Articles Posted in Legal Developments

Increasingly, businesses buy cyberinsurance to protect valuable electronic assets, including computer systems themselves and the data stored within them. These policies, however, are relatively young.  They frequently borrow terminology from traditional property/casualty policies, the meanings of which are informed by decades of case law.  These seemingly familiar words are now creating novel cyberinsurance issues that may affect the coverage you have, or think you have.

In Nat’l Ink & Stitch, LLC v. State Auto Prop. & Cas. Ins. Co., CV SAG-18-2138, 2020 WL 374460 (D. Md. Jan. 23, 2020), a court addressed a centuries-old concept, physical loss, through the cyberinsurance lens.  After a screen-printing company suffered a ransomware attack, the company had data stolen and computers rendered partially inoperable. The company filed a claim under its cybersecurity policy, which familiarly stated that the carrier “will pay for direct physical loss of or damage to Covered Property…”.

The company obtained cyber coverage through an endorsement.  The Businessowners Special Form Computer Coverage endorsement refined the definition of “Covered Property” to include “Electronic Media and Records (Including Software).” It defined “Electronic Media and Records” to include:

Had my mother previewed this post, she would have cautioned me not to give myself a kenahorah (ken-a-ho-rah).  That’s a Yiddish term.  It means doing or saying something to tempt evil, to invite bad things to come your way.  The title of this post, in light of what may or may not be warranted mass hysteria, would seem to flirt with something that, to be on the safe side, should not be flirted with.  Alas, like the names of my children, Bubby does not get a preview of my blogs.  She sees them after they are posted, just like you.  So, at the risk of a kenahorah…

My office is still open.  Will that be the case tomorrow?  Or the next day?  Unclear.  The NBA just suspended the entire season.  Schools are closing.  New Rochelle, New York has created a one-mile quarantine zone.  Anything is possible.  We are officially freaking out.

Many companies are either going remote or are preparing to do so.  But the fortunate employees who can do their jobs from home are more likely than those who cannot to access or process sensitive electronic data.  Think about it.  Many professionals are going this route.  Even manufacturers and other industrial operators whose processes have become largely automated can probably control some or all of those operations remotely.  Because the volume of remote work is increasing, so too are the opportunities for cyber crime.  Here are three simple, easily implementable tips to improve security as we all voluntarily quarantine ourselves in what I truly hope will prove to have been an unnecessary panic.  I’m just not sure at this point.  The tips…

Welcome back.  Unless you never left, in which case you’re probably having a smoother morning than I am.  If you’re reading this, we’re both having better mornings than Mondelez International, Inc. had on June 27, 2017, when the company was hit by the NotPetya attack that rocked pretty much the whole world. Think you never heard of Mondelez?  It’s the snack food mega company that makes Ritz crackers, Cadbury chocolates and milk’s and my favorite cookie – the Oreo.

Refresher on NotPetya – most (including the CIA) believe this attack was propagated by the Russian military against Ukraine, where it is estimated that 50-80% of damage occurred.  Many believe that the spread of this malware – the fastest ever as of the time of the attack – to multinational and US corporations was not even intentional.  That didn’t stop it from causing an estimated $10 billion in damages to hospitals, banks, shipping companies and others worldwide.

Mondelez, though, has a Zurich insurance policy that specifically covers “physical loss or damage to electronic data, programs or software, including physical loss or damage caused by the malicious introduction of machine code or instruction.”  When NotPetya hit Mondelez, it permanently destroyed 1,700 servers and 24,000 computers.  Mondelez claims that it lost over $100 million in the form of property damage, commercial supply and distribution disruptions, unfulfilled customer orders and reduced margins.  Mondelez tendered a claim to Zurich, and Zurich wasn’t exactly sure what to do.

Sexy title, I know.  Here’s the thing – this is a big deal.  Particularly for employers, and likely for any entity that collects and stores personal data, the law in Pennsylvania just changed dramatically.

First, a bit of law 101.  The “economic loss rule” is a legal concept that recognizes the division of the law into essentially two worlds: tort (i.e., negligence) and contract.  Under the rule, no claim exists for negligence that results solely in economic damages without physical injury or property damage.  Example:  You pay a painter to paint your house.  He doesn’t.  You want to sue for everything, including the emotional distress that comes with living in a home the color of which does not reflect the “real you.”  But you (probably) can’t.  Under the economic loss rule, the economic injury suffered when you paid for nothing does not give rise to a negligence claim or to the broader range of damages that may be recoverable in tort.  You’re stuck with a breach of contract claim for your money back and maybe the increased cost of hiring somebody else to paint your house.  There are exceptions and nuances, but that’s all you need to know for this post.

Courts have reached different conclusions as to whether the economic loss rule bars negligence claims for financial losses caused by data breaches.  And some states don’t even recognize an independent tort duty to support a negligence claim for a data breach that is accompanied by physical damage (say, to your hardware). The United States District Court for the District of Minnesota examined this state-by-state variation in the Target data breach class action.  The court held that, at least as of 2014, negligence claims for data breaches were barred by the economic loss rule in Alaska, California, Illinois, Iowa, Massachusetts and…Pennsylvania.  As for class members from the District of Columbia, Georgia, Idaho, New Hampshire and New York, the law was still sufficiently unsettled in those jurisdictions that their negligence claims survived Target’s motion to dismiss.

Yesterday, I wrote about the application of the “voluntary parting” exclusion in Schmidts v. Travelers, a 2015 case out of the Southern District of Ohio.  If you couldn’t tell, I didn’t agree with the result.

The Sixth Circuit offered a more reasoned and more recent view of insurance coverage for email/wire scams in American Tooling Center, Inc. v. Travelers (July 13, 2018).  An American manufacturer received an email purportedly from its Chinese subcontractor.  The sub said that the next payment should be wired to a new bank account due to an ongoing audit.  The company wired the money.  The sub emailed again, saying there was a problem with the account and asking for a new wire to a different account.  This happened four times.  $834,000 later, the real sub started asking where its payment was…

The company sought coverage under its Wrap+ business insurance, which contained “computer fraud” coverage.  It read: “The Company will pay the Insured for the Insured’s direct loss of…Money…directly caused by Computer Fraud.”  The policy defined “computer fraud” as the “use of any computer to fraudulently cause a transfer of Money…”.

It’s (approximately) the ides of National Cybersecurity Awareness Month.  Yes, it’s a thing.  A 15-year-old thing.  Appropriately, I spent last night at a cybersecurity seminar hosted by Citrin Cooperman (thanks, by the way).  It sparked this first of a two-part blog post about the “voluntary parting” exclusion.  Get your popcorn ready.

First, the scene.  We’re at the Union League in Philadelphia.  It’s kind of dark, because it’s always kind of dark in there.  Everyone is wearing coats, because everyone has to wear coats there.  Despite the lighting and formality (to which I should really be more accustomed in my 11th year as a lawyer), the panel is exceptional.  An ethical hacker demonstrates the ease with which he can figure out all of our passwords using software that makes billions of guesses per second.  A valuation expert explains the process of quantifying cyber incident losses.  Of most interest to me, the general counsel of a sophisticated insurance brokerage offers specific claims insights (no names, of course).

Consistent with the narrative that many of us are hearing, she emphasizes that carriers are by and large responding quickly to, and paying, the majority of cyber claims.  So, I ask: “Are there any exclusions that you are seeing create some deviation from that narrative, maybe exclusions that could be addressed during the front-end application process given the tailored nature of cyber policies?”

The war to find data breach coverage under commercial general liability (CGL) policies continues to rage.  In St. Paul Fire & Marine Insurance v. Rosen Millennium, Inc. et al., filed in March 2017 (M.D. Fla. 6:17-CV-00540), an insurer is seeking a declaration that neither the insured’s 2014-15 nor its 2015-16 CGL policy covers data breach costs and a couple million dollars’ worth of PCI fines.

In 2016, the insured, a hotel, discovered that its payment network had been compromised by malware between September 2014 and February 2016, resulting in the disclosure of customer credit card information.  The hotel first tendered to Beazley, its cyber insurer, but Beazley denied coverage on the ground that the “occurrence” happened prior to the applicable retroactive date of the hotel’s 2015-16 policy.  More on those notorious retro dates here.

The hotel turned to its CGL carrier, St. Paul, which denied coverage for a variety of reasons.  Two are especially noteworthy.  First, St. Paul argues that the ready and known availability of cyber insurance for data breach losses is itself an indication that CGL policies are not intended to cover those losses.  Second, St. Paul points out that the insured has actually purchased cyber insurance since 2015-16.  Relying on cases holding that courts should construe insurance policies so as not to find duplicative coverage, St. Paul argues that the CGL policies must be interpreted so as not to provide coverage for data breach losses because the insured’s Beazley policy did provide that coverage.

Like a brown-paper-bag-wrapped birthday present, the Fifth Circuit’s June 25th decision in Spec’s v. Hanover arrived in my in-box with a resounding ‘meh.’  You see, I get daily emails from Westlaw attaching opinions that may or may not implicate cyberinsurance coverage law.  I use the broadest search terms imaginable to make sure I don’t miss anything by being under-inclusive.  And when you ask for everything, you get, well, everything.  Most days I can tell from the caption of the attachment whether it’s a case I should read.  Most days, it isn’t.

But today the Fifth Circuit redefined the fairly typical contractual liability exclusion in the cyberinsurance context.  The fact pattern is common.  Retailer hires credit card processor.  The processor says, ‘ok, we’ll take your business, but you’ll sign a contract that makes you responsible if anything goes wrong.’  The retailer has no choice, because it needs a processor and they all use the same liability-shifting language in their contracts.  Then the data breach…

Following the breach, the Payment Card Industry (PCI) comes down on the processor with considerable fines and enhanced security requirements.  The processor passes both along to the retailer.  The retailer is in the hole, big time.

In Spec’s Family Partners v. The Hanover Insurance Company, the Southern District of Texas became the second court to grapple with the interaction among Payment Card Industry (PCI) fines, payment card processor contracts and the infamous contractual liability exclusion that is still present in many cyberinsurance policies.

You can read about the first court to do so here.  Spoiler: also no coverage.

Spec’s, a family-owned retail chain, suffered two data breaches of its payment card system resulting in the loss of customer information and credit card numbers.  Spec’s processed its credit transactions through a third party, First Data Merchant Services.  Following the breaches, First Data was fined almost $10 million by MasterCard and Visa.  First Data invoked the indemnification provision in its processor agreement and demanded that Spec’s pay the fines.

There have been relatively few confirmed cyber attacks resulting in substantial physical harm to property (other than computer hardware) and people.  The first known event involved the 2008-2010 infiltration of malware called “Stuxnet” into the Iranian networks that controlled uranium-enrichment centrifuges.  The malware caused the centrifuges to spin out of control, destroying about 20% of them.  Another involved a hacking attack on a German steel mill in 2014, causing a blast furnace to malfunction and resulting in massive damage.  Last year, an Iranian petrochemical company suffered a series of fires and explosions believed to have been caused by a hacking attack.  And for each of these types of events, there have been innumerable other attacks that could have but did not result in physical harm.

While underwriters still struggle to accurately quantify this risk, there is an increased willingness to enter the cyber-physical coverage market in different, and sometimes fairly creative, ways.  But this risk doesn’t only impact cyber coverage.  Cyber-physical attacks can have enormous consequences, with damages likely to far exceed the coverage provided by these new products.  These attacks can be coordinated across multiple geographic regions, they can impact many people and businesses across numerous economic sectors and they appear to be easier than ever to carry out anonymously.

The increased ease with which these attacks can be carried out coupled with the unprecedented level of harm they can cause requires likely targets to carefully explore the cyber-physical risk market.  These circumstances, however, also require renewed consideration of traditional coverages by those who may be impacted downstream and by those who might find themselves defendants when even cyber-physical coverage purchased by the targets of these attacks proves woefully insufficient in light of the extent of harm.  In fact, there are likely few companies that don’t need to revisit their entire insurance programs in light of the emerging cyber-physical risk.  Consider whether coverages and limits are still appropriate for cyber and traditional coverages.  This will get physical.
