Got Good Cyber Insurance Cover? Beware of Holes in Your Policy.

Uploaded on 2015-06-19 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Financial

 CyberPolicyHoles-480px.jpg

A brand new decision from a federal trial court in Utah is a sobering reminder that just because you have purchased “cyber” insurance does not mean that your insurance company will pay a cyber-related claim. 
 
In Travelers Property Casualty Company of America et al. v. Federal Recovery Services et al., the insurance company sued its policyholder for a declaration of no coverage under a CyberFirst liability insurance policy it had sold. The policyholder was in the business of processing and storing data for its clients. In this case, the policyholder was storing and processing data for a client that offered fitness center memberships. 
 
Those gym members provided to the policyholder “either credit card or bank account information through which [the gym] could bill the members.” According to the decision, for cyber “security purposes, the only copy of the Member Accounts Data was retained by [the policyholder] on behalf of [the gym].” After the fitness chain was purchased by another fitness center company, the client requested that the policyholder return all of the stored data. The policyholder “had provided all of the Member Accounts Data except the credit card, checking account, and savings account information.” 
 
After a dispute arose over the data that was not returned despite numerous requests by the client, the client sued the policyholder. In its amended complaint, the client asserted claims against the policyholder for, among other things, tortious interference, breach of contract and the implied covenant of good faith and fair dealing, and promissory estoppel.
 
The policyholder sought insurance coverage under the CyberFirst policy that it had purchased. The policy included a “Network and Information Security Liability Form” and a “Technology Errors and Omissions Liability Form.” The Utah court held, however, that the underlying claims were not covered by the cyber liability policy because there were no allegations of neglect. Rather, the court determined that the underlying allegations all involved intentional/willful conduct of the policyholder. 
 
Specifically, the CyberFirst policy stated that “‘errors and omissions wrongful act’ means any error, omission or negligent act.” Putting to the side the correctness of the interpretation of the allegations of the underlying complaint by both the insurance company and the court, this type of insurance coverage dispute can be avoided by purchasing better cyber E&O terms in the first instance. We have long recommended that policyholders buying E&O insurance purchase “wrongful acts” coverage that is broader in scope and more akin to the type of defined terms provided by most D&O insurance policies. This is especially important in an age where alternative theories of liability are often pursued (e.g., fraud, breach of contract, negligence, strict liability, etc.). 
 
A typical D&O policy definition, for instance, provides insurance coverage for any alleged act, error, misstatement, misleading statement, omission, neglect or breach of duty. Such a definition is often available in E&O policies as well as D&O insurance policies. Such a definition of wrongful act should have certainly overcome the interpretation applied by the Utah court.
 
The risk of an E&O insurance company arguing that its insurance policy only provides coverage for claims sounding in “negligence” has been around for a while — particularly in the context of computer technology-related claims. See, e.g., USM Corp. v. First State Ins. Co. (1995 Massachusetts high court ruling rejecting insurance company’s argument that E&O insurance policy did not cover a claim for a computer system that failed to function properly — even though no negligence claim was asserted).
 
What is not clear from the Utah trial court’s ruling is why the allegations could not have been construed as comprising a form of omission — namely, the failure to return the data sought by the underlying claimant. The sentence structure of the CyberFirst policy indicates that “negligent” could not be read to modify “omission.”  One definition of “omission” is “a failure to do something, especially something that one has a moral or legal obligation to do.”  It would seem coverage should have been granted.  Perhaps an appeal is in the works? Stay tuned.
AgentsOfAmerica:  http://bit.ly/1Fp66Le

 

« Digital Currencies: A Gold Standard for Bitcoin
What’s in the New UK Surveillance Bill? »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Pen Test Partners LLP

Pen Test Partners LLP

Pen Test Partners provides penetration testing, security assessment and training services.

CERT.at

CERT.at

CERT.at is the Austrian national Computer Emergency Response Team.

Axiomatics

Axiomatics

Axiomatics provides dynamic authorization and access control solutions to protect critical data assets.

Guardtime

Guardtime

Guardtime's Black Lantern platform provides real-time cybersecurity and data-centric asset protection.

Pole SCS (Secure Communicating Solutions)

Pole SCS (Secure Communicating Solutions)

SCS is a world-class competitiveness cluster dedicated to digital technologies in the fields of Microelectronics, Internet Of Things, Digital Security, Artificial Intelligence And Big Data.

Cybersecurity Innovation Hub

Cybersecurity Innovation Hub

The main objective of the Hub is to bring cybersecurity and other advanced technologies closer to companies and as a result help to increase their performance as Industry 4.0.

Kleiner Perkins

Kleiner Perkins

For five decades, Kleiner Perkins has made history by partnering with some of the most ingenious and forward-thinking founders in technology and life sciences.

Trail of Bits

Trail of Bits

Trail of Bits combine high-end security research with a real-world attacker mentality to reduce risk and fortify code.

SuperCom

SuperCom

SuperCom are a global secure solutions integrator and technology provider for governments and other consumers facing organizations around the world.

MicroSec

MicroSec

MicroSec is a company specializing in IoT security. We focus on bringing enterprise grade security to IoT and embedded systems.

Kocho

Kocho

Kocho (formerly TiG) is a provider of identity and access, cyber security, cloud transformation, and managed IT services.

Axellio

Axellio

Axellio provides economic, end-to-end cyber security solutions designed for your team, environment, and security objectives, providing packet level visibility across your network.

Computacenter

Computacenter

Computacenter is a leading independent technology partner, trusted by large corporate and public sector organisations. We help our customers to source, transform and manage their IT infrastructure.

Unified National Networks (UNN)

Unified National Networks (UNN)

UNN’s mission is to unify the national networks and create a modern and cost efficient digital platform connecting the entire country.

Indevtech

Indevtech

Indevtech has been serving Hawaii since 2001, providing end-to-end managed IT services to small- and medium-businesses.

OpenAI

OpenAI

OpenAI is an AI research and deployment company dedicated to ensuring that general-purpose artificial intelligence benefits all of humanity.