Monthly Archives: November 2017

No Coverage for Data Breach Where Insured Isn’t Accused of Publishing


In the lawsuit Innovak Int’l, Inc. v. Hanover Ins. Co., the federal court for the middle district of Florida recently held that an underlying data breach class action lawsuit did not implicate “personal and advertising injury” coverage because the insured was not the entity accused of publishing the compromised personal information (PI).

The decision is notable not only because the court rejected claims for cyber coverage under a CGL policy, but also because it follows a recent trend in litigation over Coverage B: namely, if the insured is not the one accused of publishing the information at issue, there is no “personal and advertising liability” coverage. In other words, Coverage B does not apply to third-party publications, even if the insured is the entity ultimately sued. E.g., Steadfast Ins. Co. v. Tomei, 2016 Pa. Super. Unpub. LEXIS 1864, at *17 (Pa. Super. Ct. May 24, 2016); Zurich Am. Ins. Co. v. Sony Corp., No. 651982/2011 (N.Y. Supr. Ct. Feb. 21, 2014).

The facts in Innovak are straightforward. Innovak was sued in a putative class action following a data breach that compromised the underlying plaintiffs’ personal information. According to the lawsuit, Innovak “designs, develops, and sells accounting and payroll computer software systems to schools, school districts, and to other entities across the United States.” Id. at *3. The lawsuit alleged that “Innovak’s software and database provides up-to-date W2 and paystub information to end users, which is accessible remotely via an internet portal,” and that Innovak suffered the data breach “when hackers appropriated the personal private information (‘PPI’) stored on its software, database, and/or its portals … from numerous individuals in several different states whose PPI was stored and made accessible through Innovak’s internet portal.” Id. at *3-4. The suit was filed because of “Innovak’s alleged failure to protect adequately the Underlying Claimants’ PPI and to timely disclose the data breach to end users.” Id. at *4.

Innovak sought a defense under the “personal and advertising injury” coverage in its CGL policy. The policy defined “personal and advertising injury” in part as “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy.” Id. at *16. The carrier denied coverage and coverage litigation ensued.

The federal court, applying South Carolina law, held that the underlying lawsuit did not implicate Coverage B “personal and advertising injury” coverage because Innovak was not accused of publishing the PI in question. The court observed:

The Court notes that Innovak materially mischaracterizes the allegations of the Underlying Complaint. Nowhere in the Underlying Complaint do the Underlying Claimants contend that their PPI was “published,” whether by third party hackers or by Innovak. However, even if the Court views the alleged data breach as an alleged publication of the Underlying Claimants’ PPI, the Underlying Claimants do not allege that Innovak published their information.

Id. at *16. Citing the reasoning of the New York trial court in Zurich Am. Ins. Co. v. Sony Corp., the Florida court held that “the only plausible interpretation of Coverage B is that it requires the insured to be the publisher of the PPI.” Id. at *18. Allegations that the insured failed to protect PI adequately are not allegations of a publication, whether direct or indirect. Id.

What this case means. The insurance industry has attempted to shift coverage for liability for cyber risk from CGL policies to cybersecurity policies through promulgation of the Access Or Disclosure Of Confidential Or Personal Information And Data-related Liability Damages exclusion.

Thus, the real significance of this case is that it is yet another decision in which courts have limited Coverage B to claims in which the insured – and not a third party – has committed the publication. This limitation has a reach well beyond the scope of cybersecurity. It goes to an increasingly common theme in litigation where the insured is sued not for invading someone’s privacy, but for failing to prevent the invasion of privacy committed by a third party, whether by e-surveillance or vulnerabilities in the insured’s informational security, or from actions taken by rogue employees.

This entry was posted in Data Breach Insurance Coverage, Privacy Rights.

Payee Denied Computer Fraud Coverage in Email Phishing Scams


Business Email Compromise (BEC) scams are becoming an increasing source of loss (think billions of dollars since 2013) to U.S. businesses, big and small. In Posco Daewoo Am. Corp. v. Allnex USA, Inc., 2017 U.S. Dist. LEXIS 180069 (D.N.J. Oct. 31, 2017), a payee whose invoices totaling $630,058 were mistakenly paid by a customer to a third party as a result of a phishing scam sought coverage for the loss under its own computer fraud coverage. A New Jersey federal district court held that no such coverage existed.

Posco Daewoo, which imported and exported chemicals, supplied its customer Allnex with a chemical product for which Allnex owed payment. In early 2016, an impostor posing as an employee of Posco Daewoo’s accounts receivable department sent emails to an employee of Allnex, instructing Allnex to wire payments to four separate Wells Fargo bank accounts. Id. at *2. Allnex, without confirming the authenticity of the email or the Wells Fargo bank accounts, wired three separate payments to the Wells Fargo accounts, totaling $630,058. Id. After the fraud was discovered, Allnex recovered $262,444 of the stolen $630,058. The remaining $367,613.46 was not recovered. Id. at *3. Posco Daewoo alleged that Allnex still owed it the remaining $367,613.46 to satisfy the original outstanding receivables. Allnex, on the other hand, contended that the unrecovered wire payments satisfied the balance it owed to Posco Daewoo. Id.

Posco Daewoo sought coverage for the lost funds under its “computer fraud” coverage in a crime policy. Id. The insurance policy insured Posco Daewoo for several types of loss resulting from criminal activity, including computer crime. The computer crime coverage read in part as follows:

1. Computer Fraud

The Company will pay the Insured for the Insured’s direct loss of, or direct loss from damage to, Money, Securities, and Other Property directly caused by Computer Fraud.

The Policy defined “Computer Fraud” to mean:

The use of any computer to fraudulently cause a transfer of Money, Securities, or Other Property from the inside the Premises or Financial Institution Premises:

1. to a person (other than a Messenger) outside the Premises or Financial Institution Premises; or

2. to a place outside the Premises or Financial Institution Premises.

Id. at *4.

The policy also limited coverage to certain property, stating as follows:

5. Ownership of Property; Interests Covered

a. The property covered under this Crime Policy except as provided in 5.b. below is limited to a property:

i. that the Insured owns or leases;

ii. that the Insured holds for others:

(a) on the Insured’s Premises or the Insured’s Financial Institution Premises; or

(b) while in transit and in the care and custody of a Messenger; or

iii. for which the Insured is legally liable, except for property located inside the Insured’s Client’s Premises or the Insured’s Client’s Financial Institution Premises:

Id. at *6. If the alleged loss property did not fall within this provision, there would be no coverage.

Posco Daewoo argued that the phishing emails sent to Allnex constituted “The use of any computer to fraudulently cause a transfer of Money” to implicate the computer fraud coverage. The insurer, citing the Fifth Circuit decision in Apache Corp. v. Great American Ins. Co., argued that the use of a computer to send phishing emails was too incidental to satisfy the meaning of “computer fraud” or loss “directly” caused by “computer fraud.” Id. at *12-13.

The court, however, did not address either argument. Instead, it focused on the “Ownership of Property; Interests Covered” coverage limitation under the policy. Id. at *13.

Identifying subparagraph (i) of the provision – “that the Insured owns or leases” – as the only provision that could possibly apply, the court held that because Posco Daewoo did not own or lease the mis-wired money in question, it had no right under the “Ownership of Property; Interests Covered” provision to recover under the policy. The court looked to Black’s Law Dictionary to determine the “plain and ordinary” meaning of “own,” which that dictionary defines as “[t]o rightfully have or possess as property; to have legal title to.” Id. at *14.

Because Posco Daewoo did not plead that it had owned the money that was mis-wired, and could not plead that it had owned the money, its coverage claims were subject to dismissal. The court explained:

Plaintiff has not plausibly pled sufficient facts for the Court to find that it rightfully had, possessed, or had legal title to the money Allnex transferred into the Wells Fargo accounts. Plaintiff’s strongest claim to owning that money stems from Allnex’s intention. The parties do not dispute that Allnex intended Plaintiff to receive the wired money as payment for a debt. [Citation omitted.] However, a party’s intention of transferring legal title does not equate to an actual transfer of legal title without more.

Id. at *15. Thus, the court concluded that before payment, Posco Daewoo did not own the wired money, but only “a receivable, or a right to payment, as well as a potential cause of action for payment if it was not made.” Id. at *16. “In other words, Daewoo did ‘own’ something of value, but it was not the cash in the Wells Fargo accounts.” Id.

What this case means. The court never addressed the meaning of “use of a computer” in the context of a phishing scam, a topic that is being debated among several courts around the country. (For what it is worth, I think Posco Daewoo would have lost this argument.) Instead, the court addressed a separate, but just as meaningful issue, the limitation of insured interests for computer fraud coverage under a crime policy, as expressly provided for by the policy. Thus, this decision highlights another boundary for computer fraud coverage.

Although the loss caused by the mis-wired funds was felt both by Allnex and Posco Daewoo, the court clearly saw Allnex as the “owner” of the transferred money and thus the crime victim. The court also appeared to point a finger of blame at Allnex, albeit subtly. The court’s opinion noted how the transfer of funds to the Wells Fargo accounts had not gone “smoothly,” stating that:

After Allnex wired the first payment of $140,800 to an account numbered 3xxxxxx378, the impostor emailed Allnex that there was a “mix-up/typo” and asked Allnex to wire the other payments to an account numbered 2xxxxxx238. [Citation omitted.] Less than a month later, the Daewoo impostor emailed Allnex to once again change the receiving bank account to one numbered 2xxxxxx346. [Id.] When this third account rejected two payments from Allnex, the impostor gave Allnex a fourth account numbered 2xxxxxx246. [Id.] Allnex then completed the payment by wiring money to this fourth account.

These sorts of complications are red flags for a potential phishing fraud, and one wonders whether the court, by reciting these facts, was acknowledging the issue. Here, the policy did not insure the negligence of third parties, which is what Posco Daewoo ultimately was asking its own insurer to cover.

This entry was posted in Uncategorized.

NAIC Passes Model Law for Insurers and Brokers on Cybersecurity


By Joshua Mooney and Laura Schmidt

On October 24, 2017, the National Association of Insurance Commissioners (NAIC) passed its Insurance Data Security Model Law, intended to serve as model legislation for states to enact in order to govern cybersecurity and data protection practices of insurers, insurance agents, and other licensed entities registered under state insurance laws (defined therein as Licensees).

The Model Law applies to “Licensees” that handle, process, store or transmit “Nonpublic Information.” (Insurers that are acting as an assuming insurer domiciled in another state or jurisdiction, and purchasing groups or risk retention groups that are licensed and chartered in another state, are not “Licensees.”) The definition of “Nonpublic Information” (NPI) is broader than that in state laws that typically focus on personally identifiable information (PII), and closely follows the meaning of “Nonpublic Information” under the New York Department of Financial Services’ (NYDFS) recently enacted Cybersecurity Regulations, 23 NYCRR § 500.00 et seq. (NYDFS cyber regulations). NPI under the Model Law includes:

  • business-related information of the Licensee that, if tampered with or disclosed, would have a material adverse impact on the Licensee’s business, operations or security;
  • information concerning a consumer that, because of an identifier in combination with certain data elements, can be used to identify the consumer; and
  • any information that is created by or derived from a health care provider or consumer that qualifies as protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA).

In fact, a quick glance at the law reveals that its drafters were influenced significantly by the NYDFS cyber regulations. Like the cyber regulations, the Model Law requires Licensees to develop an information security program based upon a security assessment, and to investigate and notify regulators of “Cybersecurity Events” the Licensee sustains. A drafting note in the law states that if a Licensee complies with the NYDFS cyber regulations, then the Licensee is deemed to comply with the requirements of the Model Law.

However, the Model Law also contains some noteworthy differences from the NYDFS cyber regulations regarding the establishment of an information security program and the requirements for investigating and providing notice of a Cybersecurity Event.

Establishing an Information Security Program

Like the NYDFS cyber regulations, the Model Law requires insurers to develop an information security program designed to protect NPI and the Licensee’s information systems. The Licensee’s information security program must be based upon a risk assessment that identifies reasonably foreseeable internal or external threats (including the security of NPI and Information Systems accessible to or held by Third-Party Service Providers); the likelihood and potential damage of these threats; and the sufficiency of policies, procedures, Information Systems and other safeguards to manage these threats. Assessments and evaluations of cybersecurity risk must be included in the Licensee’s enterprise risk management process, and the Licensee must remain informed of emerging threats and vulnerabilities. Licensees also are required to develop an incident response plan to address a Cybersecurity Event.

Consistent with the NYDFS cyber regulations, the Model Law expressly imposes responsibility upon the Licensee’s board of directors to oversee the Licensee’s management of cybersecurity risk. The board of directors must direct senior management to develop, implement and maintain the information security program, and must receive an annual report on the status of the entity’s information security program, including further assessments and third-party service provider arrangements. Gone are the days when cybersecurity was an IT or CIO problem. By expressly imposing responsibility upon the Licensee’s board of directors, the Model Law increases the directors’ and officers’ exposure should a cybersecurity incident occur. Like the NYDFS cyber regulations, the Model Law also requires the Licensee to certify in writing to the state commissioner every February 15 that its information security program complies with the law’s requirements. As under the cyber regulations, if there are areas, systems, or processes that need improvement or are noncompliant, the Licensee must address the issue and identify remedial efforts that are planned or underway to remedy such issues.

Despite similarities between the Model Law and the NYDFS cyber regulations for establishing an information security program, there also are some material differences. The Model Law allows the information security program to be “commensurate with the size and the complexity of the Licensee, the nature and scope of the Licensee’s activities (including the use of third-party vendors), and the sensitivity of the NPI in the Licensee’s possession, custody, or control[.]” This qualifier is more akin to information security requirements under HIPAA than the NYDFS cyber regulations.

The Model Law also requires the Licensees to implement a risk management program to mitigate identified risks, but the program may be custom-tailored to the size and complexity of the Licensee. The Model Law identifies several security measures that the Licensee may implement if it determines the measures are appropriate, including using effective controls for individual access to NPI, implementing audit trails within the program to detect cybersecurity events, and instituting measures to protect against the loss, destruction or damage to NPI due to environmental hazards.

Additionally, the Model Law provides that the Licensee’s information security program must include the oversight of third-party service providers. However, unlike the NYDFS cyber regulations, the Model Law does not expressly require a Licensee to develop policies and procedures for conducting due diligence and oversight over third-party service providers. Instead, Licensees need only exercise due diligence in selecting third-party service providers and require such providers to implement administrative, technical, and physical measures to protect and secure the Licensee’s NPI to which they have access or possession.

Investigation and Notification of a “Cybersecurity Event”

The Model Law requires Licensees to promptly investigate “Cybersecurity Events.” The Model Law is similar to the NYDFS cyber regulations in that it requires a Licensee to notify the state insurance commissioner no later than 72 hours from a determination that a Cybersecurity Event has occurred. However, there are material differences between the NYDFS cyber regulations and the Model Law in their notice requirements.

First, the criteria for triggering notice under the Model Law are broader. Notice under the Model Law is required if the insurer is domiciled in the state in which the Model Law was enacted; or if the Licensee reasonably believes that the NPI involved is that of 250 or more consumers residing in the state, and either: (a) the Licensee is required to provide notice of the Cybersecurity Event to any government body, self-regulatory agency or any other supervisory body pursuant to any state or federal law; or (b) there is a “reasonable likelihood” of the Cybersecurity Event materially harming: (i) any Consumer residing in the state; or (ii) any material part of the normal operations of the Licensee. Under the NYDFS cyber regulations, notice is required only if the Cybersecurity Event requires notice to any government body, self-regulatory agency or any other supervisory body; or if the Cybersecurity Event has a “reasonable likelihood” of materially harming any Covered Entity’s normal operations.

Second, the Model Law has a narrower definition of “Cybersecurity Event.” Whereas under the NYDFS cyber regulations a “Cybersecurity Event” “means any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System,” the Model Law defines the term as “an event resulting in unauthorized access to, disruption or misuse of, an Information System or information stored on such Information System” (emphasis added). Under the Model Law, a Licensee also must conduct an investigation if it learns that a Cybersecurity Event occurred or may have occurred in a system maintained by one of its third-party vendors.

Any investigation must be geared toward determining: (1) whether a Cybersecurity Event occurred; (2) the nature and scope of the event; (3) the NPI implicated or compromised; and (4) necessary measures to restore the security of the Licensee’s Information Systems.

Third and finally, the Model Law recognizes the unique business-to-business relationships that exist within the insurance industry by including different notification requirements for reinsurers to insurers and for insurers to producers of record.

Quick Takeaways

Regulators and lawmakers are identifying standards in cybersecurity that companies should be implementing to protect business operations and consumer information. The NAIC’s Model Law joins a growing group of laws and regulations instituted by New York, Connecticut, Massachusetts, Colorado, and Vermont that specifically require companies to institute cybersecurity programs, policies, and procedures. The Model Law has many similarities with the NYDFS cyber regulations, but there are some differences. Both regimes recognize that protecting critical business operations is just as important as protecting consumer information.

These laws and regulations will serve as a roadmap for plaintiffs and shareholders pursuing civil litigation against Licensees. The FTC also can be expected to look to these laws when determining whether a company engaged in “deceptive” or “unfair” practices. Companies that fail to implement these standards can expect enforcement, and perhaps significant fines. For some companies, a regulatory enforcement action piled on to the effects of a data breach or ransomware-type event can mean the difference between recovery and bankruptcy. Now is the time to act. Brokers and insurers should start preparing for cybersecurity compliance by conducting necessary risk assessments and building a solid information security program.

This entry was posted in Data Breach Insurance Coverage, Privacy Rights.