It is still early days for coverage litigation about cyber risks – whether under cyber insurance policies or other types of policies. This is not surprising given the relatively short history of cyber risks and the even shorter history of cyber-specific policies. Also, a number of claims described as “cyber claims” are paid or privately negotiated between insurers and insureds, resulting in a dearth of published decisions.
But the ball is rolling now. Three recent cases illustrate the evolving issues in cyber-related insurance litigation. In Universal American Corp. v. Nat’l Union Fire Ins. Co., N.Y. Slip Op. 05516, 2015 WL 3885816 (June 25, 2015), New York’s highest court affirmed summary judgment for the insurer, National Union, where the alleged losses resulted from authorized entry into the systems of the insured, a health care insurance company. Specifically, health care providers authorized to access the insured’s systems submitted fraudulent claims to certain of the insured’s health insurance plans. The policy provision at issue covered losses for fraudulent entry to the insured’s systems or data, and fraudulent change of a computer program or data. The trial court granted summary judgment to National Union on grounds that the rider applied only to “unauthorized” access to the insured’s systems. The New York Court of Appeals affirmed, noting that the rider was not ambiguous and “does not extend as far as providing coverage for fraudulent claims which were entered into the system by authorized users.”
In Travelers Property Cas. Co. v. Federal Recovery Servs., Inc., No. 2:14-CV-170 TS (D. Utah May 11, 2015), a Utah federal district court held there was no coverage for and no duty to defend in connection with a lawsuit concerning the refusal of the insured, a payment processing company, to return certain credit card and bank account information to its customer. The court said the insured’s cyber errors and omissions policy did not respond because there was no allegation in the complaint against the insured that the insured “withheld the data because of an error, omission, or negligence.”
Finally, in a recently filed coverage action regarding third party lawsuits alleging a health care data breach, the insurer sought a declaration that its cyber policy does not respond because the insured breached its warranty to follow the data and privacy protection procedures and risk controls that it identified on its policy application. Columbia Cas. Co. v. Cottage Health Sys., No. 2:15-cv-03432 (C.D. Cal., filed May 7, 2015). The case was dismissed without prejudice on July 17, 2015, based on the insurer’s failure to follow the alternative dispute resolution provision in the policy prior to filing its complaint. But the issue of the insured’s alleged noncompliance with warranties about its internal cybersecurity processes was not resolved by the dismissal, and the same issue is likely to be raised in other cases.
The three cases highlight three “fault lines” that, along with others, set the stage for future disputes over the scope of cyber-related insurance coverage: (1) what constitutes fraudulent or unauthorized access to a system for purposes of a cyber-related loss; (2) whether a loss or threatened liability is due to intentional or negligent activity; and (3) to what extent an insured’s risk control and mitigation practices will be put on trial when an insurer disputes a cyber-related claim. These and other key coverage issues are familiar in the insurance arena in other contexts. There are, or may be, coverage issues unique to this burgeoning new area as well. Regardless, longstanding insurance principles and prior insurance case law will play a critical role in any litigation and in any published decisions. Given the massive expansion in cyber risk underwriting in recent years, the potential for large and aggregated losses inherent in cyber risks, and the widely varying policy language, it seems inevitable that courts will be forced to address these issues with increasing frequency.