Summary of the lawsuit between Spec’s and Hanover
Spec’s Family Partners sued its cyber insurance carrier, Hanover Insurance Co., for payment of defense costs associated with litigation arising out of Spec’s payment card data breach that took place from October 2012 to February 2014. Because this was a payment card breach, Visa and MasterCard (the Card Brands) issued liability assessments of approximately $10 million to reimburse their issuing banks for payment card monitoring, replacement costs and fraudulent transactions on the payment cards. The assessment was issued against Spec’s payment card processor, FirstData, which then withheld approximately $4.2 million from Spec’s daily payment card settlements pursuant to FirstData’s contract with Spec’s.
Spec’s asserted that FirstData’s withholding the $4.2 million was improper and filed a lawsuit against FirstData seeking to have the money returned. Spec’s provided notice to Hanover and sought to have Hanover pay its legal fees for the cost of litigation. Hanover refused and that led to Spec’s filing the present lawsuit against Hanover in February 2017.
Hanover filed its Answer and quickly filed a Motion for Judgment on the Pleadings which was granted by the court and, in less than a month, the case was dismissed on March 15, 2017.
The Motion for Judgment on the Pleadings was filed under seal, as was the court’s memorandum opinion, so to some extent all we can do is speculate about the court’s reasoning. However, on a motion such as this, the court looks at the plaintiff’s complaint and the defendant’s answer and makes a ruling based on those documents. In this case, that means Hanover’s Answer provides the best clues and lessons going forward.
Spec’s asserted multiple legal claims against Hanover; however, they primarily emanated from what it contended was Hanover’s breach of the insurance policy because Hanover refused to pay Spec’s defense expenses.
Four key defenses to Spec’s claims
Because Hanover prevailed in the case, the real lessons to be learned come from Hanover’s Answer, in which it asserted multiple legal defenses against Spec’s. We do not know whether the court found all of these to be persuasive or, if not, which of them it relied on in dismissing Spec’s case. However, there were four key defenses that are not as well-known as others and that businesses should understand; if they find themselves in a similar position to Spec’s, they can anticipate these defenses to claims on their cyber insurance as well.
Spec’s was aware that the data breach occurred before the Policy became effective.
Hanover asserted that the Known Loss Doctrine barred Spec’s claim for the data breach. The Hanover policy became effective on October 28, 2013. According to Hanover, (1) on February 22, 2013, Spec’s was notified by FirstData that MasterCard had identified fraudulent activity on numerous credit cards between December 2011 and January 2013; (2) in February 2013, the United States Secret Service notified Spec’s of fraudulent payment card activity; and (3) on October 17, 2013, Fishnet Security provided Spec’s with a PFI Final Incident Report showing conclusive evidence of the data breach. Each of these events showed that Spec’s was aware of the data breach prior to the inception of the insurance policy and, therefore, that the data breach did not come from a “loss” or “wrongful act” that occurred during the time the policy provided coverage.
The obligation Spec’s was seeking coverage for was a contractual obligation not a covered “loss.”
Spec’s made a claim on its Hanover insurance policy for the $4.2 million that FirstData withheld from Spec’s because of the assessment levied against it by Visa and MasterCard, pursuant to the indemnification provision of the contract between Spec’s and FirstData, a contractual obligation. The insurance policy contained an exclusion for claims “directly or indirectly based upon, arising out of, or attributable to any actual or alleged liability under a written or oral contract or agreement.” Because the claim for the $4.2 million was based on a contractual liability from Spec’s to FirstData, it was excluded from being a covered loss.
Spec’s lawsuit against FirstData was offensive, not defensive.
The Hanover policy stated “[w]e have no duty to defend Claims or pay related Defense Expenses for Claims to which this insurance does not apply.... Defense Expenses means and is limited to [a]ny reasonable and necessary legal fees and expenses... incurred in defending and appeal of a Claim.” Further, a Claim is defined in the policy as being one in which a demand is being made upon the insured, not the insured making a demand upon another. In the FirstData lawsuit, Spec’s asserted claims against FirstData but FirstData did not assert any claims against Spec’s. Because Spec’s lawsuit was offensive in nature, not defensive, it did not include any “Claim” under the policy.
Spec’s offer of free credit monitoring prior to notifying Hanover of the Claim was an excluded voluntary payment.
The Hanover policy contained a Voluntary Payments Clause that excluded coverage where an insured voluntarily makes a payment, assumes an obligation, agrees to a settlement, or incurs an expense related to a claim without Hanover’s consent. In March 2014, Spec’s issued a press release about the data breach in which it offered one year of free fraud resolution services. This occurred prior to Spec’s putting Hanover on notice of the Claim and, therefore, was excluded as a voluntary payment.
4 key takeaways about cyber insurance and data breaches
Cyber insurance is becoming more and more critical for companies. The cost of remediating and responding to data breaches continues to increase. Without quality cyber insurance coverage, the cost of doing so properly is becoming more prohibitive for all but the largest and most well-funded companies. Companies must make sure to obtain cyber insurance coverage that is effective for their unique risks, from reputable companies, and then ensure that they do not do anything that will vitiate that coverage. Cyber insurance is a contract, nothing more, nothing less. Companies must ensure that they uphold their end of the bargain if they expect the insurance companies to uphold theirs.
Here are four key takeaways about cyber insurance data breach coverage from the Spec’s v. Hanover case:
- Ensure your company has cyber insurance coverage in place for incidents that occur during the policy period, as well as for incidents that occurred prior to the policy period but are not yet known. It takes well over 200 days, on average, before a company learns that it has had a data breach and you want to make sure these events will be covered once they are discovered.
- Ensure that any cybersecurity vulnerabilities that have been identified prior to obtaining cyber insurance coverage have been remediated -- especially when they are documented. If they cannot be remediated, you must disclose them to the insurance company prior to obtaining coverage.
- Companies that have contractual liability for cyber risk, whether through indemnification agreements, business associate agreements, other privacy or cybersecurity-related agreements, or otherwise, must be cognizant of these obligations and seek insurance that will cover them for this type of contractual liability.
- Provide notice to your insurance carrier immediately upon learning of a potential event that could trigger coverage under your cyber insurance policy. Not only will insurance coverage likely not cover promises your company makes without obtaining the insurer’s consent but, more importantly, timely notice of a claim is virtually always a prerequisite to providing coverage.