A Reminder of the Critical Issue of Notice and Timing in Claims-Made Cyber and Tech E&O Policies
The recent decision in Illinois federal court in Hartford Fire Insurance Company v. iNetworks Services, LLC, 2020 U.S. Dist. LEXIS 53473 (N.D. Ill. Mar. 27, 2020), serves as an important reminder on the role of timely notice under a claims-made policy, especially in the context of cybersecurity and tech E&O claims, where the determination of the timing of an insured’s knowledge of an underlying claim can be critical.
iNetworks Group and its affiliate iNetworks Services (iNetworks) are a managed service provider (MSP) which store data for its clients. In April 2016, iNetworks’ servers containing the data of one of its clients, San Jose Group Company (San Jose), became infected by malware that destroyed San Jose’s data. Id. at *3-4. The parties exchanged emails about the server compromise, its causes, the impact it had on San Jose’s business, and potential settlement offers between April 2016 and August 2016.
In January 2018, San Jose commenced litigation against iNetworks Group. However, iNetworks Group did not inform their insurer, Hartford, or tender the action under its Technology Liability Policy until July 15, 2018 – six months later. In December 2018, San Jose added iNetworks Services as a defendant. Ultimately, the underlying trial court entered a default judgment against the iNetworks defendants for $10.5 million. The insurer successfully intervened and vacated the default, and the lawsuit was dismissed. The case is currently pending before an Illinois appellate court. Id. at *4. Hartford thereafter commenced coverage litigation against iNetworks and San Jose, seeking a declaration that it had no duty to defend or indemnify the iNetworks defendants under the Technology Policy.
Hartford issued to iNetworks Services a Technology Liability Policy (Technology Policy) for the period of January 27, 2016 – January 27, 2017. The Technology Policy includes a reporting requirement, which states in relevant part:
This is a claims first made policy... Your policy applies only to claims when:
the glitch occurs on or after the Retroactive Date and before the end of the policy period, and
the claim is first made against any of you during the policy period and you use your best efforts to report such claim to us in writing as soon as practicable in accordance with the terms of this policy.
Id. at *4-5. The policy defined “glitch” to include a “negligent act, error, or omission,” or the “[f]ailure of your technology services to perform the function or serve the purpose intended.” Id. at *6. It also defined the term as an “[u]nauthorized access to, unauthorized use of, repudiation of access to, tampering with or introduction of malicious code into: firmware, data, software, systems or networks.” Id.
The reporting requirement was repeated under the “When We Insure” section of the policy, stating that coverage is provided for a claim if “the claim because of the glitch is first made against any of you during the policy period and reported to us in writing by you using your best efforts to notify us as soon as practicable after any specified insured becomes aware of it.” Id. at *5. The policy also had a “notice” condition, stating that “[t]he named insured must notify us in writing as soon as practicable of a glitch or circumstance that may result in a claim under this policy.” Id. The notice condition also stated that “[i]f a claim is made against any of you, as soon as any specified insured knows of such a claim, you must. . . immediately send us copies of all demands, notices, summonses and legal papers. . . .” Id. at *5-6.
That the compromise of iNetworks’ servers qualified as a “glitch” was not disputed. Id. at *8. Nor did the parties dispute that the emails between San Jose and iNetworks between April 2016 and August 2016 constituted a “claim,” as defined by the policy. Id. Instead, the parties disputed whether the Technology Policy was a claims-made policy, and whether iNetworks’ delay in reporting the lawsuit and glitch precludes coverage. Id.
San Jose argued that the policy was “not a pure claims-made policy, but is a hybrid of both an occurrence policy and a claim-made policy.” Id. San Jose based its argument on the policy’s requirements that both an occurrence and the claim “both occur during the policy, and that the Technology Policy does not require that notice of the claim be given during the policy period.” Id. San Jose also argued that iNetworks had provided notice within “a reasonable time” to permit coverage. Id. The trial court rejected the contention:
The Court is unpersuaded. The Technology Policy is clearly a claims-made policy, which provides the insureds with coverage for claims by third parties that are both made and reported during the applicable time period. The plain text of the Policy expressly identifies itself as a claims made policy at least twice: “this is a claims first made and reported in writing policy” … and “this is a claims first made policy.” [Citation omitted.] In addition to identifying itself as such, the Technology Policy has the features of a claims-made policy: it requires that a claim be made during the policy period and that the claim be reported “as soon as practicable.” Importantly, “[a] ‘claims made’ policy can contain the ‘as soon as practicable’ language and remain ‘claims made,’ since the ‘claims made’ character of a policy only turns on the existence of the requirement that the claim be reported during the term of the policy.”
Id. at *9. Noting that “[c]ourts strictly construe notice requirements in claims-made policies and view notice requirements as valid conditions precedent,” the court then determined that iNetworks had failed to satisfy the Technology Policy’s notice requirements.
“The Illinois Supreme Court has looked to several factors in assessing whether an insured’s notice is reasonable, including: (1) the language of the policy’s notice provision; (2) the insured’s sophistication in the insurance matters; (3) the insured’s awareness of an event which may trigger insurance coverage; (4) the insured’s diligence in ascertaining whether the policy coverage is available; and (5) prejudice to the insurer.” Id. at *12. The trial court addressed each factor and determined that iNetworks had breached its notification obligation.
- The first two factors — the policy language and “sophistication” of the insured — were viewed as neutral, the court stating that “[n]either party has presented compelling arguments in its favor.”
- The third factor — “awareness of an event that may trigger insurance coverage” — “clearly “favor[ed]” the insurer because iNetworks “was aware of the Server Compromise in April 2016,” its “detrimental impact” on San Jose’s business operations, and iNetworks and San Jose “exchanged emails on the subject for three months.” at *12.
- The fourth factor also favored the insurer, the court concluding that the insured’s delay “exceeded two years after the Server Compromise and claim, eighteen months after the expiration of the Technology Policy, and six months after the filing of the lawsuit.” at *13.
- Finally, the court held that the fifth factor – prejudice – also favored the insurer. The insurer had been left unable to investigate the compromise in real time, unable to provide iNetworks with experts that could have mitigated the data loss, and that relevant iNetworks personnel may not be able to recall as much information as they could have recalled if questioned several years ago. It was also unclear whether relevant hardware or software had been preserved for testing. at *14.
Finally, the court held as a matter of law that iNetworks failed to timely report the claim to the insurer and also breached the Technology Policy’s notice condition. The court concluded that the iNetworks’ delay was not “within a reasonable time.” Id.
WHAT THIS CASE MEANS
Many cyber and tech E&O policies are claims-made policies. Claims-made policies are worded (and priced) the way that they are because claims-made policies only cover a specific scope of risks, namely, only those claims first made during the given policy year, and reported in accordance with the notice provisions of that policy. When a claim submitted for coverage is not first-made during a given policy year, or reported in accordance with a policy’s notice provisions under a claims-made policy, the insured in effect seeks coverage for a risk outside the bargain negotiated between insurer and insured. This case serves as a reminder that notice issues under claims-made policies are addressed differently than under occurrence-based policies.
If you have any questions or need more information, contact Joshua A. Mooney (email@example.com; 215.864.6345), Timothy A. Carroll (firstname.lastname@example.org; 215.864.6218) or Andrew G. Lipton (email@example.com; 212.631.1252).