For relatively little expense, insureds can often add cyber endorsements to traditional CGL, professional liability or other insurance policies. On October 25, 2016, the Northern District of Alabama issued a decision in Camp’s Grocery, Inc. v. State Farm, one of the few decisions interpreting cyber coverage to date, that demonstrates why insureds should be wary of opting for cyber endorsements instead of stand-alone policies. Docket No. 4:16-cv-0204, 2016 WL 6217161.
Camp’s had a series of no good, very bad days. First, hackers accessed its network and compromised customers’ credit card, debit card and check card information. Yipes. Then, three credit unions sued Camp’s to recover card reissuance, fraud reimbursement and fraud prevention expenses. Double yipes. Finally, Camp’s tendered the claim to State Farm, which informed Camp’s that the Computer Programs and Electronic Data Extension of Coverage and related endorsements to its property and casualty policy only covered Camp’s first party data breach losses. The endorsements did not cover, in State Farm’s view, third party liability claims like the credit unions’.
The court agreed. It held that State Farm and no duty to defend or indemnify Camp’s with respect to the credit union lawsuit. It explained that “[i]nsurance contracts generally are assigned to one of two classes: either ‘first party coverage’ or ‘third party coverage’…’First party coverage’ pertains to loss or damage sustained by an insured to its property…In contrast, if the insurer’s duty to defend and pay runs to a third party claimant who is paid according to a judgment or settlement against the insured, then the insurance is classified as ‘third party insurance.’ Thus, wholly different interests are protected by ‘first-party coverage’ and ‘third-party coverage’.” In holding that Camp’s endorsements offered only first party coverage, the essentially held that Camp’s had no coverage since it was only attempting to deal with the credit unions’ third party claims.
First party coverage is important in cyber-land. It can cover forensic investigations to determine the source of a breach and stop it, repair of damaged or lost electronic data, breach notice reporting costs and other significant expenses. But third party coverage is also critical. It covers lawsuits like the credit unions’ against Camp’s, and even regulatory investigations and fines (the latter is admittedly kind of a blend of first and third party coverage, but it’s also not likely to be in inexpensive endorsements to traditional insurance policies). The importance of both sets of coverage is why many cyberinsurance policies are a hybrid of both first and third party insurance.
Without stating a position on the Camp’s result, I can say that I’ve seen many endorsements, particularly to professional liability policies, that provide only third party coverage. In Camp’s, the court deemed the endorsement to provide only first party coverage. If you’re trying to save a few bucks by adding cyber coverage to other insurance, do so with caution. Both first and third party coverage is critical, and, like so many things, you very well may get only what you pay for…