Insurer’s obligations under a cyber insurance E&O policy are not triggered by an allegation of intentional misconduct (and other glitches in coverage)
Nathan M. Crystal
Travelers Property Casualty Co. of America v. Federal Recovery Services, Inc., 103 F. Supp. 3d 1297 (D. Utah 2015), was a declaratory judgment action in which the court found that the defendant’s cyber insurance policy did not provide either coverage or defense of claims brought against it. Federal Recovery provided various electronic data services to its clients, including Global Fitness. Global Fitness sued Federal Recovery claiming that Federal wrongfully refused to return member account data to Global. Travelers refused to provide coverage or a defense to Federal, claiming that an intentional wrongful act was not covered by the policy. The policy defined an “errors and omissions wrongful act” to include any “error, omission or negligent act.” The court agreed with Travelers, finding that the policy did not provide coverage or an obligation to defend. Other courts, however, have found that similar policy language provides coverage for intentional acts; otherwise, the language covering an “error” or “omission” would be redundant with “negligent act.” See Robert D. Anderson, Five Takeaways from the First Cyber Insurance Case, K&L Gates blog (May 21, 2015).
Another example of denial of coverage under a cybersecurity policy is Columbia Casualty Co. v. Cottage Health System, in which the insurer refused to provide coverage because the data breach was ultimately caused by the insured’s failure to implement the procedures and risk controls that it identified in the policy application. More on this: Francesca Giannoni-Crystal, Columbia Casualty v. Cottage Health System, i.e. when your cyber-insurance is not what it seems (http://www.technethics.com/blog/columbia-casualty-v-cottage-health-system-i-e-when-your-cyber-insurance-is-not-what-it-seems/). The case was ultimately dismissed on other grounds (i.e., that the parties could pursue alternative dispute resolution under the terms of the policy), not because the insurer’s allegation was ungrounded (see https://www.pacermonitor.com/public/case/8204159/Columbia_Casualty_Company_v_Cottage_Health_System).
In my opinion, both cases may stand for the same proposition: you should review your cyber insurance policy for scope of coverage (both to understand the claims that are covered and whether you are supposed to do anything to maintain that coverage) and conduct a review, both internally and externally, to assure compliance with representations made to the insurer about your practice and procedure.
For more information, contact Nathan M. Crystal.