The cyber market has evolved incredibly in a few short years. It’s been barely more than twenty years since the internet became a ubiquitous presence in the lives of most Americans. As cyberspace has grown, the risks attendant on cyberspace has grown as well. To meet the challenges of combining scope and risk, legislators and courts have had to move quickly to regulate this area and protect individuals from loss. At the same time, insurance companies have had to tailor policies to protect companies from the risks of doing business online.
The rapid growth and changes in this field mean that there is a certain amount of uncertainty in the legal arena when it comes to claim coverage. The uncertainty gives lawyers the freedom to test novel approaches to recovery and insurance coverage for the loss. Commentators have discussed for some time the responsibility of management to protect their firm and their customers from cyber breaches by ensuring their company has taken the necessary steps to keep their systems secure. In the wake of high profile failures at major companies to do so, both shareholders and customers have begun bringing lawsuits against the directors and officers of these companies for their inability to manage cyber risks responsibility.
As a result of these suits, litigation has also started to raise the question of the extent to which directors and officers liability insurance provides coverage in the wake of massive cyber breaches. A United States District Court in Texas recently had to answer that question. The case, Spec’s Family Partners, Ltd. V. The Hanover Ins. Co. involved a retail chain that suffered a breach of its credit card payment systems. The breach gave rise to a dispute between the retail chain and its credit card payment processor. Hanover had issued a directors and officers policy to the retail chain that included corporate liability coverage. A secondary dispute arose between Hanover and the retail chain as to whether the corporate liability covered the dispute with the credit card processor.
While the district court dismissed the case, effectively finding that Hanover had no obligation to defend the retail chain in its dispute with the credit card processor, the Fifth Circuit Court of Appeals disagreed. The District Court had relied on an interpretation of the dispute that focused exclusively on the Merchant Agreement between the retail store and the credit card processor. This placed the dispute within the contractual liability exclusion to the insurance policy. The Circuit Court, however, found that the case implicated general theories of negligence for the failure to secure the systems properly and thus included at least some claims for which Hanover had a duty to defend.
The case does raise the possibility that certain directors and officers liability policies may provide coverage for some of the losses suffered as a result of cyber breaches. The extent to which the case may apply to other businesses will depend heavily on both the nature of the losses suffered and the language and coverages of the policy purchased.