Vendor’s Demand for Payment of an Invoice Triggers Duty to Defend Under Washington Law

October 29, 2024

Applying Washington state law, the United States District Court for the Western District of Washington has held that an insurer had a duty to defend a demand for payment under a vendor invoice for usage fees incurred due to hackers’ use of a software service. Advaiya Solutions Inc. v. Hartford Fire Ins. Co., Case No. C23-0685-KKE, 2024 WL 4253171 (W.D. Wash. Sept. 20, 2024).

An insured technology consulting company purchased software services for a client. The consultant purchased the software services from a vendor, who in turn purchased the services from the provider. Based on the client’s use, the provider would invoice the vendor, who would invoice the consultant, who would invoice the client. Hackers gained access to the client’s software, incurring about $334,000 in usage fees. The vendor and consultant disputed liability for the fees, with the vendor arguing that the consultant failed to enable two-step authentication and the consultant arguing that the vendor failed to apply a $30,000 limitation on charges.

The consultant submitted the vendor’s demands for payment to its insurer seeking coverage under its claims-made enterprise liability policy. The insurer denied coverage on the basis that the demand for fees was not a demand for “damages” because the policy specifically carved out from damages “any kind of: refund, rebate, redemption coupon, offset, return or credit that has been paid to or by any of you, or that is owed to or by any of you; examples include but are not limited to any of the following: any licensing fee or other fee, royalty, subscription or access charge or other charge.”

The insured consultant then filed an action for breach of contract and declaratory judgment, asserting that the insurer owed a duty to defend under the policy. In response to the insured’s motion for summary judgment, the insurer argued that (1) the vendor’s demand for payment was not a claim because it was not a formal legal proceeding against the insured; (2) the vendor’s demand was excluded by the carve-out for fees from the definition of damages; and (3) the vendor did not allege a wrongful act, as required by the policy.

The court rejected these three arguments. The court determined that the vendor’s demand for payment constituted a claim because the policy defined “claim” as a “written demand . . . for damages” and thus the duty to defend was not limited to lawsuits, as the insurer could appoint an attorney to address the vendor’s demand. The court also determined that the fee carve-out from the definition of damages did not necessarily apply to bar coverage because the carve-out required that fees be “owed to or by” the insured, and the charges were incurred by a third-party hacker and not by services provided to the insured. The court determined that “[t]his is not . . . an effort by [the insured] to pass on its routine business expenses to its insurer” and the insured had demonstrated that the vendor’s demand “could conceivably constitute damages under the Policy.” Finally, the court determined that although the vendor’s demand did not expressly allege a wrongful act, the insurer was obligated to consider and investigate extrinsic evidence to decide whether it was “conceivable” that the amount sought was caused by a wrongful act. Here, the court determined that it was “conceivable” because an incident report prepared after the hack included recommended actions to be taken by the insured to prevent similar incidents in the future and the vendor’s terms of service required the insured to ensure that its customers implemented information security best practices, but two-step authentication for access to the software was not enabled.

Practice Areas

Wiley Executive Summary

Sign up for updates

Wiley Rein LLP Cookie Preference Center

Your Privacy

When you visit our website, we use cookies on your browser to collect information. The information collected might relate to you, your preferences, or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. For more information about how we use Cookies, please see our Privacy Policy.

Strictly Necessary Cookies

Always Active

Necessary cookies enable core functionality such as security, network management, and accessibility. These cookies may only be disabled by changing your browser settings, but this may affect how the website functions.

Functional Cookies

Always Active

Some functions of the site require remembering user choices, for example your cookie preference, or keyword search highlighting. These do not store any personal information.

Form Submissions

Always Active

When submitting your data, for example on a contact form or event registration, a cookie might be used to monitor the state of your submission across pages.

Performance Cookies

Performance cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.

Powered by Firmseek