Sony. Anthem. The Home Depot. Target. The last year has seen mega-scale data breaches involving some of the world’s largest companies. These breaches cost the companies tens-of-millions of dollars in lawsuits, damages and credit protection for individuals whose personal data is compromised. It is little wonder that, given this new era of exposure, cyber insurance is among the most important protections policyholders can acquire today. Two new cases provide some needed guidance to policyholders.
The First Cyber Coverage Opinion
The first case, Travelers Prop. Cas. Co. of Am. v. Federal Recovery Serv., Inc., 2015 WL 2201797 (D. Utah May 11, 2015), is a decision heralding from the US District Court for the District of Utah. Federal Recovery Services (“FRS”) was a data processing and storage company who contracted with Global Fitness, a gym, to process Global Fitness’ members’ credit cards for their monthly membership fees. FRS had a Travelers’ CyberFirst policy, which specifically protected against data breaches stemming from any wrongful act, defined as a “negligent act, error or omission.”
During a dispute between Global Fitness and FRS, the latter refused to return the members’ credit card and bank account information to Global Fitness. Global Fitness sued FRS for a number of business torts and for breach of contract, but not negligence claims. FRS tendered the claim to Travelers, which denied coverage and brought a seeking a declaration that it did not owe a defense or coverage for the Global Fitness lawsuit. The court agreed. The reason for the ruling was that Global Fitness’ claims did not fit within the definition of “wrongful acts.”
Court Clarifies Data Coverage Under CGL Policies
The second case is Recall Total Info. Mgmt., Inc. v. Federal Ins. Co., 317 Conn. 46 (May 26, 2015). There, IBM contracted with Recall Total Information Management, Inc. to transport and store computer tapes containing personal information of IBM employees. Recall subcontracted with Ex Log to provide transportation services for these tapes. Ex Log and Recall only held commercial general liability policies. During transportation, IBM’s computer tapes literally fell off Ex Log’s truck and disappeared. While no proof existed that any of these employees’ information was ever accessed, IBM spent over $6 million providing identity theft protection services to its employees. IBM demanded that Recall and Ex Log indemnify these losses. Recall and Ex Log tendered the claim to their insurers under their commercial general liability policies, who denied coverage.
The insurers asserted – and the Court agreed – that the loss of the computer tapes did not constitute a “personal injury” as defined by the CGL policies. The Court determined that no indemnification or defense was required under the policies. This ruling highlights the concerns with businesses looking for data breach and privacy coverage in CGL policies.
Coverage Pointers for Policyholders
Data breach cases and cyber litigation are at the forefront of insurance law. Pundits believe that coverage litigation is just starting for true cyber insurance disputes, so there is certainly more to come. These cases highlight several critical aspects for insured to understand:
- traditional CGL and commercial property coverage are simply insufficient for data/privacy coverage;
- even upon obtaining cyber coverage, policyholders need to ensure that the coverage is broad enough to encompass real-life liability claims;
- many of the traditional coverage disputes remain the same that policyholders will now face under cyber insurance policies;
- insureds need to be aware that where the coverage litigation is filed can have a huge impact on the actual scope of coverage, especially with so little case law interpreting the new cyber policies; and
- while third-party coverage is important, having first-party cyber coverage is likely even more important for many policyholders.
As with most insurance policies, the devil is in the details of the policy language. The outcome of many coverage disputes may turn on a word, definition or phrase. Policyholders are well advised to make every effort to get the language correct up front, least they find themselves without coverage when most needed.
Frank Cragle is a trial lawyer and a member of Hirschler Fleischer’s Insurance Recovery Team. He handles a variety of commercial business disputes, including insurance recovery and policyholder claims. Frank also devotes a substantial portion of his time to business tort litigation and intellectual property claims. For more information, contact Frank at 804.771.9515 or firstname.lastname@example.org.
Stephanie A. Hood