5 takeaways from the first cyber insurance case

By Roberta Anderson on May 14, 2015

gavel-lawbooksOn May 11, in a case being widely celebrated as the first–or at least one of the first–coverage rulings involving a “cyber” insurance policy, a federal court ruled that Travelers has no duty to defend its insured under a “cyber” insurance policy in Travelers Property Casualty Company of America, et al. v. Federal Recovery Services, Inc., et al.

Although the Travelers case does not involve “cyber” coverage issues, the case nonetheless carries some important takeaways for insureds, insurers and many other interested spectators.

Below we offer 5 key takeaways.

The Facts

The insured, Federal Recovery, was in the business of providing processing, storage, transmission, and other handling of electronic data for its customers, including Global Fitness. In particular, Federal Recovery agreed to process Global Fitness’s gym members’ payments under a Servicing Retail Installment Agreement.

In the underlying litigation, Global Fitness brought suit against Federal Recovery alleging, essentially, that Federal Recovery wrongfully refused to return member account data to Global Fitness, including member credit card and bank account information. Global Fitness asserted claims for tortious interference, promissory estoppel, conversion, breach of contract, and breach of the implied covenant of good faith and fair dealing.

The “Cyber” Policy

Federal Recovery was insured under a “CyberFirst” policy issued by Travelers. The policy included a Technology Errors and Omissions Liability Form, which stated that Travelers “will pay those sums that [Federal Recovery] must pay as ‘damages’ because of loss … caused by an ‘errors and omissions wrongful act’….”

The key term “errors and omissions wrongful act” was defined to include “any error, omission or negligent act.” In addition to covering potential damages, the Travelers policy provided defense coverage, stating that Travelers “will have the right and duty to defend [Federal Recovery] against any claim or ‘suit’ seeking damages for loss to which the insurance provided under one or more of ‘your cyber liability forms’ applies.”

Federal Recovery tendered the defense of the suit to Travelers, which initiated coverage litigation seeking a declaration of non-coverage and arguing that it did “not have a duty to defend [Federal Recovery] against the original or amended complaints in the [underlying] action because Global [Fitness] does not allege damages from an ‘error, omission or negligent act.’”

The Coverage Disputes:  Scope Of Coverage And Duty To Defend

Although the Travelers case involves underlying cyber-related facts and a “cyber” insurance policy, the coverage issues arising out of the facts certainly are not cyber-specific.

Travelers’ declaratory judgment action raises two coverage disputes concerning: (1) the scope of coverage afforded by the technology errors and omissions policy at issue, as shaped by its key “wrongful act” definition; and (2) the scope of an insurer’s duty to defend under Utah law.  While arising in the context of “cyber”-related facts surrounding electronic account and payment data, and under a “cyber” insurance policy, the coverage disputes at issue in the Travelers case are precisely the types of disputes that we routinely see in the context of errors and omissions and other claims-made liability coverages.

(1) The Scope Of Coverage

Errors and omissions, professional liability D&O policies and other claims-made policies, like the policy in the Travelers case, typically cover “wrongful acts,” which in turn is typically defined as “any negligent act, error, or omission,” or similar verbiage.  There are scores of cases addressing whether intentional and non-negligent acts fall within the purview of a covered “wrongful act.”

Unfortunately, and in contrast to other decisions, the United States District Court for the District of Utah in the Travelers case took a narrow view of the key language, finding that “[t]o trigger Travelers’ duty to defend, there must be allegations in the [underlying] action that sound in negligence” and that there were “no such allegations.”

In contrast, other courts have appropriately upheld coverage for various types of intentional and non-negligent conduct under technology errors and omissions and other claims made policies.  As one commentator has summarized:

Claims-made policies typically afford coverage for claims by reason of any “negligent act, error or omission.”   What if an insured is held liable for a non-negligent act?  Most courts have held that the insured is still entitled to coverage.  The strongest argument in favor of that conclusion is that (i) an “error” or “omission” encompasses more than negligent conduct, and (ii) if only negligent errors and negligent omissions were covered, the “error or omission” language would be rendered redundant.

To the extent some may wish to reference other cases addressing “cyber” related fact patterns, those cases certainly exist. For example, in 1995, the Supreme Judicial Court of Massachusetts in USM Corp. v. First State Ins. Co. upheld coverage under an errors and omissions policy for a breach of express warranty claim involving the insured’s failure to develop and deliver a turnkey computer system that would perform certain functional specifications.  The errors and omissions policy in the USM case, similar to the policy in the Travelers case, covered claims against the insured “by reason of any negligent act, error or omission.”

The insurers in USM, like the insurers in Travelers, argued that the policy only covered the insured for negligent acts. The court rejected the insurers’ arguments, noting that courts have not limited coverage under the policy language to circumstances involving negligence:

Other courts have not limited liability under “errors and omissions” policies to circumstances involving negligence, but have recognized certain nonnegligent errors as being within the coverage afforded.  Cases involving the words such as “negligent act, error or omission” (the crucial language of the policies before us) have not consistently determined that an error must be a negligent one if coverage is to be available.

***

Because some, but not all, judicial opinions have rejected the interpretation of errors and omissions policies for which the insurers contend, if it was the insurers’ intention, the crucial words of the policy should have been amended to eliminate the ambiguity and to make clear that coverage extended only to negligent errors. Potential policyholders could then have more accurately determined whether such coverage met their needs.

Because of the uncertainty about the scope of the word “error,” the insurers as authors of the policies must suffer the consequences of the ambiguity.

The New York Appellate Division’s decision in Volney Residence, Inc. v. Atlantic Mut. Ins. Co. is also instructive. In that case, the Appellate Division held that the insurer had a duty to defend a federal RICO action in which the insured defendants “were alleged intentionally to have committed acts of self-dealing and fraud.”  Applying well established rules of contract interpretation, the court ruled that there was a duty to defend:

The policy provision in question covers claims arising from “a negligent act, error or omission”, which term is defined as “any negligent act, error or omission or breach of duty of [the] directors or officers while acting in their capacity as such.”  The definition is susceptible of more than one meaning and can be understood to cover any breach of duty of the directors or officers, not exclusively negligent breaches of duty.
Ambiguities in an insurance policy are to be resolved against the insurer.

Other cases are to the same effect.

(2)Scope Of The Duty To Defend

Turning to the separate issue of the duty to defend, it is important to appreciate that the duty to defend is very broad, broader than the duty to indemnify.  The duty to defend is typically triggered if there is a some potential for coverage and, in many jurisdictions, it is appropriate to look outside of the facts pled in the complaint to determine whether there is a duty to defend.

Again, unfortunately, the court in the Travelers case took a narrow view of the insurer’s duty to defend. Assuming for sake of argument that the policy covered only negligence, the underlying complaint alleged, among other things, that Federal Recovery “retained possession of Member Accounts Data, including the Billing Data, which was the property of Global Fitness ….” Allegations surrounding improper retention of data, even if the retention ultimately was not legally justifiable, clearly may arise out of negligence as opposed to intentional conduct.

The Travelers Takeaways

Putting aside the ultimate merits of the court’s ruling, and whether this case addresses any coverage issues that are appropriately characterized as “cyber” issues, Travelers offers at least five important takeaways:

First, Travelers illustrates that decisions involving “cyber” insurance policies are coming and, considering all of the attention and buzz surrounding a seemingly-mundane errors and omissions case, insureds and insurers alike are anxiously awaiting and anticipating the guidance those decisions may provide.

Second, Travelers underscores that the types of coverage disputes that we will see arise out of “cyber” related facts, and under “cyber” insurance policies, will often involve, or at least will intertwine with, the types of disputes that routinely arise in connection with “traditional” insurance coverages, including errors and omissions insurance and general liability insurance coverages.  This is useful for insureds to appreciate towards the goal of being prepared for future potential coverage disputes under “cyber” policies.

Third,  Travelers underscores the importance of securing a favorable choice of forum and law in insurance coverage disputes.  Until the governing law applicable to an insurance contract, “cyber” or not, is established, the policy can be, in a figurative yet very real sense, a blank piece of paper.

Fourth, Although its label as a first “cyber” case is debatable, Travelers at a minimum has spotlighted the approaching disputes under “cyber” liability policies, which should remind insureds of the need to be prepared for, in addition to the “traditional” types of coverage issues and disputes that can arise, potential “cyber”-specific coverage issues and disputes, such as, for example, the scope of coverage for “cloud”-related exposures.

Fifth, Travelers illustrates the importance of obtaining the best possible policy “cyber” language at the initial coverage placement and renewal stage.  Unlike some types of “traditional” insurance policies, “cyber” policies are extremely negotiable, and the insurer’s off-the-shelf language can be significantly be negotiated and improved — often for no increase in premium — if the insured understands its potential exposure and what to ask from the insurer.

Often in coverage disputes, the issue of coverage comes down to a few words, the sequence of a few words, or even the position of a comma or other punctuation.   It is important to get it right before a dispute.  And while the Travelers case addresses coverage issues that are not “cyber” specific, the fundamentals of successfully pursuing coverage under “traditional” insurance coverage are important to keep in mind as we enter a time and space in which coverage disputes based on underlying “cyber” related factual scenarios, and under specialized “cyber” insurance coverage, are poised to become commonplace.

Roberta Anderson is a partner in the Pittsburgh office of K&L Gates LLP. She has represented insureds in connection with a broad spectrum of insurance issues and disputes arising under many kinds of insurance coverages, including general liability, commercial property, business interruption, data privacy and “cyber”-liability, directors and officers (D&O), errors and omissions (E&O), and employment practices liability. In addition to assisting clients in maximizing their current insurance assets, Anderson provides strategic advice on complex underwriting and risk management issues, including the drafting and negotiation of data privacy, cyber liability, technology E&O, and D&O insurance coverage. Anderson can be reached at [email protected] or 412.355.6222.