On October 6, 2014, a federal court denied a professional liability insurer’s motion to dismiss a coverage dispute over a $3.5 million payment the policyholder-bank made when a bank customer’s account was targeted by a computer hacker. See First Commonwealth Bank v. St. Paul Mercury Ins. Co., No. 2:14-cv-00019-MPK, Opinion and Order Dated October 6, 2014, Dkt No. 21 (W.D. Pa.) (“Order”). This case highlights that policyholders should focus on insurance obligations at the outset of a cyber event so as not to compromise potential coverage. It also reinforces the fact that coverage for cyber risks remains available under multiple types of insurance, and that policyholders should continue to evaluate all insurance in their portfolio in the event of a loss.
Earlier this year, First Commonwealth Bank brought suit against its professional liability insurer, St. Paul Mercury Insurance Company, seeking coverage for a cyberliability loss it incurred after one of its customers “was the victim of malware (i.e., malicious software) that allowed an unknown third party to access” the customer’s systems. Order at 12. After obtaining access to the customer’s bank account passwords and information, the hacker initiated wire transfers from the customer’s account at First Commonwealth to Russia, Philadelphia and Belarus. The bank refunded more than $3.5 million to the client’s account after being notified that the transfers were unauthorized. Shortly thereafter, the bank sought reimbursement for the payment from St. Paul. St. Paul refused to cover the bank’s loss, arguing that the bank breached the Defense and Settlement provision of its policy because the bank voluntarily refunded its customer’s account without St. Paul’s consent. In response, the bank argued that its repayment was not “voluntary” – rather, the bank was required by law to refund its client under Pennsylvania’s Uniform Commercial Code. The District Court for the Western District of Pennsylvania agreed with the policyholder, finding that the bank had a legal and statutory obligation to reimburse its client after the unauthorized wire transfers took place, and that such obligations necessarily “interfered with the restrictions imposed upon Plaintiffs under the Policy.” Order at 7.
The opinion reiterates the importance of involving one’s insurer as early as possible when settling, or even contemplating settling, a dispute. The costs of resolving a consent-to-settle dispute may be avoided by (1) notifying all insurers of a claim as soon as the loss is identified, (2) reviewing the policy’s dispute-resolution obligations, and (3) complying with policy requirements when settling a claim. The District Court’s decision also demonstrates, however, that where reimbursement is mandated by law, a consent-to-settle provision that applies to “voluntary” payments may not be implicated.
Experienced coverage counsel can assist policyholders in determining whether an existing insurance program provides adequate protection if a data breach or other cyberliability loss takes place.