It’s a familiar pattern. First, new risks inspire legislation and regulations that impose new penalties. Next, insurers and policyholders fight over whether the new liabilities are covered under traditional liability policies. Finally, insurers craft new coverages to define their obligations in the changed environment. See, e.g., DeMeo, Eldred, Utiger & Scruggs, “Insuring Against Environmental Unknowns,” 23 J. Land Use & Envtl. L. 61, 62-65 (2007). In this respect (if not in any others), the unprecedented growth of both cybersecurity exposure and the demand for cybersecurity insurance have unfolded in a predictable way. In 2015, some of the most closely-watched suits over traditional CGL policies wound down or settled, while litigation under early cyber endorsements has begun to spring up. Last Fall, the Insurance Services Office (ISO) amended its standard CGL coverage form specifically to exclude data breach liability; then, in a March 2015 press release, it unveiled a standardized cyber-liability coverage form.
The First Wave Recedes: Square Peg Litigation
The first wave of coverage litigation over claims related to cybersecurity tested the limits of policies that had been issued without specific underwriting of cybersecurity risks. Insureds typically sought coverage under GL and E&O/D&O/professional liability coverages. In many cases, the policies were written before the privacy laws and regulations that imposed the policyholder’s loss had been enacted. This first wave of litigation thus consisted of “square peg” cases—courts struggled to fit a square peg of liability into a round hole of coverage.
• In 2013, for example, in First Bank of Delaware v. Fidelity and Deposit Co. of Maryland, No. N11C-08-221 (Del. Super. Ct. Oct. 30, 2013), VISA claimed a bank was liable for a data breach, after a subcontractor that processed the bank’s credit and debit transactions was hacked, and customers’ personal identification numbers were compromised. The breach resulted in millions of dollars in unauthorized withdrawals, and it also triggered contractual indemnification issues by and among the bank, the subcontractor and VISA. Under one of the relevant contracts, VISA charged the Bank $1.5 million in cost reimbursement assessments.
The bank looked to its D&O carrier to defend and indemnify. Its policy included an “electronic risk liability’ coverage that insured against “unauthorized use of, or unauthorized access to electronic data or software with a computer system.” Coverage under that provision depended, in part on whether the hacked computer system, which belonged to the subcontractor, was “used to transact business on behalf of the [bank].” The Delaware court found that it was (at least arguably), and so that coverage was available.
Then things got complicated. The court examined whether a fraud exclusion applied, and it held that the insurer had met its burden of proving that it did. But it went on to hold that the exclusion, when applied to a data breach, would render the entire coverage grant for electronic risk liability illusory, and it therefore declined to apply the exclusion. After reargument was denied, the insurer did not pursue an appeal.
• The coverage saga of Recall Total Information Management, Inc. v. Federal Ins. Co., 317 Conn. 46 (Conn. May 26, 2015), finally came to an end this year. In that case, the insured was an information management contractor for IBM. On a trip from one IBM facility to another, a van belonging to a subcontractor inadvertently dropped 130 computer tapes—containing HR data about 500,000 current and former IBM employees—onto a highway. The contractor sought coverage under the theory that the associated losses—such as the costs of notification and credit—came within the personal injury coverage of its GL policy, which applied to “injury. . . caused by an offense of . . . electronic, oral, written or other publication of material that. . . violates a person’s right of privacy.”
An intermediate appellate court found there was no coverage, but the Connecticut Supreme Court granted certiorari to review the decision. At oral argument, the Justices openly struggled with the insured’s square peg argument that the employee information had been “published” within the meaning of the policy, because the record contained no evidence that the data on the tapes had actually been accessed—which would have required special equipment. (The only evidence of what happened to the tapes was a report that a motorist had been seen loading them into his car.) One of the Justices asked whether a hacker who gains access to a “closed architecture system” has thereby “published” the information in that system; he also suggested that the theft at issue had involved only the medium on which the information was stored, rather than the information itself. Shortly after argument, the Court ruled in favor of the insurers, holding that this peg did not fit into an advertising injury hole.
• 2015 also saw the resolution of another much-watched cybersecurity coverage case, pitting Sony Corporation against its insurers in a dispute over coverage for Sony’s much-publicized Playstation data breach. In 2014, a New York trial court dismissed the insurers from a declaratory judgment action. Sony appealed, and industry watchers eagerly awaited an appellate ruling—especially because the trial court decision was a short bench ruling, blunting its usefulness as precedent. They were disappointed: the case settled before the appeal was heard.
The underlying bench ruling may be of little precedential value, but it might also have been the catalyst for the explosive increase in demand for dedicated cybersecurity coverage that followed it. Whatever the cause, the purchase of cyber- specific coverage has sky-rocketed.
A New Regime Emerges
So what do these new cyber policies look like? How do they fit into an overall coverage program? What are the limits and contours of coverage under these policies? These questions will drive the second wave of cybersecurity coverage litigation.
According to recent industry data, the coverage is not cheap. This is due in large part to the growth of the liability exposure. As noted by one analyst, “the average costs for a breached company total $9.4 million over a 24-month period.” Those costs include both first- and third-party losses, including regulatory penalties and fines, credit monitoring, public relations costs to address reputational harm, costs associated with the lost data itself, business interruption and, of course, litigation expense. Annual premiums can range from $7,000 – $15,000 for smaller companies to as high as $50,000 for larger ones, depending on variety of factors.
One important factor that can help keep premium costs down will be loss services associated with the new insurance regime. In scoring the risk, underwriters will look to the level of the cybersecurity measures employed. Industry organizations have developed standards and best practices (see e.g. ISO/IEC 27001:2013), and insurers may require or offer incentives to insureds to adhere to such standards in maintaining an Information Security Management System (ISMS). Prevention-driven loss services of this kind can create a “virtuous cycle” of reducing losses, and thus reducing premiums costs over time. This cycle creates additional benefits to the consuming public, whose data is being vacuumed up at astonishing rates and in often surprising ways.
Sizing up the Second Wave
What will the next wave of cybersecurity coverage litigation look like? No doubt, some of the thorny issues that have vexed coverage lawyers under traditional coverages will be raised under these policies.
- Courts will still have to construe “other insurance” clauses in connection with packages of insurance that include (for example) GL coverage, D&O coverage and a tower of excess insurance—each of which might deal with cybersecurity in a different way.
- They will have to determine what constitutes prior knowledge of threats or related wrongful acts.
- They will probably confront new and perplexing late notice issues—especially because cybersecurity coverage is typically issued on a claims-made or claims-made-and-reported basis.
- Problems will be especially complex when the actual or potential threat to data integrity comes from a government actor or terrorist organization, forcing courts to define the boundaries between cyber coverage, excess coverage and traditional terrorism/war exclusions and even the Terrorism Risk Insurance Program, which was renewed earlier this year.
• One of the first reported decisions in a case seeking coverage under a cyber liability policy, Health Trio, LLC v. Travelers Prop. & Cas. Co. of Amer., No. 14-cv-00135-REB-KLM (D. Colo. Dec. 24, 2014), is itself something of a cypher. The publicly-issued opinion in this case concerned the insured’s objection to the use of an “abridged” version of the policy in connection with the insurer’s motion for summary judgment. The opinion overruled that objection, but it appears that the ruling on the summary judgment motion itself—issued by a magistrate on January 20, 2015—is under seal.
The record of the case does, however, provide some interesting nuggets. The complaint, as well as plaintiff’s Daubert motion challenging Travelers’ disclosed expert on claims handling issues, reveal that the insured sought coverage for an underlying contractual dispute it was having with the University of Miami, which had licensed the insured’s medical data management software. The dispute involved software licensing and design issues, and the insured sought coverage under a “CyberFirst Technology Errors and Omissions Liability Coverage” part. In defense of the claim, Travelers raised old-fashioned defenses, based on notice and the allocation of legal expenses—because the insured was using defense counsel to prosecute its own claim against The U.
• More recently, a federal judge in Utah issued what may be the first merits ruling in a cyber liability policy coverage case. Travelers Prop. Cas. Co. of Amer. v. Federal Recovery Services, Inc., No. 2:14-cv-170 (D. Utah May 11, 2015), involved a coverage claim under a cyber liability policy’s “Technology Errors and Omissions Liability Form,” brought by an insured in the business of processing, storing and transmitting electronic data. The insured managed customer credit and debit accounting for Global Fitness Holdings, LLC, an operator of sports and fitness clubs under the name “Urban Active.” When LA Fitness acquired the Urban Active centers pursuant to an Asset Purchase agreement with Global, the seller was required to map its existing customer financial data to the purchaser’s systems. Global Fitness looked to Travelers’s insured, Federal Recovery Services, Inc., to effect the transfer. But Federal allegedly refused, based on what Global called “several vague demands for significant compensation.” Global sued, and Federal tendered the defense to Travelers.
Travelers reserved its rights and sought a declaration that there was no coverage, and/or that coverage was excluded, because the acts complained of were not “errors” or “omissions,” but, rather, intentional conduct. The district court agreed: because Global’s claims sounded in contract, rather than tort, it granted summary judgment, finding that Travelers had no duty to defend or indemnify.
Trust The Brave And Sure
Thus, while courts have not yet addressed some of the novel issues cyber liability coverage will present—such as how key terms like “loss” and “your work” and “your product” will be construed in a new context—the early returns suggest that future cases will re-run many familiar coverage issues. Parties and courts are likely to work those issues especially hard when new forms of data crime and cyber screw-up produce claims that underwriters have not yet anticipated. The second wave may be cresting, but there’s still plenty of time for the weather to start getting rough again.
Image source: CBS Television (Wikimedia)