Wade Clark Mulcahy LLP

The U.S. District Court for the Western District of Texas is currently dealing with that question in the declaratory judgement action brought by Capitol Specialty Insurance Company (“CSIC”) against TGG Management Company, Inc. d/b/a Tgg Accounting (“TGG”) and TGG’s CEO Matthew Garrett (“Garrett”) (collectively “TGG Defendants”). See Capitol Specialty Ins. Co. v. TGG Management Company, Inc. et al., 2024 WL 2190668 (W.D. Tex. 2024). In Capitol Specialty Ins. Co., CSIC is seeking a declaratory judgement that it does not owe a duty to defend or indemnify TGG Defendants in a breach of contract lawsuit filed by Ikigai Marketing Works LLC (“Ikigai”) and Pooph Inc. (“Pooph”) (collectively the “Underlying Plaintiffs”) against TGG Defendants in California’s San Diego County Superior Court (the “Underlying Action”). Id. The Underlying Plaintiffs claim that each entity separately entered into professional services agreements with TGG wherein TGG agreed to provide accounting services. Id. On January 18, 2023, TGG allegedly received a request to send money to a phishing scammer, who had “spoofed” one of the Underlying Plaintiffs’ vendor’s email addresses and was holding themselves out as the vendor. Id. On four separate occasions in February 2023, TGG allegedly transferred payments to the scammer, totaling $843,704.90. Id. The Underlying Plaintiffs allege that each time TGG sent payments, TGG “failed to implement proper screening and failed to verify changes to the vendor’s banking information to filter out the phisher’s emails.” Id. The Underlying Plaintiffs claim that TGG only repaid them $67,000 and sought to profit from the phishing scam by requiring clients to cover the costs of its investigation into the scam. Id. The Underlying Plaintiffs assert causes of action against TGG Defendants for, inter alia, breach of contract, breach of implied covenant and good faith and fair dealing, professional negligence, and constructive fraud. Id.

TGG Defendants tendered their defense in the Underlying Action to CSIC, and CSIC agreed to defend them under TGG’s errors and omissions policy (“E&O Policy”) subject to a reservation of rights. Id. Now, CSIC is seeking a declaratory judgement that it does not owe a duty to defend or indemnify TGG Defendants in the Underlying Action because the E&O Policy expressly precludes coverage for any damages, claims or expenses arising out of “unauthorized access to, use of, or tampering with data or systems by any person,” and Underlying Plaintiffs allege that TGG failed to implement proper internal e-mail screening controls leading the scammer to have unauthorized access to TGG’s email system. Id. Further, CSIC argues that coverage is not owed under the E&O Policy pursuant to the exclusions for “criminal, dishonest, fraudulent, malicious or knowingly wrongful acts” committed by TGG, “unfair competition,” and “any gain, profit, advantage to which [TGG] is not legally entitled.” Id.

While TGG Defendants undisputably suffered a loss as a result of a phishing scam, the allegations in the Underlying Action present an interesting scenario in which TGG Defendants not only failed to implement sufficient data protection protocols, but also sought to profit off of their failure by making their customers pay. We will have to wait and see how the case progresses in Texas; however, the allegations against TGG Defendants suggest that one of the above exclusions is likely to apply to bar coverage under the E&O Policy. As phishing scams are becoming more sophisticated and harder to identify, this case highlights the importance for businesses to prioritize data protection.