Jul 02, 2015

Cyber Liability: Are you protected? Examining your coverage in the wake of the first decision under a “cyber” insurance policy

The first coverage decision under a “cyber” policy was handed down in May 2015 from a Utah federal court. That case—Travelers Property Casualty Co. v. Federal Recovery Services, Inc.—did not involve a data breach, but it did involve a dispute over data rights, and contains a number of important takeaways for commercial policyholders concerned about cyber liability.

In this case, the insured, Federal Recovery Services, Inc. (FRS), was in the business of providing processing, storage and other handling of electronic data for its customers. FRS sought coverage from Travelers under a CyberFirst Policy for a suit from a customer involving claims of tortious interference, promissory estoppel, breach of contract and breach of the duty of good faith and fair dealing relating to the alleged mishandling and withholding of FRS’ client’s data. The Travelers’ policy contained a Technology Errors and Omissions Liability Form. Under that Form, Travelers agreed to pay damages and defend FRS for any suit seeking damages for loss to which the insurance provided. At issue specifically was the interpretation of the clause “loss caused by an ‘errors and omissions’ wrongful act,” which was defined under the policy to mean “any error, omission, or negligent act.”

The court considered whether Travelers’ duty to defend had been triggered. The court held that it had not, and that Travelers had no duty to defend FRS in the suit because the complaint against FRS alleged only that FRS had “knowingly withheld the information,” “willfully,” and with “malice,” but did not allege “negligence.”

The case is interesting for several reasons. First, it illustrates that a multitude of data-related cases could potentially fall within coverage under a cyber liability policy, not just data breach or loss of data. Second, it is the first of what will likely be a number of decisions interpreting the new cyber liability policy forms. And third, it underscores the importance of good policy wording.

What should you do to protect yourself in light of this decision?

1. If you do not have a cyber liability policy, you should get one immediately. This is truer than ever as exclusions are being added to general liability and property policies excluding claims and losses related to data issues.

2. When data-related issues arise, ensure that you are providing notice under all applicable policies, including cyber liability policies. If you are unsure about how or to whom to give notice, enlist the support and advice from a coverage lawyer.

3. Review your cyber liability policy to ensure that it is sufficiently broad to cover a variety of data-related issues and losses. Also consider adding choice of law and choice of forum clauses to ensure that your policy will be treated under the broadest possible reading.

Does your insurance policy contain accurate wording, include enhancements and clarifications that carefully consider the intricacies of your business? Are all the protections in place in your policy? In order to be sure we strongly encourage you to contact your attorney.

This Chuhak & Tecson, P.C. communication is intended only to provide information regarding developments in the law and information of general interest. It is not intended to constitute advice regarding legal problems and should not be relied upon as such.

Client Alert authored by: Kristen E. Hudson