Computer Fraud Claim Triggers Insurer’s Duty to Pay Defense Costs Despite “Gravamen” of Litigation Involving Excluded Misappropriation Claims
The Superior Court of the State of Delaware, applying Delaware and Kansas law, has held that an insurer owed a duty to pay defense costs under a directors and officers liability policy for a lawsuit primarily alleging the misappropriation of trade secrets, despite a misappropriation exclusion, on the basis that the underlying complaint asserted a claim alleging computer fraud not excluded by the policy. WoodSpring Hotels LLC v. Nat’l Union Fire Ins. Co. of Pittsburgh, PA, Case No. N17C-09-274 (Del. Super. Ct., May 2, 2018).
The insureds, an extended stay hotel and one of its employees, were sued by the employee’s former employer, which alleged that the employee stole a customer database of detailed information regarding corporate customers when she left the company. The “gravamen” of the lawsuit involved claims based on the employee’s alleged theft and misappropriation of trade secrets. However, the lawsuit also stated one count for violation of the Computer Fraud and Abuse Act (CFAA) alleging unlawful access to the company’s computer system to copy its information.
The insureds tendered the lawsuit under a directors and officers liability policy. The carrier denied coverage on the basis of a misappropriation exclusion, which barred coverage for any actual or alleged misappropriation of a “trade secret.”
In the resulting coverage litigation, the court held that the “gravamen” of the action was the misappropriation of a customer database, which, as alleged, would constitute “trade secrets.” However, despite the misappropriation exclusion, the court held that the CFAA count triggered the insurer’s duty to pay defense costs for the lawsuit. The court reasoned that under Delaware law, an insurer is required to “defend the entire action even if only one count or theory of liability potentially lies within the coverage” and predicted that Kansas would follow the same approach.
The court held that a violation of the CFAA turns on fraudulently obtaining “anything of value” through the unauthorized access of a computer, and does not require that the item of value be “a trade secret or even confidential.” The court found that while the “item of value” in the underlying action plausibly included a trade secret, the insurer did not undertake an investigation to determine what the accessed information actually entailed.