Reports of cyber-attacks on U.S. companies and government agencies have become disturbingly common the last two years starting with the Target data breach during the 2013 holiday season. The most recent of these data breaches occurred in early June as hackers stole personnel data and Social Security numbers from the U.S. Office of Personnel Management. Lucas Blower gave a succinct overview of what risks a cyber-risk policy could potentially cover. As Lucas pointed out, there are many different types of cyber risk policies and potential exclusions.
While various cyber risk policies have been in the market for some time, there has not been extensive judicial review of cyber risk policies. In one of the first coverage rulings involving a cyber insurance policy, the U.S. District Court for the District of Utah ruled a “CyberFirst Policy” issued by Travelers Cos. Inc. does not provide coverage for alleged willful and malicious conduct by the insured. Travelers Prop. Cas. Co. of Am. et al. v. Fed. Recovery Servs. Inc. et al., D. Utah No. 2:14-CV-170 TS, 2015 U.S. Dist. LEXIS 62185, *11 (May 11, 2015).
The CyberFirst policy issued by Travelers included the Technology Errors and Omissions Liability Form which granted coverage for losses caused by error, omissions, or negligent act. Id. at *3. The insured is in the business of providing processing, storage, transmission, and other handling of electronic data for its customers. One of its customers brought suit alleging that the insured willfully interfered with the customer’s data and property which the insured was storing. Id. at *4-5. It was on these facts the customer brought claims against the insured for tortious interference, promissory estoppel, conversion, breach of contract, and breach of the implied covenant of good faith and fair dealing. Id. at *8.
The insured provided formal written notice of its tender of the defense to Travelers, and Travelers accepted the tender of defense under a full and complete reservation of rights. Id. Based upon their reservation of rights, Travelers filed an action for declaratory relief. The insured then moved for Partial Summary Judgment requesting a determination that Travelers owed them a duty to defend.
The issue before Senior U.S. District Judge Ted Stewart was “whether the [customer’s] action triggered Travelers’ duty to defend under the Technology Errors and Omissions Liability Form.” Id. at *9. Travelers argued that it did not have a duty to defend the insured because the original and amended complaints from the customer suit did not allege damages from an “error, omission or negligent act.” Id.
Under Utah law, an “insurer’s duty to defend is determined by comparing the language of the insurance policy with the allegations in the complaint.” Id. at *3 (quoting Fire Ins. Exch. v. Estate of Therkelsen, 201 UT 48, 27 P.3d 555, 560 (Utah 2001)). Judge Stewart explained that the customer’s complaint does not allege that the insured withheld the requested data because of error, omission, or negligence. Instead, it alleges the insured “knowingly withheld this information and refused to turn it over until [the customer] met certain demands.” Id. at *10. Therefore, because these allegations are not covered by the Technology Errors and Omissions Liability Form, Travelers has no duty to defend. Id. at *11.
Judge Stewart’s analysis shows that although these cyber policies are relatively new, fundamental insurance principles will be applied as they would be to any other insurance policy. Policyholders are well-served to engage competent coverage counsel to determine what types of claims their cyber risk policy covers before tendering an offer of defense to its insurer.