Articles Posted in Policy Terms

Most of you are probably aware of the Hollywood Presbyterian Medical Center data breach.  On February 5, 2016, hackers froze the hospital out of its electronic patient records.  Reports have indicated that the hospital had no access to those records until it paid a $17,000 ransom almost two weeks later.  Over the past month, there have been at least 14 similar attacks reported by hospitals in California, Kentucky, D.C. and Maryland.  The critical nature of data security for heavily regulated healthcare institutions is nothing new, but the threat that hackers will encrypt health records for ransom – sort of the opposite of the more traditional threat of improper disclosure – is a relatively new risk.  It is one, however, that a cyberinsurance policy can cover.

“Can.”  Not necessarily “does.”

Policies have drawn a distinction between cyber extortion and other types of network security breaches.  At the most general level, there seems to be little difference.  It all starts with unauthorized access.  A “ransomware” attack, one form of cyber extortion, is different only with respect to what the hacker does after gaining network access – the hacker encrypts the data and demands payment to “unlock” the records.  Up until that payment demand, the event would likely fit within almost any cyberinsurance policy’s definition of a network security claim, or whatever term the policy uses to describe first party coverage for data breach response and remediation.

ALERT: Companies have been receiving emails and other electronic instructions to make payments or transfer funds that – oops – are not truly authorized to be paid or transferred.  This is fraud.  But is it “computer fraud”?

In Universal American Corp. v. National Union Fire Insurance Co. of Pittsburgh, PA., 25 N.Y.3d 675 (N.Y. Ct. App. June 25, 2015), it wasn’t.  New York’s highest court held that a “computer fraud” endorsement to a fidelity bond covered a hacker’s unauthorized “entry” into the insured’s computer system and subsequent fraudulent transfer of funds.  It did not, however, cover an authorized user’s input of information to transfer funds based on the receipt of fraudulent instructions to do so.  The policy defined “Computer Systems Fraud” as follows: “Loss resulting directly from a fraudulent (1) entry of Electronic Data or Computer Program into, or (2) change of Electronic Data or Computer Program within the Insured’s proprietary Computer System…provided that the entry of change causes (a) Property to be transferred, paid or delivered…”.  The court reasoned that a fraudulent “entry” was not the input of fraudulent data into the system, as had occurred, but the unauthorized penetration of the system by a third party – i.e., a hacker.  Since the fraudster never entered the insured’s computer system, the court concluded that there was no coverage.

In Apache Corporation v. Great American Insurance Co., 2015 WL 7709584 (S.D. Tex. Aug. 7, 2015), the court reached the opposite conclusion.  A “computer fraud” provision in a Crime Prevention Policy did cover an authorized user’s transfer of funds based on fraudulent email instructions.  The definition of “computer fraud” in this case, however, was the very language distinguished by the Universal American court as broader than the language there at issue: “We will pay for loss…resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the premises… (a) to a person…outside the premises; or (b) to a place outside the premises.”  The court reasoned that the email-centric nature of the fraud made computer use a “substantial factor” in causing the fraudulent transfer, and the insured therefore had coverage.

Health and Human Services’ (HHS) Office for Civil Rights recently issued a $239,000.00 HIPAA fine to Lincare, Inc.  I don’t know if the fine will be covered by cyberinsurance.  I don’t even know whether the company has cyberinsurance.

What I do know is that the fact pattern highlights a critical coverage issue for healthcare entities.  The Lincare breach did not involve electronic records.  An employee had stored physical records for 278 patients in his home.  When the employee moved, he left the records behind.  They were discovered by a third party who was – surprise – not authorized to access them.  Earlier this month, an administrative law judge affirmed the relatively hefty fine in light of the modest number of compromised records.

Had Lincare’s breach been of the electronic variety, a cyberinsurance policy with regulatory coverage would likely pick up the tab (dependent on policy language, of course).  The situation is more complicated when physical documents are involved.  There’s case law on how physical data breaches interact with other types of insurance, such as commercial general liability (CGL), but I’m not aware of any reported case determining whether a physical breach triggers cyberinsurance coverage (if you are, let me know).

And your policy may or may not have you covered.  If you want to know a little bit more (I know you do), follow this link to TheEmployerHandbook.com, where my colleague, Eric Meyer (aka “The Blog King,” aka “I’m Very Important,” aka “The Rock Star”) has graciously allowed me to guest post on the topic.  While you’re there, feel free to poke around and get some good information about employment law from a management-side employment attorney.  He’s much funnier than I am, in his not-that-humble opinion.

Commercial property and liability insurance policies typically contain exclusions for terrorist acts.  Terrorism exclusions became industry standard following 9/11, the largest single insured loss ever, with estimated damages between $30 – $70 billion.  With reinsurers thereafter making the terrorism exclusion a condition of reinsurance, primary carriers quickly adopted terrorism exclusions that are so common today that it’s pretty much taken for granted that policies will include them.

The London-based Cyber Risk and Insurance Forum (CRIF) recently offered two statistics illustrating why the same fait accompli attitude cannot be taken with respect to cyberinsurance.  CRIF reported that 58% of hacking activity emanates from entities or individuals that could be characterized as terrorists, or “hacktivists,” meaning that the breach had political, social, religious or other similar motivations.  CRIF further reported that in the London market, nearly 80% of policies examined excluded this type of risk.  Simply stated, a majority of policies did not cover a majority of the relevant risk.

There is no case law illustrating what is and what isn’t cyber terrorism.  There have, however, been headline grabbing hacks that carriers would likely view as within the scope of a terrorism exclusion.  In 2014, the “Guardians of Peace” hacked into Sony Entertainment’s network and threatened 9/11 style attacks at theaters that showed the film, “The Interview,” a movie premised upon an assassination attempt on North Korean Supreme Leader Kim Jong-un.  Sony cancelled the movie release and President Obama increased sanctions on North Korea.

If this post gets lost amid the too-good-to-be-true Cyber Monday deals and e-mail ambushes, it won’t be a complete surprise but would be something of a shame.  Since arriving on the holiday shopping scene in 2005, Cyber Monday has become one of the biggest shopping days of the year.  In 2014, consumers spent $2.68 billion shopping on-line, and the average transaction was only about a hundred bucks.  I’m not great at math – a lot of lawyers aren’t – but that is a lot of transactions.  A lot of credit card numbers.  Physical addresses.  E-mail addresses.  A lot of data with significantly more resale value than the Tickle-Me-Elmo that still intermittently tee-hees from a cardboard box in your attic.

Which brings us neatly to a simple tip about retroactive dates: Policyholders should negotiate retroactive dates prior to Cyber Monday and, for that matter, Black Friday.

A retroactive date is the time point identified in an insurance policy to serve as a gatekeeper of sorts.  Events that occurred prior to that date, no matter when a resulting claim is made, are not covered.  When it comes to cyberinsurance, and really any insurance, it’s in the policyholder’s interest to push that date back as far as possible.  But it may be in the margins where the real difference is made.  Most people think of retroactive dates in terms of the number of years back a policy will go in terms of the triggering event.  Policyholders, however, should be equally attuned to key days, weeks and months of the year when the opportunity for cybercrime is most pronounced – i.e., right now.

Let’s play a word association game.  What is the first word that comes to mind when I say the phrase, “data breach”?  If you thought, “hacking,” you’re not the only one.  But according to many accounts, hacking accounts for only about a third of data breaches.

Plain old theft, in its more traditional, purse-snatching form, accounts for another ten percent of breaches.  While laptop theft is the most common cause in this context, there have been many data breaches in the past year caused by the theft of desktop computers, thumb drives and, of course, smart phones.  Obviously, thumb drives and phones are the easiest to snatch.  They are also increasingly becoming key operational elements in nearly every industry, and I expect the number of breaches caused by their theft to likewise trend upward.  Another ten percent of breaches are caused by “malicious insiders,” disgruntled current or former employees who damage or sell data for all of the obvious reasons.

You probably haven’t raised an eyebrow yet.  But we’ve only covered the causes of about half of data breaches.  What about the other half?
