It is critical for companies to understand the scope of their cyber-insurance coverage. Given the increasing number of cyber-related losses that companies are experiencing (e.g., data breaches, loss of customer information, etc.), most companies will soon face the question of whether such losses are covered by their cyber-insurance policy.
Several high-profile cases have recently addressed this question. The first is Recall Total Information Management, Inc. v. Federal Insurance Company, 2015 WL 2371957 (Conn. May 26, 2015), where a company was transporting computer tapes in a van and the tapes fell out of the back of the van. The tapes contained the personal information of approximately 500,000 IBM employees. Fortunately, the data was encrypted and required specialized equipment to access. IBM spent around $6 million in mitigation costs, which it sought to recover from the transport company.
The transport company did not have cyber-insurance, so it instead sought coverage under its commercial general liability (CGL) policy. The Connecticut Supreme Court held that there was no coverage under the CGL policy because there had not been any “personal injury,” as that term was defined in the policy. It reasoned that there had been no showing that anyone had actually accessed the data on the tapes, and that the $6 million in mitigation costs that IBM incurred did not constitute a “personal injury” under the policy.
The takeaway from Recall Total is that companies should not expect their general insurance policies (whether CGL, E&O, or D&O) to protect them from cyber-related losses. Instead, they should procure specific cyber-insurance to protect against losses like the ones in the Recall case.
A second recent decision is Travelers v. Federal Recovery Acceptance, Inc., Case No. 2:14-CV-170 (D. Utah May 11, 2015). This case was hailed by some observers as the first “cyber-insurance case.”
In Federal Recovery, a data processing company, Federal Recovery Acceptance (FRA), purchased cyber-insurance from Travelers. FRA later sought coverage in response to a suit by a fitness company (Global Fitness), which had provided its customer information to FRA for processing. When Global Fitness later entered into a sale transaction with another company, it asked FRA to return all of its customer information. FRA refused, claiming that Global Fitness owed it money.
Presumably because the customer information was maintained in a digital format, FRA tendered the suit to its insurer (Travelers) under its cyber-insurance policy. While the cyber policy provided coverage for losses caused by a negligent act, the court held that the policy was not triggered because the underlying suit alleged that FRA was intentionally withholding the customer information, not that it had acted negligently.
The takeaway from Federal Recovery is that it is important to understand the scope of coverage under your cyber-insurance policy. Given that such policies are a relatively new product being offered by insurers, many of the provisions affecting the scope of coverage can be negotiated to match an insured’s risks.
An important pending case to watch is Columbia Casualty Company v. Cottage Health Systems, which was filed on May 7, 2015, in the Central District of California (2:15-cv-03432-DDP-AGR). Cottage Health Systems was sued for a data breach, part of which may have been caused by one of its third-party vendors. Pursuant to Cottage Health’s cyber-insurance policy, Cottage Health tendered the lawsuit to its insurer (Columbia). Columbia paid for the costs to defend and settle the lawsuit, and later sought reimbursement from Cottage Health via a declaratory judgment action.
In its complaint, Columbia claims that coverage is barred by an exclusion in Cottage Health’s cyber-insurance policy that excludes coverage where the insured fails to continuously implement the risk controls identified in its cyber-insurance application. According to Columbia, Cottage Health indicated in its application that it had certain procedures in place to protect against such data breaches, but that the data breach at issue was caused by Cottage Health’s failure to maintain those procedures.
There are several important takeaways from this case. First, companies should make sure they understand the risks associated with including such “best practices” exclusions in their cyber-insurance policies, and should negotiate such exclusions on the front end. Otherwise, the same acts or omissions for which they are seeking coverage may trigger the exclusion: a lapse in the very controls described in the application can both cause the breach and void coverage for it. For the same reason, the statements a company makes in its application about the controls it has in place should be accurate and kept current by the people who actually operate those controls. Second, companies entrusting personal information to third-party vendors should ensure that such vendors have appropriate cyber-insurance, and should require such vendors to provide indemnification for data breaches caused by the vendor.
(Note: On July 17, 2015, the court dismissed this case without prejudice, so that the parties can pursue alternative dispute resolution (ADR) as required by the terms of the policy. If ADR is unsuccessful, the case will likely be reactivated.)
As these cases demonstrate, it is important for companies to procure proper insurance coverage to protect against cyber-related losses. Companies should not rely on their general insurance policies to protect them from these losses, and should make sure that they understand what their cyber policies (and the cyber policies of their vendors) do and do not cover. Moreover, companies should carefully consider and understand any applicable exclusions, and negotiate those exclusions to match their risk.