Articles Posted in Policy Terms

Sexy title, I know.  Here’s the thing – this is a big deal.  Particularly for employers, and likely for any entity that collects and stores personal data, the law in Pennsylvania just changed dramatically.

First, a bit of law 101.  The “economic loss rule” is a legal concept that recognizes the division of the law into essentially two worlds: tort (i.e., negligence) and contract.  Under the rule, no claim exists for negligence that results solely in economic damages without physical injury or property damage.  Example:  You pay a painter to paint your house.  He doesn’t.  You want to sue for everything, including the emotional distress that comes with living in a home the color of which does not reflect the “real you.”  But you (probably) can’t.  Under the economic loss rule, the economic injury suffered when you paid for nothing does not give rise to a negligence claim or to the broader range of damages that may be recoverable in tort.  You’re stuck with a breach of contract claim for your money back and maybe the increased cost of hiring somebody else to paint your house.  There are exceptions and nuances, but that’s all you need to know for this post.

Courts have reached different conclusions as to whether the economic loss rule bars negligence claims for financial losses caused by data breaches.  And some states don’t even recognize an independent tort duty to support a negligence claim for a data breach that is accompanied by physical damage (say, to your hardware).  The United States District Court for the District of Minnesota examined this state-by-state variation in the Target data breach class action.  The court held that, at least as of 2014, negligence claims for data breaches were barred by the economic loss rule in Alaska, California, Illinois, Iowa, Massachusetts and…Pennsylvania.  As for class members from the District of Columbia, Georgia, Idaho, New Hampshire and New York, the law was still sufficiently unsettled in those jurisdictions that their negligence claims survived Target’s motion to dismiss.

Yesterday, I wrote about the application of the “voluntary parting” exclusion in Schmidts v. Travelers, a 2015 case out of the Southern District of Ohio.  If you couldn’t tell, I didn’t agree with the result.

The Sixth Circuit offered a more reasoned and more recent view of insurance coverage for email/wire scams in American Tooling Center, Inc. v. Travelers (July 13, 2018).  An American manufacturer received an email purportedly from its Chinese subcontractor.  The sub said that the next payment should be wired to a new bank account due to an ongoing audit.  The company wired the money.  The sub emailed again, saying there was a problem with the account and asking for a new wire to a different account.  This happened four times.  $834,000 later, the real sub started asking where its payment was…

The company sought coverage under its Wrap+ business insurance, which contained “computer fraud” coverage.  It read: “The Company will pay the Insured for the Insured’s direct loss of…Money…directly caused by Computer Fraud.”  The policy defined “computer fraud” as the “use of any computer to fraudulently cause a transfer of Money…”.

It’s (approximately) the ides of National Cybersecurity Awareness Month.  Yes, it’s a thing.  A 15-year-old thing.  Appropriately, I spent last night at a cybersecurity seminar hosted by Citrin Cooperman (thanks, by the way).  It sparked this first of a two-part blog post about the “voluntary parting” exclusion.  Get your popcorn ready.

First, the scene.  We’re at the Union League in Philadelphia.  It’s kind of dark, because it’s always kind of dark in there.  Everyone is wearing coats, because everyone has to wear coats there.  Despite the lighting and formality (to which I should really be more accustomed in my 11th year as a lawyer), the panel is exceptional.  An ethical hacker demonstrates the ease with which he can figure out all of our passwords using software that makes billions of guesses per second.  A valuation expert explains the process of quantifying cyber incident losses.  Of most interest to me, the general counsel of a sophisticated insurance brokerage offers specific claims insights (no names, of course).

Consistent with the narrative that many of us are hearing, she emphasizes that carriers are by and large responding quickly to, and paying, the majority of cyber claims.  So, I ask: “Are there any exclusions that you are seeing create some deviation from that narrative, maybe exclusions that could be addressed during the front-end application process given the tailored nature of cyber policies?”

Like a brown-paper-bag-wrapped birthday present, the Fifth Circuit’s June 25th decision in Spec’s v. Hanover arrived in my in-box with a resounding ‘meh.’  You see, I get daily emails from Westlaw attaching opinions that may or may not implicate cyberinsurance coverage law.  I use the broadest search terms imaginable to make sure I don’t miss anything by being under-inclusive.  And when you ask for everything, you get, well, everything.  Most days I can tell from the caption of the attachment whether it’s a case I should read.  Most days, it isn’t.

But today the Fifth Circuit redefined the fairly typical contractual liability exclusion in the cyberinsurance context.  The fact pattern is common.  Retailer hires credit card processor.  The processor says, ‘ok, we’ll take your business, but you’ll sign a contract that makes you responsible if anything goes wrong.’  The retailer has no choice, because it needs a processor and they all use the same liability-shifting language in their contracts.  Then the data breach…

Following the breach, the Payment Card Industry (PCI) comes down on the processor with considerable fines and enhanced security requirements.  The processor passes both along to the retailer.  The retailer is in the hole, big time.

The 2018 Verizon Data Breach Investigations Report indicates that in the education industry (yes, it’s an industry), the most prevalent type of data breach is “social attacks.”  What’s a social attack?

Phishing is a social attack.  That’s when you get an email with a link or attachment that just begs to be clicked.  And clicking is the functional equivalent of leaving your front door open when you go on vacation.

A more nuanced social attack is now referred to as “pretexting.”  This is sort of like phishing, though it involves more detailed back-and-forth dialogue with the malicious actor, who often takes on a specific persona to facilitate the scheme.  As Verizon more eloquently explains, pretexting is the “creation of a false narrative to obtain information or influence behavior.”  Think impersonating executives or your Facebook friends.

On Tuesday, I was privileged to be part of a panel discussing cyberinsurance for public pension funds at Kessler Topaz’s Evolving Fiduciary Obligations for Institutional Investors conference, joining Victoria Hale, General Counsel of the Denver Employees Retirement Plan, and pension attorney Chris Waddell.  We emphasized that the cyberinsurance procurement process is unique as compared to the renewal of traditional lines.  The coverage is highly negotiable and definitely not one-size-fits-all.  Here are a few pension-fund specific tips.

First, make sure intentional employee misconduct is covered.  Insider misuse is among the most prevalent causes of data breaches for financial and public institutions.  Yet, because cyberinsurance forms largely trace their roots back to commercial general liability policies, some of them still contain the traditional ‘intentional acts’ exclusion that bars coverage for an insured’s intentional misconduct.  To make sure that your policy covers one of the most common breach causes, push back on this exclusion.  Carriers will typically agree to a carve-out for ‘rogue employees,’ or will limit the definition of “insured” to employees only when acting within the scope of their employment.  Either should leave coverage intact when employees purposefully misbehave.

Second, be wary of cyber-endorsements to E&O and D&O policies.  These endorsements are presented as low-cost alternatives to stand-alone cyberinsurance, but, as I covered here, you may be purchasing dangerously limited coverage.  Many of these endorsements cover only third-party risks – i.e., the class action lawsuit filed by individuals whose data has been compromised.  This is likely not the most significant risk faced by funds.  In fact, the most expensive elements of a data breach for public and financial institutions are legal advice for breach notification, forensic IT work to identify the problem and fix it, and the breach notification itself, which generally costs $2-3 per notice recipient.  Cyber-endorsements can be inexpensive, but they are only valuable if they contain an appropriate mix of first- and third-party coverages, the former of which must include breach coaching, IT response and breach notification.

There have been relatively few confirmed cyber attacks resulting in substantial physical harm to property (other than computer hardware) and people.  The first known event involved the 2008-2010 infiltration of a computer virus called “Stuxnet” into Iranian networks that controlled nuclear centrifuges.  The virus caused them to spin out of control, destroying about 20% of them.  Another involved a hacking attack on a German steel mill in 2014, causing a blast furnace to malfunction and resulting in massive damage.  Last year, an Iranian petrochemical company suffered a series of fires and explosions believed to have been caused by a hacking attack.  And for each of these types of events, there have been innumerable other attacks that could have but did not result in physical harm.

While underwriters still struggle to accurately quantify this risk, there is an increased willingness to enter the cyber-physical coverage market in different, and sometimes fairly creative, ways.  But this risk doesn’t only impact cyber-coverage.  Cyber-physical attacks can have enormous consequences, with damages likely to exponentially exceed the coverage provided by these new products.  These attacks can be coordinated across multiple geographic regions, they can impact many people and businesses across numerous economic sectors and they appear to be easier than ever to anonymously effectuate.

The increased ease with which these attacks can be carried out coupled with the unprecedented level of harm they can cause requires likely targets to carefully explore the cyber-physical risk market.  These circumstances, however, also require renewed consideration of traditional coverages by those who may be impacted downstream and by those who might find themselves defendants when even cyber-physical coverage purchased by the targets of these attacks proves woefully insufficient in light of the extent of harm.  In fact, there are likely few companies that don’t need to revisit their entire insurance programs in light of the emerging cyber-physical risk.  Consider whether coverages and limits are still appropriate for cyber and traditional coverages.  This will get physical.


Stand-alone cyberinsurance is a critical component of enterprise risk management.  But even companies with traditional and cyber coverage may, and usually do, have gaps in coverage created by what I’ve referred to as the ‘hot potato’ problem.  This is when neither the cyber policy nor the relevant traditional coverage is truly designed for a relatively new kind of risk.

One example is physical damage caused by cyber events.  Particularly as the Internet of Things increases the connectivity of physical devices, cyber attacks can hurt people and property.  Cyberinsurance likely covers network security failures and unauthorized access to these devices, but ‘standard’ cyber policies typically exclude coverage when these events result in physical damage.  And property and casualty policies that would otherwise cover physical harm generally exclude damages arising out of cyber events.  Rock, meet hard place.

Gap, meet AIG’s Cyber Edge products.  These products are designed to fill this gap by, in addition to covering the relatively standard range of cyber risks, including the ability to add coverage for cyber events that cause physical damage to people or property.

This article was first published in the Fall 2016 issue of “The Bulletin,” a quarterly newsletter published by Kessler Topaz Meltzer & Check, a renowned law firm representing institutional investors and classes in securities, shareholder and other complex litigation.  I’ve included the full publication on my Resources page.

Find me a centralized repository of personal, financial and health information, and I will find you millions of attempts per day to access, steal or corrupt it. Even absent a malicious actor, there is an increasing likelihood that private data will be inadvertently made public.  This is our world.

First, I have to say that Paul Stockman at McGuireWoods has beaten me to the punch in his article, “Cyber Risk ‘IRL’.”  So, read that.

Stockman addresses a coverage issue I’ve noted in cyber policies across carriers.  They tend to say something like: “The Company shall not be liable for Loss on account of any Claim or for any Expense…for bodily injury…or damage to or destruction of any tangible property.”  Carrier’s position: If the data breach or malware attack causes an explosion, that’s on somebody else.  My take – well, it would depend on the facts, the policy wording and the state of the law in the relevant jurisdiction.  Of course.

It’s now clear, however, that cyber attacks can do more than corrupt and steal electronic data.  Cyber attacks can also result in machine malfunctions that cause physical harm ‘IRL,’ or ‘in real life.’  Consider a hacker taking control of an HVAC system, or a car, or a nuclear centrifuge (it separates uranium isotopes to make nuclear bombs).  The result, IRL: broken stuff, injured people, damage.