Does the Fifth Circuit’s Decision in Spec’s Suggest a Breach for Cyber Coverage Into Other Insurance?
Despite the existence of cybersecurity insurance, companies still seek coverage for cyber liability under various types of other insurance. Carriers, in turn, rely upon broad exclusions to limit coverage for risks never intended to be insured. One such broad exclusion is for contractual liability. However, the decision rendered by the United States Court of Appeals for the Fifth Circuit in Spec’s Family Partners, Ltd. v. The Hanover Insurance Co., 2018 U.S. App. LEXIS 17245 (5th Cir. June 25, 2018), casts some doubt over the applicability of this exclusion. Although litigated in the context of directors and officers liability (D&O) insurance and an underlying data breach claim, the potential effect of the decision reaches far beyond D&O insurance. It questions whether coverage may be found in different types of policies where an insured is accused of breaching data security standards – a common theme in cyber liability litigation.
In Spec’s, the insured, Spec’s, sustained a data breach compromising credit card payment information. Ultimately, the insured’s credit card processor, First Data Merchant Services, was required to reimburse the issuing banks for loss associated with fraudulent transactions from the breach. First Data, in turn, issued multiple demands to the insured seeking indemnification for the reimbursement of the loss, as well as for fines and fees, in excess of $7.6 million pursuant to an indemnity provision in the merchant agreement between Spec’s and First Data. In its demand letters, First Data contended that there was “conclusive evidence of a breach of the cardholder environment at Spec’s,” and that “Spec’s was non-compliant” with the Payment Card Industry Data Security Standard (PCI DSS) it was required to follow. First Data also demanded documentation of the insured’s security compliance, including a completed MasterCard Attestation of Compliance from a third-party Qualified Security Assessor (QSA). The accusation of non-compliance with a data security standard and the demand for an assessment turned out to be critical.
The insurer had issued to Spec’s a Private Company Management Liability Insurance Policy, which provided coverage for “Directors, Officers, and Corporate Entity Liability Coverage.” The insuring agreement covered “Loss” for which the insured was legally obligated to pay because of “Claims” made against it for “Wrongful Acts.” The policy defined “Claim” as “[a]ny written demand presented for monetary ‘Damages’ or non-monetary relief for a ‘Wrongful Act.’” The policy also had a contractual liability exclusion that prohibited coverage for:
“Loss” on account of any “Claim” made against any “Insured” directly or indirectly based upon, arising out of, or attributable to any actual or alleged liability under a written or oral contract or agreement. However, this exclusion does not apply to your liability that would have attached in the absence of such contract or agreement.
The insurer contended that the exclusion prohibited coverage. In subsequent coverage litigation, the trial court agreed; however, the Fifth Circuit reversed.
According to the Fifth Circuit, because Spec’s obligation to comply with PCI data security standards was independent of the merchant agreement between Spec’s and First Data, the carve-out exception in the contractual liability exclusion precluded application of the exclusion. The court further concluded that First Data’s demand that the insured undertake a security assessment also constituted a Claim (a demand for non-monetary relief) that was independent of the merchant agreement and therefore fell outside the scope of the exclusion. The court explained:
The demand letters themselves include references to Spec’s “non-complian[ce]” with third-party security standards and not insignificant demands for non-monetary relief, wholly separate from the Merchant Agreement. As explained by Spec’s, the non-monetary relief requested in the form of the completion and submission of forms and an Attestation of Compliance from a Qualified Security Assessor “took several months to complete, demanded countless hours of employee time, and required Spec’s to hire an outside firm to assist with the effort.” The demand letters included Spec’s “obligation” for the assessments, and Spec’s requirement to “promptly pay” sums to First Data upon request.
According to the court, the underlying allegations, when construed liberally, implicated “theories of negligence and general contract law that imply Spec’s liability for the assessments separate and apart from any obligations ‘based upon, arising out of, or attributable to any actual or alleged liability under’ the Merchant Agreement.” Thus, the exclusion did not apply. In so holding, the court gave no apparent consideration to the broad language of the exclusion, other than to restate the “directly or indirectly” and “arising out of” language without explaining why it was not satisfied. The court never explained how Spec’s liability to First Data could attach absent the merchant agreement.
Notably, the Fifth Circuit’s decision was made in the context of a motion for judgment on the pleadings over the duty to defend, a standard that is difficult for an insurer to satisfy because the duty to defend is judged on the underlying allegations alone, construed liberally in favor of the insured. This early stage of coverage litigation may explain the court’s reasoning. Nevertheless, the significance of this decision should not be underestimated.
Allegations of non-compliance with data security standards, as well as demands for security assessments, typically accompany indemnity claims made by one business partner against another for loss resulting from a cybersecurity incident. Many business relationships now have contractual agreements that require business partners to meet certain data security standards. Laws and regulations, such as HIPAA, GLBA, and the New York Department of Financial Services cybersecurity regulation (23 NYCRR Part 500), require companies to develop and implement reasonable information security programs (i.e., they have to satisfy reasonable data security standards). PCI DSS itself, by contrast, is not a law: it is an industry standard that reaches merchants through the card networks’ rules and the merchant agreements that incorporate them, which is precisely why the court’s treatment of the PCI obligation as independent of the merchant agreement is open to question.
Indemnity demands between business partners following a cybersecurity incident extend beyond the retailer and credit card processor relationship at issue in Spec’s. They can arise in many other business relationships where information is exchanged, including business associate agreements under HIPAA, nondisclosure agreements, and even client retention agreements with accounting firms and law firms. These business relationships are governed by contracts, and presumably, liability would stem from these contracts. However, in Spec’s, the Fifth Circuit thought differently, and its decision could have a broad effect on coverage determinations for other claims submitted under D&O insurance, especially “duty to defend” policies. The effect of the decision could also spill into claims submitted under E&O and legal malpractice policies. This decision and its effect will be significant ones to watch, for it breathes life into the assertion that a contractual liability exclusion does not wholly preclude coverage for loss arising out of a cyber incident between parties whose relationship is governed by a contract.