We in business are all overwhelmed with reading material, but I try to make sure that I read at least some legal and business publications every day to keep up with developing trends. And, it seems that every day I see another article about a new hacking incident, or another dire warning about cyber-risk. (The headline in Wired today reads: “Hackers Hit the IRS and Make Off with 100K Taxpayers’ Files.” Is nothing sacred??) I also see that many major law and consulting firms have set up cyberliability practice groups to capitalize on the need for information and advice on cyber-risk.
I’m a veteran of the Y2K debacle (“The sky is falling! The sky is falling!”), so I tend to view computer-related hysteria with skepticism. But there’s no question that prudent risk management is a good idea when it comes to cyber-risk (and just about everything else!), and that insurance is a major part of risk management. The problem, from a coverage lawyer’s perspective, is that there isn’t a standard form cyber-risk policy, and with so many products on the market, we’re sort of in the Wild West when it comes to figuring out where the coverage holes will be. So we’ve been watching for court decisions dealing specifically with cyberliability policies, in the hopes that some of the bases for dispute will appear.
One such decision just came down from a federal court in Utah (Judge Ted Stewart) in a case captioned Travelers Property Casualty Company of America v. Federal Recovery Services, Inc. (Judge Ted Stewart). Facts: FRS is a data management company that stored customer information (including credit card information) for Global Fitness, which owns and operates fitness centers. In connection with a proposed merger, Global agreed to transfer its member accounts data to LA Fitness. So, Global asked FRS to transfer the data to LA Fitness and then transfer it back, but apparently several key pieces of data (unspecified in the decision) went missing. According to the opinion, FRS then withheld certain data until Global “satisfied several vague demands for significant compensation.” Global sued FRS for conversion, tortious interference, and breach of contract, and FRS tendered the suit to Travelers, which disclaimed coverage.
The Travelers’ “CyberFirst” policy provides coverage for an “errors and omissions wrongful act,” which is unhelpfully defined as “any error, omission or negligent act.” The Court found that no coverage existed, writing: “Global alleges that Defendants knowingly withheld…information and refused to turn it over until Global met certain demands…To trigger Travelers’ duty to defend, there must be allegations in the Global action that result in negligence.” (Emphasis added.)
In my view, this sort of global pronouncement is what happens when judges (who understandably do not and cannot specialize in the myriad nuances of coverage law) fall back on what they know – that insurance is supposed to cover car wrecks. The truth is that, to trigger Travelers’ duty to defend, there must be allegations that potentially fall within coverage as defined in the policy. That’s presumably how premiums get established by Travelers’ underwriters, and that’s what Travelers’ policyholders pay for.
In the Travelers policy, the word “negligent” is juxtaposed with “act,” but not with “error” or “omission.” That indicates that the alleged “error” or “omission” need not be negligent.
Travelers’ advertising, in fact, makes a point that alleged “errors” or “omissions” do not have to be negligent to be covered. According to Travelers, the CyberFirst policy protects the policyholder against loss “caused by failure to provide access to authorized users of the policyholder’s website or communications network.” The word “negligence” is not used. Travelers also states that CyberFirst “covers [liability from] unauthorized use of any advertising, or any slogan or title, of others.” That doesn’t sound like “negligence.” And, as examples of covered claims, Travelers’ advertising information presents the following scenarios, among others:
– “You develop enterprise labor force software to integrate with a client’s HR and payroll systems. You fall behind in delivering the work, resulting in missed milestones and nonfunctioning project met modules. You contend that the client repeatedly changed the size and scope of the project. Ultimately, the client fires you and files a lawsuit, seeking to recover lost profits due to the disruption.”
– “You place advertisements on your website and in your direct mailings to announce a new service offered by one of your important partners. The advertising contains material that your partner’s competitor claims it owns. The competitor sues you, contending you are liable for damages caused by unauthorized use of the advertising material.”
These “wrongful acts” do not appear to involve negligence.
I think that, respectfully, Judge Stewart was relying upon the judicially-created “icky” exclusion that we sometimes see. That is, if the conduct of the policyholder seems sufficiently “icky,” then there’s no coverage. Here there were vague allegations that the policyholder essentially committed extortion (“pay us, or we won’t release the data”). But Judge Stewart appears to have resolved any doubts in favor of the insurance company, which is the opposite of the way liability insurance is supposed to work. If there’s any possibility of coverage (not “negligence”), then a defense is supposed to be provided unless and until the insurance company can demonstrate that the claim does not fall within coverage, or that coverage is forfeited by an exclusion. Here, all we know is that some data was (negligently?) omitted from an information transfer, and that FRS demanded to be paid. Why doesn’t that fall within the advertised coverage for “failure to provide access to authorized users of the policyholder’s…communications network,” at least until Travelers can prove that it doesn’t?
Here’s the bottom line. While the SEC and other regulators are interested in companies’ available insurance for cyberliability problems, including data breaches, these types of claims can be quite expensive. Although the insurance company’s underwriting and marketing departments are interested in selling coverage and making money, the nature of the claims department is to look for any plausible reason not to pay. Because of this predilection, at a recent conference of General Counsel that I attended, one prominent in-house lawyer stood up and loudly proclaimed: “Cyberliability coverage is worthless.” I won’t go that far. I think you should have cyberliability coverage. But I also know that, like most lines of coverage, you can’t completely rely upon it. The best risk management always involves proper and prudent internal controls.