James S. Carter, Omid Safa, and Jared Zola
More insurers are offering stand-alone cyberinsurance policies than ever before. At the same time, there are very few decisions by courts regarding this relatively new breed of insurance policy. Most of the decisions construing insurance coverage for cyber risks to date involve other types of insurance policies, such as commercial general liability (“CGL”) and commercial crime policies. Although such cases may not involve cyber policies per se, buyers trying to navigate the cyberinsurance market ignore them at their peril. They illustrate the types of cyber incidents that have generated insurance coverage disputes significant enough to be litigated to decision. Familiarity with such cases can help buyers select and negotiate cyber risk policies with wording aimed at minimizing such disputes and increasing the scope and certainty of the coverage available to the policyholder.
Quality cyber risk policies offer a combination of first-party and third-party coverages that address the various types of losses that may arise out of a cyber incident. Typical coverages include:
- Forensic costs;
- Notification/credit monitoring/PR costs;
- Business interruption and extra expense;
- Liability coverage for privacy and cyber incidents;
- Regulatory defense and coverage for fines and penalties;
- Media liability; and
- Cyber extortion.
Many insurers structure their cyber policies with separate insuring agreements governing each coverage. Accordingly, the coverage available under each agreement may be subject to different terms, conditions, and limitations.
Adding another layer of complexity, cyber policy wordings differ significantly from one insurer to another. Even when two policies are advertised as offering the same types of coverages, the specific terms of those policies may differ significantly. And, although cyber policies are not standardized, they are not necessarily written with the needs of any particular insured or industry in mind, either. It is thus incumbent upon buyers seeking the best available cyberinsurance to carefully compare prospective policies and request modifications, if necessary.
Although cyber policies are relatively new, it is important to remember that the principles governing the interpretation of insurance policies are well established and apply regardless of the type of insurance involved. For example, the overwhelming majority of jurisdictions recognize that insuring clauses should be broadly construed to effectuate the purpose of the insurance, while exclusions and limitations are narrowly construed. The insurer bears the burden of proving the applicability of any exclusion or limitation, and all ambiguities must be construed in favor of coverage. Moreover, policies must be read as a whole, and all terms are given their ordinary meaning unless otherwise specified.
In litigation over coverage for cyber risks, insurers often seek to undermine these principles by urging courts to adopt narrow, technical interpretations that are inconsistent with the language they market and sell to policyholders. Often, these insurers seek to conflate the technological nature of cyber-related risks with the interpretation of ordinary insurance terms. Unfortunately, a few courts have failed to recognize this distinction and strayed from applying longstanding principles of insurance interpretation. Thus, it is important for cyberinsurance buyers to carefully scrutinize the specific terms of prospective cyberinsurance policies and request changes to help ensure that the coverage will meet their expectations.
TRIGGER OF COVERAGE
One of the most commonly litigated insurance coverage issues is whether a particular risk falls within the basic scope of coverage under a particular policy. Cyber and privacy risks are no exception. Such risks can take a myriad of forms and each cyber incident is likely to feature its own unique fact pattern. Moreover, cyber threats are constantly evolving as technology advances and attackers continue to create new cyber threats, and the laws and regulations that govern cyber and privacy risks continue to develop. The variation in cyber risks combined with the variation in wording across cyber policies creates an environment ripe for coverage disputes over whether a cyber incident will or will not satisfy the criteria for triggering a policy.
The trigger of coverage issue has been litigated most often in connection with cyber and privacy risks under CGL policies. For example, in Travelers Indemnity Co. of America v. Portal Healthcare Solutions, LLC, 35 F. Supp. 3d 765, 772 (E.D. Va. 2014), aff’d, 644 Fed. Appx. 245 (4th Cir. 2016), the dispute centered on whether a suit triggered advertising/personal injury coverage under a CGL issued to a healthcare company. The company sought coverage for a lawsuit alleging that it had accidentally posted patients’ private medical records on the internet, and the insurer denied coverage, asserting that there was no “publication” triggering coverage under the policy, because the underlying suit failed to allege that anyone (other than patients) had viewed the records. The district court disagreed and held that the insurer had a duty to defend based on the ordinary meaning of “publication.” Applying a dictionary definition, the court reasoned that “[p]ublication occurs when information is ‘placed before the public,’ not when a member of the public reads the information placed before it.” Thus, the court concluded that the alleged disclosure of medical records online fell within the plain meaning of “publication” and triggered the duty to defend. Id. at 770-71.
Portal Healthcare’s interpretation of the term “publication” (a term which also appears in some cyber policies) favors policyholders, because it rejects the insurers’ overly technical interpretation. But few policyholders would relish a coverage dispute that hinges on the interpretation of a single term. For this reason, one of the most important steps a cyberinsurance buyer can take is to carefully review the terms that describe the criteria for triggering coverage. At a minimum, the terms should encompass the cyber risks that most concern the buyer. But because cyber risks can be unpredictable, the terms should be as broad as possible to encompass other types of cyber risks that are potentially relevant to the buyer’s business. One question to consider, for example, is to what extent a prospective cyber policy would respond to a cyber incident like the one in Portal Healthcare, where it may be unclear whether sensitive data was accessed, viewed, or exfiltrated by a third party. If the answer is not clear from the policy language, then it may be beneficial to consult with your broker and counsel.
A significant number of cyber incidents arise from the acts of persons who have rights to access an insured’s network or confidential data, such as employees, contractors, vendors, and customers. Unfortunately, scenarios involving insiders are likely to draw significant scrutiny from insurers. One issue that can arise in such situations is whether a person acted with or without authorization.
In Pestmaster Services, Inc. v. Travelers Casualty & Surety Co. of America, No. 14-56294, 2016 U.S. App. LEXIS 13820 (9th Cir. July 29, 2016), aff’g CV 13-5039-JFW (MRWx), 2014 U.S. Dist. LEXIS 108416 (C.D. Cal. July 17, 2014), for instance, the insured’s payroll contractor was authorized to transfer funds from the insured’s account to pay the insured’s payroll taxes. After the contractor used the funds to pay its own expenses, the insured sought coverage under the computer fraud section of its commercial crime policy, which defined computer fraud as the “use of any computer to fraudulently cause a transfer of Money . . . .” Id. at *2. Siding with the insurer, the district court held that the insured was not entitled to coverage, and the court of appeals affirmed. The court of appeals interpreted the operative phrase to require a completely unauthorized transfer of funds, rather than a transfer for a fraudulent purpose by an individual normally authorized to transfer funds.
The court was also concerned about expanding coverage under commercial crime policies beyond what it believed was intended (a concern that should not apply to cyber policies). But most insureds would justifiably find the court’s reasoning in Pestmaster troubling, because the policy did not expressly exclude coverage for fraudulent transfers by authorized persons and, in any event, the insured clearly did not authorize the contractor to transfer the funds for its own use. Even the court of appeals conceded that the insurer “could have drafted th[e] language more narrowly.” 2016 U.S. App. LEXIS at **2-3. Pestmaster is thus a cautionary tale that underscores the importance of evaluating whether and to what extent a cyber risk policy would cover cyber and privacy incidents arising from the acts of insiders.
To avoid similar disputes, cyberinsurance buyers should confirm that any conduct exclusion in a cyber policy features an exception for insiders who act without the knowledge of the insured’s management. But references to unauthorized conduct or persons may be scattered throughout other policy provisions. Therefore, purchasers should consider what “unauthorized” may mean within the context of each provision and the policy as a whole. To the extent that such terms may invite reference to the insured’s own practices, purchasers should ensure that their internal data privacy and computer security policies mesh with their cyberinsurance to enhance coverage.
A growing trend is the tendency for insurers to challenge coverage for a cyber incident by attributing the incident to conduct by the insured or its employees that may not be covered. Even in clear cases of computer hacking, insurers have sought to shift blame for losses to non-covered conduct by the insured.
In State Bank v. BancInsure, Inc., 823 F.3d 456 (8th Cir. 2016), for instance, malware infected a computer used by the bank to make wire transfers. To make a transfer, two employees were supposed to each enter their credentials and insert physical tokens into the computer. Against the bank’s policies and procedures, one employee used the infected computer to complete a wire transfer using her credentials and token as well as the credentials and token of another employee and then left the two tokens in the computer overnight while the computer was running. Hackers then used the infected computer to make transfers to a fraudulent bank account. The bank sought coverage for the lost transfers under its financial institution bond, which is similar to an insurance policy. The insurer denied coverage, asserting that the overriding cause of the loss was the bank employee’s violations of the bank’s policies and procedures, not the hacking of the computer system. Fortunately for the insured, the court disagreed, holding that the overriding cause of the loss was the criminal activity of a third party, rather than the employee’s failure to follow policies and procedures. Id. at 461.
The BancInsure court reached the right result. But the dispute in BancInsure may have been avoided altogether had the policy extended to cyber incidents that arise from either a breach of computer security or a failure to follow the insured’s written security policies and procedures. Cyber policies should also be scoured for exclusions relating to the failure to maintain certain security standards.
If past experience with other types of insurance coverage is any indication, courts eventually will have plenty of opportunities to hear disputes over stand-alone cyberinsurance policies. This emerging body of case law will help cyber risk policies mature by clarifying for the market what wording works best for insureds. But no insured wants to end up in litigation with its insurer. For this reason, cyberinsurance buyers should not ignore existing cases construing coverage for cyber risks under other types of policies because such cases illustrate problematic situations that have given rise to coverage litigation in the past. Those purchasers who are able to draw on the lessons from past cyber risk coverage litigation will be best positioned to select and negotiate cyber policies that will help them avoid repeating such disputes in the future.