The U.S. District Court for the District of Utah recently issued an opinion construing cyber insurance coverage — one of the first cases of its kind. The court determined in Travelers Property Casualty Co. of America v. Federal Recovery Services, Inc. that there was no cyber insurance coverage under a technology errors and omissions policy, because the allegations against the insured included only claims of intentional misconduct. Similar to traditional forms of liability insurance, the errors and omissions cyber insurance only covered mistaken, negligent, or otherwise unintentional conduct.
As data security breaches have become commonplace, many insurers have responded by limiting or excluding coverage for data-related events and claims under traditional policies, and have instead offered separate cyber insurance policies. While there has been much discussion about cyber insurance generally, few courts have yet construed cyber insurance policy terms.
The Travelers opinion illustrates that cyber insurance does not provide cure-all protection for data-related events and disputes. While we expect some variation in court decisions on this issue because the duty to defend is based on state law, and therefore varies by jurisdiction, this case illustrates the limitations of certain forms of cyber insurance.
Not all cyber insurance coverage is limited to claims alleging unintentional conduct. As a relatively new product, cyber insurance policies are highly variable. Some policies cover losses from intentional acts, provided those acts are attributed to third parties or certain lower-level employees.
Perhaps unintended by the court, the Travelers case also provides a roadmap for invoking insurance coverage when seeking to recover for a data-related event. It is common for litigants to frame allegations and claims in an effort to enable coverage for their opponent, because such efforts provide an additional route for recovery and potential leverage for settlement. Given the rise in data-related claims and events, as well as growing prevalence of separate cyber coverage, we expect that litigants will increasingly try to invoke insurance coverage for data-related claims by including allegations of errors, omissions, or negligence.
What This Means to You
Because cyber insurance is a relatively new product and coverage terms vary from policy to policy, insureds need to pay close attention to policy details. Some policies only cover errors and omissions, while others cover certain intentional acts. Insureds need to evaluate their data risks and review their insurance coverage, paying close attention to the type of coverage, policy definitions, and policy exclusions.