Author Archives: Joshua Mooney

New York’s Highest Courts Says Coverage for Loss From “Fraudulent Entry” Into Computer System Limited to Hacking


This entry was posted by on .

A source of computer fraud is the rogue employee or authorized user whose abuses access into a network system for unlawful purposes.  Readers of The Coverage Inkwell will know that the Inkwell has addressed the meaning of unauthorized access in the context of cyber insurance for a few years.

In the context of the Computer Fraud and Abuse Act, 18 U.S.C. §1030, the United States Court of Appeals for the Ninth Circuit, in U.S. v. Nosal, 676 F.3d 854 (9th Cir. 2012), in essence limited the meaning “exceeds authorized access” to hackers, not inside corporate personnel accessing a computer network for unauthorized (i.e., illegal) purposes.  Yesterday, the New York Court of Appeals, in Universal American Corp. v. National Union Fire Ins. Co. of Pittsburgh, PA, 2015 N.Y. Slip Op. 05516, 2015 WL 3885816 (N.Y. June 25, 2015) held that the phrase “fraudulent entry” into a computer system was limited to instances of outside hackers, not fraudulent content submitted by authorized users. Read More

This entry was posted in Data Breach Insurance Coverage, Privacy Rights and tagged .

Pennsylvania Court Refuses to Impose New Duty on Employers to Protect PII From Data Breaches


This entry was posted by on .

A common allegation in cyber security data breach litigation is that the data breach victim breached its duty of care in failing to adequately protect  plaintiffs’ personal identification information (“PII”) from a data breach.  Very recently, the Pennsylvania Court of Common Pleas of Allegheny County in Dutton v. UPMC, No. GD-14-003285 (May 28, 2015), dismissed such a claim, refusing requests to create a new duty of care on an employer who suffered a data breach resulting in the compromise of its employees’ PII.  In so holding, the court reasoned that to create such a duty would place too heavy of a burden on corporate entities already incentivized to protect PII.  It also would inundate the judiciary with a flood of litigation.  The court instead looked to the state legislature to determine whether to impose this obligation.

In the case, the plaintiffs filed a putative class action of current and former The University of Pittsburgh Medical Center (“UPMC” )employees whose PII had been stolen from UPMC’s computer systems.  Plaintiffs’ alleged that UPMC owed a duty to protect their PII and had breached that duty under theories of negligence and breach of contract.  Dutton v. UPMC, No. GD-14-003285, slip op., at 1-2.  Duties allegedly owed by UPMC included: Read More

This entry was posted in Data Breach Insurance Coverage, Privacy Rights and tagged , .

In IBM Data Breach Case, There Can Be No Publication Without Access


This entry was posted by on .

In Recall Total Info. Management, Inc. v. Federal Ins. Co., No. SC 19291, the Connecticut Supreme Court upheld the appellate court’s decision that a data breach suffered by IBM was not covered under general liability policies’ “personal and advertising injury” coverage.

In that case, Recall Total had contracted with IBM to transport off-site and store computer tapes containing the encrypted personal information of current and former IBM employees.  Recall then subcontracted the transportation services to Ex Log.  Ex Log lost the computer tapes when they fell from Ex Log’s truck onto the roadside and were retrieved by an unknown individual.  Importantly, there was no evidence that anyone ever accessed the information on the tapes or that their loss caused injury to any IBM employee.  Nevertheless, IBM spent significant sums of money providing identity theft services and complying with state notification requirements.  IBM sought to recoup its losses from Recall Total and Ex Log. Read More

This entry was posted in Data Breach Insurance Coverage, Privacy Rights.

Even in the Cyber World, Intentional Misconduct Is Not Negligence


This entry was posted by on .

Yesterday, Travelers Prop. Cas. Co. of Amer. v. Federal Recovery Services, Inc., No. 14-170 (D. Utah) determined that no coverage existed under a Technology Errors and Omissions Liability Form found in a cyber insurance policy after the insured data processer had failed to return valuable personal identification information it held on behalf of the information’s owner.  This case is going to get a lot of attention simply because it is the first published decision involving a cyber insurance policy form.  What it shows is that, even in the cyber world, intentional misconduct is not negligence.

The facts of the case are straightforward.  The underlying plaintiff, Global Fitness, owned and operated fitness centers in several states.  As part of its operations, Global Fitness had numerous members who would provide credit card or bank account information through which Global Fitness could bill them (“Member Accounts Data.”).  (Slip. op. at 3.)  Defendants were engaged in the business of providing processing, storage, transmission, and other handling of electronic data for customers.  (Id. at 1.)  Global Fitness entered into a contract with Defendants to process the Member Accounts and transfer the members’ fees to Global Fitness.  (Id. at 3.) Read More

This entry was posted in Uncategorized.

Sony Data Breach Coverage Litigation Settles


This entry was posted by on .

As reported in news outlets, including Law360, Sony and its insurers have settled their data breach coverage litigation, two months after the New York appellate division heard oral argument.

Sony had sought coverage for numerous data breach class action lawsuits filed against it following the 2011 data breach into its PlayStation network.  Its general liability policies provided personal and advertising injury coverage for oral or written publication, in any manner, of material that violates a person’s right to privacy.  The trial court held that the insurers had no duty to defend because coverage applied only for violations of privacy committed by Sony, as the policyholder, and not by third parties who hacked into Sony’s network and stole personally identifiable information (“PII”). Read More

This entry was posted in Data Breach Insurance Coverage, Privacy Rights and tagged , .

Another Data Breach Class Action Dismissed for Lack of Injury


This entry was posted by on .

On the heels of the Target settlement, another security data breach class action has been dismissed for lack of standing under Article III.  In the lawsuit In re Horizon Healthcare Servs., Inc. Data Breach Litig., 2015 WL 1472483 (D.N.J. Mar. 31, 2015), a federal district court held that class plaintiffs alleged neither sufficient injury nor causation to establish standing.

In that case, an unknown thief stole from the company’s headquarters two password-protected laptop computers containing personal information of company members.  Id. at *1.  The company reported the theft to law enforcement the next day.  A month later, it notified potentially affected members of the theft by letter and press release.  Id.  In its notification, the company informed members that “[d]ue to the way the stolen laptops were configured, we are not certain that all of the member information contained on the laptops is accessible.”  It also offered credit-monitoring protection.  Id. Read More

This entry was posted in Uncategorized and tagged .

Two Recent TCPA Cases: A Look at How They Can Affect Privacy Litigation


This entry was posted by on .

Last week saw two separate Telephone Consumer Protection Act (“TCPA”) decisions in which federal district courts, one for the Eastern District of Pennsylvania, the other for the Northern District of Illinois, held no coverage existed for underlying TCPA litigation.  The decisions’ results were not surprising, as TCPA coverage claims have been wilting like Wisconsin’s lead over Duke in last night’s final.  What is interesting in the cases, Auto-Owners Ins. Co. v. Stevens & Ricci, Inc., No. 12-7228, 2015 WL 1456085 (E.D. Pa. Mar. 31, 2015) and Addison Automatics, Inc. v. Hartford Cas. Ins. Co., No. 13-1922, slip op. (N.D. Ill. Mar. 31, 2015), is that the courts reached their decisions on different bases.  The reasoning behind each basis can apply to other privacy litigation.

In Stevens & Ricci, the insured was sued in a class action for faxing over 18,000 unsolicited fax advertisements in violation of the TCPA, 47 U.S.C. § 227.  The underlying litigation alleged, among other claims, that the unsolicited faxes violated the privacy rights of class members who received them.  Id. at *1.  The insured’s policy defined “personal injury” and “advertising injury” in part as “oral or written publication of material that violates a person’s right of privacy.”  Id. at *2-3. Read More

This entry was posted in Privacy Rights and tagged .

No Coverage for Cyber Comments Posted Under False Names


This entry was posted by on .

People post comments on the Internet.  Sometimes, people troll, and trolling can turn extreme when people use an Internet persona or a false identity, believing in the Internet’s anonymity.  Sometimes, comments on the Internet create legal liability.

In Sletten & Brettin v. Continental Cas. Co., slip op., No. 13-2918 (8th Cir., Mar. 19, 2015), a dental practice found out the hard way that defamatory comments made on the Internet can be traced, can create legal liability, and can be excluded from insurance. Read More

This entry was posted in Trade Libel and tagged , , .

March Madness: A Man’s Advertisement Is His Castle (Or Converting Coverage B Into IP Insurance)


This entry was posted by on .

Two and-a-half months into 2015, and we are having a different kind of march madness for Coverage B advertising injury decisions.  The latest is Mid-Continental Cas. Co. v. Kipp Flores Architects, LLC, — Fed. App’x –, 2015 WL 795822 (5th Cir. Feb. 26, 2015), where the United States Court of Appeals for the Fifth Circuit held that a house is an advertisement for purposes of the duty to indemnify under Coverage B.

The background facts for the case are straightforward and unremarkable.  Plaintiffs, Kipp Flores Architects (“KFA”) is an architecture firm that designs homes and licenses its designs to builders.  The insured, Hallmark Design Homes (“Hallmark”) built a large number of homes using KFA’s designs without a license.  KFA sued Hallmark for copyright infringement, seeking damages under the Copyright Act.  Id. at *1.  KFA alleged that: Read More

This entry was posted in Counterfeiting and tagged , , , , .

A Picture Is Worth a Thousand Words — and a Duty to Defend


This entry was posted by on .

Every now and then, a decision comes along that could have a broad impact in coverage, even if the court that issued the decision ostensibly wishes otherwise.  Selective Ins. Co. of SE v. Creation Supply, Inc., 2015 WL 522247 (Ill. Ct. App. Feb. 9, 2015), is one of those cases.  It is well settled that, for intellectual property cases, the sale of an infringing product in of itself does not implicate coverage under “personal and advertising injury.”  Nor should it.  Yet, should the mere presence of a placard on a shelf display in a store alter that analysis?  In Creation Supply, the court thought so.

The facts of the case are straightforward.  Underlying plaintiffs filed a lawsuit alleging that the insured, Creation Supply, infringed their trademarks by copying their brand of “COPIC” double-ended, alcohol-based colored markers.  According to the lawsuit, the insured’s brand of markers, called “MEPXY” markers, possessed the same squarish bodies and end-caps as the COPIC markers, thereby making the two brands look alike.  Id. at *1.  Plaintiffs contended that Creation Supply’s copy-cat design caused consumer confusion in violation of the Lanham Act.  Id. Read More

This entry was posted in Counterfeiting and tagged , , .