On January 5, 2016, a federal District Court granted the removal petition of Lloyd’s of London in a declaratory judgment action involving coverage under a cyber policy. The Hotel Monteleone originally filed a lawsuit on December 10, 2015 in the District Court of Orleans Parish, Louisiana, alleging it was entitled to coverage under an Ascent CyberPro Policy for damages related to a breach at the Hotel in 2014. The Petition for Damages [1] filed in state court provides the following information concerning the cyber policy:
- Ascent sold the Ascent CyberPro insurance policy which provided $3 million in limits to the Hotel.
- The CyberPro policy contained a “Payment Card Industry Fines or Penalties” endorsement that limited certain coverage to $200,000 for “a monetary fine or penalty” from credit card company related to a breach.
The Petition provides the following information concerning the cyber attacks on the Hotel and its attempt to obtain coverage for such attacks:
- Prior to purchasing the CyberPro policy, the Hotel suffered a cyber attack in 2013 involving the theft of credit card information. The Hotel had losses related to this 2013 attack exceeding $200,000. The Hotel did not have cyber coverage at the time of this 2013 attack.
- After the 2013 attack, the Hotel sought insurance coverage specifically for “operational fraud and operational reimbursement amounts for fraudulent charges and the costs of replacing payment cards as a result of a cyberattack.”
- The Hotel alleges that it purchased the CyberPro policy for this coverage. Specifically, the Hotel alleges “it would not have paid $20,277.40 for only $200,000 in coverage for operational fraud and operational reimbursement amounts for fraudulent charges and the costs of replacing payment card…” that was provided through the endorsement.
- On October 17, 2014, the Hotel discovered it had suffered an attack that involved the breach of payment card numbers.
- After the attack, the Hotel claims a number of payment card companies demanded reimbursement for amounts they paid related to the Hotel’s breach to replace compromised cards.
The Petition alleges that the Hotel sought coverage for the amounts claimed by the payment card company but quickly learned Ascent planned to limit coverage under the CyberPro policy to the $200,000 limit in the endorsement. In its Petition, the Hotel claims it is entitled to the entire $3 million in limits under the policy rather than $200,000 under the endorsement to the policy. The Hotel’s breach of contract claim seeks to enforce the insuring agreement of the CyberPro policy absent the “Payment Card Industry Fines or Penalties” endorsement. In the alternative, the Hotel claims the CyberPro policy is ambiguous and requests the District Court find all the Hotel’s damages from the 2014 breach are covered under the CyberPro policy.
In addition to claims against the insurer, the Petition also contains allegations against the broker for negligent failure to procure insurance coverage. The Hotel supports these claims with allegations that the broker “advised [the Hotel] about the terms and extent of coverage afforded by the 2014 CyberPro Insurance Policy and procured a cyberinsurance policy that met [the Hotel’s] coverage needs.” The Hotel’s claims illustrate that some confusion in the cyber insurance marketplace [2] is expected, as these products develop and the threats constantly evolve. Regardless of the outcome of this litigation, this case demonstrates the importance of insurers, brokers and policyholders coordinating to make sure everyone understands a policyholder’s particular risks and the safeguards put into place.