Author Archives: Joshua Mooney

No Coverage for Data Breach Where Insured Isn’t Accused of Publishing


In the lawsuit Innovak Int’l, Inc. v. Hanover Ins. Co., the federal court for the middle district of Florida recently held that an underlying data breach class action lawsuit did not implicate “personal and advertising injury” coverage because the insured was not the entity accused of publishing the compromised personal information (PI).

The decision is relevant for two reasons. First, the court rejected claims for cyber coverage under a CGL policy. Second, the decision follows a recent trend in litigation over Coverage B: if the insured is not the one accused of publishing the information at issue, there is no “personal and advertising injury” coverage. In other words, Coverage B does not apply to third-party publications, even if the insured is the entity ultimately sued. E.g., Steadfast Ins. Co. v. Tomei, 2016 Pa. Super. Unpub. LEXIS 1864, at *17 (Pa. Super. Ct. May 24, 2016); Zurich Am. Ins. Co. v. Sony Corp., No. 651982/2011 (N.Y. Sup. Ct. Feb. 21, 2014).

The facts in Innovak are straightforward. Innovak was sued in a putative class action following a data breach that compromised the underlying plaintiffs’ personal information. According to the lawsuit, Innovak “designs, develops, and sells accounting and payroll computer software systems to schools, school districts, and to other entities across the United States.” Id. at *3. The lawsuit alleged that “Innovak’s software and database provides up-to-date W2 and paystub information to end users, which is accessible remotely via an internet portal,” and that Innovak suffered the data breach “when hackers appropriated the personal private information (‘PPI’) stored on its software, database, and/or its portals … from numerous individuals in several different states whose PPI was stored and made accessible through Innovak’s internet portal.” Id. at *3-4. The suit was filed because of “Innovak’s alleged failure to protect adequately the Underlying Claimants’ PPI and to timely disclose the data breach to end users.” Id. at *4.

Innovak sought a defense under the “personal and advertising injury” coverage in its CGL policy. The policy defined “personal and advertising injury” in part as “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy.” Id. at *16. The carrier denied coverage and coverage litigation ensued.

The federal court, applying South Carolina law, held that the underlying lawsuit did not implicate Coverage B “personal and advertising injury” coverage because Innovak was not accused of publishing the PI in question. The court observed:

The Court notes that Innovak materially mischaracterizes the allegations of the Underlying Complaint. Nowhere in the Underlying Complaint do the Underlying Claimants contend that their PPI was “published,” whether by third party hackers or by Innovak. However, even if the Court views the alleged data breach as an alleged publication of the Underlying Claimants’ PPI, the Underlying Claimants do not allege that Innovak published their information.

Id. at *16. Citing the reasoning of the New York trial court in Zurich Am. Ins. Co. v. Sony Corp., the Florida court held that “the only plausible interpretation of Coverage B is that it requires the insured to be the publisher of the PPI.” Id. at *18. Allegations that the insured failed to protect PI adequately are not allegations of a publication, whether direct or indirect. Id.

What this case means. The insurance industry has attempted to shift coverage for liability for cyber risk from CGL policies to cybersecurity policies through promulgation of the Access Or Disclosure Of Confidential Or Personal Information And Data-related Liability Damages exclusion.

Thus, the real significance of this case is that it is yet another decision in which a court has limited Coverage B to claims in which the insured – and not a third party – committed the publication. This limitation reaches well beyond cybersecurity. It goes to an increasingly common theme in litigation where the insured is sued not for invading someone’s privacy, but for failing to prevent an invasion of privacy committed by a third party, whether through e-surveillance, vulnerabilities in the insured’s information security, or the actions of rogue employees.

This entry was posted in Data Breach Insurance Coverage, Privacy Rights.

Payee Denied Computer Fraud Coverage in Email Phishing Scams


Business Email Compromise (BEC) scams are becoming an increasing source of loss (think billions of dollars since 2013) to U.S. businesses, big and small. In Posco Daewoo Am. Corp. v. Allnex USA, Inc., 2017 U.S. Dist. LEXIS 180069 (D.N.J. Oct. 31, 2017), a payee whose invoices totaling $630,058 mistakenly were paid by a customer to a third party as a result of a phishing scam sought coverage for the loss under its own computer fraud coverage. A New Jersey federal district court held that no such coverage existed.

Posco Daewoo, which imported and exported chemicals, supplied its customer Allnex with a chemical product for which Allnex owed payment. In early 2016, an impostor posing as an employee of Posco Daewoo’s accounts receivable department sent emails to an employee of Allnex, instructing Allnex to wire payments to four separate Wells Fargo bank accounts. Id. at *2. Allnex, without confirming the authenticity of the email or the Wells Fargo bank accounts, wired three separate payments to the Wells Fargo accounts, totaling $630,058. Id. After the fraud was discovered, Allnex recovered $262,444 of the stolen $630,058. The remaining $367,613.46 was not recovered. Id. at *3. Posco Daewoo alleged that Allnex still owed it the remaining $367,613.46 to satisfy the original outstanding receivables. Allnex, on the other hand, contended that the unrecovered wire payments satisfied the balance it owed to Posco Daewoo. Id.

Posco Daewoo sought coverage for the lost funds under its “computer fraud” coverage in a crime policy. Id. The insurance policy insured Posco Daewoo for several types of loss resulting from criminal activity, including computer crime. The computer crime coverage read in part as follows:

1. Computer Fraud

The Company will pay the Insured for the Insured’s direct loss of, or direct loss from damage to, Money, Securities, and Other Property directly caused by Computer Fraud.

The Policy defined “Computer Fraud” to mean:

The use of any computer to fraudulently cause a transfer of Money, Securities, or Other Property from inside the Premises or Financial Institution Premises:

  1. to a person (other than a Messenger) outside the Premises or Financial Institution Premises; or

  2. to a place outside the Premises or Financial Institution Premises.

Id. at *4.

The policy also limited coverage to certain property, stating as follows:

5. Ownership of Property; Interests Covered

a. The property covered under this Crime Policy except as provided in 5.b. below is limited to a property:

  i. that the Insured owns or leases;

  ii. that the Insured holds for others:

    (a) on the Insured’s Premises or the Insured’s Financial Institution Premises; or

    (b) while in transit and in the care and custody of a Messenger; or

  iii. for which the Insured is legally liable, except for property located inside the Insured’s Client’s Premises or the Insured’s Client’s Financial Institution Premises:

Id. at *6. If the allegedly lost property did not fall within this provision, there would be no coverage.

Posco Daewoo argued that the phishing emails sent to Allnex constituted “The use of any computer to fraudulently cause a transfer of Money” to implicate the computer fraud coverage. The insurer, citing the Fifth Circuit decision in Apache Corp. v. Great American Ins. Co., argued that the use of a computer to send phishing emails was too incidental to satisfy the meaning of “computer fraud” or loss “directly” caused by “computer fraud.” Id. at *12-13.

The court, however, did not address either argument. Instead, it focused on the “Ownership of Property; Interests Covered” coverage limitation under the policy. Id. at *13.

Identifying subparagraph (i) of the provision – “that the Insured owns or leases” – as the only provision that could possibly apply, the court held that because Posco Daewoo did not own or lease the mis-wired money in question, it had no right under the “Ownership of Property; Interests Covered” provision to recover under the policy. The court looked to Black’s Law Dictionary to determine the “plain and ordinary” meaning of “own,” which defined the word to mean “[t]o rightfully have or possess as property; to have legal title to.” Id. at *14.

Because Posco Daewoo did not plead that it had owned the money that was mis-wired, and could not plead that it had owned the money, its coverage claims were subject to dismissal. The court explained:

Plaintiff has not plausibly pled sufficient facts for the Court to find that it rightfully had, possessed, or had legal title to the money Allnex transferred into the Wells Fargo accounts. Plaintiff’s strongest claim to owning that money stems from Allnex’s intention. The parties do not dispute that Allnex intended Plaintiff to receive the wired money as payment for a debt. [Citation omitted.] However, a party’s intention of transferring legal title does not equate to an actual transfer of legal title without more.

Id. at *15. Thus, the court concluded that before payment, Posco Daewoo did not own the wired money, but only “a receivable, or a right to payment, as well as a potential cause of action for payment if it was not made.” Id. at *16. “In other words, Daewoo did ‘own’ something of value, but it was not the cash in the Wells Fargo accounts.” Id.

What this case means. The court never addressed the meaning of “use of a computer” in the context of a phishing scam, a topic that is being debated among several courts around the country. (For what it is worth, I think Posco Daewoo would have lost this argument.) Instead, the court addressed a separate but equally meaningful issue: the limitation of insured interests for computer fraud coverage under a crime policy, as expressly provided for by the policy. Thus, this decision highlights another boundary for computer fraud coverage.

Although the loss caused by the mis-wired funds was felt both by Allnex and Posco Daewoo, the court clearly saw Allnex as the “owner” of the transferred money and thus the crime victim. The court also appeared to point a finger of blame at Allnex, albeit subtly. The court’s opinion noted how the transfer of funds to the Wells Fargo accounts had not gone “smoothly,” stating that:

After Allnex wired the first payment of $140,800 to an account numbered 3xxxxxx378, the impostor emailed Allnex that there was a “mix-up/typo” and asked Allnex to wire the other payments to an account numbered 2xxxxxx238. [Citation omitted.] Less than a month later, the Daewoo impostor emailed Allnex to once again change the receiving bank account to one numbered 2xxxxxx346. [Id.] When this third account rejected two payments from Allnex, the impostor gave Allnex a fourth account numbered 2xxxxxx246. [Id.] Allnex then completed the payment by wiring money to this fourth account.

These sorts of complications are red flags for a potential phishing fraud, and one wonders whether the court, by reciting these facts, was acknowledging the issue. Here, the policy did not insure the negligence of third parties, which is what Posco Daewoo ultimately was asking its own insurer to cover.

This entry was posted in Uncategorized.

NAIC Passes Model Law for Insurers and Brokers on Cybersecurity


By Joshua Mooney and Laura Schmidt

On October 24, 2017, the National Association of Insurance Commissioners (NAIC) passed its Insurance Data Security Model Law, intended to serve as model legislation for states to enact in order to govern cybersecurity and data protection practices of insurers, insurance agents, and other licensed entities registered under state insurance laws (defined therein as Licensees).

The Model Law applies to “Licensees” that handle, process, store or transmit “Nonpublic Information.” (Insurers that are acting as an assuming insurer domiciled in another state or jurisdiction, and purchasing groups or risk retention groups that are licensed and chartered in another state, are not “Licensees.”) The definition of “Nonpublic Information” (NPI) is broader than that of state laws that typically focus on personally identifiable information (PII), and closely follows the meaning of “Nonpublic Information” under the New York Department of Financial Services’ (NYDFS) recently enacted Cybersecurity Regulations, 23 NYCRR § 500.00 et seq. (NYDFS cyber regulations). NPI under the Model Law includes:

  • business-related information of the Licensee that, if tampered with or disclosed, would have a material adverse impact on the Licensee’s business, operations or security;
  • information concerning a consumer that, because of an identifier in combination with certain data elements, can be used to identify the consumer; and
  • any information that is created by or derived from a health care provider or consumer that qualifies as protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA).

In fact, a quick glance at the law reveals that its drafters were influenced significantly by the NYDFS cyber regulations. Like the cyber regulations, the Model Law requires Licensees to develop an information security program based upon a security assessment, and to investigate and notify regulators of “Cybersecurity Events” the Licensee sustains. A drafting note in the law states that if a Licensee complies with the NYDFS cyber regulations, then the Licensee is deemed to comply with the requirements of the Model Law.

However, the Model Law also contains some noteworthy differences from the NYDFS cyber regulations regarding the establishment of an information security program and the requirements for investigating and providing notice of a Cybersecurity Event.

Establishing an Information Security Program

Like the NYDFS cyber regulations, the Model Law requires insurers to develop an information security program designed to protect NPI and the Licensee’s information systems. The Licensee’s information security program must be based upon a risk assessment that identifies reasonably foreseeable internal or external threats (including the security of NPI and Information Systems accessible to or held by Third-Party Service Providers); the likelihood and potential damage of these threats; and the sufficiency of policies, procedures, Information Systems and other safeguards to manage these threats. Assessments and evaluations of cybersecurity risk must be included in the Licensee’s enterprise risk management process, and the Licensee must remain informed of emerging threats and vulnerabilities. Licensees also are required to develop an incident response plan to address a Cybersecurity Event.

Consistent with the NYDFS cyber regulations, the Model Law expressly imposes responsibility upon the Licensee’s board of directors to oversee the Licensee’s management of cybersecurity risk. The board of directors must direct senior management to develop, implement and maintain the information security program, and must receive an annual report on the status of the entity’s information security program, including further assessments and third-party service provider arrangements. Gone are the days when cybersecurity was an IT or CIO problem. By expressly imposing responsibility upon the Licensee’s board of directors, the Model Law increases the directors’ and officers’ exposure should a cybersecurity incident occur. Like the NYDFS cyber regulations, the Model Law also requires the Licensee to certify in writing to the state commissioner every February 15 that its information security program complies with the law’s requirements. As under the cyber regulations, if there are areas, systems, or processes that need improvement or are noncompliant, the Licensee must address the issue and identify remedial efforts that are planned or underway to remedy such issues.

Despite similarities between the Model Law and the NYDFS cyber regulations for establishing an information security program, there also are some material differences. The Model Law allows the information security program to be “commensurate with the size and the complexity of the Licensee, the nature and scope of the Licensee’s activities (including the use of third-party vendors), and the sensitivity of the NPI in the Licensee’s possession, custody, or control[.]” This qualifier is more akin to information security requirements under HIPAA than the NYDFS cyber regulations.

The Model Law also requires Licensees to implement a risk management program to mitigate identified risks, but the program may be custom-tailored to the size and complexity of the Licensee. The Model Law identifies several security measures that the Licensee may implement if it determines the measures are appropriate, including using effective controls for individual access to NPI, implementing audit trails within the program to detect cybersecurity events, and instituting measures to protect against the loss, destruction or damage of NPI due to environmental hazards.

Additionally, the Model Law provides that the Licensee’s information security program must include the oversight of third-party service providers. However, unlike the NYDFS cyber regulations, the Model Law does not expressly require a Licensee to develop policies and procedures for conducting due diligence and oversight over third-party service providers. Instead, Licensees only must exercise due diligence in selecting third-party service providers and require such providers to implement administrative, technical, and physical measures to protect and secure the Licensee’s NPI to which they have access or possession.

Investigation and Notification of a “Cybersecurity Event”

The Model Law requires Licensees to promptly investigate “Cybersecurity Events.” The Model Law is similar to the NYDFS cyber regulations in that it requires a Licensee to notify the state insurance commissioner no later than 72 hours from a determination that a Cybersecurity Event has occurred. However, there are material differences between the NYDFS cyber regulations and the Model Law in their notice requirements.

First, the criteria for triggering notice under the Model Law are broader. Notice under the Model Law is required if the insurer is domiciled in the state in which the Model Law was enacted; or if the Licensee reasonably believes that the NPI involved is that of 250 or more consumers residing in the state, and either: (a) the Licensee is required to provide notice of the Cybersecurity Event to any government body, self-regulatory agency or any other supervisory body pursuant to any state or federal law; or (b) there is a “reasonable likelihood” of the Cybersecurity Event materially harming: (i) any Consumer residing in the state; or (ii) any material part of the normal operations of the Licensee. Under the NYDFS cyber regulations, notice is required only if the Cybersecurity Event requires notice to any government body, self-regulatory agency or any other supervisory body; or if the Cybersecurity Event has a “reasonable likelihood” of materially harming any Covered Entity’s normal operations.

Second, the Model Law has a narrower definition of “Cybersecurity Event.” Whereas the NYDFS cyber regulations define a “Cybersecurity Event” as “any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System,” the Model Law defines the term as “an event resulting in unauthorized access to, disruption or misuse of, an Information System or information stored on such Information System” (emphasis added). Under the Model Law, a Licensee also must conduct an investigation if it learns that a Cybersecurity Event occurred or may have occurred in a system maintained by one of its third-party vendors.

Any investigation must be geared toward determining: (1) whether a Cybersecurity Event occurred; (2) the nature and scope of the event; (3) the NPI implicated or compromised; and (4) necessary measures to restore the security of the Licensee’s Information Systems.

Third and finally, the Model Law recognizes the unique business-to-business relationships that exist within the insurance industry by including different notification requirements for reinsurers to insurers and for insurers to producers of record.

Quick Takeaways

Regulators and lawmakers are identifying cybersecurity standards that companies should be implementing to protect business operations and consumer information. The NAIC’s Model Law joins a growing group of laws and regulations instituted by New York, Connecticut, Massachusetts, Colorado, and Vermont that specifically require companies to institute cybersecurity programs, policies, and procedures. The Model Law has many similarities with the NYDFS cyber regulations, but there are some differences. Both regimes recognize that protecting critical business operations is just as important as protecting consumer information.

These laws and regulations will serve as a roadmap for plaintiffs and shareholders pursuing civil litigation against Licensees. The FTC also can be expected to look to these laws when determining whether a company engaged in “deceptive” or “unfair” practices. Companies that fail to implement these standards can expect enforcement, and perhaps significant fines. For some companies, a regulatory enforcement action piled on to the effects of a data breach or ransomware-type event can mean the difference between recovery and bankruptcy. Now is the time to act. Brokers and insurers should start preparing for cybersecurity compliance by conducting necessary risk assessments and building a solid information security program.

This entry was posted in Data Breach Insurance Coverage, Privacy Rights.

Court Holds No Insurance Coverage for Phishing Scam


Yesterday, a federal court held that a company’s financial losses from mis-wiring funds as a result of a phishing scam were not covered under a computer crime insurance policy. The decision, American Tooling Ctr. v. Travelers Cas. & Sur. Co. of Am., No. 16-12108 (E.D. Mich. Aug. 1, 2017), is another case in which financial losses resulting from a phishing scam were held to be unrecoverable under insurance.

In that case, the insured, American Tooling Center (“ATC”), was a tool and die manufacturer that outsourced some of its work to other die manufacturing companies overseas, including a vendor called Shanghai YiFeng Automotive Die Manufacture Co., Ltd. (“YiFeng”). As part of its normal business practice, ATC issued purchase orders to YiFeng, which in turn manufactured the requested dies. ATC paid YiFeng in stages based upon completion of certain milestones. To receive payment, YiFeng submitted its invoices to ATC by email. Once ATC verified that the milestone had been met, it wired the appropriate payment to YiFeng. Id. at 2.

In March 2015, ATC’s Vice President/Treasurer emailed his contact at YiFeng, requesting copies of all outstanding invoices. In response, the ATC officer received an email purportedly from YiFeng, but which really was a spoofed email from a third party. (The third party made the email appear to be from YiFeng by using the domain “yifeng-rnould”, not the correct domain “”.) Id. The third party, pretending to be from YiFeng, instructed ATC to send payments for several legitimate outstanding invoices to a new bank account. Without verifying these new instructions, ATC wire transferred approximately $800,000 to a bank account that was not controlled by YiFeng. When the fraud was detected, the money was gone. Id. at 3.

ATC sought recovery under its computer crime policy. The policy provided that “The Company will pay the Insured for the Insured’s direct loss of, or direct loss from damage to, Money, Securities and Other Property directly caused by Computer Fraud.” The policy defined “Computer Fraud” as:

The use of any computer to fraudulently cause a transfer of Money, Securities or Other Property from inside the Premises or Financial Institution Premises:

  1. to a person (other than a Messenger) outside the Premises or Financial Institution Premises; or

  2. to a place outside the Premises or Financial Institution Premises.

Id. at 3. The carrier argued that coverage did not exist because there was no “direct loss” that was “directly caused by the use of a computer,” as required by the policy. Id.

Noting that the Sixth Circuit, applying Michigan law, previously had held that the term “direct” means “immediate” and without intervening acts, the American Tooling court concluded that there was no direct loss directly caused by a computer to implicate coverage. Simply put: there were too many intervening acts between the phishing email and the transfer of money to satisfy the insuring language of the policy. Id. at 5 (citing Manufacturing & Technologies Ass’n v. Hartford Fire Ins. Co., 693 F.3d 665, 673 (6th Cir. 2012)). The court stated that the “intervening events between ATC’s receipt of the fraudulent emails and the transfer of funds (ATC verified production milestones, authorized the transfers, and initiated the transfers without verifying bank account information) preclude a finding of ‘direct’ loss ‘directly caused’ by the use of any computer.” Id.

Agreeing with the reasoning of the Fifth Circuit in Apache Corp. v. Great American Ins. Co., 662 Fed. App’x 252 (5th Cir. 2016) (written about in The Coverage Inkwell in October 2016), the American Tooling court stated that “the mere sending/receipt of fraudulent emails did not constitute ‘the use of any computer to fraudulently cause a transfer.’” Id. at 6. The court explained:

Although fraudulent emails were used to impersonate a vendor and dupe ATC into making a transfer of funds, such emails do not constitute the “use of any computer to fraudulently cause a transfer.” There was no infiltration or “hacking” of ATC’s computer system. The emails themselves did not directly cause the transfer of funds; rather, ATC authorized the transfer based upon the information received in the emails.

Further, because of the widespread use of computers as a means of communication, the court, like the Fifth and Ninth Circuits, feared that allowing the email to implicate coverage for computer fraud would transform the “computer fraud” coverage into coverage for any fraud: “Because computers are used in almost every business transaction, reading this provision to cover all transfers that involve both a computer and fraud at some point in the transaction would convert this Crime Policy into a ‘General Fraud’ Policy.” Id. at 7 (quoting Apache and Pestmaster Servs., Inc. v. Travelers Cas. & Sur. Co. of Am., 656 Fed. App’x 332 (9th Cir. 2016)).

This case shows that to implicate computer fraud coverage, the computer must be a critical instrumentality of the fraud, and not merely incidental to it. The case also highlights the costs of phishing attacks. According to a May 4, 2017 FBI Bulletin, between October 2013 and December 2016, American businesses saw losses from phishing scams approach $1.6 billion: $500 million every year, with dollar figures climbing sharply – up 2370% between January 2015 and December 2016. Companies must implement appropriate cybersecurity measures, including employee training, to prevent such loss. A small investment in appropriate cybersecurity processes today can save your company hundreds of thousands or millions of dollars tomorrow.
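The two decisions above (Posco Daewoo and American Tooling) turn on the same two warning signs: a sender domain that merely resembles the vendor’s real domain (the “rn” in “yifeng-rnould” standing in for “m”), and payment instructions that move money to a bank account other than the one on file, sometimes repeatedly. The following is an added illustration, not code from either opinion or from any insurer or vendor, of how an accounts-payable team could vet incoming payment instructions against its vendor master file before a wire is released. The vendor name, domains, account labels and amounts are constructed for the example, and the confusable-character table is a deliberately small heuristic, not an exhaustive list.

```python
"""Added example: vetting payment instructions for BEC red flags.
Not from the blog post or the cited cases; all vendor data below is constructed."""
from dataclasses import dataclass

# Coarse lookalike heuristic: character pairs commonly swapped in spoofed domains.
# Both the sender's domain and the known domains are normalised with the same
# table, so a real "m" and a spoofed "rn" compare equal.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "cl": "d"}


def normalize_domain(domain: str) -> str:
    """Lower-case the domain and collapse known confusable sequences."""
    d = domain.lower().strip()
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d


@dataclass(frozen=True)
class VendorRecord:
    name: str
    domains: frozenset   # domains the vendor is known to send from (exact match)
    account: str         # bank account on file, verified out-of-band


@dataclass(frozen=True)
class PaymentRequest:
    vendor_name: str
    sender_email: str
    account: str         # account the e-mail asks payment to go to
    amount: float


def vet_payment_request(req: PaymentRequest, vendors: dict) -> list:
    """Return the list of red flags for one request; an empty list means none."""
    vendor = vendors.get(req.vendor_name)
    if vendor is None:
        return ["vendor not on file"]
    flags = []
    sender_domain = req.sender_email.rsplit("@", 1)[-1].lower()
    if sender_domain not in vendor.domains:
        known = {normalize_domain(d) for d in vendor.domains}
        if normalize_domain(sender_domain) in known:
            flags.append("lookalike sender domain")      # the American Tooling pattern
        else:
            flags.append("sender domain not on file")
    if req.account != vendor.account:
        flags.append("bank account differs from account on file")  # the Posco Daewoo pattern
    return flags


def account_change_counts(requests: list) -> dict:
    """Number of distinct destination accounts requested per vendor in a batch.
    More than one for the same vendor mirrors the repeated 'mix-up/typo' changes."""
    seen = {}
    for r in requests:
        seen.setdefault(r.vendor_name, set()).add(r.account)
    return {v: len(a) for v, a in seen.items()}


# Constructed vendor master file and a constructed batch of incoming requests.
VENDORS = {
    "Example Mould Co.": VendorRecord(
        "Example Mould Co.", frozenset({"example-mould.test"}), "ACCT-ON-FILE-001"),
}
REQUESTS = [
    PaymentRequest("Example Mould Co.", "ap@example-mould.test", "ACCT-ON-FILE-001", 140000.0),
    PaymentRequest("Example Mould Co.", "ap@example-rnould.test", "ACCT-NEW-002", 250000.0),
    PaymentRequest("Example Mould Co.", "ap@example-rnould.test", "ACCT-NEW-003", 240000.0),
    PaymentRequest("Example Mould Co.", "ap@other-mail.test", "ACCT-ON-FILE-001", 5000.0),
]


def run_demo():
    """Vet every constructed request; returns (flags per request, account-change counts)."""
    results = [vet_payment_request(r, VENDORS) for r in REQUESTS]
    changes = account_change_counts(REQUESTS)
    return results, changes


if __name__ == "__main__":
    results, changes = run_demo()
    for req, flags in zip(REQUESTS, results):
        print(f"{req.sender_email:28} -> {req.account:18} {flags or 'OK'}")
    for vendor, n in changes.items():
        if n > 1:
            print(f"{vendor}: {n} distinct accounts requested; hold payment, verify by phone")
```

Any flagged request is held until the account details are confirmed through a channel the e-mail did not supply (for example, a phone number already in the vendor record), which is the verification step both courts noted the insureds skipped.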

This entry was posted in Data Breach Insurance Coverage.

PA Court: Employers Have No Duty To Protect Employee PI


In Dittman v. UPMC d/b/a The University of Pittsburgh Medical Center, 2017 PA Super. 8 (Jan. 12, 2017), the Superior Court of Pennsylvania held that an employer does not owe employees a duty to protect and safeguard personal and financial information from disclosure in a data breach resulting from an intrusion into its computer network. While Dittman represents an important decision in emerging case law that declines to impose upon employers a common-law duty to protect employee information, the decision has important limitations. Those limitations may be exploited in future employment litigation and further illustrate the need for companies to adequately review their cybersecurity protocols with the assistance of cyber counsel.

The facts of Dittman are straightforward. In 2014, University of Pittsburgh Medical Center (UPMC) suffered a data breach that compromised the personal and financial information of approximately 62,000 current and former employees. Dittman, slip op. at 1-2. The stolen information included employees’ names, birth dates, social security numbers, tax information, addresses, salaries, and bank information. The information later was used to file fraudulent tax returns to steal the tax refunds. Id. at 2. Soon after UPMC announced the breach, two separate class action lawsuits were filed against the company. One lawsuit was comprised of current and former UPMC employees who had been victimized by identity theft; the other lawsuit involved current and former UPMC employees who had not been victims of identity theft, and instead alleged that they were at an increased risk of identity theft as a result of the data breach. Id. at 3.

Both lawsuits claimed that UPMC improperly failed to keep plaintiffs’ information safe and prevent vulnerabilities in its computer system, including the failure to properly encrypt data, establish adequate firewalls, and implement adequate authentication protocols to protect the information on its network. Id. at 2-3. They asserted two causes of action, one based on negligence and a common-law duty to protect the information; the second in breach of contract. Id. The trial court dismissed both lawsuits on the grounds that no contract or implied contract existed between UPMC and its employees to support a breach of contract claim, and that no common-law duty existed under tort law to impose upon UPMC (or other employers) a duty to safeguard data of its employees. Id. at 4-5. In so holding, the court explicitly declined to create such a duty, deferring to the state legislature instead of what it saw as a request of the judiciary to overreach by creating a duty. Id. On appeal, the Superior Court of Pennsylvania affirmed. This article focuses upon the court’s declination to create a common-law duty.

Under Pennsylvania law, whether a duty of care exists between parties to support a claim in tort depends upon an evaluation of five factors, sometimes known as the Althaus test. Those factors are:

(1) the relationship between the parties;

(2) the social utility of the actor’s conduct;

(3) the nature of the risk imposed and foreseeability of the harm incurred;

(4) the consequences of imposing a duty upon the actor; and

(5) the overall public interest in the proposed solution.

Id. at 6 (citing Althaus ex. rel. Althaus v. Cohen, 756 A.2d 1166, 1169 (Pa. 2000)).

Courts impose a common law duty upon a party “where the balance of these factors weighs in favor of placing such a burden on a defendant.” Id. (quoting Phillips v. Cricket Lighters, 841 A.2d 1000, 1008 (Pa. 2003)). In Dittman, the court held that these factors did not support the imposition of a common-law duty upon UPMC.

The first factor, the relationship of the parties, weighed in favor of imposing a duty. An employer-employee relationship existed between the parties, and the court recognized that the law imposed other duties of the parties based on the existence of the relationship. Id. at 7. This was the only factor that the court found weighed in favor of a common-law duty.

Under the Althaus test, the second factor, the social utility of the actor’s conduct, is weighed against the third factor, the nature of the risk imposed and foreseeability of the harm incurred. Here, weighing both factors together, the court found that they did not support imposition of a common-law duty. Id. at 7. On the one hand, the court recognized the “obvious need [of employers] to collect and store personal information about their employees,” as well as the foreseeability of harm from data breaches, which are becoming more commonplace. Id. However, the fact that the data breach had been caused by a third-party hacker was dispositive of how these factors weighed. Under Pennsylvania law, the criminal acts of a third-party actor are a superseding cause. Id. (citing Ford v. Jeffries, 379 A.2d 111, 115 (Pa. 1977)). “It is well established that a defendant does not have a duty to guard against the criminal acts of superseding third-parties unless he realized, or should have realized, the likelihood of such a situation.” Id. at 7-8 (citation omitted); see also In re: The Home Depot, Inc. Customer Data Security Breach Litig., 2016 WL 2897520 (N.D. Ga. May 18, 2016) (independent duty to protect customer information where company knew of substantial security risks dating back several years). Here, because the data breach was caused by a third party, and because there was no indication that UPMC knew about a specific threat or security flaw in its computer network, the foreseeability of a data breach did not support imposition of a duty upon UPMC:

While a data breach (and its ensuing harm) is generally foreseeable, we do not believe that this possibility outweighs the social utility of electronically storing employee information . . . . Although breaches of electronically stored data are a potential risk, this generalized risk does not outweigh the social utility of maintaining electronically stored information. We note here that Appellants do not allege that UPMC encountered a specific threat of intrusion into its computer systems.

Id. at 8.

The court held that the fourth factor, which examines the consequences of imposing a common-law duty upon the defendant, also weighed against imposing a duty. The court reasoned that, given that data breaches are “widespread,” and that no “safe harbor” existed for the storage of confidential information, “[n]o judicially created duty of care is needed to incentivize companies to protect their confidential information.” Id. at 9. In other words, given the costs of responding to a data breach, the potential liability that already existed from regulatory and law enforcement actions and lawsuits, as well as the harm in the marketplace caused by data breaches, there was no need to motivate employers to protect their employees’ information. The court explained:

We find it unnecessary to require employers to incur potentially significant costs to increase security measures when there is no true way to prevent data breaches altogether. Employers strive to run their businesses efficiently and they have an incentive to protect employee information and prevent these types of occurrences. As the trial court correctly found, the fourth factor weighs in favor of not imposing a duty.

Id. at 9-10.

The Dittman court held that the fifth factor, which examines “the overall public interest” in imposing a duty, also weighed against creating one. Agreeing with the trial court, the appellate court stated that imposing a common-law duty on employers to safeguard employee information would greatly expend and strain limited judicial resources. Id. at 10. The court found that creating a unilateral, judicially imposed duty in lieu of the legislative branch also would overstep its authority. Id. Quoting the trial court, the court stated:

The General Assembly has considered and continues to consider the same issues that [Appellants] are requesting [the] court to consider under the Seebold/Althaus line of cases. The only duty that the General Assembly has chosen to impose as of today is notification of a data breach. It is not for the courts to alter the direction of the General Assembly because public policy is a matter for the Legislature.

Finally, the Dittman court held that plaintiffs’ negligence claim was barred by the economic loss doctrine; although, admittedly, the court’s decision rested upon its analysis of the Althaus test. Under the economic loss doctrine, “no cause of action exists for negligence that results solely in economic damages unaccompanied by physical injury or property damage.” Id. at 11. Under Bilt-Rite Contractors, Inc. v. The Architectural Studio, 866 A.2d 270, 274 (Pa. 2005), an exception to the economic loss doctrine exists where the economic harm was caused by a breach of a duty imposed by law. “Without a duty imposed by law or a legally recognized special relationship,” the economic loss doctrine bars recovery for purely economic losses. Id. at 10-11. Here, because the Althaus test weighed against imposing a duty upon UPMC to protect and safeguard its employees’ personal and financial information, and the court expressly declined to create such a duty, no exception to the economic loss doctrine existed to permit recovery. Id. at 12.

Despite the appellate court’s unwillingness to impose a common-law duty on employers to safeguard employee information, the citation in the majority opinion to the Home Depot data breach litigation may signal an important limit to that reluctance. See id. at 8 n.4 (citing In re Home Depot, Inc. Customer Data Security Breach Litig., 2016 U.S. Dist. LEXIS 65111 (N.D. Ga. May 18, 2016)).

In Home Depot, the Georgia federal court refused to dismiss a putative class action lawsuit brought by financial institutions where Home Depot allegedly had been warned repeatedly of its cybersecurity vulnerabilities and took no action to remedy them prior to the data breach at issue. Home Depot, 2016 U.S. Dist. LEXIS 65111 at *22-24. Those warnings included reports from IT of security concerns, third-party vendors warning about the company’s failure to encrypt customer data, an understaffed IT group, and prior data security incidents on its network. Id. at *22. The federal court held that, given the prior warnings Home Depot had received, a duty of care did exist to protect consumer information, thereby barring application of the economic loss doctrine. Id. at *29 (“A retailer’s actions and inactions, such as disabling security features and ignoring warning signs of a data breach, are sufficient to show that the retailer caused foreseeable harm to a plaintiff and therefore owed a duty in tort.”). The court reasoned that to hold otherwise would incentivize companies to “turn a blind eye” toward cyber risks and the protection of data:

The Court declines the Defendant’s invitation to hold that it had no legal duty to safeguard information even though it had warnings that its data security was inadequate and failed to heed them. To hold that no such duty existed would allow retailers to use outdated security measures and turn a blind eye to the ever-increasing risk of cyber attacks, leaving consumers with no recourse to recover damages even though the retailer was in a superior position to safeguard the public from such a risk.

Id. at *29-30.

In Dittman, the Pennsylvania appellate court specifically noted that there were no allegations of prior warning that might have shifted the level of UPMC’s duty of care. Dittman, slip op. at 8-9. Had UPMC received prior warning of vulnerabilities in its network that later were exploited, or if evidence suggested that UPMC had disregarded cyber risks and had ignored the issue, the Dittman court could have very well found an exception to the economic loss doctrine to permit the lawsuits to proceed. In fact, Justice Stabile in his concurring opinion made this sentiment clear, stating “[h]ad UPMC been on notice of factual or potential security breaches of its systems, or reasonably should have anticipated that the negligent handling of confidential information would have left it vulnerable to criminal activity, a different conclusion may have been reached under the factors of the Althaus test.” (Stabile, J., concurring, slip op. at 2.)

With this one observation by the appellate court, Pennsylvania companies can expect future lawsuits to plead accordingly. In addition, some of the cybersecurity measures UPMC allegedly failed to follow are steps called for in NIST’s voluntary Cybersecurity Framework. The expectation that companies follow this framework, as evidence of a reasonable standard of care, is increasing. Thus, the full effect of the Dittman decision may be more limited than first thought. The best way to mitigate loss from a cybersecurity event is to prepare for one. Such precautions also may be the best defense for an employer seeking refuge under Dittman in claims brought by its employees.


TCPA Claims Excluded by “Unsolicited Communications” Endorsement


Yesterday, the Missouri federal court in Travelers Indem. Co. v. Max Margulis & Surrey Vacation Resorts, 2016 U.S. Dist. LEXIS 173420 (E.D. Mo. Dec. 15, 2016), held that coverage for an underlying Telephone Consumer Protection Act (“TCPA”) lawsuit for “robo” calls to cell phones was prohibited by the “unsolicited communications” endorsement.  Because this endorsement is being used more often, and because it does not receive as much fanfare as its sister-exclusion for “Distribution of Material,” I decided to write about it here in The Coverage Inkwell.

The insured, Surrey Vacation Resorts, Inc., d/b/a Grand Crowne Resorts (“Surrey”), was sued by Max Margulis for an allegedly unsolicited June 18, 2013 call to his cell phone, made through use of an automated telephone dialing system and without his prior consent. Id. at *1. Plaintiff filed suit under the TCPA, alleging that he “incurred ‘damages’ due to receipt of one telephone call from Surrey on June 18, 2013, which he did not specifically request to receive.” Id. at *6. The TCPA makes it unlawful “to make any call (other than a call made for emergency purposes or made with the prior express consent of the called party) using any automatic telephone dialing system…to any telephone number assigned to a paging service, cellular telephone service, specialized mobile radio service, or other radio common carrier service, or any service for which the called party is charged for the call….” Id. at *8. Travelers defended the insured under a reservation of rights and commenced coverage litigation. Id. at *1.

In the coverage action, the United States District Court for the Eastern District of Missouri determined that Travelers had no duty to defend. First, it noted that many of the policies at issue had incepted and expired prior to the June 18, 2013 call, and therefore – as a matter of law – there could be no coverage under them. Id. at *6. (You would think this conclusion is a no-brainer, but you’d be surprised what some policyholders argue.)

Next, the court further held that there was no coverage under an “unsolicited communications” endorsement, which prohibited coverage for “injury or damage arising out of any actual or alleged violation of any law restricting or prohibiting the sending, transmitting, or distribution of ‘unsolicited communication’.”  Id. at *6.  The policies defined “unsolicited communications” as “any form of communication, including but not limited to facsimile, electronic mail, posted mail or telephone, in which the recipient has not specifically requested the communication.”  Id. at *6-7.  The court held that the underlying lawsuit fell squarely within the exclusion: because the TCPA prohibits unsolicited “robo” calls without prior consent, the statute “restricts or prohibits the sending, transmitting or distributing of ‘unsolicited communication’ as the phrase appears in the ‘Unsolicited Communications’ Endorsements.”  Id. at *8.

What this case means: This is a straightforward case. What I found interesting is that the decision highlighted and discussed, albeit without much analysis, the unsolicited communications exclusion, an exclusion that may be added to a policy by endorsement to preclude coverage for the bombardment of unsolicited communications we receive by fax, email, cell phone, and landline every day.



In Apache Corp. v. Great American Ins. Co., 2016 U.S. App. LEXIS 18748 (5th Cir. Oct. 18, 2016), the United States Court of Appeals for the Fifth Circuit held that loss from a phishing scam, which led to misdirected payments in the amount of $7 million, was not covered under a policy’s computer fraud coverage.  Although the fraudulent scheme was initiated through emails, the court held that the emails were too incidental to classify the insured’s subsequent loss as one “resulting directly from the use of any computer to fraudulently cause a transfer of that property.”

The facts of the case are straightforward and serve as a good illustration of why double verification practices should be followed by every company as a preventive measure against cyber fraud. In the case, the insured, Apache Corporation, was an oil-production company. An employee in Scotland received a telephone call from a person identifying herself as a representative of Petrofac, an Apache vendor. The caller instructed Apache to change the bank-account information for payments Apache made to Petrofac. The Apache employee replied that the change-request could not be processed without a formal request on Petrofac letterhead. Id. at *2.

A week later, Apache’s accounts-payable department received an email from a “” address. (Petrofac’s real email domain name was “”.) The fraudulent email sent from the “” address advised Apache that Petrofac’s “accounts details have now been changed”; and “[t]he new account takes . . . immediate effect and all future payments must now be made into this account.” Attached to the email was a signed letter on Petrofac letterhead providing both Petrofac’s old-bank-account information and the new-bank-account information, along with instructions to use the new account immediately. Id. at *2-3. Apache took the bait. In response to the email and attached letter, an Apache employee called the telephone number provided on the letter to verify the request and concluded that the change-request was authentic. Id. at *3. A different Apache employee approved and implemented the change-request, and a week later, Apache began transferring funds for payment of Petrofac’s invoices to the new bank account. Id. Uh oh.

Within one month, Apache received notification from Petrofac that it had not received over £4.3 million (approximately $7 million) due from outstanding invoices (and which Apache had transferred to the new (fraudulent) account).  Apache soon discovered it had fallen victim to a fraudulent scheme and was able to recoup all but $2.4 million of the payments previously made.  Id.

Apache submitted a claim under its “Computer Fraud” coverage, which provided that:

We will pay for loss of, and loss from damage to, money, securities and other property resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the premises or banking premises:

  1. to a person (other than a messenger) outside those premises; or

  2. to a place outside those premises.

Id. at *3-4 (emphasis added).  The insurer denied coverage, concluding that Apache’s “loss did not result directly from the use of a computer nor did the use of a computer cause the transfer of funds.”  Id.

Coverage litigation ensued. The insurer argued that Apache’s loss “was not a covered occurrence because: the email did not ‘cause a transfer’”; and that coverage under the computer fraud provision was “‘unambiguously limited’ to losses from ‘hacking and other incidents of unauthorized computer use’.” Id. at *6. Apache, on the other hand, argued that the computer fraud provision was ambiguous; because the provision says nothing about “hacking,” Apache need only show that “any computer was used to fraudulently cause the transfer of funds.” Id. The parties cross-moved for summary judgment. The trial court granted judgment in favor of Apache, concluding that “the intervening steps of the [post-email] confirmation phone call and supervisory approval do not rise to the level of negating the email [and computer] as being a ‘substantial factor’” of the loss to implicate coverage. The Fifth Circuit reversed.

On appeal, the insurer argued that the fraudulent transfer of funds resulted from events other than the email, including the initial phone call and steps Apache took (and did not take) to authenticate the request.

GAIC maintains the transfer of funds to the fraudulent bank account resulted from other events: before the email, the telephone call directing Apache to change the account information; and, after the email, the telephone call by Apache to the criminals to confirm the change-request, followed by the Apache supervisor’s review and approval of the emailed request, Petrofac’s submission of invoices, the review and approval of them by Apache employees, and Apache’s authorized and intentional transfer of funds, even though to the fraudulent bank account.

Id. at *8.  As a result of all of these actions, the insurer argued that Apache’s loss did not “result[] directly from the use of any computer to fraudulently cause a transfer of that property.”

The Fifth Circuit agreed, concluding that although the fraudulent email sent to Apache “was part of the scheme” to defraud Apache, it was “merely incidental to the occurrence of the authorized transfer of money.”  Id. at *16.  The court explained:

Here, the “computer use” was an email with instructions to change a vendor’s payment information and make “all future payments” to it; the email, with the letter on Petrofac letterhead as an attachment, followed the initial telephone call from the criminals and was sent in response to Apache’s directive to send the request on the vendor’s letterhead. Once the email was received, an Apache employee called the telephone number provided on the fraudulent letterhead in the attachment to the email, instead of, for example, calling an independently-provided telephone contact for the vendor, such as the pre-existing contact information Apache would have used in past communications. Doubtless, had the confirmation call been properly directed, or had Apache performed a more thorough investigation, it would never have changed the vendor-payment account information.  Moreover, Apache changed the account information, and the transfers of money to the fraudulent account were initiated by Apache to pay legitimate invoices.

Id. at *15-16.

Given the wide use of computers as a means of communication, the court feared that to allow the email to implicate coverage for computer fraud would transform the “computer fraud” coverage into coverage for any fraud:

The email was part of the scheme; but, the email was merely incidental to the occurrence of the authorized transfer of money. To interpret the computer-fraud provision as reaching any fraudulent scheme in which an email communication was part of the process would, as stated in Pestmaster II, convert the computer-fraud provision to one for general fraud. . . . We take judicial notice that, when the policy was issued in 2012, electronic communications were, as they are now, ubiquitous, and even the line between “computer” and “telephone” was already blurred. In short, few – if any – fraudulent schemes would not involve some form of computer-facilitated communication.

Id. at *16-17 (emphasis added).

In addition, the court observed that Apache’s failure to properly investigate the fraudulent change-request also took Apache’s loss outside of the scope of the computer fraud’s insuring agreement:

No doubt, the better, safer procedure was to require the change-request to be made on letterhead, especially for future payment of Petrofac’s very large invoices. But the request must still be investigated properly to verify it is legitimate. In any event, based on the evidence in the summary-judgment record, Apache followed-up on the request in the email and its attachment. In other words, the authorized transfer was made to the fraudulent account only because, after receiving the email, Apache failed to investigate accurately the new, but fraudulent, information provided to it.

Id. at *18 (emphasis added).

The court further reasoned that the invoices themselves could be viewed as the direct cause of the transfer of funds, not the use of a computer.

Moreover, viewing the multi-step process in its simplest form, the transfers were made not because of fraudulent information, but because Apache elected to pay legitimate invoices. Regrettably, it sent the payments to the wrong bank account. Restated, the invoices, not the email, were the reason for the funds transfers.

Id.  In other words, the email was too remote to classify the fraudulent payments as being a direct result of the use of a computer.

What this case means: Here, the Fifth Circuit in essence rejected a syllogistic fallacy akin to “all tigers have stripes; all tigers are mammals; therefore, all mammals must have stripes.” The syllogism presented here was: Apache used a computer. Apache suffered a fraud. Therefore, the fraud was from Apache’s use of a computer. Coverage can’t work that way. Computers are a dominant presence in our lives. They are perhaps the primary means of communication. (Yes, our mobile phones are computers.) Does that mean that any fraud that can be linked to the use of a computer is computer fraud? No. Given the wide use of computers, the Fifth Circuit clearly feared that to allow the use of email to implicate coverage for computer fraud would transform “computer fraud” coverage into coverage for any fraud.

This case also provides another illustration of why companies need to purchase cyber coverage, and why companies need cyber counsel to help train employees and improve cybersecurity measures. Cyber risk is very broad. Purchasing computer fraud coverage doesn’t come close to covering many of the risks out there.



In Eighth Promotions v. Cincinnati Ins. Cos., 2016 Ohio App. LEXIS 4119 (Ohio Ct. App. Oct. 11, 2016), the Ohio appellate court held that a letter forwarded to the insured by a copyright holder requesting that the company conduct a self-audit into its alleged copyright violations constituted a demand for non-monetary relief and thus fell within a policy’s definition for “claim.”  The same court also held that the insured could not stretch the scope of the claim or subsequent settlement to circumvent the policy’s copyright infringement exclusion.

The insured, Eighth Promotions, manufactured and sold sports awards and business gifts.  The company’s Operating Agreement provided indemnification protection to its officers and directors, stating that the company would “indemnify and hold harmless” its officers and directors “[i]n any “threatened . . . claim, action or proceeding to which any officer or any [director] . . . is [a] party or is threatened to be made a party by reason of its or his activities on behalf of [Eighth Floor].”  Id. at *1-2.  The company purchased a D&O liability policy, which contained an insuring agreement covering “all ‘loss’ which the ‘company’ is required to pay as indemnification to the ‘individual insureds’ resulting from any ‘claim’ first made during the ‘policy period’ . . . for a ‘wrongful act’.”  Id. at *15-16.  The policy defined a “claim” in part as:

  1. A written demand for monetary damages or non-monetary relief; or

  2. A civil proceeding commenced by filing of a complaint or similar pleading[.]

Id.  “Loss” included “defense costs.”  Id. at *16.

The policy also had an intellectual property exclusion, but the exclusion did not apply to claims brought against “individual insureds,” such as the company’s officers or directors.  The exclusion stated that the insurer was not liable to pay, indemnify or defend any “claim”:

K. Based upon, arising out of, or in consequence of, or in any way involving actual or alleged infringement of copyright, patent, trademark, trade secret, service mark, trade name, or misappropriation of ideas or trade secrets or other intellectual property rights; provided, however, this exclusion shall not apply to any ‘claim’ against any ‘individual insureds’;

Id. at *17.

In May 2011, the insured received a letter from a trade group, the Business Software Alliance (BSA), investigating on behalf of its member companies “possible instances of illegal duplication of certain software.”  The letter contended that Eighth Promotions had installed on its computers more copies of software programs than it was licensed to use.  Id. at *1.  In lieu of litigation, BSA requested that the insured investigate and audit all of the software published by the BSA members on its computers, as well as the software licenses and proofs of purchase for those licenses, and share the results of its self-audit with BSA.  Id. at *3-4.  The insured tendered the letter to its insurer, which denied coverage on the ground that the letter did not constitute a “claim” because it was neither a “written demand for monetary damages or non-monetary relief” nor a “civil proceeding commenced by filing a complaint or similar pleading.”  Id. at *5.

The insured retained counsel and conducted an audit, revealing numerous instances of unauthorized software installations.  Id. at *6.  After sharing the results of the audit with BSA, BSA offered to settle the dispute under certain terms and conditions, including a payment of $179,393.  Id. at *8.  By entering the proposed settlement, BSA promised that its member clubs would “forego the filing any lawsuit against Eighth Floor and will release Eighth Floor from any liability related to past infringement of the copyrights in the software products listed below due to Eighth Floor’s use and/or installation of those products on Eighth Floor’s computers.”  Id. at *9.  The insured tendered the settlement offer to its insurance carrier, which denied coverage under the intellectual property exclusion.  Id. at *10.  The insured settled the dispute, obtaining a release for the company, as well as for its officers and directors.  Coverage litigation ensued.

The trial court in the coverage litigation granted the insurer summary judgment, holding that the initial “audit” letter did not constitute a claim and that the intellectual property exclusion barred coverage.  On appeal, the appellate court reversed in part.  Id. at *11.

The appellate court held that the May 2011 BSA letter, which inquired about instances of copyright infringement and offered to permit the insured to conduct a self-audit in lieu of litigation, constituted a “claim” to implicate coverage under the policy.  The court rejected the insurer’s characterization of the audit letter as giving “Eighth Floor an opportunity to conduct its own company-wide investigation to determine whether any copyright infringement had occurred.”  Id. at *18.  Instead, the court concluded that the letter provided the insured an opportunity to determine “the extent of Eighth Floor’s copyright violations—not whether Eighth Floor had committed copyright violations.”

The court next looked to the dictionary definitions for “demand,” “non-monetary” and “relief,” all used within the phrase “A written demand for monetary damages or non-monetary relief” to determine the meaning of “claim.”  The court attributed broad meanings to these terms, observing:

“Demand” is defined as “the assertion of a legal right or procedural right.”  Black’s Law Dictionary 522 (10th Ed.2014).

“Non” is defined as “not; no.” Id. at 1212. “Monetary” is defined as “of, relating to, or involving money.” Id. at 1158.

“Relief” is defined as “the redress or benefit, esp. equitable in nature (such as injunction or specific performance), that a party asks of a court.  Also termed remedy.” (Emphasis sic.)  Id. at 1482. “Remedy” is defined as “the means of enforcing a right or preventing or redressing a wrong; legal or equitable relief.” Id. at 1485.  [Internal brackets removed.]

Based on these broad meanings, the court held that the audit letter satisfied the definition for “claim.”  The court explained:

. . . [A]lthough the audit request gave Eighth Floor the “opportunity” to conduct a company-wide software audit, it implied that if Eighth Floor did not take up this “opportunity,” then the matter would proceed to litigation, where the BSA could have achieved the same result. The audit request also sought the preservation of evidence and stated that Willis should not attempt to purchase any software from sales representative of these companies until the matter was resolved.

These measures were the BSA’s “means of enforcing a right” and “preventing a wrong” within the plain and ordinary meaning of “remedy.” See Gold Tip, LLC v. Carolina Cas. Ins. Co., D. Utah No. 2:11-CV-00765-BSJ, 2012 WL 3638538, *4 (Aug. 23, 2012) (a written demand for non-monetary relief can encompass a letter that coerces conduct of the policyholder through the threat of using the legal process to compel that conduct.).

Id. at *22.

The court, however, held that the intellectual property exclusion prohibited coverage for the settlement.  Eighth Promotions argued that the exclusion’s exception for claims against “individual insureds” (meaning, the insured’s directors and officers) applied to trump the coverage denial.  Id. at *23.  To support its argument, Eighth Promotions relied upon the broad standard of interpreting pleadings for evaluating the duty to defend.  Under Ohio law (and the law of most jurisdictions), a duty to defend can be implicated where the allegations in a complaint support or allege an unpled claim that potentially is within the policy coverage.  Id. at *26.  Here, Eighth Promotions argued that although BSA’s demands were directed at the company, because the company’s officers and directors could be held vicariously liable for copyright infringement if BSA filed suit against the company, BSA’s demands contained a claim against the directors and officers that fell within the exception of the intellectual property exclusion.  Eighth Promotions argued:

Vicarious ‘liability for copyright infringement may be imposed upon an officer, directors, or shareholder so long as the individual ‘has the right and ability to supervise the infringing activity’ and also [2] has a direct financial interest in such activities. . . . As such, the Eighth Floor officers and directors were jointly and severally liable on [the] BSA’s claim. . . .

Had the matter not settled, the BSA would have named the officers and directors in its complaint because Eighth Floor was not solvent to the full extent of the potential damages. Because copyright infringement allows for joint and several liability, because the BSA was aware that Eighth Floor was closely held, and because the directors and officers constituted a viable source of recovery who necessarily shared equally in the liability, any lawyer drafting the complaint would be obligated to include the directors and officers as defendants.  [Internal brackets omitted.]

Id. at *25.  As further proof of the existence of a claim against Eighth Promotions’ officers and directors, the company also pointed to the release it had obtained for them.

The appellate court rejected the argument, stating that Ohio law did not support the proposition that “an insurer has a duty to defend an otherwise excluded ‘claim’ where the allegations in that ‘claim’ could potentially or arguably lead to another ‘claim’ which may be within the policy’s coverage.”  According to the court, the only “real” claim was made against the company:

The only real “claim” at issue here is the settlement offer which did not demand any monetary relief from Eighth Floor’s officers or directors or contain any language that could potentially or arguably be construed as a written demand for monetary (or non-monetary) relief against Eighth Floor’s officers and directors.

Id. at *27.  Nor could an insured use a release provision in a settlement agreement to bootstrap coverage by characterizing the release as a written demand for monetary or non-monetary relief:

It included a provision offering to release Eighth Floor’s officers and directors from liability if Eighth Floor complied with its demands, but this provision cannot potentially or arguably be construed as a written demand for monetary (or non-monetary) relief against Eighth Floor’s officers and directors.

Id.  The case was remanded to the trial court to determine whether the exclusion barred the insurer’s duty to defend for the audit letter.

What this case means:  This case serves as a reminder that for claims-made policies that define the meaning of “claim,” the definition “written demand for monetary damages or non-monetary relief” can have a very broad meaning.  Here, the court concluded that a self-audit committed by the insured pursuant to a claimant’s notice letter satisfied this definition.  At the same time, the court rejected the insured’s attempt to broaden the scope of a claim, or to bootstrap coverage through a broad release in a settlement (even if obtaining additional releases in such a settlement was customary).  In essence, the court concluded that an insured may not goldmine for unstated claims or causes of action to broaden the scope of a settlement agreement from the uncovered to the covered.

This entry was posted in Uncategorized.

Article III Standing in Data Breach Litigation and Problems Galaria Poses for Data Breach Responses


Last week, in Galaria v. Nationwide Mut. Ins. Co., 2016 U.S. App. LEXIS 16840 (6th Cir. Sept. 12, 2016), the United States Court of Appeals for the Sixth Circuit weighed in on the issue of Article III standing for data breach litigation and effectively lowered the threshold to establish standing.  The decision echoes sentiments expressed by the Seventh Circuit in Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016), and Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015).  The facts are straightforward, and the decision is part of an ongoing trend by courts to make it easier to allege injury and bring data breach litigation. This will drive up litigation. Yet, here is a bigger problem: the Sixth Circuit based its determination that standing existed to sue a breach victim on actions undertaken by the breach victim to mitigate damage and help consumers prevent the very harm that plaintiffs later sued over. Is the message of “darned if you do” one that courts want to establish? Can decisions like Galaria create an adverse impact on response efforts undertaken by breach victims? These are issues that a breach victim will have to wrestle with early on, and they provide one more reason why cyber counsel should be retained.

The facts of Galaria are straightforward. In that case, the breach victim, Nationwide, maintained records containing personal information of customers and potential customers, including names, dates of birth, marital statuses, employers, Social Security numbers, and driver’s license numbers. On October 3, 2012, hackers breached Nationwide’s computer network and stole the personal information of 1.1 million people. Id. at *3. In the underlying data breach litigation that followed, putative class actions alleged violation of the Fair Credit Reporting Act (“FCRA”) through Nationwide’s failure to adopt required procedures to protect against wrongful dissemination of plaintiffs’ data. Plaintiffs also alleged claims for negligence, and invasion of privacy by public disclosure of private facts – all based on Nationwide’s failure to secure Plaintiffs’ data.  Id. at *4.

In support of their claims, plaintiffs alleged that an illicit international market exists for stolen personal data. According to the complaints, Nationwide’s data breach created an “imminent, immediate and continuing increased risk” that plaintiffs would be subject to identity theft. They cited a study purporting to show that in 2011 recipients of data-breach notifications were 9.6 times more likely to experience identity fraud, and had a fraud incidence rate of 19%.  They also alleged that victims of identity theft “typically spend hundreds of hours in personal time and hundreds of dollars in personal funds,” incurring an average of $354 in out-of-pocket expenses and $1,513 in total economic loss.  Id. at *5.

The federal district court dismissed the lawsuits, concluding that plaintiffs lacked statutory standing for the FCRA claims and lacked Article III standing for the negligence and bailment claims. The court also concluded that while plaintiffs had standing for their invasion of privacy claims, such claims failed to allege a cognizable injury. Plaintiffs appealed the trial court’s order, except for the dismissal of the invasion of privacy claims.  Id. at *6-7. The Sixth Circuit reversed.

In order to bring a lawsuit, a plaintiff must have standing under Article III of the United States Constitution; “[t]he doctrine of standing gives meaning to these constitutional limits by ‘identify[ing] those disputes which are appropriately resolved through the judicial process.'” Id. at *8 (citation omitted). In Spokeo v. Robins, 136 S. Ct. 1540, 1547 (2016), the United States Supreme Court explained that “the ‘irreducible constitutional minimum’ of standing consists of three elements.” Those elements are that a plaintiff “must have (1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of a defendant, and (3) that is likely to be redressed by a favorable judicial decision.” Spokeo, 136 S. Ct. at 1547; Galaria, 2016 U.S. App. LEXIS 16840 at *8. A plaintiff must prove those elements.  Id. Focusing on the first two elements, the Sixth Circuit in Galaria concluded that plaintiffs met their burden of proof and established Article III standing at the pleading stage, enough to survive a motion to dismiss. As litigators know, that is half the battle.

The Galaria court explained that “[t]o establish injury in fact, a plaintiff must show that he or she suffered ‘an invasion of a legally protected interest’ that is ‘concrete and particularized’ and ‘actual or imminent, not conjectural or hypothetical.'” Galaria, 2016 U.S. App. LEXIS 16840 at *8 (quoting Spokeo, at 1548). Where a plaintiff seeks to establish standing based on an imminent injury, “that ‘threatened injury must be certainly impending to constitute injury in fact’”; “'[a]llegations of possible future injury’ are not sufficient.” Id. at *9 (quoting Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138, 1147 (2013)).

In the case before it, the Sixth Circuit concluded that plaintiffs’ allegations of increased risk of identity theft, coupled with “reasonably incurred mitigation costs,” established a concrete and particularized imminent injury for purposes of standing. Critically, the court based its decision on the fact that (1) there was proof that the plaintiffs’ information was in fact stolen, (2) hackers had targeted it, and (3) Nationwide had offered free credit monitoring services to help consumers mitigate their danger:

There is no need for speculation where Plaintiffs allege that their data has already been stolen and is now in the hands of ill-intentioned criminals.  Indeed, Nationwide seems to recognize the severity of the risk, given its offer to provide credit-monitoring and identity-theft protection for a full year. Where a data breach targets personal information, a reasonable inference can be drawn that the hackers will use the victims’ data for the fraudulent purposes alleged in Plaintiffs’ complaints. [Bold added.]

Id. at *9-10.

The fact that plaintiffs also could identify specific costs incurred by them from steps recommended by Nationwide in its data breach notification letter further supported the court’s finding that the underlying complaints alleged an imminent injury:

Although Nationwide offered to provide some of these services for a limited time, Plaintiffs allege that the risk is continuing, and that they have also incurred costs to obtain protections—namely, credit freezes—that Nationwide recommended but did not cover. This is not a case where Plaintiffs seek to “manufacture standing by incurring costs in anticipation of non-imminent harm.” [Citing Clapper, at 1155.]  Rather, these costs are a concrete injury suffered to mitigate an imminent harm, and satisfy the injury requirement of Article III standing.  [Bold added.]

Id. at *10-11.

Under the second element, the Sixth Circuit in Galaria held that the alleged harm was “fairly traceable” to Nationwide’s alleged conduct to satisfy Article III standing. Id. at *13. To satisfy the “fairly traceable” element, a plaintiff need not allege proximate causation. “Indirect” injury is sufficient.  Id. at *14. Here, the Galaria court held that plaintiffs had sufficiently alleged that their injuries were “fairly traceable” to Nationwide’s conduct, because Nationwide’s alleged negligence allowed the breach to happen:

Although hackers are the direct cause of Plaintiffs’ injuries, the hackers were able to access Plaintiffs’ data only because Nationwide allegedly failed to secure the sensitive personal information entrusted to its custody. In other words, but for Nationwide’s allegedly lax security, the hackers would not have been able to steal Plaintiffs’ data. These allegations meet the threshold for Article III traceability, which requires “more than speculative but less than but-for” causation.  [Bold added.]

Id. at *15.

Finally, the Sixth Circuit concluded that plaintiffs had statutory standing to bring their FCRA claims. Because plaintiffs had Article III standing to bring the lawsuit in general, they had standing to bring their FCRA claims, and there was no need to evaluate the causes of action alleged in the complaints themselves.  Id. at *17-18.

What does this case mean? This case goes beyond the lowering of the standing threshold.  It also demonstrates why a data breach victim needs a cyber law attorney to help navigate the inevitable legal minefield that will follow a data breach. For instance, when a company suffers a data breach, state notification statutes require those companies to notify persons whose information has been compromised. Many state laws actually will require that notification letters include information explaining to consumers what steps may be taken to mitigate or monitor against any potential harm. Connecticut law requires that credit monitoring services be offered.  Many companies offer credit monitoring services as an act of goodwill.

Yet, in Galaria, the Sixth Circuit used the content of a breach victim’s notification letter and offer of credit monitoring services to permit multiple lawsuits to proceed against it. Does that leave a breach victim with an untenable, Hobson’s choice: comply with state notification laws and get sued, or potentially violate those laws to avoid creating Article III standing for future class actions? Some may say so. These are issues that breach victims are going to need to address when first responding to a breach. It’s another reason to have cyber counsel involved as early as possible when a breach has occurred.

This entry was posted in Data Breach Insurance Coverage, Privacy Rights.


It’s hard to believe that we are less than two months away from Coverage College (September 22). If you have not signed up yet, please do by visiting White and Williams’ website. This year, I will be teaching a class on coverage issues in privacy and cyber liability litigation. It should be an exciting and fast-paced class. We’ll have a lot to talk about.  

Last Friday, in Ellicott City Cable, LLC v. AXIS Ins. Co., 2016 U.S. Dist. LEXIS 95819 (D. Md. July 22, 2016), the federal district court of Maryland rejected the contention that pirated digital television programming constituted “data” under a media policy. Even broad terms do not have boundless meanings. Terms must be read within the context of their use and the policy as a whole.

In the case, the insured, Ellicott City Cable (ECC), provided television, internet, and telephone services to residents of two separate residential communities, Taylor Village and Waverly Woods.  Id. at *3-4. To provide television service, ECC contracted to obtain satellite television programming from DirecTV, LLC through DirecTV agents Sky Cable, LLC (Sky Cable) and North American Cable Equipment (NACE). (ECC never contracted with DirecTV to provide internet or telephone services.) Id. at *4. Under the contract, ECC distributed the DirecTV programming through equipment and credentials provided by Sky Cable and NACE, and made monthly payments directly to DirecTV for access to its programming. Id.

ECC later terminated its contract with DirecTV. Thereafter, DirecTV commenced an action against ECC and Sky Cable asserting that defendants had “fraudulently” obtained, and assisted others to obtain, DirecTV’s satellite television programming and distributed the programming through unauthorized cable television systems.  Id. at *5.  DirecTV asserted that ECC, through Sky Cable, set up private cable systems to deliver programming to more units in the Taylor Village and Waverly Woods communities than permitted under the DirecTV contract. DirecTV also asserted that ECC created multiple dwelling unit accounts with DirecTV for both properties, but distributed the programming to occupants and residents outside the scope of those agreements, including by using wiring that traversed public rights of way.  Id.

ECC sought coverage from its media liability insurer, which had issued a media policy providing coverage for damages “as a result of an Occurrence in connection with Scheduled Media during the Policy Period that gives rise to a Claim . . . .”  Id. at *11.  Occurrence was defined in part as “the actual or alleged . . . publication, broadcast or other dissemination of Matter[.]”  Id. at *11, n.10. Matter was defined in part as “communicative or informational content regardless of the nature or form.”  Id.

The media policy had an exclusion that prohibited coverage for claims:

for or arising out of any actual or alleged . . . unauthorized access to, unauthorized use of, or unauthorized alteration of any computer or system, hardware, software, program, network, data, database, communication network or service, including the introduction of malicious code or virus by any person . . .

Id. at *11-12 (emphasis added).

The policy also had additional coverage under Endorsement 3 for claims “for or arising out of the failure to prevent a party from unauthorized access to, unauthorized use of, tampering with or introduction of a computer virus or malicious code into data or systems.” However, coverage under Endorsement 3 did not apply to claims for:

intentional unauthorized access to, unauthorized use of, tampering with or introduction of a computer virus or malicious code into data or systems by any Insured or person who would qualify as an Insured but for their acts being outside the scope of their duties as a partner, . . . except that this exclusion shall not apply to any Insured who did not commit, acquiesce or participate in the actions that gave rise to the Claim.

Id. at *12-13 (emphasis added). As later noted by the Ellicott City Cable Court in its opinion, both policy provisions apply to claims for or arising out of unauthorized access to “data,” with the coverage exception in Endorsement 3 adding the qualifier that the unauthorized access be “intentional.” Id. at *14.

The insurer contended that it had no duty to defend under the exclusion and the exception to coverage under Endorsement 3, contending that DirecTV’s lawsuit for the unauthorized distribution of television programming alleged unauthorized access to data. ECC disagreed, contending that television programming is not “data.”  The Ellicott City Cable Court agreed with the insured.

The court recognized that the term “data” is very broad, and this may have been the insurer’s hope when asserting the policy’s exclusions. Merriam’s Dictionary defines the word “data” as “facts or information used usually to calculate, analyze, or plan something” or “information that is produced or stored by a computer.” Id. at *15. However, the court found that the term was so broad as to be ambiguous. “Given the breadth of this definition [for data],” the court employed the construction canons of ejusdem generis and noscitur a sociis, which require a court, when determining the broad meaning of a word, to consider “the accompanying words so that . . . general and specific words, capable of analogous meaning, when associated together, take color from each other[.]”  Id. at *16. Based on these canons, the court concluded that the word “data” referred to computers, not television programming.

First, the court noted that DirecTV did not use the term “data” to describe the television programming that ECC had allegedly accessed without authorization.  Id. at *15.  The court then looked to the wording of the exclusions at issue, determining that the list of terms in the exclusions limited the meaning of the term “data” rather than expanded it.  The exclusion applied to unauthorized access of “any computer or system, hardware, software, program, network, data, database, communication network or service, including the introduction of malicious code or virus by any person . . . .”  Id. at *16.  The common denominator of these terms was the internet and computers, not television programming:

The common factor underlying all terms listed is their relation to the internet or digital matters in general.  Indeed, the inclusion of “introduction of malicious code or virus” speaks directly to a common risk associated with the internet (and computers). “Data,” in this context, thus appears to concern information related to the internet, and not television programming.

Id. at *17 (emphasis added).

The insurer argued that DirecTV’s programming did involve digital compression and encryption of its signal and thus fell within the umbrella of “digital matters.”  The court rejected the argument in part because DirecTV also provided analog signals.  Under the insurer’s contention, the policy would cover analog signals, but exclude digital signals, a result that the court would not endorse:

Yet, this argument ignores that DirecTV’s television programming takes both digital and analog forms. Under Axis’s reasoning, ECC would receive insurance coverage for unauthorized access to analog television programming, and not digital television programming. Neither Axis nor the Policies themselves present any persuasive argument in favor of such a distinction.

Id. at *16-17.

The court applied the same reasoning to the coverage exception for Endorsement 3, which employed “the same broad term accompanied by terms like ‘computer virus’ and ‘malicious code.’”  The court explained:

Similarly, the exclusion of Endorsement No. 3 applies to intentional unauthorized access of “data or systems[.]”  While this exclusion does not include all terms of the first exclusion, it employs the same broad term accompanied by terms like “computer virus” and “malicious code.” Even if the exclusion uses the disjunctive “or” in describing the excluded conduct, this use does not negate the inference that “data or systems” concern information related to the internet or computers generally.

Id. (internal citations omitted).

The court also looked to coverage provided elsewhere in the policy for piracy claims to conclude that the term “data” could not encompass media programming. The court observed that the policy covered claims “for or arising out of . . . any form of infringement of copyright, violation of Droit Moral, passing-off, plagiarism, Piracy or misappropriation of ideas,” defining “piracy” as “the wrongful use, reprinting or reproduction of copyrighted intellectual property.” Id. at *18.  According to the court, “piracy” described “precisely” DirecTV’s allegations against ECC and Sky Cable.  Thus, “[t]o interpret ‘data’ as including DirecTV’s television programming would effectively broaden the scope of the exclusion to eliminate any coverage for piracy.”  Id.  “Rather than create such a contradiction,” the court held it must construe the ambiguity of “data” against the insurer.  Id. at *18-19.

As a result, the court determined that DirecTV’s television programming is not “data” within the meaning of either exclusion.  Id. at *19.

What this case means:  Media policies and cybersecurity policies sometimes employ very broad terms that remain undefined in the policies themselves.  Examples of such terms can include “matter,” “network,” “systems,” “electronic,” and even “data.”  Ellicott City Cable is a good reminder that even broad terms do not have boundless meaning – both in terms of coverage grants and coverage exclusions. Terms must be read within the context of their use and the policy as a whole.
