Articles Posted in Legal Developments

Yesterday, I wrote about the application of the “voluntary parting” exclusion in Schmidts v. Travelers, a 2015 case out of the Southern District of Ohio.  If you couldn’t tell, I didn’t agree with the result.

The Sixth Circuit offered a more reasoned and more recent view of insurance coverage for email/wire scams in American Tooling Center, Inc. v. Travelers (July 13, 2018).  An American manufacturer received an email purportedly from its Chinese subcontractor.  The sub said that the next payment should be wired to a new bank account due to an ongoing audit.  The company wired the money.  The sub emailed again, saying there was a problem with the account and asking for a new wire to a different account.  This happened four times.  $834,000 later, the real sub started asking where its payment was…

The company sought coverage under its Wrap+ business insurance, which contained “computer fraud” coverage.  It read: “The Company will pay the Insured for the Insured’s direct loss of…Money…directly caused by Computer Fraud.”  The policy defined “computer fraud” as the “use of any computer to fraudulently cause a transfer of Money…”.

It’s (approximately) the ides of National Cybersecurity Awareness Month.  Yes, it’s a thing.  A 15-year old thing.  Appropriately, I spent last night at a cybersecurity seminar hosted by Citrin Cooperman (thanks, by the way).  It sparked this first of a two-part blog post about the “voluntary parting” exclusion.  Get your popcorn ready.

First, the scene.  We’re at the Union League in Philadelphia.  It’s kind of dark, because it’s always kind of dark in there.  Everyone is wearing coats, because everyone has to wear coats there.  Despite the lighting and formality (to which I should really be more accustomed in my 11th year as a lawyer), the panel is exceptional.  An ethical hacker demonstrates the ease with which he can figure out all of our passwords using software that makes billions of guesses per second.  A valuation expert explains the process of quantifying cyber incident losses.  Of most interest to me, the general counsel of a sophisticated insurance brokerage offers specific claims insights (no names, of course).

Consistent with the narrative that many of us are hearing, she emphasizes that carriers are by and large responding quickly to, and paying, the majority of cyber claims.  So, I ask: “Are there any exclusions that you are seeing create some deviation from that narrative, maybe exclusions that could be addressed during the front-end application process given the tailored nature of cyber policies?”

The war to find data breach coverage under commercial general liability (CGL) policies continues to rage.  In St. Paul Fire & Marine Insurance v. Rosen Millennium, Inc. et al., filed in March 2017 (M.D. Fla. 6:17-CV-00540), an insurer is seeking a declaration that neither the insured’s 2014-15 nor its 2015-16 CGL policy covers data breach costs and a couple million dollars’ worth of PCI fines.

In 2016, the insured, a hotel, discovered that its payment network had been compromised by malware between September 2014 and February 2016, resulting in the disclosure of customer credit card information.  The hotel first tendered to Beazley, its cyber insurer, but Beazley denied coverage on the ground that the “occurrence” happened prior to the applicable retroactive date of the hotel’s 2015-16 policy.  More on those notorious retro dates here.

The hotel turned to its CGL carrier, St. Paul, which denied coverage for a variety of reasons.  Two are especially noteworthy.  First, St. Paul argues that the ready and known availability of cyber insurance for data breach losses is itself an indication that CGL policies are not intended to cover those losses.  Second, St. Paul points out that the insured actually purchased cyber insurance since 2015-16.  Relying on cases holding that courts should construe insurance policies so as not to find duplicative coverage, St. Paul argues that the CGL policies must be interpreted so as not to provide coverage for data breach losses because the insured’s Beazley policy did provide that coverage.

Like a brown-paper-bag-wrapped birthday present, the Fifth Circuit’s June 25th decision in Spec’s v. Hanover arrived in my in-box with a resounding ‘meh.’  You see, I get daily emails from Westlaw attaching opinions that may or may not implicate cyberinsurance coverage law.  I use the broadest search terms imaginable to make sure I don’t miss anything by being under-inclusive.  And when you ask for everything, you get, well, everything.  Most days I can tell from the caption of the attachment whether it’s a case I should read.  Most days, it isn’t.

But today the Fifth Circuit redefined the fairly typical contractual liability exclusion in the cyberinsurance context.  The fact pattern is common.  Retailer hires credit card processor.  The processor says, ‘ok, we’ll take your business, but you’ll sign a contract that makes you responsible if anything goes wrong.’  The retailer has no choice because you need a processor and they all use the same liability shifting language in their contracts.  Then the data breach…

Following the breach, the Payment Card Industry (PCI) comes down on the processor with considerable fines and enhanced security requirements.  The processor passes both along to the retailer.  The retailer is in the hole, big time.

In Spec’s Family Partners v. The Hanover Insurance Company, the Southern District of Texas became the second court to grapple with the interaction among Payment Card Industry (PCI) fines, payment card processor contracts and the infamous contractual liability exclusion that is still present in many cyberinsurance policies.

You can read about the first court to do so here.  Spoiler: also no coverage.

Spec’s, a family-owned retail chain, suffered two data breaches of its payment card system resulting in the loss of customer information and credit card numbers.  Spec’s processed its credit transactions through a third party, First Data Merchant Services.  Following the breaches, First Data was fined almost $10 million by MasterCard and Visa.  First Data invoked the indemnification provision in its processor agreement and demanded that Spec’s pay the fines.

There have been relatively few confirmed cyber attacks resulting in substantial physical harm to property (other than computer hardware) and people.  The first known event involved the 2008-2010 infiltration of a computer virus called “Stuxnet” into Iranian networks that controlled nuclear centrifuges.  The virus caused them to spin out of control, destroying about 20% of them.  Another involved a hacking attack on a German steel mill in 2014, causing a blast furnace to malfunction and resulting in massive damage.  Last year, an Iranian petrochemical company suffered a series of fires and explosions believed to have been caused by a hacking attack.  And for each of these types of events, there have been innumerable other attacks that could have but did not result in physical harm.

While underwriters still struggle to accurately quantify this risk, there is an increased willingness to enter the cyber-physical coverage market in different, and sometimes fairly creative, ways.  But this risk doesn’t only impact cyber-coverage.  Cyber-physical attacks can have enormous consequences, with damages likely to exponentially exceed the coverage provided by these new products.  These attacks can be coordinated across multiple geographic regions, they can impact many people and businesses across numerous economic sectors and they appear to be easier than ever to anonymously effectuate.

The increased ease with which these attacks can be carried out coupled with the unprecedented level of harm they can cause requires likely targets to carefully explore the cyber-physical risk market.  These circumstances, however, also require renewed consideration of traditional coverages by those who may be impacted downstream and by those who might find themselves defendants when even cyber-physical coverage purchased by the targets of these attacks proves woefully insufficient in light of the extent of harm.  In fact, there are likely few companies that don’t need to revisit their entire insurance programs in light of the emerging cyber-physical risk.  Consider whether coverages and limits are still appropriate for cyber and traditional coverages.  This will get physical.


For relatively little expense, insureds can often add cyber endorsements to traditional CGL, professional liability or other insurance policies.  On October 25, 2016, the Northern District of Alabama issued a decision in Camp’s Grocery, Inc. v. State Farm, one of the few decisions interpreting cyber coverage to date, that demonstrates why insureds should be wary of opting for cyber endorsements instead of stand-alone policies.  Docket No. 4:16-cv-0204, 2016 WL 6217161.

Camp’s had a series of no good, very bad days.  First, hackers accessed its network and compromised customers’ credit card, debit card and check card information.  Yipes.  Then, three credit unions sued Camp’s to recover card reissuance, fraud reimbursement and fraud prevention expenses.  Double yipes.  Finally, Camp’s tendered the claim to State Farm, which informed Camp’s that the Computer Programs and Electronic Data Extension of Coverage and related endorsements to its property and casualty policy only covered Camp’s first party data breach losses.  The endorsements did not cover, in State Farm’s view, third party liability claims like the credit unions’.

The court agreed.  It held that State Farm had no duty to defend or indemnify Camp’s with respect to the credit union lawsuit.  It explained that “[i]nsurance contracts generally are assigned to one of two classes: either ‘first party coverage’ or ‘third party coverage’…’First party coverage’ pertains to loss or damage sustained by an insured to its property…In contrast, if the insurer’s duty to defend and pay runs to a third party claimant who is paid according to a judgment or settlement against the insured, then the insurance is classified as ‘third party insurance.’  Thus, wholly different interests are protected by ‘first-party coverage’ and ‘third-party coverage’.”  In holding that Camp’s endorsements offered only first party coverage, the court essentially held that Camp’s had no coverage, since it was only attempting to deal with the credit unions’ third party claims.

If you are a United States company that processes or maintains data from individuals living in the European Union, this matters to you.  The US/EU Data Privacy Shield self-certification process goes live on August 1, 2016.  There is lots of good information out there already, but there is also a good bit of scrambling to put in place a framework for companies that want to enroll in this new program.  Do you want the high-level overview?  Of course you do.  Here is what Privacy Shield compliance will probably entail:

1. Revise your privacy policy to comply with the new requirements/language.
2. Select a third-party dispute mechanism to handle complaints from EU data subjects.

On May 31, 2016, the U.S. District Court for the District of Arizona held that P.F. Chang’s obligation to pay its credit card processor nearly $2M following a 2014 data breach was contractual, and therefore not covered under its cyberinsurance policy.  Ouch.  Let’s back up.

In 2014, hackers posted the credit card numbers of 60,000 P.F. Chang’s customers on the internet.  P.F. Chang’s had a Chubb cyberinsurance policy in place, for which it paid a $134,052.00 annual premium.  Chubb paid P.F. Chang’s $1.7M in policy benefits to cover forensic investigation, litigation defense and other costs, but that was less than half of the cost of this breach.

Really?  Yes, really.