By Todd M. Rowe, Esq. of Tressler LLP
While there is little authority concerning a brokersaEUR(TM) potential liability when a policyholder claims it received inadequate insurance coverage under a cyber policy, one case currently pending in federal court in Louisiana could provide some insight. The Hotel Monteleone originally filed a declaratory action on December 10, 2015 in the District Court of Orleans Parish, Louisiana, alleging it was entitled to coverage under an Ascent CyberPro Policy for damages related to a breach at the Hotel in 2014. (The case was removed to federal court in January 5, 2016 and is currently not progressed beyond initial pleadings). The Hotel claims the broker, Eustis, aEURoefailed in its obligation to obtain the insurance coverage that the Hotel Monteleone requested specifically.aEUR?
The
Petition for Damages filed in state court provides the following information concerning the cyber policy:
- Ascent sold the Ascent CyberPro insurance policy which provided $3 million in limits to the Hotel.
- The CyberPro policy contained a aEURoePayment Card Industry Fines or PenaltiesaEUR? endorsement that limited certain coverage to $200,000 for aEURoea monetary fine or penaltyaEUR? from credit card company related to a breach.
The Petition provides the following information concerning the cyber attacks on the Hotel and its attempt to obtain coverage for such attacks:
- Prior to purchasing the CyberPro policy, the Hotel suffered a cyber attack in 2013 involving the theft of credit card information. The Hotel had losses related to this 2013 attack exceeding $200,000. The Hotel did not have cyber coverage at the time of this 2013 attack.
- After the 2013 attack, the Hotel sought insurance coverage specifically for aEURoeoperational fraud and operational reimbursement amounts for fraudulent charges and the costs of replacing payment cards as a result of a cyberattack.aEUR?
- The Hotel alleges that it purchased the CyberPro policy for this coverage. Specifically, the Hotel alleges aEURoeit would not have paid $20,277.40 for only $200,000 in coverage for operational fraud and operational reimbursement amounts for fraudulent charges and the costs of replacing payment cardaEUR|aEUR? that was provided through the endorsement.
- On October 17, 2014, the Hotel discovered it had suffered an attack that involved the breach of payment card numbers.
- After the attack, the Hotel claims a number of payment card companies demanded reimbursement for amounts they paid related to the HotelaEUR(TM)s breach to replace compromised cards.
The Petition alleges that the Hotel sought coverage for the amounts claimed by the payment card company but quickly learned Ascent planned to limit coverage under the CyberPro policy to the $200,000 limit in the endorsement. In its Petition, the Hotel claims it is entitled to the entire $3 million in limits under the policy rather than $200,000 under the endorsement to the policy. The HotelaEUR(TM)s breach of contract claim seeks to enforce the insuring agreement of the CyberPro policy absent the aEURoePayment Card Industry Fines or PenaltiesaEUR? endorsement. In the alternative, the Hotel claimed the CyberPro policy is ambiguous and requests the District Court find all the HotelaEUR(TM)s damages from the 2014 breach are covered under the CyberPro policy.
In addition to claims against the insurer, the Petition also contains allegations against the broker for negligent failure to procure insurance coverage. The Hotel supports these claims with allegations that the broker aEURoeadvised [the Hotel] about the terms and extent of coverage afforded by the 2014 CyberPro Insurance Policy and procured a cyberinsurance policy that met [the HotelaEUR(TM)s] coverage needs.aEUR? In particular, the Hotel claims the broker stated the insurance policy it procured for the Hotel would have provided coverage for the damages sustained by the Hotel in its earlier cyber attack. The Hotel claims this statement was incorrect when the policy only provided $200,000 in coverage.
Even though this matter is still pending it still demonstrates that policyholders are looking to their brokers to guide them through the cyber marketplace. Specifically, in this matter, the Hotel claims its broker aEURoewas responsible for submitting and communicating the [HotelaEUR(TM)s] insurance needs to the insurance marketplaceaEUR|aEUR? As seen with the HotelaEUR(TM)s claims, there is still a certain level of
confusion in the cyber insurance marketplace as these products develop and the threats constantly evolve. Regardless of the outcome of this litigation, this case demonstrates that brokers are on the frontlines of cyber coverage and must understand their clientsaEUR(TM) businesses and the unique threats to their clientsaEUR(TM) businesses.
For additional information, please contact Todd at
trowe@tresslerllp.com or (312)627-4180