In one of the first cases of its kind, last week the U.S. District Court for the District of Utah issued an opinion construing coverage under a “cyber” insurance policy. In Travelers Property Casualty Co. of America v. Federal Recovery Services, Inc., the court determined there was no coverage under a cyber insurance policy where the allegations against the insured included only claims of intentional misconduct. The coverage at issue was limited to “errors and omissions.” Similar to traditional insurance, the “errors and omissions” cyber insurance only covered mistaken, negligent, or otherwise unintentional conduct.
As data security breaches and disputes have risen (think Target, Home Depot, Sony, and so on), many insurers have responded by limiting or excluding coverage for data-related events and claims under traditional policies, and have instead offered separate cyber insurance policies. While there has been much discussion on the topic of cyber insurance, few courts have applied and construed cyber insurance to real life events.
The opinion in Travelers illustrates that just like traditional insurance, cyber insurance does not provide cure-all protection for all data-related events and disputes. While we expect some variation in court decisions on this issue because the duty to defend is based on state law, and therefore varies by jurisdiction, this case illustrates the limitations of cyber insurance and its similarity to traditional insurance.
This is not to say that all cyber insurance policies only cover claims alleging unintentional conduct. As a relatively new product, cyber insurance terms are highly variable. Some policies cover losses from intentional acts, provided those acts are attributed to third parties or certain lower-level employees.
Perhaps unintended by the court, the Travelers case also provides a roadmap for invoking insurance coverage when seeking to recover for a data-related event. It is common for litigants to characterize allegations and claims in effort to invoke coverage for their opponent because it provides an additional route for recovery and potential leverage for settlement. Given the rise in data-related claims and events, as well as growing prevalence of separate cyber coverage, we expect that litigants will try to invoke insurance coverage for data-related claims by including allegations of mistaken errors, omissions, or negligence.
What This Means to You
Because cyber insurance is a relatively new product and coverage terms vary from policy to policy, insureds need to pay close attention to policy details. Some policies only cover “errors and omissions,” while others cover certain intentional acts. Insureds need to evaluate their data risks and review their insurance coverage, playing close attention to the type of coverage, policy definitions, and policy exclusions.