Articles Posted in Legal Developments

On May 31, 2016, the U.S. District Court for the District of Arizona held that P.F. Chang’s obligation to pay its credit card processor nearly $2M following a 2014 data breach was contractual, and therefore not covered under its cyberinsurance policy.  Ouch.  Let’s back up.

In 2014, hackers posted the credit card numbers of 60,000 P.F. Chang’s customers on the internet.  P.F. Chang’s had a Chubb cyberinsurance policy in place, for which it paid a $134,052.00 annual premium.  Chubb paid P.F. Chang’s $1.7M in policy benefits to cover forensic investigation, litigation defense and other costs, but that was less than half of the cost of this breach.

Really?  Yes, really.

FYI, NBD is “internet slang” for “no big deal.”  “Internet slang” is what my little brother uses in text messages.

Anyway.

Last week, the Fourth Circuit affirmed an Eastern District of Virginia ruling that Travelers had a duty to defend Portal Healthcare Solutions with respect to a class action data breach lawsuit filed after patients found their medical records online, sans permission.  The opinion analyzed a commercial general liability policy (CGL), specifically the “publication” issue that was also at the forefront in the 2015 Sony Playstation coverage dispute.  In Sony, a New York City trial court held that CGL carriers had no duty to defend a data breach class action, a ruling many saw as a sign that the days of finding data breach coverage in CGL policies was coming to an end.  There have therefore been a number of commentators suggesting that Travelers is a pendulum swing in the other direction, a sign that the viability of data breach coverage under CGL policies remains.

ALERT: Companies have been receiving emails and other electronic instructions to make payments or transfer funds that – oops – are not truly authorized to be paid or transferred.  This is fraud.  But is it “computer fraud”?

In Universal American Corp. v. National Union Fire Insurance Co. of Pittsburgh, PA., 25 N.Y.3d 675 (N.Y. Ct. App. June 25, 2015), it wasn’t.  New York’s highest court held that a “computer fraud” endorsement to a fidelity bond covered a hacker’s unauthorized “entry” into the insured’s computer system and subsequent fraudulent transfer of funds.  It did not, however, cover an authorized user’s input of information to transfer funds based on the receipt of fraudulent instructions to do so.  The policy defined “Computer Systems Fraud” as follows: “Loss resulting directly from a fraudulent (1) entry of Electronic Data or Computer Program into, or (2) change of Electronic Data or Computer Program within the Insured’s proprietary Computer System…provided that the entry of change causes (a) Property to be transferred, paid or delivered…”.  The court reasoned that a fraudulent “entry” was not the input of fraudulent data into the system, as had occurred, but the unauthorized penetration of the system by a third party – i.e., a hacker.  Since the fraudster never entered the insured’s computer system, the court concluded that there was no coverage.

In Apache Corporation v. Great American Insurance Co., 2015 WL 7709584 (S.D. Tex. Aug. 7, 2015), the court reached the opposite conclusion.  A “computer fraud” provision in a Crime Prevention Policy did cover an authorized user’s transfer of funds based on fraudulent email instructions.  The definition of “computer fraud” in this case, however, was the very language distinguished by the Universal American court as broader than the language there at issue: “We will pay for loss…resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the premises… (a) to a person…outside the premises; or (b) to a place outside the premises.”  The court reasoned that the email-centric nature of the fraud made computer use a “substantial factor” in causing the fraudulent transfer, and the insured therefore had coverage.

It’s been four months since the EU invalidated the Safe Harbor agreement that had been allowing US companies to transfer data into and out of the EU despite the EU’s more stringent privacy laws.  I wrote about that here.

In the ensuing clusterkerfuffle (trademarked term), US companies have scrambled to adopt policies incorporating the EU’s Model Contractual Clauses.  These clauses, however, have given rise to complicated issues of interpretation, particularly with respect to the distinction between “data processors” and “data controllers.”  These designations drive the applicability of particular clauses and dictate the range of responsibilities of parties dealing in EU data.  As companies have struggled to define themselves in this context, most have been holding out hope for a clearer, more streamlined arrangement akin to the prior EU/US safe harbor agreement.

Well, it’s here.  Sort of.

Yes, I’m late to the party.  President Obama signed the Cybersecurity Act of 2015 into law over a month ago.  Plenty of ink has already been spilled about it.  The act encourages, but does not require, companies to share information about data breaches and responses with each other and with the federal government.  Most of the ‘controversy’ has centered on the act’s perceived lack of privacy protections for individuals whose information is shared.

Yawn.

Privacy is important.  Measures should be taken to protect individuals’ data, and the act does include at least some level of protection.  Whether it’s enough remains to be seen.

There are few cases interpreting stand-alone cyberinsurance policies.  So, when there is a development in one of them, however unrelated to the novel construction issues raised by these new(ish) policies, it’s worth a word.  Or 350.

Travelers v. Federal Recovery Services, Inc. (D. Utah No. 2:14-CV-170) is not a remarkably interesting case.  It was one of the first times that a court issued a written opinion deciding whether a claim implicating electronic data misuse was covered by a cyberinsurance policy.  But the Court found that the insured’s intentional withholding of the data from its rightful owner triggered an exclusion barring coverage for the insured’s intentional misconduct.  A CGL decision in cyber-clothing.

Armed with the court’s holding that Travelers had no duty to defend or indemnify, Travelers filed a motion for summary judgment.  In the bag, right?

I frequently hear that cyberinsurance decisions are made solely by Risk Managers.  In the typical circumstance, that makes sense.  Risk Managers manage risk.  But cyberliability, at this stage, is not a universe of typical circumstances.

The nature of the risk is new and rapidly changing.  Actuarial data is sparse.  Carriers and Risk Managers frequently have incomplete understandings of insureds’ IT infrastructure and exposure.  As a result, unlike the standard policy forms that have evolved over decades in other contexts, cyberinsurance policies are all over the place in terms of coverage grants and exclusions.  Amid this lack of uniformity, many insureds likely have coverage that is inappropriate or incomplete.

There is good news.

In the European Union, data privacy is a fundamental right.  Think life, liberty and the sanctity of your Gmail inbox.  The EU’s data privacy laws are therefore more stringent than similar laws in the United States.  From 1995, when the EU’s laws came into effect, until 2000, this was a big problem for US companies doing business internationally.  Compliance with stricter data privacy laws is expensive, logistically difficult, and – well – really, really expensive.

On July 26, 2000, everything changed.  The European Commission adopted the “Safe Harbor Adequacy Decision.”  This allowed US companies to opt-in a self-certify that they complied with a stipulated set of US/EU data privacy standards.

On October 6, 2015, everything changed.  Again.

private-keep-out-sign.jpg
Beware of the checks your on-line privacy and security policies write. If your you-know-whats can’t cash them, plaintiffs might.

Increasingly, plaintiffs are filing lawsuits after “hackers” access their personal information through undersecured websites or electronic databases. Almost every company holds some type of customer information in electronic form. As companies enhance their web presences, many have posted security and privacy policies. If you’re a business owner, you likely have one (if you don’t, you should). And if you’ve ever used the internet (if you haven’t, you’re not reading this article), you’ve seen links to these at the bottom of web pages, and you’ve probably ignored them. I certainly have.

Here’s the problem for businesses – hackers are hard to find and are usually judgment proof. If your data security is breached, and if your customers want to sue somebody, they are going to sue you.