Like a brown-paper-bag-wrapped birthday present, the Fifth Circuit’s June 25th decision in Spec’s v. Hanover arrived in my in-box with a resounding ‘meh.’ You see, I get daily emails from Westlaw attaching opinions that may or may not implicate cyberinsurance coverage law. I use the broadest search terms imaginable to make sure I don’t miss anything by being under-inclusive. And when you ask for everything, you get, well, everything. Most days I can tell from the caption of the attachment whether it’s a case I should read. Most days, it isn’t.
But today the Fifth Circuit redefined the fairly typical contractual liability exclusion in the cyberinsurance context. The fact pattern is common. Retailer hires credit card processor. The processor says, ‘ok, we’ll take your business, but you’ll sign a contract that makes you responsible if anything goes wrong.’ The retailer has no choice because you need a processor and they all use the same liability shifting language in their contracts. Then the data breach…
Following the breach, the Payment Card Industry (PCI) comes down on the processor with considerable fines and enhanced security requirements. The processor passes both along to the retailer. The retailer is in the hole, big time.
But we have insurance for this, right?
Most policies still contain language like this: “This insurance does not apply to…’Loss’ on account of any ‘Claim’ made against any ‘Insured’ directly or indirectly based upon, arising out of, or attributable to any actual or alleged liability under a written or oral contract or agreement. However, this exclusion does not apply to your liability that would have attached in the absence of such contract of agreement.”
The District Court construed the processor’s demands against Spec’s as based entirely on Spec’s contractual indemnification requirement contained in its payment card processing agreement. And that is in fact one way to skin a cat. No coverage.
The Fifth Circuit reversed. It reasoned that the second sentence of the exclusion opened the door for the Court to consider other theories of liability for the same asserted damages. While contractual indemnification was one means by which the processor could attempt to collect damages caused by PCI fines and enhanced security requirements, the Fifth Circuit was not convinced that it is the only way. The Court noted that the processor’s demand letters also noted alleged failures by Spec’s to meet mandated PCI security protocols, a failure that, in this day and age, could also be deemed ordinary “negligence.”
That’s the real rub. We all agree that data security must be prioritized, and that lapses must have consequences. We are still grappling, however, with the logistics. Courts have reached widely varying conclusions when evaluating contractual and tort theories of liability, and governmental oversight via statutory and regulatory standards is in its infancy. So, when considering whether any other theory of liability other than breach of contract might attach to data breach related claims against an insured, it would seem to be exceedingly difficult to say no. And the Fifth Circuit just made it a lot more difficult.
Though Spec’s is a duty to defend case, which some may argue narrows its application, the contractual liability exclusion found in most cyberinsurance policies was just considerably weakened. Expect to see revised language in response at renewal time.