Court Offers Narrow Interpretation of Cyberinsurance. If you’ve been paying attention to the news or any of your social media channels, you’ve probably heard people talking about cyberinsurance and that your company needs it. You might even have been told that cyberinsurance is a panacea for all risks related to cybersecurity and data privacy. To date, there has been very little publicly available litigation about the meaning of cyberinsurance policies. One federal court changed that with a decision issued on May 11, 2015, in Travelers Property Casualty Co. of America v. Federal Recovery Services, Inc., No. 2:14-cv-170 TS, slip op. (D. Utah May 11, 2015). Unfortunately, the decision ruled against the policyholder and offered a narrow interpretation of the cyberinsurance policy involved in the dispute. The Cyberinsurance Policy in Dispute. The policyholders are in the business of processing, storing, transmitting, and handling data. (Slip op. at 1.) Presumably to cover those risks, they bought a Travelers CyberFirst Policy. (Slip op. at 1.) The Travelers CyberFirst Policy contained a Technology Errors and Omissions Liability Form (commonly referred to as a “Tech E&O” coverage part), and a Network and Information Security Liability Form. (Slip op. at 2.) The Tech E&O coverage part stated that Travelers would indemnify “those sums that the insured must pay as ‘damages’ because of loss to which this insurance applies.” (Slip op. at 2.) A covered cause of loss was “an ‘errors and omissions wrongful act.’” (Slip op. at 2.) An “errors and omissions wrongful act” was defined as “any error, omission or negligent act.” (Slip op. at 3.) (As an aside, why do insurance companies refuse to use the Oxford comma?) The Travelers cyberinsurance policy provided a duty to defend. (Slip op. at 2.) What Happened? The policyholders entered into a contract to process member accounts and financial transactions for a chain of fitness centers. (Slip op. at 3.) The policyholders received financial information related to the fitness chain’s members, and used that to charge monthly membership fees. (Slip op. at 3.) The fitness chain later entered into an asset purchase agreement with another fitness chain. The sellers (the policyholders’ customers) agreed to provide the buyer with the sellers’ member account data, including the data that the policyholders had. (Slip op. at 3.) But the policyholders, the court explained, did not transfer the data in full, as the sellers requested. (Slip op. at 3-4.) As a result of the policyholders’ alleged refusal to provide the full member account data, the price of the asset purchase agreement decreased dramatically, the court explained. (Slip op. at 5.) The sellers sued the policyholders. The sellers brought counts against the policyholders “for tortious interference, promissory estoppel, conversion, breach of contract, and breach of the implied covenant of good faith and fair dealing.” (Slip op. at 5.) The sellers later amended their complaint against the policyholders. The amended complaint alleged that the policyholders “withheld the Billing Data unless and until [the sellers] satisfied several demands for significant compensation above and beyond what were provided in the Agreement” with the policyholders, that the policyholders “willfully interfered with [the sellers’] property and refused to return [the sellers’] property without cause or justification,” and that the policyholders’ “actions knowingly harmed [the sellers’] rights under the” asset purchase agreement. (Slip op. at 4-5.) The policyholders provided notice of the claim to Travelers and asked Travelers to defend them. Travelers filed a lawsuit asking a court to rule that it did not have coverage obligations. The Insurance Coverage Dispute. Travelers denied coverage on the basis that the complaints against the policyholders do not “allege damages from an ‘error, omission or negligent act.’” (Slip op. at 7.) The policyholder argued that they could be held liable for negligently holding, transferring, or storing data. (Slip op. at 7.) The court cited several paragraphs of the complaint to find that there were no errors, omissions, or negligence alleged, but rather that there only was knowing, willful, and malicious conduct alleged. (Slip op. at 8.) The court ruled that Travelers had no duty to defend the policyholders. The court explained that “[t]o trigger Travelers’ duty to defend, there must be allegations in the [underlying] action that sound in negligence,” and because none of the “allegations involve errors, omissions, or negligence,” there was no duty to defend. (Slip op. at 8-9.) Takeaways Some people might view this case as a traditional errors and omissions insurance coverage analysis that was applied to a new policy. We suggest that this view is too narrow, even under that lens. For example, there are insurance coverage decisions interpreting errors and omissions insurance policies that have allowed claims to proceed and ruled in favor of policyholders when the underlying actions involved allegations of civil RICO claims. Thus, a view that a complaint must allege a negligence claim should be viewed as too restrictive, putting the policyholder at the mercy of the vagaries of a claimant’s pleadings. Just as significant, the law in connection with the retention and use of data evolves and changes on a daily basis. Claimants frequently bring multiple causes of action in their suits against insureds as they try to fit new types of claims into old law. Would your cyberinsurance carrier or Tech E&O carrier take a similarly narrow view of how coverage under your cyberinsurance or Tech E&O policy applies? Consider the claims handling reputation of the proposed carrier when considering the purchase of this type of coverage. Also ask the insurance broker whether the insurance carrier would write broader coverage if the coverage seems too narrow for your business; or ask if other carriers have broader coverage forms, as the language within cyberinsurance and Tech E&O policies varies significantly. Some insurance carriers, for instance, have been willing to use language broader than what is at issue in the Travelers v. Federal Recovery decision.
Will Your Tech E&O Insurance Cover Your Retention of Someone Else’s Electronic Data?
May 12, 2015 | cyberinsurance