Cyber Insurers On the Prowl for Liable Third Parties

While there have been a number of high-profile data breaches in recent years, there have been few coverage lawsuits arising out of these breaches, presumably because cyber insurers have been paying claims. A recent action, however, suggests how cyber insurers may be trying to fund this coverage position: by suing allegedly responsible third parties. In what appears to be a novel approach for insurers covering data breach claims, Travelers Casualty and Surety Co. of America has sued its insured’s website designer in the wake of a cyber attack. Travelers’ complaint alleges that its insured, Alpine Bank, hired Ignition Studio, Inc. to design and service the bank’s website. Travelers alleges that Ignition negligently designed and maintained the website, allowing hackers to access the site through the server on which it was hosted. Alpine spent over $150,000 complying with its data breach notification obligations, for which it was reimbursed by Travelers. Travelers, as Alpine Bank’s assignee and subrogee, now seeks to recover that amount from Ignition.

Travelers alleges that Ignition made several errors in maintaining and servicing Alpine Bank’s website, including: not placing basic anti-malware software on the server; not installing critical software patches; and maintaining inadequate encryption of bank customer data, among others. As a result of this “substandard work,” Ignition has been accused of allowing hackers to obtain illegal access to Alpine Bank’s website.

From a policyholder’s perspective, this case provides more evidence that issuers of cyber and technology E&O policies are, at the moment, paying their insureds’ claims. While Travelers’ complaint does not specify the type of policy under which Alpine Bank sought and received coverage, the fact that the claim was for data breach notification costs strongly suggests that the Travelers policy was a cyber policy, which typically covers such expenses. In the current climate, in which cyber coverage is still relatively new and insurers are developing a market for such coverage, cyber insurers appear to be willing to pay claims rather than contest coverage. The dearth of litigation between insurers and policyholders involving cyber coverage further supports this point.

While this case should give policyholders some security that insurers are paying claims on cyber policies, this case should give third party website designers reason for concern as insurers may sue them instead of bearing the cost of data breach claims. From a policy perspective, however, this might be in everyone’s best interest—other than website designers—because it might incentivize the institution of websites that provide more robust protection of data and are more resilient to data breaches.

It remains to be seen whether insurers will continue to pay out cyber coverage claims, or whether they will start to challenge coverage as more and more cyber claims are presented. In any event, insurers seem to be hunting for third parties to help them defray the cost of paying claims in the new arena of cyber coverage.