Data-breach coverage disputes are emerging on two fronts. The first, litigation of traditional insurance products, is like running out the proverbial string. These disputes will not be long-lasting, as the insurance industry has taken affirmative steps to eliminate exposure for such claims under CGL and other P&C products. The second, however — litigation of new-generation, stand-alone cyberinsurance products — will impact the insurance industry for decades to come.
First, insurers are embroiled in data-breach coverage litigation with their policyholders under traditional insurance policies, primarily CGL policies. The decisions have been a mixed bag. Perhaps the most influential pro-insurer decision is Recall Total Information Management, Inc. v. Federal Insurance Co. The particular issue there was whether the “publication” requirement was satisfied in relation to data tapes that fell out of a truck and were subsequently taken by an unknown thief. The Connecticut Appellate Court and Supreme Court answered in the negative, since there was no evidence or indication the private information on the tapes was actually accessed by anyone. More detailed discussions of Recall Total are available here and here.
Another significant pro-insurer decision was handed down in 2014 by Judge Jeffrey Oing of the Supreme Court of New York in Zurich American Insurance Co. v. Sony Corp. of America. That decision concerned coverage for defense costs in connection with a host of consumer lawsuits emanating from the 2011 hacking of the Sony PlayStation Network. Here, Judge Oing determined the insurers did not have a duty to defend Sony because the publication offense under Coverage B requires affirmative wrongdoing by the insured and does not apply to passive conduct. The parties settled while the matter was on appeal, so Judge Oing’s opinion remains undisturbed. A spirited defense of the Sony ruling can be found here.
In contrast to Sony and Recall Total, the Fourth Circuit ruled in Travelers Indemnity Company of America v. Portal Healthcare Solutions, L.L.C. that a data breach did trigger the insurer’s duty to defend. The court specifically found the policyholder, a provider of medical record hosting services, was covered for allegations that it passively allowed unauthorized access to patient medical records. The Fourth Circuit determined, in particular, there was “publication” of the private medical information since any member of the public with Internet access could have viewed the information. A full discussion of the decision and its limited impact on the insurance industry is available here.
In another data-breach coverage case involving a financial institution bond, the Eighth Circuit in State Bank of Bellingham v. BancInsure, Inc. affirmed summary judgment in favor of the policyholder, finding the policyholder covered for a fraudulent transfer caused by a hacker using a Trojan Horse virus. As background, the fraudulent transfer occurred after a bank employee left the bank’s computer running after the password, passphrase, and security tokens were entered. BancInsure denied coverage, pointing to exclusions barring coverage for employee-caused losses. Following cross-motions for summary judgment, a Minnesota federal district court determined there was coverage in spite of the employee-caused exclusions since the actions of the hacker were the efficient and proximate cause of the loss. The Eighth Circuit similarly rejected BancInsure’s argument that the hacking was not an overriding cause of the loss, reasoning the illegal wire transfer was not a “foreseeable and natural consequence” of the bank employee’s negligence.
While these recent pro-policyholder decisions may appear to be a panacea and obviate the need to purchase stand-alone cyberinsurance, that would be a mistaken read of the landscape. Even if courts in other jurisdictions were to adopt the reasoning of the Fourth and Eighth Circuits in analogous situations, the precedential value of these decisions is fleeting at best. For instance, Portal Healthcare’s policy did not include the new ISO endorsements specifically addressing the disclosure of private information. Some E&O, D&O, crime and fidelity policies, and commercial property policies are also being tailored to eliminate coverage for data breaches. Insurers are instead looking to push this exposure into the realm of their add-on and stand-alone cyberinsurance products. Absent those products, it is doubtful Portal Healthcare, Bellingham, and other pro-policyholder decisions will save policyholders from uncovered exposure arising out of future data breaches. Notably, it does not appear yet that the new ISO exclusions are being litigated, but once they are, it is likely the CGL insurers will see the end of data breach coverage.
By contrast, new(ish), stand-alone cyberinsurance policies (and add-on products) are the answer and are imperative for businesses of all types and sizes. They remain expensive and may not yet be a line-item on some companies’ annual budget. Nevertheless, the reality is data breaches are ubiquitous. So, proceeding uncovered with respect to this existential exposure risks an outcome so disastrous that the collapse of or great financial hardship for the business is a very real possibility.
There have been a small handful of litigations over new-generation cyberinsurance policies. The most significant and recent one is P.F. Chang’s China Bistro v. Federal Insurance Co., where an Arizona district court held an insurer had no duty to reimburse its policyholder for payment card industry liability assessments. Click here for a complete discussion of the case and the lessons to be learned from the district court’s well-reasoned approach.
This decision echoes a framework utilized by a Utah federal district court in interpreting a stand-alone cyberinsurance policy in the context of a non-data-breach claim. In Travelers Property Casualty Co. of America v. Federal Recovery Services, Inc. (D. Utah, No. 14-cv-170), the district court denied the policyholders’ motion for partial summary judgment and found that the Travelers plaintiffs had no duty to defend (the parties ultimately settled their dispute as to the policyholder’s bad faith claim). Significantly, the parties were disputing coverage under the Network and Information Security Liability and Technology Errors and Omissions Liability subparts of a CyberFirst Policy. This was a watershed decision because it was the first ruling with respect to the new generation of cyberinsurance policies. Also, this case reminded us that the make-up of cyberinsurance policies is shaped by underwriters trained on and comfortable with traditional liability policies, and that judicial interpretation of traditional policies will likely be adopted in the cyberinsurance context where possible. In other words, while cyberinsurance policies are new, the actors and analytical tools for resolving the coverage disputes are not. The district court in P.F. Chang’s, indeed, used those analytical tools to reach its decision.
Another important case, which we touched upon in our 2015 State of Cyberinsurance Coverage Litigation, is Columbia Casualty Company v. Cottage Health System (C.D. Cal., No. 16-cv-3759), where the insurer sought a declaration that it had no duty to defend or indemnify its policyholder arising out of the release of patient records and a subsequent class action lawsuit. The insurer’s position centered on a Failure to Follow Minimum Required Practices Exclusion, which it contended barred coverage because of the policyholder’s failure to continuously implement certain cybersecurity procedures and risk controls. This case provides a chilling reminder for businesses to be fully aware of the particulars of any cyberinsurance policy they purchase, as there is no standard form for the coverage, and most policies are sold a la carte. For a more detailed discussion of Cottage Health, click here.
The a la carte nature of cyberinsurance coverage likewise gave rise to a dispute in New Hotel Monteleone LLC v. Certain Underwriters at Lloyd’s of London (E.D. La. No. 2:16-cv-00061). Importantly, this lawsuit reflects the problems potentially faced by insurance brokers in the cyberinsurance space. Here, Hotel Monteleone contended it had deficient payment card industry liability coverage following a cyberattack in October 2014. As a result, Hotel Monteleone sued its insurer and retail agent. As for the retail agent, Hotel Monteleone alleged negligent failure to procure and breach of contract claims. Thereafter, the retail agent filed a third-party complaint against a specialty broker which professed expertise in the area of cyberinsurance. This lawsuit serves as a reminder of the perils associated with the underwriting process for cyberinsurance policies. More specifically, since the underwriting process is generally more involved than with traditional policies, brokers need to have a strong grasp of the applicant’s cybersecurity infrastructure. In turn, due to brokers’ greater involvement in the application for cyberinsurance, their corresponding E&O exposure is greater. A more detailed discussion of Hotel Monteleone and potential broker liability in connection with the purchase of cyberinsurance coverage is available here.
Spec’s Family Partners, Ltd. v. The Hanover Insurance Co. (S.D. Tex., No. 16-cv-438) is yet another case about PCI liability coverage. There, Spec’s Family Partners, Ltd., a retail chain, fell victim to an attack on its credit card payment network. Pursuant to an agreement, FirstData Merchant Services provided transaction services for Spec’s for customers using Visa and MasterCard payment cards. Following two data breaches, MasterCard issued two liability assessments totaling nearly $10 million. In turn, FirstData made a demand on Spec’s for indemnification. FirstData also withheld approximately $4.2 million from Spec’s to cover the costs from the losses. Spec’s then notified its insurer, Hanover, of FirstData’s demands and filed suit in a Tennessee federal district court against FirstData for breach of contract. Hanover allegedly refused to pay for the cost of the Spec’s-FirstData litigation. Spec’s then filed the subject action, alleging, in pertinent part, breach of the policy and bad faith, and seeking a declaratory judgment. Notably, Hanover has since filed a motion for judgment on the pleadings, but the motion papers were filed under seal. This matter bears revisiting once there is more clarity regarding the parties’ respective positions.
With the first half of 2016 almost in the books, new-generation cyberinsurance coverage litigation is beginning to drip out the faucet. The faucet is not yet turned on full-blast, but we are fortunately seeing coverage disputes play out in an expected and predictable manner. The lesson to be learned so far is that although stand-alone cyberinsurance policies use many novel terms and language not found in other traditional insurance products, courts are not about to create new rules and maxims for interpreting these policies. Instead, courts will rely on the time-honored principles of insurance coverage jurisprudence and contract interpretation. In evaluating coverage for data breach claims under new-generation cyberinsurance policies, it would stand to reason that the place to start for carriers is with the tools and resources developed under traditional P&C products.