A Seattle-area managed services provider is suing its insurance company for refusing to pay out on a claim stemming from the criminal actions of the MSP’s former employee.
Denali’s former CTO pleaded guilty in September to a federal charge of computer fraud for repeatedly hacking into the network of Columbia Sportswear Company – a Denali IT hardware and services customer – to look for information he could use to gain a business advantage.
Columbia is suing the MSP, putting at stake potentially millions of dollars in damages, legal fees and other costs associated with remediating the breach.
The case offers a cautionary tale about the importance of understanding the fine print in liability policies that many IT services firms are relying on to stay afloat should the unthinkable come to pass.
“Hartford has a duty to assume obligations to Denali under the Policy related to Columbia’s claims, including all claim expenses, from the inception date of the Policy on October 24, 2016,” lawyers for Denali wrote in the company’s latest amended complaint, filed Nov. 7. “Hartford additionally has ongoing defense and indemnity obligations to Denali under the Policy related to the Underlying Suit.”
A copy of the policy indicates Denali would pay an annual premium of $30,644.
In exchange, Hartford would pay up to $5 million in relevant expenses, minus a $50,000 retention – essentially a deductible.
The former CTO, Michael Leeper, had previously worked in IT at Columbia for 14 years before taking the job at Denali, and used a fake account he created on the eve of his separation from Columbia to access files, including employee emails and documents detailing IT purchasing plans.
He’s scheduled to be sentenced Dec. 7.
Denali fired Leeper and maintains it had no knowledge of – nor derived benefit from – his unlawful activities.
“The Insuring Agreement of the Policy provides that: ‘We will pay on your behalf money in excess of the Retention that you become legally required to pay as damages and claims expenses because of a claim caused by a glitch in your performance of technology services,’” Denali’s lawyers wrote in court papers.
But precisely what constitutes a “glitch in performance of technology services” is a key point of contention.
Hartford argues that the conduct alleged by Columbia is not covered by the policy for several reasons.
“First, there is no coverage because the allegations were not ‘caused by a glitch in [Denali’s or Leeper’s] performance of technology services’ while such services were ‘performed for others,’” Hartford’s lawyers argued.
The policy, Hartford said, also contains exclusions for misuse, misappropriation or theft of trade secrets; unfair or deceptive business practices; unfair competition; violations of consumer protection laws; and “for any glitch or claim arising out of or in any way related to…dishonest, fraudulent, criminal or intentional wrongful act or omission by any of you.”
Additionally, attorneys for Hartford argued that the former CTO knew before the policy became effective that his actions could result in a claim “and that failure to satisfy a condition precedent of coverage means coverage is precluded.”
This past summer, Denali submitted filings already anticipating that losses from the litigation with Columbia would exceed $1 million.
The MSP is now asking to be made whole for having to go after the insurance company in court.
“Denali is entitled (to) any and all relief resulting from this breach, including declaratory relief, injunctive relief and damages caused by Hartford’s breach,” the Denali filing says. “Denali is entitled to its reasonable attorneys’ fees and expenses because it has been compelled to assume the burden of legal action to receive the benefit of its insurance contract.”
The case is scheduled to go to trial next year.