Classic phishing attacks identify an item of information or an opportunity that is appealing to a target audience, and they use that to bait the target into clicking a malicious link or opening a corrupted file. Like a worm to a fish. Hence the term, phishing.

The earliest attacks fed off of a near universal allure – money. Do as I say, and you will receive hundreds of thousands, or even millions, of dollars. As we wised up, the scams became more tailored. Professionals were hit with new client inquiries. Manufacturers received purportedly important alerts from trade associations. Parents’ in-boxes were inundated with phony updates from their children’s schools (yes, this has happened).

There has likely never been a single subject, however, with the same universal appeal as information related to the COVID-19 outbreak. And phishing scammers know it.

Had my mother previewed this post, she would have cautioned me not to give myself a kenahorah (ken-a-ho-rah).  That’s a yiddish term.  It means doing or saying something to tempt evil, to invite bad things to come your way.  The title of this post, in light of what may or may not be warranted mass hysteria, would seem to flirt with something that, to be on the safe side, should not be flirted with.  Alas, like the names of my children, Bubby does not get a preview of my blogs.  She sees them after they are posted, just like you.  So, at the risk of a kenahorah…

My office is still open.  Will that be the case tomorrow?  Or the next day?  Unclear.  The NBA just suspended the entire season.  Schools are closing.  New Rochelle, New York has created a one-mile quarantine zone.  Anything is possible.  We are officially freaking out.

Many companies are either going remote or are preparing to do so.  But the fortunate employees who can do their jobs from home are more likely than those who cannot to access or process sensitive electronic data.  Think about it.  Many professionals are going this route.  Even manufacturing or other industrial processes that have become largely automated are probably able to control some or all of their operations remotely.  Because the volume of remote work is increasing, so too are the opportunities for cyber crime.  Here’s three simple, easily implementable tips to improve security as we all voluntarily quarantine ourselves in what I truly hope will prove to have been an unnecessary panic.  I’m just not sure at this point.  The tips…

In 2018, the FBI’s Internet Crime Complaint Center (IC3) received more than 900 complaints of internet driven crime every day.  This amounted to over 350,000 complaints involving $2.7 billion in losses.  Business enterprise compromises (BECs) were the most common and the most consequential.

These scams, which involve the use of fraudulent emails instructing recipients to unwittingly wire payments to criminals’ bank accounts, accounted for over 20,000 complaints and a whopping $1.2 billion in losses in 2018.  The Cyber Division of the FBI’s Economic Crimes Unit investigates these complaints with the goal of recovering fraudulently diverted funds.

“Michael” is a retired FBI field agent who worked in this Unit since its inception.  With his permission, the following is a summary of our recent conversation.

In April 2016, I highlighted insurance issues related to business enterprise compromises, or BECs.  Yesterday, I had the privilege of presenting on the topic to the Central Jersey Chapter of the Institute of Internal Auditors at its Annual Fraud Conference (thanks  to Frank Pina at Mercadian for the invite).

Since I last wrote about the subject, the FBI has determined that BECs, also known as CEO fraud, social engineering and spoofing, are among the most costly forms of cyber-crime.  Refresher: the FBI defines a BEC as a “sophisticated scam targeting both businesses and individuals performing wire transfer payments…[that] is frequently carried out when a subject compromises legitimate business e-mail accounts through social engineering or computer engineering techniques to conduct unauthorized transfers of funds.”   Common examples of BECs are e-mails that appear to come from a CEO or CFO directing an employee to pay a fake vendor and scammers posing as title insurance representatives sending last-minute changes in wiring instructions to real estate purchasers.

Between 2013 and 2018, BECs accounted for over $12.5 billion in reported losses globally.  I say reported because the FBI’s data set is limited to self-reported information received through its Internet Complaint Center, or IC3.  Many victims of this type of fraud likely do not report it to the FBI for a multitude of reasons.  Of these losses, there have been 41,058 incidents in the United States accounting for nearly $3 billion in losses.  This figure represents more than half of fraud-related losses reported to the FBI during this -five-year period.

In January, I offered my view on Zurich’s invocation of an ‘act of war’ exclusion to deny coverage for Mondelez International’s losses caused by NotPetya.  And made a funny joke about Oreos in the process.  You’re welcome.  More recently, I was interviewed by Matt Fleischer-Black for CyberInsecurity News on the same subject, and Matt suggested that his research revealed that Sony’s claims were covered by AIG following the 2014 ‘The Interview’ hack.  That got me thinking – if AIG covered Sony’s losses, is there a difference between Sony’s AIG policy and Mondelez’s Zurich policy?

Sony reportedly had an AIG CyberEdge policy in place when the “Guardians of Peace” hacked into Sony’s network in November 2014.  The GOP locked employees computers with a very scary image and threatened to release Sony’s data about unreleased movies and confidential business issues.  They also threatened “9-11 style” attacks at theatres that showed Sony’s “The Interview,” a comedy about two reporters sent to assassinate North Korean Supreme Leader Kim Jong Un.   The CIA identified the GOP as North Korean state actors, and President Obama enhanced sanctions against North Korea.

Image result for guardians of peace interview hack
I don’t have Sony’s actual AIG policy.  I did, however, find a sample AIG CyberEdge policy that would have been in use during Sony’s April 2014 -April 2015 policy term.  Like Mondolez’s Zurich policy, it contains an ‘Act of War Exclusion.’  The AIG policy bars coverage “arising out of…war, invasion, military action…political disturbance, civil commotion, riot, martial law, civil war, mutiny, popular or military uprising, insurrection, rebellion, revolution, military or usurped power…”.

Cyber this.  Cyber that.  I deal in dirt, and I don’t care.

If there’s a commercial building on top of that dirt, you should.

The “internet of things” refers to the ever-expanding connectivity between our digital and physical worlds.  In our homes, we have smart climate control, security, refrigerators, televisions, vacuum cleaners (yes, vacuum cleaners) and, well, you get it.  We like the comfort and convenience, and the fact that we can control all of it from our phones, which we’re always looking at anyway.

Welcome back.  Unless you never left, in which case you’re probably having a smoother morning than I am.  If you’re reading this, we’re both having better mornings than Mondelez International, Inc. had on June 27, 2017, when the company was hit by the NotPetya attack that rocked pretty much the whole world. Think you never heard of Mondelez?  It’s the snack food mega company that makes Ritz crackers, Cadbury chocolates and milk’s and my favorite cookie – the Oreo.

Refresher on NotPetya – most (including the CIA) believe this attack was propagated by the Russian military against Ukraine, where it is estimated that 50-80% of damage occurred.  Many believe that the spread of this malware – the fastest ever as of the time of the attack – to multinational and US corporations was not even intentional.  That didn’t stop it from causing an estimated $10 billion in damages to hospitals, banks, shipping companies and others worldwide.

Mondelez, though, has a Zurich insurance policy that specifically covers “physical loss or damage to electronic data, programs or software, including physical loss or damage caused by the malicious introduction of machine code or instruction.”  When NotPetya hit Mondelez, it permanently destroyed 1,700 servers and 24,000 computers.  Mondelez claims that it lost over $100 million in the form of property damage, commercial supply and distribution disruptions, unfulfilled customer orders and reduced margins.  Mondelez tendered a claim to Zurich, and Zurich wasn’t exactly sure what to do.

Sexy title, I know.  Here’s the thing – this is a big deal.  Particularly for employers, and likely for any entity that collects and stores personal data, the law in Pennsylvania just changed dramatically.

First, a bit of law 101.  The “economic loss rule” is a legal concept that recognizes the division of the law into essentially two worlds: tort (i.e., negligence) and contract.  Under the rule, no claim exists for negligence that results solely in economic damages without physical injury or property damage.  Example:  You pay a painter to paint your house.  He doesn’t.  You want to sue for everything, including the emotional distress that comes with living in a home the color of which does not reflect the “real you.”  But you (probably) can’t.  Under the economic loss rule, the economic injury suffered when you paid for nothing does not give rise to a negligence claim or to the broader range of damages that may recoverable in tort.  You’re stuck with a breach of contract claim for your money back and maybe the increased cost of hiring somebody else to paint your house.  There are exceptions and nuances, but that’s all you need to know for this post.

Courts have reached different conclusions as to whether the economic loss rule bars negligence claims for financial losses caused by data breaches.  And some states don’t even recognize an independent tort duty to support a negligence claim for a data breach that is accompanied by physical damage (say, to your hardware). The United States District Court for the District of Minnesota examined this state-by-state variation in the Target data breach class action.  The court held that, at least of 2014, negligence claims for data breaches were barred by the economic loss rule in Alaska, California, Illinois, Iowa, Massachusetts and…Pennsylvania.  As for class members from the District of Columbia, Georgia, Idaho, New Hampshire and New York, the law was still sufficiently unsettled in those jurisdictions that their negligence claims survived Target’s motion to dismiss.

Yesterday, I wrote about the application of the “voluntary parting” exclusion in Schmidts v. Travelers, a 2015 case out of the Southern District of Ohio.  If you couldn’t tell, I didn’t agree with the result.

The Sixth Circuit offered a more reasoned and more recent view of insurance coverage for email/wire scams in American Tooling Center, Inc. v. Travelers (July 13, 2018).  An American manufacturer received an email purportedly from its Chinese subcontractor.  The sub said that the next payment should be wired to a new bank account due to an ongoing audit.  The company wired the money.  The sub emailed again, saying there was a problem with the account and asking for a new wire to a different account.  This happened four times.  $834,000 later, the real sub started asking where its payment was…

The company sought coverage under its Wrap+ business insurance, which contained “computer fraud” coverage.  It read: “The Company will pay the Insured for the Insured’s direct loss of…Money…directly caused by Computer Fraud.”  The policy defined “computer fraud” as the “use of any computer to fraudulently cause a transfer of Money…”.

It’s (approximately) the ides of National Cybersecurity Awareness Month.  Yes, it’s a thing.  A 15-year old thing.  Appropriately, I spent last night at a cybersecurity seminar hosted by Citrin Cooperman (thanks, by the way).  It sparked this first of a two-part blog post about the “voluntary parting” exclusion.  Get your popcorn ready.

First, the scene.  We’re at the Union League in Philadelphia.  It’s kind of dark, because it’s always kind of dark in there.  Everyone is wearing coats, because everyone has to wear coats there.  Despite the lighting and formality (to which I should really be more accustomed in my 11th year as a lawyer), the panel is exceptional.  An ethical hacker demonstrates the ease with which he can figure out all of our passwords using software that makes billions of guesses per second.  A valuation expert explains the process of quantifying cyber incident losses.  Of most interest to me, the general counsel of a sophisticated insurance brokerage offers specific claims insights (no names, of course).

Consistent with the narrative that many of us are hearing, she emphasizes that carriers are by and large responding quickly to, and paying, the majority of cyber claims.  So, I ask: “Are there any exclusions that you are seeing create some deviation from that narrative, maybe exclusions that could be addressed during the front-end application process given the tailored nature of cyber policies?”