Cyber liability insurance is a relatively new product and many of the terms and conditions found in cyber-liability policies are as yet untested in the courts. In this guest post, Stephen O’Donnell of the Steptoe & Johnson law firm takes a look at two particular standard features of the cyber liability insurance policies, the retroactive date and policy inception date exclusions, and the potential for these exclusions to preclude coverage for the very kind of exposures that are the reasons most purchasers buy the insurance.
I would like to thank Stephen for his willingness to publish his article on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Stephen’s guest post.
The threat of cyber breach is one of the most significant risk management challenges facing corporations, officers and directors today. Realizing this risk does not fit easily within protections afforded by traditional insurance, the insurance industry has created and brought to market a variety of cyber-risk policies providing both first-party loss and third-party liability coverage. The insurance-buying community has responded enthusiastically, as noted in online reports of year-on-year growth of cyber-risk insurance premiums.
But how much third-party liability protection are insureds really getting from these new cyber-risk insurance products? The answer at this stage is unclear, as these manuscript products are largely untested in the courts. One common feature of several of the competing products may, however, emerge as an unexpected limitation on coverage for policyholders: the exclusion of “wrongful acts” commencing before the policy inception date or retroactive date specified in the policy declarations. The goal of this article is to call attention to this common feature in the hope that insurance buyers, brokers and cyber insurers will recognize and address its potential impact during the insurance placement process, thereby avoiding costly coverage litigation down the road.
Setting the stage for the coverage discussion, this article will first discuss the current state of cyber-breach litigation in order to identify key characteristics of claims against entities whose information systems have been hacked, as well as against their officers and directors. The article will then analyze the retroactive date and policy inception date exclusions, and their potential for knocking virtually all of the typical lawsuits that follow a cyber-breach out of coverage. Given this risk, insureds considering the purchase of cyber-liability insurance should carefully consider whether the product being offered provides acceptably broad coverage and, if not, whether modifications to these exclusions can be negotiated.
TYPICAL CLAIMS FOLLOWING A CYBER-BREACH
Following a hack of a company’s information system, litigation may come from seven primary sources: (1) customers of the company whose personally identifiable information (“PII”), personal financial information (“PFI”), or other private personal information (“PPI”) has been stolen by the hackers; (2) employees of the company whose PII, PFI or PPI has been stolen; (3) federal or state regulators bringing enforcement actions against the hacked company or its officers or directors for inadequate cyber-security measures, inadequate mitigation of harm, ineffective or untimely notification of persons affected by the breach, or false and misleading representations related to the foregoing; (4) financial institutions that issue credit and debit cards (together, “payment cards”) to the persons whose PFI has been stolen; (5) financial institutions that have contracts with the hacked company or other merchants to process payment card transactions, and thereby unwittingly clear fraudulent transactions effected with stolen PFI; (6) shareholders bringing derivative claims against the hacked company’s directors and officers for failing to implement adequate cyber-security measures, mitigate harm, or timely and effectively notify those affected by the hack; and (7) investors who purchased the hacked company’s stock at a time when the company’s inadequate cyber-security protections were misrepresented or not disclosed.
The first six categories of claimants have been established as real threats, as they have filed lawsuits against hacked companies, officers and directors in the wake of cyber-breaches. The threat of category (7), on the other hand, is more theoretical than real at this point because, to date, corporate stock prices generally have not reacted negatively to public disclosure of a hack. As a result, we have not yet seen any significant cyber-breach “stock drop” cases. This article will, accordingly, focus on threats (1) through (6).
Customers of the hacked company are the most likely claimants following a cyber-breach. A plaintiff whose PII, PFI, or PPI was stolen by hackers typically brings suit against the hacked company on his or her own behalf and on behalf of a class of similarly situated people, hoping the presiding court will certify the proposed class and allow the case to proceed as a class action. Causes of action in customer cases run a wide gamut of legal theories, from traditional tort claims (negligence and fraud) to allegations of state and federal statutory violations (for example, the federal Fair Credit Reporting Act (“FCRA”), state consumer fraud statutes, state unfair competition statutes, and state cyber-breach notification statutes). The relief sought in such cases similarly spans a wide range of remedies: from common law compensatory and punitive damages to statutory damages and attorney’s fee awards to restitution and injunctive relief.
The conduct challenged in customer cases inevitably focuses on inaction by the hacked entity. A litany of alleged failures to protect the PII, PFI, or PPI of the putative plaintiff class typically is at the forefront of the allegations in these cases. The alleged failures often include failure to adhere to an industry standard of cyber-security, such as those set forth in the ISO/IEC 27000 Series, failure to implement firewalls, encryption and other security features to protect customer data, failure to monitor the computer system and discover the hack in a timely manner, and failure to promptly notify persons whose PII, PFI, or PPI was stolen.
Employees of the hacked entity have also been known to sue the entity following a breach. Perhaps the highest profile cyber-breach resulting in theft of employee personal information was the hack into the federal government’s Office of Personnel Management (“OPM”) database that exposed the information of some 18 million applicants for federal jobs and contracts. This hack led to a putative class action complaint being filed against OPM and others in the United States District Court for the District of Columbia in late June 2015. As in the customer cases discussed above, the gravamen of the employee complaint against OPM is inaction. The named plaintiffs allege that OPM failed to implement and maintain adequate cyber-security measures to protect the class members’ PII and PPI.
The Federal Trade Commission (“FTC”) has been the most active federal regulator policing corporate cyber-security practices. Pursuant to its mandate to prohibit “unfair or deceptive acts or practices in or affecting commerce,” the FTC has taken action against companies whose information systems were breached where it considered the companies’ privacy and data protection assurances misleading. One of the most recent examples of such FTC action is the 2013 enforcement case it brought against hotelier Wyndham Worldwide Corporation following a 2008-09 hack into Wyndham’s computer system. In the Wyndham action, the FTC alleged numerous cyber-security failures by the hotelier, including failure to use readily available security measures such as firewalls, failure to adequately restrict access of third-party vendors to Wyndham’s computer network, failure to adopt reasonable measures to detect and prevent unauthorized access to the network, and failure to follow proper incident response procedures.
In the last several years, the Securities and Exchange Commission (“SEC”) has emerged as another regulator to be reckoned with in the cyber-security arena, vowing to be vigilant in policing cyber-risk disclosures by publicly-traded companies and financial institutions under its jurisdiction. In September 2015, the SEC made good on this promise, announcing its first cyber-breach enforcement action settlement. The defendant in that action was R.T. Jones Capital Equities Management, Inc. (“Jones”), a retirement funds investment manager. Following a hack into Jones’ computer system, the SEC brought the aforementioned enforcement action against Jones for non-compliance with a regulatory rule requiring investment managers to adopt cyber-security policies and procedures. Once again, the alleged failing was inaction—Jones’ failure to adopt the mandated policies and procedures.
Payment-Card Financial Institution (Issuing Bank and Acquiring Bank) Cases
Visa, MasterCard, American Express and other payment card companies have formed extensive payment processing networks of banks, credit unions, and other financial institutions. Financial institutions wanting to join one of these networks must enter into a membership agreement with the payment card company. Pursuant to the membership agreement, the financial institution agrees to abide by operating guidelines prescribed by the payment card company. In the Visa and MasterCard networks, these guidelines are entitled “Operating Regulations.”
Some member financial institutions in the networks issue payment cards to consumers. These members are called “Issuing Banks” in the payment card industry. Other member financial institutions enter into separate contracts with merchants, agreeing to process the merchants’ transactions with consumers. These members are called “Acquiring Banks” or “Merchant Banks” in the payment card industry.
Among other obligations, the Operating Guidelines require Acquiring Banks to adhere to the cyber-security rules set forth in the “Payment Card Industry Data Security Standard” (“PCI DSS”) and to include a clause in their contracts with merchants requiring the merchants themselves to adhere to PCI DSS. Version 3.0 of PCI DSS requires any merchant accepting payment cards to: (1) install and maintain a firewall in its information system; (2) protect the system from malware by installing an up-to-date antivirus software; (3) store data at the point of sale only long enough to authorize the transaction; (4) encrypt cardholder data that is transmitted to and stored on the merchant’s information system; (5) limit employee and other access to cardholder data on a need-to-know basis; (6) monitor access to cardholder data by, among other things, assigning a unique user identification number to each person with access to the system; and (7) regularly test its data security system and processes to prevent or promptly detect unauthorized access.
When a merchant’s information system is hacked and customer PFI stolen, an Issuing Bank may sustain two principal types of loss: (1) the expense of cancelling and replacing payment cards for customers whose PFI was stolen or compromised, and (2) loss associated with fraudulent transactions presented by the merchant and its Acquiring Bank to the Issuing Bank, accepted and paid by the Issuing Bank, but then rejected by the customer upon receipt of his or her monthly statement. Following such rejection by the payment card customer, the Issuing Bank may attempt to charge back the transaction to the Acquiring Bank for good cause, such as non-compliance by the merchant with PCI DSS. The Acquiring Bank then has the option of either accepting the chargeback or presenting the charge a second time to the Issuing Bank, with an explanation of the justification for the re-presentment. If, following re-presentment, the Issuing Bank still wishes to challenge the charge, it must arbitrate with the Acquiring Bank pursuant to arbitration guidelines in the Operating Regulations.
In addition to the risk of loss associated with having to reimburse the Issuing Bank, the Acquiring Bank may also face the risk of fines and penalties assessed by Visa, MasterCard, American Express or other credit card companies based on a merchant’s or the Acquiring Bank’s non-compliance with PCI DSS requirements. These fines and penalties can be hefty.
Whether losses from fraudulent transactions fall on the Issuing Bank, Acquiring Bank, or both, the Banks may seek reimbursement from the hacked merchant where the merchant failed to comply with PCI DSS, as required by its contract with the Acquiring Bank. Several Issuing Banks sought to do just that following a cyber-breach at the discount retailer, BJ’s Wholesale Club, Inc. (“BJ’s Wholesale”), in mid-2003 to early 2004, as well as in the wake of the cyber breach at the St. Louis-area grocery chain, Schnuck Markets, Inc. (“Schnuck’s”), in late 2012 to early 2013. In the BJ’s Wholesale case, the Issuing Banks filed lawsuits against both the Acquiring Bank and the retailer to recoup their losses. In the Schnuck’s case, two issuing banks and two credit unions filed suit against the grocer, alone, seeking to recoup losses, disgorge profit made by Schnuck’s, and seeking other relief, including punitive damages. The gravamen of the claims made against the Acquiring Bank and BJ’s in the first incident, and Schnuck’s in the second incident, were the same: failure to implement and comply with the data security protections required by Visa and MasterCard.
Shareholder Derivative Cases
In the wake of several highly publicized hacks, shareholders of the hacked companies have filed derivative actions against the companies’ directors and officers. The causes of action set forth in the derivative complaints typically are breach of fiduciary duty (owed by the directors and officers to the hacked corporation) based on inaction: namely, failure to ensure the corporation implemented reasonable cyber-security measures, failure to adequately monitor the corporation’s computer system to detect the hack, and/or failure to ensure the corporation provided required notice to those affected by the breach. While the few shareholder derivative actions filed to date have been stymied by the “business judgment” rule hurdle, they are undoubtedly expensive cases to defend.
THE POTENTIAL COVERAGE GAP ARISING FROM THE RETROACTIVE DATE / POLICY INCEPTION DATE-RELATED EXCLUSIONS
As the foregoing discussion demonstrates, cyber-breach litigation against a hacked company, no matter what its form, inevitably includes allegations of failure to implement adequate cyber-security measures and/or to monitor the corporate computer system to promptly detect a cyber breach. These recurring allegations have the potential to negate any insurance protection for the hacked company under a number of the cyber-liability products being marketed today due to the products’ frequent inclusion of retroactive date and policy inception date-related exclusions.
Several of the leading cyber-liability insurance forms adopt a professional indemnity policy format, with the insuring agreement extending coverage to claims made against the insured alleging “wrongful acts” (as defined), and with the insurer disavowing any duty to defend but, rather, merely undertaking to reimburse the insured’s costs of defense of covered claims. The definitions of “wrongful acts” in these forms, not surprisingly, include various “actual or alleged” “failures” to protect confidential data from theft or loss. So far, so good: the insuring agreement and key defined terms appear to extend coverage to the aforementioned panoply of potential third-party liability claims that may be made against a hacked company or its directors and officers in the aftermath of a cyber breach. A grave problem arises in the policy exclusions, however, which: (1) often include an exclusion of claims based on wrongful acts occurring, in whole or in part, before a specified retroactive date; and (2) may include a further exclusion of claims arising from facts or circumstances that the insured could reasonably have foreseen at policy inception might lead to a claim.
These retroactive date and policy inception date-related exclusions potentially afford cyber-liability insurers a ready basis upon which to deny coverage of the typical customer, employee, payment-card financial institution, regulatory, and shareholder derivative claims against insureds following a hack. As discussed above, the allegations of wrongdoing in such cases inevitably include a contention that the hacked company failed to implement computer system protections. Such allegations of inaction, by their nature, will often not be assignable to a specific point in time, but instead will span a period of time potentially dating back to when the policyholder first implemented the allegedly deficient computer system or configuration. The impact of the retroactive date and policy inception date-related exclusions should be considered in the context of these recurring allegations of failure to act.
Insurance companies often set the retroactive date of an insured’s policy as the first date the insured purchased coverage from the insurer, and keep the retroactive date constant in ensuing years, provided the insured maintains the insurance continuously with the insurer. Through this convention, the insurer avoids underwriting conduct or events that occurred before it came on risk. In some instances, it may be possible for an insured to negotiate a retroactive date that pre-dates its first purchase of coverage from the insurer, often for an additional premium.
Where a policyholder’s retroactive date is the same as its first policy-inception date, the alleged wrongful act—i.e., the “failure to implement” security protections—arguably “first occurred” prior to the retroactive date whenever the insured’s computer system configuration pre-dated its first purchase of coverage from the cyber-liability insurer. In these circumstances, the insured that believed it was purchasing coverage against claims arising from a cyber breach of its existing computer system may find its coverage knocked out by the retroactive date exclusion. Alternatively, even where a policyholder purchases a retroactive date that pre-dates its first policy-inception date and the insured’s computer system configuration post-dates that retroactive date, the cyber-liability insurer may have grounds to argue that the claim is excluded because the policyholder “could have reasonably foreseen” at the time of policy inception that its failure to implement security protections could become the basis of a claim.
This potential trap for the unwary is particularly dangerous inasmuch as several of the leading forms: (1) define “wrongful act” as an actual or alleged failure to prevent a cyber-breach; and (2) contain either no provision for advancement of defense costs pending resolution of a claim that falls within the scope of an exclusion or, alternatively, condition any advancement on a strict undertaking by the insured to reimburse the advanced costs if it is later established that the claim is excluded. Thus, the insured may have no basis to recover the costs of even a successful defense in which it proves that the allegations of failure to implement reasonable cyber-security measures are not well-founded, if those allegations trigger the retroactive date or policy inception date-related exclusions based on the broad definition of “wrongful act.” In other words, even false allegations of cyber-security failures by the insured may render the policy valueless with respect to that claim. This structure is significantly less policyholder friendly than, say, some D&O policies, which limit the fraud exclusion to instances of adjudicated fraud and provide for the advancement of defense costs during the adjudicative process.
Commercial concerns are understandably wary of cyber-breaches and the fallout that could follow them. As such, the market for insurance products tailored to this risk is large and growing. Insurance purchasers and their brokers should, however, first acquire working knowledge of the nature of the allegations commonly included in post-breach lawsuits and, armed with that knowledge, scrutinize the insurance product or products they are considering buying to ensure those products provide an acceptable scope of protection. Depending on the wording of retroactive date and policy inception date-related exclusions, the third-party liability protections afforded by a given product may be less than meets the eye.
EDITOR’S NOTE: Please see addendum below, following the footnotes.
Stephen O’Donnell, a partner in Steptoe’s Chicago office, focuses on commercial litigation, with particular experience in insurance, reinsurance, and securities litigation and arbitration. His practice includes cases throughout the United States and abroad, specifically London and Bermuda.
The foregoing comments and analysis are solely those of the author and not those of his law firm, any other attorney at the law firm, or the law firm’s clients.
Copyright, Stephen O’Donnell, 2016. All rights reserved.
E.g., PartnerRe, Cyber Liability Insurance Market Trends: 2015 Survey, http://www.partnerre.com/opinions-research/cyber-liability-insurance-market-trends-2015-survey#.VqJPsJhIiM8
See E. Kvochko and R. Pant, Why Data Breaches Don’t Hurt Stock Prices, March 31, 2015 Harvard Business Review.
Examples include In Re: TJX Companies, 246 F.R.D. 389 (D. Mass. 2007); In Re: Adobe Systems, Inc. Privacy Litigation, 66 F. Supp.3d 1197 (N.D. Cal. 2014); Barbashov v. Experian Information Solutions, Inc., No. 1:15-cv-8943 (N.D. Ill.); Community Bank of Trenton v. Schnuck Markets, Inc., No. 3:15-cv-01125 (S.D. Ill.); Doe v. Avid Life Media, Inc., 1:15-cv-08270 (N.D. Ill.).
E.g., Barbashov, No. 1:15-cv-8943 (N.D. Ill.), Document #1, Class Action Complt., Second and Third Causes of Action (Negligent and Willful Violations of FCRA).
E.g., Barbashov, No. 1:15-cv-8943 (N.D. Ill.), Document #1, Class Action Complt., ¶¶ 41-45.
Am. Fed. of Govt. Employees, AFL-CIO v. U.S. Office of Personnel Mgt., No. 1:15-cv-1015.
Id. at 55.
15 U.S.C. §45(a).
See FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015).
Id. at 240-41.
March 2014 SEC Cybersecurity Roundtable.
See In Re: R.T. Jones Capital Equities Mgt, Inc., SEC Admin. Proc. No. 3-16827 (Sept. 22, 2015).
See Cumis Ins. Society, Inc. v. BJ’s Wholesale Club, Inc., 455 Mass. 458, 460, 918 N.E.2d 36, 40, n.9 (2009).
Id. at 460, n.7.
Id. at 460, n.6.
Id. at 460-61, n.9.
See, e.g., Genesco, Inc. v. Visa U.S.A., Inc., 296 F.R.D. 559, 565-66 (M.D. Tenn. 2014); see generally, http://www.visa.com/cisp.
See Genesco, Inc., 296 F.R.D. at 564.
See id. (Acquiring Banks fined $13 million in large cyber breach resulting in stolen consumer information).
See Banknorth, N.A. v. BJ’s Wholesale Club, Inc., 394 F. Supp.2d 283 (D. Maine 2005); Cumis Ins. Society v. BJ’s Wholesale Club, Inc., 455 Mass. 458, 918 N.E.2d 36 (2009); Community Bank of Trenton, Case No. 3:15-cv-01125 (S.D. Ill.) Dkt # 1.
Banknorth, N.A., 394 F. Supp.2d at 285; Cumis Ins. Society, 455 Mass. at 459-60, 918 N.E.2d at 39-40.
Community Bank of Trenton, Case No. 3:15-cv-01125 (S.D. Ill.) Dkt # 1 at pp. 63-64.
See Banknorth, N.A., 394 F. Supp.2d at 284; Cumis Ins. Soc., 455 Mass. at 460-61, 918 N.E.2d at 39-40; Community Bank of Trenton, Case No. 3:15-cv-01125 (S.D. Ill.) Dkt # 1 at pp. 13-16.
E.g., Palkon v. Wyndham Worldwide Corp., No. 2:14-CV-01234 (D.N.J. 2014); Kulla v. Steinhafel, 14-CV-00203 (D. Minn. 2014) (Target Corp. Cyber-breach); Bennek v. Ackerman, No. 1:15-CV-2999 (N.D. Ga. 2015) (The Home Depot Cyber-breach).
See, e.g., Palkon, No. 2:14-CV-01234 (D.N.J. 2014), Opinion dated October 20, 2014, granting motion to dismiss.
See New Hotel Monteleone, LLC v. Certain Underwriters at Lloyd’s of London, Case No. 2:16-cv-00061 (E.D. La. 2016), Document No. 1-3, § I, Insuring Modules 1-4; see also, https://www.travelers.com/business-insurance/management-professional-liability/documents/CYB-3001.pdf, at p. 1 of 30, § I, ¶¶ A, B, and C.
New Hotel Monteleone LLC, Case No. 2:16-cv-00061, at § VII, ¶ KK; https://www.travelers.com/business-insurance/management-professional-liability/documents/CYB-3001.pdf, at pp. 12 and 9 of 30, § II, ¶¶ GGG and QQ.
See New Hotel Monteleone, LLC, Case No. 2:16-cv-00061, Document No. 1-3, § VIII, ¶¶ A and B; see also, https://www.travelers.com/business-insurance/management-professional-liability/documents/CYB-3001.pdf, at p. 13 of 30, § III, ¶ B 3.
E.g., New Hotel Monteleone, LLC, Case No. 2:16-cv-00061, Document No. 1-3, Declarations, ¶¶ 2 and 5.
ADDENDUM: RETROACTIVE DATE EXCLUSION OFTEN IS NOT LIMITED TO CYBER-BREACH EVENT
I was happy to see that my article, Cyber-Liability Insurance and the Retroactive Date Exclusion, generated a few DISQUS™ comments. One of those comments prompted me to write this brief follow-up.
Commenter “Steve” writes that while the retroactive date exclusion is a concern, it is not a significant one because, he submits, the wrongful act should be deemed to take place when the cyber-breach event occurs. From this premise, he concludes that so long as the system hack occurs after the retroactive date, the retroactive date exclusion will not pose an obstacle to insurance recovery. The assumption underlying Steve’s contention is that the retroactive date exclusion only applies to previously occurring cyber breaches because no wrongful act occurs until a hacker gains access to the insured’s computer system.
While Steve’s contention that “wrongful act” should be interpreted as coextensive with the cyber-breach event is itself highly debatable, there is a more fundamental problem with his assertion: his assumption that the retroactive date exclusion is limited to prior-occurring “wrongful acts” is at odds with the plain language of the exclusion in several of the leading cyber-insurance policy forms. The retroactive date exclusion in these forms is not so limited but, instead, casts a far wider net.
The policy at issue in the New Hotel Monteleone v. Certain Underwriters at Lloyd’s case cited in the footnotes of my article provides one good example of the breadth of one leading retroactive date exclusion. The exclusion in that policy provides:
We shall not be liable for any claim directly or indirectly arising out of or in any way attributable to:
- Any wrongful acts or the same, related, or continuing acts, facts, or circumstances that were first committed or first occurred prior to the retroactive date.
By employing the disjunctive “or” between “wrongful act” and “related or continuing acts, facts or circumstances,” this exclusion self-evidently is more expansive than merely eliminating claims arising out of pre-retroactive date wrongful acts or cyber-breaches.
The retroactive date exclusion in the cyber-insurance policy forms cited and hyper-linked in commenter “Abe_R’s” DISQUS™ comment provides another example of a broadly worded retroactive-date exclusion. That formulation provides:
The coverage under this Insurance does not apply to any Claim or Loss:
- For, arising out of or resulting from any related or continuing acts, errors or omissions, incidents or events where the first such act, error, omission, incident or event was committed or occurred prior to the Retroactive Date.
As in the prior example, by employing the disjunctive “or” in the phrase “related or continuing acts, errors or omissions, incidents or events,” this retroactive date exclusion is more expansive than merely eliminating claims arising out of previously occurring cyber-breach events.
Faced with the language of either of these exclusions, an insured would have a difficult time convincing a court that the exclusion does not knock out coverage of a claim alleging that the insured failed to implement adequate computer system security features from a time pre-dating the retroactive date – even if that ongoing failure did not result in a system hack until after the retroactive date.
Coverage battles are most often won and lost in the theater of specific policy language. If an insured seeks the scope of coverage outlined in Steve’s comment, the insured would be well-advised to scrutinize the retroactive date exclusion in the form being offered and consider whether a modification of the language of the exclusion is necessary to achieve the objective.
New Hotel Monteleone, LLC v. Certain Underwriters at Lloyd’s of London, Case No. 2:16-CV-00061 (E.D. La. 2016), Document No. 1-3 at Section VIII, ¶ A (accessible through the PACER system).
https://www.beazley.com/specialty_lines/small_business/technology_media_and_business_services_/forms.html, “InfoSec Policy” Link, “Information Security & Privacy Insurance With Electronic Media Liability Coverage,” Section V, ¶ I.