Category Archives: Data Breach Insurance Coverage

New York’s Highest Courts Says Coverage for Loss From “Fraudulent Entry” Into Computer System Limited to Hacking


This entry was posted by on .

A source of computer fraud is the rogue employee or authorized user whose abuses access into a network system for unlawful purposes.  Readers of The Coverage Inkwell will know that the Inkwell has addressed the meaning of unauthorized access in the context of cyber insurance for a few years.

In the context of the Computer Fraud and Abuse Act, 18 U.S.C. §1030, the United States Court of Appeals for the Ninth Circuit, in U.S. v. Nosal, 676 F.3d 854 (9th Cir. 2012), in essence limited the meaning “exceeds authorized access” to hackers, not inside corporate personnel accessing a computer network for unauthorized (i.e., illegal) purposes.  Yesterday, the New York Court of Appeals, in Universal American Corp. v. National Union Fire Ins. Co. of Pittsburgh, PA, 2015 N.Y. Slip Op. 05516, 2015 WL 3885816 (N.Y. June 25, 2015) held that the phrase “fraudulent entry” into a computer system was limited to instances of outside hackers, not fraudulent content submitted by authorized users. Read More

This entry was posted in Data Breach Insurance Coverage, Privacy Rights and tagged .

Pennsylvania Court Refuses to Impose New Duty on Employers to Protect PII From Data Breaches


This entry was posted by on .

A common allegation in cyber security data breach litigation is that the data breach victim breached its duty of care in failing to adequately protect  plaintiffs’ personal identification information (“PII”) from a data breach.  Very recently, the Pennsylvania Court of Common Pleas of Allegheny County in Dutton v. UPMC, No. GD-14-003285 (May 28, 2015), dismissed such a claim, refusing requests to create a new duty of care on an employer who suffered a data breach resulting in the compromise of its employees’ PII.  In so holding, the court reasoned that to create such a duty would place too heavy of a burden on corporate entities already incentivized to protect PII.  It also would inundate the judiciary with a flood of litigation.  The court instead looked to the state legislature to determine whether to impose this obligation.

In the case, the plaintiffs filed a putative class action of current and former The University of Pittsburgh Medical Center (“UPMC” )employees whose PII had been stolen from UPMC’s computer systems.  Plaintiffs’ alleged that UPMC owed a duty to protect their PII and had breached that duty under theories of negligence and breach of contract.  Dutton v. UPMC, No. GD-14-003285, slip op., at 1-2.  Duties allegedly owed by UPMC included: Read More

This entry was posted in Data Breach Insurance Coverage, Privacy Rights and tagged , .

In IBM Data Breach Case, There Can Be No Publication Without Access


This entry was posted by on .

In Recall Total Info. Management, Inc. v. Federal Ins. Co., No. SC 19291, the Connecticut Supreme Court upheld the appellate court’s decision that a data breach suffered by IBM was not covered under general liability policies’ “personal and advertising injury” coverage.

In that case, Recall Total had contracted with IBM to transport off-site and store computer tapes containing the encrypted personal information of current and former IBM employees.  Recall then subcontracted the transportation services to Ex Log.  Ex Log lost the computer tapes when they fell from Ex Log’s truck onto the roadside and were retrieved by an unknown individual.  Importantly, there was no evidence that anyone ever accessed the information on the tapes or that their loss caused injury to any IBM employee.  Nevertheless, IBM spent significant sums of money providing identity theft services and complying with state notification requirements.  IBM sought to recoup its losses from Recall Total and Ex Log. Read More

This entry was posted in Data Breach Insurance Coverage, Privacy Rights.

Sony Data Breach Coverage Litigation Settles


This entry was posted by on .

As reported in news outlets, including Law360, Sony and its insurers have settled their data breach coverage litigation, two months after the New York appellate division heard oral argument.

Sony had sought coverage for numerous data breach class action lawsuits filed against it following the 2011 data breach into its PlayStation network.  Its general liability policies provided personal and advertising injury coverage for oral or written publication, in any manner, of material that violates a person’s right to privacy.  The trial court held that the insurers had no duty to defend because coverage applied only for violations of privacy committed by Sony, as the policyholder, and not by third parties who hacked into Sony’s network and stole personally identifiable information (“PII”). Read More

This entry was posted in Data Breach Insurance Coverage, Privacy Rights and tagged , .

U.S. Treasury To Banks: Buy Cyber Insurance


This entry was posted by on .

Here’s a quick item of note, which ran in recent reports and is worth repeating.  Deputy Treasury Secretary Sarah Raskin, when speaking at conference of the Texas Bankers’ Association, advised that banks need to purchase cyber risk insurance – pointing to recent data breaches suffered by Target, Home Depot, and JP Morgan as evidence.  Raskin stated:

We have learned from these attacks that the prevalence of cyber risk creates a persistent and complex challenge for financial institutions spanning the sector, including financial institutions of all types and all sizes. Read More

This entry was posted in Data Breach Insurance Coverage and tagged .

Medical Records, The Internet, and A “Publication”


This entry was posted by on .

Last week, the federal District Court in Virginia issued a quasi security/data breach coverage case where the court concluded that making private medical records accessible online constituted a publication even though there was no evidence that a third party had accessed them.  Travelers Indem. Co. of Am. v. Portal Healthcare Solutions, LLC, No. 13-917, 2014 WL 3887797 (E.D. Va. Aug. 7, 2014).  The mere fact that the records were accessible satisfied the plain and ordinary meaning of the term “publication” to implicate the duty to defend.  What makes this decision noteworthy is how the Court distinguished the case before it from other decisions limiting the meaning of the term “publication.”  Given that many healthcare providers are introducing “online” services for medical records, brokers and underwriters also may want to take note of this decision. 

Portal Healthcare Solution (“Portal”) was a business specializing in the electronic safekeeping of medical records for hospitals, clinics, and other medical providers.  Id. at *1.  A New York putative class action was filed against it, alleging that Portal had failed to safeguard confidential medical records of patients at Glen Falls Hospital (“Glen Falls”), posting those records on the internet and causing them to become publicly accessible on the internet.  Id.  Two patients of Glen Falls discovered the breach when they ran a Google search of their names, and found links that directed them to their Glen Falls medical records.  Id. at *2.  (Honestly, how many of you are now going to Google your name?  I did.)  Read More

This entry was posted in Data Breach Insurance Coverage, Privacy Rights, Uncategorized and tagged .

Three Missed Takeaways From the Sony Data Breach Case


This entry was posted by on .

In Zurich Amer. Ins. Co. v. Sony Corp., Index No. 651982/2011 (N.Y. Supr. Ct. Feb. 21, 2014), the New York trial court held that Sony Corporation was not entitled to insurance coverage under general liability policies for the multitude of data breach lawsuits filed against it in connection with the Sony’s PlayStation data breach.  The Court reasoned that because none of the lawsuits alleged that Sony had been the entity publishing material, the lawsuits did not allege “oral or written publication, in any manner, of material that violates a person’s right of privacy” to satisfy the definition for “personal and advertising injury” under Coverage B of the policies.

Plenty has been written about this holding.  However, comparably little attention has been given to other conclusions rendered by the Court in its decision.  Arguably, given Sony’s notoriety, and the forthcoming ISO data breach exclusions for general liability policies, these other holdings could have a broader and more long-lasting impact in privacy litigation than the main holding that has caused such an uproar. Read More

This entry was posted in Data Breach Insurance Coverage and tagged , , .

Sony Data Breach: No Publication By Sony, No Coverage


This entry was posted by on .

Today, as reported by Law360, the New York Supreme Court (New York’s trial court) held that two insurers have no duty to defend Sony Corporation in approximately 60 underlying lawsuits filed in connection with the 2011 data breach of Sony’s PlayStation Network.  There is no written opinion available.

Following oral arguments, Judge Oing ruled from the bench that Sony’s liability policies, which provide personal and advertising injury coverage for oral or written publication of material that violates a person’s right to privacy, applies only to actions committed by Sony, as the policyholder, and not to the actions of third-parties who hacked into the network and stole personally identifiable information (PII). Read More

This entry was posted in Data Breach Insurance Coverage.

Data Breach Lawsuits Don’t Allege Viable Invasion of Privacy Claim


This entry was posted by on .

Last week, The Coverage Inkwell discussed a new data breach case, Galaria v. Nationwide Mut. Ins. Co., No. 13-118 (S.D. Ohio Feb. 10, 2014), in which an Ohio federal court held that a slew of allegations in two putative class action lawsuits, including increased risk of identity theft, and out-of-pocket credit monitoring expenses, did not constitute an injury for purposes of standing.  The court also addressed whether the lawsuits alleged viable claims of the tort of invasion of privacy.  This latter issue is now addressed here.

In Galaria, Nationwide Mutual Insurance Company was sued by two putative class actions after it notified class members that data thieves had hacked into its computer systems and stolen class members’ personally identifiable information (PII).  (Id. at 2-3.)  In its notification letter, Nationwide suggested that plaintiffs undertake steps to safeguard their PII, including to monitor their credit reports and bank statements, and it offered them one year of free credit monitoring and identity theft protection through Equifax. (Id. at 2.)  Nationwide also suggested that plaintiffs freeze on their credit reports at their own expense.  (Id.) Read More

This entry was posted in Data Breach Insurance Coverage.

Attention Shoppers: Increased Risk of Identity Theft From a Data Breach Is Not an Injury


This entry was posted by on .

A new data breach decision has just come out, Galaria v. Nationwide Mut. Ins. Co., No. 13-118 (S.D. Ohio Feb. 10, 2014).  The decision, a copy of which is attached, involves two putative class action lawsuits alleging increased risk of identity theft as a result of a data breach and theft of personally identifiable information (“PII”).  The issues addressed by the Court are whether such claims allege an injury, and whether they allege a viable claim for invasion of privacy.

Both issues are critical in data breach claims.  Because space afforded here is limited, The Coverage Inkwell will address each issue separately.  This issue focuses on the Court’s discussion of whether allegations of increased risk of identity theft, fraud, and phishing resulting from a data breach constitutes an actual injury to satisfy standing requirements.  The next issue will focus on the Court’s discussion of whether the data breach claim alleged a viable claim for invasion of privacy. Read More

This entry was posted in Data Breach Insurance Coverage.