Five Takeaways from the First Cyber Insurance Case

by K&L Gates LLP
Contact

On May 11, 2015, in a case that is being widely celebrated as one of the first coverage rulings involving a “cyber” insurance policy, a federal court ruled that Travelers has no duty to defend its insured in Travelers Property Casualty Company of America, et al. v. Federal Recovery Services, Inc., et al.[1]

Although the Travelers case does not involve “cyber”-specific coverage issues, the case nonetheless carries some important takeaways for insureds, insurers, and many other interested spectators.
Here is a brief summary of the ruling and five key takeaways.

The Facts
The insured, Federal Recovery, was in the business of providing processing, storage, transmission, and other handling of electronic data for its customers, including Global Fitness. In particular, Federal Recovery agreed to process Global Fitness’s gym members’ payments under a Servicing Retail Installment Agreement.[2]

In the underlying litigation, Global Fitness brought suit against Federal Recovery alleging, essentially, that Federal Recovery wrongfully refused to return member account data to Global Fitness, including member credit card and bank account information. Global Fitness asserted claims for tortious interference, promissory estoppel, conversion, breach of contract, and breach of the implied covenant of good faith and fair dealing.[3]

The “Cyber” Policy
The policy at issue was a “CyberFirst” policy issued by Travelers. The policy included a Technology Errors and Omissions Liability Form, which stated that Travelers “will pay those sums that [Federal Recovery] must pay as ‘damages’ because of loss… caused by an ‘errors and omissions wrongful act’….” The key term “errors and omissions wrongful act” was defined to include “any error, omission or negligent act.”[4] In addition to covering potential damages, the Travelers policy provided defense coverage, stating that Travelers “will have the right and duty to defend [Federal Recovery] against any claim or ‘suit’ seeking damages for loss to which the insurance provided under one or more of ‘your cyber liability forms’ applies.”[5]

Federal Recovery tendered the defense of the underlying Global action to Travelers, which initiated coverage litigation seeking a declaration of non-coverage. Travelers argued that it did “not have a duty to defend [Federal Recovery] against the original or amended complaints in the Global action because Global [Fitness] does not allege damages from an ‘error, omission or negligent act.’”[6]

The Coverage Disputes: Scope of Coverage and Duty to Defend
Although Travelers involves underlying cyber-related facts and a “cyber” insurance policy, the coverage issues arising out of the facts and policy certainly are not cyber-specific. 

Travelers’ declaratory judgment action raises two coverage disputes concerning: (1) the scope of coverage afforded by the technology errors and omissions policy at issue, as shaped by its key “wrongful act” definition; and (2) the scope of an insurer’s duty to defend under Utah law.  While arising in the context of “cyber”-related facts surrounding electronic account and payment data, and under a “cyber” insurance policy, the coverage disputes at issue in the Travelers case are precisely the types of disputes that we routinely see in the context of errors and omissions and other claims-made liability coverages.   

(1) The Scope of Coverage
As to the scope of coverage, errors and omissions, D&O, professional liability, and other claims-made policies, like the policy at issue in the Travelers case, typically cover “wrongful acts,” a term that typically in turn is defined as “any negligent act, error, or omission,” or similar verbiage. There are scores of cases addressing whether intentional and non-negligent acts fall within or outside the purview of a covered “wrongful act.”

Unfortunately, and in contrast to other decisions, the United States District Court for the District of Utah in the Travelers case took a narrow view of the key language, ruling that “[t]o trigger Travelers’ duty to defend, there must be allegations in the [underlying] action that sound in negligence.”[7] The court further found that there were “no such allegations.”[8]

In contrast, other courts have appropriately upheld coverage for various types of intentional and non-negligent conduct under errors and omissions and other claims-made policies.  As one commentator has summarized:

[C]laims-made policies typically afford coverage for claims by reason of any “negligent act, error or omission.” What if an insured is held liable for a non-negligent act? Most courts have held that the insured is still entitled to coverage. The strongest argument in favor of that conclusion is that (i) an “error” or “omission” encompasses more than negligent conduct, and (ii) if only negligent errors and negligent omissions were covered, the “error or omission” language would be rendered redundant.[9]

To the extent some may wish to reference other cases addressing “cyber”-related fact patterns, those cases exist. For example, in 1995, the Supreme Judicial Court of Massachusetts in USM Corp. v. First State Ins. Co.[10] upheld coverage under an errors and omissions policy for a breach of express warranty claim involving the insured’s failure to develop and deliver a turnkey computer system that would perform certain functional specifications. The errors and omissions policy at issue in the USM case, similar to the policy at issue in the Travelers case, covered claims against the insured “by reason of any negligent act, error or omission.”[11] Also, the insurers in USM, like the insurers in Travelers, argued that the policy only covered the insured for negligent acts. The USM court rejected the insurers’ arguments, noting that courts have not limited coverage under errors and omissions policies to circumstances involving negligence:

Other courts have not limited liability under “errors and omissions” policies to circumstances involving negligence, but have recognized certain nonnegligent errors as being within the coverage afforded. Cases involving the words such as “negligent act, error or omission” (the crucial language of the policies before us) have not consistently determined that an error must be a negligent one if coverage is to be available.

***

Because some, but not all, judicial opinions have rejected the interpretation of errors and omissions policies for which the insurers contend, if it was the insurers’ intention, the crucial words of the policy should have been amended to eliminate the ambiguity and to make clear that coverage extended only to negligent errors. Potential policyholders could then have more accurately determined whether such coverage met their needs. Because of the uncertainty about the scope of the word “error,” the insurers as authors of the policies must suffer the consequences of the ambiguity.[12]

The New York Appellate Division’s decision in Volney Residence, Inc. v. Atlantic Mut. Ins. Co.[13] is likewise instructive. In that case, the Appellate Division held that the insurer had a duty to defend a federal RICO action in which the insured defendants “were alleged intentionally to have committed acts of self-dealing and fraud.”[14] Applying well-established rules of contract interpretation, the court ruled that there was a duty to defend:

The policy provision in question covers claims arising from “a negligent act, error or omission”, which term is defined as “any negligent act, error or omission or breach of duty of [the] directors or officers while acting in their capacity as such.” The definition is susceptible of more than one meaning and can be understood to cover any breach of duty of the directors or officers, not exclusively negligent breaches of duty. Ambiguities in an insurance policy are to be resolved against the insurer.[15]

Other cases are to the same effect.

(2) Scope of the Duty to Defend
Turning to the separate issue of the duty to defend, it is well established that the duty to defend is very broad—broader than the duty to indemnify. The duty to defend is typically triggered if there is some potential for coverage and, in many jurisdictions, it is appropriate to look outside the facts pled in the underlying complaint to determine whether there is a duty to defend.[16] Again, unfortunately, the court in the Travelers case took a narrow view of the insurer’s duty to defend. Even assuming for the sake of argument that the policy covered only negligence, the underlying complaint alleged, among other things, that Federal Recovery “retained possession of Member Accounts Data, including the Billing Data, which was the property of Global Fitness….”[17] Allegations surrounding improper retention of data, even if that retention ultimately was wrongful or not legally justifiable, clearly may arise out of negligence as opposed to intentional conduct.

Travelers Takeaways
Putting aside the ultimate merits of the court’s ruling, and whether this case addresses any coverage issues that are appropriately characterized as “cyber” issues, Travelers offers at least five key takeaways:

First
Travelers illustrates that decisions involving “cyber” insurance policies are coming and, considering all of the attention and buzz surrounding an otherwise seemingly mundane errors and omissions case, insureds and insurers alike are anxiously awaiting and anticipating the guidance those decisions may provide. 

Second
Travelers underscores that the types of coverage disputes that we will see arise out of “cyber”-related facts and, under “cyber” insurance policies, often will involve, or at least will intertwine with, the types of disputes that routinely arise in connection with “traditional” insurance coverages, including errors and omissions coverage and general liability coverage. This is useful for insureds to appreciate toward the goal of being prepared for future potential coverage disputes under “cyber” policies.

Third
Travelers underscores the importance of securing a favorable choice of forum and choice of law in insurance coverage disputes. Until the governing law applicable to an insurance contract—“cyber” or otherwise—is established, the policy can be, in a figurative and yet a very real sense, a blank piece of paper.

Fourth
Although its label as a first “cyber” case is debatable, Travelers at a minimum has spotlighted the approaching disputes under “cyber” liability policies, which should remind insureds of the need to be prepared for, in addition to the “traditional” types of coverage issues and disputes that can arise under those policies, the potential “cyber”-specific coverage issues and disputes that may arise, such as, for example, the scope of coverage for “cloud”-related exposures.

Fifth
Travelers illustrates the importance of obtaining the best possible policy “cyber” language at the initial coverage placement and renewal stage. Unlike some types of “traditional” insurance policies, “cyber” policies are extremely negotiable, and the insurer’s off-the-shelf language can often be significantly negotiated and improved—often for no increase in premium. It is important for the insured to understand its unique potential risk profile and exposure—and what to ask for from the insurer.

Often in coverage disputes, the issue of coverage comes down to a few words, the sequence of a few words, or even the position of a comma or other punctuation.  It is important to get the policy language right before a dispute. And while the Travelers case addresses coverage issues that are not “cyber”-specific, the fundamentals of successfully pursuing coverage under “traditional” insurance coverage are important to keep in mind as we enter a time and space in which coverage disputes based on underlying “cyber”-related factual scenarios, and under specialized “cyber” insurance coverages, are poised to become commonplace.


[1] No. 2:14-CV-170 TS, Slip Op. (D. Utah May 11, 2015) (Utah law).

[2] Id. at 2-3.

[3] Id. at 5.

[4] Id. at 3.

[5] Id. at 2.

[6] Id. at 7.

[7] Id. at 8.

[8] Id.

[9] Allan D. Windt, 2 Insurance Claims and Disputes 4th § 11:5 (2003) (emphasis added).

[10] 652 N.E.2d 613 (Mass. 1995).

[11] Id. at 614.

[12] Id. at 614-15 (emphasis added).

[13] 600 N.Y.S.2d 707 (N.Y. App. Div. 1993).

[14] Id. at 707.

[15] Id. (original emphasis).

[16] See, e.g., Frontier Insulation Contractors, Inc. v. Merchants Mut. Ins. Co., 690 N.E.2d 866, 869 (N.Y. 1997 (“If any of the claims against the insured arguably arise from covered events, the insurer is required to defend the entire action.”); New York City Hous. Auth. v. Commercial Union Ins. Co., 734 N.Y.S.2d 590, 592 (N.Y. App. Div. 2001) (“An insurer’s duty to defend is broader than the duty to indemnify and arises whenever the allegations of the complaint against the insured, liberally construed, potentially fall within the scope of the risks undertaken by the insurer.”).

[17] Travelers, Slip Op. at 4-5.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© K&L Gates LLP | Attorney Advertising

Written by:

K&L Gates LLP
Contact
more
less

K&L Gates LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):
hide

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.

Security

JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at info@jdsupra.com. In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at: info@jdsupra.com.

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.