5 Ransomware Ideas, or You’ll WannaCry

A massive cyberattack involving a ransomware software program called Wanna Decryptor, also known as “WannaCry,” recently swept the globe, freezing computer systems and causing major disruptions. The attack — which is the largest ransomware infestation ever — affected tens of thousands of organizations across the globe and a wide range of industry sectors, including the U.K.’s National Health Service (NHS), Spanish telecom giant Telefonica, French car maker Renault, Portugal’s Telecom and U.S. delivery company FedEx, among many others. The attack reportedly affected nearly 150 countries.

Ransomware (a combination of the terms “malware” and “ransom”) has become an increasingly common form of cyber extortion. It often involves extortionists taking control of a computer system and locking files and data on the system by encryption, thereby rendering them inaccessible and useless, until a demand for payment, typically in Bitcoin, is satisfied. A typical form of ransomware, WannaCry does the following: 1) locks all data on the victims’ computer systems; 2) informs victims that their files have been encrypted; 3) warns that those files will be deleted unless payment in Bitcoin is received; and 4) provides instructions for executing and sending the payment.

Ransomware has become frighteningly pervasive and increasingly serious and expensive. Ransomware attacks quadrupled from 2015 through 2016, to an estimated 4,000 per day according to the U.S. Department of Justice and, as punctuated by WannaCry, are projected to double yet again in 2017. These types of cyberattacks can, and do, cause significant operational disruption, often halting a business in its tracks, damage reputations and create other types of losses and exposures. Every industry sector is seeing an increasing threat, with the healthcare and education sectors particularly targeted. Other forms of cyberextortion — including threats to obtain or release protected information, such as personally identifiable customer data, protected health information and confidential corporate information, or to discharge denial-of-service attacks that disrupt an organization’s networks, causing business interruption — also entail significant potential exposure to organizations.

See also: The Growing Problem of Ransomware

Here we offer five insurance and other considerations for organizations to consider in the face of an enormous uptick in increasingly severe ransomware attacks and other forms of cyberextortion:

1. Consider purchasing “cyberextortion” insurance. No firewall is unbreachable, and no security system impenetrable. In the context of this reality, insurance can play a vital role in a company’s overall strategy to address, mitigate and maximize protection against the legal and other exposures flowing from serious cybersecurity, privacy and data protection-related incidents. Importantly, almost all stand-alone so-called “cyber” insurance policies offer coverage for ransomware and other forms of cyberextortion. This type of coverage is specifically designed to cover losses and expenses that an organization incurs in the wake of a cyberextortion incident like the WannaCry software virus, together with myriad other forms of first and third-party cybersecurity and data privacy-related exposures, including coverage for crisis management (such as notification to potentially affected individuals, credit monitoring and call center services), data breach and network security-related claims and liability, including regulatory liability, business income loss, and digital asset loss. Cyberextortion coverage can be extremely valuable as a way for organizations to address and mitigate losses arising from mounting extortion threats, and many organizations now purchase this coverage as part of their cyberinsurance programs.

2. Closely review cyberextortion insurance terms and conditions. It is clear that cyberinsurance can be extremely valuable, but obtaining the right insurance product presents significant challenges. There is a diverse and growing array of cyberinsurance products in the marketplace, each with its own insurer-drafted terms and conditions that vary dramatically from insurer to insurer — and even between cyberinsurance policies underwritten by the same insurer. In addition, the specific needs of different industry sectors, and different organizations within those sectors, are far-reaching and diverse. For these reasons, organizations purchasing cyberinsurance, and the cyberextortion components of that insurance, are well advised to closely review the terms and conditions of the coverage to ensure that the organization’s cyber extortion risk will be covered, without a protracted battle with the insurer, in the wake of an attack. Among other things, organizations are advised to consider the following:

  • Scope of coverage. Cyberextortion coverage should be written to cover as broad a range of potential attacks, and potential exposure outcomes, as possible. The coverage should include any threat to harm, impair access to or engage in unauthorized access to, relevant computer systems and the applications, files and data residing on those systems, together with any threat to access or divulge any sensitive information in the organization’s possession or control.
  • Key definitions. Key definitions must be sufficiently broad to match the reality of risk faced by the insured organization. By way of example, in addition to definitions that define the scope of coverage, definitions governing the types of losses and expenses that are covered should be carefully reviewed. The policy should cover reasonable and necessary expenses incurred by the insured organization resulting from a covered threat, including the costs of investigating and assessing a threat (even if no ransom is paid), should expressly cover payment of cryptocurrencies (including Bitcoin), as well as, preferably, any other consideration or action that may be demanded by the extortionists, and should cover reasonable and necessary expenses incurred to mitigate or reduce other covered expenses.
  • Conditions. Organizations are advised to pay close attention to policy conditions, including notice and consent provisions, proof of loss provisions, allocation provisions, alternative dispute resolution provisions and any requirements that the organization notify law enforcement of the incident at issue. The importance of notice provisions is addressed in further detail below. Consent provisions may be favorably amended to state that an insurer’s consent to satisfying the extortion demand “shall not be unreasonably withheld.” Other provisions, such as the requirement of involving authorities, may be deleted. As discussed more below, cyberinsurance policies are highly negotiable, and very favorable amendments can often be made for no additional premium charge.
  • Exclusions. It also is critical that organizations be aware of any insurance policy exclusions that may vitiate the coverage that the policy was intended to cover. By way of example, cyberinsurance policies typically contain a “bodily injury” exclusion. Such an exclusion may pose a particular problem for hospitals and other healthcare providers, which rely on access to patients’ medical records to provide appropriate care and treatment. As with other exclusions, it may be possible to significantly curtail or delete bodily injury exclusions. Many other types of exclusions can be curtailed or deleted — often for no additional policy premium.
  • Sublimits and retentions. It is clearly important that a cyberinsurance sublimit of liability (a ceiling on the amount of coverage available to cover a specific type of loss at issue) be sufficient to cover the organization’s potential exposure. Like other facets of cyberinsurance coverage, including coverage for losses associated with regulatory action and PCI DSS-related liabilities, cyberextortion coverage may be written subject to a relatively low sublimit, such that, for example, a $10 million limit primary policy may provide only $250,000 or $500,000 for cyberextortion losses. In addition to policy limits, organizations are advised to pay attention to self-insurance features, such as policy retentions or deductibles, which typically range from $0 to in excess of $5 million. As with the case of other cyberinsurance terms and conditions, sublimits and retentions usually are negotiable. On a related point, as discussed further below, what starts with an extortion threat can end up triggering many different modular aspects of cyberinsurance coverage. It, therefore, is important that the policy contain a provision stating that an extortion threat, together with any other first- or third-party covered events that trigger different coverage sections of a policy, are subject only to a single retention, and that any lower retention amount applicable to a particular coverage section, such as a cyber extortion section, is met when that lower retention amount is satisfied by payment of loss under that coverage section.

Although placing coverage in this dynamic space presents a challenge, it also presents substantial opportunity. The cyberinsurance market is competitive, and cyberinsurance policies are highly negotiable. This means that the terms of the insurers’ off-the-shelf policy forms often can be significantly enhanced and customized to respond to the insured’s particular circumstances. Frequently, very significant enhancements can be achieved for no increase in premium. Before an attack occurs, organizations are encouraged to negotiate and place the best possible coverage to decrease the likelihood of a coverage denial and litigation. A well-drafted policy will reduce the likelihood that an insurer will be able to successfully avoid or limit insurance coverage in the event of a claim.

3. Provide notice and comply with other policy conditions. Insurance policies typically contain notification provisions stating that the insured organization must provide notice within a certain time frame, often “as soon as practicable,” even “immediately,” after the organization becomes aware of an incident. Although providing notice to an insurer may not be top of mind in a cyberattack, particularly where the demand is far below the policy retention or deductible, it is important for an organization to reasonably comply with notice provisions (and other policy conditions, including consent provisions) to not jeopardize, or delay, coverage. In the context of providing notice, moreover, it is important for organizations to recognize that what begins as a relatively low cyberextortion demand may quickly evolve into an incident or series of related events that triggers other first-party coverage sections of the insurance policy, such as the business income loss coverage (an extortion event may result in a significant loss of business income), extra expense coverage, digital asset loss recovery/restoration coverage and crisis management coverage and, to the extent personally identifiable information or protected health information may have been compromised, for example, the third-party claim coverage sections of the policy, including coverage for data breach-related lawsuits and regulatory liability. Indeed, a ransom demand may be deployed as a purposeful diversion from a different, principal goal, such as stealing sensitive records. Recognizing this reality, it is important that the organization be aware of, and reasonably comply with, notice provisions to avoid a coverage defense based on purported late notice.

In addition, providing notification can provide the insured organization with valuable coverage for costs related to the extortion threat, such as a forensics investigation, which may reveal other malware on the computer system, stop the intrusion and block future extortion attempts, a consultant to utilize decryption keys or to recreate the files and data at issue, and, where appropriate, legal counsel. The bottom line: In the event of a cyberextortion demand, organizations are advised to provide notice under all potentially implicated policies, excepting in particular circumstances that may justify refraining to do so, and to carefully evaluate all potentially applicable coverages.

4. Maximize coverage across the entire insurance program. Although cyberextortion coverage is an obvious place to look for coverage in the wake of a ransomware attack or other cyberextortion incident, organizations are advised to consider all potentially applicable insurance policies and coverages. As noted above, a cyberextortion incident may trigger various other coverages under the organization’s cyberinsurance program, and also may trigger other insurance policies and programs, such as computer crime policies and kidnap and ransom policies. The various types of insurance policies that may be triggered by a cyberattack likely carry different insurance limits, deductibles, retentions and other self-insurance features, together with various different and potentially conflicting provisions addressing, for example, other insurance, erosion of self-insurance and stacking of limits. For this reason, in addition to considering the scope of substantive coverage under an insured’s different policies, it is important to carefully consider the best strategy for pursuing coverage in a manner that will most effectively and efficiently maximize the potentially available coverage across the insured’s entire insurance portfolio. Absent a compelling reason, notice should be provided under all policies that potentially provide coverage.

5. Exercise business continuity and improve computer security. Insurance aside, the best protection against a ransomware attack is to have all files and data securely backed up, in a separate physical location, or at least on a separate system, so that extortionists cannot permanently destroy business-critical information that could not otherwise be recovered. It also is important to reflect on how these types of attacks occur. Cyberextortionists must download malicious software onto a system, or a connected device, and this often is achieved by tricking employees into clicking on attachments or links in phishing emails, which increasingly look convincing. Therefore, improving computer security is essential, including through antivirus programs, spam filters, firewalls, installation of software updates and security patches (early reports indicate that WannaCry appears to exploit a vulnerability in Windows that Microsoft patched on March 14, which would have automatically protected those computers with Windows Update enabled), disabling of macro scripts and using application whitelists, which only allow approved files to execute. Likewise, training employees to recognize and avoid social engineering exploits such as phishing emails is key in negating or minimizing ransomware threats. Organizations also are advised to consider incorporating ransomware attack scenarios into their incident response planning.

See also: Ransomware: Your Money or Your Data!

A well-negotiated insurance program, together with solid business continuity planning and comprehensive, active cybersecurity policies and procedures, will position an organization to be resilient in the face of the serious and escalating threat posed by cyberextortion.

This article originally appeared on Law 360.

5 Tips for Success in Cyber Litigation

Many insurance coverage disputes can be, should be and are settled without the need for litigation and its attendant costs and distractions. However, some disputes cannot be settled, and organizations are compelled to resort to courts or other tribunals to obtain the coverage they paid for, or, with increasing frequency, they are pulled into proceedings by insurers seeking to preemptively avoid coverage. As illustrated by CNA’s recently filed coverage action against its insured in Columbia Casualty Company v. Cottage Health System, in which CNA seeks to avoid coverage for a data breach class action lawsuit and related regulatory investigation, cyber insurance coverage litigation is coming. And in the wake of a data breach or other privacy, cybersecurity, or data protection-related incident, organizations regrettably should anticipate that their cyber insurer may deny coverage for a resulting claim against the policy.

Before a claim arises, organizations are encouraged to negotiate and place the best possible coverage to decrease the likelihood of a coverage denial and litigation. In contrast to many other types of commercial insurance policies, cyber insurance policies are extremely negotiable, and the insurers’ off-the-shelf forms typically can be significantly negotiated and improved for no increase in premium. A well-drafted policy will reduce the likelihood that an insurer will be able to successfully avoid or limit insurance coverage in the event of a claim.

Even where a solid insurance policy is in place, however, and there is a good claim for coverage under the policy language and applicable law, insurers can and do deny coverage. In these and other instances, litigation presents the only method of obtaining or maximizing coverage for a claim.

When facing coverage litigation, organizations are advised to consider the following five strategies for success:

1. Tell a Concise, Compelling Story

In complex insurance coverage litigation, there are many moving parts, and the issues are typically nuanced. It is critical, however, that these complex issues come across to a judge, jury or arbitrator as relatively simple and straightforward. Getting overly caught up in the weeds of policy interpretive and legal issues, particularly at the outset, risks losing the organization’s critical audience and obfuscating a winningly concise, compelling story that is easy to understand, follow and sympathize with. Boiled down to its essence, the story may be—and in this context often is—something as simple as:

“They promised to protect us from a cyber breach if we paid the insurance premium. We paid the premium. They broke their promise.”

2. Place the Story in the Right Context

It is critical to place the story in the proper context because, unfortunately, many insurers in this space, whether by negligent deficit or deliberate design, are selling products that do not reflect the reality of e-commerce and its risks. Many off-the-shelf cyber insurance policies, for example, limit the scope of coverage to only the insured’s own acts and omissions, or only to incidents that affect the insured’s network. Others contain broadly worded, open-ended exclusions like the one at issue in the Columbia Casualty case, which insurers may argue, as CNA argues, can vaporize the coverage ostensibly provided under the policy. These types of exclusions invite litigation and, if enforced literally, can be acutely problematic. There are myriad other traps in cyber insurance policies—even more in those that are not carefully negotiated—that may allow insurers to avoid coverage if the language were applied literally.

If the context is carefully framed and explained, however, judges, juries and arbitrators should be inhospitable to the various “gotcha” traps in these policies. Taking the Columbia Casualty case as an example, the insurer, CNA, relies principally upon an exclusion, titled “Failure to Follow Minimum Required Practices.” As quoted by CNA in its complaint, the exclusion purports to void coverage if the insured fails to “continuously implement” certain aspects of computer security. In this context, however, given the extreme complexity of cybersecurity and data protection, any insured can reasonably be expected to make mistakes in implementing security. This reality is, in fact, a principal reason for purchasing cyber liability coverage in the first place. Indeed, CNA represents in its marketing materials that the policy at issue in Columbia Casualty offers “exceptional first- and third-party cyber liability coverage to address a broad range of exposures,” including “security breaches” and “mistakes”:

“CNA NetProtect fills the gaps by offering exceptional first- and third-party cyber liability coverage to address a broad range of exposures. CNA NetProtect covers insureds for exposures that include security breaches, mistakes and unauthorized employee acts, virus attacks, hacking, identity theft or private information loss, and infringing or disparaging content. CNA NetProtect coverage is worldwide, claims-made with limits up to $10 million.”

It is important to use the discovery phase to fully flesh out the context of the insurance and the entire insurance transaction in addition to the meaning, intent and interpretation of the policy terms and conditions, claims handling and other matters of importance depending on the particular circumstances of the coverage action.

3. Secure the Best Potential Venue and Choice of Law

One of the first and most critical decisions that an organization contemplating insurance coverage litigation must make is the appropriate forum for the litigation. This decision, which may be affected by whether the policy contains a forum selection clause, can be critical to potential success. Among other reasons, the choice of forum may have a significant impact on the related choice-of-law issue, which in some cases determines the outcome. Insurance contracts are interpreted according to state law, and the various state courts diverge widely on issues surrounding insurance coverage. Until the governing law applicable to an insurance contract is established, the policy can be, in a figurative and yet a very real sense, a blank piece of paper. The different interpretations given the same language from one state to the next can mean the difference between a coverage victory and a loss. It is therefore critical to undertake a careful choice-of-law analysis before initiating coverage litigation, selecting a venue or, where the insurer files first, taking a choice-of-law position or deciding whether to challenge the insurer’s selected forum.

4. Consider Bringing in Other Carriers

Often, when there is a cybersecurity, privacy or data protection-related issue, more than one insurance policy may be triggered. For example, a data breach like Target’s may implicate an organization’s cyber insurance, commercial general liability (CGL) insurance and directors’ and officers’ liability insurance. To the extent that insurers on different lines of coverage have denied coverage, it may be beneficial for the organization to have those insurance carriers pointing the finger at each other throughout the insurance coverage proceedings.

A judge, arbitrator or jury may find it offensive if an organization’s CGL insurer is arguing, on the one hand, that a data breach is not covered because of a new exclusion in the CGL policy and the organization’s cyber insurer also is arguing that the breach is not covered under the cyber policy that was purchased to fill the “gap” in coverage created by the CGL policy exclusion. It is also important to carefully consider the best strategy to maximize the potentially available coverage across the insured’s entire insurance portfolio and each triggered policy.

5. Retain Counsel With Cyber Insurance Expertise

Cyber insurance is unlike any other line of coverage. There is no standardization. Each of the hundreds of products in the marketplace has its own insurer-drafted terms and conditions that vary dramatically from insurer to insurer—and even between policies underwritten by the same insurer. Obtaining coverage litigation counsel with substantial cyber insurance expertise will assist an organization on a number of fronts.

Importantly, it will give the organization unique access to compelling arguments based upon the context, history, evolution and intent of this line of insurance product. Likewise, during the discovery phase, coverage counsel with unique knowledge and experience is positioned to ask for and obtain the particular information and evidence that can make or break the case—and will be able to do so in a relatively efficient manner. In addition to creating solid ammunition for trial, effective discovery often leads to successful summary judgment rulings, which, at a minimum, streamline the case in a cost-effective manner and limit the issues that ultimately go to a jury.

Likewise, counsel familiar with all of the many different insurer-drafted forms as they have evolved over time will give the organization key access to arguments based upon both obvious and subtle differences among the many different policy wordings, including the particular language in the organization’s policy. Often in coverage disputes, the multimillion-dollar result comes down to a few words, the sequence of a few words, or even the position of a comma or other punctuation.

Following these five strategies and refusing to take “no” for an answer will increase the odds of securing valuable coverage.

Does CGL Cover for Data Breach?

In a highly anticipated May 26 decision, the Connecticut Supreme Court ruled that two commercial general liability (CGL) insurers, Federal Insurance and Scottsdale Insurance, are not required to cover losses in connection with the mysterious disappearance of computer tapes containing employment-related data, including Social Security numbers, of approximately 500,000 current and former IBM employees in Recall Total Information Management, Inc. v. Federal Ins. Co.[1] Although the insurers in Recall Total won this particular battle, Recall Total’s value as precedent, and as insurer ammunition in their war against data breach coverage under CGL policies, is severely limited by a highly unusual fact pattern. Recall Total can reasonably be read to assist insureds facing more typical kinds of data breaches, like the Target breach and many others.

Below is a brief summary of the facts, the key coverage issue, the ruling and five takeaways.

The Facts

The facts of Recall Total are unusual, to say the least: The computer tapes at issue, which belonged to IBM, fell off the back of a transportation subcontractor’s van near a highway exit ramp.[2] About 130 of the tapes were then removed from the roadside by an unknown person and never recovered.[3]

In the wake of this highway misadventure, IBM incurred more than $6 million in expenses to address the incident, including notification, call center services and credit monitoring.[4] IBM sought indemnification from its vendor, Recall Total Information Management (Recall), which had contracted with IBM to transport off-site and store the computer tapes at issue.[5] Recall settled with IBM and, in turn, sought indemnification from its transportation subcontractor, Executive Logistics (Ex Log), which lost the tapes after they fell off its van during transit. Ex Log agreed to pay more than $6.4 million to Recall and assigned to Recall its rights under a $2 million primary CGL policy and a $5 million umbrella policy following a coverage tender and denial.[6] Ex Log and Recall then initiated coverage litigation.[7]

Key Coverage Issue: Was There a “Publication”?

Ex Log’s CGL policy at issue, similar to the current ISO standard form CGL policy,[8] states in relevant part that the insurer “will pay damages that the insured becomes legally obligated to pay … for … personal injury.”[9] The policy defines the key term “personal injury” to include “injury … caused by an offense of … electronic, oral, written or other publication of material that … violates a person’s right to privacy.”[10]

The Ruling

The intermediate appellate court, in a decision adopted by the Connecticut Supreme Court, appeared ready to find, or at least was not averse to finding, “publication” satisfied if there was any evidence of access to the data. Based upon the unique facts, however, the intermediate appellate court determined that the “publication” requirement was not satisfied because there was no evidence that the data on the tapes, which could not be read by a personal computer, “was ever accessed by anyone”[11] — let alone used for “any improper purpose.”[12]

As the intermediate appellate court stated, there was not even any evidence that the party who took the tapes “even recognized that the tapes contained personal information.”[13] Under these unique facts, and the fact that no IBM employee had suffered any injury, the court determined that it was “unable to infer that there has been a publication” and concluded that “[a]s the complaint and affidavits are entirely devoid of facts suggesting that the personal information actually was accessed, there has been no publication.”[14]

In a brief per curiam opinion, the Connecticut Supreme Court affirmed on the basis that there was no “publication,” noting that “[t]here is no evidence that anyone ever accessed the information on the tapes or that their loss caused injury to any IBM employee.”[15]

Takeaways

  1. The “Access” Lacking in Recall Total Is Present in Many Data Breach Cases

Recall Total is of limited utility to insurers seeking to avoid CGL coverage for data breaches given its peculiar factual setting. As the decision makes abundantly clear, it hinged on the fact that there was no evidence of access to the sensitive data. In fact, there was no evidence that the data could be accessed — or even that the party who took the tapes was aware that they contained sensitive data. This is in stark contrast to a typical data breach fact pattern, in which there is no question that sensitive information was accessed. In breaches like Target, and innumerable others, information is specifically identified and targeted by the actors taking it, and then used for criminal activity. In those cases, there is abundant evidence that the data in question was accessed.

  2. Other Courts Have Found the CGL “Publication” Requirement Satisfied Without Proof of “Access” in the Data Breach Context

Although “access” to data may be required under Connecticut law, courts in other jurisdictions have appropriately determined that the CGL “publication” requirement can be satisfied without proof that data was accessed. In one recent case involving the alleged posting of confidential medical records on the Internet, for example, the Eastern District of Virginia determined that “publication” does not require proof of “access”:

“[T]he issue is not whether a third party accessed the information because the definition of “publication” does not hinge on third-party access. Publication occurs when information is “placed before the public,” not when a member of the public reads the information placed before it. By Travelers’ logic, a book that is bound and placed on the shelves of Barnes & Noble is not “published” until a customer takes the book off the shelf and reads it.”[16]

The bottom line: access to data storage devices alone, including laptops, may suffice to satisfy the “publication” requirement in other jurisdictions — and even in Connecticut under a different set of facts.

  3. Insureds Must Be Prepared to Fight to Secure CGL Coverage

The insurance industry has made it abundantly clear that it does not want to cover “cyber” and data privacy-related exposures under CGL policies. Although there is potentially valuable coverage under CGL policies, insureds should expect that they will need to fight to secure it. Insurers routinely assert, among other things, that there has been no “publication” of data. The good news is that if insureds decide to fight for coverage, they may well prevail. Many courts have upheld coverage for data breaches and other claims alleging violations of privacy rights in a variety of settings.[17]

  4. Insureds Should Be Aware of New CGL “Data Breach” Exclusions

Insurance Services Office (ISO), the insurance organization responsible for drafting standard-form CGL language, recently promulgated a series of data breach exclusionary endorsements.[18] The exclusions became effective in most states in May 2014 and began appearing on new placements and renewals, in various forms, almost immediately.[19] Although it is important to be aware of new, potentially limiting, coverage terms, it also is important to recognize that the applicable policy in a data breach situation — where breaches often are discovered long after the “occurrence” that triggers coverage — may predate the newer exclusions. Where policies do contain the newer exclusions, insureds should not assume that they necessarily void coverage. Coverage will depend on myriad factors, including the particular facts of the case, specific policy language and applicable law.

The very existence of the exclusions, moreover, illustrates the insurance industry’s awareness that there is valuable potential data breach coverage under CGL policies. Indeed, when ISO filed the newer exclusions, it acknowledged that there currently may be coverage for data breaches under CGL policies and advised that the new exclusions may be a “reduction in personal and advertising injury coverage”:

“At the time the ISO CGL and CLU policies were developed, certain hacking activities or data breaches were not prevalent, and, therefore, coverages related to the access to or disclosure of personal or confidential information and associated with such events were not necessarily contemplated under the policy. As the exposures to data breaches increased over time, stand-alone policies started to become available in the marketplace to provide certain coverage with respect to data breach and access to or disclosure of confidential or personal information. . . . To the extent that any access or disclosure of confidential or personal information results in an oral or written publication that violates a person’s right of privacy, this revision may be considered a reduction in personal and advertising injury coverage.”[20]

The implication is that the insurance industry understood there was CGL data breach coverage in the absence of the new exclusions.

  1. Organizations Are Advised to Consider Cyber Insurance

Given the insurance industry’s clear indication that it does not want to cover data breaches under CGL policies, organizations are advised to consider purchasing cyber insurance. In addition to providing defense and indemnity coverage in connection with claims arising out of a data breach, among many other types of cybersecurity and data privacy-related exposures, cyber policies generally cover a range of “crisis management” expenses, such as attorney “breach coach” fees, notification to potentially affected individuals, forensics, credit monitoring, call centers, ID theft protection and public relations efforts, which often are required after a breach of any consequence.

Cyber insurance coverage can be extremely valuable, but choosing the right insurance policy presents a real and significant challenge. There is a diverse and growing array of cyber products in the marketplace, each with its own insurer-drafted terms and conditions that vary dramatically from insurer to insurer—and even between policies underwritten by the same insurer. Because of the nature of the cyber insurance and the risks that it is intended to cover, a placement should include the involvement and input, not only of a capable risk management department and a knowledgeable insurance broker, but also of in-house legal counsel, information technology professionals and compliance personnel, among other key internal players — and insurance coverage counsel well-versed in this challenging and dynamic line of coverage.

[1] — A.3d —-, 2015 WL 2371957 (Conn. May 26, 2015), aff’g 83 A.3d 664 (Conn. App. Ct. 2014).

[2] Recall Total, 83 A.3d at 667.

[3] Id.

[4] Id. at 668.

[5] Id.

[6] Id.

[7] Id.

[8] The current standard industry form states that the insurer “will pay those sums that the insured becomes legally obligated to pay as damages because of ‘personal and advertising injury,’” which is defined to include “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy.” ISO Form CG 00 01 04 13 (2012), Section I, Coverage B, §1.a., §14.e.

[9] Recall Total, 83 A.3d at 672.

[10] Id.

[11] Id. at 673.

[12] Id.

[13] Id. at n.9 (emphasis added).

[14] Id. at 672 (emphasis added).

[15] Recall Total, 2015 WL 2371957, at *1.

[16] Travelers Indem. Co. of America v. Portal Healthcare Solutions, LLC, 35 F.Supp.3d 765, 771 (2014).

[17] See, e.g., Hartford Cas. Ins. Co. v. Corcino & Assocs., 2013 WL 5687527, at *2 (C.D. Cal. Oct. 7, 2013) (upholding coverage in a data breach case for statutory damages of $1,000 per person under the CMIA and statutory damages of as much as $10,000 per person under the California Lanterman-Petris-Short Act under a policy that covered damages that the insured was “legally obligated to pay as damages because of … electronic publication of material that violates a person’s right of privacy”).

[18] One of the exclusionary endorsements, entitled “Exclusion – Access Or Disclosure Of Confidential Or Personal Information,” adds the following exclusion to the standard form CGL primary policy:

This insurance does not apply to:

Access Or Disclosure Of Confidential Or Personal Information

“Personal and advertising injury” arising out of any access to or disclosure of any person’s or organization’s confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of non public information.

This exclusion applies even if damages are claimed for notification costs, credit monitoring expenses, forensic expenses, public relations expenses or any other loss, cost or expense incurred by you or others arising out of any access to or disclosure of any person’s or organization’s confidential or personal information.

CG 21 08 05 14 (2013).

[19] See Roberta Anderson, “Coming To A CGL Policy Near You: Data Breach Exclusions,” Law360, April 23, 2014.

[20] ISO Commercial Lines Forms Filing CL-2013-0DBFR, at pp. 3, 7-8 (emphasis added).

The Devil Is in the Details of Cyber

There’s a tempest amid the recent spring shower of cyber insurance cases. It isn’t the Recall Total case,[1] or the Travelers v. Federal Recovery Services case reported the week before.[2] Although those two cases have garnered a great deal of media and other attention from those seeking, and seeking to provide, guidance surrounding insurance coverage for cybersecurity and data privacy-related liability, those cases are, by and large, relatively insignificant.

The tempest case is Columbia Casualty Company v. Cottage Health System.[3] In Columbia Casualty, CNA’s non-admitted insurer, Columbia Casualty, seeks to avoid coverage under a cyber insurance policy for the defense and settlement of a data breach class action lawsuit. This is one of the first cyber/data privacy disputes under a cyber insurance policy that has resulted in litigation.

Columbia Casualty warrants close attention by any organization that currently purchases, or is considering purchasing, cyber insurance, as well as by those insurance intermediaries, outside coverage counsel and other parties who seek to capably assist organizations in this complex area. Irrespective of the ultimate merits of CNA’s coverage positions, Columbia Casualty illustrates that the devil is in the details when placing cyber insurance coverage. Although this type of coverage can be extremely valuable, and is likely to soon become a nondiscretionary purchase for many, if not most, organizations, it is particularly challenging to place successfully.

Below is a factual summary of the Columbia Casualty case, a summary of the coverage issues and some takeaway thoughts for avoiding the two important potential coverage issues highlighted by the case: (1) broad exclusions relating to cybersecurity/data protection practices and (2) the misrepresentation defense.

The Facts

Underlying Data Breach Litigation and Regulatory Investigation

Columbia Casualty arises out of a data breach incident that resulted in the release of private electronic healthcare patient information stored on network servers owned, maintained or used by the insured, Cottage Health System (Cottage).[4]

In the wake of the breach, Cottage faced a putative class action lawsuit alleging that “the confidential medical records of approximately 32,500 patients at the hospitals affiliated with [Cottage] were negligently disclosed and released to the public on the Internet.”[5] The lawsuit sought damages for alleged violation of California’s Confidentiality of Medical Information Act.[6]

The lawsuit settled in April 2015 for $4.1 million.[7] Cottage’s cyber insurer, CNA, funded the settlement pursuant to a reservation of rights.[8]

Following the settlement of the data breach lawsuit, CNA filed its coverage litigation, in which CNA seeks declarations of non-coverage. In particular, CNA seeks declarations both that it: (1) “is not obligated to provide Cottage with a defense or indemnification in connection with any and all claims stemming from the data breach,”[9] and (2) is entitled “to reimbursement in full from Cottage for any and all attorney’s fees or related costs or expenses … in connection with the defense and settlement of the class action lawsuit and any related proceedings.”[10]

The Cyber Insurance Policy

CNA issued to Cottage its NetProtect360 cyber insurance policy with limits of $10 million.[11] The policy provides coverage for, among other things, “privacy injury claims.”[12] Based on CNA’s complaint, there is no dispute as to whether the data breach lawsuit triggers the policy coverage. Those familiar with the off-the-shelf NetProtect360 policy form likely would agree that it does. And CNA does not allege otherwise.

The Coverage Issues

CNA denies coverage for the defense and settlement of the data breach lawsuit on two principal bases, which are discussed in turn.

Exclusion for “Failure to Follow Minimum Required Practices”

CNA relies upon an exclusion in the NetProtect360 policy, titled “Failure to Follow Minimum Required Practices,” which states:

Whether in connection with any First Party Coverage or any Liability Coverage, the Insurer shall not be liable to pay any Loss:

  • Failure to Follow Minimum Required Practices based upon, directly or indirectly arising out of, or in any way involving:
  • Any failure of an Insured to continuously implement the procedures and risk controls identified in the Insured’s application for this Insurance and all related information submitted to the Insurer in conjunction with such application whether orally or in writing;…[13]

Citing this exclusion, CNA alleges that coverage is precluded because its insured purportedly failed to do certain things relating to various aspects of network and computer security. In particular, CNA alleges that its insured failed to “continuously implement the procedures and risk controls identified in its application,” to “regularly check and maintain security patches on its systems” and to “enhance risk controls,” among a host of “other things”:

  1. Upon information and belief, the data breach at issue in the Underlying Action and the DOJ Proceeding was caused as a result of File Transfer Protocol[14] settings on Cottage’s internet servers that permitted anonymous user access, thereby allowing electronic personal health information to become available to the public via Google’s internet search engine.
  2. Upon information and belief, the data breach at issue in the Underlying Action and the DOJ Proceeding was caused by Cottage’s failure to continuously implement the procedures and risk controls identified in its application, including, but not limited to, its failure to replace factory default settings, its failure to ensure that its information security systems were securely configured, among other things.
  3. Upon information and belief, the data breach at issue in the Underlying Action and the DOJ Proceeding was caused by Cottage’s failure to regularly check and maintain security patches on its systems, its failure to regularly re-assess its information security exposure and enhance risk controls, its failure to have a system in place to detect unauthorized access or attempts to access sensitive information stored on its servers and its failure to control and track all changes to its network to ensure it remains secure, among other things.
  4. Accordingly, Columbia is entitled to a declaration that it is not obligated to defend or indemnify Cottage in connection with the Underlying Action or the DOJ Proceeding and that coverage for the claims and potential damages at issue in the Underlying Action and the DOJ Proceeding is precluded pursuant to the Columbia Policy’s “Failure to Follow Minimum Required Practices” exclusion.[15]

CNA does not allege that its insured acted willfully, that it acted recklessly or even that it was grossly negligent.

The Misrepresentation Defense

In support of its misrepresentation defense, CNA relies principally upon the “Application” condition in the policy, which states, among other things, that the insurance policy “shall be null and void if the Application contains any misrepresentation or omission … which materially affects either the acceptance of the risk”:

  1. Application
  • The Insureds represent and acknowledge that the statements contained on the Declarations and in the Application, and any materials submitted or required to be submitted therewith (all of which shall be maintained on file by the Insurer and be deemed attached to and incorporated into this Policy as if physically attached), are the Insured’s representations, are true and: (i) are the basis of this Policy and are to be considered as incorporated into and constituting a part of this Policy; and (ii) shall be deemed material to the acceptance of this risk or the hazard assumed by the Insurer under this Policy. This Policy is issued in reliance upon the truth of such representations.
  • This Policy shall be null and void if the Application contains any misrepresentation or omission:
  • made with the intent to deceive, or
  • which materially affects either the acceptance of the risk or the hazard assumed by the Insurer under the Policy.[16]

Citing this condition, CNA alleges that it is entitled to a declaration of non-coverage because its insured’s “application for coverage … contained misrepresentations and/or omissions of material fact” relating to its purported “failure to maintain the risk controls identified in its application”:

  1. The Columbia Policy’s “Application” condition provides that the Columbia Policy “shall be null and void if the Application contains any misrepresentation or omission: a. made with the intent to deceive, or b. which materially affects either the acceptance of the risk or the hazard assumed by the Insurer under the Policy.”
  2. The Columbia Policy’s “Minimum Required Practices” condition provides that, as a “condition precedent to coverage,” Cottage warrants that it shall “maintain all risk controls identified in the Insured’s Application and any supplemental information provided by the Insured in conjunction with Insured’s Application for this Policy.”
  3. Upon information and belief, Cottage’s application for coverage under the Columbia Policy contained misrepresentations and/or omissions of material fact that were made negligently or with intent to deceive concerning Cottage’s data breach risk controls.
  4. Upon information and belief, the data breach at issue in the Underlying Action and the DOJ Proceeding was caused by Cottage’s failure to maintain the risk controls identified in its application, including, but not limited to, its failure to replace factory default settings to ensure that its information security systems were securely configured.
  5. Accordingly, Columbia is entitled to a declaration that it is not obligated to defend or indemnify Cottage in connection with the Underlying Action or the DOJ Proceeding based on Cottage’s breaches of the Columbia Policy’s “Application” and “Minimum Required Practices” conditions.[17]

Again, note that CNA seeks to avoid coverage even to the extent its insured’s alleged misrepresentations or omissions “were made negligently.”

The Takeaway Tips

  1. Beware Of Broadly Worded Cybersecurity/Data Protection Exclusions

The California Court in Columbia Casualty should reject outright CNA’s attempt to avoid coverage based on a ridiculously broadly worded, open-ended exclusion, which, if enforced literally as interpreted by CNA, would largely, if not entirely, vaporize the coverage that CNA sold under the NetProtect360 policy. For starters, exclusions are to be read narrowly against CNA under established rules of insurance policy construction,[18] and broad exclusions that would render coverage illusory are not permitted in California[19] or elsewhere.[20] Nor is the exclusion, as interpreted by CNA, consistent with an insured’s reasonable expectations concerning the coverage afforded under the NetProtect360 policy,[21] which, as represented by CNA in its marketing materials, offers “exceptional first- and third-party cyber liability coverage to address a broad range of exposures,” including “security breaches” and “mistakes”:

Cyber Liability and CNA NetProtect Products

CNA NetProtect fills the gaps by offering exceptional first- and third-party cyber liability coverage to address a broad range of exposures. CNA NetProtect covers insureds for exposures that include security breaches, mistakes and unauthorized employee acts, virus attacks, hacking, identity theft or private information loss and infringing or disparaging content. CNA NetProtect coverage is worldwide, claims-made with limits up to $10 million.[22]

To be sure, the fact that any insured reasonably can be expected to make mistakes, i.e., to be negligent, in the complex areas of cybersecurity and data protection is a principal reason for purchasing cyber liability coverage.

Putting aside the merits of CNA’s contentions, the type of “Failure to Follow Minimum Required Practices” exclusion found in the off-the-shelf NetProtect360 policy is regrettably common and, as Columbia Casualty illustrates, may be read by insurers to significantly undermine, if not completely vitiate, coverage, requiring insureds to become engaged in coverage litigation as a predicate to obtaining coverage.

The good news is that, although certain types of exclusions are unrealistic given the nature of the risk an insured is attempting to insure against, cyber insurance policies are highly negotiable. It is possible to cripple inappropriate exclusions by appropriately curtailing them, or to entirely eliminate them — and often this does not cost additional premium.

  2. Guard Against a Misrepresentation Defense

We have seen it in the D&O context for years, and it’s coming to cyber: the insurer’s misrepresentation/concealment defense. Provisions like the ones that CNA relies upon in Columbia Casualty are contained in some form in the majority of insurance applications and policies. And, while certainly not unique to cyber insurance, these types of provisions can be more troubling in the cyber context because of the subject matter being insured. Cyber insurance applications can, and usually do, contain myriad questions concerning an organization’s cybersecurity and data protection practices, seeking detailed information surrounding technical, complex subject matter. These questions are often answered by technical specialists, moreover, who may not appreciate the nuances and idiosyncrasies of insurance coverage law, such as the fact that, depending upon applicable law, there is a risk that an unintentional misrepresentation may suffice to allow an insurer to deny coverage.[23]

So what can be done? One line of attack is to negotiate significantly better policy terms relating to the application and misrepresentation. Another worthwhile strategy is to have coverage counsel involved in the application process. It often makes sense for coverage counsel to engage outside computer security consultants to assist with the application process. The application process can be valuable, shining a spotlight on current cybersecurity risk management practices that may reveal potential weaknesses that should be addressed. But, clearly, managing the process with an eye toward potential future claims is advisable. The CNA case illustrates the importance of embracing a cohesive, team approach and being mindful of potential future coverage disputes when placing this type of coverage.


[1] Recall Total Info. Mgmt., Inc. v. Federal Ins. Co., — A.3d —-, 2015 WL 2371957 (Conn. May 26, 2015).

[2] Travelers Prop. Cas. Co. of Am., et al. v. Federal Recovery Servs., Inc., et al., No. 2:14-CV-170 TS (D. Utah May 11, 2015).

[3] No. 2:15-cv-03432 (C.D. Cal.) (filed May 7, 2015).

[4] See CNA Complaint For Declaratory Judgment And Reimbursement, ¶¶2-3. Cottage operates a network of hospitals located in Southern California. See id.

[5] Kenneth Rice, et al. v. INSYNC, Cottage Health Sys., et al., Case No. 30-2014-00701147-CU-NP-CJC (Cal. Super. Ct. Jan. 27, 2014), ¶1.

[6] Id. ¶¶68, 80.

According to CNA’s complaint, Cottage also faces an ongoing investigation by the California Department of Justice regarding potential HIPAA violations. See Complaint For Declaratory Judgment And Reimbursement, ¶¶6, 22. In its declaratory judgment action, CNA also disclaims coverage for this proceeding. See CNA Complaint For Declaratory Judgment And Reimbursement, ¶¶46-49.

[7] See Order Granting Final Approval of Proposed Class Action Settlement and Judgment (Apr. 15, 2015), Findings in Support of Final Settlement Approval ¶2.B.; see also Class Action Settlement And Release Agreement, § 3.1.

[8] See CNA Complaint For Declaratory Judgment And Reimbursement, ¶5.

[9] Id. ¶8.

[10] Id. ¶9.

[11] Id. ¶¶22-23.

[12] Id. ¶25.

[13] Id. ¶26. A separate policy “condition” states as follows:

  1. Minimum Required Practices

The Insured warrants, as a condition precedent to coverage under this Policy, that it shall:

  1. follow the Minimum Required Practices that are listed in the Minimum Required Practices endorsement as a condition of coverage under this policy, and
  2. maintain all risk controls identified in the Insured’s Application and any supplemental information provided by the Insured in conjunction with Insured’s Application for this Policy.

Id. ¶27.

[14] File Transfer Protocol (FTP) is used to transfer files between computers on a network.

[15] Id. ¶¶41-44 (footnote reference and emphasis added).

[16] Id. ¶27. CNA also cites to a “Warranty” provision in the insurance application, stating as follows:

Applicant hereby declares after inquiry, that the information contained herein and in any supplemental applications or forms required hereby, are true, accurate and complete, and that no material facts have been suppressed or misstated. Applicant acknowledges a continuing obligation to report to the CNA Company to whom this Application is made (“the Company”) as soon as practicable any material changes…all such information, after signing the application and prior to issuance of this policy, and acknowledges that the Company shall have the right to withdraw or modify any outstanding quotations and/or authorization or agreement to bind the insurance based upon such changes.

Further, Applicant understands and acknowledges that:

2) If a policy is issued, the Company will have relied upon, as representations, this application, any supplemental applications and any other statements furnished to this Company in conjunction with this application.

3) All supplemental applications, statements and other materials furnished to the Company in conjunction with this application are hereby incorporated by reference into this application and made a part thereof.

4) This application will be the basis of the contract and will be incorporated by reference into and made a part of such policy.

Id. ¶31.

[17] Id. ¶¶51-55 (emphasis added).

[18] See, e.g., 2 Couch on Insurance § 22:31 (“the rule is that, such terms are strictly construed against the insurer where they are of uncertain import or reasonably susceptible of a double construction, or negate coverage provided elsewhere in the policy”); see also 17A Couch on Insurance § 254:12 (“The insurer bears the burden of proving the applicability of policy exclusions and limitations or other types of affirmative defenses.”).

[19] See, e.g., Armstrong World Indus., Inc. v. Aetna Cas. & Sur. Co., 52 Cal. Rptr. 2d 690, 705 (Cal. Ct. App. 1996) (rejecting the insurers’ approach where “the insurers’ approach would essentially render the asbestos manufacturers’ insurance coverage illusory”).

[20] See, e.g., Allan D. Windt, 2 Insurance Claims and Disputes § 6:2 (6th ed. updated Mar. 2015) (“a court will not allow an exclusion to eliminate coverage that is expressly and specifically provided for in the same policy form. More generally stated, a policy will not be interpreted to create illusory coverage. For example, in the context of analyzing the absolute pollution exclusion, discussed in § 11:11, some courts have refused to apply the exclusion as written based upon what was, in effect, the conclusion that the exclusion would cause the coverage to be illusory.”).

[21] See, e.g., 2 Couch on Insurance § 22:11 (“the rule is that the objectively reasonable expectations of applicants and intended beneficiaries regarding the terms of insurance contracts will be honored even though a painstaking study of the insurance provisions would have negated those expectations”).

[22] https://www.cnapro.com/html/Our_Products/OurProducts_CNANetProtect.html

[23] See, e.g., Rafi v. Rutgers Cas. Ins. Co., 872 N.Y.S.2d 799 (N.Y. App. Div. 2009) (“although misrepresentations made by an insured must be material, they may be innocently or unintentionally made”).

5 Takeaways From First Cyber Case

On May 11, 2015, in a case that is being widely celebrated as one of the first coverage rulings involving a “cyber” insurance policy, a federal court ruled that Travelers has no duty to defend its insured in Travelers Property Casualty Company of America, et al. v. Federal Recovery Services, Inc., et al.

Although the Travelers case does not involve cyber-specific coverage issues, the case nonetheless carries some important takeaways for insureds, insurers and many other interested spectators.

Here is a brief summary of the ruling and five key takeaways:

The Facts

The insured, Federal Recovery, was in the business of providing processing, storage, transmission and other handling of electronic data for its customers, including Global Fitness. In particular, Federal Recovery agreed to process Global Fitness’s gym members’ payments under a servicing retail installment agreement.

Global Fitness sued Federal Recovery, alleging that Federal Recovery wrongfully refused to return member account data to Global Fitness, including member credit card and bank account information. Global Fitness asserted claims for tortious interference, promissory estoppel, conversion, breach of contract and breach of the implied covenant of good faith and fair dealing.

The Cyber Policy

The policy at issue was a “CyberFirst” policy issued by Travelers. The policy included a technology errors and omissions liability form, which stated that Travelers “will pay those sums that [Federal Recovery] must pay as ‘damages’ because of loss … caused by an ‘errors and omissions wrongful act’….” The key term “errors and omissions wrongful act” was defined to include “any error, omission or negligent act.” In addition to covering potential damages, the Travelers policy provided defense coverage, stating that Travelers “will have the right and duty to defend [Federal Recovery] against any claim or ‘suit’ seeking damages for loss to which the insurance provided under one or more of ‘your cyber liability forms’ applies.”

Federal Recovery tendered the defense of the underlying Global action to Travelers, which initiated litigation seeking a declaration that it wasn’t required to provide coverage. Travelers argued that it did “not have a duty to defend [Federal Recovery] against the original or amended complaints in the Global action because Global [Fitness] does not allege damages from an ‘error, omission or negligent act.’”

The Coverage Disputes: Scope of Coverage and Duty to Defend

Although Travelers involves underlying cyber-related facts and a “cyber” insurance policy, the coverage issues arising out of the facts and policy certainly are not cyber-specific. Travelers’ declaratory judgment action raises two coverage disputes concerning: (1) the scope of coverage afforded by the technology errors and omissions policy at issue, as shaped by its key “wrongful act” definition; and (2) the scope of an insurer’s duty to defend under Utah law. While arising in the context of “cyber”-related facts surrounding electronic account and payment data, and under a “cyber” insurance policy, the coverage disputes at issue in the Travelers case are precisely the types of disputes that we routinely see in the context of errors and omissions and other claims-made liability coverages.

(1) The Scope of Coverage

As to the scope of coverage, errors and omissions, D&O, professional liability and other claims-made policies, like the policy at issue in the Travelers case, typically cover “wrongful acts,” a term that typically in turn is defined as “any negligent act, error or omission,” or similar language. There are scores of cases addressing whether intentional and non-negligent acts fall within or outside the purview of a covered “wrongful act.”

Unfortunately, and in contrast to other decisions, the U.S. District Court for the District of Utah in the Travelers case took a narrow view of the key language, ruling that “[t]o trigger Travelers’ duty to defend, there must be allegations in the [underlying] action that sound in negligence.” The court further found that there were “no such allegations.”

In contrast, other courts have appropriately upheld coverage for various types of intentional and non-negligent conduct under errors and omissions and other claims-made policies. As one commentator has summarized:

Claims-made policies typically afford coverage for claims by reason of any “negligent act, error or omission.” What if an insured is held liable for a non-negligent act? Most courts have held that the insured is still entitled to coverage. The strongest argument in favor of that conclusion is that (i) an “error” or “omission” encompasses more than negligent conduct, and (ii) if only negligent errors and negligent omissions were covered, the “error or omission” language would be rendered redundant.

To the extent some may wish to reference other cases addressing cyber-related fact patterns, those cases exist. For example, in 1995, the Supreme Judicial Court of Massachusetts in USM Corp. v. First State Ins. Co.[10] upheld coverage under an errors and omissions policy for a breach of express warranty claim involving the insured’s failure to develop and deliver a turnkey computer system that would perform certain functional specifications. The errors and omissions policy at issue in the USM case, similar to the policy at issue in the Travelers case, covered claims against the insured “by reason of any negligent act, error or omission.” Also, the insurers in USM, like the insurers in Travelers, argued that the policy only covered the insured for negligent acts. The USM court rejected the insurers’ arguments, noting that courts have not limited coverage under errors and omissions policies to circumstances involving negligence:

Other courts have not limited liability under “errors and omissions” policies to circumstances involving negligence but have recognized certain non-negligent errors as being within the coverage afforded. Cases involving the words such as “negligent act, error or omission” (the crucial language of the policies before us) have not consistently determined that an error must be a negligent one if coverage is to be available.

***

Because some, but not all, judicial opinions have rejected the interpretation of errors and omissions policies for which the insurers contend, if it was the insurers’ intention, the crucial words of the policy should have been amended to eliminate the ambiguity and to make clear that coverage extended only to negligent errors. Potential policyholders could then have more accurately determined whether such coverage met their needs.

Because of the uncertainty about the scope of the word “error,” the insurers as authors of the policies must suffer the consequences of the ambiguity.

The New York Appellate Division’s decision in Volney Residence, Inc. v. Atlantic Mut. Ins. Co. is likewise instructive. In that case, the Appellate Division held that the insurer had a duty to defend a federal RICO action in which the insured defendants “were alleged intentionally to have committed acts of self-dealing and fraud.” Applying well-established rules of contract interpretation, the court ruled that there was a duty to defend:

The policy provision in question covers claims arising from “a negligent act, error or omission,” which term is defined as “any negligent act, error or omission or breach of duty of [the] directors or officers while acting in their capacity as such.” The definition is susceptible of more than one meaning and can be understood to cover any breach of duty of the directors or officers, not exclusively negligent breaches of duty. Ambiguities in an insurance policy are to be resolved against the insurer.

Other cases are to the same effect.

(2) Scope of the Duty to Defend

Turning to the separate issue of the duty to defend, it is well established that the duty to defend is very broad—broader than the duty to indemnify. The duty to defend is typically triggered if there is some potential for coverage, and, in many jurisdictions, it is appropriate to look outside the facts pled in the underlying complaint to determine whether there is a duty to defend. Again, unfortunately, the court in the Travelers case took a narrow view of the insurer’s duty to defend. Even assuming for the sake of argument that the policy covered only negligence, the underlying complaint alleged, among other things, that Federal Recovery “retained possession of member accounts data, including the billing data, which was the property of Global Fitness ….” Allegations surrounding improper retention of data, even if that retention ultimately was wrongful or not legally justifiable, clearly may arise out of negligence as opposed to intentional conduct.

Travelers Takeaways

Putting aside the ultimate merits of the court’s ruling, and whether this case addresses any coverage issues that are appropriately characterized as “cyber” issues, Travelers offers at least five key takeaways:

First, Travelers illustrates that decisions involving cyber insurance policies are coming and, considering all of the attention and buzz surrounding an otherwise seemingly mundane errors and omissions case, insureds and insurers alike are anxiously awaiting and anticipating the guidance those decisions may provide.

Second, Travelers underscores that the types of coverage disputes that we will see arise out of cyber-related facts and, under cyber insurance policies, often will involve, or at least will intertwine with, the types of disputes that routinely arise in connection with traditional insurance coverages, including errors and omissions coverage and general liability coverage. This is useful for insureds to appreciate toward the goal of being prepared for future potential coverage disputes under cyber policies.

Third, Travelers underscores the importance of securing a favorable choice of forum and choice of law in insurance coverage disputes. Until the governing law applicable to an insurance contract—cyber or otherwise—is established, the policy can be, in a figurative and yet a very real sense, a blank piece of paper.

Fourth, although its label as a first cyber case is debatable, Travelers at a minimum has spotlighted the approaching disputes under cyber liability policies, which should remind insureds of the need to be prepared for, in addition to the traditional types of coverage issues and disputes that can arise under those policies, the potential cyber-specific coverage issues and disputes that may arise, such as the scope of coverage for “cloud”-related exposures.

Fifth, Travelers illustrates the importance of obtaining the best possible policy cyber language at the initial coverage placement and renewal stage. Unlike some types of traditional insurance policies, cyber policies are extremely negotiable, and the insurer’s off-the-shelf language can often be significantly negotiated and improved—often for no increase in premium. It is important for the insured to understand its unique potential risk profile and exposure—and what to ask for from the insurer.

Often in coverage disputes, the issue of coverage comes down to a few words, the sequence of a few words or even the position of a comma or other punctuation. It is important to get the policy language right before a dispute. And while the Travelers case addresses coverage issues that are not cyber-specific, the fundamentals of successfully pursuing coverage under traditional insurance coverage are important to keep in mind as we enter a time and space in which coverage disputes based on underlying cyber-related factual scenarios, and under specialized cyber insurance coverages, are poised to become commonplace.