Articles Posted in Legal Developments

There have been relatively few confirmed cyber attacks resulting in substantial physical harm to property (other than computer hardware) and people.  The first known event involved the infiltration, discovered in 2010, of a computer worm called “Stuxnet” into Iranian networks that controlled nuclear centrifuges.  The worm drove the centrifuges outside their safe operating speeds, destroying roughly 20% of them.  Another involved a hacking attack on a German steel mill in 2014, which prevented a blast furnace from being shut down in a controlled manner and resulted in massive damage.  Last year, an Iranian petrochemical company suffered a series of fires and explosions believed to have been caused by a hacking attack.  And for each of these types of events, there have been innumerable other attacks that could have but did not result in physical harm.

While underwriters still struggle to accurately quantify this risk, there is an increased willingness to enter the cyber-physical coverage market in different, and sometimes fairly creative, ways.  But this risk doesn’t only impact cyber coverage.  Cyber-physical attacks can have enormous consequences, with damages likely to far exceed the coverage provided by these new products.  These attacks can be coordinated across multiple geographic regions, they can impact many people and businesses across numerous economic sectors, and they appear to be easier than ever to carry out anonymously.

The increased ease with which these attacks can be carried out, coupled with the unprecedented level of harm they can cause, requires likely targets to carefully explore the cyber-physical risk market.  These circumstances, however, also require renewed consideration of traditional coverages by those who may be impacted downstream and by those who might find themselves defendants when even the cyber-physical coverage purchased by the targets of these attacks proves woefully insufficient in light of the extent of harm.  In fact, there are likely few companies that don’t need to revisit their entire insurance programs in light of the emerging cyber-physical risk.  Consider whether the coverages and limits in both cyber and traditional policies are still appropriate.  This will get physical.


For relatively little expense, insureds can often add cyber endorsements to traditional CGL, professional liability or other insurance policies.  On October 25, 2016, the Northern District of Alabama issued a decision in Camp’s Grocery, Inc. v. State Farm, one of the few decisions interpreting cyber coverage to date, that demonstrates why insureds should be wary of opting for cyber endorsements instead of stand-alone policies.  Docket No. 4:16-cv-0204, 2016 WL 6217161.

Camp’s had a series of no good, very bad days.  First, hackers accessed its network and compromised customers’ credit card, debit card and check card information.  Yipes.  Then, three credit unions sued Camp’s to recover card reissuance, fraud reimbursement and fraud prevention expenses.  Double yipes.  Finally, Camp’s tendered the claim to State Farm, which informed Camp’s that the Computer Programs and Electronic Data Extension of Coverage and related endorsements to its property and casualty policy only covered Camp’s first party data breach losses.  The endorsements did not cover, in State Farm’s view, third party liability claims like the credit unions’.

The court agreed.  It held that State Farm had no duty to defend or indemnify Camp’s with respect to the credit union lawsuit.  It explained that “[i]nsurance contracts generally are assigned to one of two classes: either ‘first party coverage’ or ‘third party coverage’ … ‘First party coverage’ pertains to loss or damage sustained by an insured to its property … In contrast, if the insurer’s duty to defend and pay runs to a third party claimant who is paid according to a judgment or settlement against the insured, then the insurance is classified as ‘third party insurance.’  Thus, wholly different interests are protected by ‘first-party coverage’ and ‘third-party coverage’.”  In holding that Camp’s endorsements offered only first party coverage, the court essentially held that Camp’s had no coverage at all for this claim, since it was only attempting to deal with the credit unions’ third party claims.

Unless you already know the answer, you might want to check out a recent webinar presented by Angie Singer Keating (of the IT firm Reclamere), Brian Courtney (The Safegard Group, insurance brokerage), Renee Martin (my Partner at Dilworth) and little old me.  You can check it out here.  Enjoy!

If you are a United States company that processes or maintains data from individuals living in the European Union, this matters to you.  The US/EU Privacy Shield self-certification process goes live on August 1, 2016.  There is lots of good information out there already, but there is also a good bit of scrambling to put in place a framework for companies that want to enroll in this new program.  Do you want the high-level overview?  Of course you do.  Here is what Privacy Shield compliance will probably entail:

  1.  Revise your privacy policy to comply with the new requirements/language.
  2. Select a third-party dispute mechanism to handle complaints from EU data subjects.

On May 31, 2016, the U.S. District Court for the District of Arizona held that P.F. Chang’s obligation to pay its credit card processor nearly $2M following a 2014 data breach was contractual, and therefore not covered under its cyberinsurance policy.  Ouch.  Let’s back up.

In 2014, hackers posted the credit card numbers of 60,000 P.F. Chang’s customers on the internet.  P.F. Chang’s had a Chubb cyberinsurance policy in place, for which it paid a $134,052.00 annual premium.  Chubb paid P.F. Chang’s $1.7M in policy benefits to cover forensic investigation, litigation defense and other costs, but that was less than half of the cost of this breach.

Really?  Yes, really.

FYI, NBD is “internet slang” for “no big deal.”  “Internet slang” is what my little brother uses in text messages.

Anyway.

Last week, the Fourth Circuit affirmed an Eastern District of Virginia ruling that Travelers had a duty to defend Portal Healthcare Solutions with respect to a class action data breach lawsuit filed after patients found their medical records online, sans permission.  The opinion analyzed a commercial general liability (CGL) policy, specifically the “publication” issue that was also at the forefront in the 2015 Sony PlayStation coverage dispute.  In Sony, a New York trial court held that CGL carriers had no duty to defend a data breach class action, a ruling many saw as a sign that the days of finding data breach coverage in CGL policies were coming to an end.  A number of commentators have therefore suggested that Travelers v. Portal is a pendulum swing in the other direction, a sign that data breach coverage under CGL policies remains viable.

ALERT: Companies have been receiving emails and other electronic instructions to make payments or transfer funds that – oops – are not truly authorized to be paid or transferred.  This is fraud.  But is it “computer fraud”?

In Universal American Corp. v. National Union Fire Insurance Co. of Pittsburgh, PA., 25 N.Y.3d 675 (N.Y. June 25, 2015), it wasn’t.  New York’s highest court held that a “computer fraud” endorsement to a fidelity bond covered a hacker’s unauthorized “entry” into the insured’s computer system and subsequent fraudulent transfer of funds.  It did not, however, cover an authorized user’s input of information to transfer funds based on the receipt of fraudulent instructions to do so.  The policy defined “Computer Systems Fraud” as follows: “Loss resulting directly from a fraudulent (1) entry of Electronic Data or Computer Program into, or (2) change of Electronic Data or Computer Program within the Insured’s proprietary Computer System … provided that the entry or change causes (a) Property to be transferred, paid or delivered …”.  The court reasoned that a fraudulent “entry” was not the input of fraudulent data into the system by an authorized user, as had occurred, but the unauthorized penetration of the system by a third party, i.e., a hacker.  Since the fraudster never entered the insured’s computer system, the court concluded that there was no coverage.

In Apache Corporation v. Great American Insurance Co., 2015 WL 7709584 (S.D. Tex. Aug. 7, 2015), the court reached the opposite conclusion.  A “computer fraud” provision in a Crime Protection Policy did cover an authorized user’s transfer of funds based on fraudulent email instructions.  The definition of “computer fraud” in this case, however, was the very language the Universal American court distinguished as broader than the language at issue there: “We will pay for loss … resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the premises … (a) to a person … outside the premises; or (b) to a place outside the premises.”  The court reasoned that the email-centric nature of the fraud made computer use a “substantial factor” in causing the fraudulent transfer, and the insured therefore had coverage.  (Editor’s note: the Fifth Circuit later reversed this district court decision in an unpublished 2016 opinion, finding the emails too incidental to the transfer to satisfy the “resulting directly from” requirement, so readers should not rely on the district court ruling as the current state of the law.)

It’s been four months since the Court of Justice of the EU invalidated the Safe Harbor agreement that had been allowing US companies to transfer personal data out of the EU to the US despite the EU’s more stringent privacy laws.  I wrote about that here.

In the ensuing clusterkerfuffle (trademarked term), US companies have scrambled to adopt agreements incorporating the EU’s Standard Contractual Clauses (the “Model Clauses”).  These clauses, however, have given rise to complicated issues of interpretation, particularly with respect to the distinction between “data processors” and “data controllers.”  These designations drive the applicability of particular clauses and dictate the range of responsibilities of parties dealing in EU data.  As companies have struggled to define themselves in this context, most have been holding out hope for a clearer, more streamlined arrangement akin to the prior EU/US Safe Harbor agreement.

Well, it’s here.  Sort of.

Yes, I’m late to the party.  President Obama signed the Cybersecurity Act of 2015 into law over a month ago.  Plenty of ink has already been spilled about it.  The act encourages, but does not require, companies to share information about data breaches and responses with each other and with the federal government.  Most of the ‘controversy’ has centered on the act’s perceived lack of privacy protections for individuals whose information is shared.

Yawn.

Privacy is important.  Measures should be taken to protect individuals’ data, and the act does include at least some level of protection.  Whether it’s enough remains to be seen.

There are few cases interpreting stand-alone cyberinsurance policies.  So, when there is a development in one of them, however unrelated to the novel construction issues raised by these new(ish) policies, it’s worth a word.  Or 350.

Travelers v. Federal Recovery Services, Inc. (D. Utah No. 2:14-CV-170) is not a remarkably interesting case.  It was one of the first times that a court issued a written opinion deciding whether a claim implicating electronic data misuse was covered by a cyberinsurance policy.  But the court found that the insured’s intentional withholding of the data from its rightful owner triggered an exclusion barring coverage for the insured’s intentional misconduct.  A CGL decision in cyber clothing.

Armed with the court’s holding that Travelers had no duty to defend or indemnify, Travelers filed a motion for summary judgment.  In the bag, right?
