Coverage Liabiltiy Cyber Insurance Las vegas

By: Judy Greenwald (Business Insurance) May 2015

A court ruling in favor of an insurer in one case and coverage litigation in another — both involving cyber insurance policies — may mark the beginning of a new stage in the coverage as a growing number of firms obtain these policies.

“It’s not surprising to see cases beginning to be filed under cyber policies, given their increasing adoption across various industries,” said Russell P. Cohen, a partner with law firm Orrick, Herrington & Sutcliffe L.L.P. in San Francisco, who is not involved with either case.

In one of the first coverage rulings involving a cyber insurance policy, the U.S. District Court in Salt Lake City held last week that a Travelers Cos. Inc. unit is not obligated to defend a policyholder.

Salt Lake City-based Federal Recovery Services Inc., which is in the business of providing processing, storage, transmission and other handling of electronic data for its customers, had a cyber insurance policy with Travelers Property Casualty of America, according to the ruling in Travelers Property Casualty Co. of America et al. v. Federal Recovery Services Inc. et al.

Travelers had issued a CyberFirst policy to the defendants that included a technology errors and omissions liability form stating coverage would be provided for an “errors and mission wrongful act,” which “means any error, omission or negligent act,” says the ruling.

Federal Recovery allegedly refused to transfer some requested data until Lexington, Kentucky-based Global Fitness Holdings L.L.C., with which it had a contract, “satisfied several vague demands for significant compensation,” according to the ruling. In March 2014 Global filed suit against Federal Recovery on charges including breach of contract

Federal Recovery sought defense coverage from Travelers under its cyber policy. Travelers provided a defense, but with a reservation of rights.

The District Court ruled Travelers does not have a duty to defend Federal Recovery, holding that Global alleges the defendants withheld the information until Global met certain demands, not because of an error, omission or negligence.

Joseph F. Bermudez, a partner with law firm Wilson, Elser, Moskowitz, Edelman & Dicker L.L.P. in Denver, who is not involved in the case, said the ruling is significant because “it’s one of the first decisions in regard to coverage under a cyber policy.”

However, Linda Kornfeld, a partner with law firm Kasowitz Benson Torres & Friedman L.L.P. in Los Angles, who also is not involved in the case, pointed out this ruling “should not apply when a company is seeking defense costs under a breach policy for an actual data breach event.”

Exclusions dispute

Separately, Columbia Casualty Co., a unit of Chicago-based CNA Financial Corp., is seeking a judicial ruling that it is not obligated to pay a $4.1 million settlement under an exclusion in Santa Barbara, California-based Cottage Health System’s cyber policy that precludes coverage for “failure to follow minimum required practices.”

The complaint in Columbia Casualty Co. v. Cottage Health System was filed May 7 in U.S. District Court in Los Angeles. Policyholder attorney Stephen T. Raptis, a partner with law firm Manatt, Phelps & Phillips L.L.P. in Washington, said the exclusion in Cottage Health Systems’ policy is common in cyber policies and “one that’s troubled me for a long time” because it is “completely open-ended” and overly broad, as well as subjective.

Mr. Cohen, who was not involved in the case, said it “highlights the importance of negotiating over the terms of your cyber policy to eliminate these kinds of broad exclusions.”

Business Insurance