Category Archives: Data Breach Insurance Coverage

Second Circuit Holds Phishing Email Using PHP Script is Covered “Computer Fraud”



Scams from business compromise emails (BECs) have been labeled by the FBI as a “$5 billion” problem. Sometimes known as “CEO Fraud,” a BEC is an email, purportedly coming from a high-ranking company official or vendor, that instructs an employee to wire a sum of money to a bank account, or instructs the employee to wire money owed to a new bank account. The company thereafter authorizes and wires the money to the new account, which is controlled by fraudsters. The fraudsters then withdraw the money before the fraud is discovered.

On July 6, 2018, the United States Court of Appeals for the Second Circuit, in Medidata Solutions, Inc. v. Federal Ins. Co., 17-2492 (July 6, 2018), became the first U.S. Court of Appeals to determine that a BEC perpetrated using a PHP script as a spoofing tool implicates “computer fraud” coverage under a crime policy.

This entry was posted in Counterfeiting, Data Breach Insurance Coverage.

No Coverage for Data Breach Where Insured Isn’t Accused of Publishing



In the lawsuit Innovak Int’l, Inc. v. Hanover Ins. Co., the federal court for the Middle District of Florida recently held that an underlying data breach class action lawsuit did not implicate “personal and advertising injury” coverage because the insured was not the entity accused of publishing the compromised personal information (PI).

The decision is relevant not only because the court rejected claims for cyber coverage under a CGL policy, but also because it follows a recent trend in litigation over Coverage B: namely, if the insured is not the one accused of publishing the information at issue, there is no “personal and advertising liability” coverage. In other words, Coverage B does not apply to third-party publications, even if the insured is the entity ultimately sued. E.g., Steadfast Ins. Co. v. Tomei, 2016 Pa. Super. Unpub. LEXIS 1864, at *17 (Pa. Super. Ct. May 24, 2016); Zurich Am. Ins. Co. v. Sony Corp., No. 651982/2011 (N.Y. Supr. Ct. Feb. 21, 2014).

This entry was posted in Data Breach Insurance Coverage, Privacy Rights.

NAIC Passes Model Law for Insurers and Brokers on Cybersecurity



By Joshua Mooney and Laura Schmidt

On October 24, 2017, the National Association of Insurance Commissioners (NAIC) passed its Insurance Data Security Model Law, intended to serve as model legislation for states to enact in order to govern cybersecurity and data protection practices of insurers, insurance agents, and other licensed entities registered under state insurance laws (defined therein as Licensees).

This entry was posted in Data Breach Insurance Coverage, Privacy Rights.

Court Holds No Insurance Coverage for Phishing Scam



Yesterday, a federal court held that a company’s financial losses for mis-wiring funds as a result of a phishing scam were not covered under a computer crime insurance policy. The decision, American Tooling Ctr. v. Travelers Cas. & Sur. Co. of Am., No. 16-12108 (E.D. Mich. Aug. 1, 2017), is another case in which financial losses resulting from a phishing scam were held to be unrecoverable under insurance.

In that case, the insured, American Tooling Center (“ATC”), was a tool and die manufacturer that outsourced some of its work to other die manufacturing companies overseas, including a vendor called Shanghai YiFeng Automotive Die Manufacture Co., Ltd. (“YiFeng”). As part of its normal business practice, ATC issued purchase orders to YiFeng, which in turn manufactured the requested dies. ATC paid YiFeng in stages based upon completion of certain milestones. To receive payment, YiFeng submitted its invoices to ATC by email. Once ATC verified that the milestone had been met, it wired the appropriate payment to YiFeng. Id. at 2.

This entry was posted in Data Breach Insurance Coverage.

5th Circuit Holds That Phishing Scam Does Not Implicate Computer Fraud Coverage



In Apache Corp. v. Great American Ins. Co., 2016 U.S. App. LEXIS 18748 (5th Cir. Oct. 18, 2016), the United States Court of Appeals for the Fifth Circuit held that loss from a phishing scam, which led to misdirected payments in the amount of $7 million, was not covered under a policy’s computer fraud coverage.  Although the fraudulent scheme was initiated through emails, the court held that the emails were too incidental to classify the insured’s subsequent loss as one “resulting directly from the use of any computer to fraudulently cause a transfer of that property.”

The facts of the case are straightforward and illustrate why every company should adopt double verification practices as a preventive measure against cyber fraud. In the case, the insured, Apache Corporation, was an oil-production company. An employee in Scotland received a telephone call from a person identifying herself as a representative of Petrofac, an Apache vendor. The caller instructed Apache to change the bank-account information for payments Apache made to Petrofac. The Apache employee replied that the change-request could not be processed without a formal request on Petrofac letterhead. Id. at *2.

This entry was posted in Data Breach Insurance Coverage.

Article III Standing in Data Breach Litigation and Problems Galaria Poses for Data Breach Responses



Last week, in Galaria v. Nationwide Mut. Ins. Co., 2016 U.S. App. LEXIS 16840 (6th Cir. Sept. 12, 2016), the United States Court of Appeals for the Sixth Circuit weighed in on the issue of Article III standing for data breach litigation and effectively lowered the threshold to establish standing. The decision echoes sentiments expressed by the Seventh Circuit in Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016), and Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015). The facts are straightforward, and the decision is part of an ongoing trend by courts to make it easier to allege injury and bring data breach litigation. This will drive up litigation. Yet here is a bigger problem: the Sixth Circuit based its determination that standing existed to sue a breach victim on actions undertaken by the breach victim to mitigate damage and help consumers prevent the very harm that plaintiffs later sued over. Is the message of “darned if you do” one that courts want to establish? Can decisions like Galaria create an adverse impact on response efforts undertaken by breach victims? These are issues that a breach victim will have to wrestle with early on, and they provide one more reason why cyber counsel should be retained.

The facts of Galaria are straightforward. In that case, the breach victim, Nationwide, maintained records containing personal information of customers and potential customers, including names, dates of birth, marital statuses, employers, Social Security numbers, and driver’s license numbers. On October 3, 2012, hackers breached Nationwide’s computer network and stole the personal information of 1.1 million people. Id. at *3. In the underlying data breach litigation that followed, putative class actions alleged violation of the Fair Credit Reporting Act (“FCRA”) through Nationwide’s failure to adopt required procedures to protect against wrongful dissemination of plaintiffs’ data. Plaintiffs also alleged claims for negligence, and invasion of privacy by public disclosure of private facts – all based on Nationwide’s failure to secure Plaintiffs’ data. Id. at *4.

This entry was posted in Data Breach Insurance Coverage, Privacy Rights.

No Coverage for PCI Assessment Liability Under Cybersecurity Policy



In P.F. Chang’s China Bistro, Inc. v. Federal Ins. Co., 2016 WL 3055111 (D. Ariz. May 31, 2016), the United States District Court for the District of Arizona held that liability for PCI assessments following a data breach of 60,000 credit card numbers was excluded under a cybersecurity policy. This case demonstrates the importance and ability of carriers to define the risk insured under a policy, including cybersecurity insurance.

In PF Chang’s, the insured purchased a cybersecurity insurance policy. The insurer’s underwriters classified the insured as a high risk, “PCI Level 1”, because the insured conducted more than 6 million transactions per year, a large number of which were with credit cards, thus creating a high exposure to potential customer identity theft. Id. at *1. The insured, like many merchants, was unable to process credit card transactions itself, and therefore entered into an agreement with a credit card processor to process credit card transactions with the banks who issue the credit cards (“Issuers”), such as Chase or Wells Fargo. Here, Chang’s entered into a Masters Service Agreement (“MSA”) with the credit card processor Bank of America Merchant Services (“BAMS”) to process credit card payments made by customers of Chang’s. Id. Under the MSA, Chang’s delivered customer credit card payment information to BAMS, who then settled the transaction through an automated clearinghouse. BAMS thereafter credited the Chang’s account for the amount of the payments. Id.

This entry was posted in Data Breach Insurance Coverage.

Financial Institution Bond Covers Loss From Hacking



In State Bank v. BancInsure, Inc., 2016 U.S. App. LEXIS 9235 (8th Cir. May 20, 2016), the United States Court of Appeals for the Eighth Circuit held that a $485,000 fraudulent wire transfer perpetrated through the use of malware residing on a bank employee’s computer was covered under the bank’s financial institution bond.  The facts are straightforward.

The insured used the Federal Reserve’s FedLine Advantage Plus system to perform wire transfers. The transfers were made through a desktop computer connected to a Virtual Private Network device provided by the Federal Reserve. In order to complete a transfer, two bank employees had to enter their individual user names, and each had to insert individual physical tokens into the computer, and provide individual passwords and passphrases.

This entry was posted in Data Breach Insurance Coverage, Uncategorized.

Making Records Accessible on the Internet Is a “Publication”



We have all heard the question “if a tree falls in the forest…,” a philosophical experiment that raises questions of observation, knowledge, and reality. Whether or not the philosopher George Berkeley deserves credit for first raising the question, if still alive, he may have been disappointed in yesterday’s decision, Travelers Indem. Co. of Am. v. Portal Healthcare Solutions, LLC, No. 14-1944 (4th Cir. Apr. 11, 2016). In that case, the trial court had addressed the legal question of “whether materials are published if they are posted on the Internet, but no one reads them?”  As discussed by The Coverage Inkwell in August 2014, the trial court answered the question in the affirmative. Yesterday, the Fourth Circuit affirmed the decision, but never really weighed in on the question. That’s too bad.

The facts of the case are straightforward. The insured, Portal Healthcare Solutions (“Portal”), specialized in the electronic safekeeping of medical records for hospitals, clinics, and other medical providers. Travelers Indem. Co. of Am. v. Portal Healthcare Solutions, LLC, 35 F. Supp. 3d 765, 767-78 (E.D. Va. 2014). A New York putative class action was filed against it, alleging that Portal had failed to safeguard the confidentiality of the medical records of patients at Glen Falls Hospital (“Glen Falls”) by posting them on the Internet and making them publicly accessible through Internet searches. Id. Two patients of Glen Falls discovered the breach when they conducted a Google search for their names and found links that directed them to their Glen Falls medical records. Id.

This entry was posted in Data Breach Insurance Coverage, Privacy Rights.

Electronic Data and Distribution of Material Exclusion Does Not Bar Coverage for Disclosure of Genetic Data



Last week, the United States District Court for the Southern District of Texas held that an Electronic Data and Distribution of Material in Violation of Statutes exclusion, a variant of the Telephone Consumer Protection Act (“TCPA”) exclusion, did not prohibit coverage for an insured’s wrongful, online publication of genetic data in violation of a statute.  Evanston Ins. Co. v. Gene By Gene, Ltd., 2016 WL 102294 (S.D. Texas, Jan. 6, 2016).  In so holding, the court construed the exclusion to address solely intrusion upon seclusion claims.  The facts of the case are straightforward.

The insured, Gene by Gene Ltd. (“GBG”), owned and operated a genealogy website whereby users of the site were offered the opportunity to take DNA tests and then use their genetic information from the tests to learn more about their ancestry and connect with other users whose results matched their own results in varying degrees. Gene By Gene, 2016 WL 102294 at *1. An underlying plaintiff sued GBG in Alaska federal court, alleging that GBG improperly published his DNA test results on its website without his consent and in violation of Alaska’s Genetic Privacy Act. Id. The Genetic Privacy Act prohibits disclosure of a person’s DNA analysis without written and informed consent. See AS §18.13.010.

This entry was posted in Data Breach Insurance Coverage, Privacy Rights.