CG 21 07: Exclusion – Access Or Disclosure Of Confidential Or Personal Information And Data-related Liability – Without Bodily Injury Exception
Current Edition: 12 19 · Full ID: CG 21 07 12 19
Have a CG 21 07?
Upload it for instant AI analysis — form identification, coverage impact, gap detection, and E&O risk scoring.
What Is CG 21 07?
This endorsement is the strictest cyber/data exclusion available for the CGL policy. It removes all coverage for data breach and privacy claims, including claims where the data breach results in someone being physically injured. Unlike CG 21 06, there is NO exception for bodily injury.
Technical Summary: Excludes all damages arising out of any access to or disclosure of confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit/debit card numbers, health information, and similar data. Also excludes loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data. Unlike CG 21 06, this form does NOT include a bodily injury exception — even BI arising from a data-related event is excluded. This is the most restrictive of the two ISO data exclusion forms.
What CG 21 07 Covers
No coverage additions documented.
What CG 21 07 Does NOT Cover
- -All bodily injury arising from access to or disclosure of confidential/personal information — NO exception
- -All property damage arising from data breach or unauthorized access to personal information
- -Personal and advertising injury related to data/privacy violations
- -Loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data
- -Notification costs, credit monitoring, forensic investigation, and regulatory penalties related to data events
- -Claims arising from unauthorized collection, use, or disclosure of personal data
Key Provisions
- ●NO bodily injury exception — this is the critical distinction from CG 21 06
- ●Exclusion applies regardless of whether the access or disclosure was intentional, negligent, or accidental
- ●Electronic data is broadly defined to encompass all forms of digital information
- ●The exclusion is absolute for data-related events — there is no carve-back whatsoever
Edition History
- • Expanded scope of excluded data-related liability
- • Updated definitions of electronic data for modern technology landscape
- • Clarified application to cloud, SaaS, and IoT-related exposures
Common Mistakes & E&O Warnings
CG 21 07 is more dangerous than CG 21 06 because it eliminates even the bodily injury exception. Agents must clearly communicate this gap to insureds and document the conversation. Healthcare, education, and any industry where a data breach could foreseeably lead to physical harm is especially exposed. Failure to recommend standalone cyber coverage when this endorsement is present is a significant E&O risk. Some agents confuse the two forms, believing both have the BI exception.
- ⚠Confusing CG 21 07 with CG 21 06 and believing there is a bodily injury exception — there is NOT
- ⚠Not recognizing this is attached to the policy because it was added at renewal without notice
- ⚠Assuming only technology companies are affected — any business with customer data is exposed
- ⚠Believing the standard CGL personal/advertising injury coverage still handles privacy claims — it does not
- ⚠Thinking a cyber endorsement on the CGL is equivalent to standalone cyber liability coverage
Frequently Asked Questions
Why is CG 21 07 more restrictive than CG 21 06?
CG 21 07 removes ALL coverage for data-related events, including bodily injury. CG 21 06 at least preserves bodily injury coverage. For example, if a hospital data breach leads to a patient receiving the wrong medication and suffering physical harm, CG 21 06 would cover the BI claim but CG 21 07 would not.
Should I request CG 21 06 instead of CG 21 07?
If a cyber exclusion must be on the CGL, CG 21 06 is preferable because it retains the bodily injury exception. However, the best approach is standalone cyber coverage regardless of which CGL exclusion is used.
Does CG 21 07 affect my certificates of insurance?
Yes. If a certificate holder expects data breach or privacy liability coverage under the CGL, CG 21 07 eliminates that coverage entirely. The agent should disclose the exclusion and recommend the insured obtain standalone cyber coverage.
Analyze any endorsement in 30 seconds
Upload a PDF or paste endorsement text. Our AI identifies the form, explains coverage impact, detects gaps, and scores E&O risk — instantly.
Analyze Your Endorsement