Category Archives: Data Breach Insurance Coverage

No Coverage for Data Breach Where Insured Isn’t Accused of Publishing

This entry was posted by on .

In the lawsuit Innovak Int’l, Inc. v. Hanover Ins. Co., the federal court for the middle district of Florida recently held that an underlying data breach class action lawsuit did not implicate “personal and advertising injury” coverage because the insured was not the entity accused of publishing the compromised personal information (PI).

The decision is relevant because not only did the court reject claims for cyber coverage under a CGL policy, but also because the decision is following a recent trend in litigation over Coverage B: namely, if the insured is not the one accused of publishing the information at issue, there is no “personal and advertising liability” coverage. In other words, Coverage B does not apply to third-party publications, even if the insured is the entity ultimately sued. E.g., Steadfast Ins. Co. v. Tomei, 2016 Pa. Super. Unpub. LEXIS 1864, at *17 (Pa. Super. Ct. May 24, 2016); Zurich Am. Ins. Co. v. Sony Corp., No. 651982/2011 (N.Y. Supr. Ct. Feb. 21, 2014).

The facts in Innovak are straightforward. Innovak was sued in a putative class action following a data breach that compromised the underlying plaintiffs’ personal information. According to the lawsuit,  Innovak “designs, develops, and sells accounting and payroll computer software systems to schools, school districts, and to other entities across the United States.” Id. at *3. The lawsuit alleged that “Innovak’s software and database provides up-to-date W2 and paystub information to end users, which is accessible remotely via an internet portal,” and that Innovak suffered the data breach “when hackers appropriated the personal private information (‘PPI’) stored on its software, database, and/or its portals … from numerous individuals in several different states whose PPI was stored and made accessible through Innovak’s internet portal.” Id. at *3-4. The suit was filed because of “Innovak’s alleged failure to protect adequately the Underlying Claimants’ PPI and to timely disclose the data breach to end users.” Id. at *4.

Innovak sought a defense under the “personal and advertising injury” coverage in its CGL policy. The policy defined “personal and advertising injury” in part as “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy.” Id. at *16. The carrier denied coverage and coverage litigation ensued.

The federal court, applying South Carolina law, held that the underlying lawsuit did not implicate Coverage B “personal and advertising injury” coverage because Innovak was not accused of publishing the PI in question. The court observed:

The Court notes that Innovak materially mischaracterizes the allegations of the Underlying Complaint. Nowhere in the Underlying Complaint do the Underlying Claimants contend that their PPI was “published,” whether by third party hackers or by Innovak. However, even if the Court views the alleged data breach as an alleged publication of the Underlying Claimants’ PPI, the Underlying Claimants do not allege that Innovak published their information.

Id. at *16. Citing the reasoning of the New York trial court in Zurich Am. Ins. Co. v. Sony Corp., the Florida court held that “the only plausible interpretation of Coverage B is that it requires the insured to be the publisher of the PPI.” Id. at *18. Allegations that the insured failed to protect PI adequately is not a publication, whether direct or indirect. Id.

What this case means. The insurance industry has attempted to shift coverage for liability for cyber risk from CGL policies to cybersecurity policies through promulgation of the Access Or Disclosure Of Confidential Or Personal Information And Data-related Liability Damages exclusion.

Thus, the real significance of this case is that it is yet another decision in which courts have limited Coverage B to claims in which the insured – and not a third party – has committed the publication. This limitation has a reach well beyond the scope of cybersecurity. It goes to an increasingly common theme in litigation where the insured is sued not for invading someone’s privacy, but for failing to prevent the invasion of privacy committed by a third party, whether by e-surveillance or vulnerabilities in the insured’s informational security, or from actions taken by rogue employees.

This entry was posted in Data Breach Insurance Coverage, Privacy Rights.

NAIC Passes Model Law for Insurers and Brokers on Cybersecurity

This entry was posted by on .

By Joshua Mooney and Laura Schmidt

On October 24, 2017, the National Association of Insurance Commissioners (NAIC) passed its Insurance Data Security Model Law, intended to serve as model legislation for states to enact in order to govern cybersecurity and data protection practices of insurers, insurance agents, and other licensed entities registered under state insurance laws (defined therein as Licensees).

The Model Law applies to “Licensees” that handle, process, store or transmit “Nonpublic Information.” (Insurers that are acting as an assuming insurer domiciled in another state or jurisdiction and purchasing groups or risk retention groups that are licensed and chartered in another state are not “Licensees.”) The definition for “Nonpublic Information” (NPI) is broader than state laws that typically focus on personally identifiable information (PII), and closely follows the meaning of “Nonpublic Information” under the New York Department of Financial Service’s (NYDFS) recently enacted Cybersecurity Regulations, 23 NYCRR § 500.00 et seq. (NYDFS cyber regulations). NPI under the Model Law includes:

  • business-related information of the Licensee that, if tampered with or disclosed, would have a material adverse impact on the Licensee’s business, operations or security;
  • information concerning a consumer that, because of an identifier in combination with certain data elements, can be used to identify the consumer; and
  • any information that is created by or derived from a heath care provider or consumer that qualifies as protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA).

In fact, a quick glance of the law reveals that its drafters were influenced significantly by the NYDFS cyber regulations. Like the cyber regulations, the Model Law requires Licensees to develop an information security program based upon a security assessment, and investigate and notify regulators of “Cybersecurity Events” the Licensee sustains. A drafting note in the law states that if a Licensee complies with the NYDFS’s cyber regulations, then the Licensee is deemed to comply with the requirements of the Model Law.

However, the Model Law also contains some noteworthy differences to the NYDFS cyber regulations regarding the establishment of an information security program and requirements for investigating and providing notice of a Cybersecurity Event.

Establishing an Information Security Program

Like the NYDFS cyber regulations, the Model Law requires insurers to develop an information security program designed to protect NPI and the Licensee’s information systems. The Licensee’s information security program must be based upon a risk assessment that identifies reasonably foreseeable internal or external threats (including the security of NPI and Information Systems accessible to or held by Third-Party Service Providers); the likelihood and potential damage of these threats; and the sufficiency of policies, procedures, Information Systems and other safeguards to manage these threats. Assessments and evaluations of cybersecurity risk must be included in the Licensee’s enterprise risk management process, and the Licensee must remain informed of emerging threats and vulnerabilities. Licensees also are required to develop an incident response plan to address a Cybersecurity Event.

Consistent with the NYDFS cyber regulations, the Model Law expressly imposes responsibility upon the Licensee’s board of directors to oversee the Licensee’s management of cybersecurity risk. The board of directors must direct senior management to develop, implement and maintain the information security program, and receive an annual report on the status of the entity’s information security program, including further assessments and third-party service provider arrangements. Gone are the days when cybersecurity was an IT or CIO problem. By expressly imposing responsibility upon the Licensee’s board of directors, the Model Law increases the directors’ and officers’ exposure should a cybersecurity incident occur. Like the NYDFS cyber regulations, the Model Law also requires the Licensee to certify in writing to the state commissioner every February 15 that its information security program complies with the law’s requirements. Like under the cyber regulations, if there are areas, systems, or processes that need improvement or are noncompliant, the Licensee must address the issue and identify remedial efforts that are planned or underway to remedy such issues.

Despite similarities between the Model Law and the NYDFS cyber regulations for establishing an information security program, there also are some material differences. The Model Law allows the information security program to be “commensurate with the size and the complexity of the Licensee, the nature and scope of the Licensee’s activities (including the use of third-party vendors), and the sensitivity of the NPI in the Licensee’s possession, custody, or control[.]” This qualifier is more akin to information security requirements under HIPAA than the NYDFS cyber regulations.

The Model Law also requires the Licensees to implement a risk management program to mitigate identified risks, but the program may be custom-tailored to the size and complexity of the Licensee. The Model Law identifies several security measures that the Licensee may implement if it determines the measures are appropriate, including using effective controls for individual access to NPI, implementing audit trails within the program to detect cybersecurity events, and instituting measures to protect against the loss, destruction or damage to NPI due to environmental hazards.

Additionally, The Model Law provides that the Licensee’s information security program must include the oversight of third-party service providers. However, unlike the NYDFS cyber regulations, the Model Law does not expressly require a Licensee to develop policies and procedures for conducting due diligence and oversight over third party service providers. Instead, Licensees only must exercise due diligence in selecting third-party service providers and require such providers to implement administrative, technical, and physical measures to protect and secure the Licensee’s NPI to which it has accesses or possession.

Investigation and Notification of a “Cybersecurity Event”

The Model Law requires Licensees to promptly investigate “Cybersecurity Events.” The Model Law is similar to the NYDFS cyber regulations in that it requires a Licensee to notify the state insurance commissioner no later than 72 hours from a determination that a Cybersecurity Event. However, there are material differences between the NYDFS cyber regulations and the Model Law for notice requirements.

First, the criteria for triggering notice under the Model Law are broader. Notice under the Model Law is required if the insurer is domiciled in the state in which the Model Law was enacted; or if the Licensee reasonably believes that the NPI involved is of 250 or more consumers residing in the state, and either: (a) the Licensee is required to provide notice of the Cybersecurity Event to any government body, self-regulatory agency or any other supervisory body pursuant to any state or federal law; or (b) there is a “reasonable likelihood” of the Cybersecurity Event  materially harming: (i) any Consumer residing in the state; or (ii) any material part of the normal operations of the Licensee. Under the NYDFS cyber regulations, notice is required only if the Cybersecurity Event requires notice to any government body, self-regulatory agency or any other supervisory body; or if the Cybersecurity Event has a “reasonable likelihood” of materially harming any Covered Entity’s normal operations.

Second, the Model Law has a narrower definition for “Cybersecurity Event.” Whereas the NYDFS cyber regulations defines a “Cybersecurity Event” as “means any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System,” the Model Law defines the term as “an event resulting in unauthorized access to, disruption or misuse of, an Information System or information stored on such Information System” (emphasis added). Under the Model Law, a Licensee also must conduct an investigation if it learns that a Cybersecurity Event occurred or may have occurred in a system maintained by one of its third-party vendors.

Any investigation must be geared toward determining: (1) whether a Cybersecurity Event occurred; (2) the nature and scope of the event; (3) the NPI implicated or compromised; and (4) necessary measures to restore the security of the Licensee’s Information Systems.

Third and finally, the Model Law recognizes the unique business to business relationships that exist within the insurance industry by including different notification requirements for reinsurers to insurers and insurers to producers of record.

Quick Takeaways

Regulators and lawmakers are identifying standards in cybersecurity that companies should be implementing to protect business operations and consumer information. The NAIC’s Model Law joins a growing group of laws and regulations instituted by New York, Connecticut, Massachusetts, Colorado, and Vermont that specifically require companies to institute cybersecurity programs, policies, and procedures. The Model Law has many similarities with the NYDFS cyber regulations, but there are some differences. Both regimes recognize that protecting critical business operations is just as important as protecting consumers information.

These laws and regulations will serve as a roadmap for plaintiffs and shareholders pursuing civil litigation against Licensees. The FTC also can be expected to look to these laws when determining whether a company engaged in “deceptive” or “unfair” practices. Companies that fail to implement these standards can expect enforcement, and perhaps significant fines. For some companies, a regulatory enforcement action piled on to the effects of a data breach or ransomware-type event can mean the difference between recovery and bankruptcy. Now is the time to act. Brokers and insurers should start preparing for cybersecurity compliance by conducting necessary risk assessments and building a solid information security program.

This entry was posted in Data Breach Insurance Coverage, Privacy Rights and tagged .

Court Holds No Insurance Coverage for Phishing Scam

This entry was posted by on .

Yesterday, a federal court held that a company’s financial losses for mis-wiring funds as a result of a phishing scam were not covered under a computer crime insurance policy. The decision, American Tooling Ctr. v. Travelers Cas. & Sur. Co. of Am., No. 16-12108 (E.D. Mich. Aug. 1, 2017) is another case in which financial losses resulting from a phishing scam were held to be unrecoverable under insurance.

In that case, the insured, American Tooling Center (“ATC”), was a tool and die manufacturer that outsourced some of its work to other die manufacturing companies overseas, including a vendor called Shanghai YiFeng Automotive Die Manufacture Co., Ltd. (“YiFeng”). As part of its normal business practice, ATC issued purchase orders to YiFeng, which in turn manufactured the requested dies. ATC paid YiFeng in stages based upon completion of certain milestones. To receive payment, YiFeng submitted its invoices to ATC by email. Once ATC verified that the milestone had been met, it wired the appropriate payment to YiFeng. Id. at 2.

In March 2015, ATC’s Vice President/Treasurer emailed his contact at YiFeng, requesting copies of all outstanding invoices.  In response, the ATC officer received an email purportedly from YiFeng, but which really was a spoofed email from a third party. (The third party made the email appear to be from YiFeng by using the email domain “yifeng-rnould” domain, not the correct domain “”).  Id. The third party, pretending to be from YiFeng, instructed ATC to send payments for several legitimate outstanding invoices to a new bank account.  Without verifying these new instructions, ATC wire transferred approximately $800,000 to a bank account that was not controlled by YiFeng.  When the fraud was detected, the money was gone.  Id. at 3.

ATC sought recovery under its computer crime policy.  The policy provided that “The Company will pay the Insured for the Insured’s direct loss of, or direct loss from damage to, Money, Securities and Other Property directly caused by Computer Fraud.” The policy defined “Computer Fraud” as:

The use of any computer to fraudulently cause a transfer of Money, Securities or Other Property from inside the Premises or Financial Institution Premises:

  1. to a person (other than a Messenger) outside the Premises or Financial Institution Premises; or

  2. to a place outside the Premises or Financial Institution Premises.

Id. at 3.  The carrier argued that coverage did not exist because there was no “direct loss” that was “directly caused by the use of a computer,” as required by the policy.  Id.

Noting that the Sixth Circuit, applying Michigan law, previously had held that the term “direct” means “immediate” and without intervening acts, the American Tooling court concluded that there was no direct loss directly caused by a computer to implicate coverage.  Simply put: there were too many intervening acts between the phishing email and the transfer of money to satisfy the insuring language of the policy. Id. at 5 (citing Manufacturing & Technologies Ass’n v. Hartford Fire Ins. Co., 693 F.3d 665, 673 (6th Cir. 2012)). The court stated that the “intervening events between ATC’s receipt of the fraudulent emails and the transfer of funds (ATC verified production milestones, authorized the transfers, and initiated the transfers without verifying bank account information) preclude a finding of ‘direct’ loss ‘directly caused’ by the use of any computer.”  Id.

Agreeing with the reasoning of the Fifth Circuit in Apache Corp. v. Great American Ins. Co., 662 Fed. App’x 252 (5th Cir. 2016) (written about in The Coverage Inkwell in October 2016), the American Tooling court stated that “the mere sending/receipt of fraudulent emails did not constitute ‘the use of any computer to fraudulently cause a transfer.’” Id. at 6. The court explained:

Although fraudulent emails were used to impersonate a vendor and dupe ATC into making a transfer of funds, such emails do not constitute the “use of any computer to fraudulently cause a transfer.” There was no infiltration or “hacking” of ATC’s computer system. The emails themselves did not directly cause the transfer of funds; rather, ATC authorized the transfer based upon the information received in the emails.

Further, because of the wide  spread use of computers as a means of communication, the court, like the Fifth and Ninth Circuits, feared that to allow the email to implicate coverage for computer fraud would transform the “computer fraud” coverage into coverage for any fraud: “Because computers are used in almost every business transaction, reading this provision to cover all transfers that involve both a computer and fraud at some point in the transaction would convert this Crime Policy into a ‘General Fraud’ Policy.”  Id. at 7 (quoting Apache and Pestmaster Servs., Inc. v. Travelers Cas. & Sur. Co. of Am., 656 Fed. App’x 332 (9th Cir. 2016)).

This case shows that to implicate computer fraud, the computer must be a critical instrumentality of the fraud, and not merely incidental to it. The case also highlights the costs of phishing attacks.  According to a May 4, 2017 FBI Bulletin, between October 2013 and December 2016, American businesses saw losses from phishing scams approach $1.6 billion: $500 million every year with dollar figures climbing sharply – up 2370% between January 2015 and December 2016.  Companies must implement appropriate cybersecurity measures, including employee training, to prevent such loss.  A small investment in appropriate cybersecurity processes today can save your company hundreds of thousands or millions of dollars tomorrow.

This entry was posted in Data Breach Insurance Coverage and tagged .


This entry was posted by on .

In Apache Corp. v. Great American Ins. Co., 2016 U.S. App. LEXIS 18748 (5th Cir. Oct. 18, 2016), the United States Court of Appeals for the Fifth Circuit held that loss from a phishing scam, which led to misdirected payments in the amount of $7 million, was not covered under a policy’s computer fraud coverage.  Although the fraudulent scheme was initiated through emails, the court held that the emails were too incidental to classify the insured’s subsequent loss as one “resulting directly from the use of any computer to fraudulently cause a transfer of that property.”

The facts of the case are straightforward and serve as a good illustration as to why double verification practices should be practiced by every company as a preventive measure against cyber fraud.  In the case, the insured, Apache Corporation was an oil-production company.  An employee in Scotland received a telephone call from a person identifying herself as a representative of Petrofac, an Apache vendor.  The caller instructed Apache to change the bank-account information for payments Apache made to Petrofac.  The Apache employee replied that the change-request could not be processed without a formal request on Petrofac letterhead.  Id. at *2.

A week later, Apache’s accounts-payable department received an email from a “” address.   (Petrofac’s real email domain name was “”)  The fraudulent email sent from the “” address advised Apache that Petrofac’s “accounts details have now been changed”; and “[t]he new account takes . . . immediate effect and all future payments must now be made into this account.”  Attached to the email was a signed letter on Petrofac letterhead providing both Petrofac’s old-bank-account information and the new-bank-account information, along with instructions to use the new account immediately.  Id. at *2-3.  Apache took the bait.  In response to the email and attached letter, an Apache employee called the telephone number provided on the letter to verify the request and concluded that the change-request was authentic.  Id. at *3.  A different Apache employee approved and implemented the change-request, and a week later, Apache began transferring funds for payment of Petrofac’s invoices to the new bank account.  Id.  Uh oh.

Within one month, Apache received notification from Petrofac that it had not received over £4.3 million (approximately $7 million) due from outstanding invoices (and which Apache had transferred to the new (fraudulent) account).  Apache soon discovered it had fallen victim to a fraudulent scheme and was able to recoup all but $2.4 million of the payments previously made.  Id.

Apache submitted a claim under its “Computer Fraud” coverage, which provided that:

We will pay for loss of, and loss from damage to, money, securities and other property resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the premises or banking premises:

  1. to a person (other than a messenger) outside those premises; or

  2. to a place outside those premises.

Id. at *3-4 (emphasis added).  The insurer denied coverage, concluding that Apache’s “loss did not result directly from the use of a computer nor did the use of a computer cause the transfer of funds.”  Id.

Coverage litigation ensued.  The insurer argued that Apache’s loss “was not a covered occurrence because: the email did not ‘cause a transfer’”; and that coverage under the computer fraud provision was “‘unambiguously limited’ to losses from ‘hacking and other incidents of unauthorized computer use’.”  Id. at *6.  Apache, on the other hand, argued that the computer fraud provision was ambiguous; because the provision says nothing about “hacking,” Apache need only to show that “any computer was used to fraudulently cause the transfer of funds.”  Id.  The parties cross moved for summary judgment.  The trial court granted judgment in favor of Apache, concluding that “the intervening steps of the [post-email] confirmation phone call and supervisory approval do not rise to the level of negating the email [and computer] as being a ‘substantial factor'” of the loss to implicate coverage.  The Fifth Circuit reversed.

On appeal, the insurer argued that the fraudulent transfer of funds resulted from events other than the email, including the initial phone call and steps Apache took (and did not take) to authenticate the request.

GAIC maintains the transfer of funds to the fraudulent bank account resulted from other events: before the email, the telephone call directing Apache to change the account information; and, after the email, the telephone call by Apache to the criminals to confirm the change-request, followed by the Apache supervisor’s review and approval of the emailed request, Petrofac’s submission of invoices, the review and approval of them by Apache employees, and Apache’s authorized and intentional transfer of funds, even though to the fraudulent bank account.

Id. at *8.  As a result of all of these actions, the insurer argued that Apache’s loss did not “result[] directly from the use of any computer to fraudulently cause a transfer of that property.”

The Fifth Circuit agreed, concluding that although the fraudulent email sent to Apache “was part of the scheme” to defraud Apache, it was “merely incidental to the occurrence of the authorized transfer of money.”  Id. at *16.  The court explained:

Here, the “computer use” was an email with instructions to change a vendor’s payment information and make “all future payments” to it; the email, with the letter on Petrofac letterhead as an attachment, followed the initial telephone call from the criminals and was sent in response to Apache’s directive to send the request on the vendor’s letterhead. Once the email was received, an Apache employee called the telephone number provided on the fraudulent letterhead in the attachment to the email, instead of, for example, calling an independently-provided telephone contact for the vendor, such as the pre-existing contact information Apache would have used in past communications. Doubtless, had the confirmation call been properly directed, or had Apache performed a more thorough investigation, it would never have changed the vendor-payment account information.  Moreover, Apache changed the account information, and the transfers of money to the fraudulent account were initiated by Apache to pay legitimate invoices.

Id. at *15-16.

Given the wide use of computers as a means of communication, the court feared that to allow the email to implicate coverage for computer fraud would transform the “computer fraud” coverage into coverage for any fraud:

The email was part of the scheme; but, the email was merely incidental to the occurrence of the authorized transfer of money. To interpret the computer-fraud provision as reaching any fraudulent scheme in which an email communication was part of the process would, as stated in Pestmaster II, convert the computer-fraud provision to one for general fraud. . . . We take judicial notice that, when the policy was issued in 2012, electronic communications were, as they are now, ubiquitous, and even the line between “computer” and “telephone” was already blurred. In short, few-if any-fraudulent schemes would not involve some form of computer-facilitated communication.

Id. at *16-17 (emphasis added).

In addition, the court observed that Apache’s failure to properly investigate the fraudulent change-request also took Apache’s loss outside of the scope of the computer fraud’s insuring agreement:

No doubt, the better, safer procedure was to require the change-request to be made on letterhead, especially for future payment of Petrofac’s very large invoices. But the request must still be investigated properly to verify it is legitimate.  In any event, based on the evidence in the summary-judgment record, Apache followed-up on the request in the email and its attachment.  In other words, the authorized transfer was made to the fraudulent account only because, after receiving the email, Apache failed to investigate accurately the new, but fraudulent, information provided to it.  [Emphasis added.]

Id. at *18 (emphasis added).

The court further reasoned that the invoices themselves could be viewed as the direct cause of the transfer of funds, not the use of a computer.

Moreover, viewing the multi-step process in its simplest form, the transfers were made not because of fraudulent information, but because Apache elected to pay legitimate invoices. Regrettably, it sent the payments to the wrong bank account. Restated, the invoices, not the email, were the reason for the funds transfers.

Id.  In other words, the email was too remote to classify the fraudulent payments as being a direct result of the use of a computer.

What this case means:  Here, the Fifth Circuit in essence rejected a syllogistic fallacy akin to “all tigers have stripes; all tigers are mammals; therefore, all mammals must have stripes.”  The syllogism presented here was: Apache used a computer. Apache suffered a fraud. Therefore, the fraud was from Apache’s use of a computer.  Coverage can’t work that way.  Computers are a dominant presence in our lives. They are perhaps the primary means of communication.  (Yes, our mobile phones are computers.)  Does that mean that any fraud that can be linked to the use of a computer is computer fraud?  No.  Given the wide use of computers, the Fifth Circuit clearly feared that to allow use of email to implicate coverage for computer fraud would transform “computer fraud” coverage into coverage for any fraud.

This case also provides another illustration as to why companies need to purchase cyber coverage. And why companies need cyber counsel to help train employees and help improve cybersecurity measures.  Cyber risk is very broad. Purchasing computer fraud coverage doesn’t come close to covering many of the risks out there.

This entry was posted in Data Breach Insurance Coverage.

Article III Standing in Data Breach Litigation and Problems Galaria Poses for Data Breach Responses

This entry was posted by on .

Last week, in Galaria v. Nationwide Mut. Ins. Co., 2016 U.S. App. LEXIS 16840 (6th Cir. Sept. 12, 2016), the United States Court of Appeals for the Sixth Circuit weighed in on the issue of Article III standing for data breach litigation and effectively lowered the threshold to establish standing.  The decision echoes sentiments expressed by the Seventh Circuit in Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016), and Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015).  The facts are straightforward, and it is part of an ongoing trend by courts to make it easier to allege injury and bring data breach litigation. This will drive up litigation. Yet, here is a bigger problem: the Sixth Circuit based its determination that standing existed to sue a breach victim on actions undertaken by the breach victim to mitigate damage and help consumers prevent the very harm that plaintiffs later sued over. Is the message of “darned if you do” one that courts want to establish? Can decisions like Galaria create an adverse impact on response efforts undertaken by breach victims? These are issues that a breach victim will have to wrestle with early on and provide one more reason why cyber counsel should be retained.

The facts of Galaria are straightforward. In that case, the breach victim, Nationwide, maintained records containing personal information of customers and potential customers, including names, dates of birth, marital statuses, employers, Social Security numbers, and driver’s license numbers. On October 3, 2012, hackers breached Nationwide’s computer network and stole the personal information of 1.1 million people. Id. at *3. In the underlying data breach litigation that followed, putative class actions alleged violation of the Fair Credit Reporting Act (“FCRA”) through Nationwide’s failure to adopt required procedures to protect against wrongful dissemination of plaintiffs’ data. Plaintiffs also alleged claims for negligence, and invasion of privacy by public disclosure of private facts – all based on Nationwide’s failure to secure Plaintiffs’ data.  Id. at *4.

In support of their claims, plaintiffs alleged that an illicit international market exists for stolen personal data. According to the complaints, Nationwide’s data breach created an “imminent, immediate and continuing increased risk” that plaintiffs would be subject to identity theft. They cited a study purporting to show that in 2011 recipients of data-breach notifications were 9.6 times more likely to experience identity fraud, and had a fraud incidence rate of 19%.  They also alleged that victims of identity theft “typically spend hundreds of hours in personal time and hundreds of dollars in personal funds,” incurring an average of $354 in out-of-pocket expenses and $1,513 in total economic loss.  Id. at *5.

The federal district court dismissed the lawsuits, concluding that plaintiffs lacked statutory standing for the FCRA claims and lacked Article III standing for the negligence and bailment claims. The court also concluded that while plaintiffs had standing for their invasion of privacy claims, such claims failed to allege a cognizable injury. Plaintiffs appealed the trial court’s order, except for the dismissal of the invasion of privacy claims.  Id. at *6-7. The Sixth Circuit reversed.

In order to bring a lawsuit, a plaintiff must have standing under Article III of the United States Constitution; “[t]he doctrine of standing gives meaning to these constitutional limits by ‘identify[ing] those disputes which are appropriately resolved through the judicial process.'” Id. at *8 (citation omitted). In Spokeo v. Robins, 136 S. Ct. 1540, 1547 (2016), the United States Supreme Court explained that “the ‘irreducible constitutional minimum’ of standing consists of three elements.” Those elements are that a plaintiff “must have (1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of a defendant, and (3) that is likely to be redressed by a favorable judicial decision.” Spokeo, 136 S. Ct. at 1547; Galaria, 2016 U.S. App. LEXIS 16840 at *8. A plaintiff must prove those elements.  Id. Focusing on the first two elements, the Sixth Circuit in Galaria concluded that plaintiffs met their burden of proof and established had Article III standing at the pleading stage to survive a motion to dismiss. As litigators know, that is half the battle.

The Galaria court explained that”[t]o establish injury in fact, a plaintiff must show that he or she suffered ‘an invasion of a legally protected interest’ that is ‘concrete and particularized’ and ‘actual or imminent, not conjectural or hypothetical.'” Galaria, 2016 U.S. App. LEXIS 16840 at *8 (quoting Spokeo, at 1548). Where a plaintiffs seeks to establish standing based on an imminent injury, “that ‘threatened injury must be certainly impending to constitute injury in fact’”; “'[a]llegations of possible future injury’ are not sufficient.” Id. at *9 (quoting Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138, 1147 (2013)).

In the case before it, the Sixth Circuit concluded that plaintiffs’ allegations of increased risk of identity theft, coupled with “reasonably incurred mitigation costs,” established a concrete and particularized imminent injury for purposes of standing. Critically, the court based its decision on the fact that (1) there was proof that the plaintiffs’ information was in fact stolen, (2) hackers had targeted it, and (3) Nationwide had offered free credit monitoring services to help consumers mitigate their danger:

There is no need for speculation where Plaintiffs allege that their data has already been stolen and is now in the hands of ill-intentioned criminals.  Indeed, Nationwide seems to recognize the severity of the risk, given its offer to provide credit-monitoring and identity-theft protection for a full year. Where a data breach targets personal information, a reasonable inference can be drawn that the hackers will use the victims’ data for the fraudulent purposes alleged in Plaintiffs’ complaints. [Bold added.]

Id. at *9-10.

The fact that plaintiffs also could identify specific costs incurred by them from steps recommended by Nationwide in its data breach notification letter further supported the court’s finding that the underlying complaints alleged an imminent injury:

Although Nationwide offered to provide some of these services for a limited time, Plaintiffs allege that the risk is continuing, and that they have also incurred costs to obtain protections—namely, credit freezes—that Nationwide recommended but did not cover. This is not a case where Plaintiffs seek to “manufacture standing by incurring costs in anticipation of non-imminent harm.” [Citing Clapper, at 1155.]  Rather, these costs are a concrete injury suffered to mitigate an imminent harm, and satisfy the injury requirement of Article III standing.  [Bold added.]

Id. at *10-11.

Under the second element, the Sixth Circuit in Galaria held that the alleged harm was “fairly traceable” to Nationwide’s alleged conduct to satisfy Article III standing. Id. at *13. To satisfy the “fairly traceable” element, a plaintiff need not allege proximate causation. “Indirect” injury is sufficient.  Id. at *14. Here, the Galaria court held that plaintiffs had sufficiently alleged that their injuries were “fairly traceable” to Nationwide’s conduct, because Nationwide’s alleged negligence allowed the breach to happen:

Although hackers are the direct cause of Plaintiffs’ injuries, the hackers were able to access Plaintiffs’ data only because Nationwide allegedly failed to secure the sensitive personal information entrusted to its custody. In other words, but for Nationwide’s allegedly lax security, the hackers would not have been able to steal Plaintiffs’ data. These allegations meet the threshold for Article III traceability, which requires “more than speculative but less than but-for” causation.  [Bold added.]

Id. at *15.

Finally, the Sixth Circuit concluded that plaintiffs had statutory standing to bring their FCRA claims. Because plaintiffs had Article III standing to bring the lawsuit in general, they had standing to bring their FCRA claims, and there was no need to evaluate the causes of action allege din the complaints themselves.  Id. at *17-18.

What does this case mean? This case goes beyond the lowering of the standing threshold.  It also demonstrates why a data breach victim needs a cyber law attorney to help navigate the inevitable legal minefield that will follow a data breach. For instance, when a company suffers a data breach, state notification statutes require those companies to notify persons whose information has been compromised. Many state laws actually will require that notification letters include information explaining to consumers what steps may be taken to mitigate or monitor against any potential harm. Connecticut law requires that credit monitoring services be offered.  Many companies offer credit monitoring services as an act of goodwill.

Yet, in Galaria, the Sixth Circuit used the content of a breach victim’s notification letter and offer of credit monitoring services to permit multiple lawsuits to proceed against it. Does that leave a breach victim with an untenable, Hobson’s choice: comply with state notification laws and get sued, or potentially violate those laws to avoid creating Article III standing for future class actions? Some may say so. These are issues that breach victims are going to need to address when first responding to a breach. It’s another reason to have cyber counsel involved as early as possible when a breach has occurred.

This entry was posted in Data Breach Insurance Coverage, Privacy Rights and tagged .


This entry was posted by on .

In P.F. Chang’s China Bistro, Inc. v. Federal Ins. Co., 2016 WL 3055111 (D. Ariz. May 31, 2016), the United States District Court of District of Arizona held that liability for PCI assessments following a data breach of 60,000 credit card numbers was excluded under a cybersecurity policy.  This case demonstrates the importance and ability of carriers to define the risk insured under a policy, including cybersecurity insurance.

In PF Chang’s, the insured purchased a cybersecurity insurance policy.  The insurer’s underwriters classified the insured as a high risk, “PCI Level 1”, because the insured conducted more than 6 million transactions per year, a large number of which were with credit cards, thus creating a high exposure to potential customer identity theft.  Id. at *1.  The insured, like many merchants, was unable to process credit card transactions themselves, and therefore entered into an agreement with the credit card processor  to process credit card transactions with the banks who issue the credit cards (“Issuers”), such as Chase or Wells Fargo.  Here, Chang’s entered into a Masters Service Agreement (“MSA”) with the credit card processer Bank of America Merchant Services (“BAMS”) to process credit card payments made by customers of Chang’s.  Id.  Under the MSA, Chang’s delivered customer credit card payment information to BAMS who then settled the transaction through an automated clearinghouse.  BAMS thereafter credited the Chang’s account for the amount of the payments.  Id. 

Importantly, credit card processors like BAMS perform their services under agreements entered into with the credit card associations like MasterCard and Visa. Id.  Here, BAMS’s agreement with MasterCard, which was governed by the MasterCard Rules and incorporated into the MSA with Chang’s, obligated BAMS to pay certain fees/fines and assessments to MasterCard in the event of a data breach involving credit card information.  The assessments included “Operational Reimbursement” fees and “Fraud Recovery” fees.  Id.  Under the Chang’s MSA, Chang’s agreed to compensate or reimburse BAMS for “fees,” “fines,” “penalties,” or “assessments” imposed on BAMS by credit card associations like MasterCard.  Id. at *2.  The MSA read in part:

[Chang’s] agrees to pay [BAMS] any fines, fees, or penalties imposed on [BAMS] by any Associations, resulting from Chargebacks and any other fines, fees or penalties imposed by an Association with respect to acts or omissions of [Chang’s] . . . . In addition to the interchange rates, [BAMS] may pass through to [Chang’s] any fees assessed to [BAMS] by the [Associations], including but not limited to, new fees, fines, penalties and assessments imposed by the [Associations].

 Id. at *2.  Assessments levied by MasterCard against BAMS, for which Chang’s was responsible under the Chang’s MSA, became the focus of a coverage dispute.

 On June 10, 2014, Chang’s learned that computer hackers had obtained and posted on the Internet approximately 60,000 credit card numbers belonging to its customers.  Chang’s notified its insurer of the data breach that very same day.  Id.  Almost one year later, on March 2, 2015, MasterCard issued an “ADC Operational Reimbursement/Fraud Recovery Final Acquirer Financial Responsibility Report” to BAMS, assessing over $1.9 million in fines and assessments against BAMS for the data breach.  The fines were “a Fraud Recovery Assessment of $1,716,798.85, an Operational Reimbursement Assessment of $163,122.72 for Chang’s data breach, and a Case Management Fee of $50,000.”  Id.  “The Fraud Recovery Assessment reflects costs, as calculated by MasterCard, associated with fraudulent charges that may have arisen from, or may be related to, the security compromise. The Operational Reimbursement Assessment reflects costs to notify cardholders affected by the security compromise and to reissue and deliver payment cards, new account numbers, and security codes to those cardholders. The Case Management Fee is a flat fee and relates to considerations regarding Chang’s compliance with Payment Card Industry Data Security Standards.”  Id.

BAMS sought indemnity from Chang’s.  Pursuant to the Chang’s MSA, and in order to continue operations and not lose its ability to process credit card transactions, Chang’s reimbursed BAMS on April 15, 2015.  Chang’s sought coverage for the $1.9 million payment under three insuring agreements under the cybersecurity policy: Insuring Agreement A, Insuring Agreement B, and Insuring Agreement D.2.  The insurer denied coverage and litigation ensued.  Id.

No Privacy Injury Under Insuring Agreement A

Insuring Agreement A paid for “‘Loss’ on behalf of an ‘Insured’ on account of any ‘Claim’ first made against such ‘Insured’ . . .  for ‘Injury’,” which included a “Privacy Injury.”  Id. at *4.  “Privacy Injury” was defined as “injury sustained or allegedly sustained by a Person because of actual or potential unauthorized access to such Person’s Record, or exceeding access to such Person’s Record.”  Id.  The insurer argued that Chang’s did not sustain a Privacy Injury because its own Records were not compromised during the data breach.  Id. at *5.  Chang’s acknowledged that it was the credit card issuers who suffered a Privacy Injury because it was their Records which were compromised in the data breach.  However, Chang’s argued that the owner of the “Records” was immaterial to the issue of coverage because the injury “first passed through BAMS before BAMS in turn charged Chang’s” pursuant to industry standards.  Id.  As the Court generalized, “[b]asically, Chang’s argues that because a Privacy Injury exists and was levied against it, regardless of who suffered it, the Injury is covered under the Policy.”  Id.

 The Court disagreed with Chang’s and held that there was no Privacy Injury to implicate coverage under Insuring Agreement A because BAMS own Records had not been compromised.  Thus, there was no coverage for BAMS’s liability under the MasterCard ADC Fraud Recovery Assessment:

The Court agrees with [the insurer]l; BAMS did not sustain a Privacy Injury itself, and therefore cannot maintain a valid Claim for Injury against Chang’s. The definition of Privacy Injury requires an “actual or potential unauthorized access to such Person’s Record, or exceeding access to such Person’s Record.” (Doc. 8-1) (emphasis added).  The usage of the word “such” means that only the Person whose Record is actually or potentially accessed without authorization suffers a Privacy Injury.  Here, because the customers’ information that was the subject of the data breach was not part of BAMS’ Record, but rather the Record of the issuing banks, BAMS did not sustain a Privacy Injury.  Thus, BAMS did not make a valid Claim of the type covered under Insuring Clause A against Chang’s.

Id. at *5.

Coverage Under Insuring Agreement B Initially Implicated

Insuring Agreement B of the policy stated that the insurer would “pay ‘Privacy Notification Expenses’ incurred by an ‘Insured’ resulting from [Privacy] Injury.”  Id. at *5.  The policy defined “Privacy Notification Expenses” as “the reasonable and necessary cost[s] of notifying those Persons who may be directly affected by the potential or actual unauthorized access of a Record, and changing such Person’s account numbers, other identification numbers and security codes….”  Id.

Chang’s contended that the ADC Operational Reimbursement fee was a “Privacy Notification Expense” because it compensated credit card issuers for the cost of reissuing bankcards and new account numbers and security codes to Chang’s customers.  The insurer argued that coverage did not exist because the ADC Operational Recovery fee was not personally incurred by Chang’s, but rather was incurred by BAMS.  It also argued that the fee did not qualify as “Privacy Notification Expenses” because there is no evidence that the fee was used to “notify[ ] those Persons who may be directly affected by the potential or actual unauthorized access of a Record, and changing such Person’s account numbers, other identification numbers and security codes.”  Id. at *6.

The Court agreed with Chang’s.  Relying on Arizona courts’ broad interpretation of the term “incurred,” which merely required that an insured become liable for the expense, even if the expense originally was paid by others, the Court held that the ADC Operational Recovery fee was “incurred by” Chang’s “resulting from [Privacy] Injury.”  Id. The Court explained:

Although the ADC Operational Reimbursement fee was originally incurred by BAMS, Chang’s is liable for it pursuant to its MSA with BAMS.

Id. at *6.

The Court also held that sufficient evidence existed – and the insurer did not identify any contrary evidence – that the assessment was to be used to compensate credit card issuers for the costs of notifying about the security compromise and reissuing credit cards to Chang’s customers to have the damages fall within the meaning of a “Privacy Notification Expense.”  Id.  As discussed further below, ultimately the Court held that two exclusions applied to bar coverage.

Coverage Under Insuring Agreement D.2 Potentially Implicated

The Court also held that it could not summarily hold, as a matter of law, that the requirements of Insuring Agreement D.2 were unsatisfied ti implicate coverage.  The Insuring Agreement covered “’Extra Expenses’ an ‘Insured’ incurs during the ‘Period of Recovery of Services’ due to the actual or potential impairment or denial of ‘Operations’ resulting directly from ‘Fraudulent Access or Transmission’.” Id. at *6.  The policy defined “Extra Expenses” to include “reasonable expenses an Insured incurs in an attempt to continue Operations that are over and above the expenses such Insured would have normally incurred. Extra Expenses do not include any costs of updating, upgrading or remediation of an Insured’s System that are not otherwise covered under [the] Policy.”  Id.  Critically, the policy defined “Period of Recovery of Services” as beginning:

. . . immediately after the actual or potential impairment or denial of Operations occurs; and will continue until the earlier of…the date Operations are restored,…to the condition that would have existed had there been no impairment or denial; or sixty (60) days after the date an Insured’s Services are fully restored…to the level that would have existed had there been no impairment or denial.

Id. at *6.

The insurer argued that Insuring Clause D.2. did not apply because Chang’s had not submitted evidence demonstrating that the data breach caused “actual or potential impairment or denial” of business activities.  Id. at *7.  The insurer also argued that Chang’s did not incur Loss during the “Period of Recovery of Services” because it did not pay the Case Management Fee until April 15, 2015, nearly one year after it discovered the data breach.  Id.  Chang’s contended that its ability to operate was impaired because BAMS would have terminated the MSA and eliminated Chang’s ability to process credit card transactions if it did not pay BAMS.  Further, the Chang’s MSA prohibited Chang’s to use another servicer while contracting with BAMS for its services.  Id.  Chang’s also contended that its business activities were still not fully restored; therefore, the “Period of Recovery of Services” remained ongoing.  Id.

The Court agreed with Chang’s in part, concluding evidence showed that “Chang’s experienced a Fraudulent Access during the data breach and that its ability to perform its regular business activities would be potentially impaired if it did not immediately pay the Case Management Fee imposed by BAMS.”  Id.  However, whether Chang’s operations were not yet fully restored, thereby extending the “Period of Recovery of Services,” was an issue of fact the Court could not resolve on Summary Judgment and was best suited for trial.  Id. at *7.  However, as discussed below, ultimately the Court held that two exclusions applied to bar coverage.

Two Contractual Liability Exclusions Prohibit Coverage  

Although the Court held that the requirements of Insuring Agreement B were met, and refrained from ruling on the requirements of Insuring Agreement D.2., the court held that coverage under the Insuring Agreements was prohibited by two policy exclusions.  The two exclusions prohibited coverage as follows:

With respect to all Insuring Clauses, [the insurer] shall not be liable for any Loss on account of any Claim, or for any Expense . . . based upon, arising from or in consequence of any . . . liability assumed by any Insured under any contract or agreement.

* * *

With respect to Insuring Clauses B through H, [the insurer] shall not be liable for…any costs or expenses incurred to perform any obligation assumed by, on behalf of, or with the consent of any Insured.

Id. at *7.  The Court characterized these two exclusions as “the same in that they bar coverage for contractual obligations an insured assumes with a third-party outside of the Policy.”  Id.  In addition, “Loss” was defined to exclude “any costs or expenses incurred to perform any obligation assumed by, on behalf of, or with the consent of any Insured.”  Id.

Notably, the Court “turned to cases analyzing commercial general liability insurance policies for guidance, because cybersecurity insurance policies are relatively new to the market but the fundamental principles are the same.”  Id. at *8.  Observing that “Arizona courts, as well as those across the nation, hold that such contractual liability exclusions apply to ‘the assumption of another’s liability, such as an agreement to indemnify or hold another harmless’,” the Court  held that both exclusions, as well as the definition of “Loss,” applied to prohibit coverage under Insuring Agreement B.  The Court explained:

In no less than three places in the MSA does Chang’s agree to reimburse or compensate BAMS for any “fees,” “fines,” “penalties,” or “assessments” imposed on BAMS by the Associations, or, in other words, indemnify BAMS. . . . Furthermore, the Court is unable to find and Chang’s does not direct the Court’s attention to any evidence in the record indicating that Chang’s would have been liable for these Assessments absent its agreement with BAMS. While such an exception to an exclusion of this nature may exist in the law, it is not applicable here.

Id. at *8.

What This Case Means:  This case has a number of takeaways.  Briefly, and perhaps most important, this case illustrates that although cybersecurity insurance can provide significant  amounts of coverage – here, the Court noted that the insurer already had provided $1.7 million in coverage under the policy to Chang’s – coverage is not limitless.  Some may say that a policyholder should “read the fine print,” but I say that the policyholder should understand its risk and ensure it purchases the insurance it needs.  A carrier has an unfettered right to limit the scope of the cyber risk it is willing to insure.  This case also raises the issue of coverage for third-party contracts, which can be a significant source of liability in a data breach.  This case also illustrates how sometimes the timing of liability and payments can affect coverage.  “Extra Expenses” coverage, sometimes overlooked, also can play a significant role in a data breach.  Questions are welcome.

This entry was posted in Data Breach Insurance Coverage.


This entry was posted by on .

In State Bank v. BancInsure, Inc., 2016 U.S. App. LEXIS 9235 (8th Cir. May 20, 2016), the United States Court of Appeals for the Eighth Circuit held that a $485,000 fraudulent wire transfer perpetrated through the use of malware residing on a bank employee’s computer was covered under the bank’s financial institution bond.  The facts are straightforward.

The insured used the Federal Reserve’s FedLine Advantage Plus system to perform wire transfers. The transfers were made through a desktop computer connected to a Virtual Private Network device provided by the Federal Reserve. In order to complete a transfer, two bank employees had to enter their individual user names, and each had to insert individual physical tokens into the computer, and provide individual passwords and passphrases.

In the matter at issue, a bank employee completed a FedLine wire transfer. However, instead of following company policy and protocol by engaging the participation of a second employee, as required, the bank employee instead completed the transfer using her token, password, and passphrase as well as the token, password, and passphrase of a second employee on the same computer.  At the end of the work day, the employee then left the two tokens in her computer and left the computer running overnight.  When the employee returned to work the next morning, she discovered that two unauthorized wire transfers had been made from the bank’s Federal Reserve account.  Money from one of the transfers was recovered.  However, $485,000 wired in the second transfer was not recovered.  Id. at *1-2.

An investigation revealed that malware resided on the computer, permitting infiltration that allowed completion of the fraudulent transfers. Id. at *2.  The bank sought coverage under its financial institution bond, which provided coverage for losses caused by computer system fraud.  The insuring agreement covered, in part:

Loss resulting directly from a fraudulent

(1) entry of Electronic Data or Computer Program into, or

(2) change of Electronic Data or Computer Program within

any Computer System operated by the Insured, whether owned or leased, or any Computer System identified in the application for this Bond, or a Computer System first used by the Insured during the Bond Period, provided the entry or change causes

(1) property to be transferred, paid or delivered,

(2) an account of the Insured or of its customer to be added, deleted, debited or credited, or

(3) an unauthorized account or fictitious account to be debited or credited.

Id. at *3-4, n.2.

The carrier denied coverage, citing certain exclusions in the bond for loss based on employee-caused loss, theft of confidential information, and mechanical breakdown or deterioration of a computer system.  Id. at *3.  The carrier cited the following exclusions, which prohibited coverage for:

(h) loss caused by an Employee . . . resulting directly from misplacement, mysterious unexplainable disappearance or destruction of or damage to Property;

. . . .

(bb) (4) loss resulting directly or indirectly from theft of confidential information,

. . . .

(bb) (12) loss resulting directly or indirectly from

(a) mechanical failure, faulty construction, error in design, latent defect, fire, wear or tear, gradual deterioration, electrical disturbance or electrical surge which affects a Computer System,

(b) failure or breakdown of electronic data processing media, or

(c) error or omission in programming or processing,

. . . .

(bb) (17) loss caused by a director or Employee of the Insured . . . .

Id. at *4, n.3.

Coverage litigation ensued.  The carrier argued that the employee’s breach of company policy caused the loss and thus the loss was excluded.  Specifically, the carrier contended that the malware would not have allowed the hacker to fraudulently transfer the lost money had the bank employee (1) engaged a second employee to perform the original wire transfer, and (2) had not left the computer running overnight with two tokens in it.  Based on Minnesota’s concurrent-causation doctrine, the trial court nevertheless held that the bond covered the loss.  The trial court concluded that “the computer systems fraud was the efficient and proximate cause of [Bellingham’s] loss,” and that “neither the employees’ violations of policies and practices (no matter how numerous), the taking of confidential passwords, nor the failure to update the computer’s antivirus software was the efficient and proximate cause of [Bellingham’s] loss.”  Id. at *6.  The court further held that “it was not then a ‘foreseeable and natural consequence’ that a hacker would make a fraudulent wire transfer. Thus even if those circumstances ‘played an essential role’ in the loss, they were not ‘independent and efficient causes’ of the loss.”  Id. at *6-7.  The carrier appealed and the Eighth Circuit affirmed.

On appeal, the carrier first argued that the concurrent-causation doctrine, which applies to insurance contracts, did not apply to financial institution bonds because a financial institution bond requires the insured to initially show that its loss directly and immediately resulted from dishonest, criminal, or malicious conduct.  Id. at *8.  The Eighth Circuit disagreed, stating that Minnesota courts adhere to the general rule of “treating financial institution bonds as insurance policies and interpreting those bonds in accordance with the principles of insurance law.”  Id. at *9.

The carrier next argued that exclusions 2(bb)(4) and 2(bb)(12) contracted around the concurrent-causation doctrine because those exclusions applied to both direct and “indirect” causation.  Id. at *10.  The Eighth Circuit disagreed.  Although noting that “[p]arties may include ‘anti-concurrent causation’ language in contracts to prevent the application of the concurrent-causation doctrine,” such language must be “clear and specific.”  Id.  The court concluded that, “[a]s a matter of law, the Bond’s reference to ‘indirectly’” was not clear and specific, and was insufficient to circumvent the doctrine.  Id. at *11.

Finally, the carrier argued that even if the district court correctly applied the concurrent-causation doctrine, it erred in concluding that the fraudulent hacking of the computer system by a criminal third party was the overriding, or efficient and proximate, cause of the loss.  At a minimum, the carrier contended, the issue should have been one for the jury to decide.  Id. at *11.  Again, the court disagreed, concluding that the fraudulent wire transfers was not a foreseeable or inevitable result of the employees’ negligence and actions:

We agree with the district court’s conclusion that “the efficient and proximate cause” of the loss in this situation was the illegal transfer of the money and not the employees’ violations of policies and procedures. . . .  an illegal wire transfer is not a “foreseeable and natural consequence” of the bank employees’ failure to follow proper computer security policies, procedures, and protocols.  Even if the employees’ negligent actions “played an essential role” in the loss and those actions created a risk of intrusion into Bellingham’s computer system by a malicious and larcenous virus, the intrusion and the ensuing loss of bank funds was not “certain” or “inevitable.”

Id. at *13-14.  According to the court, “[t]he ‘overriding cause’ of the loss Bellingham suffered remains the criminal activity of a third party.”  Id. at *14.  Therefore, it held that the district court properly granted the bank summary judgment.

This entry was posted in Data Breach Insurance Coverage, Uncategorized.


This entry was posted by on .

We have all heard the question “if a tree falls in the forest…,” a philosophical experiment that raises questions of observation, knowledge, and reality. Whether or not the philosopher George Berkeley deserves credit for first raising the question, if still alive, he may have been disappointed in yesterday’s decision, Travelers Indem. Co. of Am. v. Portal Healthcare Solutions, LLC, No. 14-1944 (4th Cir. Apr. 11, 2016). In that case, the trial court had addressed the legal question of “whether materials are published if they are posted on the Internet, but no one reads them?”  As discussed by The Coverage Inkwell in August 2014, the trial court answered the question in the affirmative. Yesterday, the Fourth Circuit affirmed the decision, but never really weighed in on the question. That’s too bad.

The facts of the case are straightforward. The insured Portal Healthcare Solution (“Portal”) specialized in the electronic safekeeping of medical records for hospitals, clinics, and other medical providers.  Travelers Indem. Co. of Am. v. Portal Healthcare Solutions, LLC, 35 F. Supp. 3d 765, 767-78 (E.D. Va. 2014). A New York putative class action was filed against it, alleging that Portal had failed to safeguard the confidentiality of the medical records of patients at Glen Falls Hospital (“Glen Falls”) by posting them on the Internet and making them publicly accessible through Internet searches. Id. Two patients of Glen Falls discovered the breach when they conducted a Google search for their names and found links that directed them to their Glen Falls medical records. Id.

Travelers issued two policies, each having slightly different language. One covered injury arising from the “electronic publication of material that … gives unreasonable publicity to a person’s private life.” The second covered injury arising from the “electronic publication of material that … discloses information about a person’s private life.”  Id. at 767. The key issue in the trial court was whether making medical records accessible on the Internet constituted a “publication” under the terms of the policies, even if no one had read the information.

Looking to dictionary definitions for the word “publication,” the trial court concluded that the meaning of “publication” includes “to place before the public (as through a mass medium).” Id. at 770. Thus, making the records accessible constituted a “publication.”

Exposing medical records to the online searching of a patient’s name, followed by a click on the first result, at least “potentially or arguably” places those records before the public.  Any member of the public could retrieve the records of a Glen Falls patient, whether he or she was actively seeking those records or searching a patient’s name for other purposes, like a background check.  Because medical records were placed before the public, the Court finds that Portal’s conduct falls within the plain meaning of “publication.”

Id. at 770 (bold added). The trial court summarily rejected the argument that because Portal Healthcare had not intended to release the information, there was no “publication,” stating that “the issue cannot be whether Portal intentionally exposed the records to public viewing since the definition of ‘publication’ does not hinge on the would-be publisher’s intent.” Id.

Importantly, the court also rejected the argument that because no one had read the records, there was no “publication.” In other words, the court took the approach that if a tree falls, of course it makes a sound:

Publication occurs when information is “placed before the public,” not when a member of the public reads the information placed before it.  By Travelers’ logic, a book that is bound and placed on the shelves of Barnes & Noble is not “published” until a customer takes the book off the shelf and reads it.  Travelers’ understanding of the term “publication” does not comport with the term’s plain meaning, and the medical records were published the moment they became accessible to the public via an online search.

Id. at 771.

On appeal, the Fourth Circuit “commended” the trial court for its “sound legal analysis,” but did not add more, including on the scope of the term “publication.” Noting that Virginia is an “eight corners rule” state and that the duty to defend is broader than the duty to indemnify, the appellate court referred to the trial court’s conclusion that “the class-action complaint ‘at least potentially or arguably’ alleges a ‘publication’ of private medical information by Portal that constitutes conduct covered under the Policies.” (Slip Op. at 6.) Thus, the trial court reasoned, the release of information on the Internet, if proven, “would have given ‘unreasonable publicity to, and disclose[d] information about, patients’ private lives,’ because any member of the public with an internet connection could have viewed the plaintiffs’ private medical records during the time the records were available online.” (Id.) Under the broad scope of the duty to defend, the Fourth Circuit could not disagree:

Put succinctly, we agree with the Opinion that Travelers has a duty to defend Portal against the class-action complaint.  Given the eight corners of the pertinent documents, Travelers’s efforts to parse alternative dictionary definitions do not absolve it of the duty to defend Portal.  [Citation omitted.]   See Seals v. Erie Ins. Exch., 674 S.E.2d 860, 862 (Va. 2009) (observing that the courts “have been consistent in construing the language of [insurance] policies, where there is doubt as to their meaning, in favor of that interpretation which grants coverage, rather than that which withholds it” (quoting St. Paul Fire & Marine Ins. Co., 316 S.E.2d at 736)).

(Id. at 6-7.)

What this case means.  Two years ago, I noted that this was a difficult case for an insurer to win.  It was undisputed that the records were available on the Internet.  Typically, when determining whether an underlying complaint alleges a “publication,” many courts look to dictionary definitions, which define the term to mean distribution to the public at large.  That is what the trial court did here, and the Fourth Circuit agreed.  Typically, the question of whether the material at issue was read is not asked or addressed.

The trial court rejected the contention that if material is not read, it is not published.  In doing so, the court used a persuasive analogy of an untouched book on a shelf.  The Fourth Circuit appeared to have no interest in delving into that question, at least in the context of the duty to defend.  That is too bad because the argument does raise interesting issues, not the least of which is whether a ”publication” is just the release of information or also the consumption of it?

This entry was posted in Data Breach Insurance Coverage, Privacy Rights and tagged , .


This entry was posted by on .

Last week, the United States District Court for the Southern District of Texas held that an Electronic Data and Distribution of Material in Violation of Statutes exclusion, a variant of the Telephone Consumer Protection Act (“TCPA”) exclusion, did not prohibit coverage for an insured’s wrongful, online publication of genetic data in violation of a statute.  Evanston Ins. Co. v. Gene By Gene, Ltd., 2016 WL 102294 (S.D. Texas, Jan. 6, 2016).  In so holding, the court construed the exclusion to address solely intrusion upon seclusion claims.  The facts of the case are straightforward.

The insured, Gene by Gene Ltd. (“GBG”), owned and operated a genealogy website whereby users of the site were offered the opportunity to take DNA tests and then use their genetic information from the tests to learn more about their ancestry and connect with other users whose results matched their own results in varying degrees.  Gene By Gene, 2016 WL 102294 at *1.  An underlying plaintiff sued GBG in Alaska federal court, alleging that GBG improperly published his DNA test results on its website without his consent and in violation of Alaska’s Genetic Privacy Act.  Id.  The Genetic Privacy Act prohibits disclosure of a person’s DNA analysis without written and informed consent.  See AS §18.13.010.

GBG tendered its defense to its insurer, which issued four professional liability policies providing coverage for “personal injury,” defined therein as injury arising out of “oral or written publication of material that violates a person’s right of privacy.”  Id. at *1, *3.  The insurer, however, denied coverage based on an “Electronic Data and Distribution of Material in Violation of Statutes” exclusion.  Id. at *1.  Coverage litigation ensued and GBG moved for summary judgment.

GBG contended that defense coverage existed because the underlying action alleged injury that arises out of the written publication of material that violates a person’s right of privacy.  The insurer contended that Distribution of Material exclusion applied because the exclusion prohibited coverage for violation of “any other statute, law, rule, ordinance, or regulation that prohibits or limits the sending, transmitting, communication or distribution of information or other material.”  Id. *2.  Specifically, the insurer argued that the exclusion applied because the underlying action was brought pursuant to a statute (the Genetic Privacy Act), which prohibits the transmission, communication, or distribution of information or other material, namely, the public disclosure of a person’s DNA analysis on Gene by Gene’s website.  Id. at *4.  The court held that the underlying action alleged “personal injury” because the action asserted “the publication of material—the DNA analysis—that allegedly violates a person’s right to privacy.”  Id. at *3.  It then held that the Distribution of Material exclusion did not apply.

The court concluded that the insurer’s reading of the exclusion was too broad and would render the policies’ advertising injury and personal injury coverage illusory.  Id. at *4-5.  The exclusion prohibited both statutory and common law violations.  Because both advertising injury (libel and defamation) and personal injury (invasion of privacy) inherently involved communications in violation of law, the court reasoned that, under the insurer’s reading of the Distribution of Material exclusion, the exclusion would preclude coverage for all instances advertising injury and personal injury.  Id. at *5.  The court further noted that in some states, such as Texas, “traditional defamation” injuries, like libel and disparagement of goods and services, are regulated by statute.  Id.  The court concluded that the exclusion was not intended to preclude such claims.

Yet, perhaps most compelling to the court was its conclusion that the intent and protected interests behind the Distribution of Material exclusion and the Genetic Privacy Act differed.  The court held that the Distribution of Material exclusion, another variant of the TCPA exclusion, was intended to address intrusion upon seclusion claims, a protection that was not contemplated by the Genetic Privacy Act:

The Genetic Privacy Act does not concern unsolicited communication to consumers, but instead regulates the disclosure of a person’s DNA analysis.  The facts upon which the claim is based deal solely with Gene by Gene’s alleged improper disclosure of DNA test results on its public website and to third-parties.  The facts alleged in the complaint do not address the type of unsolicited seclusion invasion contemplated by the Exclusion.  Accordingly, the Underlying Lawsuit is not excluded from Gene by Gene’s policy coverage.  [Emphasis added.]

Id. at *6.  Because of this mismatch, the exclusion did not apply.

What this case means.  This case is interesting because it addresses a new twist on the TCPA exclusions.  Are cybersecurity claims next?  Some might herald this decision as a defeat for insurers and a scaling back of the exclusion.  My thought – not really.  The court construed the exclusion to address solely intrusion upon seclusion claims, which is not that remarkable – although, maybe unwarranted.  Yet, it is important remember that by including violations of mere “law” within its scope, the form of the exclusion at issue was very broad – indeed, broader than many variants of the TCPA exclusion.  That distinction was not lost on the court, which believed (and perhaps rightly so) that the fundamental logic for applying the exclusion in the case before it would have eviscerated coverage under the policy’s “advertising injury and personal injury” insuring agreement.  The court also recognized a potential mismatch between the exclusion and the Genetic Privacy Act.  It’s an interesting observation.  However, by then, the Court already had made its decision.

This entry was posted in Data Breach Insurance Coverage, Privacy Rights.


This entry was posted by on .

A source of computer fraud is the rogue employee or authorized user whose abuses access into a network system for unlawful purposes.  Readers of The Coverage Inkwell will know that the Inkwell has addressed the meaning of unauthorized access in the context of cyber insurance for a few years.

In the context of the Computer Fraud and Abuse Act, 18 U.S.C. §1030, the United States Court of Appeals for the Ninth Circuit, in U.S. v. Nosal, 676 F.3d 854 (9th Cir. 2012), in essence limited the meaning “exceeds authorized access” to hackers, not inside corporate personnel accessing a computer network for unauthorized (i.e., illegal) purposes.  Yesterday, the New York Court of Appeals, in Universal American Corp. v. National Union Fire Ins. Co. of Pittsburgh, PA, 2015 N.Y. Slip Op. 05516, 2015 WL 3885816 (N.Y. June 25, 2015) held that the phrase “fraudulent entry” into a computer system was limited to instances of outside hackers, not fraudulent content submitted by authorized users.

In the case, the insured Universal American Corp. (“Universal”) was a health insurance company that offers a choice of federal government-regulated alternatives to Medicare, known as medical advantage plans.  (Please note, because the decision was published only yesterday, page references currently are unavailable.)  Universal had a computerized billing system that allowed health care providers to submit bills for the medical advantage plans directly into the system.  A majority of such claims were approved and paid by Universal automatically and without manual review.  Universal ultimately suffered over $18 million in losses for payments of fraudulent claims for services that were never performed under the plans.

Universal sought coverage under had an insurance, which provided coverage by endorsement for computer systems fraud.  The endorsement stated as follows:


It is agreed that:

  1. the attached bond is amended by adding an Insuring Agreement as follows:


Loss resulting directly from a fraudulent

(1) entry of Electronic Data or Computer Program into, or

(2) change of Electronic Data or Computer Program within the Insured’s proprietary Computer System

provided that the entry or change causes

(a) Property to be transferred, paid or delivered,

(b) an account of the insured, or of its customer, to be added, deleted, debited or credited, or

(c) an unauthorized account or a fictitious account to be debited or credited[.]  (Emphasis added)

The insurer denied coverage on the ground that the endorsement did not cover Medicare fraud, i.e., losses from payment for fraudulent claims submitted by authorized health care providers.

In the ensuring coverage litigation, the trial court granted the insurer summary judgment.  Focusing on the words “fraudulent” “entry,” and “change,” the court concluded that coverage did not extend to fraudulent claims entered into Universal’s system by authorized users; instead, coverage extended only to unauthorized entries into the computer system by a hacker or through a computer virus.  The New York Appellate Division affirmed, stating that the policy did not cover fraudulent content entered by authorized users, but instead covered “wrongful acts in manipulation of the computer system, i.e., by hackers.”

The New York Court of Appeals affirmed, holding that the policy endorsement was clear and unambiguous.  The Court held that the policy “unambiguously applies to losses incurred from unauthorized access to Universal’s computer system, and not to losses resulting from fraudulent content submitted to the computer system by authorized users.”  The Court based its conclusion on the fact that the term “fraudulent” modified the terms “entry” or “change” to mean that coverage applied to a dishonest entry or change of electronic data or computer program by “hacking” into the computer system:

The term “fraudulent” is not defined in the Rider, but it refers to deceit and dishonesty (see Merriam Webster’s Collegiate Dictionary [10th ed. 1993] ).  While the Rider also does not define the terms “entry” and “change,” the common definition of the former includes “the act of entering” or “the right or privilege of entering, access,” and the latter means “to make different, alter” (id.).  In the Rider, “fraudulent” modifies “entry” or “change” of electronic data or computer program, meaning it qualifies the act of entering or changing data or a computer program.  Thus, the Rider covers losses resulting from a dishonest entry or change of electronic data or computer program, constituting what the parties agree would be “hacking” of the computer system.  The Rider’s reference to “fraudulent” does not also qualify what is actually acted upon, namely the “electronic data” or “computer program” itself.  [Emphasis added.]

According to the Court, “[t]he intentional word placement of ‘fraudulent’ before ‘entry’ and ‘change’ manifests the parties’ intent to provide coverage for a violation of the integrity of the computer system through deceitful and dishonest access.”

In so holding, the Court rejected Universal’s argument that “‘fraudulent entry’ means ‘fraudulent input’ because a loss due to a fraudulent entry by necessity can only result from the input of fraudulent information.”  The Court reasoned that such a conclusion would render the words “a” and “of” in the sentence “a fraudulent (1) entry of Electronic Data or Computer Program into” superfluous:

This would render superfluous the word “a” before “fraudulent,” and the word “of” before “electronic data or computer program.” Universal’s proposed interpretation is easily achieved by providing coverage for a “loss resulting directly from fraudulent data.”  Of course, that is not what the [endorsement] says.

Because the losses suffered by Universal were not the result of hacking, there was no coverage under the policy.

Questions are welcome.

This entry was posted in Data Breach Insurance Coverage, Privacy Rights and tagged .