Legal Developments

November 1, 2016

“The Danger of the Cyber Endorsement”

For relatively little expense, insureds can often add cyber endorsements to traditional CGL, professional liability or other insurance policies. On October 25, 2016, the Northern District of Alabama issued a decision in Camp’s Grocery, Inc. v. State Farm, one of the few decisions interpreting cyber coverage to date, that demonstrates why insureds should be wary of opting for cyber endorsements instead of stand-alone policies. Docket No. 4:16-cv-0204, 2016 WL 6217161.

Camp’s had a series of no good, very bad days. First, hackers accessed its network and compromised customers’ credit card, debit card and check card information. Yipes. Then, three credit unions sued Camp’s to recover card reissuance, fraud reimbursement and fraud prevention expenses. Double yipes. Finally, Camp’s tendered the claim to State Farm, which informed Camp’s that the Computer Programs and Electronic Data Extension of Coverage and related endorsements to its property and casualty policy only covered Camp’s first party data breach losses. The endorsements did not cover, in State Farm’s view, third party liability claims like the credit unions’.

The court agreed. It held that State Farm and no duty to defend or indemnify Camp’s with respect to the credit union lawsuit. It explained that “[i]nsurance contracts generally are assigned to one of two classes: either ‘first party coverage’ or ‘third party coverage’…’First party coverage’ pertains to loss or damage sustained by an insured to its property…In contrast, if the insurer’s duty to defend and pay runs to a third party claimant who is paid according to a judgment or settlement against the insured, then the insurance is classified as ‘third party insurance.’ Thus, wholly different interests are protected by ‘first-party coverage’ and ‘third-party coverage’.” In holding that Camp’s endorsements offered only first party coverage, the essentially held that Camp’s had no coverage since it was only attempting to deal with the credit unions’ third party claims.

September 12, 2016

“What’s on the Horizon in Privacy and Data Security?”

By Jordan M. Rand

Unless you already know the answer, you might want to check out a recent webinar presented by Angie Singer Keating (of the IT firm Reclamere), Brian Courtney (The Safegard Group, insurance brokerage), Renee Martin and little old me. You can check it out here. Enjoy!

July 28, 2016

“Ew All Over Again – The New, New US/EU Data Privacy Deal”

By Jordan M. Rand

If you are a United States company that processes or maintains data from individuals living in the European Union, this matters to you. The US/EU Data Privacy Shield self-certification process goes live on August 1, 2016. There lots of good information out there already, but there is also a good bit of scrambling to put in place a framework for companies that want to enroll in this new program. Do you want the high-level overview? Of course you do. Here is what Privacy Shield compliance will probably entail:

Revise your privacy policy to comply with the new requirements/language.
Select a third-party dispute mechanism to handle complaints from EU data subjects.

June 10, 2016

“P.F. Chang’s On the Hook for Contractual Liabilities”

By Jordan M. Rand

On May 31, 2016, the U.S. District Court for the District of Arizona held that P.F. Chang’s obligation to pay its credit card processor nearly $2M following a 2014 data breach was contractual, and therefore not covered under its cyberinsurance policy. Ouch. Let’s back up.

In 2014, hackers posted the credit card numbers of 60,000 P.F. Chang’s customers on the internet. P.F. Chang’s had a Chubb cyberinsurance policy in place, for which it paid a $134,052.00 annual premium. Chubb paid P.F. Chang’s $1.7M in policy benefits to cover forensic investigation, litigation defense and other costs, but that was less than half of the cost of this breach.

Really? Yes, really.

April 18, 2016

“Travelers v. Portal Healthcare Solutions – NBD”

By Jordan M. Rand

FYI, NBD is “internet slang” for “no big deal.” “Internet slang” is what my little brother uses in text messages.

Anyway.

Last week, the Fourth Circuit affirmed an Eastern District of Virginia ruling that Travelers had a duty to defend Portal Healthcare Solutions with respect to a class action data breach lawsuit filed after patients found their medical records online, sans permission. The opinion analyzed a commercial general liability policy (CGL), specifically the “publication” issue that was also at the forefront in the 2015 Sony Playstation coverage dispute. In Sony, a New York City trial court held that CGL carriers had no duty to defend a data breach class action, a ruling many saw as a sign that the days of finding data breach coverage in CGL policies was coming to an end. There have therefore been a number of commentators suggesting that Travelers is a pendulum swing in the other direction, a sign that the viability of data breach coverage under CGL policies remains.

February 24, 2016

“Show Me the Money – Seriously, Because We Can’t Find It”

By Jordan M. Rand

ALERT: Companies have been receiving emails and other electronic instructions to make payments or transfer funds that – oops – are not truly authorized to be paid or transferred. This is fraud. But is it “computer fraud”?

In Universal American Corp. v. National Union Fire Insurance Co. of Pittsburgh, PA., 25 N.Y.3d 675 (N.Y. Ct. App. June 25, 2015), it wasn’t. New York’s highest court held that a “computer fraud” endorsement to a fidelity bond covered a hacker’s unauthorized “entry” into the insured’s computer system and subsequent fraudulent transfer of funds. It did not, however, cover an authorized user’s input of information to transfer funds based on the receipt of fraudulent instructions to do so. The policy defined “Computer Systems Fraud” as follows: “Loss resulting directly from a fraudulent (1) entry of Electronic Data or Computer Program into, or (2) change of Electronic Data or Computer Program within the Insured’s proprietary Computer System…provided that the entry of change causes (a) Property to be transferred, paid or delivered…”. The court reasoned that a fraudulent “entry” was not the input of fraudulent data into the system, as had occurred, but the unauthorized penetration of the system by a third party – i.e., a hacker. Since the fraudster never entered the insured’s computer system, the court concluded that there was no coverage.

In Apache Corporation v. Great American Insurance Co., 2015 WL 7709584 (S.D. Tex. Aug. 7, 2015), the court reached the opposite conclusion. A “computer fraud” provision in a Crime Prevention Policy did cover an authorized user’s transfer of funds based on fraudulent email instructions. The definition of “computer fraud” in this case, however, was the very language distinguished by the Universal American court as broader than the language there at issue: “We will pay for loss…resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the premises… (a) to a person…outside the premises; or (b) to a place outside the premises.” The court reasoned that the email-centric nature of the fraud made computer use a “substantial factor” in causing the fraudulent transfer, and the insured therefore had coverage.

February 10, 2016

“Ew Part II: EU/US Reach Privacy Shield Agreement”

By Jordan M. Rand

It’s been four months since the EU invalidated the Safe Harbor agreement that had been allowing US companies to transfer data into and out of the EU despite the EU’s more stringent privacy laws. I wrote about that here.

In the ensuing clusterkerfuffle (trademarked term), US companies have scrambled to adopt policies incorporating the EU’s Model Contractual Clauses. These clauses, however, have given rise to complicated issues of interpretation, particularly with respect to the distinction between “data processors” and “data controllers.” These designations drive the applicability of particular clauses and dictate the range of responsibilities of parties dealing in EU data. As companies have struggled to define themselves in this context, most have been holding out hope for a clearer, more streamlined arrangement akin to the prior EU/US safe harbor agreement.

Well, it’s here. Sort of.

January 27, 2016

“Bark But No Bite for Cybersecurity Act of 2015?”

By Jordan M. Rand

Yes, I’m late to the party. President Obama signed the Cybersecurity Act of 2015 into law over a month ago. Plenty of ink has already been spilled about it. The act encourages, but does not require, companies to share information about data breaches and responses with each other and with the federal government. Most of the ‘controversy’ has centered on the act’s perceived lack of privacy protections for individuals whose information is shared.

Yawn.

Privacy is important. Measures should be taken to protect individuals’ data, and the act does include at least some level of protection. Whether it’s enough remains to be seen.

January 14, 2016

“Cyberinsured Staying Alive – After Summary Judgment”

By Jordan M. Rand

There are few cases interpreting stand-alone cyberinsurance policies. So, when there is a development in one of them, however unrelated to the novel construction issues raised by these new(ish) policies, it’s worth a word. Or 350.

Travelers v. Federal Recovery Services, Inc. (D. Utah No. 2:14-CV-170) is not a remarkably interesting case. It was one of the first times that a court issued a written opinion deciding whether a claim implicating electronic data misuse was covered by a cyberinsurance policy. But the Court found that the insured’s intentional withholding of the data from its rightful owner triggered an exclusion barring coverage for the insured’s intentional misconduct. A CGL decision in cyber-clothing.

Armed with the court’s holding that Travelers had no duty to defend or indemnify, Travelers filed a motion for summary judgment. In the bag, right?

November 17, 2015

“There’s No C-I-O in T-E-A-M, And That’s A Problem”

By Jordan M. Rand

I frequently hear that cyberinsurance decisions are made solely by Risk Managers. In the typical circumstance, that makes sense. Risk Managers manage risk. But cyberliability, at this stage, is not a universe of typical circumstances.

The nature of the risk is new and rapidly changing. Actuarial data is sparse. Carriers and Risk Managers frequently have incomplete understandings of insureds’ IT infrastructure and exposure. As a result, unlike the standard policy forms that have evolved over decades in other contexts, cyberinsurance policies are all over the place in terms of coverage grants and exclusions. Amid this lack of uniformity, many insureds likely have coverage that is inappropriate or incomplete.

There is good news.