
In Apache Corp. v. Great American Ins. Co., 2016 U.S. App. LEXIS 18748 (5th Cir. Oct. 18, 2016), the United States Court of Appeals for the Fifth Circuit held that loss from a phishing scam, which led to misdirected payments in the amount of $7 million, was not covered under a policy’s computer fraud coverage.  Although the fraudulent scheme was initiated through emails, the court held that the emails were too incidental to classify the insured’s subsequent loss as one “resulting directly from the use of any computer to fraudulently cause a transfer of that property.”

The facts of the case are straightforward and illustrate why every company should adopt double-verification practices as a preventive measure against cyber fraud.  In the case, the insured, Apache Corporation, was an oil-production company.  An employee in Scotland received a telephone call from a person identifying herself as a representative of Petrofac, an Apache vendor.  The caller instructed Apache to change the bank-account information for payments Apache made to Petrofac.  The Apache employee replied that the change-request could not be processed without a formal request on Petrofac letterhead.  Id. at *2.

A week later, Apache’s accounts-payable department received an email from a “petrofacltd.com” address.   (Petrofac’s real email domain name was “petrofac.com.”)  The fraudulent email sent from the “petrofacltd.com” address advised Apache that Petrofac’s “accounts details have now been changed”; and “[t]he new account takes . . . immediate effect and all future payments must now be made into this account.”  Attached to the email was a signed letter on Petrofac letterhead providing both Petrofac’s old-bank-account information and the new-bank-account information, along with instructions to use the new account immediately.  Id. at *2-3.  Apache took the bait.  In response to the email and attached letter, an Apache employee called the telephone number provided on the letter to verify the request and concluded that the change-request was authentic.  Id. at *3.  A different Apache employee approved and implemented the change-request, and a week later, Apache began transferring funds for payment of Petrofac’s invoices to the new bank account.  Id.  Uh oh.

Within one month, Apache received notification from Petrofac that it had not received over £4.3 million (approximately $7 million) due from outstanding invoices (and which Apache had transferred to the new (fraudulent) account).  Apache soon discovered it had fallen victim to a fraudulent scheme and was able to recoup all but $2.4 million of the payments previously made.  Id.

Apache submitted a claim under its “Computer Fraud” coverage, which provided that:

We will pay for loss of, and loss from damage to, money, securities and other property resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the premises or banking premises:

  1. to a person (other than a messenger) outside those premises; or

  2. to a place outside those premises.

Id. at *3-4 (emphasis added).  The insurer denied coverage, concluding that Apache’s “loss did not result directly from the use of a computer nor did the use of a computer cause the transfer of funds.”  Id.

Coverage litigation ensued.  The insurer argued that Apache’s loss “was not a covered occurrence because: the email did not ‘cause a transfer’”; and that coverage under the computer fraud provision was “‘unambiguously limited’ to losses from ‘hacking and other incidents of unauthorized computer use’.”  Id. at *6.  Apache, on the other hand, argued that the computer fraud provision was ambiguous; because the provision says nothing about “hacking,” Apache need only show that “any computer was used to fraudulently cause the transfer of funds.”  Id.  The parties cross-moved for summary judgment.  The trial court granted judgment in favor of Apache, concluding that “the intervening steps of the [post-email] confirmation phone call and supervisory approval do not rise to the level of negating the email [and computer] as being a ‘substantial factor’” of the loss to implicate coverage.  The Fifth Circuit reversed.

On appeal, the insurer argued that the fraudulent transfer of funds resulted from events other than the email, including the initial phone call and steps Apache took (and did not take) to authenticate the request.

GAIC maintains the transfer of funds to the fraudulent bank account resulted from other events: before the email, the telephone call directing Apache to change the account information; and, after the email, the telephone call by Apache to the criminals to confirm the change-request, followed by the Apache supervisor’s review and approval of the emailed request, Petrofac’s submission of invoices, the review and approval of them by Apache employees, and Apache’s authorized and intentional transfer of funds, even though to the fraudulent bank account.

Id. at *8.  As a result of all of these actions, the insurer argued that Apache’s loss did not “result[] directly from the use of any computer to fraudulently cause a transfer of that property.”

The Fifth Circuit agreed, concluding that although the fraudulent email sent to Apache “was part of the scheme” to defraud Apache, it was “merely incidental to the occurrence of the authorized transfer of money.”  Id. at *16.  The court explained:

Here, the “computer use” was an email with instructions to change a vendor’s payment information and make “all future payments” to it; the email, with the letter on Petrofac letterhead as an attachment, followed the initial telephone call from the criminals and was sent in response to Apache’s directive to send the request on the vendor’s letterhead. Once the email was received, an Apache employee called the telephone number provided on the fraudulent letterhead in the attachment to the email, instead of, for example, calling an independently-provided telephone contact for the vendor, such as the pre-existing contact information Apache would have used in past communications. Doubtless, had the confirmation call been properly directed, or had Apache performed a more thorough investigation, it would never have changed the vendor-payment account information.  Moreover, Apache changed the account information, and the transfers of money to the fraudulent account were initiated by Apache to pay legitimate invoices.

Id. at *15-16.
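The court’s point is a procedural one: the callback went to the number printed on the attacker’s own letterhead rather than to a contact held independently of the request. The following is an added example (not code from the case, from Apache, or from the court) of how an accounts-payable system can enforce that rule mechanically: it compares the sender domain and the callback number in a bank-detail change request against the vendor master record, flags a lookalike domain of the “petrofacltd.com” versus “petrofac.com” kind, and always returns the number of record as the one to dial. The vendor record, phone numbers, and account identifiers below are constructed placeholders, not facts from the opinion.

```python
"""Vendor bank-detail change verification (added example, constructed data)."""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class VendorRecord:
    """Vendor master data held independently of any incoming request."""
    name: str
    email_domain: str      # genuine domain, e.g. petrofac.com
    callback_phone: str    # number from prior dealings, never from the request
    bank_account: str      # account currently on file


@dataclass(frozen=True)
class ChangeRequest:
    """A bank-detail change request as received by accounts payable."""
    vendor_name: str
    sender_domain: str     # domain of the email that carried the request
    phone_in_request: str  # number printed on the letter or in the email
    new_bank_account: str


def _digits(phone: str) -> str:
    """Keep only digits so formatting differences do not mask a mismatch."""
    return re.sub(r"\D", "", phone)


def _first_label(domain: str) -> str:
    """Leftmost label of a domain; enough to catch 'petrofacltd' vs 'petrofac'."""
    return domain.lower().split(".")[0]


def is_lookalike_domain(candidate: str, genuine: str) -> bool:
    """True when the domains differ but one label contains the other."""
    if candidate.lower() == genuine.lower():
        return False
    c, g = _first_label(candidate), _first_label(genuine)
    return g in c or c in g


def review_change_request(req: ChangeRequest, vendors: dict) -> list:
    """Return a list of findings; an empty list means the request may proceed
    to a callback on the number of record. Nothing here approves a change."""
    findings = []
    rec = vendors.get(req.vendor_name)
    if rec is None:
        return [f"no vendor of record named {req.vendor_name!r}"]
    if req.sender_domain.lower() != rec.email_domain.lower():
        kind = "lookalike" if is_lookalike_domain(req.sender_domain, rec.email_domain) else "unrelated"
        findings.append(
            f"{kind} sender domain {req.sender_domain!r}; vendor of record uses {rec.email_domain!r}"
        )
    if _digits(req.phone_in_request) != _digits(rec.callback_phone):
        findings.append(
            f"callback number in request {req.phone_in_request!r} differs from "
            f"number of record {rec.callback_phone!r}; dial the number of record only"
        )
    if req.new_bank_account == rec.bank_account:
        findings.append("requested account is already on file; nothing to change")
    return findings


def callback_number(req: ChangeRequest, vendors: dict) -> str:
    """The only number ever dialled to confirm a change: the one of record."""
    return vendors[req.vendor_name].callback_phone


# Constructed sample data (placeholders, not values from the case).
VENDORS = {
    "Petrofac": VendorRecord("Petrofac", "petrofac.com", "+44 20 7000 0000", "ACCT-ON-FILE-0001"),
}
FRAUDULENT = ChangeRequest("Petrofac", "petrofacltd.com", "+44 20 7999 9999", "ACCT-NEW-9999")
GENUINE = ChangeRequest("Petrofac", "petrofac.com", "+44 20 7000 0000", "ACCT-NEW-0002")

if __name__ == "__main__":
    for label, req in (("fraudulent", FRAUDULENT), ("genuine", GENUINE)):
        print(label, review_change_request(req, VENDORS) or "no findings")
        print("  confirm by calling:", callback_number(req, VENDORS))
```

The decisive design choice is that `callback_number` never reads the request: even a request with no findings is confirmed against the contact the company already held, which is exactly the step the court said was missing.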

Given the wide use of computers as a means of communication, the court feared that to allow the email to implicate coverage for computer fraud would transform the “computer fraud” coverage into coverage for any fraud:

The email was part of the scheme; but, the email was merely incidental to the occurrence of the authorized transfer of money. To interpret the computer-fraud provision as reaching any fraudulent scheme in which an email communication was part of the process would, as stated in Pestmaster II, convert the computer-fraud provision to one for general fraud. . . . We take judicial notice that, when the policy was issued in 2012, electronic communications were, as they are now, ubiquitous, and even the line between “computer” and “telephone” was already blurred. In short, few, if any, fraudulent schemes would not involve some form of computer-facilitated communication.

Id. at *16-17 (emphasis added).

In addition, the court observed that Apache’s failure to properly investigate the fraudulent change-request also took Apache’s loss outside of the scope of the computer fraud’s insuring agreement:

No doubt, the better, safer procedure was to require the change-request to be made on letterhead, especially for future payment of Petrofac’s very large invoices. But the request must still be investigated properly to verify it is legitimate.  In any event, based on the evidence in the summary-judgment record, Apache followed up on the request in the email and its attachment.  In other words, the authorized transfer was made to the fraudulent account only because, after receiving the email, Apache failed to investigate accurately the new, but fraudulent, information provided to it.  [Emphasis added.]

Id. at *18 (emphasis added).

The court further reasoned that the invoices themselves could be viewed as the direct cause of the transfer of funds, not the use of a computer.

Moreover, viewing the multi-step process in its simplest form, the transfers were made not because of fraudulent information, but because Apache elected to pay legitimate invoices. Regrettably, it sent the payments to the wrong bank account. Restated, the invoices, not the email, were the reason for the funds transfers.

Id.  In other words, the email was too remote to classify the fraudulent payments as being a direct result of the use of a computer.

What this case means:  Here, the Fifth Circuit in essence rejected a syllogistic fallacy akin to “all tigers have stripes; all tigers are mammals; therefore, all mammals must have stripes.”  The syllogism presented here was: Apache used a computer. Apache suffered a fraud. Therefore, the fraud was from Apache’s use of a computer.  Coverage can’t work that way.  Computers are a dominant presence in our lives. They are perhaps the primary means of communication.  (Yes, our mobile phones are computers.)  Does that mean that any fraud that can be linked to the use of a computer is computer fraud?  No.  Given the wide use of computers, the Fifth Circuit clearly feared that to allow use of email to implicate coverage for computer fraud would transform “computer fraud” coverage into coverage for any fraud.

This case also provides another illustration as to why companies need to purchase cyber coverage. And why companies need cyber counsel to help train employees and help improve cybersecurity measures.  Cyber risk is very broad. Purchasing computer fraud coverage doesn’t come close to covering many of the risks out there.


In Eighth Promotions v. Cincinnati Ins. Cos., 2016 Ohio App. LEXIS 4119 (Ohio Ct. App. Oct. 11, 2016), the Ohio appellate court held that a letter forwarded to the insured by a copyright holder requesting that the company conduct a self-audit into its alleged copyright violations constituted a demand for non-monetary relief and thus fell within a policy’s definition for “claim.”  The same court also held that the insured could not stretch the scope of the claim or subsequent settlement to circumvent the policy’s copyright infringement exclusion.

The insured, Eighth Promotions, manufactured and sold sports awards and business gifts.  The company’s Operating Agreement provided indemnification protection to its officers and directors, stating that the company would “indemnify and hold harmless” its officers and directors “[i]n any ‘threatened . . . claim, action or proceeding to which any officer or any [director] . . . is [a] party or is threatened to be made a party by reason of its or his activities on behalf of [Eighth Floor].’”  Id. at *1-2.  The company purchased a D&O liability policy, which contained an insuring agreement covering “all ‘loss’ which the ‘company’ is required to pay as indemnification to the ‘individual insureds’ resulting from any ‘claim’ first made during the ‘policy period’ . . . for a ‘wrongful act’.”  Id. at *15-16.  The policy defined a “claim” in part as:

  1. A written demand for monetary damages or non-monetary relief; or

  2. A civil proceeding commenced by filing of a complaint or similar pleading[.]

Id.  “Loss” included “defense costs.”  Id. at *16.

The policy also had an intellectual property exclusion, but the exclusion did not apply to claims brought against “individual insureds,” such as the company’s officers or directors.  The exclusion stated that the insurer was not liable to pay, indemnify or defend any “claim”:

K. Based upon, arising out of, or in consequence of, or in any way involving actual or alleged infringement of copyright, patent, trademark, trade secret, service mark, trade name, or misappropriation of ideas or trade secrets or other intellectual property rights; provided, however, this exclusion shall not apply to any ‘claim’ against any ‘individual insureds’;

Id. at *17.

In May 2011, the insured received a letter from a trade group, the Business Software Alliance (BSA), investigating on behalf of its member companies “possible instances of illegal duplication of certain software.”  The letter contended that Eighth Promotions had installed on its computers more copies of software programs than it was licensed to use.  Id. at *1.  In lieu of litigation, BSA requested that the insured investigate and audit all of the software published by the BSA members on its computers, as well as the software licenses and proofs of purchase for those licenses, and share the results of its self-audit with BSA.  Id. at *3-4.  The insured tendered the letter to its insurer, which denied coverage on the ground that the letter did not constitute a “claim” because it was neither a “written demand for monetary damages or non-monetary relief” nor a “civil proceeding commenced by filing a complaint or similar pleading.”  Id. at *5.

The insured retained counsel and conducted an audit, revealing numerous instances of unauthorized software installations.  Id. at *6.  After sharing the results of the audit with BSA, BSA offered to settle the dispute under certain terms and conditions, including a payment of $179,393.  Id. at *8.  By entering the proposed settlement, BSA promised that its member clubs would “forego the filing any lawsuit against Eighth Floor and will release Eighth Floor from any liability related to past infringement of the copyrights in the software products listed below due to Eighth Floor’s use and/or installation of those products on Eighth Floor’s computers.”  Id. at *9.  The insured tendered the settlement offer to its insurance carrier, which denied coverage under the intellectual property exclusion.  Id. at *10.  The insured settled the dispute, obtaining a release for the company, as well as for its officers and directors.  Coverage litigation ensued.

The trial court in the coverage litigation granted the insurer summary judgment, holding that the initial “audit” letter did not constitute a claim and that the intellectual property exclusion barred coverage.  On appeal, the appellate court reversed in part.  Id. at *11.

The appellate court held that the May 2011 BSA letter, which inquired about instances of copyright infringement and offered to permit the insured to conduct a self-audit in lieu of litigation, constituted a “claim” to implicate coverage under the policy.  The court rejected the insurer’s characterization of the audit letter as giving “Eighth Floor an opportunity to conduct its own company-wide investigation to determine whether any copyright infringement had occurred.”  Id. at *18.  Instead, the court concluded that the letter provided the insured an opportunity to determine “the extent of Eighth Floor’s copyright violations—not whether Eighth Floor had committed copyright violations.”

The court next looked to the dictionary definitions for “demand,” “non-monetary” and “relief,” all used within the phrase “A written demand for monetary damages or non-monetary relief” to determine the meaning of “claim.”  The court attributed broad meanings to these terms, observing:

“Demand” is defined as “the assertion of a legal right or procedural right.”  Black’s Law Dictionary 522 (10th Ed.2014).

“Non” is defined as “not; no.” Id. at 1212. “Monetary” is defined as “of, relating to, or involving money.” Id. at 1158.

“Relief” is defined as “the redress or benefit, esp. equitable in nature (such as injunction or specific performance), that a party asks of a court.  Also termed remedy.” (Emphasis sic.)  Id. at 1482. “Remedy” is defined as “the means of enforcing a right or preventing or redressing a wrong; legal or equitable relief.” Id. at 1485.  [Internal brackets removed.]

Based on these broad meanings, the court held that the audit letter satisfied the definition for “claim.”  The court explained:

. . . [A]lthough the audit request gave Eighth Floor the “opportunity” to conduct a company-wide software audit, it implied that if Eighth Floor did not take up this “opportunity,” then the matter would proceed to litigation, where the BSA could have achieved the same result. The audit request also sought the preservation of evidence and stated that Willis should not attempt to purchase any software from sales representative of these companies until the matter was resolved.

These measures were the BSA’s “means of enforcing a right” and “preventing a wrong” within the plain and ordinary meaning of “remedy.” See Gold Tip, LLC v. Carolina Cas. Ins. Co., D. Utah No. 2:11-CV-00765-BSJ, 2012 WL 3638538, *4 (Aug. 23, 2012) (a written demand for non-monetary relief can encompass a letter that coerces conduct of the policyholder through the threat of using the legal process to compel that conduct.).

Id. at *22.

The court, however, held that the intellectual property exclusion prohibited coverage for the settlement.  Eighth Promotions argued that the exclusion’s exception for claims against “individual insureds” (meaning, the insured’s directors and officers) applied to trump the coverage denial.  Id. at *23.  To support its argument, Eighth Promotions relied upon the broad standard of interpreting pleadings for evaluating the duty to defend.  Under Ohio law (and the law of most jurisdictions), a duty to defend can be implicated where the allegations in a complaint support or allege an unpled claim that potentially is within the policy coverage.  Id. at *26.  Here, Eighth Promotions argued that although BSA’s demands were directed at the company, because the company’s officers and directors could be held vicariously liable for copyright infringement if BSA filed suit against the company, BSA’s demands contained a claim against the directors and officers that fell within the exception of the intellectual property exclusion.  Eighth Promotions argued:

Vicarious ‘liability for copyright infringement may be imposed upon an officer, directors, or shareholder so long as the individual ‘has the right and ability to supervise the infringing activity’ and also [2] has a direct financial interest in such activities. . . . As such, the Eighth Floor officers and directors were jointly and severally liable on [the] BSA’s claim. . . .

Had the matter not settled, the BSA would have named the officers and directors in its complaint because Eighth Floor was not solvent to the full extent of the potential damages. Because copyright infringement allows for joint and several liability, because the BSA was aware that Eighth Floor was closely held, and because the directors and officers constituted a viable source of recovery who necessarily shared equally in the liability, any lawyer drafting the complaint would be obligated to include the directors and officers as defendants.  [Internal brackets omitted.]

Id. at *25.  As further proof of the existence of a claim against Eighth Promotions’ officers and directors, the company also pointed to the release it had obtained for them.

The appellate court rejected the argument, stating that Ohio law did not support the proposition that “an insurer has a duty to defend an otherwise excluded ‘claim’ where the allegations in that ‘claim’ could potentially or arguably lead to another ‘claim’ which may be within the policy’s coverage.”  According to the court, the only “real” claim was made against the company:

The only real “claim” at issue here is the settlement offer which did not demand any monetary relief from Eighth Floor’s officers or directors or contain any language that could potentially or arguably be construed as a written demand for monetary (or non-monetary) relief against Eighth Floor’s officers and directors.

Id. at *27.  Nor could an insured use a release provision in a settlement agreement to bootstrap coverage by characterizing the release as a written demand for monetary or non-monetary relief:

It included a provision offering to release Eighth Floor’s officers and directors from liability if Eighth Floor complied with its demands, but this provision cannot potentially or arguably be construed as a written demand for monetary (or non-monetary) relief against Eighth Floor’s officers and directors

Id.  The case was remanded to the trial court to determine whether the exclusion barred the insurer’s duty to defend for the audit letter.

What this case means:  This case serves as a reminder that for claims-made policies that define the meaning of “claim,” the definition “written demand for monetary damages or non-monetary relief” can have a very broad meaning.  Here, the court concluded that a self-audit committed by the insured pursuant to a claimant’s notice letter satisfied this definition.  At the same time, the court rejected the insured’s attempt to broaden the scope of a claim, or to bootstrap coverage through a broad release in a settlement (even if obtaining additional releases in such a settlement was customary).  In essence, the court concluded that an insured may not goldmine for unstated claims or causes of action to broaden the scope of a settlement agreement from the uncovered to the covered.


Article III Standing in Data Breach Litigation and Problems Galaria Poses for Data Breach Responses


Last week, in Galaria v. Nationwide Mut. Ins. Co., 2016 U.S. App. LEXIS 16840 (6th Cir. Sept. 12, 2016), the United States Court of Appeals for the Sixth Circuit weighed in on the issue of Article III standing for data breach litigation and effectively lowered the threshold to establish standing.  The decision echoes sentiments expressed by the Seventh Circuit in Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016), and Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015).  The facts are straightforward, and the decision is part of an ongoing trend by courts to make it easier to allege injury and bring data breach litigation. This will drive up litigation. Yet, here is a bigger problem: the Sixth Circuit based its determination that standing existed to sue a breach victim on actions undertaken by the breach victim to mitigate damage and help consumers prevent the very harm that plaintiffs later sued over. Is the message of “darned if you do” one that courts want to establish? Can decisions like Galaria create an adverse impact on response efforts undertaken by breach victims? These are issues that a breach victim will have to wrestle with early on, and they provide one more reason why cyber counsel should be retained.

The facts of Galaria are straightforward. In that case, the breach victim, Nationwide, maintained records containing personal information of customers and potential customers, including names, dates of birth, marital statuses, employers, Social Security numbers, and driver’s license numbers. On October 3, 2012, hackers breached Nationwide’s computer network and stole the personal information of 1.1 million people. Id. at *3. In the underlying data breach litigation that followed, putative class actions alleged violation of the Fair Credit Reporting Act (“FCRA”) through Nationwide’s failure to adopt required procedures to protect against wrongful dissemination of plaintiffs’ data. Plaintiffs also alleged claims for negligence, and invasion of privacy by public disclosure of private facts – all based on Nationwide’s failure to secure Plaintiffs’ data.  Id. at *4.

In support of their claims, plaintiffs alleged that an illicit international market exists for stolen personal data. According to the complaints, Nationwide’s data breach created an “imminent, immediate and continuing increased risk” that plaintiffs would be subject to identity theft. They cited a study purporting to show that in 2011 recipients of data-breach notifications were 9.6 times more likely to experience identity fraud, and had a fraud incidence rate of 19%.  They also alleged that victims of identity theft “typically spend hundreds of hours in personal time and hundreds of dollars in personal funds,” incurring an average of $354 in out-of-pocket expenses and $1,513 in total economic loss.  Id. at *5.

The federal district court dismissed the lawsuits, concluding that plaintiffs lacked statutory standing for the FCRA claims and lacked Article III standing for the negligence and bailment claims. The court also concluded that while plaintiffs had standing for their invasion of privacy claims, such claims failed to allege a cognizable injury. Plaintiffs appealed the trial court’s order, except for the dismissal of the invasion of privacy claims.  Id. at *6-7. The Sixth Circuit reversed.

In order to bring a lawsuit, a plaintiff must have standing under Article III of the United States Constitution; “[t]he doctrine of standing gives meaning to these constitutional limits by ‘identify[ing] those disputes which are appropriately resolved through the judicial process.’” Id. at *8 (citation omitted). In Spokeo v. Robins, 136 S. Ct. 1540, 1547 (2016), the United States Supreme Court explained that “the ‘irreducible constitutional minimum’ of standing consists of three elements.” Those elements are that a plaintiff “must have (1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of a defendant, and (3) that is likely to be redressed by a favorable judicial decision.” Spokeo, 136 S. Ct. at 1547; Galaria, 2016 U.S. App. LEXIS 16840 at *8. A plaintiff must prove those elements.  Id. Focusing on the first two elements, the Sixth Circuit in Galaria concluded that plaintiffs met their burden of proof and established Article III standing at the pleading stage to survive a motion to dismiss. As litigators know, that is half the battle.

The Galaria court explained that “[t]o establish injury in fact, a plaintiff must show that he or she suffered ‘an invasion of a legally protected interest’ that is ‘concrete and particularized’ and ‘actual or imminent, not conjectural or hypothetical.’” Galaria, 2016 U.S. App. LEXIS 16840 at *8 (quoting Spokeo, at 1548). Where a plaintiff seeks to establish standing based on an imminent injury, “that ‘threatened injury must be certainly impending to constitute injury in fact’”; “‘[a]llegations of possible future injury’ are not sufficient.” Id. at *9 (quoting Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138, 1147 (2013)).

In the case before it, the Sixth Circuit concluded that plaintiffs’ allegations of increased risk of identity theft, coupled with “reasonably incurred mitigation costs,” established a concrete and particularized imminent injury for purposes of standing. Critically, the court based its decision on the fact that (1) there was proof that the plaintiffs’ information was in fact stolen, (2) hackers had targeted it, and (3) Nationwide had offered free credit monitoring services to help consumers mitigate their danger:

There is no need for speculation where Plaintiffs allege that their data has already been stolen and is now in the hands of ill-intentioned criminals.  Indeed, Nationwide seems to recognize the severity of the risk, given its offer to provide credit-monitoring and identity-theft protection for a full year. Where a data breach targets personal information, a reasonable inference can be drawn that the hackers will use the victims’ data for the fraudulent purposes alleged in Plaintiffs’ complaints. [Bold added.]

Id. at *9-10.

The fact that plaintiffs also could identify specific costs incurred by them from steps recommended by Nationwide in its data breach notification letter further supported the court’s finding that the underlying complaints alleged an imminent injury:

Although Nationwide offered to provide some of these services for a limited time, Plaintiffs allege that the risk is continuing, and that they have also incurred costs to obtain protections—namely, credit freezes—that Nationwide recommended but did not cover. This is not a case where Plaintiffs seek to “manufacture standing by incurring costs in anticipation of non-imminent harm.” [Citing Clapper, at 1155.]  Rather, these costs are a concrete injury suffered to mitigate an imminent harm, and satisfy the injury requirement of Article III standing.  [Bold added.]

Id. at *10-11.

Under the second element, the Sixth Circuit in Galaria held that the alleged harm was “fairly traceable” to Nationwide’s alleged conduct to satisfy Article III standing. Id. at *13. To satisfy the “fairly traceable” element, a plaintiff need not allege proximate causation. “Indirect” injury is sufficient.  Id. at *14. Here, the Galaria court held that plaintiffs had sufficiently alleged that their injuries were “fairly traceable” to Nationwide’s conduct, because Nationwide’s alleged negligence allowed the breach to happen:

Although hackers are the direct cause of Plaintiffs’ injuries, the hackers were able to access Plaintiffs’ data only because Nationwide allegedly failed to secure the sensitive personal information entrusted to its custody. In other words, but for Nationwide’s allegedly lax security, the hackers would not have been able to steal Plaintiffs’ data. These allegations meet the threshold for Article III traceability, which requires “more than speculative but less than but-for” causation.  [Bold added.]

Id. at *15.

Finally, the Sixth Circuit concluded that plaintiffs had statutory standing to bring their FCRA claims. Because plaintiffs had Article III standing to bring the lawsuit in general, they had standing to bring their FCRA claims, and there was no need to evaluate the causes of action alleged in the complaints themselves.  Id. at *17-18.

What does this case mean? This case goes beyond the lowering of the standing threshold.  It also demonstrates why a data breach victim needs a cyber law attorney to help navigate the inevitable legal minefield that will follow a data breach. For instance, when a company suffers a data breach, state notification statutes require those companies to notify persons whose information has been compromised. Many state laws actually will require that notification letters include information explaining to consumers what steps may be taken to mitigate or monitor against any potential harm. Connecticut law requires that credit monitoring services be offered.  Many companies offer credit monitoring services as an act of goodwill.

Yet, in Galaria, the Sixth Circuit used the content of a breach victim’s notification letter and offer of credit monitoring services to permit multiple lawsuits to proceed against it. Does that leave a breach victim with an untenable, Hobson’s choice: comply with state notification laws and get sued, or potentially violate those laws to avoid creating Article III standing for future class actions? Some may say so. These are issues that breach victims are going to need to address when first responding to a breach. It’s another reason to have cyber counsel involved as early as possible when a breach has occurred.


It’s hard to believe that we are less than two months away from Coverage College (September 22). If you have not signed up yet, please do by visiting White and Williams’ website. This year, I will be teaching a class on coverage issues in privacy and cyber liability litigation. It should be an exciting and fast-paced class. We’ll have a lot to talk about.  

Last Friday, in Ellicott City Cable, LLC v. AXIS Ins. Co., 2016 U.S. Dist. LEXIS 95819 (D. Md. July 22, 2016), the federal district court of Maryland rejected the contention that pirated digital television programming constituted “data” under a media policy. Even broad terms do not have boundless meanings. Terms must be read within the context of their use and the policy as a whole.

In the case, the insured, Ellicott City Cable (ECC), provided television, internet, and telephone services to residents of two separate residential communities, Taylor Village and Waverly Woods.  Id. at *3-4. To provide television, ECC contracted to obtain satellite television programming from DirecTV, LLC through DirecTV agents Sky Cable, LLC (Sky Cable) and North American Cable Equipment (NACE). (ECC never contracted with DirecTV to provide internet or telephone services.) Id. at *4. Under the contract, ECC distributed the DirecTV programming through equipment and credentials provided by Sky Cable and NACE, and made monthly payments directly to DirecTV for access to its programming. Id.

ECC later terminated its contract with DirecTV. Thereafter, DirecTV commenced an action against ECC and Sky Cable asserting that the defendants had “fraudulently” obtained, and assisted others to obtain, DirecTV’s satellite television programming and had distributed the programming through unauthorized cable television systems.  Id. at *5.  DirecTV asserted that ECC, through Sky Cable, set up private cable systems to deliver programming to more units in the Taylor Village and Waverly Woods communities than the DirecTV contract permitted. DirecTV also asserted that ECC created multiple dwelling unit accounts with DirecTV for both properties, but distributed the programming to occupants and residents outside the scope of those agreements, including by running wiring across public rights of way.  Id.

ECC sought coverage from its media liability insurer, which had issued a media policy providing coverage for damages “as a result of an Occurrence in connection with Scheduled Media during the Policy Period that gives rise to a Claim . . . .”  Id. at *11.  Occurrence was defined in part as “the actual or alleged . . . publication, broadcast or other dissemination of Matter[.]”  Id. at *11, n.10. Matter was defined in part as “communicative or informational content regardless of the nature or form.”  Id.

The media policy had an exclusion that prohibited coverage for claims:

for or arising out of any actual or alleged . . . unauthorized access to, unauthorized use of, or unauthorized alteration of any computer or system, hardware, software, program, network, data, database, communication network or service, including the introduction of malicious code or virus by any person . . .

Id. at *11-12 (emphasis added).

The policy also had additional coverage under Endorsement 3 for claims “for or arising out of the failure to prevent a party from unauthorized access to, unauthorized use of, tampering with or introduction of a computer virus or malicious code into data or systems.” However, coverage under Endorsement 3 did not apply to claims for:

intentional unauthorized access to, unauthorized use of, tampering with or introduction of a computer virus or malicious code into data or systems by any Insured or person who would qualify as an Insured but for their acts being outside the scope of their duties as a partner, . . . except that this exclusion shall not apply to any Insured who did not commit, acquiesce or participate in the actions that gave rise to the Claim.

Id. at *12-13 (emphasis added). As later noted by the Ellicott City Cable Court in its opinion, both policy provisions apply to claims for or arising out of unauthorized access to “data”; with the coverage exception in Endorsement 3 adding the qualifier that the unauthorized access be “intentional.” Id. at *14.

The insurer contended that it had no duty to defend under the exclusion and the exception to coverage under Endorsement 3, contending that DirecTV’s lawsuit for the unauthorized distribution of television programming alleged unauthorized access to data. ECC disagreed, contending that television programming is not “data.”  The Ellicott City Cable Court agreed with the insured.

The court recognized that the term “data” is very broad, and this may have been the insurer’s hope when invoking the policy’s exclusions. Merriam-Webster’s Dictionary defines “data” as “facts or information used usually to calculate, analyze, or plan something” or “information that is produced or stored by a computer.” Id. at *15. However, the court found the term so broad as to be ambiguous. “Given the breadth of this definition [for data],” the court employed the canons of construction ejusdem generis and noscitur a sociis, which direct a court, when determining the meaning of a broad word, to consider “the accompanying words so that . . . general and specific words, capable of analogous meaning, when associated together, take color from each other[.]”  Id. at *16. Based on these canons, the court concluded that the word “data” referred to computers, not television programming.

First, the court noted that DirecTV did not use the term “data” to describe the television programming that ECC had allegedly accessed without authorization.  Id. at *15.  The court then looked to the wording of the exclusions at issue, determining that the list of terms in the exclusions limited, rather than expanded, the meaning of the term “data.”  The exclusion applied to unauthorized access of “any computer or system, hardware, software, program, network, data, database, communication network or service, including the introduction of malicious code or virus by any person . . . .”  Id. at *16.  The common denominator of these terms was the internet and computers, not television programming:

The common factor underlying all terms listed is their relation to the internet or digital matters in general.  Indeed, the inclusion of “introduction of malicious code or virus” speaks directly to a common risk associated with the internet (and computers). “Data,” in this context, thus appears to concern information related to the internet, and not television programming.

Id. at *17 (emphasis added).

The insurer argued that DirecTV’s programming did involve digital compression and encryption of its signal and thus fell within the umbrella of “digital matters.”  The court rejected the argument in part because DirecTV also provided analog signals.  Under the insurer’s contention, the policy would cover analog signals, but exclude digital signals, a result that the court would not endorse:

Yet, this argument ignores that DirecTV’s television programming takes both digital and analog forms. Under Axis’s reasoning, ECC would receive insurance coverage for unauthorized access to analog television programming, and not digital television programming. Neither Axis nor the Policies themselves present any persuasive argument in favor of such a distinction.

Id. at *16-17.

The court applied the same reasoning to the coverage exception for Endorsement 3, which employed “the same broad term accompanied by terms like ‘computer virus’ and ‘malicious code.’”  The court explained:

Similarly, the exclusion of Endorsement No. 3 applies to intentional unauthorized access of “data or systems[.]”  While this exclusion does not include all terms of the first exclusion, it employs the same broad term accompanied by terms like “computer virus” and “malicious code.” Even if the exclusion uses the disjunctive “or” in describing the excluded conduct, this use does not negate the inference that “data or systems” concern information related to the internet or computers generally.

Id. (internal citations omitted).

The court also looked to coverage provided elsewhere in the policy for piracy claims to conclude that the term “data” could not encompass media programming. The court observed that the policy covered claims “for or arising out of . . . any form of infringement of copyright, violation of Droit Moral, passing-off, plagiarism, Piracy or misappropriation of ideas,” defining “piracy” as “the wrongful use, reprinting or reproduction of copyrighted intellectual property.” Id. at *18.  According to the court, “piracy” described “precisely” DirecTV’s allegations against ECC and Sky Cable.  Thus, “[t]o interpret ‘data’ as including DirecTV’s television programming would effectively broaden the scope of the exclusion to eliminate any coverage for piracy.”  Id.  “Rather than create such a contradiction,” the court held it must construe the ambiguity of “data” against the insurer.  Id. at *18-19.

As a result, the court determined that DirecTV’s television programming is not “data” within the meaning of either exclusion.  Id. at *19.

What this case means:   Media policies and cybersecurity policies sometimes employ very broad terms that remain undefined in the policies themselves.  Examples of such terms include “matter,” “network,” “systems,” “electronic,” and even “data.”  Ellicott City Cable is a good reminder that even broad terms do not have boundless meaning, both in coverage grants and in coverage exclusions. Terms must be read within the context of their use and the policy as a whole.




In P.F. Chang’s China Bistro, Inc. v. Federal Ins. Co., 2016 WL 3055111 (D. Ariz. May 31, 2016), the United States District Court for the District of Arizona held that liability for PCI assessments following a data breach of 60,000 credit card numbers was excluded under a cybersecurity policy.  This case demonstrates that carriers can, and do, define the risk insured under a policy, including a cybersecurity policy.

In P.F. Chang’s, the insured purchased a cybersecurity insurance policy.  The insurer’s underwriters classified the insured as a high risk, “PCI Level 1,” because the insured conducted more than 6 million transactions per year, a large number of which were with credit cards, thus creating a high exposure to potential customer identity theft.  Id. at *1.  The insured, like many merchants, could not process credit card transactions itself, and therefore entered into an agreement with a credit card processor to process credit card transactions with the banks that issue the credit cards (“Issuers”), such as Chase or Wells Fargo.  Here, Chang’s entered into a Master Services Agreement (“MSA”) with the credit card processor Bank of America Merchant Services (“BAMS”) to process credit card payments made by customers of Chang’s.  Id.  Under the MSA, Chang’s delivered customer credit card payment information to BAMS, which then settled the transaction through an automated clearinghouse.  BAMS thereafter credited Chang’s account for the amount of the payments.  Id.

Importantly, credit card processors like BAMS perform their services under agreements entered into with the credit card associations like MasterCard and Visa. Id.  Here, BAMS’s agreement with MasterCard, which was governed by the MasterCard Rules and incorporated into the MSA with Chang’s, obligated BAMS to pay certain fees/fines and assessments to MasterCard in the event of a data breach involving credit card information.  The assessments included “Operational Reimbursement” fees and “Fraud Recovery” fees.  Id.  Under the Chang’s MSA, Chang’s agreed to compensate or reimburse BAMS for “fees,” “fines,” “penalties,” or “assessments” imposed on BAMS by credit card associations like MasterCard.  Id. at *2.  The MSA read in part:

[Chang’s] agrees to pay [BAMS] any fines, fees, or penalties imposed on [BAMS] by any Associations, resulting from Chargebacks and any other fines, fees or penalties imposed by an Association with respect to acts or omissions of [Chang’s] . . . . In addition to the interchange rates, [BAMS] may pass through to [Chang’s] any fees assessed to [BAMS] by the [Associations], including but not limited to, new fees, fines, penalties and assessments imposed by the [Associations].

 Id. at *2.  Assessments levied by MasterCard against BAMS, for which Chang’s was responsible under the Chang’s MSA, became the focus of a coverage dispute.

 On June 10, 2014, Chang’s learned that computer hackers had obtained and posted on the Internet approximately 60,000 credit card numbers belonging to its customers.  Chang’s notified its insurer of the data breach that very same day.  Id.  Almost one year later, on March 2, 2015, MasterCard issued an “ADC Operational Reimbursement/Fraud Recovery Final Acquirer Financial Responsibility Report” to BAMS, assessing over $1.9 million in fines and assessments against BAMS for the data breach.  The fines were “a Fraud Recovery Assessment of $1,716,798.85, an Operational Reimbursement Assessment of $163,122.72 for Chang’s data breach, and a Case Management Fee of $50,000.”  Id.  “The Fraud Recovery Assessment reflects costs, as calculated by MasterCard, associated with fraudulent charges that may have arisen from, or may be related to, the security compromise. The Operational Reimbursement Assessment reflects costs to notify cardholders affected by the security compromise and to reissue and deliver payment cards, new account numbers, and security codes to those cardholders. The Case Management Fee is a flat fee and relates to considerations regarding Chang’s compliance with Payment Card Industry Data Security Standards.”  Id.

BAMS sought indemnity from Chang’s.  Pursuant to the Chang’s MSA, and in order to continue operations and not lose its ability to process credit card transactions, Chang’s reimbursed BAMS on April 15, 2015.  Chang’s sought coverage for the $1.9 million payment under three insuring agreements under the cybersecurity policy: Insuring Agreement A, Insuring Agreement B, and Insuring Agreement D.2.  The insurer denied coverage and litigation ensued.  Id.

No Privacy Injury Under Insuring Agreement A

Insuring Agreement A paid for “‘Loss’ on behalf of an ‘Insured’ on account of any ‘Claim’ first made against such ‘Insured’ . . .  for ‘Injury’,” which included a “Privacy Injury.”  Id. at *4.  “Privacy Injury” was defined as “injury sustained or allegedly sustained by a Person because of actual or potential unauthorized access to such Person’s Record, or exceeding access to such Person’s Record.”  Id.  The insurer argued that Chang’s did not sustain a Privacy Injury because its own Records were not compromised during the data breach.  Id. at *5.  Chang’s acknowledged that it was the credit card issuers who suffered a Privacy Injury because it was their Records which were compromised in the data breach.  However, Chang’s argued that the owner of the “Records” was immaterial to the issue of coverage because the injury “first passed through BAMS before BAMS in turn charged Chang’s” pursuant to industry standards.  Id.  As the Court generalized, “[b]asically, Chang’s argues that because a Privacy Injury exists and was levied against it, regardless of who suffered it, the Injury is covered under the Policy.”  Id.

The Court disagreed with Chang’s and held that there was no Privacy Injury to implicate coverage under Insuring Agreement A because BAMS’s own Records had not been compromised.  Thus, there was no coverage for Chang’s reimbursement of the MasterCard ADC Fraud Recovery Assessment levied against BAMS:

The Court agrees with [the insurer]; BAMS did not sustain a Privacy Injury itself, and therefore cannot maintain a valid Claim for Injury against Chang’s. The definition of Privacy Injury requires an “actual or potential unauthorized access to such Person’s Record, or exceeding access to such Person’s Record.” (Doc. 8-1) (emphasis added).  The usage of the word “such” means that only the Person whose Record is actually or potentially accessed without authorization suffers a Privacy Injury.  Here, because the customers’ information that was the subject of the data breach was not part of BAMS’ Record, but rather the Record of the issuing banks, BAMS did not sustain a Privacy Injury.  Thus, BAMS did not make a valid Claim of the type covered under Insuring Clause A against Chang’s.

Id. at *5.

Coverage Under Insuring Agreement B Initially Implicated

Insuring Agreement B of the policy stated that the insurer would “pay ‘Privacy Notification Expenses’ incurred by an ‘Insured’ resulting from [Privacy] Injury.”  Id. at *5.  The policy defined “Privacy Notification Expenses” as “the reasonable and necessary cost[s] of notifying those Persons who may be directly affected by the potential or actual unauthorized access of a Record, and changing such Person’s account numbers, other identification numbers and security codes….”  Id.

Chang’s contended that the ADC Operational Reimbursement fee was a “Privacy Notification Expense” because it compensated credit card issuers for the cost of reissuing bankcards and new account numbers and security codes to Chang’s customers.  The insurer argued that coverage did not exist because the ADC Operational Reimbursement fee was not incurred by Chang’s itself, but rather by BAMS.  It also argued that the fee did not qualify as a “Privacy Notification Expense” because there was no evidence that the fee was used to “notify[ ] those Persons who may be directly affected by the potential or actual unauthorized access of a Record, and changing such Person’s account numbers, other identification numbers and security codes.”  Id. at *6.

The Court agreed with Chang’s.  Relying on Arizona courts’ broad interpretation of the term “incurred,” which requires only that an insured become liable for the expense, even if the expense originally was paid by others, the Court held that the ADC Operational Reimbursement fee was “incurred by” Chang’s “resulting from [Privacy] Injury.”  Id. The Court explained:

Although the ADC Operational Reimbursement fee was originally incurred by BAMS, Chang’s is liable for it pursuant to its MSA with BAMS.

Id. at *6.

The Court also held that sufficient evidence existed – and the insurer did not identify any contrary evidence – that the assessment was to be used to compensate credit card issuers for the costs of notifying about the security compromise and reissuing credit cards to Chang’s customers to have the damages fall within the meaning of a “Privacy Notification Expense.”  Id.  As discussed further below, ultimately the Court held that two exclusions applied to bar coverage.

Coverage Under Insuring Agreement D.2 Potentially Implicated

The Court also held that it could not conclude, as a matter of law, that the requirements of Insuring Agreement D.2 were unsatisfied.  The Insuring Agreement covered “’Extra Expenses’ an ‘Insured’ incurs during the ‘Period of Recovery of Services’ due to the actual or potential impairment or denial of ‘Operations’ resulting directly from ‘Fraudulent Access or Transmission’.” Id. at *6.  The policy defined “Extra Expenses” to include “reasonable expenses an Insured incurs in an attempt to continue Operations that are over and above the expenses such Insured would have normally incurred. Extra Expenses do not include any costs of updating, upgrading or remediation of an Insured’s System that are not otherwise covered under [the] Policy.”  Id.  Critically, the policy defined “Period of Recovery of Services” as beginning:

. . . immediately after the actual or potential impairment or denial of Operations occurs; and will continue until the earlier of…the date Operations are restored,…to the condition that would have existed had there been no impairment or denial; or sixty (60) days after the date an Insured’s Services are fully restored…to the level that would have existed had there been no impairment or denial.

Id. at *6.

The insurer argued that Insuring Clause D.2. did not apply because Chang’s had not submitted evidence demonstrating that the data breach caused “actual or potential impairment or denial” of business activities.  Id. at *7.  The insurer also argued that Chang’s did not incur Loss during the “Period of Recovery of Services” because it did not pay the Case Management Fee until April 15, 2015, nearly one year after it discovered the data breach.  Id.  Chang’s contended that its ability to operate was impaired because BAMS would have terminated the MSA and eliminated Chang’s ability to process credit card transactions if it did not pay BAMS.  Further, the MSA prohibited Chang’s from using another servicer while contracting with BAMS for its services.  Id.  Chang’s also contended that its business activities were still not fully restored; therefore, the “Period of Recovery of Services” remained ongoing.  Id.

The Court agreed with Chang’s in part, concluding that the evidence showed that “Chang’s experienced a Fraudulent Access during the data breach and that its ability to perform its regular business activities would be potentially impaired if it did not immediately pay the Case Management Fee imposed by BAMS.”  Id.  However, whether Chang’s operations were not yet fully restored, thereby extending the “Period of Recovery of Services,” was an issue of fact that the Court could not resolve on summary judgment and was best suited for trial.  Id. at *7.  As discussed below, ultimately the Court held that two exclusions applied to bar coverage.

Two Contractual Liability Exclusions Prohibit Coverage  

Although the Court held that the requirements of Insuring Agreement B were met, and refrained from ruling on the requirements of Insuring Agreement D.2., the court held that coverage under the Insuring Agreements was prohibited by two policy exclusions.  The two exclusions prohibited coverage as follows:

With respect to all Insuring Clauses, [the insurer] shall not be liable for any Loss on account of any Claim, or for any Expense . . . based upon, arising from or in consequence of any . . . liability assumed by any Insured under any contract or agreement.

* * *

With respect to Insuring Clauses B through H, [the insurer] shall not be liable for…any costs or expenses incurred to perform any obligation assumed by, on behalf of, or with the consent of any Insured.

Id. at *7.  The Court characterized these two exclusions as “the same in that they bar coverage for contractual obligations an insured assumes with a third-party outside of the Policy.”  Id.  In addition, “Loss” was defined to exclude “any costs or expenses incurred to perform any obligation assumed by, on behalf of, or with the consent of any Insured.”  Id.

Notably, the Court “turned to cases analyzing commercial general liability insurance policies for guidance, because cybersecurity insurance policies are relatively new to the market but the fundamental principles are the same.”  Id. at *8.  Observing that “Arizona courts, as well as those across the nation, hold that such contractual liability exclusions apply to ‘the assumption of another’s liability, such as an agreement to indemnify or hold another harmless’,” the Court  held that both exclusions, as well as the definition of “Loss,” applied to prohibit coverage under Insuring Agreement B.  The Court explained:

In no less than three places in the MSA does Chang’s agree to reimburse or compensate BAMS for any “fees,” “fines,” “penalties,” or “assessments” imposed on BAMS by the Associations, or, in other words, indemnify BAMS. . . . Furthermore, the Court is unable to find and Chang’s does not direct the Court’s attention to any evidence in the record indicating that Chang’s would have been liable for these Assessments absent its agreement with BAMS. While such an exception to an exclusion of this nature may exist in the law, it is not applicable here.

Id. at *8.

What This Case Means:  This case has a number of takeaways.  Briefly, and perhaps most important, this case illustrates that although cybersecurity insurance can provide significant amounts of coverage – here, the Court noted that the insurer already had provided $1.7 million in coverage under the policy to Chang’s – coverage is not limitless.  Some may say that a policyholder should “read the fine print,” but I say that the policyholder should understand its risk and ensure it purchases the insurance it needs.  A carrier has an unfettered right to limit the scope of the cyber risk it is willing to insure.  This case also raises the issue of coverage for liability assumed under third-party contracts, which can be a significant source of exposure in a data breach.  It also illustrates how the timing of liability and payments can affect coverage.  “Extra Expenses” coverage, sometimes overlooked, also can play a significant role in a data breach.  Questions are welcome.

This entry was posted in Data Breach Insurance Coverage.



In State Bank v. BancInsure, Inc., 2016 U.S. App. LEXIS 9235 (8th Cir. May 20, 2016), the United States Court of Appeals for the Eighth Circuit held that a $485,000 fraudulent wire transfer perpetrated through the use of malware residing on a bank employee’s computer was covered under the bank’s financial institution bond.  The facts are straightforward.

The insured used the Federal Reserve’s FedLine Advantage Plus system to perform wire transfers. The transfers were made through a desktop computer connected to a Virtual Private Network device provided by the Federal Reserve. In order to complete a transfer, two bank employees had to enter their individual user names, and each had to insert individual physical tokens into the computer, and provide individual passwords and passphrases.

In the matter at issue, a bank employee completed a FedLine wire transfer. However, instead of following company policy and protocol by engaging the participation of a second employee, as required, the employee completed the transfer on a single computer using her own token, password, and passphrase together with the token, password, and passphrase of a second employee.  At the end of the work day, she left both tokens in the computer and left the computer running overnight.  When she returned to work the next morning, she discovered that two unauthorized wire transfers had been made from the bank’s Federal Reserve account.  Money from one of the transfers was recovered; the $485,000 wired in the second transfer was not.  Id. at *1-2.
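The two-person rule described above is the control that the employee's shortcut defeated: two sets of valid credentials were presented, but by one person at one desk, and the tokens then sat live in the machine overnight. The following Python check is an added illustration (it is not FedLine's or the bank's code; the field names, the 15-minute idle limit, the requirement that the two approvals come from different workstations, and the sample approvals are all assumptions chosen for the example). It refuses a transfer unless two approvals come from distinct users, tokens, login sessions and workstations, and it refuses any approval whose session has gone idle, which is what a token left in a running computer looks like to the system the next morning:

```python
"""Dual-control (two-person rule) check for outgoing wire transfers.

Added illustration, not FedLine's or the bank's code.  Field names, the
idle-timeout value, the distinct-workstation rule and the sample
approvals are assumptions chosen for the example.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: a token session idle this long is treated as abandoned
# (e.g. a token left in a running workstation overnight).
IDLE_LIMIT = timedelta(minutes=15)


@dataclass(frozen=True)
class Approval:
    user_id: str             # individual login name
    token_id: str            # serial of the physical token presented
    workstation: str         # host on which the credentials were presented
    session_id: str          # login session in which the approval was given
    last_activity: datetime  # last keyboard/mouse activity in that session


@dataclass(frozen=True)
class Decision:
    approved: bool
    reason: str


def check_dual_control(approvals: list[Approval], now: datetime,
                       idle_limit: timedelta = IDLE_LIMIT) -> Decision:
    """Approve only when two *independent* operators sign off.

    Independence means distinct users, tokens, login sessions and
    workstations; one employee holding two tokens at one desk fails the
    workstation test even though every credential is valid.  Any approval
    whose session has gone idle is refused outright.
    """
    if len(approvals) != 2:
        return Decision(False, f"need exactly 2 approvals, got {len(approvals)}")
    a, b = approvals
    for label, x, y in (("user", a.user_id, b.user_id),
                        ("token", a.token_id, b.token_id),
                        ("session", a.session_id, b.session_id),
                        ("workstation", a.workstation, b.workstation)):
        if x == y:
            return Decision(False, f"both approvals share the same {label}: {x}")
    for ap in approvals:
        idle = now - ap.last_activity
        if idle > idle_limit:
            return Decision(False, f"session {ap.session_id} idle for {idle}; "
                                   "remove token and re-authenticate")
    return Decision(True, "two independent approvers")


def demo() -> dict[str, Decision]:
    """Constructed scenarios; the first two mirror the failures in the case."""
    t0 = datetime(2011, 10, 20, 16, 30)  # constructed timestamp
    # 1. One employee logs in twice at her own desk, once with each token.
    same_desk = [
        Approval("alice", "TOK-1", "ws-07", "sess-a1", t0),
        Approval("bob",   "TOK-2", "ws-07", "sess-b1", t0),
    ]
    # 2. Both tokens left in running machines; the request arrives next morning.
    overnight = [
        Approval("alice", "TOK-1", "ws-07", "sess-a1", t0),
        Approval("bob",   "TOK-2", "ws-12", "sess-b1", t0),
    ]
    # 3. The procedure as designed: two people, two desks, minutes apart.
    proper = [
        Approval("alice", "TOK-1", "ws-07", "sess-a1", t0),
        Approval("bob",   "TOK-2", "ws-12", "sess-b1", t0 + timedelta(minutes=2)),
    ]
    return {
        "same_desk": check_dual_control(same_desk, t0 + timedelta(minutes=1)),
        "overnight": check_dual_control(overnight, t0 + timedelta(hours=14)),
        "proper":    check_dual_control(proper, t0 + timedelta(minutes=3)),
        "single":    check_dual_control(proper[:1], t0),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:10s} approved={decision.approved}  {decision.reason}")
```

The same-workstation test is what turns "a second employee must participate" from a written policy into something the system itself can verify. Note the caveat the facts of this case impose: an idle timeout removes the overnight window, but it does nothing about malware already resident on the workstation while an operator is present, so it complements endpoint hygiene rather than replacing it.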

An investigation revealed that malware residing on the computer had permitted the intrusion through which the fraudulent transfers were completed. Id. at *2.  The bank sought coverage under its financial institution bond, which covered losses caused by computer systems fraud.  The insuring agreement covered, in part:

Loss resulting directly from a fraudulent

(1) entry of Electronic Data or Computer Program into, or

(2) change of Electronic Data or Computer Program within

any Computer System operated by the Insured, whether owned or leased, or any Computer System identified in the application for this Bond, or a Computer System first used by the Insured during the Bond Period, provided the entry or change causes

(1) property to be transferred, paid or delivered,

(2) an account of the Insured or of its customer to be added, deleted, debited or credited, or

(3) an unauthorized account or fictitious account to be debited or credited.

Id. at *3-4, n.2.

The carrier denied coverage, citing bond exclusions for employee-caused loss, theft of confidential information, and mechanical breakdown or deterioration of a computer system.  Id. at *3.  The carrier cited the following exclusions, which prohibited coverage for:

(h) loss caused by an Employee . . . resulting directly from misplacement, mysterious unexplainable disappearance or destruction of or damage to Property;

. . . .

(bb) (4) loss resulting directly or indirectly from theft of confidential information,

. . . .

(bb) (12) loss resulting directly or indirectly from

(a) mechanical failure, faulty construction, error in design, latent defect, fire, wear or tear, gradual deterioration, electrical disturbance or electrical surge which affects a Computer System,

(b) failure or breakdown of electronic data processing media, or

(c) error or omission in programming or processing,

. . . .

(bb) (17) loss caused by a director or Employee of the Insured . . . .

Id. at *4, n.3.

Coverage litigation ensued.  The carrier argued that the employee’s breach of company policy caused the loss and thus the loss was excluded.  Specifically, the carrier contended that the malware would not have allowed the hacker to fraudulently transfer the lost money had the bank employee (1) engaged a second employee to perform the original wire transfer, and (2) had not left the computer running overnight with two tokens in it.  Based on Minnesota’s concurrent-causation doctrine, the trial court nevertheless held that the bond covered the loss.  The trial court concluded that “the computer systems fraud was the efficient and proximate cause of [Bellingham’s] loss,” and that “neither the employees’ violations of policies and practices (no matter how numerous), the taking of confidential passwords, nor the failure to update the computer’s antivirus software was the efficient and proximate cause of [Bellingham’s] loss.”  Id. at *6.  The court further held that “it was not then a ‘foreseeable and natural consequence’ that a hacker would make a fraudulent wire transfer. Thus even if those circumstances ‘played an essential role’ in the loss, they were not ‘independent and efficient causes’ of the loss.”  Id. at *6-7.  The carrier appealed and the Eighth Circuit affirmed.

On appeal, the carrier first argued that the concurrent-causation doctrine, which applies to insurance contracts, did not apply to financial institution bonds because a financial institution bond requires the insured to initially show that its loss directly and immediately resulted from dishonest, criminal, or malicious conduct.  Id. at *8.  The Eighth Circuit disagreed, stating that Minnesota courts adhere to the general rule of “treating financial institution bonds as insurance policies and interpreting those bonds in accordance with the principles of insurance law.”  Id. at *9.

The carrier next argued that exclusions 2(bb)(4) and 2(bb)(12) contracted around the concurrent-causation doctrine because those exclusions applied to both direct and “indirect” causation.  Id. at *10.  The Eighth Circuit disagreed.  Although noting that “[p]arties may include ‘anti-concurrent causation’ language in contracts to prevent the application of the concurrent-causation doctrine,” such language must be “clear and specific.”  Id.  The court concluded that, “[a]s a matter of law, the Bond’s reference to ‘indirectly’” was not clear and specific, and was insufficient to circumvent the doctrine.  Id. at *11.

Finally, the carrier argued that even if the district court correctly applied the concurrent-causation doctrine, it erred in concluding that the criminal third party’s fraudulent hacking of the computer system was the overriding, or efficient and proximate, cause of the loss.  At a minimum, the carrier contended, the issue should have been left to the jury.  Id. at *11.  Again, the court disagreed, concluding that the fraudulent wire transfers were not a foreseeable or inevitable result of the employees’ negligence:

We agree with the district court’s conclusion that “the efficient and proximate cause” of the loss in this situation was the illegal transfer of the money and not the employees’ violations of policies and procedures. . . .  an illegal wire transfer is not a “foreseeable and natural consequence” of the bank employees’ failure to follow proper computer security policies, procedures, and protocols.  Even if the employees’ negligent actions “played an essential role” in the loss and those actions created a risk of intrusion into Bellingham’s computer system by a malicious and larcenous virus, the intrusion and the ensuing loss of bank funds was not “certain” or “inevitable.”

Id. at *13-14.  According to the court, “[t]he ‘overriding cause’ of the loss Bellingham suffered remains the criminal activity of a third party.”  Id. at *14.  Therefore, it held that the district court properly granted the bank summary judgment.

This entry was posted in Data Breach Insurance Coverage, Uncategorized.



We have all heard the question “if a tree falls in the forest…,” a philosophical experiment that raises questions of observation, knowledge, and reality. Whether or not the philosopher George Berkeley deserves credit for first raising the question, if still alive, he may have been disappointed in yesterday’s decision, Travelers Indem. Co. of Am. v. Portal Healthcare Solutions, LLC, No. 14-1944 (4th Cir. Apr. 11, 2016). In that case, the trial court had addressed the legal question of “whether materials are published if they are posted on the Internet, but no one reads them?”  As discussed by The Coverage Inkwell in August 2014, the trial court answered the question in the affirmative. Yesterday, the Fourth Circuit affirmed the decision, but never really weighed in on the question. That’s too bad.

The facts of the case are straightforward. The insured Portal Healthcare Solutions (“Portal”) specialized in the electronic safekeeping of medical records for hospitals, clinics, and other medical providers.  Travelers Indem. Co. of Am. v. Portal Healthcare Solutions, LLC, 35 F. Supp. 3d 765, 767-78 (E.D. Va. 2014). A New York putative class action was filed against it, alleging that Portal had failed to safeguard the confidentiality of the medical records of patients at Glen Falls Hospital (“Glen Falls”) by posting them on the Internet and making them publicly accessible through Internet searches. Id. Two patients of Glen Falls discovered the breach when they conducted a Google search for their names and found links that directed them to their Glen Falls medical records. Id.

Travelers issued two policies, each having slightly different language. One covered injury arising from the “electronic publication of material that … gives unreasonable publicity to a person’s private life.” The second covered injury arising from the “electronic publication of material that … discloses information about a person’s private life.”  Id. at 767. The key issue in the trial court was whether making medical records accessible on the Internet constituted a “publication” under the terms of the policies, even if no one had read the information.

Looking to dictionary definitions for the word “publication,” the trial court concluded that the meaning of “publication” includes “to place before the public (as through a mass medium).” Id. at 770. Thus, making the records accessible constituted a “publication.”

Exposing medical records to the online searching of a patient’s name, followed by a click on the first result, at least “potentially or arguably” places those records before the public.  Any member of the public could retrieve the records of a Glen Falls patient, whether he or she was actively seeking those records or searching a patient’s name for other purposes, like a background check.  Because medical records were placed before the public, the Court finds that Portal’s conduct falls within the plain meaning of “publication.”

Id. at 770 (bold added). The trial court summarily rejected the argument that because Portal Healthcare had not intended to release the information, there was no “publication,” stating that “the issue cannot be whether Portal intentionally exposed the records to public viewing since the definition of ‘publication’ does not hinge on the would-be publisher’s intent.” Id.

Importantly, the court also rejected the argument that because no one had read the records, there was no “publication.” In other words, the court took the approach that if a tree falls, of course it makes a sound:

Publication occurs when information is “placed before the public,” not when a member of the public reads the information placed before it.  By Travelers’ logic, a book that is bound and placed on the shelves of Barnes & Noble is not “published” until a customer takes the book off the shelf and reads it.  Travelers’ understanding of the term “publication” does not comport with the term’s plain meaning, and the medical records were published the moment they became accessible to the public via an online search.

Id. at 771.

On appeal, the Fourth Circuit “commended” the trial court for its “sound legal analysis,” but did not add more, including on the scope of the term “publication.” Noting that Virginia is an “eight corners rule” state and that the duty to defend is broader than the duty to indemnify, the appellate court referred to the trial court’s conclusion that “the class-action complaint ‘at least potentially or arguably’ alleges a ‘publication’ of private medical information by Portal that constitutes conduct covered under the Policies.” (Slip Op. at 6.) Thus, the trial court reasoned, the release of information on the Internet, if proven, “would have given ‘unreasonable publicity to, and disclose[d] information about, patients’ private lives,’ because any member of the public with an internet connection could have viewed the plaintiffs’ private medical records during the time the records were available online.” (Id.) Under the broad scope of the duty to defend, the Fourth Circuit could not disagree:

Put succinctly, we agree with the Opinion that Travelers has a duty to defend Portal against the class-action complaint.  Given the eight corners of the pertinent documents, Travelers’s efforts to parse alternative dictionary definitions do not absolve it of the duty to defend Portal.  [Citation omitted.]   See Seals v. Erie Ins. Exch., 674 S.E.2d 860, 862 (Va. 2009) (observing that the courts “have been consistent in construing the language of [insurance] policies, where there is doubt as to their meaning, in favor of that interpretation which grants coverage, rather than that which withholds it” (quoting St. Paul Fire & Marine Ins. Co., 316 S.E.2d at 736)).

(Id. at 6-7.)

What this case means.  Two years ago, I noted that this was a difficult case for an insurer to win.  It was undisputed that the records were available on the Internet.  Typically, when determining whether an underlying complaint alleges a “publication,” many courts look to dictionary definitions, which define the term to mean distribution to the public at large.  That is what the trial court did here, and the Fourth Circuit agreed.  Typically, the question of whether the material at issue was read is not asked or addressed.

The trial court rejected the contention that if material is not read, it is not published.  In doing so, the court used a persuasive analogy of an untouched book on a shelf.  The Fourth Circuit appeared to have no interest in delving into that question, at least in the context of the duty to defend.  That is too bad because the argument does raise interesting issues, not the least of which is whether a “publication” is just the release of information or also the consumption of it.

This entry was posted in Data Breach Insurance Coverage, Privacy Rights.



Last week, the United States District Court for the Southern District of Texas held that an Electronic Data and Distribution of Material in Violation of Statutes exclusion, a variant of the Telephone Consumer Protection Act (“TCPA”) exclusion, did not prohibit coverage for an insured’s wrongful, online publication of genetic data in violation of a statute.  Evanston Ins. Co. v. Gene By Gene, Ltd., 2016 WL 102294 (S.D. Texas, Jan. 6, 2016).  In so holding, the court construed the exclusion to address solely intrusion upon seclusion claims.  The facts of the case are straightforward.

The insured, Gene by Gene Ltd. (“GBG”), owned and operated a genealogy website whereby users of the site were offered the opportunity to take DNA tests and then use their genetic information from the tests to learn more about their ancestry and connect with other users whose results matched their own results in varying degrees.  Gene By Gene, 2016 WL 102294 at *1.  An underlying plaintiff sued GBG in Alaska federal court, alleging that GBG improperly published his DNA test results on its website without his consent and in violation of Alaska’s Genetic Privacy Act.  Id.  The Genetic Privacy Act prohibits disclosure of a person’s DNA analysis without written and informed consent.  See AS §18.13.010.

GBG tendered its defense to its insurer, which issued four professional liability policies providing coverage for “personal injury,” defined therein as injury arising out of “oral or written publication of material that violates a person’s right of privacy.”  Id. at *1, *3.  The insurer, however, denied coverage based on an “Electronic Data and Distribution of Material in Violation of Statutes” exclusion.  Id. at *1.  Coverage litigation ensued and GBG moved for summary judgment.

GBG contended that defense coverage existed because the underlying action alleged injury that arises out of the written publication of material that violates a person’s right of privacy.  The insurer contended that the Distribution of Material exclusion applied because the exclusion prohibited coverage for violation of “any other statute, law, rule, ordinance, or regulation that prohibits or limits the sending, transmitting, communication or distribution of information or other material.”  Id. at *2.  Specifically, the insurer argued that the exclusion applied because the underlying action was brought pursuant to a statute (the Genetic Privacy Act), which prohibits the transmission, communication, or distribution of information or other material, namely, the public disclosure of a person’s DNA analysis on Gene by Gene’s website.  Id. at *4.  The court held that the underlying action alleged “personal injury” because the action asserted “the publication of material—the DNA analysis—that allegedly violates a person’s right to privacy.”  Id. at *3.  It then held that the Distribution of Material exclusion did not apply.

The court concluded that the insurer’s reading of the exclusion was too broad and would render the policies’ advertising injury and personal injury coverage illusory.  Id. at *4-5.  The exclusion prohibited both statutory and common law violations.  Because both advertising injury (libel and defamation) and personal injury (invasion of privacy) inherently involved communications in violation of law, the court reasoned that, under the insurer’s reading of the Distribution of Material exclusion, the exclusion would preclude coverage for all instances of advertising injury and personal injury.  Id. at *5.  The court further noted that in some states, such as Texas, “traditional defamation” injuries, like libel and disparagement of goods and services, are regulated by statute.  Id.  The court concluded that the exclusion was not intended to preclude such claims.

Yet, perhaps most compelling to the court was its conclusion that the intent and protected interests behind the Distribution of Material exclusion and the Genetic Privacy Act differed.  The court held that the Distribution of Material exclusion, another variant of the TCPA exclusion, was intended to address intrusion upon seclusion claims, a protection that was not contemplated by the Genetic Privacy Act:

The Genetic Privacy Act does not concern unsolicited communication to consumers, but instead regulates the disclosure of a person’s DNA analysis.  The facts upon which the claim is based deal solely with Gene by Gene’s alleged improper disclosure of DNA test results on its public website and to third-parties.  The facts alleged in the complaint do not address the type of unsolicited seclusion invasion contemplated by the Exclusion.  Accordingly, the Underlying Lawsuit is not excluded from Gene by Gene’s policy coverage.  [Emphasis added.]

Id. at *6.  Because of this mismatch, the exclusion did not apply.

What this case means.  This case is interesting because it addresses a new twist on the TCPA exclusions.  Are cybersecurity claims next?  Some might herald this decision as a defeat for insurers and a scaling back of the exclusion.  My thought – not really.  The court construed the exclusion to address solely intrusion upon seclusion claims, which is not that remarkable – although, maybe unwarranted.  Yet, it is important to remember that by including violations of mere “law” within its scope, the form of the exclusion at issue was very broad – indeed, broader than many variants of the TCPA exclusion.  That distinction was not lost on the court, which believed (and perhaps rightly so) that the fundamental logic for applying the exclusion in the case before it would have eviscerated coverage under the policy’s “advertising injury and personal injury” insuring agreement.  The court also recognized a potential mismatch between the exclusion and the Genetic Privacy Act.  It’s an interesting observation.  However, by then, the Court already had made its decision.

This entry was posted in Data Breach Insurance Coverage, Privacy Rights.



This week, the United States Court of Appeals affirmed Big 5 Sporting Goods Corporation, a case in which the trial court had held that “personal and advertising injury” coverage did not exist for violation of California’s Song-Beverly Act, even where common law allegations of invasion of privacy were alleged in connection with the unlawful collection of ZIP Codes.  See Big 5 Sporting Goods Corporation v. Zurich American Ins. Co., No. 13-6249 (9th Cir. Dec. 7, 2015), affirming Big 5 Sporting Goods Corporation v. Zurich American Ins. Co., 957 F. Supp. 2d 1135 (C.D. Cal. 2013). 

In Big 5, the insured was sued in multiple underlying class action lawsuits alleging invasion of privacy and violation of the Song-Beverly Act from the practice of requesting ZIP Code information during credit card transactions.  See Big 5 Sporting Goods, 957 F. Supp. 2d at 1138.  Some of the class actions alleged both violation of the Song-Beverly Act as well as common law negligence and invasion of privacy claims.  Id.  The insured sought coverage under “personal and advertising injury,” defined in part as injury arising out of “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy.”  Id. at 1140. 

The insurers argued that defense and indemnity coverage for the underlying actions was barred by statutory violation exclusions, one of which barred coverage for “personal and advertising injury” “arising directly or indirectly out of” any act or omission that violates or is alleged to violate:

c. Any statute, ordinance or regulation, other than the TCPA or CAN–SPAM Act of 2003, that prohibits or limits the sending, transmitting, communicating or distribution of material or information. 

Id. at 1149.  The trial court agreed, and now, the Ninth Circuit has affirmed.

Perhaps the most significant component of the Ninth Circuit’s decision was that the allegations of common law claims, which were not accounted for in the statutory violation exclusion, nevertheless did not preclude application of the exclusion because the factual allegations did not assert actionable causes of action. 

Specifically, the insured argued that because some of the lawsuits alleged common law claims for invasion of privacy, for purposes of the duty to defend, the statutory violation exclusion could not apply.  Big 5, slip op., at 4.  The Ninth Circuit disagreed.  Holding that because “California does not recognize any common law or constitutional privacy causes of action for requesting, sending, transmitting, communicating, distributing, or commercially using ZIP Codes,” the Court concluded that the only possible claim for recovery was for penalties, not damages, under the Song-Beverly Act.  Id. at 45, citing Fogelstrom v. Lamps Plus, Inc., 195 Cal. App. 4th 986, 992 (2d Dist. 2011).  In Fogelstrom, the California Court of Appeal held that requesting ZIP Codes during credit card transactions does not assert an actionable claim for invasion of privacy, concluding that the action of “obtaining plaintiff’s address without his knowledge or permission, and using it to mail him coupons and other advertisements … is not an egregious breach of social norms, but routine commercial behavior.”  Fogelstrom, 195 Cal. App. 4th at 992. 

The Ninth Circuit also rejected the insured’s argument that the invasion of privacy and negligence claims were merely frivolous, and thus could not be discounted for purposes of the duty to defend because an insurance carrier has the duty to defend both meritorious and frivolous claims.  The Ninth Circuit distinguished frivolous claims from those that are not actionable, explaining that the privacy claims did not merely lack merit, they were not recognized under the law:

Under settled California law, they are not even recognized as cognizable causes of action, a status one step below “unmeritorious.”  Allowing Big 5’s fact pattern to rise to the level of a claim would require an insurance company to insure and defend against non-existent risks.

Id. at 6. 

Borrowing from Shakespeare, the Court similarly dispensed with the underlying negligence claims as mere “artful” pleading that could not circumvent an unambiguous policy exclusion:

Big 5’s negligence theory fares no better.  Just as a rose by another name is still a rose, so a ZIP Code case under any other label remains a ZIP Code case.  See Swain v. Cal. Cas. Ins. Co., 99 Cal. App. 4th 1, 8-9 (2002) (“A general boilerplate pleading of ‘negligence’ adds nothing to a complaint otherwise devoid of facts giving rise to a potential for covered liability.”).  As the district court recognized, the California Court of Appeal has discouraged the “artful drafting” of alleging superfluous negligence claims, saying to allow such a practice would inappropriately “erase exclusions in any policy.”  Fire Ins. Exch. v. Jimenez, 184 Cal. App. 3d 437, 443 n.2 (1986).


What does this case mean?  Like the Third Circuit in Urban Outfitters (also discussed in The Coverage Inkwell), a second United States Court of Appeals now has held that “personal and advertising injury” coverage does not exist for underlying allegations of unlawful ZIP Code collection.  A unique aspect to this decision, however, is that where an underlying action alleges a cause of action that is not recognized under the law, that cause of action cannot be used to implicate a duty to defend.

This entry was posted in Privacy Rights.



In OneBeacon Amer. Ins. Co. v. Urban Outfitters, 2015 WL 5333845 (3d. Cir. Sept. 15, 2015), the United States Court of Appeals for the Third Circuit held that three underlying class action lawsuits filed against Urban Outfitters and Anthropologie, Inc. did not allege “personal and advertising injury.”  The Third Circuit held that for Coverage B “oral or written publication, in any manner, of material that violates a person’s right of privacy,” (1) “privacy” refers only to the right of secrecy, not the right of seclusion; (2) “publication” requires dissemination of information to the public at large; and (3) “in any manner” does not modify or change the meaning of “publication” to a lesser standard.

In the spirit of full disclosure, I represented OneBeacon America in the litigation with my colleagues at White and Williams LLP.  The facts of the matter are straightforward.

Urban Outfitters and Anthropologie (collectively, “Urban Outfitters”) were sued in three separate class actions filed in California, Massachusetts, and the District of Columbia.  (The California class action was actually a consolidation of multiple class actions.)  In each action, plaintiffs alleged that Urban Outfitters wrongfully collected and used consumers’ ZIP codes and other data for marketing and purchase-tracking in violation of state statutes and privacy rights.  Urban Outfitters sought defense coverage for each lawsuit under “personal and advertising injury,” defined in part as “oral or written publication, in any manner, of material that violates a person’s right of privacy.”

In the first lawsuit, Hancock, the underlying complaint alleged that Urban Outfitters unlawfully collected consumers’ ZIP code information during credit card transactions in violation of District of Columbia statute.  Id. at *1.  By obtaining the consumers’ ZIP codes, Urban Outfitters was then able to obtain the consumers’ home and business addresses to use for marketing.  Id.  Urban Outfitters contended the exchange of data between the retailer and the consumers constituted a “publication” for purposes of “personal and advertising injury” coverage.  The Third Circuit disagreed and accepted the insurers’ arguments that “‘publication’ requires dissemination to the public.”  Id. at *2.  The court rejected the contention that the failure to define the term “publication” in the policy made the term ambiguous:

Although neither the policies nor the Pennsylvania Supreme Court have defined “publication,” that does not render the term ambiguous.  Rather, “[w]ords of common usage in an insurance policy are to be construed in their natural, plain, and ordinary sense, and we may inform our understanding of these terms by considering their dictionary definitions.”  Madison Constr. Co. v. Harleysville Mut. Ins. Co., 735 A.2d 100, 106 (Pa. 1999).  The District Court cited three separate dictionary definitions of “publication,” all of which support the conclusion that “publication” requires dissemination to the public. [Emphasis added.]


Significantly, the Court also rejected the contention that the phrase “in any manner” changed the meaning of “publication”:

The fact that the policies specify that “publication” may be made “in any manner” does not alter the analysis; as the Eleventh Circuit correctly noted, the phrase “in any manner” “merely expands the categories of publication (such as e-mail, handwritten letters, and, perhaps, ‘blast-faxes’) covered by the [p]olicy,” but “cannot change the plain meaning of the underlying term ‘publication.’”  Creative Hosp. Ventures, Inc. v. U.S. Liab. Ins. Co., 444 F. App’x 370, 375 (11th Cir. 2011).  [Emphasis added.]


In the second lawsuit, Miller, the underlying complaint alleged that Urban Outfitters unlawfully collected consumers’ ZIP code information to use for marketing purposes, including to send unsolicited promotional materials and “junk mail.”  Id. at *3.  Noting that the Pennsylvania Superior Court has recognized that the privacy right contemplated in “personal and advertising injury” is the right to secrecy, not the right to seclusion, the Third Circuit concluded that Miller did not allege a violation of a person’s “right of privacy.”  Importantly, in reaching its conclusion, the Third Circuit rejected the contention that the consumers had a right of privacy in their ZIP codes, or that the lawsuit alleged violation of consumers’ rights to keep their addresses secret from the retailers:

[T]he factual allegations of the Miller complaint evince a concern with seclusion, and not secrecy. The complaint asserts that plaintiffs “have suffered an injury as a result of Defendant’s unlawful conduct by receiving unsolicited marketing and promotional materials, or ‘junk mail,’ from Defendant.” [Record citation omitted.] Although the complaint asserts that Urban Outfitters did collect plaintiffs’ ZIP code information, that information was collected allegedly “to identify the customer’s address and/or telephone number … to send unsolicited marketing and promotional materials.” . . .  Put simply, the complaint does not assert harms based on the plaintiffs’ interests in keeping their ZIP codes secret. Accordingly, it does not allege publication of material that violates a person’s “right to privacy” under the policies . . . .

Id.  at *4.

For the final lawsuit, Dremak, the Court held that the Recording and Distribution of Material or Information In Violation of Law exclusion barred coverage, because the lawsuit was brought under California’s Song-Beverly Credit Card Act.  Id. at *3. The lawsuit originally had alleged common law claims, but those causes of action were dismissed without prejudice while the coverage litigation was pending in the Pennsylvania federal district court.  Urban Outfitters argued that the dismissal of those claims was not dispositive because the factual allegations supporting the common law claims remained in the complaint, and Pennsylvania law required that the factual allegations, not the causes of action, determine an insurer’s duty to defend.  Id.  The Court rejected the argument because the same alleged facts that gave rise to the common law claims also alleged the statutory violations.

[T]he Court looked to the factual allegations of the complaint in determining that the complaint alleged “action[s] or omission[s]” that were alleged to violate the Song–Beverly Credit Card Act.  The fact that those same “action[s] or omission[s]” were also alleged to give rise to common law claims (claims that were dismissed) is irrelevant to the analysis.  [Emphasis added.]


What does this case mean?  This decision is a significant one.  It is one of only a few appellate-level decisions holding that (1) “publication” requires dissemination to the public at large, and (2) “right of privacy” means the right of secrecy, not the right of seclusion.  The decision is only the second to address and debunk the myth that the phrase “in any manner” changes the meaning of “publication” in Coverage B.

This entry was posted in Privacy Rights.