A subplot is brewing in the policy limits dispute between a data breach victim and its cyber insurer – is a specialty broker that worked with the independent agent in placing the policy liable for claims against the agent? In New Hotel Monteleone, LLC v. Certain Underwriters at Lloyd’s, No. 2:16-cv-00061 (E.D. La.), the insured hotel filed a claim for $3 million in losses arising from a 2013 cyberattack. The insurer denied coverage as to losses in excess of $200,000, asserting that the limit in an endorsement for “payment card industry fines” applied to all claims arising from the cyberattack. (See Testing the Limits - Cyber Coverage Litigation (Feb. 23, 2016).)

In the original complaint, the insured sued the both the insurer and the independent agent that procured the policy. The complaint alleges that full policy limits of $3 million should be available to cover the insured’s losses. As to the agent (Eustis Insurance, Inc.), the complaint alleges that the agent is liable for breach of contract and negligent failure to procure coverage. According to the insured, if the insurer’s interpretation of the endorsement is found to be correct, then the agent “did not use reasonable diligence to place the insurance requested, as the insurance is limited to only $200,000 in coverage for fraud recovery, operational reimbursement, and case management fees resulting from a cyberattack, whereas the full policy limit is $3 million.”

On March 28, 2016, the agent filed a third-party complaint against the broker, R-T Specialty, LLC, which the agent contends it relied on in procuring the policy. The agent alleges that it “had no experience in procuring cyber insurance policies,” and “relied on the expertise of R-T Specialty to procure the cyber coverage requested by Hotel Monteleone.” The third-party complaint asserts that in the event damages are awarded against the agent, then R-T Specialty is wholly liable for those damages. 

Although the case is in the early stages and the allegations are unproven, Hotel Monteleone is a reminder that the parties in a cyber coverage lawsuit can include not only the insured and insurer, but also a broad range of brokers and other advisors. The evolving case law, variation in policy language, increasingly costly breaches and shifting landscape of regulatory and PCI fines will continue to raise the stakes in cyber-related coverage litigation and provide incentives to seek compensation from the widest possible scope of parties.