Got Good Cyber Insurance Cover? Beware of Holes in Your Policy.

Uploaded on 2015-06-19 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Financial

 CyberPolicyHoles-480px.jpg

A brand new decision from a federal trial court in Utah is a sobering reminder that just because you have purchased “cyber” insurance does not mean that your insurance company will pay a cyber-related claim. 
 
In Travelers Property Casualty Company of America et al. v. Federal Recovery Services et al., the insurance company sued its policyholder for a declaration of no coverage under a CyberFirst liability insurance policy it had sold. The policyholder was in the business of processing and storing data for its clients. In this case, the policyholder was storing and processing data for a client that offered fitness center memberships. 
 
Those gym members provided to the policyholder “either credit card or bank account information through which [the gym] could bill the members.” According to the decision, for cyber “security purposes, the only copy of the Member Accounts Data was retained by [the policyholder] on behalf of [the gym].” After the fitness chain was purchased by another fitness center company, the client requested that the policyholder return all of the stored data. The policyholder “had provided all of the Member Accounts Data except the credit card, checking account, and savings account information.” 
 
After a dispute arose over the data that was not returned despite numerous requests by the client, the client sued the policyholder. In its amended complaint, the client asserted claims against the policyholder for, among other things, tortious interference, breach of contract and the implied covenant of good faith and fair dealing, and promissory estoppel.
 
The policyholder sought insurance coverage under the CyberFirst policy that it had purchased. The policy included a “Network and Information Security Liability Form” and a “Technology Errors and Omissions Liability Form.” The Utah court held, however, that the underlying claims were not covered by the cyber liability policy because there were no allegations of neglect. Rather, the court determined that the underlying allegations all involved intentional/willful conduct of the policyholder. 
 
Specifically, the CyberFirst policy stated that “‘errors and omissions wrongful act’ means any error, omission or negligent act.” Putting to the side the correctness of the interpretation of the allegations of the underlying complaint by both the insurance company and the court, this type of insurance coverage dispute can be avoided by purchasing better cyber E&O terms in the first instance. We have long recommended that policyholders buying E&O insurance purchase “wrongful acts” coverage that is broader in scope and more akin to the type of defined terms provided by most D&O insurance policies. This is especially important in an age where alternative theories of liability are often pursued (e.g., fraud, breach of contract, negligence, strict liability, etc.). 
 
A typical D&O policy definition, for instance, provides insurance coverage for any alleged act, error, misstatement, misleading statement, omission, neglect or breach of duty. Such a definition is often available in E&O policies as well as D&O insurance policies. Such a definition of wrongful act should have certainly overcome the interpretation applied by the Utah court.
 
The risk of an E&O insurance company arguing that its insurance policy only provides coverage for claims sounding in “negligence” has been around for a while — particularly in the context of computer technology-related claims. See, e.g., USM Corp. v. First State Ins. Co. (1995 Massachusetts high court ruling rejecting insurance company’s argument that E&O insurance policy did not cover a claim for a computer system that failed to function properly — even though no negligence claim was asserted).
 
What is not clear from the Utah trial court’s ruling is why the allegations could not have been construed as comprising a form of omission — namely, the failure to return the data sought by the underlying claimant. The sentence structure of the CyberFirst policy indicates that “negligent” could not be read to modify “omission.”  One definition of “omission” is “a failure to do something, especially something that one has a moral or legal obligation to do.”  It would seem coverage should have been granted.  Perhaps an appeal is in the works? Stay tuned.
AgentsOfAmerica:  http://bit.ly/1Fp66Le

 

« Digital Currencies: A Gold Standard for Bitcoin
What’s in the New UK Surveillance Bill? »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

NextPlane

NextPlane

NextPlane provide secure real-time B2B unified communication and collaboration solutions within and across business systems.

Andrisoft

Andrisoft

Andrisoft develops WANGUARD, an anti-DDoS Software solution that monitors IP traffic using packet-based and flow-based Sensors, and protects networks

tietoEVRY

tietoEVRY

TietoEVRY creates digital advantage for businesses and society. We are a leading digital services and software company with local presence and global capabilities.

CRU Data Security Group (CDSG)

CRU Data Security Group (CDSG)

CRU is a pioneer in devices for data mobility, data security, encryption, and digital investigation.

Rafael

Rafael

Rafael has more than 15 years of proven experience in the cyber arena providing solutions for national security as well as commercial applications.

RedSeal

RedSeal

RedSeal’s network modeling and risk scoring platform is the foundation for enabling enterprise networks to be resilient to cyber events.

Trustless Computing Association (TCA)

Trustless Computing Association (TCA)

TCA is is a non-profit organization promoting the creation and wide availability of IT and AI technologies that are radically more secure and accountable than today’s state of the art.

Archivo

Archivo

Archivo is a value added reseller focused on Disaster Recovery as a Service (DRaaS), backup, hyper-convergence, hybrid storage and Cyber security.

Ensconce Data Technology (EDT)

Ensconce Data Technology (EDT)

EDT’s focus is on providing solutions to properly sanitize Solid State Drives (SSD) and Magnetic Drives (HDD) before they are disposed or redeployed.

Global Cyber Security Capacity Centre (GCSCC) - Oxford University

Global Cyber Security Capacity Centre (GCSCC) - Oxford University

GCSCC's work is focused on developing a framework for understanding what works, what doesn’t work and why – across all areas of cybersecurity capacity.

Silicon Cloud International

Silicon Cloud International

Silicon Cloud is a high performance and secure cloud computing platform for engineering and scientific applications.

CyGlass

CyGlass

CyGlass simply and effectively identifies, detects, and responds to threats to your network without requiring any additional hardware, software, or people.

VC3

VC3

VC3 provides a full range of Information Technology Solutions and Services to hundreds of municipalities and organizations throughout the USA.

Readynez

Readynez

Readynez is the digital skills concierge service that helps you ensure your workforce has the tech skills and resources needed to stay ahead of the digital curve.

Waterleaf International

Waterleaf International

Waterleaf provide advanced network and cybersecurity solutions - informed by data sciences. Transforming Connectivity, Security and Information for Municipalities, Government & Enterprise.

Amtivo Group

Amtivo Group

Amtivo provides Certification, Inspection and Training services to national and local Government bodies, multi-nationals, enterprise clients and SMEs.