Court Holds No Insurance Coverage for Phishing Scam



Yesterday, a federal court held that a company’s financial losses for mis-wiring funds as a result of a phishing scam were not covered under a computer crime insurance policy. The decision, American Tooling Ctr. v. Travelers Cas. & Sur. Co. of Am., No. 16-12108 (E.D. Mich. Aug. 1, 2017) is another case in which financial losses resulting from a phishing scam were held to be unrecoverable under insurance.

In that case, the insured, American Tooling Center (“ATC”), was a tool and die manufacturer that outsourced some of its work to other die manufacturing companies overseas, including a vendor called Shanghai YiFeng Automotive Die Manufacture Co., Ltd. (“YiFeng”). As part of its normal business practice, ATC issued purchase orders to YiFeng, which in turn manufactured the requested dies. ATC paid YiFeng in stages based upon completion of certain milestones. To receive payment, YiFeng submitted its invoices to ATC by email. Once ATC verified that the milestone had been met, it wired the appropriate payment to YiFeng. Id. at 2.

In March 2015, ATC’s Vice President/Treasurer emailed his contact at YiFeng, requesting copies of all outstanding invoices. In response, the ATC officer received an email purportedly from YiFeng, but which really was a spoofed email from a third party. (The third party made the email appear to be from YiFeng by using the look-alike domain “yifeng-rnould” rather than the correct domain “yifeng-mould.com”; the letters “rn” pass for an “m” at a glance.) Id. The third party, pretending to be from YiFeng, instructed ATC to send payments for several legitimate outstanding invoices to a new bank account. Without verifying these new instructions, ATC wire transferred approximately $800,000 to a bank account that was not controlled by YiFeng. When the fraud was detected, the money was gone. Id. at 3.

ATC sought recovery under its computer crime policy.  The policy provided that “The Company will pay the Insured for the Insured’s direct loss of, or direct loss from damage to, Money, Securities and Other Property directly caused by Computer Fraud.” The policy defined “Computer Fraud” as:

The use of any computer to fraudulently cause a transfer of Money, Securities or Other Property from inside the Premises or Financial Institution Premises:

  1. to a person (other than a Messenger) outside the Premises or Financial Institution Premises; or

  2. to a place outside the Premises or Financial Institution Premises.

Id. at 3.  The carrier argued that coverage did not exist because there was no “direct loss” that was “directly caused by the use of a computer,” as required by the policy.  Id.

Noting that the Sixth Circuit, applying Michigan law, previously had held that the term “direct” means “immediate” and without intervening acts, the American Tooling court concluded that there was no direct loss directly caused by a computer to implicate coverage.  Simply put: there were too many intervening acts between the phishing email and the transfer of money to satisfy the insuring language of the policy. Id. at 5 (citing Manufacturing & Technologies Ass’n v. Hartford Fire Ins. Co., 693 F.3d 665, 673 (6th Cir. 2012)). The court stated that the “intervening events between ATC’s receipt of the fraudulent emails and the transfer of funds (ATC verified production milestones, authorized the transfers, and initiated the transfers without verifying bank account information) preclude a finding of ‘direct’ loss ‘directly caused’ by the use of any computer.”  Id.

Agreeing with the reasoning of the Fifth Circuit in Apache Corp. v. Great American Ins. Co., 662 Fed. App’x 252 (5th Cir. 2016) (written about in The Coverage Inkwell in October 2016), the American Tooling court stated that “the mere sending/receipt of fraudulent emails did not constitute ‘the use of any computer to fraudulently cause a transfer.’” Id. at 6. The court explained:

Although fraudulent emails were used to impersonate a vendor and dupe ATC into making a transfer of funds, such emails do not constitute the “use of any computer to fraudulently cause a transfer.” There was no infiltration or “hacking” of ATC’s computer system. The emails themselves did not directly cause the transfer of funds; rather, ATC authorized the transfer based upon the information received in the emails.

Further, because of the widespread use of computers as a means of communication, the court, like the Fifth and Ninth Circuits, feared that to allow the email to implicate coverage for computer fraud would transform the “computer fraud” coverage into coverage for any fraud: “Because computers are used in almost every business transaction, reading this provision to cover all transfers that involve both a computer and fraud at some point in the transaction would convert this Crime Policy into a ‘General Fraud’ Policy.” Id. at 7 (quoting Apache and Pestmaster Servs., Inc. v. Travelers Cas. & Sur. Co. of Am., 656 Fed. App’x 332 (9th Cir. 2016)).

This case shows that to implicate computer fraud coverage, the computer must be a critical instrumentality of the fraud, and not merely incidental to it. The case also highlights the costs of phishing attacks. According to a May 4, 2017 FBI Bulletin, between October 2013 and December 2016, American businesses saw losses from phishing scams approach $1.6 billion: $500 million every year, with dollar figures climbing sharply, up 2370% between January 2015 and December 2016. Companies must implement appropriate cybersecurity measures, including employee training, to prevent such loss. A small investment in appropriate cybersecurity processes today can save your company hundreds of thousands or millions of dollars tomorrow.


PA Court: Employers Have No Duty To Protect Employee PI



In Dittman v. UPMC d/b/a The University of Pittsburgh Medical Center, 2017 PA Super. 8 (Jan. 12, 2017), the Superior Court of Pennsylvania held that an employer does not owe employees a duty to protect and safeguard personal and financial information from disclosure in a data breach resulting from an intrusion into its computer network. While Dittman represents an important decision in emerging case law that declines to impose upon employers a common-law duty to protect employee information, the decision has important limitations. Those limitations may be exploited in future employment litigation, and they further illustrate the need for companies to adequately review their cybersecurity protocols with the assistance of cyber counsel.

The facts of Dittman are straightforward. In 2014, University of Pittsburgh Medical Center (UPMC) suffered a data breach that compromised the personal and financial information of approximately 62,000 current and former employees. Dittman, slip op. at 1-2. The stolen information included employees’ names, birth dates, social security numbers, tax information, addresses, salaries, and bank information. The information later was used to file fraudulent tax returns to steal the tax refunds. Id. at 2. Soon after UPMC announced the breach, two separate class action lawsuits were filed against the company. One lawsuit was comprised of current and former UPMC employees who had been victimized by identity theft; the other lawsuit involved current and former UPMC employees who had not been victims of identity theft, and instead alleged that they were at an increased risk of identity theft as a result of the data breach. Id. at 3.

Both lawsuits claimed that UPMC improperly failed to keep plaintiffs’ information safe and prevent vulnerabilities in its computer system, including the failure to properly encrypt data, establish adequate firewalls, and implement adequate authentication protocols to protect the information on its network. Id. at 2-3. They asserted two causes of action, one based on negligence and a common-law duty to protect the information; the second in breach of contract. Id. The trial court dismissed both lawsuits on the grounds that no contract or implied contract existed between UPMC and its employees to support a breach of contract claim, and that no common-law duty existed under tort law to impose upon UPMC (or other employers) a duty to safeguard data of its employees. Id. at 4-5. In so holding, the court explicitly declined to create such a duty, deferring to the state legislature instead of what it saw as a request of the judiciary to overreach by creating a duty. Id. On appeal, the Superior Court of Pennsylvania affirmed. This article focuses upon the court’s declination to create a common-law duty.

Under Pennsylvania law, whether a duty of care exists between parties to support a claim in tort depends upon an evaluation of five factors, sometimes known as the Althaus test. Those factors are:

(1) the relationship between the parties;

(2) the social utility of the actor’s conduct;

(3) the nature of the risk imposed and foreseeability of the harm incurred;

(4) the consequences of imposing a duty upon the actor; and

(5) the overall public interest in the proposed solution.

Id. at 6 (citing Althaus ex. rel. Althaus v. Cohen, 756 A.2d 1166, 1169 (Pa. 2000)).

Courts impose a common law duty upon a party “where the balance of these factors weighs in favor of placing such a burden on a defendant.” Id. (quoting Phillips v. Cricket Lighters, 841 A.2d 1000, 1008 (Pa. 2003)). In Dittman, the court held that these factors did not support the imposition of a common-law duty upon UPMC.

The first factor, the relationship of the parties, weighed in favor of imposing a duty. An employer-employee relationship existed between the parties, and the court recognized that the law imposed other duties of the parties based on the existence of the relationship. Id. at 7. This was the only factor that the court found weighed in favor of a common-law duty.

Under the Althaus test, the second factor, the social utility of the actor’s conduct, is weighed against the third factor, the nature of the risk imposed and foreseeability of the harm incurred. Here, weighing both factors together, the court found that they did not support imposition of a common-law duty. Id. at 7. On the one hand, the court recognized the “obvious need [of employers] to collect and store personal information about their employees,” as well as the foreseeability of harm from data breaches, which are becoming more commonplace. Id. However, the fact that the data breach had been caused by a third-party hacker was dispositive of how these factors weighed. Under Pennsylvania law, the criminal acts of a third-party actor are a superseding cause. Id. (citing Ford v. Jeffries, 379 A.2d 111, 115 (Pa. 1977)). “It is well established that a defendant does not have a duty to guard against the criminal acts of superseding third-parties unless he realized, or should have realized, the likelihood of such a situation.” Id. at 7-8 (citation omitted); see also In re: The Home Depot, Inc. Customer Data Security Breach Litig., 2016 WL 2897520 (N.D. Ga. May 18, 2016) (independent duty to protect customer information where the company knew of substantial security risks dating back several years). Here, because the data breach was caused by a third party, and because there was no indication that UPMC knew about a specific threat or security flaw in its computer network, the foreseeability of a data breach did not support imposition of a duty upon UPMC:

While a data breach (and its ensuing harm) is generally foreseeable, we do not believe that this possibility outweighs the social utility of electronically storing employee information . . . . Although breaches of electronically stored data are a potential risk, this generalized risk does not outweigh the social utility of maintaining electronically stored information. We note here that Appellants do not allege that UPMC encountered a specific threat of intrusion into its computer systems.

Id. at 8.

The court held that the fourth factor, which examines the consequences of imposing a common-law duty upon the defendant, also weighed against imposing a duty. The court reasoned that given that data breaches are “widespread,” and that no “safe harbor” existed for the storage of confidential information, “[n]o judicially created duty of care is needed to incentivize companies to protect their confidential information.” Id. at 9. In other words, given the costs of responding to a data breach, the potential liability that already existed from regulatory law enforcement actions and lawsuits, as well as harm in the marketplace caused by data breaches, there was no need to motivate employers to protect their employees’ information. The court explained:

We find it unnecessary to require employers to incur potentially significant costs to increase security measures when there is no true way to prevent data breaches altogether. Employers strive to run their businesses efficiently and they have an incentive to protect employee information and prevent these types of occurrences. As the trial court correctly found, the fourth factor weighs in favor of not imposing a duty.

Id. at 9-10.

The Dittman court held that the fifth factor, which examines “the overall public interest” in imposing a duty, also weighed against creating one. Agreeing with the trial court, the appellate court stated that imposing a common-law duty on employers to safeguard employee information would greatly expend and strain limited judicial resources. Id. at 10. The court found that creating a unilateral, judicially imposed duty in lieu of the legislative branch also would overstep its authority. Id. Quoting the trial court, the court stated:

The General Assembly has considered and continues to consider the same issues that [Appellants] are requesting [the] court to consider under the Seebold/Althaus line of cases. The only duty that the General Assembly has chosen to impose as of today is notification of a data breach. It is not for the courts to alter the direction of the General Assembly because public policy is a matter for the Legislature.

Id. 

Finally, the Dittman court held that plaintiffs’ negligence claim was barred by the economic loss doctrine; although, admittedly, the court’s decision rested upon its analysis of the Althaus test. Under the economic loss doctrine, “no cause of action exists for negligence that results solely in economic damages unaccompanied by physical injury or property damage.” Id. at 11. Under Bilt-Rite Contractors, Inc. v. The Architectural Studio, 866 A.2d 270, 274 (Pa. 2005), an exception to the economic loss doctrine exists where the economic harm was caused by a breach of a duty imposed by law. “Without a duty imposed by law or a legally recognized special relationship,” the economic loss doctrine bars recovery for purely economic losses. Id. at 10-11. Here, because the Althaus test weighed against imposing a duty upon UPMC to protect and safeguard its employees’ personal and financial information, and the court expressly declined to create such a duty, no exception to the economic loss doctrine existed to permit recovery. Id. at 12.

Despite the appellate court’s unwillingness to impose a common-law duty on employers to safeguard employee information, the citation in the majority opinion to the Home Depot data breach litigation may signal an important limit to that reluctance. See id. at 8 n.4 (citing In re Home Depot, Inc. Customer Data Security Breach Litig., 2016 U.S. Dist. LEXIS 65111 (N.D. Ga. May 18, 2016)).

In Home Depot, the Georgia federal court refused to dismiss a putative class action lawsuit of financial institutions where Home Depot allegedly had been warned repeatedly of its cybersecurity vulnerabilities and took no action to remedy them prior to the data breach at issue. Home Depot, 2016 U.S. Dist. LEXIS 65111 at *22-24. Those warnings included reports from IT of security concerns, third-party vendors warning about the company’s failure to encrypt customer data, an understaffed IT group, and events of prior data security incidents on its network.  Id. at *22. The federal court held that, given the prior warnings Home Depot had received, a duty of care did exist to protect consumer information, thereby barring application of the economic loss doctrine. Id. at *29 (“A retailer’s actions and inactions, such as disabling security features and ignoring warning signs of a data breach, are sufficient to show that the retailer caused foreseeable harm to a plaintiff and therefore owed a duty in tort.”). The court reasoned that to hold otherwise would incentivize companies to “turn a blind eye” toward cyber risks and the protection of data:

The Court declines the Defendant’s invitation to hold that it had no legal duty to safeguard information even though it had warnings that its data security was inadequate and failed to heed them. To hold that no such duty existed would allow retailers to use outdated security measures and turn a blind eye to the ever-increasing risk of cyber attacks, leaving consumers with no recourse to recover damages even though the retailer was in a superior position to safeguard the public from such a risk.

Id. at *29-30.

In Dittman, the Pennsylvania appellate court specifically noted that there were no allegations of prior warning that might have shifted the level of UPMC’s duty of care. Dittman, slip op. at 8-9. Had UPMC received prior warning of vulnerabilities in its network that later were exploited, or if evidence suggested that UPMC had disregarded cyber risks and had ignored the issue, the Dittman court could have very well found an exception to the economic loss doctrine to permit the lawsuits to proceed. In fact, Justice Stabile in his concurring opinion made this sentiment clear, stating “[h]ad UPMC been on notice of factual or potential security breaches of its systems, or reasonably should have anticipated that the negligent handling of confidential information would have left it vulnerable to criminal activity, a different conclusion may have been reached under the factors of the Althaus test.” (Stabile, J., concurring, slip op. at 2.)

With this one observation by the appellate court, Pennsylvania companies can expect future lawsuits to plead accordingly. In addition, some of the alleged lax cybersecurity protocols against UPMC are steps required by NIST’s voluntary Cybersecurity Framework. The expectation of companies to follow this framework as evidence of a reasonable standard of care is increasing. Thus, the full effect of the Dittman decision may be more limited than first thought. The best way to mitigate loss from a cybersecurity event is to prepare for one. Such precautions also may be the best defense for an employer seeking refuge under Dittman in claims brought by its employees.


TCPA Claims Excluded by “Unsolicited Communications” Endorsement



Yesterday, the Missouri federal court in Travelers Indem. Co. v. Max Margulis & Surrey Vacation Resorts, 2016 U.S. Dist. LEXIS 173420 (E.D. Mo. Dec. 15, 2016), held that coverage for an underlying Telephone Consumer Protection Act (“TCPA”) lawsuit over “robo” calls to cell phones was precluded by the “unsolicited communications” endorsement. Because this endorsement is being used more often, and because it does not receive as much fanfare as its sister exclusion for “Distribution of Material,” I decided to write about it here in The Coverage Inkwell.

The insured, Surrey Vacation Resorts, Inc., d/b/a Grand Crowne Resorts (“Surrey”), was sued by a plaintiff over an alleged unsolicited June 18, 2013 call to his cell phone, made through use of an automated telephone dialing system and without his prior consent. Id. at *1. Plaintiff filed suit under the TCPA, alleging that he “incurred ‘damages’ due to receipt of one telephone call from Surrey on June 18, 2013, which he did not specifically request to receive.” Id. at *6. The TCPA makes it unlawful “to make any call (other than a call made for emergency purposes or made with the prior express consent of the called party) using any automatic telephone dialing system…to any telephone number assigned to a paging service, cellular telephone service, specialized mobile radio service, or other radio common carrier service, or any service for which the called party is charged for the call….” Id. at *8. Travelers defended the insured under a reservation of rights and commenced coverage litigation. Id. at *1.

In the coverage action, the United States District Court for the Eastern District of Missouri determined that Travelers had no duty to defend. First, it noted that many of the policies at issue had incepted and expired prior to the June 18, 2013 call, and therefore, as a matter of law, there could be no coverage under them. Id. at *6. (You would think this conclusion is a no-brainer, but you’d be surprised what some policyholders argue.)

Next, the court further held that there was no coverage under an “unsolicited communications” endorsement, which prohibited coverage for “injury or damage arising out of any actual or alleged violation of any law restricting or prohibiting the sending, transmitting, or distribution of ‘unsolicited communication’.”  Id. at *6.  The policies defined “unsolicited communications” as “any form of communication, including but not limited to facsimile, electronic mail, posted mail or telephone, in which the recipient has not specifically requested the communication.”  Id. at *6-7.  The court held that the underlying lawsuit fell squarely within the exclusion: because the TCPA prohibits unsolicited “robo” calls without prior consent, the statute “restricts or prohibits the sending, transmitting or distributing of ‘unsolicited communication’ as the phrase appears in the ‘Unsolicited Communications’ Endorsements.”  Id. at *8.

What this case means: This is a straightforward case. What I found interesting is that the decision highlighted and discussed, albeit without much analysis, the unsolicited communications exclusion, an exclusion that may be added to a policy by endorsement to preclude coverage for the bombardment of unsolicited communications we receive by fax, email, cell phone, and landline every day.


5TH CIRCUIT HOLDS THAT PHISHING SCAM DOES NOT IMPLICATE COMPUTER FRAUD COVERAGE



In Apache Corp. v. Great American Ins. Co., 2016 U.S. App. LEXIS 18748 (5th Cir. Oct. 18, 2016), the United States Court of Appeals for the Fifth Circuit held that loss from a phishing scam, which led to misdirected payments in the amount of $7 million, was not covered under a policy’s computer fraud coverage.  Although the fraudulent scheme was initiated through emails, the court held that the emails were too incidental to classify the insured’s subsequent loss as one “resulting directly from the use of any computer to fraudulently cause a transfer of that property.”

The facts of the case are straightforward and serve as a good illustration of why every company should follow double-verification practices as a preventive measure against cyber fraud. In the case, the insured, Apache Corporation, was an oil-production company. An employee in Scotland received a telephone call from a person identifying herself as a representative of Petrofac, an Apache vendor. The caller instructed Apache to change the bank-account information for payments Apache made to Petrofac. The Apache employee replied that the change-request could not be processed without a formal request on Petrofac letterhead. Id. at *2.

A week later, Apache’s accounts-payable department received an email from a “petrofacltd.com” address. (Petrofac’s real email domain name was “petrofac.com.”) The fraudulent email sent from the “petrofacltd.com” address advised Apache that Petrofac’s “accounts details have now been changed”; and “[t]he new account takes . . . immediate effect and all future payments must now be made into this account.” Attached to the email was a signed letter on Petrofac letterhead providing both Petrofac’s old bank-account information and the new bank-account information, along with instructions to use the new account immediately. Id. at *2-3. Apache took the bait. In response to the email and attached letter, an Apache employee called the telephone number provided on the letter to verify the request and concluded that the change-request was authentic. Id. at *3. A different Apache employee approved and implemented the change-request, and a week later, Apache began transferring funds for payment of Petrofac’s invoices to the new bank account. Id. Uh oh.
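Both spoofs described on this page, the “yifeng-rnould” domain in the American Tooling post above and the “petrofacltd.com” domain here, are the kind of look-alike a mailbox-side check can catch before a bank-change request reaches accounts payable. The following is an added example of such a check, not code from the posts or from any of the parties; the vendor allowlist, the padding-token list and the sample sender addresses are constructed for illustration, and the triage rule encodes the court’s own observation that confirmation should go to a contact on file, not to the number in the message.

```python
"""Flag sender domains that imitate an approved vendor's domain.

Added example (not from the posts or the companies involved). Two patterns
from the cases are handled: a homoglyph swap ("rn" read as "m", as in
yifeng-rnould vs yifeng-mould.com) and a padded registrant (petrofacltd.com
vs petrofac.com). The allowlist and samples below are constructed.
"""
from __future__ import annotations

import re

# Constructed allowlist of approved vendor sender domains (assumption).
KNOWN_VENDOR_DOMAINS = {"yifeng-mould.com", "petrofac.com"}

# Visually confusable sequences; multi-character keys are matched first so
# "rn" is rewritten as "m" before any single-character rule could split it.
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s"}
_CONFUSABLE_RE = re.compile(
    "|".join(sorted(map(re.escape, CONFUSABLES), key=len, reverse=True))
)

# Tokens commonly appended to a genuine name to register a free look-alike.
PADDING_TOKENS = ("ltd", "inc", "llc", "co", "group", "corp", "mail", "secure")


def skeleton(label: str) -> str:
    """Collapse confusable sequences so look-alike labels compare equal."""
    return _CONFUSABLE_RE.sub(lambda m: CONFUSABLES[m.group(0)], label.lower())


def registrable_label(domain: str) -> str:
    """Second-level label ('petrofacltd' for 'petrofacltd.com').
    Simplification: two-part public suffixes such as co.uk are not handled."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def sender_domain(address: str) -> str:
    """Domain of a bare 'user@host' or a 'Display Name <user@host>' header."""
    m = re.search(r"<([^>]+)>", address)
    addr = m.group(1) if m else address.strip()
    return addr.rsplit("@", 1)[-1].lower().strip()


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch labels that are one or two characters off."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, known=KNOWN_VENDOR_DOMAINS) -> tuple[str, str | None]:
    """Return (verdict, vendor) with verdict 'trusted', 'lookalike' or 'unknown'."""
    domain = sender_domain(address)
    for vendor in known:  # exact domain or a genuine subdomain of it
        if domain == vendor or domain.endswith("." + vendor):
            return "trusted", vendor
    label = registrable_label(domain)
    for vendor in known:
        vlabel = registrable_label(vendor)
        if skeleton(label) == skeleton(vlabel):
            return "lookalike", vendor  # homoglyph swap or a different TLD
        stripped = label
        for tok in PADDING_TOKENS:
            if stripped.endswith(tok) and len(stripped) > len(tok):
                stripped = stripped[: -len(tok)]
                break
        if skeleton(stripped) == skeleton(vlabel):
            return "lookalike", vendor  # padded registrant, e.g. petrofacltd
        if levenshtein(skeleton(label), skeleton(vlabel)) <= max(1, len(vlabel) // 4):
            return "lookalike", vendor  # a character or two away from the vendor
    return "unknown", None


def triage_bank_change(address: str) -> str:
    """Action for an e-mailed request to change a vendor's payment account."""
    verdict, vendor = classify_sender(address)
    if verdict == "lookalike":
        return f"BLOCK: sender imitates {vendor}; escalate to security"
    if verdict == "unknown":
        return "HOLD: sender is not an approved vendor domain"
    # Even a trusted domain gets out-of-band confirmation using the number on
    # file, never the number supplied in the message or its attachment.
    return "HOLD: confirm by phone with the vendor contact on file"


SAMPLE_SENDERS = [  # constructed for the example
    '"YiFeng Accounts" <invoices@yifeng-rnould.com>',
    "ap@petrofacltd.com",
    "billing@petrofac.com",
    "noreply@unrelated-supplier.example",
]

if __name__ == "__main__":
    for sender in SAMPLE_SENDERS:
        print(f"{sender:50} {classify_sender(sender)}  {triage_bank_change(sender)}")
```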

Within one month, Apache received notification from Petrofac that it had not received over £4.3 million (approximately $7 million) due from outstanding invoices (and which Apache had transferred to the new (fraudulent) account).  Apache soon discovered it had fallen victim to a fraudulent scheme and was able to recoup all but $2.4 million of the payments previously made.  Id.

Apache submitted a claim under its “Computer Fraud” coverage, which provided that:

We will pay for loss of, and loss from damage to, money, securities and other property resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the premises or banking premises:

  1. to a person (other than a messenger) outside those premises; or

  2. to a place outside those premises.

Id. at *3-4 (emphasis added).  The insurer denied coverage, concluding that Apache’s “loss did not result directly from the use of a computer nor did the use of a computer cause the transfer of funds.”  Id.

Coverage litigation ensued.  The insurer argued that Apache’s loss “was not a covered occurrence because: the email did not ‘cause a transfer’”; and that coverage under the computer fraud provision was “‘unambiguously limited’ to losses from ‘hacking and other incidents of unauthorized computer use’.”  Id. at *6.  Apache, on the other hand, argued that the computer fraud provision was ambiguous; because the provision says nothing about “hacking,” Apache need only to show that “any computer was used to fraudulently cause the transfer of funds.”  Id.  The parties cross moved for summary judgment.  The trial court granted judgment in favor of Apache, concluding that “the intervening steps of the [post-email] confirmation phone call and supervisory approval do not rise to the level of negating the email [and computer] as being a ‘substantial factor'” of the loss to implicate coverage.  The Fifth Circuit reversed.

On appeal, the insurer argued that the fraudulent transfer of funds resulted from events other than the email, including the initial phone call and steps Apache took (and did not take) to authenticate the request.

GAIC maintains the transfer of funds to the fraudulent bank account resulted from other events: before the email, the telephone call directing Apache to change the account information; and, after the email, the telephone call by Apache to the criminals to confirm the change-request, followed by the Apache supervisor’s review and approval of the emailed request, Petrofac’s submission of invoices, the review and approval of them by Apache employees, and Apache’s authorized and intentional transfer of funds, even though to the fraudulent bank account.

Id. at *8.  As a result of all of these actions, the insurer argued that Apache’s loss did not “result[] directly from the use of any computer to fraudulently cause a transfer of that property.”

The Fifth Circuit agreed, concluding that although the fraudulent email sent to Apache “was part of the scheme” to defraud Apache, it was “merely incidental to the occurrence of the authorized transfer of money.”  Id. at *16.  The court explained:

Here, the “computer use” was an email with instructions to change a vendor’s payment information and make “all future payments” to it; the email, with the letter on Petrofac letterhead as an attachment, followed the initial telephone call from the criminals and was sent in response to Apache’s directive to send the request on the vendor’s letterhead. Once the email was received, an Apache employee called the telephone number provided on the fraudulent letterhead in the attachment to the email, instead of, for example, calling an independently-provided telephone contact for the vendor, such as the pre-existing contact information Apache would have used in past communications. Doubtless, had the confirmation call been properly directed, or had Apache performed a more thorough investigation, it would never have changed the vendor-payment account information.  Moreover, Apache changed the account information, and the transfers of money to the fraudulent account were initiated by Apache to pay legitimate invoices.

Id. at *15-16.

Given the wide use of computers as a means of communication, the court feared that to allow the email to implicate coverage for computer fraud would transform the “computer fraud” coverage into coverage for any fraud:

The email was part of the scheme; but, the email was merely incidental to the occurrence of the authorized transfer of money. To interpret the computer-fraud provision as reaching any fraudulent scheme in which an email communication was part of the process would, as stated in Pestmaster II, convert the computer-fraud provision to one for general fraud. . . . We take judicial notice that, when the policy was issued in 2012, electronic communications were, as they are now, ubiquitous, and even the line between “computer” and “telephone” was already blurred. In short, few-if any-fraudulent schemes would not involve some form of computer-facilitated communication.

Id. at *16-17 (emphasis added).

In addition, the court observed that Apache’s failure to properly investigate the fraudulent change-request also took Apache’s loss outside of the scope of the computer fraud’s insuring agreement:

No doubt, the better, safer procedure was to require the change-request to be made on letterhead, especially for future payment of Petrofac’s very large invoices. But the request must still be investigated properly to verify it is legitimate.  In any event, based on the evidence in the summary-judgment record, Apache followed-up on the request in the email and its attachment.  In other words, the authorized transfer was made to the fraudulent account only because, after receiving the email, Apache failed to investigate accurately the new, but fraudulent, information provided to it.  [Emphasis added.]

Id. at *18 (emphasis added).

The court further reasoned that the invoices themselves could be viewed as the direct cause of the transfer of funds, not the use of a computer.

Moreover, viewing the multi-step process in its simplest form, the transfers were made not because of fraudulent information, but because Apache elected to pay legitimate invoices. Regrettably, it sent the payments to the wrong bank account. Restated, the invoices, not the email, were the reason for the funds transfers.

Id.  In other words, the email was too remote to classify the fraudulent payments as being a direct result of the use of a computer.

What this case means:  Here, the Fifth Circuit in essence rejected a syllogistic fallacy akin to “all tigers have stripes; all tigers are mammals; therefore, all mammals must have stripes.”  The syllogism presented here was: Apache used a computer. Apache suffered a fraud. Therefore, the fraud was from Apache’s use of a computer.  Coverage can’t work that way.  Computers are a dominant presence in our lives. They are perhaps the primary means of communication.  (Yes, our mobile phones are computers.)  Does that mean that any fraud that can be linked to the use of a computer is computer fraud?  No.  Given the wide use of computers, the Fifth Circuit clearly feared that to allow use of email to implicate coverage for computer fraud would transform “computer fraud” coverage into coverage for any fraud.

This case also provides another illustration of why companies need to purchase cyber coverage, and why they need cyber counsel to help train employees and improve cybersecurity measures.  Cyber risk is very broad. Purchasing computer fraud coverage doesn’t come close to covering many of the risks out there.

This entry was posted in Data Breach Insurance Coverage.

OHIO COURT HOLDS THAT REQUESTED SELF-AUDIT CAN BE A “CLAIM”


In Eighth Promotions v. Cincinnati Ins. Cos., 2016 Ohio App. LEXIS 4119 (Ohio Ct. App. Oct. 11, 2016), the Ohio appellate court held that a letter forwarded to the insured by a copyright holder requesting that the company conduct a self-audit into its alleged copyright violations constituted a demand for non-monetary relief and thus fell within a policy’s definition for “claim.”  The same court also held that the insured could not stretch the scope of the claim or subsequent settlement to circumvent the policy’s copyright infringement exclusion.

The insured, Eighth Promotions, manufactured and sold sports awards and business gifts.  The company’s Operating Agreement provided indemnification protection to its officers and directors, stating that the company would “indemnify and hold harmless” its officers and directors “[i]n any “threatened . . . claim, action or proceeding to which any officer or any [director] . . . is [a] party or is threatened to be made a party by reason of its or his activities on behalf of [Eighth Floor].”  Id. at *1-2.  The company purchased a D&O liability policy, which contained an insuring agreement covering “all ‘loss’ which the ‘company’ is required to pay as indemnification to the ‘individual insureds’ resulting from any ‘claim’ first made during the ‘policy period’ . . . for a ‘wrongful act’.”  Id. at *15-16.  The policy defined a “claim” in part as:

  1. A written demand for monetary damages or non-monetary relief; or

  2. A civil proceeding commenced by filing of a complaint or similar pleading[.]

Id.  “Loss” included “defense costs.”  Id. at *16.

The policy also had an intellectual property exclusion, but the exclusion did not apply to claims brought against “individual insureds,” such as the company’s officers or directors.  The exclusion stated that the insurer was not liable to pay, indemnify or defend any “claim”:

K. Based upon, arising out of, or in consequence of, or in any way involving actual or alleged infringement of copyright, patent, trademark, trade secret, service mark, trade name, or misappropriation of ideas or trade secrets or other intellectual property rights; provided, however, this exclusion shall not apply to any ‘claim’ against any ‘individual insureds’;

Id. at *17.

In May 2011, the insured received a letter from a trade group, the Business Software Alliance (BSA), investigating on behalf of its member companies “possible instances of illegal duplication of certain software.”  The letter contended that Eighth Promotions had installed on its computers more copies of software programs than it was licensed to use.  Id. at *1.  In lieu of litigation, BSA requested that the insured investigate and audit all of the software published by the BSA members on its computers, as well as the software licenses and proofs of purchase for those licenses, and share the results of its self-audit with BSA.  Id. at *3-4.  The insured tendered the letter to its insurer, which denied coverage on the ground that the letter did not constitute a “claim” because it was neither a “written demand for monetary damages or non-monetary relief” nor a “civil proceeding commenced by filing a complaint or similar pleading.”  Id. at *5.

The insured retained counsel and conducted an audit, revealing numerous instances of unauthorized software installations.  Id. at *6.  After sharing the results of the audit with BSA, BSA offered to settle the dispute under certain terms and conditions, including a payment of $179,393.  Id. at *8.  By entering the proposed settlement, BSA promised that its member clubs would “forego the filing any lawsuit against Eighth Floor and will release Eighth Floor from any liability related to past infringement of the copyrights in the software products listed below due to Eighth Floor’s use and/or installation of those products on Eighth Floor’s computers.”  Id. at *9.  The insured tendered the settlement offer to its insurance carrier, which denied coverage under the intellectual property exclusion.  Id. at *10.  The insured settled the dispute, obtaining a release for the company, as well as for its officers and directors.  Coverage litigation ensued.

The trial court in the coverage litigation granted the insurer summary judgment, holding that the initial “audit” letter did not constitute a claim and that the intellectual property exclusion barred coverage.  On appeal, the appellate court reversed in part.  Id. at *11.

The appellate court held that the May 2011 BSA letter, which inquired about instances of copyright infringement and offered to permit the insured to conduct a self-audit in lieu of litigation, constituted a “claim” to implicate coverage under the policy.  The court rejected the insurer’s characterization of the audit letter as giving “Eighth Floor an opportunity to conduct its own company-wide investigation to determine whether any copyright infringement had occurred.”  Id. at *18.  Instead, the court concluded that the letter provided the insured an opportunity to determine “the extent of Eighth Floor’s copyright violations—not whether Eighth Floor had committed copyright violations.”

The court next looked to the dictionary definitions for “demand,” “non-monetary” and “relief,” all used within the phrase “A written demand for monetary damages or non-monetary relief” to determine the meaning of “claim.”  The court attributed broad meanings to these terms, observing:

“Demand” is defined as “the assertion of a legal right or procedural right.”  Black’s Law Dictionary 522 (10th Ed.2014).

“Non” is defined as “not; no.” Id. at 1212. “Monetary” is defined as “of, relating to, or involving money.” Id. at 1158.

“Relief” is defined as “the redress or benefit, esp. equitable in nature (such as injunction or specific performance), that a party asks of a court.  Also termed remedy.” (Emphasis sic.)  Id. at 1482. “Remedy” is defined as “the means of enforcing a right or preventing or redressing a wrong; legal or equitable relief.” Id. at 1485.  [Internal brackets removed.]

Based on these broad meanings, the court held that the audit letter satisfied the definition for “claim.”  The court explained:

. . . [A]lthough the audit request gave Eighth Floor the “opportunity” to conduct a company-wide software audit, it implied that if Eighth Floor did not take up this “opportunity,” then the matter would proceed to litigation, where the BSA could have achieved the same result. The audit request also sought the preservation of evidence and stated that Willis should not attempt to purchase any software from sales representative of these companies until the matter was resolved.

These measures were the BSA’s “means of enforcing a right” and “preventing a wrong” within the plain and ordinary meaning of “remedy.” See Gold Tip, LLC v. Carolina Cas. Ins. Co., D. Utah No. 2:11-CV-00765-BSJ, 2012 WL 3638538, *4 (Aug. 23, 2012) (a written demand for non-monetary relief can encompass a letter that coerces conduct of the policyholder through the threat of using the legal process to compel that conduct.).

Id. at *22.

The court, however, held that the intellectual property exclusion prohibited coverage for the settlement.  Eighth Promotions argued that the exclusion’s exception for claims against “individual insureds” (meaning, the insured’s directors and officers) applied to trump the coverage denial.  Id. at *23.  To support its argument, Eighth Promotions relied upon the broad standard of interpreting pleadings for evaluating the duty to defend.  Under Ohio law (and the law of most jurisdictions), a duty to defend can be implicated where the allegations in a complaint support or allege an unpled claim that potentially is within the policy coverage.  Id. at *26.  Here, Eighth Promotions argued that although BSA’s demands were directed at the company, because the company’s officers and directors could be held vicariously liable for copyright infringement if BSA filed suit against the company, BSA’s demands contained a claim against the directors and officers that fell within the exception of the intellectual property exclusion.  Eighth Promotions argued:

Vicarious ‘liability for copyright infringement may be imposed upon an officer, directors, or shareholder so long as the individual ‘has the right and ability to supervise the infringing activity’ and also [2] has a direct financial interest in such activities. . . . As such, the Eighth Floor officers and directors were jointly and severally liable on [the] BSA’s claim. . . .

Had the matter not settled, the BSA would have named the officers and directors in its complaint because Eighth Floor was not solvent to the full extent of the potential damages. Because copyright infringement allows for joint and several liability, because the BSA was aware that Eighth Floor was closely held, and because the directors and officers constituted a viable source of recovery who necessarily shared equally in the liability, any lawyer drafting the complaint would be obligated to include the directors and officers as defendants.  [Internal brackets omitted.]

Id. at *25.  As further proof of the existence of a claim against Eighth Promotions’ officers and directors, the company also pointed to the release it had obtained for them.

The appellate court rejected the argument, stating that Ohio law did not support the proposition that “an insurer has a duty to defend an otherwise excluded ‘claim’ where the allegations in that ‘claim’ could potentially or arguably lead to another ‘claim’ which may be within the policy’s coverage.”  According to the court, the only “real” claim was made against the company:

The only real “claim” at issue here is the settlement offer which did not demand any monetary relief from Eighth Floor’s officers or directors or contain any language that could potentially or arguably be construed as a written demand for monetary (or non-monetary) relief against Eighth Floor’s officers and directors.

Id. at *27.  Nor could an insured use a release provision in a settlement agreement to bootstrap coverage by characterizing the release as a written demand for monetary or non-monetary relief:

It included a provision offering to release Eighth Floor’s officers and directors from liability if Eighth Floor complied with its demands, but this provision cannot potentially or arguably be construed as a written demand for monetary (or non-monetary) relief against Eighth Floor’s officers and directors.

Id.  The case was remanded to the trial court to determine whether the exclusion barred the insurer’s duty to defend for the audit letter.

What this case means:  This case serves as a reminder that for claims-made policies that define the meaning of “claim,” the definition “written demand for monetary damages or non-monetary relief” can have a very broad meaning.  Here, the court concluded that a self-audit conducted by the insured pursuant to a claimant’s notice letter satisfied this definition.  At the same time, the court rejected the insured’s attempt to broaden the scope of a claim, or to bootstrap coverage through a broad release in a settlement (even if obtaining additional releases in such a settlement was customary).  In essence, the court concluded that an insured may not mine for unstated claims or causes of action to broaden the scope of a settlement agreement from the uncovered to the covered.

This entry was posted in Uncategorized.

Article III Standing in Data Breach Litigation and Problems Galaria Poses for Data Breach Responses


Last week, in Galaria v. Nationwide Mut. Ins. Co., 2016 U.S. App. LEXIS 16840 (6th Cir. Sept. 12, 2016), the United States Court of Appeals for the Sixth Circuit weighed in on the issue of Article III standing for data breach litigation and effectively lowered the threshold to establish standing.  The decision echoes sentiments expressed by the Seventh Circuit in Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016), and Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015).  The facts are straightforward, and it is part of an ongoing trend by courts to make it easier to allege injury and bring data breach litigation. This will drive up litigation. Yet, here is a bigger problem: the Sixth Circuit based its determination that standing existed to sue a breach victim on actions undertaken by the breach victim to mitigate damage and help consumers prevent the very harm that plaintiffs later sued over. Is the message of “darned if you do” one that courts want to establish? Can decisions like Galaria create an adverse impact on response efforts undertaken by breach victims? These are issues that a breach victim will have to wrestle with early on and provide one more reason why cyber counsel should be retained.

The facts of Galaria are straightforward. In that case, the breach victim, Nationwide, maintained records containing personal information of customers and potential customers, including names, dates of birth, marital statuses, employers, Social Security numbers, and driver’s license numbers. On October 3, 2012, hackers breached Nationwide’s computer network and stole the personal information of 1.1 million people. Id. at *3. In the underlying data breach litigation that followed, putative class actions alleged violation of the Fair Credit Reporting Act (“FCRA”) through Nationwide’s failure to adopt required procedures to protect against wrongful dissemination of plaintiffs’ data. Plaintiffs also alleged claims for negligence, and invasion of privacy by public disclosure of private facts – all based on Nationwide’s failure to secure Plaintiffs’ data.  Id. at *4.

In support of their claims, plaintiffs alleged that an illicit international market exists for stolen personal data. According to the complaints, Nationwide’s data breach created an “imminent, immediate and continuing increased risk” that plaintiffs would be subject to identity theft. They cited a study purporting to show that in 2011 recipients of data-breach notifications were 9.6 times more likely to experience identity fraud, and had a fraud incidence rate of 19%.  They also alleged that victims of identity theft “typically spend hundreds of hours in personal time and hundreds of dollars in personal funds,” incurring an average of $354 in out-of-pocket expenses and $1,513 in total economic loss.  Id. at *5.

The federal district court dismissed the lawsuits, concluding that plaintiffs lacked statutory standing for the FCRA claims and lacked Article III standing for the negligence and bailment claims. The court also concluded that while plaintiffs had standing for their invasion of privacy claims, such claims failed to allege a cognizable injury. Plaintiffs appealed the trial court’s order, except for the dismissal of the invasion of privacy claims.  Id. at *6-7. The Sixth Circuit reversed.

In order to bring a lawsuit, a plaintiff must have standing under Article III of the United States Constitution; “[t]he doctrine of standing gives meaning to these constitutional limits by ‘identify[ing] those disputes which are appropriately resolved through the judicial process.’” Id. at *8 (citation omitted). In Spokeo v. Robins, 136 S. Ct. 1540, 1547 (2016), the United States Supreme Court explained that “the ‘irreducible constitutional minimum’ of standing consists of three elements.” Those elements are that a plaintiff “must have (1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of a defendant, and (3) that is likely to be redressed by a favorable judicial decision.” Spokeo, 136 S. Ct. at 1547; Galaria, 2016 U.S. App. LEXIS 16840 at *8. A plaintiff must prove those elements.  Id. Focusing on the first two elements, the Sixth Circuit in Galaria concluded that plaintiffs met their burden of proof and had Article III standing at the pleading stage to survive a motion to dismiss. As litigators know, that is half the battle.

The Galaria court explained that “[t]o establish injury in fact, a plaintiff must show that he or she suffered ‘an invasion of a legally protected interest’ that is ‘concrete and particularized’ and ‘actual or imminent, not conjectural or hypothetical.’” Galaria, 2016 U.S. App. LEXIS 16840 at *8 (quoting Spokeo, at 1548). Where a plaintiff seeks to establish standing based on an imminent injury, “that ‘threatened injury must be certainly impending to constitute injury in fact’”; “‘[a]llegations of possible future injury’ are not sufficient.” Id. at *9 (quoting Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138, 1147 (2013)).

In the case before it, the Sixth Circuit concluded that plaintiffs’ allegations of increased risk of identity theft, coupled with “reasonably incurred mitigation costs,” established a concrete and particularized imminent injury for purposes of standing. Critically, the court based its decision on the fact that (1) there was proof that the plaintiffs’ information was in fact stolen, (2) hackers had targeted it, and (3) Nationwide had offered free credit monitoring services to help consumers mitigate their danger:

There is no need for speculation where Plaintiffs allege that their data has already been stolen and is now in the hands of ill-intentioned criminals.  Indeed, Nationwide seems to recognize the severity of the risk, given its offer to provide credit-monitoring and identity-theft protection for a full year. Where a data breach targets personal information, a reasonable inference can be drawn that the hackers will use the victims’ data for the fraudulent purposes alleged in Plaintiffs’ complaints. [Bold added.]

Id. at *9-10.

The fact that plaintiffs also could identify specific costs incurred by them from steps recommended by Nationwide in its data breach notification letter further supported the court’s finding that the underlying complaints alleged an imminent injury:

Although Nationwide offered to provide some of these services for a limited time, Plaintiffs allege that the risk is continuing, and that they have also incurred costs to obtain protections—namely, credit freezes—that Nationwide recommended but did not cover. This is not a case where Plaintiffs seek to “manufacture standing by incurring costs in anticipation of non-imminent harm.” [Citing Clapper, at 1155.]  Rather, these costs are a concrete injury suffered to mitigate an imminent harm, and satisfy the injury requirement of Article III standing.  [Bold added.]

Id. at *10-11.

Under the second element, the Sixth Circuit in Galaria held that the alleged harm was “fairly traceable” to Nationwide’s alleged conduct to satisfy Article III standing. Id. at *13. To satisfy the “fairly traceable” element, a plaintiff need not allege proximate causation. “Indirect” injury is sufficient.  Id. at *14. Here, the Galaria court held that plaintiffs had sufficiently alleged that their injuries were “fairly traceable” to Nationwide’s conduct, because Nationwide’s alleged negligence allowed the breach to happen:

Although hackers are the direct cause of Plaintiffs’ injuries, the hackers were able to access Plaintiffs’ data only because Nationwide allegedly failed to secure the sensitive personal information entrusted to its custody. In other words, but for Nationwide’s allegedly lax security, the hackers would not have been able to steal Plaintiffs’ data. These allegations meet the threshold for Article III traceability, which requires “more than speculative but less than but-for” causation.  [Bold added.]

Id. at *15.

Finally, the Sixth Circuit concluded that plaintiffs had statutory standing to bring their FCRA claims. Because plaintiffs had Article III standing to bring the lawsuit in general, they had standing to bring their FCRA claims, and there was no need to evaluate the causes of action alleged in the complaints themselves.  Id. at *17-18.

What does this case mean? This case goes beyond the lowering of the standing threshold.  It also demonstrates why a data breach victim needs a cyber law attorney to help navigate the inevitable legal minefield that will follow a data breach. For instance, when a company suffers a data breach, state notification statutes require those companies to notify persons whose information has been compromised. Many state laws actually will require that notification letters include information explaining to consumers what steps may be taken to mitigate or monitor against any potential harm. Connecticut law requires that credit monitoring services be offered.  Many companies offer credit monitoring services as an act of goodwill.

Yet, in Galaria, the Sixth Circuit used the content of a breach victim’s notification letter and offer of credit monitoring services to permit multiple lawsuits to proceed against it. Does that leave a breach victim with an untenable, Hobson’s choice: comply with state notification laws and get sued, or potentially violate those laws to avoid creating Article III standing for future class actions? Some may say so. These are issues that breach victims are going to need to address when first responding to a breach. It’s another reason to have cyber counsel involved as early as possible when a breach has occurred.

This entry was posted in Data Breach Insurance Coverage, Privacy Rights.

PIRATED TELEVISION PROGRAMMING IS NOT “DATA” UNDER MEDIA POLICY


It’s hard to believe that we are less than two months away from Coverage College (September 22). If you have not signed up yet, please do by visiting White and Williams’ website. This year, I will be teaching a class on coverage issues in privacy and cyber liability litigation. It should be an exciting and fast-paced class. We’ll have a lot to talk about.  

Last Friday, in Ellicott City Cable, LLC v. AXIS Ins. Co., 2016 U.S. Dist. LEXIS 95819 (D. Md. July 22, 2016), the federal district court of Maryland rejected the contention that pirated digital television programming constituted “data” under a media policy. Even broad terms do not have boundless meanings. Terms must be read within the context of their use and the policy as a whole.

In the case, the insured, Ellicott City Cable (ECC), provided television, internet, and telephone services to residents of two separate residential communities, Taylor Village and Waverly Woods.  Id. at *3-4. To provide television service, ECC contracted to obtain satellite television programming from DirecTV, LLC through DirecTV agents Sky Cable, LLC (Sky Cable) and North American Cable Equipment (NACE). (ECC never contracted with DirecTV to provide internet or telephone services.) Id. at *4. Under the contract, ECC distributed the DirecTV programming through equipment and credentials provided by Sky Cable and NACE, and made monthly payments directly to DirecTV for access to its programming. Id.

ECC later terminated its contract with DirecTV. Thereafter, DirecTV commenced an action against ECC and Sky Cable asserting that defendants had “fraudulently” obtained, and assisted others to obtain, DirecTV’s satellite television programming and distributed the programming through unauthorized cable television systems.  Id. at *5.  DirecTV asserted that ECC, through Sky Cable, set up private cable systems to deliver programming to more units in the Taylor Village and Waverly Woods communities than permitted under the DirecTV contract. DirecTV also asserted that ECC created multiple dwelling unit accounts with DirecTV for both properties, but distributed the programming to occupants and residents outside of the scope of those agreements, including by using wiring to traverse public rights of way.  Id.

ECC sought coverage from its media liability insurer, which had issued a media policy providing coverage for damages “as a result of an Occurrence in connection with Scheduled Media during the Policy Period that gives rise to a Claim . . . .”  Id. at *11.  Occurrence was defined in part as “the actual or alleged . . . publication, broadcast or other dissemination of Matter[.]”  Id. at *11, n.10. Matter was defined in part as “communicative or informational content regardless of the nature or form.”  Id.

The media policy had an exclusion that prohibited coverage for claims:

for or arising out of any actual or alleged . . . unauthorized access to, unauthorized use of, or unauthorized alteration of any computer or system, hardware, software, program, network, data, database, communication network or service, including the introduction of malicious code or virus by any person . . .

Id. at *11-12 (emphasis added).

The policy also had additional coverage under Endorsement 3 for claims “for or arising out of the failure to prevent a party from unauthorized access to, unauthorized use of, tampering with or introduction of a computer virus or malicious code into data or systems.” However, coverage under Endorsement 3 did not apply to claims for:

intentional unauthorized access to, unauthorized use of, tampering with or introduction of a computer virus or malicious code into data or systems by any Insured or person who would qualify as an Insured but for their acts being outside the scope of their duties as a partner, . . . except that this exclusion shall not apply to any Insured who did not commit, acquiesce or participate in the actions that gave rise to the Claim.

Id. at *12-13 (emphasis added). As later noted by the Ellicott City Cable Court in its opinion, both policy provisions apply to claims for or arising out of unauthorized access to “data,” with the coverage exception in Endorsement 3 adding the qualifier that the unauthorized access be “intentional.” Id. at *14.

The insurer contended that it had no duty to defend under the exclusion and the exception to coverage under Endorsement 3, contending that DirecTV’s lawsuit for the unauthorized distribution of television programming alleged unauthorized access to data. ECC disagreed, contending that television programming is not “data.”  The Ellicott City Cable Court agreed with the insured.

The court recognized that the term “data” is very broad, and this may have been the insurer’s hope when asserting the policy’s exclusions. Merriam’s Dictionary defines the word “data” as “facts or information used usually to calculate, analyze, or plan something” or “information that is produced or stored by a computer.” Id. at *15. However, the court found that the term was so broad as to be ambiguous. “Given the breadth of this definition [for data],” the court employed the construction canons of ejusdem generis and noscitur a sociis, which require a court, when determining the broad meaning of a word, to consider “the accompanying words so that . . . general and specific words, capable of analogous meaning, when associated together, take color from each other[.]”  Id. at *16. Based on these canons, the court concluded that the word “data” referred to computers, not television programming.

First, the court noted that DirecTV did not use the term “data” to describe the television programming that ECC had allegedly accessed without authorization.  Id. at *15.  The court then looked to the wording of the exclusions at issue, determining that the list of terms in the exclusions limited the meaning of the term “data” rather than expanded it.  The exclusion applied to unauthorized access of “any computer or system, hardware, software, program, network, data, database, communication network or service, including the introduction of malicious code or virus by any person . . . .”  Id. at *16.  The common denominator of these terms was the internet and computers, not television programming:

The common factor underlying all terms listed is their relation to the internet or digital matters in general.  Indeed, the inclusion of “introduction of malicious code or virus” speaks directly to a common risk associated with the internet (and computers). “Data,” in this context, thus appears to concern information related to the internet, and not television programming.

Id. at *17 (emphasis added).

The insurer argued that DirecTV’s programming did involve digital compression and encryption of its signal and thus fell within the umbrella of “digital matters.”  The court rejected the argument in part because DirecTV also provided analog signals.  Under the insurer’s contention, the policy would cover analog signals, but exclude digital signals, a result that the court would not endorse:

Yet, this argument ignores that DirecTV’s television programming takes both digital and analog forms. Under Axis’s reasoning, ECC would receive insurance coverage for unauthorized access to analog television programming, and not digital television programming. Neither Axis nor the Policies themselves present any persuasive argument in favor of such a distinction.

Id. at *16-17.

The court applied the same reasoning to the coverage exception for Endorsement 3, which employed “the same broad term accompanied by terms like ‘computer virus’ and ‘malicious code.’”  The court explained:

Similarly, the exclusion of Endorsement No. 3 applies to intentional unauthorized access of “data or systems[.]”  While this exclusion does not include all terms of the first exclusion, it employs the same broad term accompanied by terms like “computer virus” and “malicious code.” Even if the exclusion uses the disjunctive “or” in describing the excluded conduct, this use does not negate the inference that “data or systems” concern information related to the internet or computers generally.

Id. (internal citations omitted).

The court also looked to coverage provided elsewhere in the policy for piracy claims to conclude that the term “data” could not encompass media programming. The court observed that the policy covered claims “for or arising out of . . . any form of infringement of copyright, violation of Droit Moral, passing-off, plagiarism, Piracy or misappropriation of ideas,” defining “piracy” as “the wrongful use, reprinting or reproduction of copyrighted intellectual property.” Id. at *18.  According to the court, “piracy” described “precisely” DirecTV’s allegations against ECC and Sky Cable.  Thus, “[t]o interpret ‘data’ as including DirecTV’s television programming would effectively broaden the scope of the exclusion to eliminate any coverage for piracy.”  Id.  “Rather than create such a contradiction,” the court held it must construe the ambiguity of “data” against the insurer.  Id. at *18-19.

As a result, the court determined that DirecTV’s television programming is not “data” within the meaning of either exclusion.  Id. at *19.

What this case means:  Media policies and cybersecurity policies sometimes employ very broad terms that remain undefined in the policies themselves.  Examples of such terms can include “matter,” “network,” “systems,” “electronic,” and even “data.”  Ellicott City Cable is a good reminder that even broad terms do not have boundless meaning, both in terms of coverage grants and coverage exclusions. Terms must be read within the context of their use and the policy as a whole.

This entry was posted in Uncategorized.

NO COVERAGE FOR PCI ASSESSMENT LIABILITY UNDER CYBERSECURITY POLICY


In P.F. Chang’s China Bistro, Inc. v. Federal Ins. Co., 2016 WL 3055111 (D. Ariz. May 31, 2016), the United States District Court for the District of Arizona held that liability for PCI assessments following a data breach of 60,000 credit card numbers was excluded under a cybersecurity policy.  This case demonstrates the importance of defining the risk insured under a policy, including cybersecurity insurance, and the ability of carriers to do so.

In PF Chang’s, the insured purchased a cybersecurity insurance policy.  The insurer’s underwriters classified the insured as a high risk, “PCI Level 1”, because the insured conducted more than 6 million transactions per year, a large number of them with credit cards, creating a high exposure to potential customer identity theft.  Id. at *1.  The insured, like many merchants, could not process credit card transactions itself, and therefore entered into an agreement with a credit card processor to settle credit card transactions with the banks that issue the cards (“Issuers”), such as Chase or Wells Fargo.  Here, Chang’s entered into a Master Services Agreement (“MSA”) with the credit card processor Bank of America Merchant Services (“BAMS”) to process credit card payments made by customers of Chang’s.  Id.  Under the MSA, Chang’s delivered customer credit card payment information to BAMS, which then settled the transaction through an automated clearinghouse.  BAMS thereafter credited Chang’s account for the amount of the payments.  Id.

Importantly, credit card processors like BAMS perform their services under agreements entered into with the credit card associations like MasterCard and Visa. Id.  Here, BAMS’s agreement with MasterCard, which was governed by the MasterCard Rules and incorporated into the MSA with Chang’s, obligated BAMS to pay certain fees/fines and assessments to MasterCard in the event of a data breach involving credit card information.  The assessments included “Operational Reimbursement” fees and “Fraud Recovery” fees.  Id.  Under the Chang’s MSA, Chang’s agreed to compensate or reimburse BAMS for “fees,” “fines,” “penalties,” or “assessments” imposed on BAMS by credit card associations like MasterCard.  Id. at *2.  The MSA read in part:

[Chang’s] agrees to pay [BAMS] any fines, fees, or penalties imposed on [BAMS] by any Associations, resulting from Chargebacks and any other fines, fees or penalties imposed by an Association with respect to acts or omissions of [Chang’s] . . . . In addition to the interchange rates, [BAMS] may pass through to [Chang’s] any fees assessed to [BAMS] by the [Associations], including but not limited to, new fees, fines, penalties and assessments imposed by the [Associations].

 Id. at *2.  Assessments levied by MasterCard against BAMS, for which Chang’s was responsible under the Chang’s MSA, became the focus of a coverage dispute.

 On June 10, 2014, Chang’s learned that computer hackers had obtained and posted on the Internet approximately 60,000 credit card numbers belonging to its customers.  Chang’s notified its insurer of the data breach that very same day.  Id.  Almost one year later, on March 2, 2015, MasterCard issued an “ADC Operational Reimbursement/Fraud Recovery Final Acquirer Financial Responsibility Report” to BAMS, assessing over $1.9 million in fines and assessments against BAMS for the data breach.  The fines were “a Fraud Recovery Assessment of $1,716,798.85, an Operational Reimbursement Assessment of $163,122.72 for Chang’s data breach, and a Case Management Fee of $50,000.”  Id.  “The Fraud Recovery Assessment reflects costs, as calculated by MasterCard, associated with fraudulent charges that may have arisen from, or may be related to, the security compromise. The Operational Reimbursement Assessment reflects costs to notify cardholders affected by the security compromise and to reissue and deliver payment cards, new account numbers, and security codes to those cardholders. The Case Management Fee is a flat fee and relates to considerations regarding Chang’s compliance with Payment Card Industry Data Security Standards.”  Id.

BAMS sought indemnity from Chang’s.  Pursuant to the Chang’s MSA, and in order to continue operations and not lose its ability to process credit card transactions, Chang’s reimbursed BAMS on April 15, 2015.  Chang’s sought coverage for the $1.9 million payment under three insuring agreements under the cybersecurity policy: Insuring Agreement A, Insuring Agreement B, and Insuring Agreement D.2.  The insurer denied coverage and litigation ensued.  Id.

No Privacy Injury Under Insuring Agreement A

Insuring Agreement A paid for “‘Loss’ on behalf of an ‘Insured’ on account of any ‘Claim’ first made against such ‘Insured’ . . .  for ‘Injury’,” which included a “Privacy Injury.”  Id. at *4.  “Privacy Injury” was defined as “injury sustained or allegedly sustained by a Person because of actual or potential unauthorized access to such Person’s Record, or exceeding access to such Person’s Record.”  Id.  The insurer argued that Chang’s did not sustain a Privacy Injury because its own Records were not compromised during the data breach.  Id. at *5.  Chang’s acknowledged that it was the credit card issuers who suffered a Privacy Injury because it was their Records that were compromised in the data breach.  However, Chang’s argued that the owner of the “Records” was immaterial to the issue of coverage because the injury “first passed through BAMS before BAMS in turn charged Chang’s” pursuant to industry standards.  Id.  As the Court summarized, “[b]asically, Chang’s argues that because a Privacy Injury exists and was levied against it, regardless of who suffered it, the Injury is covered under the Policy.”  Id.

The Court disagreed with Chang’s and held that there was no Privacy Injury to implicate coverage under Insuring Agreement A because BAMS’s own Records had not been compromised.  Thus, there was no coverage for BAMS’s liability under the MasterCard ADC Fraud Recovery Assessment:

The Court agrees with [the insurer]; BAMS did not sustain a Privacy Injury itself, and therefore cannot maintain a valid Claim for Injury against Chang’s. The definition of Privacy Injury requires an “actual or potential unauthorized access to such Person’s Record, or exceeding access to such Person’s Record.” (Doc. 8-1) (emphasis added).  The usage of the word “such” means that only the Person whose Record is actually or potentially accessed without authorization suffers a Privacy Injury.  Here, because the customers’ information that was the subject of the data breach was not part of BAMS’ Record, but rather the Record of the issuing banks, BAMS did not sustain a Privacy Injury.  Thus, BAMS did not make a valid Claim of the type covered under Insuring Clause A against Chang’s.

Id. at *5.

Coverage Under Insuring Agreement B Initially Implicated

Insuring Agreement B of the policy stated that the insurer would “pay ‘Privacy Notification Expenses’ incurred by an ‘Insured’ resulting from [Privacy] Injury.”  Id. at *5.  The policy defined “Privacy Notification Expenses” as “the reasonable and necessary cost[s] of notifying those Persons who may be directly affected by the potential or actual unauthorized access of a Record, and changing such Person’s account numbers, other identification numbers and security codes….”  Id.

Chang’s contended that the ADC Operational Reimbursement fee was a “Privacy Notification Expense” because it compensated credit card issuers for the cost of reissuing bankcards and new account numbers and security codes to Chang’s customers.  The insurer argued that coverage did not exist because the ADC Operational Reimbursement fee was not personally incurred by Chang’s, but rather was incurred by BAMS.  It also argued that the fee did not qualify as a “Privacy Notification Expense” because there was no evidence that the fee was used to “notify[ ] those Persons who may be directly affected by the potential or actual unauthorized access of a Record, and changing such Person’s account numbers, other identification numbers and security codes.”  Id. at *6.

The Court agreed with Chang’s.  Relying on Arizona courts’ broad interpretation of the term “incurred,” which requires only that an insured become liable for the expense, even if the expense was originally paid by others, the Court held that the ADC Operational Reimbursement fee was “incurred by” Chang’s “resulting from [Privacy] Injury.”  Id.  The Court explained:

Although the ADC Operational Reimbursement fee was originally incurred by BAMS, Chang’s is liable for it pursuant to its MSA with BAMS.

Id. at *6.

The Court also held that sufficient evidence existed – and the insurer did not identify any contrary evidence – that the assessment was to be used to compensate credit card issuers for the costs of notifying about the security compromise and reissuing credit cards to Chang’s customers to have the damages fall within the meaning of a “Privacy Notification Expense.”  Id.  As discussed further below, ultimately the Court held that two exclusions applied to bar coverage.

Coverage Under Insuring Agreement D.2 Potentially Implicated

The Court also held that it could not summarily hold, as a matter of law, that the requirements of Insuring Agreement D.2 were unsatisfied so as to implicate coverage.  The Insuring Agreement covered “’Extra Expenses’ an ‘Insured’ incurs during the ‘Period of Recovery of Services’ due to the actual or potential impairment or denial of ‘Operations’ resulting directly from ‘Fraudulent Access or Transmission’.” Id. at *6.  The policy defined “Extra Expenses” to include “reasonable expenses an Insured incurs in an attempt to continue Operations that are over and above the expenses such Insured would have normally incurred. Extra Expenses do not include any costs of updating, upgrading or remediation of an Insured’s System that are not otherwise covered under [the] Policy.”  Id.  Critically, the policy defined “Period of Recovery of Services” as beginning:

. . . immediately after the actual or potential impairment or denial of Operations occurs; and will continue until the earlier of…the date Operations are restored,…to the condition that would have existed had there been no impairment or denial; or sixty (60) days after the date an Insured’s Services are fully restored…to the level that would have existed had there been no impairment or denial.

Id. at *6.

The insurer argued that Insuring Clause D.2. did not apply because Chang’s had not submitted evidence demonstrating that the data breach caused “actual or potential impairment or denial” of business activities.  Id. at *7.  The insurer also argued that Chang’s did not incur Loss during the “Period of Recovery of Services” because it did not pay the Case Management Fee until April 15, 2015, nearly one year after it discovered the data breach.  Id.  Chang’s contended that its ability to operate was impaired because BAMS would have terminated the MSA and eliminated Chang’s ability to process credit card transactions if Chang’s did not pay BAMS.  Further, the MSA prohibited Chang’s from using another processor while contracting with BAMS for its services.  Id.  Chang’s also contended that its business activities were still not fully restored; therefore, the “Period of Recovery of Services” remained ongoing.  Id.

The Court agreed with Chang’s in part, concluding that the evidence showed that “Chang’s experienced a Fraudulent Access during the data breach and that its ability to perform its regular business activities would be potentially impaired if it did not immediately pay the Case Management Fee imposed by BAMS.”  Id.  However, whether Chang’s operations were not yet fully restored, thereby extending the “Period of Recovery of Services,” was an issue of fact that the Court could not resolve on summary judgment and that was best suited for trial.  Id. at *7.  As discussed below, the Court ultimately held that two exclusions applied to bar coverage in any event.

Two Contractual Liability Exclusions Prohibit Coverage  

Although the Court held that the requirements of Insuring Agreement B were met, and refrained from ruling on the requirements of Insuring Agreement D.2., the court held that coverage under the Insuring Agreements was prohibited by two policy exclusions.  The two exclusions prohibited coverage as follows:

With respect to all Insuring Clauses, [the insurer] shall not be liable for any Loss on account of any Claim, or for any Expense . . . based upon, arising from or in consequence of any . . . liability assumed by any Insured under any contract or agreement.

* * *

With respect to Insuring Clauses B through H, [the insurer] shall not be liable for…any costs or expenses incurred to perform any obligation assumed by, on behalf of, or with the consent of any Insured.

Id. at *7.  The Court characterized these two exclusions as “the same in that they bar coverage for contractual obligations an insured assumes with a third-party outside of the Policy.”  Id.  In addition, “Loss” was defined to exclude “any costs or expenses incurred to perform any obligation assumed by, on behalf of, or with the consent of any Insured.”  Id.

Notably, the Court “turned to cases analyzing commercial general liability insurance policies for guidance, because cybersecurity insurance policies are relatively new to the market but the fundamental principles are the same.”  Id. at *8.  Observing that “Arizona courts, as well as those across the nation, hold that such contractual liability exclusions apply to ‘the assumption of another’s liability, such as an agreement to indemnify or hold another harmless’,” the Court  held that both exclusions, as well as the definition of “Loss,” applied to prohibit coverage under Insuring Agreement B.  The Court explained:

In no less than three places in the MSA does Chang’s agree to reimburse or compensate BAMS for any “fees,” “fines,” “penalties,” or “assessments” imposed on BAMS by the Associations, or, in other words, indemnify BAMS. . . . Furthermore, the Court is unable to find and Chang’s does not direct the Court’s attention to any evidence in the record indicating that Chang’s would have been liable for these Assessments absent its agreement with BAMS. While such an exception to an exclusion of this nature may exist in the law, it is not applicable here.

Id. at *8.

What This Case Means:  This case has a number of takeaways.  Briefly, and perhaps most important, this case illustrates that although cybersecurity insurance can provide significant amounts of coverage – here, the Court noted that the insurer already had provided $1.7 million in coverage under the policy to Chang’s – coverage is not limitless.  Some may say that a policyholder should “read the fine print,” but I say that the policyholder should understand its risk and ensure it purchases the insurance it needs.  A carrier has an unfettered right to limit the scope of the cyber risk it is willing to insure.  This case also raises the issue of coverage for liability assumed under third-party contracts, which can be a significant source of exposure in a data breach.  This case also illustrates how the timing of liability and payments can affect coverage.  “Extra Expenses” coverage, sometimes overlooked, also can play a significant role in a data breach.  Questions are welcome.

This entry was posted in Data Breach Insurance Coverage.

FINANCIAL INSTITUTION BOND COVERS LOSS FROM HACKING



In State Bank v. BancInsure, Inc., 2016 U.S. App. LEXIS 9235 (8th Cir. May 20, 2016), the United States Court of Appeals for the Eighth Circuit held that a $485,000 fraudulent wire transfer perpetrated through the use of malware residing on a bank employee’s computer was covered under the bank’s financial institution bond.  The insured bank was the State Bank of Bellingham (“Bellingham”), the name used in the passages quoted below.  The facts are straightforward.

The insured used the Federal Reserve’s FedLine Advantage Plus system to perform wire transfers. The transfers were made through a desktop computer connected to a Virtual Private Network device provided by the Federal Reserve. In order to complete a transfer, two bank employees had to enter their individual user names, and each had to insert individual physical tokens into the computer, and provide individual passwords and passphrases.

In the matter at issue, a bank employee completed a FedLine wire transfer. However, instead of following company policy and protocol by engaging the participation of a second employee, as required, the bank employee instead completed the transfer using her token, password, and passphrase as well as the token, password, and passphrase of a second employee on the same computer.  At the end of the work day, the employee then left the two tokens in her computer and left the computer running overnight.  When the employee returned to work the next morning, she discovered that two unauthorized wire transfers had been made from the bank’s Federal Reserve account.  Money from one of the transfers was recovered.  However, $485,000 wired in the second transfer was not recovered.  Id. at *1-2.
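The dual-control procedure described above, and the way it was defeated, as an added example that is not part of the original post and does not describe the FedLine system: a small Python model of two-operator wire authorization in which every approval requires two distinct users, two distinct hardware tokens and two distinct terminals, and in which idle sessions expire long before they could be left open overnight. The operator names, token identifiers, terminals, secrets and the 15-minute idle timeout are constructed for the example; the checks are assumptions about how such a control could be built, not the bank’s or the Federal Reserve’s actual configuration.

```python
"""Dual-control authorization check for a wire-transfer workflow (added example).

Two operators, two hardware tokens, two terminals, and an idle timeout.
All names, token ids and secrets below are constructed for illustration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Credential:
    """What an operator presents: identity, hardware token id, two secrets,
    and the terminal the credentials were entered on."""
    user: str
    token_id: str
    password: str
    passphrase: str
    terminal: str


@dataclass
class Session:
    user: str
    token_id: str
    terminal: str
    last_activity: float


def _kdf(secret: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the iteration count is kept low only to keep the example fast.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 10_000)


def enroll(token_id: str, password: str, passphrase: str) -> dict:
    """Directory record for one operator: token binding plus salted secret hashes."""
    salt = secrets.token_bytes(16)
    return {"token_id": token_id, "salt": salt,
            "pw": _kdf(password, salt), "pp": _kdf(passphrase, salt)}


class WireAuthorizer:
    def __init__(self, directory: dict, idle_timeout: float = 900.0):
        self.directory = directory          # user -> enroll(...) record (assumed store)
        self.idle_timeout = idle_timeout    # seconds; 15 minutes in this example
        self.sessions: dict[str, Session] = {}

    def login(self, cred: Credential, now: float) -> bool:
        """Authenticate one operator. False on unknown user, wrong token for that
        user, or wrong password/passphrase. On success a session is bound to the
        token and the terminal the credentials came from."""
        rec = self.directory.get(cred.user)
        if rec is None:
            return False
        ok = hmac.compare_digest(rec["token_id"], cred.token_id)
        ok &= hmac.compare_digest(rec["pw"], _kdf(cred.password, rec["salt"]))
        ok &= hmac.compare_digest(rec["pp"], _kdf(cred.passphrase, rec["salt"]))
        if not ok:
            return False
        self.sessions[cred.user] = Session(cred.user, cred.token_id, cred.terminal, now)
        return True

    def expire_idle(self, now: float) -> list[str]:
        """End sessions idle past the timeout; return the users logged out.
        A token left inserted overnight no longer carries a usable session."""
        stale = [u for u, s in self.sessions.items()
                 if now - s.last_activity > self.idle_timeout]
        for u in stale:
            del self.sessions[u]
        return stale

    def authorize_wire(self, initiator: str, approver: str, now: float) -> tuple[bool, str]:
        """Dual control: two live sessions, two people, two tokens, two terminals."""
        self.expire_idle(now)
        a = self.sessions.get(initiator)
        b = self.sessions.get(approver)
        if a is None or b is None:
            return False, "both operators must have a live session"
        if a.user == b.user:
            return False, "initiator and approver must be different people"
        if a.token_id == b.token_id:
            return False, "each operator must present a distinct token"
        if a.terminal == b.terminal:
            return False, "approval must come from a second terminal"
        a.last_activity = b.last_activity = now
        return True, "approved"


if __name__ == "__main__":
    # Constructed scenario: one employee enters a colleague's token and secrets
    # on the same workstation, which the terminal check rejects.
    auth = WireAuthorizer({"alice": enroll("TOKEN-A", "pw-a", "pp-a"),
                           "bob": enroll("TOKEN-B", "pw-b", "pp-b")})
    auth.login(Credential("alice", "TOKEN-A", "pw-a", "pp-a", "WS-1"), 0.0)
    auth.login(Credential("bob", "TOKEN-B", "pw-b", "pp-b", "WS-1"), 0.0)
    print(auth.authorize_wire("alice", "bob", 1.0))
```

The point the case makes is visible in the model: a “two different users” check on its own cannot tell that one employee typed a colleague’s token, password and passphrase, because the credentials are valid. What catches that scenario is binding each session to the terminal it was opened from and refusing approvals where both sessions share a terminal, and what limits the overnight exposure is an idle timeout that ends the sessions whether or not the tokens are still physically inserted. A production implementation would bind the token to the session cryptographically (a challenge signed by the token) rather than by comparing an identifier string.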

An investigation revealed that malware resided on the computer, permitting infiltration that allowed completion of the fraudulent transfers. Id. at *2.  The bank sought coverage under its financial institution bond, which provided coverage for losses caused by computer system fraud.  The insuring agreement covered, in part:

Loss resulting directly from a fraudulent

(1) entry of Electronic Data or Computer Program into, or

(2) change of Electronic Data or Computer Program within

any Computer System operated by the Insured, whether owned or leased, or any Computer System identified in the application for this Bond, or a Computer System first used by the Insured during the Bond Period, provided the entry or change causes

(1) property to be transferred, paid or delivered,

(2) an account of the Insured or of its customer to be added, deleted, debited or credited, or

(3) an unauthorized account or fictitious account to be debited or credited.

Id. at *3-4, n.2.

The carrier denied coverage, citing certain exclusions in the bond for loss based on employee-caused loss, theft of confidential information, and mechanical breakdown or deterioration of a computer system.  Id. at *3.  The carrier cited the following exclusions, which prohibited coverage for:

(h) loss caused by an Employee . . . resulting directly from misplacement, mysterious unexplainable disappearance or destruction of or damage to Property;

. . . .

(bb) (4) loss resulting directly or indirectly from theft of confidential information,

. . . .

(bb) (12) loss resulting directly or indirectly from

(a) mechanical failure, faulty construction, error in design, latent defect, fire, wear or tear, gradual deterioration, electrical disturbance or electrical surge which affects a Computer System,

(b) failure or breakdown of electronic data processing media, or

(c) error or omission in programming or processing,

. . . .

(bb) (17) loss caused by a director or Employee of the Insured . . . .

Id. at *4, n.3.

Coverage litigation ensued.  The carrier argued that the employee’s breach of company policy caused the loss and thus the loss was excluded.  Specifically, the carrier contended that the malware would not have allowed the hacker to fraudulently transfer the lost money had the bank employee (1) engaged a second employee to perform the original wire transfer, and (2) had not left the computer running overnight with two tokens in it.  Based on Minnesota’s concurrent-causation doctrine, the trial court nevertheless held that the bond covered the loss.  The trial court concluded that “the computer systems fraud was the efficient and proximate cause of [Bellingham’s] loss,” and that “neither the employees’ violations of policies and practices (no matter how numerous), the taking of confidential passwords, nor the failure to update the computer’s antivirus software was the efficient and proximate cause of [Bellingham’s] loss.”  Id. at *6.  The court further held that “it was not then a ‘foreseeable and natural consequence’ that a hacker would make a fraudulent wire transfer. Thus even if those circumstances ‘played an essential role’ in the loss, they were not ‘independent and efficient causes’ of the loss.”  Id. at *6-7.  The carrier appealed and the Eighth Circuit affirmed.

On appeal, the carrier first argued that the concurrent-causation doctrine, which applies to insurance contracts, did not apply to financial institution bonds because a financial institution bond requires the insured to initially show that its loss directly and immediately resulted from dishonest, criminal, or malicious conduct.  Id. at *8.  The Eighth Circuit disagreed, stating that Minnesota courts adhere to the general rule of “treating financial institution bonds as insurance policies and interpreting those bonds in accordance with the principles of insurance law.”  Id. at *9.

The carrier next argued that exclusions 2(bb)(4) and 2(bb)(12) contracted around the concurrent-causation doctrine because those exclusions applied to both direct and “indirect” causation.  Id. at *10.  The Eighth Circuit disagreed.  Although noting that “[p]arties may include ‘anti-concurrent causation’ language in contracts to prevent the application of the concurrent-causation doctrine,” such language must be “clear and specific.”  Id.  The court concluded that, “[a]s a matter of law, the Bond’s reference to ‘indirectly’” was not clear and specific, and was insufficient to circumvent the doctrine.  Id. at *11.

Finally, the carrier argued that even if the district court correctly applied the concurrent-causation doctrine, it erred in concluding that the fraudulent hacking of the computer system by a criminal third party was the overriding, or efficient and proximate, cause of the loss.  At a minimum, the carrier contended, the issue should have been one for the jury to decide.  Id. at *11.  Again, the court disagreed, concluding that the fraudulent wire transfers were not a foreseeable or inevitable result of the employees’ negligence and actions:

We agree with the district court’s conclusion that “the efficient and proximate cause” of the loss in this situation was the illegal transfer of the money and not the employees’ violations of policies and procedures. . . .  an illegal wire transfer is not a “foreseeable and natural consequence” of the bank employees’ failure to follow proper computer security policies, procedures, and protocols.  Even if the employees’ negligent actions “played an essential role” in the loss and those actions created a risk of intrusion into Bellingham’s computer system by a malicious and larcenous virus, the intrusion and the ensuing loss of bank funds was not “certain” or “inevitable.”

Id. at *13-14.  According to the court, “[t]he ‘overriding cause’ of the loss Bellingham suffered remains the criminal activity of a third party.”  Id. at *14.  Therefore, it held that the district court properly granted the bank summary judgment.

This entry was posted in Data Breach Insurance Coverage, Uncategorized.

MAKING RECORDS ACCESSIBLE ON THE INTERNET IS A “PUBLICATION”



We have all heard the question “if a tree falls in the forest…,” a philosophical experiment that raises questions of observation, knowledge, and reality. Whether or not the philosopher George Berkeley deserves credit for first raising the question, if still alive, he may have been disappointed in yesterday’s decision, Travelers Indem. Co. of Am. v. Portal Healthcare Solutions, LLC, No. 14-1944 (4th Cir. Apr. 11, 2016). In that case, the trial court had addressed the legal question of “whether materials are published if they are posted on the Internet, but no one reads them?”  As discussed by The Coverage Inkwell in August 2014, the trial court answered the question in the affirmative. Yesterday, the Fourth Circuit affirmed the decision, but never really weighed in on the question. That’s too bad.

The facts of the case are straightforward. The insured, Portal Healthcare Solutions (“Portal”), specialized in the electronic safekeeping of medical records for hospitals, clinics, and other medical providers.  Travelers Indem. Co. of Am. v. Portal Healthcare Solutions, LLC, 35 F. Supp. 3d 765, 767-78 (E.D. Va. 2014). A New York putative class action was filed against it, alleging that Portal had failed to safeguard the confidentiality of the medical records of patients at Glen Falls Hospital (“Glen Falls”) by posting them on the Internet and making them publicly accessible through Internet searches. Id. Two patients of Glen Falls discovered the breach when they conducted a Google search for their names and found links that directed them to their Glen Falls medical records. Id.

Travelers issued two policies, each having slightly different language. One covered injury arising from the “electronic publication of material that … gives unreasonable publicity to a person’s private life.” The second covered injury arising from the “electronic publication of material that … discloses information about a person’s private life.”  Id. at 767. The key issue in the trial court was whether making medical records accessible on the Internet constituted a “publication” under the terms of the policies, even if no one had read the information.

Looking to dictionary definitions for the word “publication,” the trial court concluded that the meaning of “publication” includes “to place before the public (as through a mass medium).” Id. at 770. Thus, making the records accessible constituted a “publication.”

Exposing medical records to the online searching of a patient’s name, followed by a click on the first result, at least “potentially or arguably” places those records before the public.  Any member of the public could retrieve the records of a Glen Falls patient, whether he or she was actively seeking those records or searching a patient’s name for other purposes, like a background check.  Because medical records were placed before the public, the Court finds that Portal’s conduct falls within the plain meaning of “publication.”

Id. at 770. The trial court summarily rejected the argument that because Portal Healthcare had not intended to release the information, there was no “publication,” stating that “the issue cannot be whether Portal intentionally exposed the records to public viewing since the definition of ‘publication’ does not hinge on the would-be publisher’s intent.” Id.

Importantly, the court also rejected the argument that because no one had read the records, there was no “publication.” In other words, the court took the approach that if a tree falls, of course it makes a sound:

Publication occurs when information is “placed before the public,” not when a member of the public reads the information placed before it.  By Travelers’ logic, a book that is bound and placed on the shelves of Barnes & Noble is not “published” until a customer takes the book off the shelf and reads it.  Travelers’ understanding of the term “publication” does not comport with the term’s plain meaning, and the medical records were published the moment they became accessible to the public via an online search.

Id. at 771.

On appeal, the Fourth Circuit “commended” the trial court for its “sound legal analysis,” but did not add more, including on the scope of the term “publication.” Noting that Virginia is an “eight corners rule” state and that the duty to defend is broader than the duty to indemnify, the appellate court referred to the trial court’s conclusion that “the class-action complaint ‘at least potentially or arguably’ alleges a ‘publication’ of private medical information by Portal that constitutes conduct covered under the Policies.” (Slip Op. at 6.) Thus, the trial court reasoned, the release of information on the Internet, if proven, “would have given ‘unreasonable publicity to, and disclose[d] information about, patients’ private lives,’ because any member of the public with an internet connection could have viewed the plaintiffs’ private medical records during the time the records were available online.” (Id.) Under the broad scope of the duty to defend, the Fourth Circuit could not disagree:

Put succinctly, we agree with the Opinion that Travelers has a duty to defend Portal against the class-action complaint.  Given the eight corners of the pertinent documents, Travelers’s efforts to parse alternative dictionary definitions do not absolve it of the duty to defend Portal.  [Citation omitted.]   See Seals v. Erie Ins. Exch., 674 S.E.2d 860, 862 (Va. 2009) (observing that the courts “have been consistent in construing the language of [insurance] policies, where there is doubt as to their meaning, in favor of that interpretation which grants coverage, rather than that which withholds it” (quoting St. Paul Fire & Marine Ins. Co., 316 S.E.2d at 736)).

(Id. at 6-7.)

What this case means.  Two years ago, I noted that this was a difficult case for an insurer to win.  It was undisputed that the records were available on the Internet.  Typically, when determining whether an underlying complaint alleges a “publication,” many courts look to dictionary definitions, which define the term to mean distribution to the public at large.  That is what the trial court did here, and the Fourth Circuit agreed.  Typically, the question of whether the material at issue was read is not asked or addressed.

The trial court rejected the contention that if material is not read, it is not published.  In doing so, the court used a persuasive analogy of an untouched book on a shelf.  The Fourth Circuit appeared to have no interest in delving into that question, at least in the context of the duty to defend.  That is too bad, because the argument raises interesting issues, not the least of which is whether a “publication” is just the release of information or also its consumption.

This entry was posted in Data Breach Insurance Coverage, Privacy Rights.