Applying Washington state law, the United States District Court for the Western District of Washington has held that an insurer had a duty to defend a demand for payment under a vendor invoice for usage fees incurred due to hackers’ use of a software service. Advaiya Solutions Inc. v. Hartford Fire Ins. Co., Case No. C23-0685-KKE, 2024 WL 4253171 (W.D. Wash. Sept. 20, 2024).
An insured technology consulting company purchased software services for a client. The consultant purchased the software services from a vendor, who in turn purchased the services from the provider. Based on the client’s use, the provider would invoice the vendor, who would invoice the consultant, who would invoice the client. Hackers gained access to the client’s software, incurring about $334,000 in usage fees. The vendor and consultant disputed liability for the fees, with the vendor arguing that the consultant failed to enable two-step authentication and the consultant arguing that the vendor failed to apply a $30,000 limitation on charges.
The consultant submitted the vendor’s demands for payment to its insurer seeking coverage under its claims-made enterprise liability policy. The insurer denied coverage on the basis that the demand for fees was not a demand for “damages” because the policy specifically carved out from damages “any kind of: refund, rebate, redemption coupon, offset, return or credit that has been paid to or by any of you, or that is owed to or by any of you; examples include but are not limited to any of the following: any licensing fee or other fee, royalty, subscription or access charge or other charge.”
The insured consultant then filed an action for breach of contract and declaratory judgment, asserting that the insurer owed a duty to defend under the policy. In response to the insured’s motion for summary judgment, the insurer argued that (1) the vendor’s demand for payment was not a claim because it was not a formal legal proceeding against the insured; (2) the vendor’s demand was excluded by the carve-out for fees from the definition of damages; and (3) the vendor did not allege a wrongful act, as required by the policy.
The court rejected these three arguments. The court determined that the vendor’s demand for payment constituted a claim because the policy defined “claim” as a “written demand . . . for damages” and thus the duty to defend was not limited to lawsuits, as the insurer could appoint an attorney to address the vendor’s demand. The court also determined that the fee carve-out from the definition of damages did not necessarily apply to bar coverage because the carve-out required that fees be “owed to or by” the insured, and the charges were incurred by a third-party hacker and not by services provided to the insured. The court determined that “[t]his is not . . . an effort by [the insured] to pass on its routine business expenses to its insurer” and the insured had demonstrated that the vendor’s demand “could conceivably constitute damages under the Policy.” Finally, the court determined that although the vendor’s demand did not expressly allege a wrongful act, the insurer was obligated to consider and investigate extrinsic evidence to decide whether it was “conceivable” that the amount sought was caused by a wrongful act. Here, the court determined that it was “conceivable” because an incident report prepared after the hack included recommended actions to be taken by the insured to prevent similar incidents in the future and the vendor’s terms of service required the insured to ensure that its customers implemented information security best practices, but two-step authentication for access to the software was not enabled.
[View source.]
This post was originally published on here