Eighth Circuit Holds Deposition Testimony Shows Adequate Notice Given for TCPA Exclusion

Yesterday, the U.S. Court of Appeals for the Eighth Circuit held that an insurer had provided adequate notice of the Distribution of Material exclusion in a renewal policy to make the exclusion enforceable in the context of an underlying Telephone Consumer Protection Act (TCPA) lawsuit. American Family Mutual Insurance Company v. Vein Centers for Excellence, Inc., 2019 U.S. App. LEXIS 98 (8th Cir. Jan. 3, 2019). What makes this decision interesting is that the insurer had to rely on deposition testimony to establish a standard business practice. As more and more plaintiffs’ attorneys are using lack of notice to argue that the Distribution of Material exclusion is ineffective, American Family illustrates an effective way to establish adequate notice where actual documentation may be lacking.

In American Family, the insured was sued in a putative class action for violation of the TCPA arising from the dissemination of unsolicited facsimiles. Id. at *2. The insured, Vein Centers, tendered the lawsuit to its insurer, which undertook the defense subject to a full reservation of rights. Id. The insurer thereafter commenced coverage litigation seeking a declaration that it had no duty to defend or indemnify, later adding the underlying named plaintiff to the lawsuit. Id. The parties cross-moved for summary judgment, with the insurer arguing that coverage was prohibited by the Distribution of Material exclusion (sometimes referred to as the TCPA exclusion). Id. at *3-4. The claimant argued that the exclusion was unenforceable because the insurer had failed to properly notify its insured of the exclusion’s addition when the policy had been renewed. Id. at *4. The trial court rejected the argument and granted the insurer summary judgment. Id.

This entry was posted in Uncategorized.

Vermont Supreme Court Holds “False Pretense” Exclusion Ambiguous in Phishing Scam

Last week, the Vermont Supreme Court in Rainforest Chocolate, LLC v. Sentinel Insurance Company, 2018 VT LEXIS 240 (Vt. Dec. 28, 2018), held that the “False Pretense” exclusion in a business-owner policy did not exclude loss from a phishing scam.

Rainforest Chocolate involved an underlying business email compromise (BEC), a category of phishing attacks whereby a third-party fraudster impersonates a trusted source to trick the email’s recipient into wiring money to them. The Vermont Supreme Court held that the exclusion was ambiguous given the different use of the terms “physical loss and physical damage” versus “loss and damage” throughout the provisions of the policy. The court then remanded the case for determination of whether the loss qualified under insuring agreements for Forgery, and for Money and Securities. This case illustrates another example of how factual scenarios found in phishing scams can create perceived uncertainties in coverage in older provisions, and courts’ intolerance for such uncertainties.

This entry was posted in Uncategorized.

Second Circuit Holds Phishing Email Using PHP Script is Covered “Computer Fraud”

Scams from business email compromises (BECs) have been labeled by the FBI as a “$5 billion” problem. Sometimes known as “CEO Fraud,” a BEC is a scheme in which an email, purportedly coming from a high-ranking company official or vendor, instructs an employee to wire a sum of money to a bank account, or instructs the employee to wire money owed to a new bank account. The company thereafter authorizes and wires the money to the new account, which is controlled by fraudsters. The fraudsters then withdraw the money before the fraud is discovered.

On July 6, 2018, the United States Court of Appeals for the Second Circuit, in Medidata Solutions, Inc. v. Federal Ins. Co., 17-2492 (July 6, 2018), became the first U.S. Court of Appeals to determine that a BEC perpetrated using a PHP script as a spoofing tool implicates “computer fraud” coverage under a crime policy.

This entry was posted in Counterfeiting, Data Breach Insurance Coverage.

No Coverage for Seafood Importer Netted in Phishing Scam

On April 16, 2018, Beazley Group issued a report highlighting increased attacks on Microsoft’s cloud-based business products and services. The report stated that successful attacks typically are achieved by tricking employees into opening spoofed emails with malicious links or fraudulent instructions designed to harvest credentials. These attacks allow hackers entry into the insured’s system, where they can search for personal information and bank records to initiate wire transfers or redirect payments to hacker-controlled bank accounts.

As serendipity would have it, the next day, the United States Court of Appeals for the Ninth Circuit affirmed a Washington federal court decision holding that a crime policy providing coverage for computer fraud did not cover financial loss for mis-wired payments resulting from a phishing scam. The case, Aqua Star United States Corporation v. Travelers Casualty and Surety Company of America, 2016 U.S. Dist. LEXIS 88985 (D. Wash. July 8, 2016), aff’d, 2018 U.S. App. LEXIS 9660 (9th Cir. Apr. 17, 2018), joins a growing collection of decisions denying computer fraud coverage for phishing scams and business email compromises.

This entry was posted in Uncategorized.

No Coverage for Data Breach Where Insured Isn’t Accused of Publishing

In Innovak Int’l, Inc. v. Hanover Ins. Co., the federal court for the Middle District of Florida recently held that an underlying data breach class action lawsuit did not implicate “personal and advertising injury” coverage because the insured was not the entity accused of publishing the compromised personal information (PI).

The decision is relevant not only because the court rejected claims for cyber coverage under a CGL policy, but also because it follows a recent trend in litigation over Coverage B: namely, if the insured is not the one accused of publishing the information at issue, there is no “personal and advertising liability” coverage. In other words, Coverage B does not apply to third-party publications, even if the insured is the entity ultimately sued. E.g., Steadfast Ins. Co. v. Tomei, 2016 Pa. Super. Unpub. LEXIS 1864, at *17 (Pa. Super. Ct. May 24, 2016); Zurich Am. Ins. Co. v. Sony Corp., No. 651982/2011 (N.Y. Supr. Ct. Feb. 21, 2014).

This entry was posted in Data Breach Insurance Coverage, Privacy Rights.

Payee Denied Computer Fraud Coverage in Email Phishing Scams

Business Email Scams (BEC) are becoming an increasing source of loss (think billions of dollars since 2013) to U.S. businesses, big and small. In Posco Daewoo Am. Corp. v. Allnex USA, Inc., 2017 U.S. Dist. LEXIS 180069 (D.N.J. Oct. 31, 2017), a payee whose invoices totaling $630,058 mistakenly were paid by a customer to a third party as a result of a phishing scam sought coverage for the loss under its own computer fraud coverage. A New Jersey federal district court held that no such coverage existed.

Posco Daewoo, which imported and exported chemicals, supplied its customer Allnex with a chemical product for which Allnex owed payment. In early 2016, an impostor posing as an employee of Posco Daewoo’s accounts receivable department sent emails to an employee of Allnex, instructing Allnex to wire payments to four separate Wells Fargo bank accounts. Id. at *2. Allnex, without confirming the authenticity of the email or the Wells Fargo bank accounts, wired three separate payments to the Wells Fargo accounts, totaling $630,058. Id. After the fraud was discovered, Allnex recovered $262,444 of the stolen $630,058. The remaining $367,613.46 was not recovered. Id. at *3. Posco Daewoo alleged that Allnex still owed it the remaining $367,613.46 to satisfy the original outstanding receivables. Allnex, on the other hand, contended that the unrecovered wire payments satisfied the balance it owed to Posco Daewoo. Id.

This entry was posted in Uncategorized.

NAIC Passes Model Law for Insurers and Brokers on Cybersecurity

By Joshua Mooney and Laura Schmidt

On October 24, 2017, the National Association of Insurance Commissioners (NAIC) passed its Insurance Data Security Model Law, intended to serve as model legislation for states to enact in order to govern cybersecurity and data protection practices of insurers, insurance agents, and other licensed entities registered under state insurance laws (defined therein as Licensees).

This entry was posted in Data Breach Insurance Coverage, Privacy Rights.

Court Holds No Insurance Coverage for Phishing Scam

Yesterday, a federal court held that a company’s financial losses for mis-wiring funds as a result of a phishing scam were not covered under a computer crime insurance policy. The decision, American Tooling Ctr. v. Travelers Cas. & Sur. Co. of Am., No. 16-12108 (E.D. Mich. Aug. 1, 2017), is another case in which financial losses resulting from a phishing scam were held to be unrecoverable under insurance.

In that case, the insured, American Tooling Center (“ATC”), was a tool and die manufacturer that outsourced some of its work to other die manufacturing companies overseas, including a vendor called Shanghai YiFeng Automotive Die Manufacture Co., Ltd. (“YiFeng”). As part of its normal business practice, ATC issued purchase orders to YiFeng, which in turn manufactured the requested dies. ATC paid YiFeng in stages based upon completion of certain milestones. To receive payment, YiFeng submitted its invoices to ATC by email. Once ATC verified that the milestone had been met, it wired the appropriate payment to YiFeng. Id. at 2.

This entry was posted in Data Breach Insurance Coverage.

PA Court: Employers Have No Duty To Protect Employee PI

In Dittman v. UPMC d/b/a The University of Pittsburgh Medical Center, 2017 PA Super. 8 (Jan. 12, 2017), the Superior Court of Pennsylvania held that an employer does not owe employees a duty to protect and safeguard personal and financial information from disclosure in a data breach resulting from an intrusion in its computer network. While Dittman represents an important decision in emerging case law that declines to impose upon employers a common-law duty to protect employee information, the decision has important limitations. Those limitations may be exploited in future employment litigation and further illustrate the need for companies to adequately review their cybersecurity protocols with the assistance of cyber counsel.

The facts of Dittman are straightforward. In 2014, University of Pittsburgh Medical Center (UPMC) suffered a data breach that compromised the personal and financial information of approximately 62,000 current and former employees. Dittman, slip op. at 1-2. The stolen information included employees’ names, birth dates, social security numbers, tax information, addresses, salaries, and bank information. The information later was used to file fraudulent tax returns to steal the tax refunds. Id. at 2. Soon after UPMC announced the breach, two separate class action lawsuits were filed against the company. One lawsuit was comprised of current and former UPMC employees who had been victimized by identity theft; the other lawsuit involved current and former UPMC employees who had not been victims of identity theft, and instead alleged that they were at an increased risk of identity theft as a result of the data breach. Id. at 3.

This entry was posted in Uncategorized.

TCPA Claims Excluded by “Unsolicited Communications” Endorsement

Yesterday, the Missouri federal court in Travelers Indem. Co. v. Max Margulis & Surrey Vacation Resorts, 2016 U.S. Dist. LEXIS 173420 (E.D. Mo. Dec. 15, 2016), held that coverage for an underlying Telephone Consumer Protection Act (“TCPA”) lawsuit for “robo” calls to cell phones was prohibited by the “unsolicited communications” endorsement. Because this endorsement is being used more often, and because it does not receive as much fanfare as its sister-exclusion for “Distribution of Material,” I decided to write about it here in The Coverage Inkwell.

The insured, Surrey Vacation Resorts, Inc., d/b/a Grand Crowne Resorts (“Surrey”), was sued for an alleged, unsolicited June 18, 2013 call to the plaintiff’s cell phone through use of an automated telephone dialing system and without his prior consent. Id. at *1. Plaintiff filed suit under the TCPA, alleging that plaintiff “incurred ‘damages’ due to receipt of one telephone call from Surrey on June 18, 2013, which he did not specifically request to receive.” Id. at *6. The TCPA makes it unlawful “to make any call (other than a call made for emergency purposes or made with the prior express consent of the called party) using any automatic telephone dialing system…to any telephone number assigned to a paging service, cellular telephone service, specialized mobile radio service, or other radio common carrier service, or any service for which the called party is charged for the call….” Id. at *8. Travelers defended the insured under a reservation of rights and commenced coverage litigation. Id. at *1.

This entry was posted in Uncategorized.