In a win for policyholders, a federal court in Washington recently held that an insurer had a duty to defend a technology company against a vendor’s demand for damages it allegedly suffered when hackers accessed software solutions the vendor licensed from Microsoft.
The case, Advaiya Solutions, Inc. v. Hartford Fire Insurance Company, concerned an enterprise liability policy whose coverage focused on liabilities for claims arising from such things as breaches of data privacy, harm caused by unauthorized intrusion into computer systems and networks, and denial or disruption of service attacks.
The claim arose when hackers accessed a portal to cloud-based applications that the policyholder had created for a customer. The policyholder licensed these applications from the vendor, who in turn licensed them from Microsoft. In a matter of hours, the hackers’ unauthorized use of these applications rang up hundreds of thousands of dollars in usage fees that the vendor paid Microsoft. The vendor then sent the policyholder an “invoice” and a written “final demand” for reimbursement of these fees. The policyholder promptly notified Hartford, seeking coverage under its claims-made enterprise liability policy.
Hartford refused to defend, contending that the vendor was merely trying to collect payment on an invoice for services rendered, and had not made a “claim” for “damages” as required to trigger coverage. The court rejected Hartford’s position across the board, holding that Hartford owed a duty to defend against the vendor’s demand. The court’s rejection unfolded in four steps.
First, the court rejected Hartford’s twin arguments that Washington’s “eight corners” rule did not apply to claims-made policies and did not prevent an insurer from presenting extrinsic evidence that (allegedly) supported its refusal to defend. Instead, the court properly confined its analysis to the policy, the vendor’s written demand, and any extrinsic evidence that tended to establish coverage.
Second, the court rejected Hartford’s contention that a demand for payment was not a “claim” because the vendor had not initiated legal proceedings and noted that the policy defined a “claim” to include a “written demand,” which the vendor had clearly presented.
Third, the court rejected Hartford’s position that the vendor’s demand was excluded because the vendor did not seek “damages,” and rather sought payment of an excluded invoice for “licensing fees and subscription charges.” Looking beyond the vendor’s written demand, the court pointed to facts suggesting that the vendor had not issued a standard invoice to the policyholder for software usage the policyholder had purchased under the parties’ license agreement. Instead, facts showed that the vendor sought reimbursement of costs it had incurred due to the hackers’ criminal conduct, costs that could conceivably constitute “damages” under the policy, and thus triggered the insurer’s duty to defend.
Finally, the court rejected Hartford’s assertion that the vendor’s demand did not result from a covered “wrongful act.” Again turning to Washington’s “eight corners” rule and its two exceptions, the court considered extrinsic evidence of the vendor’s allegations that the policyholder was liable because it failed to implement sufficient security measures—a covered wrongful act.
The court’s ruling has significant implications for policyholders and insurers alike, particularly regarding claims arising in the technology sector.
First, it counsels insurers against a too-speedy refusal to defend a demand to a policyholder before carefully investigating to determine whether, notwithstanding a demand’s superficial appearance, a covered claim has been asserted.
Second, it cautions both insurers and policyholders about the limited application of out-of-state case law in Washington. In refusing to defend, Hartford had cited cases from other jurisdictions that directly contradicted Washington law, a problem the court called out.
Finally, it reminds policyholders of the importance of engaging advocates who can grasp and convey the technical circumstances giving rise to a claim as well as the specialized features of enterprise cyber-liability policies, which often do not rely on uniform policy language commonly used in other coverage lines.
Advaiya Solutions was represented by Tristan Swanson and Don Scaramastra of Miller Nash, LLP.
This article is provided for informational purposes only—it does not constitute legal advice and does not create an attorney-client relationship between the firm and the reader. Readers should consult legal counsel before taking action relating to the subject matter of this article.
