Got Good Cyber Insurance Cover? Beware of Holes in Your Policy.

 CyberPolicyHoles-480px.jpg

A brand new decision from a federal trial court in Utah is a sobering reminder that just because you have purchased “cyber” insurance does not mean that your insurance company will pay a cyber-related claim. 
 
In Travelers Property Casualty Company of America et al. v. Federal Recovery Services et al., the insurance company sued its policyholder for a declaration of no coverage under a CyberFirst liability insurance policy it had sold. The policyholder was in the business of processing and storing data for its clients. In this case, the policyholder was storing and processing data for a client that offered fitness center memberships. 
 
Those gym members provided to the policyholder “either credit card or bank account information through which [the gym] could bill the members.” According to the decision, for cyber “security purposes, the only copy of the Member Accounts Data was retained by [the policyholder] on behalf of [the gym].” After the fitness chain was purchased by another fitness center company, the client requested that the policyholder return all of the stored data. The policyholder “had provided all of the Member Accounts Data except the credit card, checking account, and savings account information.” 
 
After a dispute arose over the data that was not returned despite numerous requests by the client, the client sued the policyholder. In its amended complaint, the client asserted claims against the policyholder for, among other things, tortious interference, breach of contract and the implied covenant of good faith and fair dealing, and promissory estoppel.
 
The policyholder sought insurance coverage under the CyberFirst policy that it had purchased. The policy included a “Network and Information Security Liability Form” and a “Technology Errors and Omissions Liability Form.” The Utah court held, however, that the underlying claims were not covered by the cyber liability policy because there were no allegations of neglect. Rather, the court determined that the underlying allegations all involved intentional/willful conduct of the policyholder. 
 
Specifically, the CyberFirst policy stated that “‘errors and omissions wrongful act’ means any error, omission or negligent act.” Putting to the side the correctness of the interpretation of the allegations of the underlying complaint by both the insurance company and the court, this type of insurance coverage dispute can be avoided by purchasing better cyber E&O terms in the first instance. We have long recommended that policyholders buying E&O insurance purchase “wrongful acts” coverage that is broader in scope and more akin to the type of defined terms provided by most D&O insurance policies. This is especially important in an age where alternative theories of liability are often pursued (e.g., fraud, breach of contract, negligence, strict liability, etc.). 
 
A typical D&O policy definition, for instance, provides insurance coverage for any alleged act, error, misstatement, misleading statement, omission, neglect or breach of duty. Such a definition is often available in E&O policies as well as D&O insurance policies. Such a definition of wrongful act should have certainly overcome the interpretation applied by the Utah court.
 
The risk of an E&O insurance company arguing that its insurance policy only provides coverage for claims sounding in “negligence” has been around for a while — particularly in the context of computer technology-related claims. See, e.g., USM Corp. v. First State Ins. Co. (1995 Massachusetts high court ruling rejecting insurance company’s argument that E&O insurance policy did not cover a claim for a computer system that failed to function properly — even though no negligence claim was asserted).
 
What is not clear from the Utah trial court’s ruling is why the allegations could not have been construed as comprising a form of omission — namely, the failure to return the data sought by the underlying claimant. The sentence structure of the CyberFirst policy indicates that “negligent” could not be read to modify “omission.”  One definition of “omission” is “a failure to do something, especially something that one has a moral or legal obligation to do.”  It would seem coverage should have been granted.  Perhaps an appeal is in the works? Stay tuned.
AgentsOfAmerica:  http://bit.ly/1Fp66Le

 

« Digital Currencies: A Gold Standard for Bitcoin
What’s in the New UK Surveillance Bill? »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

XenArmor

XenArmor

XenArmor products include NetCertScanner, an enterprise software to scan & manage expired SSL Certificates on your local network or internet.

CERT NZ

CERT NZ

CERT NZ supports businesses, organisations and individuals affected by cyber security incidents, and provide trusted and authoritative information and advice.

Aiuken Cybersecurity

Aiuken Cybersecurity

Aiuken is an international IT Security company, focused on communications and IT technologies, specialised in Security and Cloud Services solutions with high added value.

ZeroNorth

ZeroNorth

ZeroNorth provides a new approach to improve software and infrastructure security, simplify continuous compliance reporting and to create more cost-effective risk management programs.

ReFirm Labs

ReFirm Labs

ReFirm Labs provides the tools you need for firmware security, vetting, analysis and continuous IoT security monitoring.

Greensafe IT

Greensafe IT

Greensafe offer various onsite and offsite data erasure services, aimed at increasing data security whilst reducing any risk of data loss during transit.

Data Destruction London

Data Destruction London

Data Destruction London offers fast, confidential and compliant expert data destruction services to businesses and organisations in London.

689cloud

689cloud

689Cloud is a cloud content collaboration platform that allows users to protect, track, and control files AFTER they have been shared.

BOXX Insurance

BOXX Insurance

BOXX Insurance Inc. is a new type of insurance company for a new type of risk. Cyberboxx is the first fully-integrated cybersecurity and insurance solution for small-to-medium-sized businesses.

Ermetic

Ermetic

Ermetic’s identity-first cloud infrastructure security platform provides holistic, multi-cloud protection in an easy-to-deploy SaaS solution.

KSOC Labs

KSOC Labs

KSOC is an event-driven SaaS platform built to automatically remediate Kubernetes security risks.

Cyberani Solutions

Cyberani Solutions

Cyberani Solutions was created to fulfill the cybersecurity needs of industry and government in Saudi Arabia, and across the Middle East and North Africa regions.

ABM Technology Group

ABM Technology Group

ABM Technology Group (formerly True IT) provide business information technology services, solutions, and consulting for small to mid-sized organizations.

Benchmark IT Services (BITS)

Benchmark IT Services (BITS)

BITS is a leading cyber security company in Australia. Our certified professionals work with you to keep your data assets safe and secure.

Telenor Cyberdefence

Telenor Cyberdefence

Telenor Cyberdefence is a newly established (2024) cloud-born Managed Security Service Provider focused on the Nordic markets.

Fusion5

Fusion5

Fusion5 is a leading ANZ Business Services and IT Solutions provider. Our customers trust us to make their potential reality by providing advisory, IT project deployment, and managed services.