In one of the first published decisions on the scope of cyber risk coverage, Utah has cast doubt on whether coverage pursuant to standard “wrongful act” definitions in cyber policies provides coverage for damages stemming from cyber attacks, particularly under cyber policies fashioned as “errors and omissions.”
On May 11, the United States District Court for the District of Utah ruled that the carrier, Travelers Property Casualty Company of America, had no obligation to defend its insured under a “Cyber First” policy that comprised a “Technology Errors and Omissions Liability Form” (decision here). Travelers stated in this form that it would pay damages caused by “an error or omissions wrongful act” defined as “an error, omission or negligent act.” The claim here arose when the insured, Federal Recovery, refused to return certain account data, including credit card numbers, to its customer Global Fitness. Global Fitness brought suit against Federal Recovery, alleging, among other theories, breach of contract, conversion, tortious interference and promissory estoppel. Federal Recovery tendered its defense to Travelers, and Travelers moved for declaratory relief that it had no duty to defend Federal. Federal moved for summary judgment.
The Court denied the motion and held that Travelers had no duty to indemnify or defend Federal Recovery. The claims did not allege negligence, the court held, and allegations of negligence were required to trigger coverage under the “error, omission or negligent act” language. Though the duty to defend is greater than the duty to indemnify, the court ruled that there was no duty to defend Federal Recovery because the allegations in the Complaint described only intentional, not negligent, conduct.
While the scope of indemnity and defense is subject to state court interpretation, and states such as Massachusetts and New York have adopted more liberal constructions of the “errors and omissions” language, the Utah decision is troubling with regard to coverage for cyber attacks, which are, by their nature, intentional acts. Unless the attack can be traced to probable acts of negligence (e.g., failure to keep malware controls current), carriers may attempt to rely on the Utah decision to deny coverage and defense in the event of a cyber attack.
Not all cyber policies are fashioned as errors and omissions coverage, but organizations should review the language of their cyber coverage with their counsel to ascertain the scope of available coverage in the event of an attack – before the inevitable attack occurs.
Please contact Kenneth N. Rashbaum if you have questions regarding your cyber risk coverage.