{"id":120,"date":"2018-09-04T10:09:50","date_gmt":"2018-09-04T14:09:50","guid":{"rendered":"https:\/\/pbacyber.com\/?p=120"},"modified":"2019-04-12T10:56:14","modified_gmt":"2019-04-12T14:56:14","slug":"does-the-fifth-circuits-decision-in-specs-suggest-a-breach-for-cyber-coverage-into-other-insurance","status":"publish","type":"post","link":"https:\/\/pbacyber.com\/index.php\/2018\/09\/04\/does-the-fifth-circuits-decision-in-specs-suggest-a-breach-for-cyber-coverage-into-other-insurance\/","title":{"rendered":"Does the Fifth Circuit\u2019s Decision in Spec\u2019s Suggest a Breach for Cyber Coverage Into Other Insurance?"},"content":{"rendered":"<div>By\u00a0<a href=\"https:\/\/www.whiteandwilliams.com\/lawyers-JoshuaMooney.html\" target=\"_blank\" rel=\"noopener noreferrer\">Joshua Mooney<\/a> and <a href=\"https:\/\/www.whiteandwilliams.com\/lawyers-AndrewLipton.html\" target=\"_blank\" rel=\"noopener noreferrer\">Andrew Lipton<\/a>, <a href=\"https:\/\/www.whiteandwilliams.com\" target=\"_blank\" rel=\"noopener noreferrer\">White and Williams LLP<\/a><\/div>\n<p>&nbsp;<\/p>\n<p>Despite the existence of cybersecurity insurance, companies still seek coverage for cyber liability under various types of other insurance. Carriers, in turn, rely upon broad exclusions to limit coverage for risks never intended to be insured. One such broad exclusion is for contractual liability. However, the decision rendered by the United States Court of Appeals for the Fifth Circuit in <em>Spec\u2019s Family Partners, Ltd. v. The Hanover Insurance Co.,<\/em> 2018 U.S. App. LEXIS 17245 (5<sup>th<\/sup> Cir. June 25, 2018), casts some doubt over the applicability of this exclusion. Although litigated in the context of directors and officers liability (D&amp;O) insurance and an underlying data breach claim, the potential effect of the decision reaches far beyond D&amp;O insurance. It questions whether coverage may be found in different types of policies where an insured is accused of breaching data security standards \u2013 a common theme in cyber liability litigation.<\/p>\n<p>&nbsp;<\/p>\n<p>In <em>Spec\u2019s,<\/em> the insured, Spec\u2019s, sustained a data breach compromising credit card payment information. Ultimately, the insured\u2019s credit card processor, First Data Merchant Services, was required to reimburse the issuing banks for loss associated with fraudulent transactions from the breach. First Data, in turn, issued multiple demands to the insured seeking indemnification for the reimbursement of the loss, as well as for fines and fees, in excess of $7.6 million pursuant to an indemnity provision in the merchant agreement between Spec\u2019s and First Data. In its demand letters, First Data contended that there was \u201cconclusive evidence of a breach of the cardholder environment at Spec\u2019s,\u201d and that \u201cSpec\u2019s was non-compliant\u201d with the Payment Card Industry Data Security Standards (PCI DSS) it was required to follow. First Data also demanded documentation of the insured\u2019s security compliance, including a completed MasterCard attestation of compliance from a third-party qualified security assessor. The accusation regarding data security compliance and the demand for an assessment turned out to be critical.<\/p>\n<p>&nbsp;<\/p>\n<p>The insurer had issued to Spec\u2019s a Private Company Management Liability Insurance Policy, which provided coverage for \u201cDirectors, Officers, and Corporate Entity Liability Coverage.\u201d The insuring agreement covered \u201cLoss\u201d for which the insured was legally obligated to pay because of \u201cClaims\u201d made against it for \u201cWrongful Acts.\u201d The policy defined \u201cClaim\u201d as \u201c[a]ny written demand presented for monetary \u2018Damages\u2019 or non-monetary relief for a \u2018Wrongful Act.\u2019\u201d The policy also had a contractual liability exclusion that prohibited coverage for:<\/p>\n<p>&nbsp;<\/p>\n<p style=\"padding-left: 30px;\">\u201cLoss\u201d on account of any \u201cClaim\u201d made against any \u201cInsured\u201d directly or indirectly based upon, arising out of, or attributable to any actual or alleged liability under a written or oral contract or agreement. However, this exclusion does not apply to your liability that would have attached in the absence of such contract or agreement.<\/p>\n<p>&nbsp;<\/p>\n<p>The insurer contended that the exclusion prohibited coverage. In subsequent coverage litigation, the trial court agreed; however, the Fifth Circuit reversed.<\/p>\n<p>&nbsp;<\/p>\n<p>According to the Fifth Circuit, because Spec\u2019s obligation to comply with PCI data security standards was independent of the merchant agreement between Spec\u2019s and First Data, the carve-out exception in the contractual liability exclusion precluded application of the exclusion. The court further concluded the demand that the insured undertake a security assessment also constituted a Claim (a demand for non-monetary relief) independent of the merchant agreement fall outside the scope of the exclusion. The court explained:<\/p>\n<p>&nbsp;<\/p>\n<p style=\"padding-left: 30px;\">The demand letters themselves include references to Spec\u2019s \u201cnon-complian[ce]\u201d with third-party security standards and not insignificant demands for non-monetary relief, wholly separate from the Merchant Agreement. As explained by Spec\u2019s, the non-monetary relief requested in the form of the completion and submission of forms and an Attestation of Compliance from a Qualified Security Assessor \u201ctook several months to complete, demanded countless hours of employee time, and required Spec\u2019s to hire an outside firm to assist with the effort.\u201d The demand letters included Spec\u2019s \u201cobligation\u201d for the assessments, and Spec\u2019s requirement to \u201cpromptly pay\u201d sums to First Data upon request.<\/p>\n<p>&nbsp;<\/p>\n<p>According to the court, the underlying allegations, when construed liberally, implicated \u201ctheories of negligence and general contract law that imply Spec\u2019s liability for the assessments separate and apart from any obligations \u2018based upon, arising out of, or attributable to any actual or alleged liability under\u2019 the Merchant Agreement.\u201d Thus, the exclusion did not apply. In so holding, the court gave no apparent consideration to the broad language of the exclusion, other than to restate the \u201cdirectly or indirectly\u201d and \u201carising out of\u201d language without explaining why it was not satisfied. The court never explained how Spec\u2019s liability to First Data could attach absent the merchant agreement.<\/p>\n<p>&nbsp;<\/p>\n<p>Notably, the Fifth Circuit\u2019s decision was made in the context of a motion for judgment on the pleadings over the duty to defend \u2013 a difficult standard to satisfy. This early stage of coverage litigation may explain the court\u2019s reasoning. Nevertheless, the significance of this decision should not be underestimated.<\/p>\n<p>&nbsp;<\/p>\n<p>Allegations of non-compliance with data security standards, as well as demands for security assessments, typically accompany indemnity claims made by a business partner against another for loss resulting from a cybersecurity incident. Many business relationships now have contractual agreements that require business partners to meet certain data security standards. Laws and regulations, such as HIPAA, GLBA, and New York\u2019s cyber regulations Part 500, require companies to have reasonable information security programs developed and implemented (i.e., they have to satisfy reasonable data security standards).<\/p>\n<p>&nbsp;<\/p>\n<p>Indemnity demands between business partners following a cybersecurity incident extend beyond the context of retailers and credit card processors in <em>Spec\u2019s<\/em>. They can include many other business relationships where information is exchanged, including business associate agreements under HIPAA, nondisclosure agreements, and even client retention agreements with accounting firms and law firms. These business relationships are governed by contracts, and presumably, liability would stem from these contracts. However, in <em>Spec\u2019s<\/em>, the Fifth Circuit thought different, and its decision could have a broad effect on coverage determinations for other claims submitted under D&amp;O insurance, especially \u201cduty to defend\u201d policies. The effect of the decision could also spill into claims submitted under E&amp;O and legal malpractice policies. This decision and its effect will be a significant one to watch, for it breathes life into the assertion that a contractual liability exclusion does not wholly preclude coverage for loss arising out of a cyber incident between parties whose relationship is governed by a contract.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>By\u00a0Joshua Mooney and Andrew Lipton, White and Williams LLP &nbsp; Despite the existence of cybersecurity insurance, companies still seek coverage for cyber liability under various types of other insurance. Carriers, in turn, rely upon broad exclusions to limit coverage for risks never intended to be insured. One such broad exclusion is for contractual liability. However, <br \/><a class=\"read-more-button\" href=\"https:\/\/pbacyber.com\/index.php\/2018\/09\/04\/does-the-fifth-circuits-decision-in-specs-suggest-a-breach-for-cyber-coverage-into-other-insurance\/\">Read More &raquo;<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[9,6,10],"tags":[],"_links":{"self":[{"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/posts\/120"}],"collection":[{"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/comments?post=120"}],"version-history":[{"count":6,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/posts\/120\/revisions"}],"predecessor-version":[{"id":263,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/posts\/120\/revisions\/263"}],"wp:attachment":[{"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/media?parent=120"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/categories?post=120"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/tags?post=120"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}