January 7, 2019
Insurance companies continue to assert coverage exclusions incorporated into their cyber insurance policies in an attempt to avoid providing coverage to their insureds. The latest example to be adjudicated is the “False Pretense Exclusion” that appears in insurance policies issued or underwritten by Sentinel Insurance Company. Rainforest Chocolate, LLC v. Sentinel Ins. Co., 2018 VT 140, 2018 Vt. LEXIS 240. On December 28, 2018, the Vermont Supreme Court reversed a trial court’s summary judgment in favor of Sentinel Insurance Company. The Court held that the exclusion language was ambiguous, and therefore, construed the policy in accordance with the reasonable expectations of the insured.
The case involved what is now a ubiquitous fact pattern: supervisor’s e-mail account is hacked, employee receives an e-mail from supervisor to transfer funds, and employee transfers funds. Upon discovering computer fraud, company files insurance claim under Computer Fraud coverage with the reasonable expectation that it is insured for this type of loss. However, the reality that is playing itself out across the cyber insurance landscape is that your insurance carrier will deny coverage for these incidents that you reasonably believe you are insured against.
Buried at Section B.2.f in the “Exclusions” portion of the Sentinel Insurance policy is the provision that excludes from coverage “physical loss . . . caused by or resulting from . . . [v]oluntarily parting with any property by you or anyone else to who you have entrusted the property if induced to do so by any fraudulent scheme, trick, device or false pretense.” There is little doubt what fact pattern (see above) this language is supposed to exclude from coverage.
The court’s opinion included an extensive analysis of whether the fraudulently appropriated funds constituted a physical loss. However, it was a quotation from the trial court’s judgment that was of particular interest to those of us who evaluate cyber insurance policies:
The complicated nature of this policy, with its layers of coverages and exclusions, is almost impossible to follow without a compass and a guide. It took the court many hours of reading and rereading the policy and the briefs to reach a clear understanding of how the various provisions fit together. How any insured, however sophisticated, is supposed to determine that it is getting what it paid for with a policy like this is a mystery to the court.
Id. at **2-3.
And that is the crux of the matter. Insurance companies market cyber insurance policies that are so complex that no insured can possibly comprehend the true nature and scope of the actual coverage. The complexity allows insurance companies to bury in the policies new and ever-expansive coverage exclusions. The brokers selling these cyber insurance policies have no idea what will or won’t be covered in the event of a cyber incident – though the constant flow of claim denials should be giving them some indication by now. As a result, the insureds are left with little hope of understanding what they are buying.
Finally, let’s hear it for Rainforest Chocolate for standing up their insurance carrier! They filed suit over a loss of just $10,000. Faced with that type of loss, most insureds throw up their hands and let their insurance company deny coverage. Rainforest Chocolate not only sued their insurance carrier, but was forced to litigate an appeal to the Vermont Supreme Court. We need more companies like Rainforest Chocolate and less insurers that force their clients to sue to secure the coverage they are entitled to.
RegitzMauck PLLC is an intellectual property boutique based in Dallas, Texas. The firm focuses on providing value-based legal services to cost-conscious clients seeking high quality legal representation in intellectual property, cybersecurity, and technology matters and disputes.