PIRATED TELEVISION PROGRAMMING IS NOT “DATA” UNDER MEDIA POLICY



It’s hard to believe that we are less than two months away from Coverage College (September 22). If you have not signed up yet, please do by visiting White and Williams’ website. This year, I will be teaching a class on coverage issues in privacy and cyber liability litigation. It should be an exciting and fast-paced class. We’ll have a lot to talk about.  

Last Friday, in Ellicott City Cable, LLC v. AXIS Ins. Co., 2016 U.S. Dist. LEXIS 95819 (D. Md. July 22, 2016), the federal district court of Maryland rejected the contention that pirated digital television programming constituted “data” under a media policy. Even broad terms do not have boundless meanings. Terms must be read within the context of their use and the policy as a whole.

In the case, the insured, Ellicott City Cable (ECC), provided television, internet, and telephone services to residents of two separate residential communities, Taylor Village and Waverly Woods.  Id. at *3-4. To provide television, ECC contracted to obtain satellite television programming from DirecTV, LLC through DirecTV agents Sky Cable, LLC (Sky Cable) and North American Cable Equipment (NACE). (ECC never contracted with DirecTV to provide internet or telephone services.) Id. at *4. Under the contract, ECC distributed the DirecTV programming through equipment and credentials provided by Sky Cable and NACE, and made monthly payments directly to DirecTV for access to its programming. Id.

ECC later terminated its contract with DirecTV. Thereafter, DirecTV commenced an action against ECC and Sky Cable asserting that defendants had “fraudulently” obtained, and assisted others to obtain, DirecTV’s satellite television programming and distributed the programming through unauthorized cable television systems.  Id. at *5.  DirecTV asserted that ECC, through Sky Cable, set up private cable systems to deliver programming to more units in the Taylor Village and Waverly Woods communities than permitted under the DirecTV contract. DirecTV also asserted that ECC created multiple dwelling unit accounts with DirecTV for both properties, but distributed the programming to occupants and residents outside of the scope of those agreements, including by using wiring to traverse public rights of way.  Id.

ECC sought coverage from its media liability insurer, which had issued a media policy providing coverage for damages “as a result of an Occurrence in connection with Scheduled Media during the Policy Period that gives rise to a Claim . . . .”  Id. at *11.  Occurrence was defined in part as “the actual or alleged . . . publication, broadcast or other dissemination of Matter[.]”  Id. at *11, n.10. Matter was defined in part as “communicative or informational content regardless of the nature or form.”  Id.

The media policy had an exclusion that prohibited coverage for claims:

for or arising out of any actual or alleged . . . unauthorized access to, unauthorized use of, or unauthorized alteration of any computer or system, hardware, software, program, network, data, database, communication network or service, including the introduction of malicious code or virus by any person . . .

Id. at *11-12 (emphasis added).

The policy also had additional coverage under Endorsement 3 for claims “for or arising out of the failure to prevent a party from unauthorized access to, unauthorized use of, tampering with or introduction of a computer virus or malicious code into data or systems.” However, coverage under Endorsement 3 did not apply to claims for:

intentional unauthorized access to, unauthorized use of, tampering with or introduction of a computer virus or malicious code into data or systems by any Insured or person who would qualify as an Insured but for their acts being outside the scope of their duties as a partner, . . . except that this exclusion shall not apply to any Insured who did not commit, acquiesce or participate in the actions that gave rise to the Claim.

Id. at *12-13 (emphasis added). As later noted by the Ellicott City Cable Court in its opinion, both policy provisions apply to claims for or arising out of unauthorized access to “data”; with the coverage exception in Endorsement 3 adding the qualifier that the unauthorized access be “intentional.” Id. at *14.

The insurer contended that it had no duty to defend under the exclusion and the exception to coverage under Endorsement 3, contending that DirecTV’s lawsuit for the unauthorized distribution of television programming alleged unauthorized access to data. ECC disagreed, contending that television programming is not “data.”  The Ellicott City Cable Court agreed with the insured.

The court recognized that the term “data” is very broad, and this may have been the insurer’s hope when asserting the policy’s exclusions. Merriam’s Dictionary defines the word “data” as “facts or information used usually to calculate, analyze, or plan something” or “information that is produced or stored by a computer.” Id. at *15. However, the court found that the term was so broad as to be ambiguous. “Given the breadth of this definition [for data],” the court employed the construction canons of ejusdem generis and noscitur a sociis, which require a court, when determining the broad meaning of a word, to consider “the accompanying words so that . . . general and specific words, capable of analogous meaning, when associated together, take color from each other[.]”  Id. at *16. Based on these canons, the court concluded that the word “data” referred to computers, not television programming.

First, the court noted that DirecTV did not use the term “data” to describe its television programming that ECC had allegedly accessed without authorization.  Id. at *15.  The court then looked to the wording of the exclusions at issue, determining that the list of terms in the exclusions limited the meaning of the term “data,” not expanded it.  The exclusion applied to unauthorized access of “any computer or system, hardware, software, program, network, data, database, communication network or service, including the introduction of malicious code or virus by any person . . . .”  Id. at *16.  The common denominator of these terms was the internet and computers, not television programming:

The common factor underlying all terms listed is their relation to the internet or digital matters in general.  Indeed, the inclusion of “introduction of malicious code or virus” speaks directly to a common risk associated with the internet (and computers). “Data,” in this context, thus appears to concern information related to the internet, and not television programming.

Id. at *17 (emphasis added).

The insurer argued that DirecTV’s programming did involve digital compression and encryption of its signal and thus fell within the umbrella of “digital matters.”  The court rejected the argument in part because DirecTV also provided analog signals.  Under the insurer’s contention, the policy would cover analog signals, but exclude digital signals, a result that the court would not endorse:

Yet, this argument ignores that DirecTV’s television programming takes both digital and analog forms. Under Axis’s reasoning, ECC would receive insurance coverage for unauthorized access to analog television programming, and not digital television programming. Neither Axis nor the Policies themselves present any persuasive argument in favor of such a distinction.

Id. at *16-17.

The court applied the same reasoning to the coverage exception for Endorsement 3, which employed “the same broad term accompanied by terms like ‘computer virus’ and ‘malicious code.’”  The court explained:

Similarly, the exclusion of Endorsement No. 3 applies to intentional unauthorized access of “data or systems[.]”  While this exclusion does not include all terms of the first exclusion, it employs the same broad term accompanied by terms like “computer virus” and “malicious code.” Even if the exclusion uses the disjunctive “or” in describing the excluded conduct, this use does not negate the inference that “data or systems” concern information related to the internet or computers generally.

Id. (internal citations omitted).

The court also looked to coverage provided elsewhere in the policy for piracy claims to conclude that the term “data” could not encompass media programming. The court observed that the policy covered claims “for or arising out of . . . any form of infringement of copyright, violation of Droit Moral, passing-off, plagiarism, Piracy or misappropriation of ideas,” defining “piracy” as “the wrongful use, reprinting or reproduction of copyrighted intellectual property.” Id. at *18.  According to the court, “piracy” described “precisely” DirecTV’s allegations against ECC and Sky Cable.  Thus, “[t]o interpret ‘data’ as including DirecTV’s television programming would effectively broaden the scope of the exclusion to eliminate any coverage for piracy.”  Id.  “Rather than create such a contradiction,” the court held it must construe the ambiguity of “data” against the insurer.  Id. at *18-19.

As a result, the court determined that DirecTV’s television programming is not “data” within the meaning of either exclusion.  Id. at *19.

What this case means:   Media policies and cybersecurity policies sometimes employ very broad terms that remain undefined in the policies themselves.  Examples of such terms can include “matter,” “network,” “systems,” “electronic,” and even “data.”  Ellicott City Cable is a good reminder that even broad terms do not have boundless meaning – both in terms of coverage grants and coverage exclusions. Terms must be read within the context of their use and the policy as a whole.


NO COVERAGE FOR PCI ASSESSMENT LIABILITY UNDER CYBERSECURITY POLICY



In P.F. Chang’s China Bistro, Inc. v. Federal Ins. Co., 2016 WL 3055111 (D. Ariz. May 31, 2016), the United States District Court for the District of Arizona held that liability for PCI assessments following a data breach of 60,000 credit card numbers was excluded under a cybersecurity policy.  This case demonstrates the importance of defining the risk insured under a policy, including a cybersecurity policy, and the ability of carriers to do so.

In PF Chang’s, the insured purchased a cybersecurity insurance policy.  The insurer’s underwriters classified the insured as a high risk, “PCI Level 1”, because the insured conducted more than 6 million transactions per year, a large number of which were with credit cards, thus creating a high exposure to potential customer identity theft.  Id. at *1.  The insured, like many merchants, was unable to process credit card transactions itself, and therefore entered into an agreement with a credit card processor to process credit card transactions with the banks who issue the credit cards (“Issuers”), such as Chase or Wells Fargo.  Here, Chang’s entered into a Masters Service Agreement (“MSA”) with the credit card processor Bank of America Merchant Services (“BAMS”) to process credit card payments made by customers of Chang’s.  Id.  Under the MSA, Chang’s delivered customer credit card payment information to BAMS, which then settled the transaction through an automated clearinghouse.  BAMS thereafter credited Chang’s account for the amount of the payments.  Id.

Importantly, credit card processors like BAMS perform their services under agreements entered into with the credit card associations like MasterCard and Visa. Id.  Here, BAMS’s agreement with MasterCard, which was governed by the MasterCard Rules and incorporated into the MSA with Chang’s, obligated BAMS to pay certain fees/fines and assessments to MasterCard in the event of a data breach involving credit card information.  The assessments included “Operational Reimbursement” fees and “Fraud Recovery” fees.  Id.  Under the Chang’s MSA, Chang’s agreed to compensate or reimburse BAMS for “fees,” “fines,” “penalties,” or “assessments” imposed on BAMS by credit card associations like MasterCard.  Id. at *2.  The MSA read in part:

[Chang’s] agrees to pay [BAMS] any fines, fees, or penalties imposed on [BAMS] by any Associations, resulting from Chargebacks and any other fines, fees or penalties imposed by an Association with respect to acts or omissions of [Chang’s] . . . . In addition to the interchange rates, [BAMS] may pass through to [Chang’s] any fees assessed to [BAMS] by the [Associations], including but not limited to, new fees, fines, penalties and assessments imposed by the [Associations].

Id. at *2.  Assessments levied by MasterCard against BAMS, for which Chang’s was responsible under the Chang’s MSA, became the focus of a coverage dispute.

On June 10, 2014, Chang’s learned that computer hackers had obtained and posted on the Internet approximately 60,000 credit card numbers belonging to its customers.  Chang’s notified its insurer of the data breach that very same day.  Id.  Almost one year later, on March 2, 2015, MasterCard issued an “ADC Operational Reimbursement/Fraud Recovery Final Acquirer Financial Responsibility Report” to BAMS, assessing over $1.9 million in fines and assessments against BAMS for the data breach.  The fines were “a Fraud Recovery Assessment of $1,716,798.85, an Operational Reimbursement Assessment of $163,122.72 for Chang’s data breach, and a Case Management Fee of $50,000.”  Id.  “The Fraud Recovery Assessment reflects costs, as calculated by MasterCard, associated with fraudulent charges that may have arisen from, or may be related to, the security compromise. The Operational Reimbursement Assessment reflects costs to notify cardholders affected by the security compromise and to reissue and deliver payment cards, new account numbers, and security codes to those cardholders. The Case Management Fee is a flat fee and relates to considerations regarding Chang’s compliance with Payment Card Industry Data Security Standards.”  Id.

BAMS sought indemnity from Chang’s.  Pursuant to the Chang’s MSA, and in order to continue operations and not lose its ability to process credit card transactions, Chang’s reimbursed BAMS on April 15, 2015.  Chang’s sought coverage for the $1.9 million payment under three insuring agreements under the cybersecurity policy: Insuring Agreement A, Insuring Agreement B, and Insuring Agreement D.2.  The insurer denied coverage and litigation ensued.  Id.

No Privacy Injury Under Insuring Agreement A

Insuring Agreement A paid for “‘Loss’ on behalf of an ‘Insured’ on account of any ‘Claim’ first made against such ‘Insured’ . . .  for ‘Injury’,” which included a “Privacy Injury.”  Id. at *4.  “Privacy Injury” was defined as “injury sustained or allegedly sustained by a Person because of actual or potential unauthorized access to such Person’s Record, or exceeding access to such Person’s Record.”  Id.  The insurer argued that Chang’s did not sustain a Privacy Injury because its own Records were not compromised during the data breach.  Id. at *5.  Chang’s acknowledged that it was the credit card issuers who suffered a Privacy Injury because it was their Records which were compromised in the data breach.  However, Chang’s argued that the owner of the “Records” was immaterial to the issue of coverage because the injury “first passed through BAMS before BAMS in turn charged Chang’s” pursuant to industry standards.  Id.  As the Court generalized, “[b]asically, Chang’s argues that because a Privacy Injury exists and was levied against it, regardless of who suffered it, the Injury is covered under the Policy.”  Id.

The Court disagreed with Chang’s and held that there was no Privacy Injury to implicate coverage under Insuring Agreement A because BAMS’s own Records had not been compromised.  Thus, there was no coverage for BAMS’s liability under the MasterCard ADC Fraud Recovery Assessment:

The Court agrees with [the insurer]; BAMS did not sustain a Privacy Injury itself, and therefore cannot maintain a valid Claim for Injury against Chang’s. The definition of Privacy Injury requires an “actual or potential unauthorized access to such Person’s Record, or exceeding access to such Person’s Record.” (Doc. 8-1) (emphasis added).  The usage of the word “such” means that only the Person whose Record is actually or potentially accessed without authorization suffers a Privacy Injury.  Here, because the customers’ information that was the subject of the data breach was not part of BAMS’ Record, but rather the Record of the issuing banks, BAMS did not sustain a Privacy Injury.  Thus, BAMS did not make a valid Claim of the type covered under Insuring Clause A against Chang’s.

Id. at *5.

Coverage Under Insuring Agreement B Initially Implicated

Insuring Agreement B of the policy stated that the insurer would “pay ‘Privacy Notification Expenses’ incurred by an ‘Insured’ resulting from [Privacy] Injury.”  Id. at *5.  The policy defined “Privacy Notification Expenses” as “the reasonable and necessary cost[s] of notifying those Persons who may be directly affected by the potential or actual unauthorized access of a Record, and changing such Person’s account numbers, other identification numbers and security codes….”  Id.

Chang’s contended that the ADC Operational Reimbursement fee was a “Privacy Notification Expense” because it compensated credit card issuers for the cost of reissuing bankcards and new account numbers and security codes to Chang’s customers.  The insurer argued that coverage did not exist because the ADC Operational Recovery fee was not personally incurred by Chang’s, but rather was incurred by BAMS.  It also argued that the fee did not qualify as “Privacy Notification Expenses” because there is no evidence that the fee was used to “notify[ ] those Persons who may be directly affected by the potential or actual unauthorized access of a Record, and changing such Person’s account numbers, other identification numbers and security codes.”  Id. at *6.

The Court agreed with Chang’s.  Relying on Arizona courts’ broad interpretation of the term “incurred,” which merely required that an insured become liable for the expense, even if the expense originally was paid by others, the Court held that the ADC Operational Recovery fee was “incurred by” Chang’s “resulting from [Privacy] Injury.”  Id. The Court explained:

Although the ADC Operational Reimbursement fee was originally incurred by BAMS, Chang’s is liable for it pursuant to its MSA with BAMS.

Id. at *6.

The Court also held that sufficient evidence existed – and the insurer did not identify any contrary evidence – that the assessment was to be used to compensate credit card issuers for the costs of notifying about the security compromise and reissuing credit cards to Chang’s customers to have the damages fall within the meaning of a “Privacy Notification Expense.”  Id.  As discussed further below, ultimately the Court held that two exclusions applied to bar coverage.

Coverage Under Insuring Agreement D.2 Potentially Implicated

The Court also held that it could not summarily hold, as a matter of law, that the requirements of Insuring Agreement D.2 were unsatisfied so as to implicate coverage.  The Insuring Agreement covered “’Extra Expenses’ an ‘Insured’ incurs during the ‘Period of Recovery of Services’ due to the actual or potential impairment or denial of ‘Operations’ resulting directly from ‘Fraudulent Access or Transmission’.” Id. at *6.  The policy defined “Extra Expenses” to include “reasonable expenses an Insured incurs in an attempt to continue Operations that are over and above the expenses such Insured would have normally incurred. Extra Expenses do not include any costs of updating, upgrading or remediation of an Insured’s System that are not otherwise covered under [the] Policy.”  Id.  Critically, the policy defined “Period of Recovery of Services” as beginning:

. . . immediately after the actual or potential impairment or denial of Operations occurs; and will continue until the earlier of…the date Operations are restored,…to the condition that would have existed had there been no impairment or denial; or sixty (60) days after the date an Insured’s Services are fully restored…to the level that would have existed had there been no impairment or denial.

Id. at *6.

The insurer argued that Insuring Clause D.2. did not apply because Chang’s had not submitted evidence demonstrating that the data breach caused “actual or potential impairment or denial” of business activities.  Id. at *7.  The insurer also argued that Chang’s did not incur Loss during the “Period of Recovery of Services” because it did not pay the Case Management Fee until April 15, 2015, nearly one year after it discovered the data breach.  Id.  Chang’s contended that its ability to operate was impaired because BAMS would have terminated the MSA and eliminated Chang’s ability to process credit card transactions if it did not pay BAMS.  Further, the Chang’s MSA prohibited Chang’s from using another servicer while contracting with BAMS for its services.  Id.  Chang’s also contended that its business activities were still not fully restored; therefore, the “Period of Recovery of Services” remained ongoing.  Id.

The Court agreed with Chang’s in part, concluding that the evidence showed that “Chang’s experienced a Fraudulent Access during the data breach and that its ability to perform its regular business activities would be potentially impaired if it did not immediately pay the Case Management Fee imposed by BAMS.”  Id.  However, whether Chang’s operations were not yet fully restored, thereby extending the “Period of Recovery of Services,” was an issue of fact the Court could not resolve on summary judgment and was best suited for trial.  Id. at *7.  However, as discussed below, ultimately the Court held that two exclusions applied to bar coverage.

Two Contractual Liability Exclusions Prohibit Coverage  

Although the Court held that the requirements of Insuring Agreement B were met, and refrained from ruling on the requirements of Insuring Agreement D.2., the Court held that coverage under the Insuring Agreements was prohibited by two policy exclusions.  The two exclusions prohibited coverage as follows:

With respect to all Insuring Clauses, [the insurer] shall not be liable for any Loss on account of any Claim, or for any Expense . . . based upon, arising from or in consequence of any . . . liability assumed by any Insured under any contract or agreement.

* * *

With respect to Insuring Clauses B through H, [the insurer] shall not be liable for…any costs or expenses incurred to perform any obligation assumed by, on behalf of, or with the consent of any Insured.

Id. at *7.  The Court characterized these two exclusions as “the same in that they bar coverage for contractual obligations an insured assumes with a third-party outside of the Policy.”  Id.  In addition, “Loss” was defined to exclude “any costs or expenses incurred to perform any obligation assumed by, on behalf of, or with the consent of any Insured.”  Id.

Notably, the Court “turned to cases analyzing commercial general liability insurance policies for guidance, because cybersecurity insurance policies are relatively new to the market but the fundamental principles are the same.”  Id. at *8.  Observing that “Arizona courts, as well as those across the nation, hold that such contractual liability exclusions apply to ‘the assumption of another’s liability, such as an agreement to indemnify or hold another harmless’,” the Court held that both exclusions, as well as the definition of “Loss,” applied to prohibit coverage under Insuring Agreement B.  The Court explained:

In no less than three places in the MSA does Chang’s agree to reimburse or compensate BAMS for any “fees,” “fines,” “penalties,” or “assessments” imposed on BAMS by the Associations, or, in other words, indemnify BAMS. . . . Furthermore, the Court is unable to find and Chang’s does not direct the Court’s attention to any evidence in the record indicating that Chang’s would have been liable for these Assessments absent its agreement with BAMS. While such an exception to an exclusion of this nature may exist in the law, it is not applicable here.

Id. at *8.

What This Case Means:  This case has a number of takeaways.  Briefly, and perhaps most important, this case illustrates that although cybersecurity insurance can provide significant amounts of coverage – here, the Court noted that the insurer already had provided $1.7 million in coverage under the policy to Chang’s – coverage is not limitless.  Some may say that a policyholder should “read the fine print,” but I say that the policyholder should understand its risk and ensure it purchases the insurance it needs.  A carrier has an unfettered right to limit the scope of the cyber risk it is willing to insure.  This case also raises the issue of coverage for third-party contracts, which can be a significant source of liability in a data breach.  This case also illustrates how sometimes the timing of liability and payments can affect coverage.  “Extra Expenses” coverage, sometimes overlooked, also can play a significant role in a data breach.  Questions are welcome.


FINANCIAL INSTITUTION BOND COVERS LOSS FROM HACKING



In State Bank v. BancInsure, Inc., 2016 U.S. App. LEXIS 9235 (8th Cir. May 20, 2016), the United States Court of Appeals for the Eighth Circuit held that a $485,000 fraudulent wire transfer perpetrated through the use of malware residing on a bank employee’s computer was covered under the bank’s financial institution bond.  The facts are straightforward.

The insured used the Federal Reserve’s FedLine Advantage Plus system to perform wire transfers. The transfers were made through a desktop computer connected to a Virtual Private Network device provided by the Federal Reserve. In order to complete a transfer, two bank employees had to enter their individual user names, and each had to insert individual physical tokens into the computer, and provide individual passwords and passphrases.

In the matter at issue, a bank employee completed a FedLine wire transfer. However, instead of following company policy and protocol by engaging the participation of a second employee, as required, the bank employee instead completed the transfer using her token, password, and passphrase as well as the token, password, and passphrase of a second employee on the same computer.  At the end of the work day, the employee then left the two tokens in her computer and left the computer running overnight.  When the employee returned to work the next morning, she discovered that two unauthorized wire transfers had been made from the bank’s Federal Reserve account.  Money from one of the transfers was recovered.  However, $485,000 wired in the second transfer was not recovered.  Id. at *1-2.

An investigation revealed that malware resided on the computer, permitting infiltration that allowed completion of the fraudulent transfers. Id. at *2.  The bank sought coverage under its financial institution bond, which provided coverage for losses caused by computer system fraud.  The insuring agreement covered, in part:

Loss resulting directly from a fraudulent

(1) entry of Electronic Data or Computer Program into, or

(2) change of Electronic Data or Computer Program within

any Computer System operated by the Insured, whether owned or leased, or any Computer System identified in the application for this Bond, or a Computer System first used by the Insured during the Bond Period, provided the entry or change causes

(1) property to be transferred, paid or delivered,

(2) an account of the Insured or of its customer to be added, deleted, debited or credited, or

(3) an unauthorized account or fictitious account to be debited or credited.

Id. at *3-4, n.2.

The carrier denied coverage, citing certain exclusions in the bond for loss based on employee-caused loss, theft of confidential information, and mechanical breakdown or deterioration of a computer system.  Id. at *3.  The carrier cited the following exclusions, which prohibited coverage for:

(h) loss caused by an Employee . . . resulting directly from misplacement, mysterious unexplainable disappearance or destruction of or damage to Property;

. . . .

(bb) (4) loss resulting directly or indirectly from theft of confidential information,

. . . .

(bb) (12) loss resulting directly or indirectly from

(a) mechanical failure, faulty construction, error in design, latent defect, fire, wear or tear, gradual deterioration, electrical disturbance or electrical surge which affects a Computer System,

(b) failure or breakdown of electronic data processing media, or

(c) error or omission in programming or processing,

. . . .

(bb) (17) loss caused by a director or Employee of the Insured . . . .

Id. at *4, n.3.

Coverage litigation ensued.  The carrier argued that the employee’s breach of company policy caused the loss and thus the loss was excluded.  Specifically, the carrier contended that the malware would not have allowed the hacker to fraudulently transfer the lost money had the bank employee (1) engaged a second employee to perform the original wire transfer, and (2) not left the computer running overnight with two tokens in it.  Based on Minnesota’s concurrent-causation doctrine, the trial court nevertheless held that the bond covered the loss.  The trial court concluded that “the computer systems fraud was the efficient and proximate cause of [Bellingham’s] loss,” and that “neither the employees’ violations of policies and practices (no matter how numerous), the taking of confidential passwords, nor the failure to update the computer’s antivirus software was the efficient and proximate cause of [Bellingham’s] loss.”  Id. at *6.  The court further held that “it was not then a ‘foreseeable and natural consequence’ that a hacker would make a fraudulent wire transfer. Thus even if those circumstances ‘played an essential role’ in the loss, they were not ‘independent and efficient causes’ of the loss.”  Id. at *6-7.  The carrier appealed and the Eighth Circuit affirmed.

On appeal, the carrier first argued that the concurrent-causation doctrine, which applies to insurance contracts, did not apply to financial institution bonds because a financial institution bond requires the insured to initially show that its loss directly and immediately resulted from dishonest, criminal, or malicious conduct.  Id. at *8.  The Eighth Circuit disagreed, stating that Minnesota courts adhere to the general rule of “treating financial institution bonds as insurance policies and interpreting those bonds in accordance with the principles of insurance law.”  Id. at *9.

The carrier next argued that exclusions 2(bb)(4) and 2(bb)(12) contracted around the concurrent-causation doctrine because those exclusions applied to both direct and “indirect” causation.  Id. at *10.  The Eighth Circuit disagreed.  Although noting that “[p]arties may include ‘anti-concurrent causation’ language in contracts to prevent the application of the concurrent-causation doctrine,” such language must be “clear and specific.”  Id.  The court concluded that, “[a]s a matter of law, the Bond’s reference to ‘indirectly’” was not clear and specific, and was insufficient to circumvent the doctrine.  Id. at *11.

Finally, the carrier argued that even if the district court correctly applied the concurrent-causation doctrine, it erred in concluding that the fraudulent hacking of the computer system by a criminal third party was the overriding, or efficient and proximate, cause of the loss.  At a minimum, the carrier contended, the issue should have been one for the jury to decide.  Id. at *11.  Again, the court disagreed, concluding that the fraudulent wire transfers were not a foreseeable or inevitable result of the employees’ negligence and actions:

We agree with the district court’s conclusion that “the efficient and proximate cause” of the loss in this situation was the illegal transfer of the money and not the employees’ violations of policies and procedures. . . .  an illegal wire transfer is not a “foreseeable and natural consequence” of the bank employees’ failure to follow proper computer security policies, procedures, and protocols.  Even if the employees’ negligent actions “played an essential role” in the loss and those actions created a risk of intrusion into Bellingham’s computer system by a malicious and larcenous virus, the intrusion and the ensuing loss of bank funds was not “certain” or “inevitable.”

Id. at *13-14.  According to the court, “[t]he ‘overriding cause’ of the loss Bellingham suffered remains the criminal activity of a third party.”  Id. at *14.  Therefore, it held that the district court properly granted the bank summary judgment.

This entry was posted in Data Breach Insurance Coverage, Uncategorized.

MAKING RECORDS ACCESSIBLE ON THE INTERNET IS A “PUBLICATION”



We have all heard the question “if a tree falls in the forest…,” a philosophical experiment that raises questions of observation, knowledge, and reality. Whether or not the philosopher George Berkeley deserves credit for first raising the question, if still alive, he may have been disappointed in yesterday’s decision, Travelers Indem. Co. of Am. v. Portal Healthcare Solutions, LLC, No. 14-1944 (4th Cir. Apr. 11, 2016). In that case, the trial court had addressed the legal question of “whether materials are published if they are posted on the Internet, but no one reads them?”  As discussed by The Coverage Inkwell in August 2014, the trial court answered the question in the affirmative. Yesterday, the Fourth Circuit affirmed the decision, but never really weighed in on the question. That’s too bad.

The facts of the case are straightforward. The insured, Portal Healthcare Solutions (“Portal”), specialized in the electronic safekeeping of medical records for hospitals, clinics, and other medical providers.  Travelers Indem. Co. of Am. v. Portal Healthcare Solutions, LLC, 35 F. Supp. 3d 765, 767-78 (E.D. Va. 2014). A New York putative class action was filed against it, alleging that Portal had failed to safeguard the confidentiality of the medical records of patients at Glen Falls Hospital (“Glen Falls”) by posting them on the Internet and making them publicly accessible through Internet searches. Id. Two patients of Glen Falls discovered the breach when they conducted a Google search for their names and found links that directed them to their Glen Falls medical records. Id.

Travelers issued two policies, each having slightly different language. One covered injury arising from the “electronic publication of material that … gives unreasonable publicity to a person’s private life.” The second covered injury arising from the “electronic publication of material that … discloses information about a person’s private life.”  Id. at 767. The key issue in the trial court was whether making medical records accessible on the Internet constituted a “publication” under the terms of the policies, even if no one had read the information.

Looking to dictionary definitions for the word “publication,” the trial court concluded that the meaning of “publication” includes “to place before the public (as through a mass medium).” Id. at 770. Thus, making the records accessible constituted a “publication.”

Exposing medical records to the online searching of a patient’s name, followed by a click on the first result, at least “potentially or arguably” places those records before the public.  Any member of the public could retrieve the records of a Glen Falls patient, whether he or she was actively seeking those records or searching a patient’s name for other purposes, like a background check.  Because medical records were placed before the public, the Court finds that Portal’s conduct falls within the plain meaning of “publication.”

Id. at 770 (bold added). The trial court summarily rejected the argument that because Portal Healthcare had not intended to release the information, there was no “publication,” stating that “the issue cannot be whether Portal intentionally exposed the records to public viewing since the definition of ‘publication’ does not hinge on the would-be publisher’s intent.” Id.

Importantly, the court also rejected the argument that because no one had read the records, there was no “publication.” In other words, the court took the approach that if a tree falls, of course it makes a sound:

Publication occurs when information is “placed before the public,” not when a member of the public reads the information placed before it.  By Travelers’ logic, a book that is bound and placed on the shelves of Barnes & Noble is not “published” until a customer takes the book off the shelf and reads it.  Travelers’ understanding of the term “publication” does not comport with the term’s plain meaning, and the medical records were published the moment they became accessible to the public via an online search.

Id. at 771.

On appeal, the Fourth Circuit “commended” the trial court for its “sound legal analysis,” but did not add more, including on the scope of the term “publication.” Noting that Virginia is an “eight corners rule” state and that the duty to defend is broader than the duty to indemnify, the appellate court referred to the trial court’s conclusion that “the class-action complaint ‘at least potentially or arguably’ alleges a ‘publication’ of private medical information by Portal that constitutes conduct covered under the Policies.” (Slip Op. at 6.) Thus, the trial court reasoned, the release of information on the Internet, if proven, “would have given ‘unreasonable publicity to, and disclose[d] information about, patients’ private lives,’ because any member of the public with an internet connection could have viewed the plaintiffs’ private medical records during the time the records were available online.” (Id.) Under the broad scope of the duty to defend, the Fourth Circuit could not disagree:

Put succinctly, we agree with the Opinion that Travelers has a duty to defend Portal against the class-action complaint.  Given the eight corners of the pertinent documents, Travelers’s efforts to parse alternative dictionary definitions do not absolve it of the duty to defend Portal.  [Citation omitted.]   See Seals v. Erie Ins. Exch., 674 S.E.2d 860, 862 (Va. 2009) (observing that the courts “have been consistent in construing the language of [insurance] policies, where there is doubt as to their meaning, in favor of that interpretation which grants coverage, rather than that which withholds it” (quoting St. Paul Fire & Marine Ins. Co., 316 S.E.2d at 736)).

(Id. at 6-7.)

What this case means.  Two years ago, I noted that this was a difficult case for an insurer to win.  It was undisputed that the records were available on the Internet.  Typically, when determining whether an underlying complaint alleges a “publication,” many courts look to dictionary definitions, which define the term to mean distribution to the public at large.  That is what the trial court did here, and the Fourth Circuit agreed.  Typically, the question of whether the material at issue was read is not asked or addressed.

The trial court rejected the contention that if material is not read, it is not published.  In doing so, the court used a persuasive analogy of an untouched book on a shelf.  The Fourth Circuit appeared to have no interest in delving into that question, at least in the context of the duty to defend.  That is too bad because the argument does raise interesting issues, not the least of which is whether a “publication” is just the release of information or also the consumption of it.

This entry was posted in Data Breach Insurance Coverage, Privacy Rights.

ELECTRONIC DATA AND DISTRIBUTION OF MATERIAL EXCLUSION DOES NOT BAR COVERAGE FOR DISCLOSURE OF GENETIC DATA



Last week, the United States District Court for the Southern District of Texas held that an Electronic Data and Distribution of Material in Violation of Statutes exclusion, a variant of the Telephone Consumer Protection Act (“TCPA”) exclusion, did not bar coverage for an insured’s wrongful, online publication of genetic data in violation of a statute.  Evanston Ins. Co. v. Gene By Gene, Ltd., 2016 WL 102294 (S.D. Tex. Jan. 6, 2016).  In so holding, the court construed the exclusion to address solely intrusion upon seclusion claims.  The facts of the case are straightforward.

The insured, Gene by Gene Ltd. (“GBG”), owned and operated a genealogy website whereby users of the site were offered the opportunity to take DNA tests and then use their genetic information from the tests to learn more about their ancestry and connect with other users whose results matched their own results in varying degrees.  Gene By Gene, 2016 WL 102294 at *1.  An underlying plaintiff sued GBG in Alaska federal court, alleging that GBG improperly published his DNA test results on its website without his consent and in violation of Alaska’s Genetic Privacy Act.  Id.  The Genetic Privacy Act prohibits disclosure of a person’s DNA analysis without written and informed consent.  See AS §18.13.010.

GBG tendered its defense to its insurer, which issued four professional liability policies providing coverage for “personal injury,” defined therein as injury arising out of “oral or written publication of material that violates a person’s right of privacy.”  Id. at *1, *3.  The insurer, however, denied coverage based on an “Electronic Data and Distribution of Material in Violation of Statutes” exclusion.  Id. at *1.  Coverage litigation ensued and GBG moved for summary judgment.

GBG contended that defense coverage existed because the underlying action alleged injury arising out of the written publication of material that violates a person’s right of privacy.  The insurer contended that the Distribution of Material exclusion applied because the exclusion barred coverage for violation of “any other statute, law, rule, ordinance, or regulation that prohibits or limits the sending, transmitting, communication or distribution of information or other material.”  Id. at *2.  Specifically, the insurer argued that the exclusion applied because the underlying action was brought pursuant to a statute (the Genetic Privacy Act) that prohibits the transmission, communication, or distribution of information or other material, namely, the public disclosure of a person’s DNA analysis on Gene by Gene’s website.  Id. at *4.  The court held that the underlying action alleged “personal injury” because the action asserted “the publication of material—the DNA analysis—that allegedly violates a person’s right to privacy.”  Id. at *3.  It then held that the Distribution of Material exclusion did not apply.

The court concluded that the insurer’s reading of the exclusion was too broad and would render the policies’ advertising injury and personal injury coverage illusory.  Id. at *4-5.  The exclusion reached both statutory and common law violations.  Because both advertising injury (libel and defamation) and personal injury (invasion of privacy) inherently involve communications in violation of law, the court reasoned that, under the insurer’s reading of the Distribution of Material exclusion, the exclusion would preclude coverage for all instances of advertising injury and personal injury.  Id. at *5.  The court further noted that in some states, such as Texas, “traditional defamation” injuries, like libel and disparagement of goods and services, are regulated by statute.  Id.  The court concluded that the exclusion was not intended to preclude such claims.

Yet, perhaps most compelling to the court was its conclusion that the intent and protected interests behind the Distribution of Material exclusion and the Genetic Privacy Act differed.  The court held that the Distribution of Material exclusion, another variant of the TCPA exclusion, was intended to address intrusion upon seclusion claims, a protection that was not contemplated by the Genetic Privacy Act:

The Genetic Privacy Act does not concern unsolicited communication to consumers, but instead regulates the disclosure of a person’s DNA analysis.  The facts upon which the claim is based deal solely with Gene by Gene’s alleged improper disclosure of DNA test results on its public website and to third-parties.  The facts alleged in the complaint do not address the type of unsolicited seclusion invasion contemplated by the Exclusion.  Accordingly, the Underlying Lawsuit is not excluded from Gene by Gene’s policy coverage.  [Emphasis added.]

Id. at *6.  Because of this mismatch, the exclusion did not apply.

What this case means.  This case is interesting because it addresses a new twist on the TCPA exclusions.  Are cybersecurity claims next?  Some might herald this decision as a defeat for insurers and a scaling back of the exclusion.  My thought – not really.  The court construed the exclusion to address solely intrusion upon seclusion claims, which is not that remarkable – although, maybe unwarranted.  Yet, it is important to remember that by including violations of mere “law” within its scope, the form of the exclusion at issue was very broad – indeed, broader than many variants of the TCPA exclusion.  That distinction was not lost on the court, which believed (and perhaps rightly so) that the fundamental logic for applying the exclusion in the case before it would have eviscerated coverage under the policy’s “advertising injury and personal injury” insuring agreement.  The court also recognized a potential mismatch between the exclusion and the Genetic Privacy Act.  It’s an interesting observation.  However, by then, the court already had made its decision.

This entry was posted in Data Breach Insurance Coverage, Privacy Rights.

THE NINTH CIRCUIT HOLDS THERE IS NO COVERAGE FOR VIOLATION OF THE SONG-BEVERLY ACT



This week, the United States Court of Appeals for the Ninth Circuit affirmed Big 5 Sporting Goods Corporation, a case in which the trial court had held that “personal and advertising injury” coverage did not exist for violation of California’s Song-Beverly Act, even where common law allegations of invasion of privacy were alleged in connection with the unlawful collection of ZIP Codes.  See Big 5 Sporting Goods Corporation v. Zurich American Ins. Co., No. 13-6249 (9th Cir. Dec. 7, 2015), affirming Big 5 Sporting Goods Corporation v. Zurich American Ins. Co., 957 F. Supp. 2d 1135 (C.D. Cal. 2013).

In Big 5, the insured was sued in multiple underlying class action lawsuits alleging invasion of privacy and violation of the Song-Beverly Act from the practice of requesting ZIP Code information during credit card transactions.  See Big 5 Sporting Goods, 957 F. Supp. 2d at 1138.  Some of the class actions alleged both violation of the Song-Beverly Act as well as common law negligence and invasion of privacy claims.  Id.  The insured sought coverage under “personal and advertising injury,” defined in part as injury arising out of “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy.”  Id. at 1140. 

The insurers argued that defense and indemnity coverage for the underlying actions was barred by the policies’ statutory violation exclusions, one of which barred coverage for “personal and advertising injury” “arising directly or indirectly out of” any act or omission that violates or is alleged to violate:

c. Any statute, ordinance or regulation, other than the TCPA or CAN–SPAM Act of 2003, that prohibits or limits the sending, transmitting, communicating or distribution of material or information. 

Id. at 1149.  The trial court agreed, and now, the Ninth Circuit has affirmed.

Perhaps the most significant component of the Ninth Circuit’s decision was that the allegations of common law claims, which were not accounted for in the statutory violation exclusion, nevertheless did not preclude application of the exclusion because the factual allegations did not assert actionable causes of action. 

Specifically, the insured argued that because some of the lawsuits alleged common law claims for invasion of privacy, for purposes of the duty to defend, the statutory violation exclusion could not apply.  Big 5, slip op., at 4.  The Ninth Circuit disagreed.  Because “California does not recognize any common law or constitutional privacy causes of action for requesting, sending, transmitting, communicating, distributing, or commercially using ZIP Codes,” the Court concluded that the only possible claim for recovery was for penalties, not damages, under the Song-Beverly Act.  Id. at 4-5, citing Fogelstrom v. Lamps Plus, Inc., 195 Cal. App. 4th 986, 992 (2d Dist. 2011).  In Fogelstrom, the California Court of Appeal held that requesting ZIP Codes during credit card transactions does not state an actionable claim for invasion of privacy, concluding that the action of “obtaining plaintiff’s address without his knowledge or permission, and using it to mail him coupons and other advertisements … is not an egregious breach of social norms, but routine commercial behavior.”  Fogelstrom, 195 Cal. App. 4th at 992.

The Ninth Circuit also rejected the insured’s argument that the invasion of privacy and negligence claims were merely frivolous, and thus could not be discounted for purposes of the duty to defend because an insurance carrier has the duty to defend both meritorious and frivolous claims.  The Ninth Circuit distinguished frivolous claims from those that are not actionable, explaining that the privacy claims did not merely lack merit; they were not recognized under the law:

Under settled California law, they are not even recognized as cognizable causes of action, a status one step below “unmeritorious.”  Allowing Big 5’s fact pattern to rise to the level of a claim would require an insurance company to insure and defend against non-existent risks.

Id. at 6. 

Borrowing from Shakespeare, the Court similarly dispensed with the underlying negligence claims as mere “artful” pleading that could not circumvent an unambiguous policy exclusion:

Big 5’s negligence theory fares no better.  Just as a rose by another name is still a rose, so a ZIP Code case under any other label remains a ZIP Code case.  See Swain v. Cal. Cas. Ins. Co., 99 Cal. App. 4th 1, 8-9 (2002) (“A general boilerplate pleading of ‘negligence’ adds nothing to a complaint otherwise devoid of facts giving rise to a potential for covered liability.”).  As the district court recognized, the California Court of Appeal has discouraged the “artful drafting” of alleging superfluous negligence claims, saying to allow such a practice would inappropriately “erase exclusions in any policy.”  Fire Ins. Exch. v. Jimenez, 184 Cal. App. 3d 437, 443 n.2 (1986).

Id.

What does this case mean?  Like the Third Circuit in Urban Outfitters (also discussed in The Coverage Inkwell), a second United States Court of Appeals now has held that “personal and advertising injury” coverage does not exist for underlying allegations of unlawful ZIP Code collection.  A unique aspect of this decision, however, is its holding that where an underlying action alleges a cause of action that is not recognized under the law, that cause of action cannot be used to trigger a duty to defend.

This entry was posted in Privacy Rights.

THIRD CIRCUIT HOLDS “PRIVACY” MEANS SECRECY, “PUBLICATION” MEANS DISSEMINATION TO PUBLIC, AND “IN ANY MANNER” DOES NOT CHANGE MEANING OF “PUBLICATION”



In OneBeacon Amer. Ins. Co. v. Urban Outfitters, 2015 WL 5333845 (3d Cir. Sept. 15, 2015), the United States Court of Appeals for the Third Circuit held that three underlying class action lawsuits filed against Urban Outfitters and Anthropologie, Inc. did not allege “personal and advertising injury.”  The Third Circuit held that for the Coverage B offense of “oral or written publication, in any manner, of material that violates a person’s right of privacy,” (1) “privacy” refers only to the right of secrecy, not the right of seclusion; (2) “publication” requires dissemination of information to the public at large; and (3) “in any manner” does not modify or change the meaning of “publication” to a lesser standard.

In the spirit of full disclosure, I represented OneBeacon America in the litigation with my colleagues at White and Williams LLP.  The facts of the matter are straightforward.

Urban Outfitters and Anthropologie (collectively, “Urban Outfitters”) were sued in three separate class actions filed in California, Massachusetts, and the District of Columbia.  (The California class action was actually a consolidation of multiple class actions.)  In each action, plaintiffs alleged that Urban Outfitters wrongfully collected and used consumers’ ZIP codes and other data for marketing and purchase-tracking in violation of state statutes and privacy rights.  Urban Outfitters sought defense coverage for each lawsuit under “personal and advertising injury,” defined in part as “oral or written publication, in any manner, of material that violates a person’s right of privacy.”

In the first lawsuit, Hancock, the underlying complaint alleged that Urban Outfitters unlawfully collected consumers’ ZIP code information during credit card transactions in violation of District of Columbia statute.  Id. at *1.  By obtaining the consumers’ ZIP codes, Urban Outfitters was then able to obtain the consumers’ home and business addresses to use for marketing.  Id.  Urban Outfitters contended the exchange of data between the retailer and the consumers constituted a “publication” for purposes of “personal and advertising injury” coverage.  The Third Circuit disagreed and accepted the insurers’ arguments that “‘publication’ requires dissemination to the public.”  Id. at *2.  The court rejected the contention that the failure to define the term “publication” in the policy made the term ambiguous:

Although neither the policies nor the Pennsylvania Supreme Court have defined “publication,” that does not render the term ambiguous.  Rather, “[w]ords of common usage in an insurance policy are to be construed in their natural, plain, and ordinary sense, and we may inform our understanding of these terms by considering their dictionary definitions.”  Madison Constr. Co. v. Harleysville Mut. Ins. Co., 735 A.2d 100, 106 (Pa. 1999).  The District Court cited three separate dictionary definitions of “publication,” all of which support the conclusion that “publication” requires dissemination to the public. [Emphasis added.]

Id.

Significantly, the Court also rejected the contention that the phrase “in any manner” changed the meaning of “publication”:

The fact that the policies specify that “publication” may be made “in any manner” does not alter the analysis; as the Eleventh Circuit correctly noted, the phrase “in any manner” “merely expands the categories of publication (such as e-mail, handwritten letters, and, perhaps, ‘blast-faxes’) covered by the [p]olicy,” but “cannot change the plain meaning of the underlying term ‘publication.’”  Creative Hosp. Ventures, Inc. v. U.S. Liab. Ins. Co., 444 F. App’x 370, 375 (11th Cir. 2011).  [Emphasis added.]

Id.

In the second lawsuit, Miller, the underlying complaint alleged that Urban Outfitters unlawfully collected consumers’ ZIP code information to use for marketing purposes, including to send unsolicited promotional materials and “junk mail.”  Id. at *3.  Noting that the Pennsylvania Superior Court has recognized that the privacy right contemplated in “personal and advertising injury” is the right to secrecy, not the right to seclusion, the Third Circuit concluded that Miller did not allege a violation of a person’s “right of privacy.”  Importantly, in reaching its conclusion, the Third Circuit rejected the contention that the consumers had a right of privacy in their ZIP codes, or that the lawsuit alleged violation of consumers’ rights to keep their addresses secret from the retailers:

[T]he factual allegations of the Miller complaint evince a concern with seclusion, and not secrecy. The complaint asserts that plaintiffs “have suffered an injury as a result of Defendant’s unlawful conduct by receiving unsolicited marketing and promotional materials, or ‘junk mail,’ from Defendant.” [Record citation omitted.] Although the complaint asserts that Urban Outfitters did collect plaintiffs’ ZIP code information, that information was collected allegedly “to identify the customer’s address and/or telephone number … to send unsolicited marketing and promotional materials.” . . .  Put simply, the complaint does not assert harms based on the plaintiffs’ interests in keeping their ZIP codes secret. Accordingly, it does not allege publication of material that violates a person’s “right to privacy” under the policies . . . .

Id.  at *4.

For the final lawsuit, Dremak, the Court held that the Recording and Distribution of Material or Information in Violation of Law exclusion barred coverage, because the lawsuit was brought under California’s Song-Beverly Credit Card Act.  Id. at *3. The lawsuit originally had alleged common law claims, but those causes of action were dismissed without prejudice while the coverage litigation was pending in the Pennsylvania federal district court.  Urban Outfitters argued that the dismissal of those claims was not dispositive because the factual allegations supporting the common law claims remained in the complaint, and Pennsylvania law requires that the factual allegations, not the causes of action, determine an insurer’s duty to defend.  Id.  The Court rejected the argument because the same alleged facts that gave rise to the common law claims also alleged the statutory violations:

[T]he Court looked to the factual allegations of the complaint in determining that the complaint alleged “action[s] or omission[s]” that were alleged to violate the Song–Beverly Credit Card Act.  The fact that those same “action[s] or omission[s]” were also alleged to give rise to common law claims (claims that were dismissed) is irrelevant to the analysis.  [Emphasis added.]

Id.

What does this case mean?  This decision is a significant one.  It is one of only a few appellate-level decisions holding that (1) “publication” requires dissemination to the public at large, and (2) “right of privacy” means the right of secrecy, not the right of seclusion.  The decision is only the second to address and debunk the myth that the phrase “in any manner” changes the meaning of “publication” in Coverage B.

This entry was posted in Privacy Rights.

NEW YORK’S HIGHEST COURT SAYS COVERAGE FOR LOSS FROM “FRAUDULENT ENTRY” INTO COMPUTER SYSTEM LIMITED TO HACKING



A common source of computer fraud is the rogue employee or authorized user who abuses his or her access to a network system for unlawful purposes.  Readers of The Coverage Inkwell will know that the Inkwell has addressed the meaning of unauthorized access in the context of cyber insurance for a few years.

In the context of the Computer Fraud and Abuse Act, 18 U.S.C. §1030, the United States Court of Appeals for the Ninth Circuit, in U.S. v. Nosal, 676 F.3d 854 (9th Cir. 2012), in essence limited the meaning of “exceeds authorized access” to hackers, not inside corporate personnel accessing a computer network for unauthorized (i.e., illegal) purposes.  Yesterday, the New York Court of Appeals, in Universal American Corp. v. National Union Fire Ins. Co. of Pittsburgh, PA, 2015 N.Y. Slip Op. 05516, 2015 WL 3885816 (N.Y. June 25, 2015), held that the phrase “fraudulent entry” into a computer system was limited to instances of outside hackers, not fraudulent content submitted by authorized users.

In the case, the insured, Universal American Corp. (“Universal”), was a health insurance company that offers a choice of federal government-regulated alternatives to Medicare, known as Medicare Advantage plans.  (Please note, because the decision was published only yesterday, page references currently are unavailable.)  Universal had a computerized billing system that allowed health care providers to submit bills for the Medicare Advantage plans directly into the system.  A majority of such claims were approved and paid by Universal automatically and without manual review.  Universal ultimately suffered over $18 million in losses from payments of fraudulent claims for services that were never performed under the plans.

Universal sought coverage under its financial institution bond, which provided coverage by endorsement for computer systems fraud.  The endorsement stated as follows:

COMPUTER SYSTEMS

It is agreed that:

  1. the attached bond is amended by adding an Insuring Agreement as follows:

COMPUTER SYSTEMS FRAUD

Loss resulting directly from a fraudulent

(1) entry of Electronic Data or Computer Program into, or

(2) change of Electronic Data or Computer Program within the Insured’s proprietary Computer System

provided that the entry or change causes

(a) Property to be transferred, paid or delivered,

(b) an account of the insured, or of its customer, to be added, deleted, debited or credited, or

(c) an unauthorized account or a fictitious account to be debited or credited[.]  (Emphasis added)

The insurer denied coverage on the ground that the endorsement did not cover Medicare fraud, i.e., losses from payment for fraudulent claims submitted by authorized health care providers.

In the ensuing coverage litigation, the trial court granted the insurer summary judgment.  Focusing on the words “fraudulent,” “entry,” and “change,” the court concluded that coverage did not extend to fraudulent claims entered into Universal’s system by authorized users; instead, coverage extended only to unauthorized entries into the computer system by a hacker or through a computer virus.  The New York Appellate Division affirmed, stating that the policy did not cover fraudulent content entered by authorized users, but instead covered “wrongful acts in manipulation of the computer system, i.e., by hackers.”

The New York Court of Appeals affirmed, holding that the policy endorsement was clear and unambiguous.  The Court held that the policy “unambiguously applies to losses incurred from unauthorized access to Universal’s computer system, and not to losses resulting from fraudulent content submitted to the computer system by authorized users.”  The Court based its conclusion on the fact that the term “fraudulent” modified the terms “entry” or “change” to mean that coverage applied to a dishonest entry or change of electronic data or computer program by “hacking” into the computer system:

The term “fraudulent” is not defined in the Rider, but it refers to deceit and dishonesty (see Merriam Webster’s Collegiate Dictionary [10th ed. 1993] ).  While the Rider also does not define the terms “entry” and “change,” the common definition of the former includes “the act of entering” or “the right or privilege of entering, access,” and the latter means “to make different, alter” (id.).  In the Rider, “fraudulent” modifies “entry” or “change” of electronic data or computer program, meaning it qualifies the act of entering or changing data or a computer program.  Thus, the Rider covers losses resulting from a dishonest entry or change of electronic data or computer program, constituting what the parties agree would be “hacking” of the computer system.  The Rider’s reference to “fraudulent” does not also qualify what is actually acted upon, namely the “electronic data” or “computer program” itself.  [Emphasis added.]

According to the Court, “[t]he intentional word placement of ‘fraudulent’ before ‘entry’ and ‘change’ manifests the parties’ intent to provide coverage for a violation of the integrity of the computer system through deceitful and dishonest access.”

In so holding, the Court rejected Universal’s argument that “‘fraudulent entry’ means ‘fraudulent input’ because a loss due to a fraudulent entry by necessity can only result from the input of fraudulent information.”  The Court reasoned that such a conclusion would render the words “a” and “of” in the sentence “a fraudulent (1) entry of Electronic Data or Computer Program into” superfluous:

This would render superfluous the word “a” before “fraudulent,” and the word “of” before “electronic data or computer program.” Universal’s proposed interpretation is easily achieved by providing coverage for a “loss resulting directly from fraudulent data.”  Of course, that is not what the [endorsement] says.

Because the losses suffered by Universal were not the result of hacking, there was no coverage under the policy.

Questions are welcome.


PENNSYLVANIA COURT REFUSES TO IMPOSE NEW DUTY ON EMPLOYERS TO PROTECT PII FROM DATA BREACHES



A common allegation in cyber security data breach litigation is that the data breach victim breached its duty of care by failing to adequately protect plaintiffs’ personal identification information (“PII”) from a data breach.  Very recently, the Pennsylvania Court of Common Pleas of Allegheny County in Dutton v. UPMC, No. GD-14-003285 (May 28, 2015), dismissed such a claim, refusing requests to create a new duty of care on an employer who suffered a data breach resulting in the compromise of its employees’ PII.  In so holding, the court reasoned that to create such a duty would place too heavy of a burden on corporate entities already incentivized to protect PII.  It also would inundate the judiciary with a flood of litigation.  The court instead looked to the state legislature to determine whether to impose this obligation.

In the case, the plaintiffs filed a putative class action on behalf of current and former University of Pittsburgh Medical Center (“UPMC”) employees whose PII had been stolen from UPMC’s computer systems.  Plaintiffs alleged that UPMC owed a duty to protect their PII and had breached that duty under theories of negligence and breach of contract.  Dutton v. UPMC, No. GD-14-003285, slip op., at 1-2.  Duties allegedly owed by UPMC included:

  • The duty to design, maintain, and test its security systems to protect against data breaches;
  • The duty to implement processes to detect security breaches “in a timely manner”;
  • The duty “to adopt, implement, and maintain adequate security measures”; and
  • The duty to satisfy “widespread industry standards relating to data security.”

Id. at 2-3.

Addressing the negligence claim first, the court concluded that because the alleged damages were economic only, under the economic loss doctrine, no cause of action based on negligence could exist.  Id. at 4.  Therefore, the claim was dismissed.  (The court also dismissed the breach of contract claim based on the lack of evidence that a contract existed, id. at 11-12, but the court’s discussion of the negligence claim is where the really interesting read is found.)

To save their case, Plaintiffs contended that a special duty should be imposed upon UPMC to protect employees’ PII.  Id. at 5.  The court refused to do so, concluding that to impose such a duty as a means to combat the widespread problem of data breaches could overwhelm the judiciary and ill-serve the public interest:

Plaintiffs’ proposed solution is the creation of a private negligence cause of action to recover actual damages, including damages for increased risks, upon a showing that the plaintiffs’ confidential information was made available to third persons through a data breach.

The public interest is not furthered by this proposed solution.  Data breaches are widespread. They frequently occur because of sophisticated criminal activity of third persons.  There is not a safe harbor for entities storing confidential information.  The creation of a private cause of action could result within Pennsylvania alone of the filing each year of possibly hundreds of thousands of lawsuits by persons whose confidential information may be in the hands of third persons.  Clearly, the judicial system is not equipped to handle this increased caseload of negligence actions.  Courts will not adopt a proposed solution that will overwhelm Pennsylvania’s judicial system.

Id. at 6.

The court also expressed concern over the lack of consensus standards for defining “adequate” security.  Id.  Litigation and “expert” testimony, the court observed, “is not a viable method for resolving the difficult issue of the minimum requirements of care that should be imposed in data breach litigation, assuming that any minimum requirements should be imposed.”  Id.  The court also worried that to create a new duty could place too heavy of a burden on companies already incentivized to combat data breaches:

Under plaintiffs’ proposed solution, in Pennsylvania alone, perhaps hundreds of profit and nonprofit entities would be required to expend substantial resources responding to the resulting lawsuits.  These entities are victims of the same criminal activity as the plaintiffs.  The courts should not, without guidance from the Legislature, create a body of law that does not allow entities that are victims of criminal activity to get on with their businesses.

Id. at 6-7.

Finally, the court concluded that the issue was best left to the legislative branch, not a single jurist:

I cannot say with reasonable certainty that the best interests of society would be served through the recognition of new affirmative duties of care imposing liability on health care providers and other entities electronically storing confidential information, the financial impact of which could even put these entities out of business.  Entities storing confidential information already have an incentive to protect confidential information because any breach will affect their operations. An “improved” system for storing confidential information will not necessarily prevent a breach of the system.  These entities are also victims of criminal activity.

It is appropriate for courts to consider the creation of a new duty where what the court is considering is sufficiently narrow that it is not on the radar screen of the Legislature. . . . However, where the Legislature is already considering what courts are being asked to consider, in the absence of constitutional issues, courts must defer to the Legislature.

Id. at 7-8.

Because “[t]he only duty that the General Assembly has chosen to impose as of today is notification of a data breach,” the court concluded that it should not create a new, additional duty on employers.  Id. at 10.  Quoting from the Illinois Court of Appeals in Cooney v. Chicago Pub. Sch., 934 N.E.2d 23, 28-29 (Ill. Ct. App. 2010), the court stated:

While we do not minimize the importance of protecting this information, we do not believe that the creation of a new legal duty beyond legislative requirements already in place is part of our role on appellate review.  As noted, the legislature has specifically addressed the issue and only required the [defendant] to provide notice of the disclosure.

Id. at 10 (emphasis in original).

Thus, according to the Pennsylvania Court of Common Pleas, Allegheny County, the ball is in the court of the Pennsylvania General Assembly to determine whether the duty to protect employees’ PII from data breaches should be placed on employers.

What this case means.  Where should the responsibility (burden?) of protecting personal identification information from data breaches lie, and what are the standards by which to measure compliance with that responsibility?  These are the straightforward questions Judge Wettick asked, and he received no definitive answers that would convince him to recognize a legal duty assigning the responsibility of protecting employee PII to employers.

Should the  Pennsylvania General Assembly enact legislation creating an affirmative duty on employers to protect employees’ PII from data breaches, the duty would be state-specific, much like current data breach notification standards across the country.  Other jurisdictions may address the issue differently.  Courts in other states, for instance, may recognize a duty on employers outright in lieu of deferring to the legislative branch, or merely recognize a duty on employers to protect PII as an inherent component in a preexisting statute.  This area of law continues to develop rapidly.

I’d like to thank Laura Schmidt, an associate at White and Williams, for her invaluable assistance with this piece.


IN IBM DATA BREACH CASE, THERE CAN BE NO PUBLICATION WITHOUT ACCESS



In Recall Total Info. Management, Inc. v. Federal Ins. Co., No. SC 19291, the Connecticut Supreme Court upheld the appellate court’s decision that a data breach suffered by IBM was not covered under general liability policies’ “personal and advertising injury” coverage.

In that case, Recall Total had contracted with IBM to transport off-site and store computer tapes containing the encrypted personal information of current and former IBM employees.  Recall then subcontracted the transportation services to Ex Log.  Ex Log lost the computer tapes when they fell from Ex Log’s truck onto the roadside and were retrieved by an unknown individual.  Importantly, there was no evidence that anyone ever accessed the information on the tapes or that their loss caused injury to any IBM employee.  Nevertheless, IBM spent significant sums of money providing identity theft services and complying with state notification requirements.  IBM sought to recoup its losses from Recall Total and Ex Log.

Recall Total and Ex Log, in turn, sought recovery from their general liability insurers, which had issued general liability policies providing “personal and advertising injury” coverage.  “Personal and advertising injury” was defined in part as “injury . . . caused by an offense of . . . electronic, oral, written or other publication of material that . . . violates a person’s right of privacy.”  The trial court held that coverage was not implicated by the events, and the appellate court affirmed, see 83 A.3d 664 (Ct. App. Ct. 2014).

The Connecticut Supreme Court affirmed on the basis that there was no alleged “publication.”  In doing so, the court adopted in whole the appellate court’s decision, stating:

Because the Appellate Court’s well reasoned opinion fully addresses the certified issue, it would serve no purpose for us to repeat the discussion contained therein.  We therefore adopt the Appellate Court’s opinion as the proper statement of the issue and the applicable law concerning that issue.

Some may recall that, because there was no evidence that the IBM employees’ PII had been accessed, the appellate court declined to expound upon the meaning of “publication.”  Instead, the court concluded that without access to the information, there was no “publication” under any definition of the term:

Regardless of the precise definition of publication, we believe that access is a necessary prerequisite to the communication or disclosure of personal information. In this regard, the plaintiffs have failed to provide a factual basis that the information on the tapes was ever accessed by anyone.

See 83 A.3d at 672-73.

Further bolstering the court’s conclusion was the fact that the parties had stipulated that none of the IBM employees affected had been injured.  The court stated: “Moreover, because the parties stipulated that none of the IBM employees have suffered injury as a result of the tapes being lost, we are unable to infer that there has been a publication.”  Id. at 673.  (See also The Coverage Inkwell, 1/16/2014.)

Finally, the Connecticut Supreme Court’s holding also affirms the appellate court’s decision that costs incurred from complying with data breach notification statutes do not implicate “personal and advertising injury” coverage.

What this case means: It is very simple.  If there is no evidence of access to, or the capability of accessing, the information, there is no publication.  This decision will be especially significant in the underlying factual context of lost or stolen laptops that contain encrypted corporate data and PII.
