Businesses are increasingly purchasing dedicated cyber insurance policies to address their cyber and data security exposures. To date, however, many of the judicial decisions addressing insurance for cyber exposures have done so under other, more traditional, types of insurance policies such as commercial general liability (“CGL”) and commercial property policies. Some of these rulings have disappointed policyholders by concluding that such non-cyber insurance policies do not cover cyber exposures. But a recent decision by the United States Court of Appeals for the Fifth Circuit demonstrates that certain non-cyber policies potentially afford coverage for cyber exposures. In Spec’s Family Partners, Ltd. v Hanover Insurance Co., No. 17-20263, 2018 U.S. App. LEXIS 17246 (5th Cir. June 25, 2018), the court of appeals found that a contractual liability exclusion in a management liability policy did not excuse the insurer of its duty to defend its policyholder, a private company, against a claim arising out of a payment card data breach.
Spec’s Family Partners, Ltd. v. Hanover Insurance Co.
In the decision, the policyholder, Spec’s Family Partners, Limited (“Spec’s”), a specialty retail chain, entered into a merchant agreement with a payment processor to process credit and debit card transactions. The credit card network used by Spec’s was hacked, resulting in the payment processor having to reimburse issuing banks for costs associated with fraudulent transactions.
The payment processor in turn demanded reimbursement from Spec’s. In the first of two demand letters it sent to Spec’s, the payment processor asserted that there was conclusive evidence of a breach of the cardholder environment at Spec’s and that Spec’s was non-compliant with Payment Card Industry Security Standard (“PCIDSS”) requirements. The payment processor listed the amounts of the case management fee, fines, and reimbursement costs that the payment processor used to establish a reserve account in the total amount of $7,624,846.21 in order to fund MasterCard fines and anticipated Visa fines. In addition, the payment processor demanded documentation and security compliance from Spec’s, including a completed MasterCard Site Data Protection Account Data Information Form and Attestation of Compliance from a Qualified Security Assessor.
In the second demand letter it sent to Spec’s, the payment processor repeated the same allegations regarding the breach of Spec’s cardholder environment and notified Spec’s of the establishment of a second reserve fund in the amount of $1,978,019.49 for the payment of MasterCard fines relating to monitoring and replacement costs and fraud reimbursement.
Both demand letters alleged that the reserve accounts were established in accordance with Spec’s indemnification obligation under the merchant agreement.
Spec’s sought coverage under the directors’ and officers’ (“D&O”) section of its private company management liability insurance policy. Although the insurer initially paid the company’s defense costs, it eventually stopped paying them. Spec’s brought suit in federal district court against the insurer to enforce the insurer’s duty to defend.
In response to the suit, the insurer moved for judgment on the pleadings. The insurer asserted that the “contractual liability” exclusion in the insurance policy barred coverage. The contractual liability exclusion precluded coverage for any loss on account of any claim “directly or indirectly based upon, arising out of, or attributable to any actual or alleged liability under a written or oral contract or agreement.” An exception to the exclusion preserved coverage for “liability that would have attached in the absence of such contract or agreement.”
The district court granted the insurer’s motion for judgment on the pleadings. It held that the demand letters constituted a claim that triggered the duty to defend; however, the contractual liability exclusion barred coverage because the demands against Spec’s arose entirely out of the merchant agreement between Spec’s and the payment processor. According to the court, Spec’s failed to show “it would be liable or have any form of privity or obligation to pay damages to [the payment processor] for any other reason tha[n] those that arise out of contractual liability.”
Spec’s appealed the district court’s decision. In contrast to the district court, the court of appeals determined that the contractual liability exclusion did not excuse the insurer’s duty to defend. As the court of appeals explained, “[w]hether [the insurer] owed Spec’s a duty to defend turns on whether the two demand letters contain at least one claim that potentially falls within [the insurer’s] scope of coverage under the Policy.” Applying the broad standard applicable to an insurer’s duty to defend known as the “eight-corners” rule, the court of appeals found that the allegations in the demand letters, when construed liberally and in the light most favorable to Spec’s, included the potential for liability on non-contractual grounds.
The court of appeals pointed out, for example, that the demand letters asserted that Spec’s had an “obligation” for the assessments and to pay sums to the payment processor upon request. Such allegations, the court of appeals explained, implicated theories of “negligence” and “general contract law” that “imply Spec’s liability for the assessments separate and apart from any obligations ‘based upon, arising out of, or attributable to any actual or alleged liability under’ the Merchant Agreement.” Although the court did not elaborate on the term “general contract law,” the idea is that allegations framed merely as obligations, without reference to a specific contract provision, do not necessarily fall within the scope of the contractual liability exclusion
Other examples of non-contractual allegations pointed out by the court of appeals included alleged negligence by Spec’s in not complying with PCIDSS requirements and demands for non-monetary relief, such as the completion and submission of forms and an Attestation of Compliance from a Qualified Security Assessor.
Although the demands referred to the indemnification obligation under the merchant agreement with Spec’s, the court of appeals observed that “this phrase appears in the claim only in connection with the [payment processor’s] creation of Reserve Accounts. Further, its significance is outweighed by the references to non-contractual theories of liability contained in the letters, which must be construed in favor of Spec’s and the duty to defend.”
The court of appeals concluded that “[t]he pleadings, viewed in the light most favorable to Spec’s, do not unequivocally show [the contractual liability exclusion] excused [the insurer’s] duty to defend under any set of facts or possible theory.” Accordingly, the court reversed the district court’s decision and remanded the case for further proceedings.
Coverage for Cyber and Data Breach Risks under Non-Cyber Insurance Policies
Spec’s confirms that non-cyber insurance policies may provide coverage under certain circumstances for cyber or data breach claims. Private company D&O policies like the one at issue in Spec’s are known for providing relatively broad coverage for insureds and their directors and officers. Unlike CGL insurers, D&O insurers have been slow to add exclusions to their policies specifically targeting cyber and data breach liabilities. Even so, some D&O insurers may be reluctant to acknowledge coverage for cyber and data breach claims. A policyholder who believes it has a valid insurance claim should not be daunted by an initial denial of coverage. Instead, it should scrutinize the adverse coverage determination and engage the insurer to convince it to change its adverse coverage position.
Contractual Liability Exclusion
D&O insurance, however, is not synonymous with cyber insurance. Exclusions commonly found in D&O and other non-cyber policies can complicate efforts to secure coverage for cyber and data breach claims. For example, the same contractual liability exclusion in Spec’s may be invoked with more success in other cases depending on the particular facts and allegations at issue. Indeed, the Spec’s case could have turned out differently had all of the allegations in the payment processor’s demand letters hewed more closely to the merchant agreement.
Many organizations have contractual obligations to maintain the security of confidential information of their customers and business partners and to indemnify them in the event of improper disclosure. Questions about the proper application of the contractual liability exclusion are likely to reoccur in future insurance coverage litigation relating to cyber and data breach claims.
Cyber Insurance and the Contractual Liability Exclusion
Because non-cyber policies may not provide reliable coverage for cyber and data breach claims, many organizations are investing in dedicated cyber insurance policies. But do organizations that have purchased cyber policies have to worry about the contractual liability exclusion?
In a word, yes. In fact, one of the few judicial decisions involving a dedicated cyber insurance policy ultimately denied coverage in circumstances similar to those in Spec’s based on a contractual liability exclusion. In P.F. Chang’s China Bistro, Inc. v. Federal Ins. Co., No. CV-15-01322-PHX-SMM, 2016 U.S. Dist. LEXIS 70749 (D. Ariz. May 31, 2016), the policyholder, P.F. Chang’s, a restaurant chain, experienced a payment card breach and its payment processor demanded that P.F. Chang’s reimburse it for costs and fines pursuant to an indemnity agreement. P.F. Chang’s sought coverage under its cyber insurance policy. The cyber policy had a contractual liability exclusion that barred coverage for “liability assumed by any Insured under any contract or agreement.” Unfortunately for P.F. Chang’s, the district court held that the contractual liability exclusion barred coverage.
Why the different outcomes in P.F. Chang’s and Spec’s? P.F. Chang’s based its coverage arguments on non-contract theories that were never actually alleged by the payment processor. Although P.F. Chang’s contended that it could have been “liable under a variety of theories, including: negligence or particular statutes,” the restaurant chain had reimbursed the payment processor in response to a demand to fulfill its contractual obligations. Against this backdrop, the court was unconvinced that the theories put forth by P.F. Chang’s about other potential grounds for liability were sufficient to remove the claim from the scope of the contractual liability exclusion. Indeed, the court noted that it was “unable to find and Chang’s does not direct the Court’s attention to any evidence in the record indicating that Chang’s would have been liable for these Assessments absent its agreement with [the payment processor]”—which, was unsurprising given that the payment processor made no such allegations. The court’s reference to “evidence” also highlights that the court may have also viewed the claim for coverage through the standard for the duty to indemnify. Unlike the duty to defend, which focuses on the allegations of a claim (although extrinsic evidence is sometimes considered), the duty to indemnify standard focuses on the facts as proven.
Since the P.F. Chang’s decision was issued in 2016, many cyber insurers have started to market cyber policies with contractual liability exclusions that have exceptions intended to preserve coverage in certain situations. But the precise wording of the exclusions and the exceptions vary from insurer to insurer. A contractual liability exclusion may simply state, as the one at issue in Spec’s did, that it does not apply to liability that would have attached in the absence of a contract. That may not be enough. For any policyholder purchasing or renewing a cyber insurance policy, the contractual liability exclusion and any related exclusions or other limitations must be on its list of provisions to review carefully.
A dedicated cyber insurance policy that offers a combination of first party and third party coverages specifically designed to cover cybersecurity and data breach events is becoming an essential element of any organization’s insurance portfolio. The Spec’s decision serves as a reminder, however, that policyholders seeking coverage for cyber and data breach claims should not overlook other potentially applicable policies, such as D&O policies. It is also a reminder that policyholders concerned about coverage for cyber and data breaches should always consider the scope of the contractual liability exclusion—especially when purchasing (or renewing) cyber insurance. An unduly broad exclusion can give the insurer a foothold to deny coverage. If that happens, policyholders may still be entitled to coverage. Policyholders should carefully analyze denials of coverage in light of judicial decisions like Spec’s that narrowly construe the contractual liability exclusion in favor of coverage.