that, despite the information about Brasi’s bobble head purchases being on Facebook, it was de facto non-public, as nobody would have had a reason to look for it.  In other words, Wobbler argued that it was not until the data breach and subsequent media stories, which gave rise to Clemenza’s web search, that the information about Brasi became public.  At the time of the breach its was essentially non-public.  But the court disagreed -- not willing to shake its head up and down.


That’s my time. I’m Randy Spencer. Contact Randy Spencer at

Website by Balderrama Design Copyright Randy Maniloff All Rights Reserved