Got Good Cyber Insurance Cover? Beware of Holes in Your Policy.


A brand new decision from a federal trial court in Utah is a sobering reminder that just because you have purchased “cyber” insurance does not mean that your insurance company will pay a cyber-related claim. 
 
In Travelers Property Casualty Company of America et al. v. Federal Recovery Services et al., the insurance company sued its policyholder for a declaration of no coverage under a CyberFirst liability insurance policy it had sold. The policyholder was in the business of processing and storing data for its clients. In this case, the policyholder was storing and processing data for a client that offered fitness center memberships. 
 
Those gym members provided to the policyholder “either credit card or bank account information through which [the gym] could bill the members.” According to the decision, for cyber “security purposes, the only copy of the Member Accounts Data was retained by [the policyholder] on behalf of [the gym].” After the fitness chain was purchased by another fitness center company, the client requested that the policyholder return all of the stored data. The policyholder “had provided all of the Member Accounts Data except the credit card, checking account, and savings account information.” 
 
After a dispute arose over the data that was not returned despite numerous requests by the client, the client sued the policyholder. In its amended complaint, the client asserted claims against the policyholder for, among other things, tortious interference, breach of contract and the implied covenant of good faith and fair dealing, and promissory estoppel.
 
The policyholder sought insurance coverage under the CyberFirst policy that it had purchased. The policy included a “Network and Information Security Liability Form” and a “Technology Errors and Omissions Liability Form.” The Utah court held, however, that the underlying claims were not covered by the cyber liability policy because there were no allegations of neglect. Rather, the court determined that the underlying allegations all involved intentional/willful conduct of the policyholder. 
 
Specifically, the CyberFirst policy stated that “‘errors and omissions wrongful act’ means any error, omission or negligent act.” Putting to the side the correctness of the interpretation of the allegations of the underlying complaint by both the insurance company and the court, this type of insurance coverage dispute can be avoided by purchasing better cyber E&O terms in the first instance. We have long recommended that policyholders buying E&O insurance purchase “wrongful acts” coverage that is broader in scope and more akin to the type of defined terms provided by most D&O insurance policies. This is especially important in an age where alternative theories of liability are often pursued (e.g., fraud, breach of contract, negligence, strict liability, etc.). 
 
A typical D&O policy definition, for instance, provides insurance coverage for any alleged act, error, misstatement, misleading statement, omission, neglect or breach of duty. Such a definition is often available in E&O policies as well as D&O insurance policies. Such a definition of wrongful act should have certainly overcome the interpretation applied by the Utah court.
 
The risk of an E&O insurance company arguing that its insurance policy only provides coverage for claims sounding in “negligence” has been around for a while — particularly in the context of computer technology-related claims. See, e.g., USM Corp. v. First State Ins. Co. (1995 Massachusetts high court ruling rejecting insurance company’s argument that E&O insurance policy did not cover a claim for a computer system that failed to function properly — even though no negligence claim was asserted).
 
What is not clear from the Utah trial court’s ruling is why the allegations could not have been construed as comprising a form of omission — namely, the failure to return the data sought by the underlying claimant. The sentence structure of the CyberFirst policy indicates that “negligent” could not be read to modify “omission.”  One definition of “omission” is “a failure to do something, especially something that one has a moral or legal obligation to do.”  It would seem coverage should have been granted.  Perhaps an appeal is in the works? Stay tuned.
AgentsOfAmerica:  http://bit.ly/1Fp66Le

 
