Last May, we told you that the “waiting has ended“ for courts to start weighing in on cyber insurance policies, as the District of Utah issued one of the first federal court decisions construing such a policy in Travelers Property Casualty, et al. v. Federal Recovery Services, Inc., et al., No. 2:14-CV-170. Although the claims at issue were not the sort of data breach and cybersecurity liability claims for which policyholders eagerly anticipate guidance, it was, as we noted, an important step in understanding how a court may approach these policies. In the first weeks of 2016, the Travelers court revisited the May 2015 decision, and affirmed its prior findings in favor of the insurer.
In the May decision, the court had found that under the cyber policy at issue, the insurer had no duty to defend its insured, a payment and account processing company, against tort claims alleging that the insured improperly—and intentionally—withheld customer payment and account data from the plaintiff, a gym network, the plaintiff had entrusted to it.
The policy at issue was a Travelers CyberFirst Technology Errors and Omissions Liability Form Policy. Under the policy, the duty to defend attaches when the plaintiff’s suit alleges an action by the insured that, if true, would constitute a covered claim under the policy. The insured sought coverage through an E&O module that provided coverage for “any error, omission, or negligent act.” The plaintiff alleged, however, that the insured acted with “knowledge, willfulness, and malice.” The court held that because the complaint alleged intentional, instead of negligent misconduct, the insurer did not have a duty to defend.
On the basis of this decision, the insurer then sought summary judgment of the insured’s counterclaims for breach of contract, breach of fiduciary duty and breach of the duty of good faith and fair dealing, which alleged, in different ways, that insurer’s failure to provide a defense violated its duties to promptly provide a defense to the insured.
Applying Utah law, the court declined again to find that the insurer had a duty to defend. The court refused to consider additional evidence from the insured relating to the duty to defend, finding that Utah law did not permit the court under the circumstances to go beyond the “eight corners” of the policy and complaint documents. The court did permit the insured to press its bad faith claim on the unrelated, but “narrow,” theory that the insurer had improperly refused to render a timely coverage decision and imposed additional requirements that hurt the insured during the course of the underlying litigation.
While this case involves a cyber policy, the E&O coverage addressed by the case appears in more traditional liability policies. As such, this decision offers some indication of how such policies may be implicated by a cyber-attack or data breach. Conversely, it also illustrates how cyber insurance policies may (or may not) provide coverage for otherwise “traditional” claims that involve data and networks.
Insurers have been adding and adjusting coverage under cyber policies to respond to the needs of their clients and to streamline their policies and appropriately address related clusters of risks. Still, for now and in the immediate future, cyber insurance policies remain modular, and cyber policy language varies among insurers. Policyholders should carefully review their policies at placement and each renewal to make sure that they obtain the specific coverage they need. While some courts are beginning to address the issue, the waiting (for standard policy language and forms) has not ended.