5 Takeaways From First Cyber Case

On May 11, 2015, in a case that is being widely celebrated as one of the first coverage rulings involving a “cyber” insurance policy, a federal court ruled that Travelers has no duty to defend its insured in Travelers Property Casualty Company of America, et al. v. Federal Recovery Services, Inc., et al. Although the Travelers case does not involve cyber-specific coverage issues, the case nonetheless carries some important takeaways for insureds, insurers and many other interested spectators. Here is a brief summary of the ruling and five key takeaways: The Facts The insured, Federal Recovery, was in the business of providing processing, storage, transmission and other handling of electronic data for its customers, including Global Fitness. In particular, Federal Recovery agreed to process Global Fitness’s gym members’ payments under a servicing retail installment agreement. Global Fitness sued Federal Recovery, alleging that Federal Recovery wrongfully refused to return member account data to Global Fitness, including member credit card and bank account information. Global Fitness asserted claims for tortious interference, promissory estoppel, conversion, breach of contract and breach of the implied covenant of good faith and fair dealing. The Cyber Policy The policy at issue was a “CyberFirst” policy issued by Travelers. The policy included a technology errors and omissions liability form, which stated that Travelers “will pay those sums that [Federal Recovery] must pay as ‘damages’ because of loss ... caused by an ‘errors and omissions wrongful act’....” The key term “errors and omissions wrongful act” was defined to include “any error, omission or negligent act.” In addition to covering potential damages, the Travelers policy provided defense coverage, stating that Travelers “will have the right and duty to defend [Federal Recovery] against any claim or ‘suit’ seeking damages for loss to which the insurance provided under one or more of ‘your cyber liability forms’ applies.” Federal Recovery tendered the defense of the underlying Global action to Travelers, which initiated litigation seeking a declaration that it wasn't required to provide coverage. Travelers argued that it did “not have a duty to defend [Federal Recovery] against the original or amended complaints in the Global action because Global [Fitness] does not allege damages from an ‘error, omission or negligent act.’” The Coverage Disputes: Scope of Coverage and Duty to Defend Although Travelers involves underlying cyber-related facts and a “cyber” insurance policy, the coverage issues arising out of the facts and policy certainly are not cyber-specific. Travelers’ declaratory judgment action raises two coverage disputes concerning: (1) the scope of coverage afforded by the technology errors and omissions policy at issue, as shaped by its key “wrongful act” definition; and (2) the scope of an insurer’s duty to defend under Utah law. While arising in the context of “cyber”-related facts surrounding electronic account and payment data, and under a “cyber” insurance policy, the coverage disputes at issue in the Travelers case are precisely the types of disputes that we routinely see in the context of errors and omissions and other claims-made liability coverages. (1) The Scope of Coverage As to the scope of coverage, errors and omissions, D&O, professional liability and other claims-made policies, like the policy at issue in the Travelers case, typically cover “wrongful acts,” a term that typically in turn is defined as “any negligent act, error or omission,” or similar language. There are scores of cases addressing whether intentional and non-negligent acts fall within or outside the purview of a covered “wrongful act.” Unfortunately, and in contrast to other decisions, the U.S. District Court for the District of Utah in the Travelers case took a narrow view of the key language, ruling that “[t]o trigger Travelers’ duty to defend, there must be allegations in the [underlying] action that sound in negligence.” The court further found that there were “no such allegations.” In contrast, other courts have appropriately upheld coverage for various types of intentional and non-negligent conduct under errors and omissions and other claims-made policies. As one commentator has summarized: Claims-made policies typically afford coverage for claims by reason of any “negligent act, error or omission.” What if an insured is held liable for a non-negligent act? Most courts have held that the insured is still entitled to coverage. The strongest argument in favor of that conclusion is that (i) an “error” or “omission” encompasses more than negligent conduct, and (ii) if only negligent errors and negligent omissions were covered, the “error or omission” language would be rendered redundant. To the extent some may wish to reference other cases addressing cyber-related fact patterns, those cases exist. For example, in 1995, the Supreme Judicial Court of Massachusetts in USM Corp. v. First State Ins. Co.10 upheld coverage under an errors and omissions policy for a breach of express warranty claim involving the insured’s failure to develop and deliver a turnkey computer system that would perform certain functional specifications. The errors and omissions policy at issue in the USM case, similar to the policy at issue in the Travelers case, covered claims against the insured “by reason of any negligent act, error or omission.” Also, the insurers in USM, like the insurers in Travelers, argued that the policy only covered the insured for negligent acts. The USM court rejected the insurers’ arguments, noting that courts have not limited coverage under errors and omissions policies to circumstances involving negligence: Other courts have not limited liability under “errors and omissions” policies to circumstances involving negligence but have recognized certain non-negligent errors as being within the coverage afforded. Cases involving the words such as “negligent act, error or omission” (the crucial language of the policies before us) have not consistently determined that an error must be a negligent one if coverage is to be available. *** Because some, but not all, judicial opinions have rejected the interpretation of errors and omissions policies for which the insurers contend, if it was the insurers’ intention, the crucial words of the policy should have been amended to eliminate the ambiguity and to make clear that coverage extended only to negligent errors. Potential policyholders could then have more accurately determined whether such coverage met their needs. Because of the uncertainty about the scope of the word “error,” the insurers as authors of the policies must suffer the consequences of the ambiguity. The New York Appellate Division’s decision in Volney Residence, Inc. v. Atlantic Mut. Ins. Co. is likewise instructive. In that case, the Appellate Division held that the insurer had a duty to defend a federal RICO action in which the insured defendants “were alleged intentionally to have committed acts of self-dealing and fraud.” Applying well-established rules of contract interpretation, the court ruled that there was a duty to defend: The policy provision in question covers claims arising from “a negligent act, error or omission,” which term is defined as “any negligent act, error or omission or breach of duty of [the] directors or officers while acting in their capacity as such.” The definition is susceptible of more than one meaning and can be understood to cover any breach of duty of the directors or officers, not exclusively negligent breaches of duty. Ambiguities in an insurance policy are to be resolved against the insurer. Other cases are to the same effect. (2) Scope of the Duty to Defend Turning to the separate issue of the duty to defend, it is well established that the duty to defend is very broad—broader than the duty to indemnify. The duty to defend is typically triggered if there is some potential for coverage, and, in many jurisdictions, it is appropriate to look outside the facts pled in the underlying complaint to determine whether there is a duty to defend. Again, unfortunately, the court in the Travelers case took a narrow view of the insurer’s duty to defend. Even assuming for the sake of argument that the policy covered only negligence, the underlying complaint alleged, among other things, that Federal Recovery “retained possession of member accounts data, including the billing data, which was the property of Global Fitness ....” Allegations surrounding improper retention of data, even if that retention ultimately was wrongful or not legally justifiable, clearly may arise out of negligence as opposed to intentional conduct. Travelers Takeaways Putting aside the ultimate merits of the court’s ruling, and whether this case addresses any coverage issues that are appropriately characterized as “cyber” issues, Travelers offers at least five key takeaways: First, Travelers illustrates that decisions involving cyber insurance policies are coming and, considering all of the attention and buzz surrounding an otherwise seemingly mundane errors and omissions case, insureds and insurers alike are anxiously awaiting and anticipating the guidance those decisions may provide. Second, Travelers underscores that the types of coverage disputes that we will see arise out of cyber-related facts and, under cyber insurance policies, often will involve, or at least will intertwine with, the types of disputes that routinely arise in connection with traditional insurance coverages, including errors and omissions coverage and general liability coverage. This is useful for insureds to appreciate toward the goal of being prepared for future potential coverage disputes under cyber policies. Third, Travelers underscores the importance of securing a favorable choice of forum and choice of law in insurance coverage disputes. Until the governing law applicable to an insurance contract—cyber or otherwise—is established, the policy can be, in a figurative and yet a very real sense, a blank piece of paper. Fourth, although its label as a first cyber case is debatable, Travelers at a minimum has spotlighted the approaching disputes under cyber liability policies, which should remind insureds of the need to be prepared for, in addition to the traditional types of coverage issues and disputes that can arise under those policies, the potential cyber-specific coverage issues and disputes that may arise, such as the scope of coverage for “cloud”- related exposures. Fifth, Travelers illustrates the importance of obtaining the best possible policy cyber language at the initial coverage placement and renewal stage. Unlike some types of traditional insurance policies, cyber policies are extremely negotiable, and the insurer’s off-the-shelf language can often be significantly negotiated and improved—often for no increase in premium. It is important for the insured to understand its unique potential risk profile and exposure— and what to ask for from the insurer. Often in coverage disputes, the issue of coverage comes down to a few words, the sequence of a few words or even the position of a comma or other punctuation. It is important to get the policy language right before a dispute. And while the Travelers case addresses coverage issues that are not cyber-specific, the fundamentals of successfully pursuing coverage under traditional insurance coverage are important to keep in mind as we enter a time and space in which coverage disputes based on underlying cyber-related factual scenarios, and under specialized cyber insurance coverages, are poised to become commonplace.