We have previously addressed First Commonwealth Bank v. St. Paul Mercury Ins. Co., No. 2:14-cv-00019-MPK (W.D. Pa.), where the insurer denied coverage under a professional liability policy because the insured first reimbursed its customer for amounts lost when a fraudulent wire transfer was made from the customer’s account. The problem in First Commonwealth was the insured made this payment to its customer before notifying its insurer as required under the policy. The insured took the position that the “voluntary payments” provision in the policy, which prohibited the insured from making any payments without first notifying the insurer of its potential claim, conflicted with a Pennsylvania law requiring the insured immediately reimburse the customer for the fraudulent wire transfers.
Unfortunately, we can expect the problem faced by the insured in First Commonwealth to become more commonplace. It is not difficult to envision other scenarios where insureds will need to carefully navigate various laws and requirements governing a data breach while complying with insurance policy conditions. Likewise, insurers will need to thoroughly understand the various federal and state laws as they draft insurance policies. For example, in the case of a breach, an insured will need to comply with state notification laws as well as the notice requirements under their policies. And, in complying with state/federal notification requirements, the insured will need to make sure they do not push their claim toward the exclusionary language in the policy.
The First Commonwealth decision provides an example of competing interests under state law and policy conditions. However, the federal government is proposing its own statutory framework that may end up conflicting with state data security laws. We have yet to see an example of an insured having to reconcile federal law, state law and policy conditions. Therefore, while it is a good thing that insureds are starting to understand the importance of cyber liability insurance, we can expect growing pains as all these requirements harmonize.