Maximizing Insurance Coverage for Cyber Losses: Two New Decisions Highlight Potential Recovery Sources
Businesses prudently and increasingly purchase stand-alone cyber insurance policies to manage the risk of cyber breaches and attacks. Two decisions from separate U.S. Courts of Appeals in the past two weeks highlight the fact that in-house counsel and risk managers should look to their organizations’ traditional insurance policies as a source of potential coverage for cyber-related losses. Spec’s Fam. Partners, Ltd. v. Hanover Ins. Co., 17-20263, 2018 WL 3120794 (5th Cir. June 25, 2018) (“Spec’s Family”); Medidata Sols. Inc. v. Fed. Ins. Co., 17-2492, 2018 WL 3339245 (2d Cir. July 6, 2018) (“Medidata”).
The Spec’s Family Ruling
In Spec’s Family, the U.S. Court of Appeals for the Fifth Circuit considered whether the trial court erred in granting judgment on the pleadings to the insurer. In the case, Spec’s faced claims by its credit card processor demanding payment of amounts that the processor had to pay to reimburse issuing banks for costs associated with fraudulent transactions after Spec’s credit card network was hacked. When Spec’s sought defense coverage from Hanover under its management liability policy, the insurer asserted that the credit card processor’s claims were barred from coverage based on a “breach of contract” exclusion, which precluded coverage for claims “directly or indirectly based upon, arising out of, or attributable to any actual or alleged liability under a written or oral contract or agreement. However, this exclusion does not apply to your liability that would have attached in the absence of such contract or agreement.” Id. at *2. The insurer claimed that this exclusion applied because Spec’s potential liability arose out of a merchant agreement it had with the credit card processor, and the trial court agreed and granted judgment on the pleadings. On appeal, the Fifth Circuit, applying Texas law, reversed. The Fifth Circuit pointed to the broad duty to defend, stating that “[w]here an underlying petition includes allegations that ‘go beyond’ conduct covered by an exclusion, the duty to defend is still triggered.” Id. at *4. The Fifth Circuit ruled that “[t]he pleadings, viewed in the light most favorable to Spec’s, do not unequivocally show [the exclusion] excused Hanover’s duty to defend under any set of facts or possible theory.” Id. at *5. The court pointed, for example, to language in the credit card processor’s claims that referred to “non-contractual theories of liability . . . , which must be construed in favor of Spec’s and the duty to defend.” Id.
The Medidata Ruling
In Medidata, the U.S. Court of Appeals for the Second Circuit considered whether a “spoofing” attack was covered under the computer fraud provision of a crime insurance policy. The provision covered losses stemming from “entry of Data into” or “change to Data elements or program logic of” a computer system. Id. at *1. The insurer argued that this coverage applied only to hacking-type intrusions, and not instances where an email address had simply been disguised. Applying New York law, the Second Circuit rejected the insurer’s argument and ruled that, although no hacking had occurred, “the fraudsters nonetheless crafted a computer-based attack that manipulated Medidata’s email system,” which indisputably constituted a “computer system” within the meaning of the policy. Because the spoofing code was introduced into the email system, the Second Circuit held that the attack was covered as “a fraudulent entry of data into the computer system.” Id. at *1. The Second Circuit distinguished attacks where employees were simply duped by confusing email addresses, noting that the fraud against Medidata, by contrast, “clearly implicates the ‘computer system qua computer system,’ since Medidata’s email system itself was compromised.” Id. at *2.
In addition to the fact that two prominent courts issued pro-policyholder rulings relating to cyber losses, there are several takeaways from these cases: