Articles Posted in Policy Terms

Here is how it is supposed to work.  Something bad happens.  You’re insurance company pays for it.  Then, your carrier sues the bad guy who harmed you.  That’s subrogation.

In the data breach context, this timeless construct presents numerous challenges.  The most notable is the difficulty associated with finding the bad guys.  But that isn’t your problem.

The contract you have with your data hosting service, credit card processor or other vendor, on the other hand, might very much be your problem.  You probably pay a monthly fee.  Depending on the size of your company, that fee is probably a modest amount.  For smaller organizations, it might only be $20 or so per month.  Now, consider what this vendor is holding – all of your data.  Yikes.

Cyberinsurance policies typically provide first and third party coverage.  First party coverage relates to an insured’s own expenses in investigating and remediating a data breach, and recovering the insured’s data and other information assets.  Third party coverage kicks in when customers and regulators seek to hold the insured accountable for the breach.

But we know this already, right?

We also know that underwriters started with commercial general liability (CGL) forms when they started writing cyber policies because, well, it was the closest thing they had on file and nobody likes to start from scratch.  I’ve previously discussed how this has led to some CGL provisions spilling into cyber policies even though they really don’t belong.  The contractual liability exclusion, the acts of war/terror exclusions, etc.

On May 31, 2016, the U.S. District Court for the District of Arizona held that P.F. Chang’s obligation to pay its credit card processor nearly $2M following a 2014 data breach was contractual, and therefore not covered under its cyberinsurance policy.  Ouch.  Let’s back up.

In 2014, hackers posted the credit card numbers of 60,000 P.F. Chang’s customers on the internet.  P.F. Chang’s had a Chubb cyberinsurance policy in place, for which it paid a $134,052.00 annual premium.  Chubb paid P.F. Chang’s $1.7M in policy benefits to cover forensic investigation, litigation defense and other costs, but that was less than half of the cost of this breach.

Really?  Yes, really.

Those new, old-school Air Jordans are retro cool (and I have them).  Those new cyberinsurance retroactive dates – eh.

I blogged about retroactive dates here.  Reminder: an insurance policy retroactive date is the day prior to which otherwise covered occurrences are not covered.  In the first policy placed with a particular carrier, this will usually be the policy’s inception date as well.  In my prior post, I discussed the problem of data breaches that occur prior to the retroactive date, but which are not discovered (and litigated, regulated, remediated etc.) until after that date.  Since many data breaches are not immediately discovered, this sequence could seriously impact coverage, particularly for new entrants to the market.

Here’s another twist.  What about the alleged “wrongful act” that purportedly caused the breach (the “occurrence” if you want to get technical about it)?  A plaintiff or regulator may contend that the “wrongful act” was the failure to implement particular security measures, and that may have occurred years before the breach.  If the policy ties the retroactive date to not only the “occurrence,” but also the”wrongful act” that did or allegedly caused it, double whammy.  And because the wrongful act could be at least alleged to have occurred at any time, this language could be placing coverage determinations in the hands of plaintiffs and regulators.  Dangerous.

FYI, NBD is “internet slang” for “no big deal.”  “Internet slang” is what my little brother uses in text messages.

Anyway.

Last week, the Fourth Circuit affirmed an Eastern District of Virginia ruling that Travelers had a duty to defend Portal Healthcare Solutions with respect to a class action data breach lawsuit filed after patients found their medical records online, sans permission.  The opinion analyzed a commercial general liability policy (CGL), specifically the “publication” issue that was also at the forefront in the 2015 Sony Playstation coverage dispute.  In Sony, a New York City trial court held that CGL carriers had no duty to defend a data breach class action, a ruling many saw as a sign that the days of finding data breach coverage in CGL policies was coming to an end.  There have therefore been a number of commentators suggesting that Travelers is a pendulum swing in the other direction, a sign that the viability of data breach coverage under CGL policies remains.

You probably are not.  The FBI, however, is reporting that an increasing number of cybercriminals are running “business e-mail compromise” scams.  A “B.E.C.” is when someone misuses social media or electronic credentials to assume the identity of a high level executive or trusted employee/consultant and then, posing as that person, requests fraudulent wire transfers from others inside the company.  The FBI reports that law enforcement has received reports of this activity in every state, that in the past three years there have been an estimated 17,642 victims and that the cost of these scams likely exceeds $2.3 billion over that span.

Whoa.

Now, remember when I told you that some of these fake e-mails scams were not being treated as covered occurrences?  The treatment of a claim like this sometimes depends on whether the sender of funds is an authorized user, and whether the loss is therefore not the result of a ‘network security failure’ or ‘unauthorized network access.’  Without “unauthorized access,” coverage may be hard to come by.  But the B.E.C. is an interesting twist on the familiar ‘fake e-mail from real bank customer’ scam.  In the context of a B.E.C., there arguably is an unauthorized use or entry – the assumption of an internal figure’s identity to cause another internal figure to aid the fraud.

Most of you are probably aware of the Hollywood Presbyterian Medical Center data breach.  On February 5, 2016, hackers froze the hospital out of its electronic patient records.  Reports have indicated that the hospital had no access to those records until it paid a $17,000 ransom almost two weeks later.  Over the past month, there have been at least 14 similar attacks reported by hospitals in California, Kentucky, D.C. and Maryland.  The critical nature of data security for heavily regulated healthcare institutions is nothing new, but the threat that hackers will encrypt health records for ransom – sort of the opposite of the more traditional threat of improper disclosure – is a relatively new risk.  It is one, however, that a cyberinsurance can cover.

“Can.”  Not necessarily “does.”

Policies have drawn a distinction between cyber extortion and other types of network security breaches.  At the most general level, there seems to be little difference.  It all starts with unauthorized access.  A “ransomware” attack, one form of cyber extortion, is different only with respect to what the hacker does after gaining network access – the hacker encrypts the data and demands payment to “unlock” the records.  Up until that payment demand, the event would likely fit within almost any cyberinsurance policy’s definition of a network security claim, or whatever term the policy uses to describe first party coverage for data breach response and remediation.

ALERT: Companies have been receiving emails and other electronic instructions to make payments or transfer funds that – oops – are not truly authorized to be paid or transferred.  This is fraud.  But is it “computer fraud”?

In Universal American Corp. v. National Union Fire Insurance Co. of Pittsburgh, PA., 25 N.Y.3d 675 (N.Y. Ct. App. June 25, 2015), it wasn’t.  New York’s highest court held that a “computer fraud” endorsement to a fidelity bond covered a hacker’s unauthorized “entry” into the insured’s computer system and subsequent fraudulent transfer of funds.  It did not, however, cover an authorized user’s input of information to transfer funds based on the receipt of fraudulent instructions to do so.  The policy defined “Computer Systems Fraud” as follows: “Loss resulting directly from a fraudulent (1) entry of Electronic Data or Computer Program into, or (2) change of Electronic Data or Computer Program within the Insured’s proprietary Computer System…provided that the entry of change causes (a) Property to be transferred, paid or delivered…”.  The court reasoned that a fraudulent “entry” was not the input of fraudulent data into the system, as had occurred, but the unauthorized penetration of the system by a third party – i.e., a hacker.  Since the fraudster never entered the insured’s computer system, the court concluded that there was no coverage.

In Apache Corporation v. Great American Insurance Co., 2015 WL 7709584 (S.D. Tex. Aug. 7, 2015), the court reached the opposite conclusion.  A “computer fraud” provision in a Crime Prevention Policy did cover an authorized user’s transfer of funds based on fraudulent email instructions.  The definition of “computer fraud” in this case, however, was the very language distinguished by the Universal American court as broader than the language there at issue: “We will pay for loss…resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the premises… (a) to a person…outside the premises; or (b) to a place outside the premises.”  The court reasoned that the email-centric nature of the fraud made computer use a “substantial factor” in causing the fraudulent transfer, and the insured therefore had coverage.

Health and Human Services’ (HHS) Office for Civil Rights recently issued a $239,000.00 HIPAA fine to Lincare, Inc.  I don’t know if the fine will be covered by cyberinsurance.  I don’t even know whether the company has cyberinsurance.

What I do know is that the fact pattern highlights a critical coverage issue for healthcare entities.  The Lincare breach did not involve electronic records.  An employee had stored physical records for 278 patients in his home.  When the employee moved, he left the records behind.  They were discovered by a third party who was – surprise – not authorized to access them.  Earlier this month, an administrative law judge affirmed the relatively hefty fine in light of the modest number of compromised records.

Had Lincare’s breach been of the electronic variety, a cyberinsurance policy with regulatory coverage would likely pick up the tab (dependent on policy language, of course).  The situation is  more complicated when physical documents are involved.  There’s case law on how physical data breaches interact with other types of insurance, such as commercial general liability (CGL), but I’m not aware of any reported case determining whether a physical breach triggers cyberinsurance coverage (if you are, let me know).

And your policy may or may not have you covered.  If you want to know a little bit more (I know you do), follow this link to TheEmployerHandbook.com, where my colleague, Eric Meyer (aka “The Blog King, ” aka, “I’m Very Important,” aka “The Rock Star“) has graciously allowed me to guest post on the topic.  While you’re there, feel free to poke around and get some good information about employment law from a management-side employment attorney.  He’s much funnier than I am, in his not-that-humble opinion.