Got Good Cyber Insurance Cover? Beware of Holes in Your Policy.

Uploaded on 2015-06-19 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Financial

 CyberPolicyHoles-480px.jpg

A brand new decision from a federal trial court in Utah is a sobering reminder that just because you have purchased “cyber” insurance does not mean that your insurance company will pay a cyber-related claim. 
 
In Travelers Property Casualty Company of America et al. v. Federal Recovery Services et al., the insurance company sued its policyholder for a declaration of no coverage under a CyberFirst liability insurance policy it had sold. The policyholder was in the business of processing and storing data for its clients. In this case, the policyholder was storing and processing data for a client that offered fitness center memberships. 
 
Those gym members provided to the policyholder “either credit card or bank account information through which [the gym] could bill the members.” According to the decision, for cyber “security purposes, the only copy of the Member Accounts Data was retained by [the policyholder] on behalf of [the gym].” After the fitness chain was purchased by another fitness center company, the client requested that the policyholder return all of the stored data. The policyholder “had provided all of the Member Accounts Data except the credit card, checking account, and savings account information.” 
 
After a dispute arose over the data that was not returned despite numerous requests by the client, the client sued the policyholder. In its amended complaint, the client asserted claims against the policyholder for, among other things, tortious interference, breach of contract and the implied covenant of good faith and fair dealing, and promissory estoppel.
 
The policyholder sought insurance coverage under the CyberFirst policy that it had purchased. The policy included a “Network and Information Security Liability Form” and a “Technology Errors and Omissions Liability Form.” The Utah court held, however, that the underlying claims were not covered by the cyber liability policy because there were no allegations of neglect. Rather, the court determined that the underlying allegations all involved intentional/willful conduct of the policyholder. 
 
Specifically, the CyberFirst policy stated that “‘errors and omissions wrongful act’ means any error, omission or negligent act.” Putting to the side the correctness of the interpretation of the allegations of the underlying complaint by both the insurance company and the court, this type of insurance coverage dispute can be avoided by purchasing better cyber E&O terms in the first instance. We have long recommended that policyholders buying E&O insurance purchase “wrongful acts” coverage that is broader in scope and more akin to the type of defined terms provided by most D&O insurance policies. This is especially important in an age where alternative theories of liability are often pursued (e.g., fraud, breach of contract, negligence, strict liability, etc.). 
 
A typical D&O policy definition, for instance, provides insurance coverage for any alleged act, error, misstatement, misleading statement, omission, neglect or breach of duty. Such a definition is often available in E&O policies as well as D&O insurance policies. Such a definition of wrongful act should have certainly overcome the interpretation applied by the Utah court.
 
The risk of an E&O insurance company arguing that its insurance policy only provides coverage for claims sounding in “negligence” has been around for a while — particularly in the context of computer technology-related claims. See, e.g., USM Corp. v. First State Ins. Co. (1995 Massachusetts high court ruling rejecting insurance company’s argument that E&O insurance policy did not cover a claim for a computer system that failed to function properly — even though no negligence claim was asserted).
 
What is not clear from the Utah trial court’s ruling is why the allegations could not have been construed as comprising a form of omission — namely, the failure to return the data sought by the underlying claimant. The sentence structure of the CyberFirst policy indicates that “negligent” could not be read to modify “omission.”  One definition of “omission” is “a failure to do something, especially something that one has a moral or legal obligation to do.”  It would seem coverage should have been granted.  Perhaps an appeal is in the works? Stay tuned.
AgentsOfAmerica:  http://bit.ly/1Fp66Le

 

« Digital Currencies: A Gold Standard for Bitcoin
What’s in the New UK Surveillance Bill? »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

DCL Search & Select

DCL Search & Select

DCL Search & Selection connect candidates to the best companies in the IT Security, Telco, UC, Outsourcing, ERP, Audit & Control markets.

LogonBox Software

LogonBox Software

LogonBox Software specialises in producing a cost-effective range of Network Security and Identity Management software solutions for all sizes of Enterprise.

BGD E-GOV CIRT

BGD E-GOV CIRT

BGD e-GOV CIRT's mission is to support government efforts to develop ICT programs by establishing incident management capabilities within Bangladesh.

Cyber Security Audit Corp (C3SA)

Cyber Security Audit Corp (C3SA)

C3SA specializes in architecting, operating, managing and improving defensible and resilient IT infrastructures for Canada's public and private sectors.

Database Cyber Security Guard

Database Cyber Security Guard

Database Cyber Security Guard (aka Don't Be Breached) informs Security Professionals and DBAs of Zero Day, Ransomware and Data Breach attacks within milli-seconds

Digital Security

Digital Security

Digital Security is an Ecuadorian company specialized in providing comprehensive information security solutions.

Romanian Accreditation Association (RENAR)

Romanian Accreditation Association (RENAR)

RENAR is the national accreditation body for Romania. The directory of members provides details of organisations offering certification services for ISO 27001.

Qualcomm Technologies

Qualcomm Technologies

Qualcomm invents breakthrough technologies that transform how the world connects, computes and communicates.

BIRD Cyber

BIRD Cyber

BIRD Cyber is a program to promote collaboration on cybersecurity and emerging technologies aimed at enhancing the cyber resilience of critical infrastructure.

rSolutions

rSolutions

rSolutions delivers managed cybersecurity services to clients in many industry sectors including financial services, telecommunications, energy, government and retail.

Ceeyu

Ceeyu

Ceeyu is an all-in-one cybersecurity ratings and third party risk management platform.

Recast Software

Recast Software

Recast Software exists to simplify the work of IT teams and enable them to create highly secure and compliant environments.

NSW IT Support

NSW IT Support

NSW IT Support: Your exclusive hub for comprehensive Business IT services in Sydney. Our skilled team ensures seamless technology solutions nationwide, consistently delivering top-tier IT support.

Multidisciplinary Institute for Cybersecurity and Cyber Resilience (IMC2)

Multidisciplinary Institute for Cybersecurity and Cyber Resilience (IMC2)

IMC2 brings together resources to carry out ambitious, innovative and multidisciplinary projects in the field of cybersecurity and cyber resilience.

Wattlecorp Cybersecurity Labs

Wattlecorp Cybersecurity Labs

Wattlecorp Cybersecurity Labs are a group of IT security specialists, ethical hackers, and researchers driven to identify security flaws before cyber threat actors does.

Net Essence

Net Essence

Net Essence is a Managed IT Services Provider. We deliver effective, reliable and fit-for-purpose IT solutions for SMEs based in the UK.