
Payee Denied Computer Fraud Coverage in Email Phishing Scams



Business Email Compromise (BEC) scams are becoming an increasing source of loss (think billions of dollars since 2013) to U.S. businesses, big and small. In Posco Daewoo Am. Corp. v. Allnex USA, Inc., 2017 U.S. Dist. LEXIS 180069 (D.N.J. Oct. 31, 2017), a payee whose invoices totaling $630,058 mistakenly were paid by a customer to a third party as a result of a phishing scam sought coverage for the loss under its own computer fraud coverage. A New Jersey federal district court held that no such coverage existed.

Posco Daewoo, which imported and exported chemicals, supplied its customer Allnex with a chemical product for which Allnex owed payment. In early 2016, an impostor posing as an employee of Posco Daewoo’s accounts receivable department sent emails to an employee of Allnex, instructing Allnex to wire payments to four separate Wells Fargo bank accounts. Id. at *2. Allnex, without confirming the authenticity of the email or the Wells Fargo bank accounts, wired three separate payments to the Wells Fargo accounts, totaling $630,058. Id. After the fraud was discovered, Allnex recovered $262,444 of the stolen $630,058. The remaining $367,613.46 was not recovered. Id. at *3. Posco Daewoo alleged that Allnex still owed it the remaining $367,613.46 to satisfy the original outstanding receivables. Allnex, on the other hand, contended that the unrecovered wire payments satisfied the balance it owed to Posco Daewoo. Id.

Posco Daewoo sought coverage for the lost funds under its “computer fraud” coverage in a crime policy. Id. The insurance policy insured Posco Daewoo for several types of loss resulting from criminal activity, including computer crime. The computer crime coverage read in part as follows:

  1. Computer Fraud

The Company will pay the Insured for the Insured’s direct loss of, or direct loss from damage to, Money, Securities, and Other Property directly caused by Computer Fraud.

The Policy defined “Computer Fraud” to mean:

The use of any computer to fraudulently cause a transfer of Money, Securities, or Other Property from the inside the Premises or Financial Institution Premises:

1. to a person (other than a Messenger) outside the Premises or Financial Institution Premises; or

2. to a place outside the Premises or Financial Institution Premises.

Id. at *4.

The policy also limited coverage to certain property, stating as follows:

5. Ownership of Property; Interests Covered

a. The property covered under this Crime Policy except as provided in 5.b. below is limited to a property:

i. that the Insured owns or leases;

ii. that the Insured holds for others:

(a) on the Insured’s Premises or the Insured’s Financial Institution Premises; or

(b) while in transit and in the care and custody of a Messenger; or

iii. for which the Insured is legally liable, except for property located inside the Insured’s Client’s Premises or the Insured’s Client’s Financial Institution Premises:

Id. at *6. If the alleged loss property did not fall within this provision, there would be no coverage.

Posco Daewoo argued that the phishing emails sent to Allnex constituted “The use of any computer to fraudulently cause a transfer of Money” to implicate the computer fraud coverage. The insurer, citing the Fifth Circuit decision in Apache Corp. v. Great American Ins. Co., argued that the use of a computer to send phishing emails was too incidental to satisfy the meaning of “computer fraud” or loss “directly” caused by “computer fraud.” Id. at *12-13.

The court, however, did not address either argument. Instead, it focused on the “Ownership of Property; Interests Covered” coverage limitation under the policy. Id. at *13.

Identifying subparagraph (i) of the provision – “that the Insured owns or leases” – as the only possible provision that could be applicable, the court held that because Posco Daewoo did not lease or own the mis-wired money in question, it had no right under the “Ownership of Property; Interests Covered” provision to recover under the policy. The court looked to Black’s Law Dictionary to determine the “plain and ordinary” meaning of “own,” which defined the word to mean “[t]o rightfully have or possess as property; to have legal title to.” Id. at *14.

Because Posco Daewoo did not plead that it had owned the money that was mis-wired, and could not plead that it had owned the money, its coverage claims were subject to dismissal. The court explained:

Plaintiff has not plausibly pled sufficient facts for the Court to find that it rightfully had, possessed, or had legal title to the money Allnex transferred into the Wells Fargo accounts. Plaintiff’s strongest claim to owning that money stems from Allnex’s intention. The parties do not dispute that Allnex intended Plaintiff to receive the wired money as payment for a debt. [Citation omitted.] However, a party’s intention of transferring legal title does not equate to an actual transfer of legal title without more.

Id. at *15. Thus, the court concluded that before payment, Posco Daewoo did not own the wired money, but only “a receivable, or a right to payment, as well as a potential cause of action for payment if it was not made.” Id. at *16. “In other words, Daewoo did ‘own’ something of value, but it was not the cash in the Wells Fargo accounts.” Id.

What this case means. The court never addressed the meaning of “use of a computer” in the context of a phishing scam, a topic that is being debated among several courts around the country. (For what it is worth, I think Posco Daewoo would have lost this argument.) Instead, the court addressed a separate, but just as meaningful issue, the limitation of insured interests for computer fraud coverage under a crime policy, as expressly provided for by the policy. Thus, this decision highlights another boundary for computer fraud coverage.

Although the loss caused by the mis-wired funds was felt both by Allnex and Posco Daewoo, the court clearly saw Allnex as the “owner” of the transferred money and thus the crime victim. The court also appeared to point a finger of blame at Allnex, albeit subtly. The court’s opinion noted how the transfer of funds to the Wells Fargo accounts had not gone “smoothly,” stating that:

After Allnex wired the first payment of $140,800 to an account numbered 3xxxxxx378, the impostor emailed Allnex that there was a “mix-up/typo” and asked Allnex to wire the other payments to an account numbered 2xxxxxx238. [Citation omitted.] Less than a month later, the Daewoo impostor emailed Allnex to once again change the receiving bank account to one numbered 2xxxxxx346. [Id.] When this third account rejected two payments from Allnex, the impostor gave Allnex a fourth account numbered 2xxxxxx246. [Id.] Allnex then completed the payment by wiring money to this fourth account.

These sorts of complications (repeated, last-minute changes to the receiving account) are red flags of a potential phishing fraud, and one wonders whether the court, by reciting these facts, was acknowledging the issue. Here, the policy did not insure the negligence of third parties, which is ultimately what Posco Daewoo was asking its own insurer to cover.


PA Court: Employers Have No Duty To Protect Employee PI



In Dittman v. UPMC d/b/a The University of Pittsburgh Medical Center, 2017 PA Super. 8 (Jan. 12, 2017), the Superior Court of Pennsylvania held that an employer does not owe employees a duty to protect and safeguard personal and financial information from disclosure in a data breach resulting from an intrusion into its computer network. While Dittman represents an important decision in emerging case law that declines to impose upon employers a common-law duty to protect employee information, the decision has important limitations. Those limitations may be exploited in future employment litigation and further illustrate the need for companies to adequately review their cybersecurity protocols with the assistance of cyber counsel.

The facts of Dittman are straightforward. In 2014, University of Pittsburgh Medical Center (UPMC) suffered a data breach that compromised the personal and financial information of approximately 62,000 current and former employees. Dittman, slip op. at 1-2. The stolen information included employees’ names, birth dates, social security numbers, tax information, addresses, salaries, and bank information. The information later was used to file fraudulent tax returns to steal the tax refunds. Id. at 2. Soon after UPMC announced the breach, two separate class action lawsuits were filed against the company. One lawsuit was comprised of current and former UPMC employees who had been victimized by identity theft; the other lawsuit involved current and former UPMC employees who had not been victims of identity theft, and instead alleged that they were at an increased risk of identity theft as a result of the data breach. Id. at 3.

Both lawsuits claimed that UPMC improperly failed to keep plaintiffs’ information safe and to prevent vulnerabilities in its computer system, including the failure to properly encrypt data, establish adequate firewalls, and implement adequate authentication protocols to protect the information on its network. Id. at 2-3. They asserted two causes of action: one based on negligence and a common-law duty to protect the information; the second based on breach of contract. Id. The trial court dismissed both lawsuits on the grounds that no contract or implied contract existed between UPMC and its employees to support a breach of contract claim, and that no common-law duty existed under tort law to impose upon UPMC (or other employers) a duty to safeguard the data of its employees. Id. at 4-5. In so holding, the court explicitly declined to create such a duty, deferring to the state legislature instead of what it saw as a request that the judiciary overreach by creating a duty. Id. On appeal, the Superior Court of Pennsylvania affirmed. This article focuses upon the court’s declination to create a common-law duty.

Under Pennsylvania law, whether a duty of care exists between parties to support a claim in tort depends upon an evaluation of five factors, sometimes known as the Althaus test. Those factors are:

(1) the relationship between the parties;

(2) the social utility of the actor’s conduct;

(3) the nature of the risk imposed and foreseeability of the harm incurred;

(4) the consequences of imposing a duty upon the actor; and

(5) the overall public interest in the proposed solution.

Id. at 6 (citing Althaus ex rel. Althaus v. Cohen, 756 A.2d 1166, 1169 (Pa. 2000)).

Courts impose a common law duty upon a party “where the balance of these factors weighs in favor of placing such a burden on a defendant.” Id. (quoting Phillips v. Cricket Lighters, 841 A.2d 1000, 1008 (Pa. 2003)). In Dittman, the court held that these factors did not support the imposition of a common-law duty upon UPMC.

The first factor, the relationship of the parties, weighed in favor of imposing a duty. An employer-employee relationship existed between the parties, and the court recognized that the law imposed other duties of the parties based on the existence of the relationship. Id. at 7. This was the only factor that the court found weighed in favor of a common-law duty.

Under the Althaus test, the second factor, the social utility of the actor’s conduct, is weighed against the third factor, the nature of the risk imposed and foreseeability of the harm incurred. Here, weighing both factors together, the court found that they did not support imposition of a common-law duty. Id. at 7. On the one hand, the court recognized the “obvious need [of employers] to collect and store personal information about their employees,” as well as the foreseeability of harm from data breaches, which are becoming more commonplace. Id. However, the fact that the data breach had been caused by a third-party hacker was dispositive of how these factors weighed. Under Pennsylvania law, the criminal acts of a third-party actor are a superseding cause. Id. (citing Ford v. Jeffries, 379 A.2d 111, 115 (Pa. 1977)). “It is well established that a defendant does not have a duty to guard against the criminal acts of superseding third-parties unless he realized, or should have realized, the likelihood of such a situation.” Id. at 7-8 (citation omitted); see also In re: The Home Depot, Inc. Customer Data Security Breach Litig., 2016 WL 2897520 (N.D. Ga. May 18, 2016) (independent duty to protect customer information where the company knew of substantial security risks dating back several years). Here, because the data breach was caused by a third party, and because there was no indication that UPMC knew about a specific threat or security flaw in its computer network, the foreseeability of a data breach did not support imposition of a duty upon UPMC:

While a data breach (and its ensuing harm) is generally foreseeable, we do not believe that this possibility outweighs the social utility of electronically storing employee information . . . . Although breaches of electronically stored data are a potential risk, this generalized risk does not outweigh the social utility of maintaining electronically stored information. We note here that Appellants do not allege that UPMC encountered a specific threat of intrusion into its computer systems.

Id. at 8.

The court held that the fourth factor, which examines the consequences of imposing a common-law duty upon the defendant, also weighed against imposing a duty. The court reasoned that given that data breaches are “widespread,” and that no “safe harbor” existed for the storage of confidential information, “[n]o judicially created duty of care is needed to incentivize companies to protect their confidential information.” Id. at 9. In other words, given the costs of responding to a data breach, the potential liability that already existed from regulatory law enforcement actions and lawsuits, and the harm in the marketplace caused by data breaches, there was no need to motivate employers to protect their employees’ information. The court explained:

We find it unnecessary to require employers to incur potentially significant costs to increase security measures when there is no true way to prevent data breaches altogether. Employers strive to run their businesses efficiently and they have an incentive to protect employee information and prevent these types of occurrences. As the trial court correctly found, the fourth factor weighs in favor of not imposing a duty.

Id. at 9-10.

The Dittman court held that the fifth factor, which examines “the overall public interest” in imposing a duty, also weighed against creating one. Agreeing with the trial court, the appellate court stated that imposing a common-law duty on employers to safeguard employee information would greatly expend and strain limited judicial resources. Id. at 10. The court found that creating a unilateral, judicially imposed duty in lieu of the legislative branch also would overstep its authority. Id. Quoting the trial court, the court stated:

The General Assembly has considered and continues to consider the same issues that [Appellants] are requesting [the] court to consider under the Seebold/Althaus line of cases. The only duty that the General Assembly has chosen to impose as of today is notification of a data breach. It is not for the courts to alter the direction of the General Assembly because public policy is a matter for the Legislature.

Id. 

Finally, the Dittman court held that plaintiffs’ negligence claim was also barred by the economic loss doctrine, although the court’s decision ultimately rested upon its analysis of the Althaus test. Under the economic loss doctrine, “no cause of action exists for negligence that results solely in economic damages unaccompanied by physical injury or property damage.” Id. at 11. Under Bilt-Rite Contractors, Inc. v. The Architectural Studio, 866 A.2d 270, 274 (Pa. 2005), an exception to the economic loss doctrine exists where the economic harm was caused by a breach of a duty imposed by law. “Without a duty imposed by law or a legally recognized special relationship,” the economic loss doctrine bars recovery for purely economic losses. Id. at 10-11. Here, because the Althaus test weighed against imposing a duty upon UPMC to protect and safeguard its employees’ personal and financial information, and the court expressly declined to create such a duty, no exception to the economic loss doctrine existed to permit recovery. Id. at 12.

Despite the appellate court’s unwillingness to impose a common-law duty on employers to safeguard employee information, the citation in the majority opinion to the Home Depot data breach litigation may signal an important limit to that reluctance. See id. at 8 n.4 (citing In re Home Depot, Inc. Customer Data Security Breach Litig., 2016 U.S. Dist. LEXIS 65111 (N.D. Ga. May 18, 2016)).

In Home Depot, the Georgia federal court refused to dismiss a putative class action lawsuit of financial institutions where Home Depot allegedly had been warned repeatedly of its cybersecurity vulnerabilities and took no action to remedy them prior to the data breach at issue. Home Depot, 2016 U.S. Dist. LEXIS 65111 at *22-24. Those warnings included reports from IT of security concerns, third-party vendors warning about the company’s failure to encrypt customer data, an understaffed IT group, and events of prior data security incidents on its network.  Id. at *22. The federal court held that, given the prior warnings Home Depot had received, a duty of care did exist to protect consumer information, thereby barring application of the economic loss doctrine. Id. at *29 (“A retailer’s actions and inactions, such as disabling security features and ignoring warning signs of a data breach, are sufficient to show that the retailer caused foreseeable harm to a plaintiff and therefore owed a duty in tort.”). The court reasoned that to hold otherwise would incentivize companies to “turn a blind eye” toward cyber risks and the protection of data:

The Court declines the Defendant’s invitation to hold that it had no legal duty to safeguard information even though it had warnings that its data security was inadequate and failed to heed them. To hold that no such duty existed would allow retailers to use outdated security measures and turn a blind eye to the ever-increasing risk of cyber attacks, leaving consumers with no recourse to recover damages even though the retailer was in a superior position to safeguard the public from such a risk.

Id. at *29-30.

In Dittman, the Pennsylvania appellate court specifically noted that there were no allegations of prior warning that might have shifted the level of UPMC’s duty of care. Dittman, slip op. at 8-9. Had UPMC received prior warning of vulnerabilities in its network that later were exploited, or if evidence suggested that UPMC had disregarded cyber risks and had ignored the issue, the Dittman court could have very well found an exception to the economic loss doctrine to permit the lawsuits to proceed. In fact, Justice Stabile in his concurring opinion made this sentiment clear, stating “[h]ad UPMC been on notice of factual or potential security breaches of its systems, or reasonably should have anticipated that the negligent handling of confidential information would have left it vulnerable to criminal activity, a different conclusion may have been reached under the factors of the Althaus test.” (Stabile, J., concurring, slip op. at 2.)

With this one observation by the appellate court, Pennsylvania companies can expect future lawsuits to plead accordingly. In addition, some of the lax cybersecurity practices alleged against UPMC (unencrypted data, inadequate firewalls, and weak authentication) correspond to steps called for by NIST’s voluntary Cybersecurity Framework. The expectation that companies follow this framework, as evidence of a reasonable standard of care, is increasing. Thus, the full effect of the Dittman decision may be more limited than first thought. The best way to mitigate loss from a cybersecurity event is to prepare for one. Such precautions also may be the best defense for an employer seeking refuge under Dittman in claims brought by its employees.


TCPA Claims Excluded by “Unsolicited Communications” Endorsement



Yesterday, the Missouri federal court in Travelers Indem. Co. v. Max Margulis & Surrey Vacation Resorts, 2016 U.S. Dist. LEXIS 173420 (E.D. Mo. Dec. 15, 2016), held that coverage for an underlying Telephone Consumer Protection Act (“TCPA”) lawsuit for “robo” calls to cell phones was precluded by the “unsolicited communications” endorsement.  Because this endorsement is being used more often, and because it does not receive as much fanfare as its sister exclusion for “Distribution of Material,” I decided to write about it here in The Coverage Inkwell.

The insured, Surrey Vacation Resorts, Inc., d/b/a Grand Crowne Resorts (“Surrey”), was sued by Max Margulis for an allegedly unsolicited June 18, 2013 call to his cell phone made through use of an automated telephone dialing system and without his prior consent.  Id. at *1.  Plaintiff filed suit under the TCPA, alleging that plaintiff “incurred ‘damages’ due to receipt of one telephone call from Surrey on June 18, 2013, which he did not specifically request to receive.”  Id. at *6.  The TCPA makes it unlawful “to make any call (other than a call made for emergency purposes or made with the prior express consent of the called party) using any automatic telephone dialing system…to any telephone number assigned to a paging service, cellular telephone service, specialized mobile radio service, or other radio common carrier service, or any service for which the called party is charged for the call….” Id. at *8.  Travelers defended the insured under a reservation of rights and commenced coverage litigation.  Id. at *1.

In the coverage action, the United States District Court for the Eastern District of Missouri determined that Travelers had no duty to defend.  First, it noted that many of the policies at issue had incepted and expired prior to the June 18, 2013 call, and therefore – as a matter of law – there could be no coverage under them.  Id. at *6.  (You would think this conclusion is a no-brainer, but you’d be surprised what some policyholders argue.)

Next, the court further held that there was no coverage under an “unsolicited communications” endorsement, which prohibited coverage for “injury or damage arising out of any actual or alleged violation of any law restricting or prohibiting the sending, transmitting, or distribution of ‘unsolicited communication’.”  Id. at *6.  The policies defined “unsolicited communications” as “any form of communication, including but not limited to facsimile, electronic mail, posted mail or telephone, in which the recipient has not specifically requested the communication.”  Id. at *6-7.  The court held that the underlying lawsuit fell squarely within the exclusion: because the TCPA prohibits unsolicited “robo” calls without prior consent, the statute “restricts or prohibits the sending, transmitting or distributing of ‘unsolicited communication’ as the phrase appears in the ‘Unsolicited Communications’ Endorsements.”  Id. at *8.

What this case means:  This is a straightforward case.  What I found interesting is that the decision highlighted and discussed, albeit without much analysis, the unsolicited communications exclusion, an exclusion that may be added to a policy by endorsement to preclude coverage for the bombardment of unsolicited communications we receive by fax, email, cell phone, and landline every day.


OHIO COURT HOLDS THAT REQUESTED SELF-AUDIT CAN BE A “CLAIM”



In Eighth Promotions v. Cincinnati Ins. Cos., 2016 Ohio App. LEXIS 4119 (Ohio Ct. App. Oct. 11, 2016), the Ohio appellate court held that a letter forwarded to the insured by a copyright holder requesting that the company conduct a self-audit into its alleged copyright violations constituted a demand for non-monetary relief and thus fell within a policy’s definition for “claim.”  The same court also held that the insured could not stretch the scope of the claim or subsequent settlement to circumvent the policy’s copyright infringement exclusion.

The insured, Eighth Promotions, manufactured and sold sports awards and business gifts.  The company’s Operating Agreement provided indemnification protection to its officers and directors, stating that the company would “indemnify and hold harmless” its officers and directors “[i]n any “threatened . . . claim, action or proceeding to which any officer or any [director] . . . is [a] party or is threatened to be made a party by reason of its or his activities on behalf of [Eighth Floor].”  Id. at *1-2.  The company purchased a D&O liability policy, which contained an insuring agreement covering “all ‘loss’ which the ‘company’ is required to pay as indemnification to the ‘individual insureds’ resulting from any ‘claim’ first made during the ‘policy period’ . . . for a ‘wrongful act’.”  Id. at *15-16.  The policy defined a “claim” in part as:

  1. A written demand for monetary damages or non-monetary relief; or

  2. A civil proceeding commenced by filing of a complaint or similar pleading[.]

Id.  “Loss” included “defense costs.”  Id. at *16.

The policy also had an intellectual property exclusion, but the exclusion did not apply to claims brought against “individual insureds,” such as the company’s officers or directors.  The exclusion stated that the insurer was not liable to pay, indemnify or defend any “claim”:

K. Based upon, arising out of, or in consequence of, or in any way involving actual or alleged infringement of copyright, patent, trademark, trade secret, service mark, trade name, or misappropriation of ideas or trade secrets or other intellectual property rights; provided, however, this exclusion shall not apply to any ‘claim’ against any ‘individual insureds’;

Id. at *17.

In May 2011, the insured received a letter from a trade group, the Business Software Alliance (BSA), investigating on behalf of its member companies “possible instances of illegal duplication of certain software.”  The letter contended that Eighth Promotions had installed on its computers more copies of software programs than it was licensed to use.  Id. at *1.  In lieu of litigation, BSA requested that the insured investigate and audit all of the software published by the BSA members on its computers, as well as the software licenses and proofs of purchase for those licenses, and share the results of its self-audit with BSA.  Id. at *3-4.  The insured tendered the letter to its insurer, which denied coverage on the ground that the letter did not constitute a “claim” because it was neither a “written demand for monetary damages or non-monetary relief” nor a “civil proceeding commenced by filing a complaint or similar pleading.”  Id. at *5.

The insured retained counsel and conducted an audit, revealing numerous instances of unauthorized software installations.  Id. at *6.  After sharing the results of the audit with BSA, BSA offered to settle the dispute under certain terms and conditions, including a payment of $179,393.  Id. at *8.  By entering the proposed settlement, BSA promised that its member clubs would “forego the filing any lawsuit against Eighth Floor and will release Eighth Floor from any liability related to past infringement of the copyrights in the software products listed below due to Eighth Floor’s use and/or installation of those products on Eighth Floor’s computers.”  Id. at *9.  The insured tendered the settlement offer to its insurance carrier, which denied coverage under the intellectual property exclusion.  Id. at *10.  The insured settled the dispute, obtaining a release for the company, as well as for its officers and directors.  Coverage litigation ensued.

The trial court in the coverage litigation granted the insurer summary judgment, holding that the initial “audit” letter did not constitute a claim and that the intellectual property exclusion barred coverage.  On appeal, the appellate court reversed in part.  Id. at *11.

The appellate court held that the May 2011 BSA letter, which inquired about instances of copyright infringement and offered to permit the insured to conduct a self-audit in lieu of litigation, constituted a “claim” to implicate coverage under the policy.  The court rejected the insurer’s characterization of the audit letter as giving “Eighth Floor an opportunity to conduct its own company-wide investigation to determine whether any copyright infringement had occurred.”  Id. at *18.  Instead, the court concluded that the letter provided the insured an opportunity to determine “the extent of Eighth Floor’s copyright violations—not whether Eighth Floor had committed copyright violations.”

The court next looked to the dictionary definitions for “demand,” “non-monetary” and “relief,” all used within the phrase “A written demand for monetary damages or non-monetary relief” to determine the meaning of “claim.”  The court attributed broad meanings to these terms, observing:

“Demand” is defined as “the assertion of a legal right or procedural right.”  Black’s Law Dictionary 522 (10th Ed.2014).

“Non” is defined as “not; no.” Id. at 1212. “Monetary” is defined as “of, relating to, or involving money.” Id. at 1158.

“Relief” is defined as “the redress or benefit, esp. equitable in nature (such as injunction or specific performance), that a party asks of a court.  Also termed remedy.” (Emphasis sic.)  Id. at 1482. “Remedy” is defined as “the means of enforcing a right or preventing or redressing a wrong; legal or equitable relief.” Id. at 1485.  [Internal brackets removed.]

Based on these broad meanings, the court held that the audit letter satisfied the definition for “claim.”  The court explained:

. . . [A]lthough the audit request gave Eighth Floor the “opportunity” to conduct a company-wide software audit, it implied that if Eighth Floor did not take up this “opportunity,” then the matter would proceed to litigation, where the BSA could have achieved the same result. The audit request also sought the preservation of evidence and stated that Willis should not attempt to purchase any software from sales representative of these companies until the matter was resolved.

These measures were the BSA’s “means of enforcing a right” and “preventing a wrong” within the plain and ordinary meaning of “remedy.” See Gold Tip, LLC v. Carolina Cas. Ins. Co., D. Utah No. 2:11-CV-00765-BSJ, 2012 WL 3638538, *4 (Aug. 23, 2012) (a written demand for non-monetary relief can encompass a letter that coerces conduct of the policyholder through the threat of using the legal process to compel that conduct.).

Id. at *22.

The court, however, held that the intellectual property exclusion prohibited coverage for the settlement.  Eighth Promotions argued that the exclusion’s exception for claims against “individual insureds” (meaning, the insured’s directors and officers) applied to trump the coverage denial.  Id. at *23.  To support its argument, Eighth Promotions relied upon the broad standard of interpreting pleadings for evaluating the duty to defend.  Under Ohio law (and the law of most jurisdictions), a duty to defend can be implicated where the allegations in a complaint support or allege an unpled claim that potentially is within the policy coverage.  Id. at *26.  Here, Eighth Promotions argued that although BSA’s demands were directed at the company, because the company’s officers and directors could be held vicariously liable for copyright infringement if BSA filed suit against the company, BSA’s demands contained a claim against the directors and officers that fell within the exception of the intellectual property exclusion.  Eighth Promotions argued:

Vicarious ‘liability for copyright infringement may be imposed upon an officer, directors, or shareholder so long as the individual ‘has the right and ability to supervise the infringing activity’ and also [2] has a direct financial interest in such activities. . . . As such, the Eighth Floor officers and directors were jointly and severally liable on [the] BSA’s claim. . . .

Had the matter not settled, the BSA would have named the officers and directors in its complaint because Eighth Floor was not solvent to the full extent of the potential damages. Because copyright infringement allows for joint and several liability, because the BSA was aware that Eighth Floor was closely held, and because the directors and officers constituted a viable source of recovery who necessarily shared equally in the liability, any lawyer drafting the complaint would be obligated to include the directors and officers as defendants.  [Internal brackets omitted.]

Id. at *25.  As further proof of the existence of a claim against Eighth Promotions’ officers and directors, the company also pointed to the release it had obtained for them.

The appellate court rejected the argument, stating that Ohio law did not support the proposition that “an insurer has a duty to defend an otherwise excluded ‘claim’ where the allegations in that ‘claim’ could potentially or arguably lead to another ‘claim’ which may be within the policy’s coverage.”  According to the court, the only “real” claim was made against the company:

The only real “claim” at issue here is the settlement offer which did not demand any monetary relief from Eighth Floor’s officers or directors or contain any language that could potentially or arguably be construed as a written demand for monetary (or non-monetary) relief against Eighth Floor’s officers and directors.

Id. at *27.  Nor could an insured use a release provision in a settlement agreement to bootstrap coverage by characterizing the release as a written demand for monetary or non-monetary relief:

It included a provision offering to release Eighth Floor’s officers and directors from liability if Eighth Floor complied with its demands, but this provision cannot potentially or arguably be construed as a written demand for monetary (or non-monetary) relief against Eighth Floor’s officers and directors.

Id.  The case was remanded to the trial court to determine whether the exclusion barred the insurer’s duty to defend for the audit letter.

What this case means:  This case serves as a reminder that for claims-made policies that define the meaning of “claim,” the definition “written demand for monetary damages or non-monetary relief” can have a very broad meaning.  Here, the court concluded that a self-audit committed by the insured pursuant to a claimant’s notice letter satisfied this definition.  At the same time, the court rejected the insured’s attempt to broaden the scope of a claim, or to bootstrap coverage through a broad release in a settlement (even if obtaining additional releases in such a settlement was customary).  In essence, the court concluded that an insured may not goldmine for unstated claims or causes of action to broaden the scope of a settlement agreement from the uncovered to the covered.

This entry was posted in Uncategorized.

PIRATED TELEVISION PROGRAMMING IS NOT “DATA” UNDER MEDIA POLICY



It’s hard to believe that we are less than two months away from Coverage College (September 22). If you have not signed up yet, please do by visiting White and Williams’ website. This year, I will be teaching a class on coverage issues in privacy and cyber liability litigation. It should be an exciting and fast-paced class. We’ll have a lot to talk about.  

Last Friday, in Ellicott City Cable, LLC v. AXIS Ins. Co., 2016 U.S. Dist. LEXIS 95819 (D. Md. July 22, 2016), the federal district court of Maryland rejected the contention that pirated digital television programming constituted “data” under a media policy. Even broad terms do not have boundless meanings. Terms must be read within the context of their use and the policy as a whole.

In the case, the insured, Ellicott City Cable (ECC), provided television, internet, and telephone services to residents of two separate residential communities, Taylor Village and Waverly Woods.  Id. at *3-4. To provide television, ECC contracted to obtain satellite television programming from DirecTV, LLC through DirecTV agents Sky Cable, LLC (Sky Cable) and North American Cable Equipment (NACE). (ECC never contracted with DirecTV to provide internet or telephone services.) Id. at *4. Under the contract, ECC distributed the DirecTV programming through equipment and credentials provided by Sky Cable and NACE, and made monthly payments directly to DirecTV for access to its programming. Id.

ECC later terminated its contract with DirecTV. Thereafter, DirecTV commenced an action against ECC and Sky Cable asserting that defendants had “fraudulently” obtained, and assisted others to obtain, DirecTV’s satellite television programming and distributed the programming through unauthorized cable television systems.  Id. at *5.  DirecTV asserted that ECC, through Sky Cable, set up private cable systems to deliver programming to more units in the Taylor Village and Waverly Woods communities than permitted under the DirecTV contract. DirecTV also asserted that ECC created multiple dwelling unit accounts with DirecTV for both properties, but distributed the programming to occupants and residents outside of the scope of those agreements, including by using wiring to traverse public rights of way.  Id.

ECC sought coverage from its media liability insurer, which had issued a media policy providing coverage for damages “as a result of an Occurrence in connection with Scheduled Media during the Policy Period that gives rise to a Claim . . . .”  Id. at *11.  Occurrence was defined in part as “the actual or alleged . . . publication, broadcast or other dissemination of Matter[.]”  Id. at *11, n.10. Matter was defined in part as “communicative or informational content regardless of the nature or form.”  Id.

The media policy had an exclusion that prohibited coverage for claims:

for or arising out of any actual or alleged . . . unauthorized access to, unauthorized use of, or unauthorized alteration of any computer or system, hardware, software, program, network, data, database, communication network or service, including the introduction of malicious code or virus by any person . . .

Id. at *11-12 (emphasis added).

The policy also had additional coverage under Endorsement 3 for claims “for or arising out of the failure to prevent a party from unauthorized access to, unauthorized use of, tampering with or introduction of a computer virus or malicious code into data or systems.” However, coverage under Endorsement 3 did not apply to claims for:

intentional unauthorized access to, unauthorized use of, tampering with or introduction of a computer virus or malicious code into data or systems by any Insured or person who would qualify as an Insured but for their acts being outside the scope of their duties as a partner, . . . except that this exclusion shall not apply to any Insured who did not commit, acquiesce or participate in the actions that gave rise to the Claim.

Id. at *12-13 (emphasis added). As later noted by the Ellicott City Cable Court in its opinion, both policy provisions apply to claims for or arising out of unauthorized access to “data,” with the coverage exception in Endorsement 3 adding the qualifier that the unauthorized access be “intentional.” Id. at *14.

The insurer contended that it had no duty to defend under the exclusion and the exception to coverage under Endorsement 3, arguing that DirecTV’s lawsuit for the unauthorized distribution of television programming alleged unauthorized access to data. ECC disagreed, contending that television programming is not “data.”  The Ellicott City Cable Court agreed with the insured.

The court recognized that the term “data” is very broad, and this may have been the insurer’s hope when asserting the policy’s exclusions. Merriam’s Dictionary defines the word “data” as “facts or information used usually to calculate, analyze, or plan something” or “information that is produced or stored by a computer.” Id. at *15. However, the court found that the term was so broad as to be ambiguous. “Given the breadth of this definition [for data],” the court employed the construction canons of ejusdem generis and noscitur a sociis, which require a court, when determining the broad meaning of a word, to consider “the accompanying words so that . . . general and specific words, capable of analogous meaning, when associated together, take color from each other[.]”  Id. at *16. Based on these canons, the court concluded that the word “data” referred to computers, not television programming.

First, the court noted that DirecTV did not use the term “data” to describe its television programming that ECC had allegedly accessed without authorization.  Id. at *15.  The court then looked to the wording of the exclusions at issue, determining that the list of terms in the exclusions limited the meaning of the term “data” rather than expanded it.  The exclusion applied to unauthorized access of “any computer or system, hardware, software, program, network, data, database, communication network or service, including the introduction of malicious code or virus by any person . . . .”  Id. at *16.  The common denominator of these terms was the internet and computers, not television programming:

The common factor underlying all terms listed is their relation to the internet or digital matters in general.  Indeed, the inclusion of “introduction of malicious code or virus” speaks directly to a common risk associated with the internet (and computers). “Data,” in this context, thus appears to concern information related to the internet, and not television programming.

Id. at *17 (emphasis added).

The insurer argued that DirecTV’s programming did involve digital compression and encryption of its signal and thus fell within the umbrella of “digital matters.”  The court rejected the argument in part because DirecTV also provided analog signals.  Under the insurer’s contention, the policy would cover analog signals, but exclude digital signals, a result that the court would not endorse:

Yet, this argument ignores that DirecTV’s television programming takes both digital and analog forms. Under Axis’s reasoning, ECC would receive insurance coverage for unauthorized access to analog television programming, and not digital television programming. Neither Axis nor the Policies themselves present any persuasive argument in favor of such a distinction.

Id. at *16-17.

The court applied the same reasoning to the coverage exception for Endorsement 3, which employed “the same broad term accompanied by terms like ‘computer virus’ and ‘malicious code.’”  The court explained:

Similarly, the exclusion of Endorsement No. 3 applies to intentional unauthorized access of “data or systems[.]”  While this exclusion does not include all terms of the first exclusion, it employs the same broad term accompanied by terms like “computer virus” and “malicious code.” Even if the exclusion uses the disjunctive “or” in describing the excluded conduct, this use does not negate the inference that “data or systems” concern information related to the internet or computers generally.

Id. (internal citations omitted).

The court also looked to coverage provided elsewhere in the policy for piracy claims to conclude that the term “data” could not encompass media programming. The court observed that the policy covered claims “for or arising out of . . . any form of infringement of copyright, violation of Droit Moral, passing-off, plagiarism, Piracy or misappropriation of ideas,” defining “piracy” as “the wrongful use, reprinting or reproduction of copyrighted intellectual property.” Id. at *18.  According to the court, “piracy” described “precisely” DirecTV’s allegations against ECC and Sky Cable.  Thus, “[t]o interpret ‘data’ as including DirecTV’s television programming would effectively broaden the scope of the exclusion to eliminate any coverage for piracy.”  Id.  “Rather than create such a contradiction,” the court held it must construe the ambiguity of “data” against the insurer.  Id. at *18-19.

As a result, the court determined that DirecTV’s television programming is not “data” within the meaning of either exclusion.  Id. at *19.

What this case means:  Media policies and cybersecurity policies sometimes employ very broad terms that remain undefined in the policies themselves.  Examples of such terms can include “matter,” “network,” “systems,” “electronic,” and even “data.”  Ellicott City Cable is a good reminder that even broad terms do not have boundless meaning – both in terms of coverage grants and coverage exclusions. Terms must be read within the context of their use and the policy as a whole.


FINANCIAL INSTITUTION BOND COVERS LOSS FROM HACKING



In State Bank v. BancInsure, Inc., 2016 U.S. App. LEXIS 9235 (8th Cir. May 20, 2016), the United States Court of Appeals for the Eighth Circuit held that a $485,000 fraudulent wire transfer perpetrated through the use of malware residing on a bank employee’s computer was covered under the bank’s financial institution bond.  The facts are straightforward.

The insured used the Federal Reserve’s FedLine Advantage Plus system to perform wire transfers. The transfers were made through a desktop computer connected to a Virtual Private Network device provided by the Federal Reserve. In order to complete a transfer, two bank employees each had to enter an individual user name, insert an individual physical token into the computer, and provide an individual password and passphrase.

In the matter at issue, a bank employee completed a FedLine wire transfer. However, instead of following company policy and protocol by engaging the participation of a second employee, as required, the bank employee completed the transfer using her own token, password, and passphrase as well as the token, password, and passphrase of a second employee on the same computer.  At the end of the work day, the employee then left the two tokens in her computer and left the computer running overnight.  When the employee returned to work the next morning, she discovered that two unauthorized wire transfers had been made from the bank’s Federal Reserve account.  Money from one of the transfers was recovered.  However, $485,000 wired in the second transfer was not recovered.  Id. at *1-2.

An investigation revealed that malware resided on the computer, permitting infiltration that allowed completion of the fraudulent transfers. Id. at *2.  The bank sought coverage under its financial institution bond, which provided coverage for losses caused by computer system fraud.  The insuring agreement covered, in part:

Loss resulting directly from a fraudulent

(1) entry of Electronic Data or Computer Program into, or

(2) change of Electronic Data or Computer Program within

any Computer System operated by the Insured, whether owned or leased, or any Computer System identified in the application for this Bond, or a Computer System first used by the Insured during the Bond Period, provided the entry or change causes

(1) property to be transferred, paid or delivered,

(2) an account of the Insured or of its customer to be added, deleted, debited or credited, or

(3) an unauthorized account or fictitious account to be debited or credited.

Id. at *3-4, n.2.

The carrier denied coverage, citing certain exclusions in the bond for employee-caused loss, theft of confidential information, and mechanical breakdown or deterioration of a computer system.  Id. at *3.  The carrier cited the following exclusions, which prohibited coverage for:

(h) loss caused by an Employee . . . resulting directly from misplacement, mysterious unexplainable disappearance or destruction of or damage to Property;

. . . .

(bb) (4) loss resulting directly or indirectly from theft of confidential information,

. . . .

(bb) (12) loss resulting directly or indirectly from

(a) mechanical failure, faulty construction, error in design, latent defect, fire, wear or tear, gradual deterioration, electrical disturbance or electrical surge which affects a Computer System,

(b) failure or breakdown of electronic data processing media, or

(c) error or omission in programming or processing,

. . . .

(bb) (17) loss caused by a director or Employee of the Insured . . . .

Id. at *4, n.3.

Coverage litigation ensued.  The carrier argued that the employee’s breach of company policy caused the loss and thus the loss was excluded.  Specifically, the carrier contended that the malware would not have allowed the hacker to fraudulently transfer the lost money had the bank employee (1) engaged a second employee to perform the original wire transfer, and (2) not left the computer running overnight with two tokens in it.  Based on Minnesota’s concurrent-causation doctrine, the trial court nevertheless held that the bond covered the loss.  The trial court concluded that “the computer systems fraud was the efficient and proximate cause of [Bellingham’s] loss,” and that “neither the employees’ violations of policies and practices (no matter how numerous), the taking of confidential passwords, nor the failure to update the computer’s antivirus software was the efficient and proximate cause of [Bellingham’s] loss.”  Id. at *6.  The court further held that “it was not then a ‘foreseeable and natural consequence’ that a hacker would make a fraudulent wire transfer. Thus even if those circumstances ‘played an essential role’ in the loss, they were not ‘independent and efficient causes’ of the loss.”  Id. at *6-7.  The carrier appealed and the Eighth Circuit affirmed.

On appeal, the carrier first argued that the concurrent-causation doctrine, which applies to insurance contracts, did not apply to financial institution bonds because a financial institution bond requires the insured to initially show that its loss directly and immediately resulted from dishonest, criminal, or malicious conduct.  Id. at *8.  The Eighth Circuit disagreed, stating that Minnesota courts adhere to the general rule of “treating financial institution bonds as insurance policies and interpreting those bonds in accordance with the principles of insurance law.”  Id. at *9.

The carrier next argued that exclusions 2(bb)(4) and 2(bb)(12) contracted around the concurrent-causation doctrine because those exclusions applied to both direct and “indirect” causation.  Id. at *10.  The Eighth Circuit disagreed.  Although noting that “[p]arties may include ‘anti-concurrent causation’ language in contracts to prevent the application of the concurrent-causation doctrine,” such language must be “clear and specific.”  Id.  The court concluded that, “[a]s a matter of law, the Bond’s reference to ‘indirectly’” was not clear and specific, and was insufficient to circumvent the doctrine.  Id. at *11.

Finally, the carrier argued that even if the district court correctly applied the concurrent-causation doctrine, it erred in concluding that the fraudulent hacking of the computer system by a criminal third party was the overriding, or efficient and proximate, cause of the loss.  At a minimum, the carrier contended, the issue should have been one for the jury to decide.  Id. at *11.  Again, the court disagreed, concluding that the fraudulent wire transfers were not a foreseeable or inevitable result of the employees’ negligence and actions:

We agree with the district court’s conclusion that “the efficient and proximate cause” of the loss in this situation was the illegal transfer of the money and not the employees’ violations of policies and procedures. . . .  an illegal wire transfer is not a “foreseeable and natural consequence” of the bank employees’ failure to follow proper computer security policies, procedures, and protocols.  Even if the employees’ negligent actions “played an essential role” in the loss and those actions created a risk of intrusion into Bellingham’s computer system by a malicious and larcenous virus, the intrusion and the ensuing loss of bank funds was not “certain” or “inevitable.”

Id. at *13-14.  According to the court, “[t]he ‘overriding cause’ of the loss Bellingham suffered remains the criminal activity of a third party.”  Id. at *14.  Therefore, it held that the district court properly granted the bank summary judgment.

This entry was posted in Data Breach Insurance Coverage, Uncategorized.

EVEN IN THE CYBER WORLD, INTENTIONAL MISCONDUCT IS NOT NEGLIGENCE



Yesterday, in Travelers Prop. Cas. Co. of Amer. v. Federal Recovery Services, Inc., No. 14-170 (D. Utah), the court determined that no coverage existed under a Technology Errors and Omissions Liability Form found in a cyber insurance policy after the insured data processor had failed to return valuable personal identification information it held on behalf of the information’s owner.  This case is going to get a lot of attention simply because it is the first published decision involving a cyber insurance policy form.  What it shows is that, even in the cyber world, intentional misconduct is not negligence.

The facts of the case are straightforward.  The underlying plaintiff, Global Fitness, owned and operated fitness centers in several states.  As part of its operations, Global Fitness had numerous members who would provide credit card or bank account information through which Global Fitness could bill them (“Member Accounts Data”).  (Slip op. at 3.)  Defendants were engaged in the business of providing processing, storage, transmission, and other handling of electronic data for customers.  (Id. at 1.)  Global Fitness entered into a contract with Defendants to process the Member Accounts and transfer the members’ fees to Global Fitness.  (Id. at 3.)

Global Fitness later entered into an asset purchase agreement with L.A. Fitness, which included as part of the sale the transfer of Global Fitness’s Member Accounts Data.  Global Fitness requested that Defendants return the Member Accounts Data to Global Fitness for inclusion in the asset purchase.  Although Defendants stated that they would cooperate and transfer the data back to Global Fitness, according to the litigation that ensued, they did not.  (Id. at 3-4.)

Defendants produced the Member Accounts Data, but data was missing.  Defendants produced the data in an alternative format that included some, but not all of, the missing information.  (Id. at 4.)  According to the underlying complaint, Defendants did not produce credit card, checking account, and savings account information contained in the Member Accounts Data.  (Id.)  Global Fitness requested this information, and then requested that Defendants transfer the billing information back to Global Fitness.

Nevertheless, the information was not produced.  Instead, according to the underlying complaint, Defendants “withheld the Member Accounts Data until Global Fitness satisfied several vague demands for significant compensation.”  In addition, Defendants “refused to transfer funds it received in servicing the Member Accounts for the past week until all matters were resolved.”

Global Fitness filed a lawsuit, asserting claims against Defendants for conversion, tortious interference, and breach of contract.  An amended complaint further alleged that Defendants purposefully withheld pieces of the Member Accounts Data for payment:

Global Fitness alleged that “[Defendants] withheld the Billing Data unless and until Global Fitness satisfied several demands for significant compensation above and beyond what were provided in the Agreement.”  In addition, Global Fitness alleged that “[Defendants] retained possession of Member Accounts Data, including the Billing Data, which was the property of Global Fitness and was only provided to Paramount pursuant to the terms of the Agreement.”  “[Defendants] willfully interfered with Global Fitness’s property and refused to return Global Fitness’s property without cause or justification.”  “[Defendants] actions deprived Global Fitness of the use of its Member Accounts Data and its monies and threatened its ability to comply with its obligations under the APA with L.A. Fitness.”

(Id. at 4-5.)

The amended complaint asserted that, “[a]s a result of the delay caused by [Defendants’] actions, the purchase price of the APA decreased dramatically,” and Defendants “knowingly harmed Global Fitness’s rights under the APA with L.A. Fitness thereby causing Global Fitness irreparable harm and loss.”  (Id. at 5.)

The insureds purchased a cyber insurance policy with a Network and Information Security Liability Form and a Technology Errors and Omissions Liability Form under which they sought defense coverage.  (Id. at 1-2.)  The insuring agreement stated as follows:

SECTION I – ERRORS AND OMISSIONS LIABILITY COVERAGE

  1. Insuring Agreement

  a. We will pay those sums that the insured must pay as “damages” because of loss to which this insurance applies. The amount we will pay for “damages” is limited as described in Section III- Limits Of Insurance in your CyberFirst General Provisions Form.

  b. This insurance applies to loss only if:

(1) The loss arises out of “your product” provided to others or “your work” provided or performed for others;

(2) The loss is caused by an “errors and omissions wrongful act” committed in the “coverage territory”;

(3) The “errors and omissions wrongful act” was not committed before the Errors and Omissions Retroactive Date shown in the CyberFirst Declarations or after the end of the policy period; and

(4) A claim or “suit” by a person or organization that seeks “damages” because of the loss is first made or brought against any insured . . . .

(Id. at 2.)  Thus, the cyber policy provided coverage for loss caused by an “errors and omissions wrongful act.”  (Id. at 7.)  “Errors and omissions wrongful act” was defined as “any error, omission or negligent act.”  (Id. at 7.)

In the ensuing coverage litigation, the insurer contended that the cyber policy did not apply because the underlying action did not allege damages from an “error, omission or negligent act.”  Instead, the underlying complaints alleged intentional wrongdoing.  (Id.)  The Defendant insureds, on the other hand, contended that defense coverage existed because of the potential that they “may be found liable for an error, omission or negligent act relating to the holding, transferring or storing of data.”  (Id. at 7-8.)  Defendants contended that “Global’s claims that [Defendants] ‘withheld’ the data is broad enough to encompass possible error, omission or negligent act by [Defendants].”  (Id.)

The Utah federal court disagreed with the insureds.  Even in the cyber world, intentional misconduct is not negligence:

While the policy covers errors, omissions, and negligent acts, Global’s claims against Defendants allege far different justifications for the data to be withheld.  Global does not allege that Defendants withheld the data because of an error, omission, or negligence.  Global alleges that Defendants knowingly withheld this information and refused to turn it over until Global met certain demands.  Defendants allegedly did so despite repeated requests from Global to provide the data. Instead of alleging errors, omissions, or negligence, Global alleges knowledge, willfulness, and malice.

(Id. at 8 (emphasis added).)  The court concluded: “To trigger Travelers’ duty to defend, there must be allegations in the Global action that sound in negligence. As discussed above, there are no such allegations.”  (Id.)  Therefore, the policy was not implicated and there was no duty to defend.

One cannot argue with that logic.


ANOTHER DATA BREACH CLASS ACTION DISMISSED FOR LACK OF INJURY



On the heels of the Target settlement, another security data breach class action has been dismissed for lack of standing under Article III.  In the lawsuit In re Horizon Healthcare Servs., Inc. Data Breach Litig., 2015 WL 1472483 (D.N.J. Mar. 31, 2015), a federal district court held that class plaintiffs alleged neither sufficient injury nor causation to establish standing.

In that case, an unknown thief stole from the company’s headquarters two password-protected laptop computers containing personal information of company members.  Id. at *1.  The company reported the theft to law enforcement the next day.  A month later, it notified potentially affected members of the theft by letter and press release.  Id.  In its notification, the company informed members that “[d]ue to the way the stolen laptops were configured, we are not certain that all of the member information contained on the laptops is accessible.”  It also offered credit-monitoring protection.  Id.

Plaintiffs filed a putative class action on behalf of themselves and other company members whose information was housed in the stolen laptops.  Plaintiffs alleged they were “placed at an imminent, immediate, and continuing increased risk of harm from identity theft, identity fraud, and medical fraud, requiring them to take the time and effort to mitigate the actual and potential impact of the Data Breach on their lives.”  Id.  The company moved to dismiss on the basis that plaintiffs had not alleged injury or causation to satisfy standing under Article III of the United States Constitution.

To establish standing, a plaintiff must show:

(1) an ‘injury in fact,’ i.e., an actual or imminently threatened injury that is ‘concrete and particularized’ to the plaintiff; (2) causation, i.e., traceability of the injury to the actions of the defendant; and (3) redressability of the injury by a favorable decision by the Court.

Id. at *2.  While all three elements are constitutionally required for standing, the injury-in-fact requirement is perhaps the one litigated most often in data breach cases.

An alleged future injury must be “imminent” and “certainly impending” to constitute an injury-in-fact.  Allegations of possible future injury are insufficient.  E.g., Clapper v. Amnesty Int’l USA, — U.S. –, 133 S. Ct. 1138 (2013).  A plaintiff must also show a “causal connection” between the injury and the alleged wrongful conduct.  The standard for this criterion is less than that of proximate causation in tort law, but requires more than mere speculation.  Id. at *3.  “[T]he injury has to be fairly traceable to the challenged action of the defendant, and not the result of the independent action of some third party not before the court.”  Id. (emphasis added).

The case involved four named plaintiffs, three of whom alleged injury based on economic injury, violation of statutory law, and imminent risk of future harm (i.e., increased risk of fraud and identity theft).  The company argued that because these plaintiffs did not allege that their personal information had been accessed or misused, or that they had suffered unauthorized withdrawals from bank accounts, or identity theft, they failed to allege concrete and particularized harm to satisfy standing.  Id. at *4.  The Court agreed.

The Court, comparing the claims before it with another case in which plaintiffs suffered identity theft, and in which fraudulent bank accounts and credit cards had been opened and charged, concluded that plaintiffs’ generalized allegations did not show particularized injury.  Because plaintiffs did not allege they had carefully guarded their information, or suffered monetary loss, or injuries like identity theft or medical fraud, they did not allege “economic injury” to satisfy standing.  Id. at *5.  The Court also held that violations of statute or common law do not create standing.  The Court explained:

Standing does not merely require a showing that the law has been violated, or that a statute will reward litigants in general upon showing of a violation.  Rather, standing demands some form of injury—some showing that the legal violation harmed you in particular, and that you are therefore an appropriate advocate in federal court. [Brackets and quotation marks in text omitted.]

Id.  Simply put, a plaintiff cannot rely upon legal violations to bootstrap standing.

Finally, the Court determined that allegations of increased risk of identity theft do not confer standing – an issue that is perhaps the most hotly-disputed area of Article III standing in data breach cases.  Many courts have held that allegations of increased risk of identity theft, and accompanying claims of economic injury from subscriptions to credit-monitoring services, do not allege imminent, “certainly impending” injury necessary to confer standing.  E.g., In re Science Applications Int’l Corp. (SAIC), — F. Supp. 2d –, (D.D.C. May 9, 2014); Galaria v. Nationwide Mut. Ins. Co., 998 F. Supp. 2d 646 (S.D. Ohio 2014).  However, other federal courts have held differently.  E.g., In re Adobe Sys. Inc. Privacy Litig., (N.D. Cal. Sept. 4, 2014).   The critical factor appears to be whether the stolen data was targeted by data thieves in a manner that would suggest the data’s later use.

Horizon did not depart from this evolving line of jurisprudence, holding that the absence of evidence indicating that the laptop thief would or could use plaintiffs’ information foreclosed any standing based on mere allegations of increased risk.  The Court based its conclusion on the Third Circuit’s decision in Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011), a network breach case, and also on Polanco v. Omnicell, Inc., 988 F. Supp. 2d 451 (D.N.J. 2013), a stolen laptop case.

Reilly involved an unknown hacker who infiltrated a payroll processing firm’s computer system, potentially gaining access to the information of approximately 27,000 employees.  Id. at *5.  In Reilly, as in the present case, the company worked with law enforcement and investigators to identify the information the hacker may have accessed, notified affected persons, and offered free credit-monitoring protection.  Id.  In the ensuing data breach litigation, the Reilly court held that “an increased risk of identity theft resulting from a security breach was insufficient to secure standing” because there was no indication that the hacker had read and understood the stolen personal information, intended to misuse it, or even had the ability to do so.  Id.  To suggest otherwise without proof was speculation.  Id.  The Court found the same circumstances present in the case before it:

With respect to “an imminent risk of future harm”, Plaintiffs contend that, despite their lack of injury thus far, “identity theft could occur at moment”. (Pls.’ Opp’n at 15.) The Third Circuit’s decision in Reilly is both squarely on point and binding on this Court.

Id.

In so holding, the Court also rejected plaintiffs’ argument that “[t]he imminence of future harm in data breach cases depends upon two factors:  (1) whether any of the compromised data was misused post-breach, causing injury, and (2) whether the facts surrounding the data breach indicate that the data theft was sophisticated, intentional, or malicious.”  Id. at *6.  Even assuming that such a standard were applicable, the Court held that plaintiffs failed to satisfy it.  Plaintiffs had not alleged post-breach misuse of compromised data.  Id.  They also failed to allege a sophisticated breach:

With respect to the “sophisticated, intentional, or malicious” nature of the data breach—a factor supported only by oblique dicta in Reilly—the Court fails to see how the theft of Horizon laptops here is any more “sophisticated, intentional, or malicious” than the taking of a laptop from a locked car in Polanco or the hacking of a computer system in Reilly.  If anything, hacking a computer seems to require more planning, savvy, and sophistication than the simple theft of two laptops.

Id. at *6.

Finally, the Court reasoned that plaintiffs’ claims of increased risk ultimately rested on the same conjecture rejected in Reilly:

Additionally, compared to hypothetical string of events identified in Reilly, Plaintiff’s injury is even more attenuated: (1) the crook must gain access to the information on the password-protected laptops, (2) he or she must read, copy, and understand the personal information; (3) he or she must intend to commit future criminal acts by misusing the information; and (4) the perpetrator must then be able to use such information to the detriment of Plaintiffs by making unauthorized transactions in Plaintiffs’ names.  See Reilly, 664 F.3d at 42.  As in Reilly and other data breach cases, Plaintiffs’ future injuries stem from the conjectural conduct of a third party bandit and are therefore inadequate to confer standing.

Id.  For these reasons, the claims of increased risk did not satisfy standing.

The lawsuit’s fourth named plaintiff alleged fraudulent charges to his credit card and that the laptop thief had filed a fraudulent joint tax return under his and his wife’s names.  However, these allegations failed to show causation.  There was no evidence that the filed tax return had any connection to the stolen laptops.  Underscoring this conclusion were the facts that (1) personal information belonging to plaintiff’s wife was not on either stolen laptop and (2) no other putative class member alleged identity theft.  Id.  In addition, plaintiff admitted to receiving his tax refund.  Id. at *8.  Therefore, even if there were a causal connection, there was no injury.

Similarly, because plaintiff’s credit card information had not been on the laptops, any alleged injury from fraudulent charges to the card was not “fairly traceable” to the laptops’ theft.  The Court explained:

Defendant points out, and Rindner does not contest, that current credit card information (as opposed to a new credit card, which can be fraudulently obtained using a stolen Social Security number) was not on the stolen laptops. (Def.’s Reply at 2.) Thus, any harm stemming from the fraudulent use of Rindner’s current credit card is not “fairly traceable” to Defendant.

Id. at *9.

What This Case Means.  Most data breach class actions assert some form of injury from increased risk of identity theft.  A few also allege fraudulent financial charges.  Realistically, however, not every data breach results in actual injury.  Nor is every fraudulent charge on a credit card the result of a headlined data breach.  For this reason, Article III standing has become a golden defense in the relatively early stages of data breach litigation.  For more information, see Mooney, J., “Standing In Data Breach Litigation: Lessons From 2014,” Law360 Privacy, 1/6/2015.

This case continues the emerging line of case law that holds, in the absence of evidence indicating imminent use of stolen data, claims of increased risk of identity theft do not meet the imminent and certainly impending injury requirement for standing.  The case also shows that allegations of fraudulent charges and actual identity theft are not enough – a plaintiff still must plead enough evidence to show a causal connection between the injury and the data breach.

Knowing The Knowing Violation Exclusion

The Knowing Violation of Rights of Another exclusion, found in Coverage B of most CGL policies, can be difficult to apply in the context of determining the duty to defend.  A recent decision issued by the United States Court of Appeals for the Eleventh Circuit, in Travelers Pro. Cas. Co. of America v. Kansas City Landsmen, — Fed. App’x –, 2015 WL 137816 (11th Cir. Jan. 12, 2015), provides a good example of why.

The case involved whether the insurer owed a duty to defend its insureds, car rental companies, against an underlying lawsuit alleging that the insureds willfully violated 15 U.S.C. §1681c(g)(1), a provision of the Fair and Accurate Credit Transaction Act (“FACTA”) that prohibits the printing of more than the last five digits of a credit card number or the expiration date on a receipt provided to the cardholder.  The underlying litigation, a putative class action, alleged that insured car rental companies had printed credit-card receipts that included more than the last five digits of the card number as well as the card’s expiration date, and accordingly, had “failed to protect” plaintiff and class members “against identity theft and credit card and debit card fraud.”  Id. at *2.  The action sought statutory and punitive damages under 15 U.S.C. §1681n(a), which imposes liability on “[a]ny person who willfully fails to comply with any requirement” of FACTA.

Coverage litigation ensued over the obligations to defend and indemnify the insureds.  The policies at issue had slightly different versions of the “Knowing Violation” exclusion.  One set had a “Knowing Violation of Rights of Another” exclusion, which excluded coverage for “personal injury”:

caused by or at the direction of the insured with the knowledge that the act would violate the rights of another and would inflict “personal injury”

Id. at *3.  The second set had a “Known Violation of Rights” exclusion that excluded coverage for personal injury:

caused by or committed at the direction of the Insured, or by an offense committed at the direction of the Insured, with knowledge that the rights of another would be violated and that Personal Injury or Advertising Injury would result.

Id.  The Eleventh Circuit ultimately held that neither applied.

Importantly, the United States Supreme Court has held that “willfulness,” as defined in §1681n of FACTA, encompasses two levels of intent: “knowing” violations and violations committed in “reckless disregard” of the statute’s requirements.  Safeco Ins. Co. v. Burr, 551 U.S. 47, 71 (2007).  As noted by the Eleventh Circuit, for purposes of defense coverage, the distinction between the two levels of “willful” intent is important:  “‘knowing’ violations are excluded from coverage, but violations committed with ‘reckless disregard’ are not.”  Kansas City Landsmen, 2015 WL 137816 at *5.

In the decision under review, the district court had concluded that the underlying action asserted only “willful” FACTA violations at the “knowing” level of intent, thereby precluding coverage under the policies’ Knowing Violation exclusions.  In reaching its conclusion, the court relied on the following allegations in the complaint:

57. At the time of the FACTA violations identified in this Complaint and before, Defendants knew of their obligations under FACTA ….

60. Despite knowledge of FACTA’s requirements …, Defendants continued to willfully disregard FACTA’s requirements ….

63. Defendants knew of and failed to comply with their legal duty [under FACTA] ….

65. Notwithstanding all of the publicity and the Defendants’ knowledge of the statute’s requirements, they willfully failed to comply with FACTA ….

The Eleventh Circuit disagreed with the trial court and reversed.  Examining these same allegations, the Eleventh Circuit held that the alleged “knowledge” only described the insureds’ “alleged knowledge of FACTA’s requirements, not their knowledge of any alleged violations of its requirements.”  Id. at *6.  The court explained that it believed the complaint had drawn a distinction between the insureds’ mental state for the FACTA requirements and their alleged violations of the statute:

Paragraph 65 . . . reads, “Notwithstanding … the Defendants’ knowledge of the statute’s requirements, they willfully failed to comply with FACTA …,” meaning that they both knew of FACTA’s requirements and that they failed to comply with them either knowingly or with reckless disregard.  . . .  Conspicuously absent from the complaint is any allegation that the violations were knowing.

Id. at *6.  Because statutory violations committed in “reckless disregard” do not implicate the Knowing Violation exclusions, the district court’s grant of summary judgment was reversed.

Notably, the Eleventh Circuit held it was irrelevant that the complaint never used the term “reckless disregard”:

It matters not that the Galloway complaint does not use the phrase “reckless disregard” specifically because the [underlying] complaint alleges that the [insureds] acted “willfully” when they violated §1681c(g)(1).  Under Safeco, this means that the Galloway plaintiffs can succeed on their claims if they show that the Car Rental Companies acted either “knowingly” or with “reckless disregard.”  See 51 U.S. at 71.

Id.  Because the alleged “willful” intent could not be isolated to knowing intent, the exclusions could not apply for purposes of the duty to defend.

What This Case Means.  Kansas City Landsmen highlights that careful attention should be given before denying defense coverage under a Knowing Violation exclusion.  In addition to a careful analysis of the underlying complaint, an analysis of the applicable causes of action, including the associated statutory provisions and their standards of culpability, should be performed to understand all potential bases of liability.

Article III Standing: The First Wall of Defense In Security Data Breach Litigation

2014 witnessed a proliferation of cyber security data breaches and resulting data breach litigation.  Most class actions filed in the wake of a data breach assert injuries for increased risk of identity theft, fraudulent financial charges on credit cards, and costs incurred from having to enroll in third-party credit-monitoring services.  But realistically, not every data breach results in an injury.  Article III standing can be a significant defense for disposing security data breach claims in the relatively early stages of litigation.

Standing derives from Article III of the U.S. Constitution, which limits the powers of the federal judiciary to the resolution of “cases” and “controversies.”  U.S. Const. Art. III, §2.  To maintain a lawsuit, every plaintiff must plead and ultimately prove that he or she has suffered sufficient injury to satisfy the “case or controversy” requirement.  At the pleading stage, a plaintiff must allege: (1) an injury-in-fact that is concrete and particularized, as well as actual or imminent; (2) that the injury is fairly traceable to the challenged action of the defendant; and (3) that the injury can be remedied by a favorable ruling.  If the plaintiff cannot satisfy these criteria, the claim must be dismissed.  This article discusses some recent data breach decisions that address standing.

Clapper v. Amnesty Int’l USA.  Much of the recent standing litigation stems from the United States Supreme Court decision in Clapper v. Amnesty Int’l USA, — U.S. –, 133 S. Ct. 1138 (2013).  In Clapper, respondents, whose work required them to engage in international communications with individuals potentially targeted under the Foreign Intelligence Surveillance Act, sought to have the Act declared unconstitutional and/or to obtain an injunction against the surveillance.  Clapper, 133 S. Ct. at 1142-43.  To establish Article III standing, the respondents alleged injury from (1) the objectively reasonable likelihood that their communications would at some point be targeted under the Act; and (2) the fact that they already had undertaken costly measures to protect the confidentiality of their international sources.  Id. at 1147.  The Supreme Court rejected both arguments.

For the first argument, the Supreme Court concluded that although it may be “objectively reasonable” that plaintiffs’ communications could be intercepted, they had failed to show that the “threatened injury” was “certainly impending.”  The Supreme Court held that a “speculative chain of possibilities … based on potential future surveillance” was insufficient.  For the second argument, the Supreme Court determined that if parties could establish Article III standing on reasonably incurred costs to avoid the risk of future harm, such a result could “water down” the requirements of Article III:

If the law were otherwise, an enterprising plaintiff would be able to secure a lower standard for Article III standing simply by making an expenditure based on a nonparanoid fear.

Id. at 1150-51.  Although the respondents’ costs to avoid surveillance were not “fanciful, paranoid, or otherwise unreasonable,” the Supreme Court held they could not “manufacture standing merely by inflicting harm on themselves based on fears of hypothetical harm that was not ‘certainly impending.’”

Standing in Security Data Breach Litigation.  A key issue in cyber security data breach cases is whether allegations of injuries from increased risk of identity theft and costs incurred from credit-monitoring services are sufficient to establish standing.  In other words, do these boilerplate claims allege an injury that is concrete and particularized, as well as actual or imminent?  Some courts have held that they do not.  In re Science Applications Int’l Corp. (SAIC), — F. Supp. 2d –, 2014 WL 1858458 (D.D.C. May 9, 2014) is a good example.

SAIC involved the break-in of an employee’s car in which the car’s GPS system and stereo were stolen, as well as data tapes containing personal and medical records of approximately 4.7 million people.  SAIC, 2014 WL 1858458 at *1.  Notably, the data tapes contained no financial information about those persons, and they required special hardware in order to access the data on them.  SAIC notified affected persons of the breach, and lawsuits followed, alleging various claims for increased risk of identity theft, violation of privacy, and costs incurred from class members enrolling in credit monitoring services.  Following consolidation of the lawsuits and the filing of an amended consolidated complaint, SAIC moved to dismiss.  The court dismissed the claims for increased risk of identity theft.  Looking to the U.S. Supreme Court’s recent discussion of standing in Clapper, the court concluded the claims did not allege a concrete injury, let alone one that was “certainly impending.”

The court first determined that increased risk alone was insufficient to confer standing.  Although the lawsuit alleged that plaintiffs were 9.5 times more likely to suffer identity theft as a result of the data breach, the statistical data was irrelevant because it had nothing to do with whether the alleged injury was “certainly impending”:

Plaintiffs begin by asserting that an increased risk of harm alone constitutes an injury sufficient to confer standing to sue.  Due to the data breach, they claim that they are 9.5 times more likely than the average person to become victims of identity theft.  Compl., ¶ 23. That increased risk, they maintain, in and of itself confers standing.  But as Clapper makes clear, that is not true.  The degree by which the risk of harm has increased is irrelevant—instead, the question is whether the harm is certainly impending.

Id. at *6 (emphasis added); see also Galaria v. Nationwide Mut. Ins. Co., 998 F. Supp. 2d 646, 654 (S.D. Ohio 2014) (“That is, a factual allegation as to how much more likely they are to become victims than the general public is not the same as a factual allegation showing how likely they are to become victims.”).

The court then concluded that claims for increased risk of identity theft were too speculative to be “certainly impending” because they depended upon too many contingencies, including whether the thief realized that the stolen tapes contained data, had access to machinery to extract and decrypt the data, and whether the thief would use the data.  Although the fear of identity theft was reasonable, fear is not enough:

. . . it is reasonable to fear the worst in the wake of such a [data] theft, and it is understandably frustrating to know that the safety of your most personal information could be in danger.  The Supreme Court, however, has held that an “objectively reasonable likelihood” of harm is not enough to create standing, even if it is enough to engender some anxiety. [Citation omitted.]  Plaintiffs thus do not have standing based on risk alone, even if their fears are rational.

SAIC, 2014 WL 1858458, at *7; see also Strautins v. Trustwave Holdings, Inc., 2014 WL 960816 (N.D. Ill. Mar. 12, 2014) (increased risk of future harm did not confer standing); In re Barnes & Noble Pin Pad Litig., 2013 WL 4759588 (N.D. Ill. Sept. 3, 2013) (same).

Along this same reasoning, the SAIC court also concluded that costs incurred from enrolling in credit monitoring services to prevent identity theft were insufficient to confer standing, even if enrolling in such services was “sensible”:

Nor is the cost involved in preventing future harm enough to confer standing, even when such efforts are sensible. . . . the Supreme Court has determined that proactive measures based on “fears of … future harm that is not certainly impending” do not create an injury in fact, even where such fears are not unfounded.

SAIC, 2014 WL 1858458, at *7.

In Galaria, an Ohio District Court also determined that claims for increased risk of identity theft did not satisfy Article III standing in the absence of facts showing that “such harm is ‘certainly impending.’”  Galaria, 998 F. Supp. 2d at 654.  According to the court, the defendant’s offer to pay for credit monitoring services as a result of the data breach into its system further minimized the likelihood of an impending injury:  “Moreover, Named Plaintiffs’ allegation that Defendant offered a free year of credit monitoring and identity theft protection further supports the Court’s conclusion that risk of injury is not certainly impending.”

More recently, an Illinois District Court in Remijas v. The Neiman Marcus Group, LLC, 2014 WL 4627893 (N.D. Ill. Sept. 16, 2014) rendered similar holdings.  The case involved the December 2013 Neiman Marcus security data breach in which credit card information for approximately 350,000 customers was stolen.  At the time of the litigation, and unlike in SAIC and Galaria, approximately 9,200 cardholders already had incurred fraudulent charges on their credit cards.  Neiman Marcus, 2014 WL 4627893 at *3.  The fraudulent charges, according to the court, allowed the court to infer that the 3,200 cardholders did have their data stolen, and that the remaining cardholders were at a “certainly impending” risk of seeing similar fraudulent charges on their cards.  However, the court concluded that the allegations did not permit a plausible inference that the cardholders had suffered a concrete injury sufficient for standing because the fraudulent charges had been reimbursed or forgiven.  The court explained:

. . . I am satisfied that the potential future fraudulent charges are sufficiently “imminent” for purposes of standing.  But of course, even having conceded imminence, both injuries (present and future) must still be concrete.  Here, as common experience might lead one to expect, Plaintiffs have not alleged that any of the fraudulent charges were unreimbursed.  On these pleadings, I am not persuaded that unauthorized credit card charges for which none of the plaintiffs are financially responsible qualify as “concrete” injuries.  [Citations omitted.]   Without a more detailed description of some fairly substantial attendant hardship, I cannot agree with Plaintiffs that such “injuries” confer Article III standing.

Id. at *3; see also Burton v. MAPCO Express, Inc., 2014 WL 4686479, at *5 (N.D. Ala. Sept. 12, 2014) (dismissing action with leave to amend, but explaining that because fraudulent charges from cyber data breach had been forgiven, plaintiffs were unlikely to meet the jurisdictional amount in controversy requirement).  Nor did the Neiman Marcus court believe that the risk of identity theft conferred standing:

And again, I accept the inference from this that additional customers are at a “certainly impending” risk of future fraudulent charges on their credit cards.  But to assert on this basis that either set of customers is also at a certainly impending risk of identity theft is, in my view, a leap too far.  The complaint does not adequately allege standing on the basis of increased risk of future identity theft.

Neiman Marcus, 2014 WL 4627893 at *3-4.

Costs incurred from credit monitoring services to guard against the risk of identity theft also did not confer standing because the risk of identity theft did not constitute a cognizable injury for purposes of standing:

The cost of guarding against a risk is an injury sufficient to confer standing only if the underlying harm the plaintiff is seeking to avoid is itself a cognizable Article III injury.  [Citation omitted.]  As discussed above, however, on these pleadings I am not satisfied that either of the future injuries claimed in the complaint are themselves sufficient to confer standing.

Id. at *4.

However, not every federal court has concluded that allegations of increased risk of identity theft do not confer standing.  A critical factual issue appears to be whether the stolen personal data was specifically targeted by the data thieves.  If so, standing may be found.  In re Adobe Sys., Inc. Privacy Litig., 2014 WL 4379916 (N.D. Cal. Sept. 4, 2014), is instructive.

Adobe involved the August 2013 cyber data breach suffered by Adobe that resulted in the theft of software source code and the personal information of approximately 38 million customers, including names, passwords, credit/debit card information, and addresses.  Auditors later concluded that Adobe’s security protocols were flawed and did not conform with industry standards.  Adobe, 2014 WL 4379916 at *2.  Subsequent class actions alleging violation of California’s Customer Records Act (“CRA”), and seeking declaratory and injunctive relief, were filed and consolidated.  Adobe moved to dismiss the CRA claim for lack of standing.

Plaintiffs alleged they suffered cognizable injuries-in-fact through an increased risk of identity theft and costs incurred from purchasing credit-monitoring services.  The Adobe court agreed.  Because the hackers had targeted the plaintiffs’ personal data and had used Adobe’s own systems to decrypt the plaintiffs’ credit card information, the court determined that the risk that the data would be misused was “immediate and very real.”

Not only did the hackers deliberately target Adobe’s servers, but Plaintiffs allege that the hackers used Adobe’s own systems to decrypt customer credit card numbers. . . . Indeed, the threatened injury here could be more imminent only if Plaintiffs could allege that their stolen personal information had already been misused. However, to require Plaintiffs to wait until they actually suffer identity theft or credit card fraud in order to have standing would run counter to the well-established principle that harm need not have already occurred or be “literally certain” in order to constitute injury-in-fact.

Id. at *8.

The Adobe court distinguished the case before it from others, including SAIC, on the basis that the personal information at issue had been targeted, thereby making its potential use “certainly impending”:

The facts of SAIC stand in sharp contrast to those alleged here, where hackers targeted Adobe’s servers in order to steal customer data, at least some of that data has been successfully decrypted, and some of the information stolen in the 2013 data breach has already surfaced on websites used by hackers.

Id.; see also In re Sony Gaming Networks & Customer Data Security Breach Litig., 996 F. Supp. 2d 942, 962-63 (S.D. Cal. 2014) (denying motion to dismiss and holding allegations of disclosure of personal data from data breach conferred Article III standing because of threat of resulting harm).   Because the court found that the increased risk of identity theft was a cognizable injury for purposes of standing, so were costs incurred to enroll in credit monitoring services:

. . . in order for costs incurred in an effort to mitigate the risk of future harm to constitute injury-in-fact, the future harm being mitigated must itself be imminent.  As the Court has found that all Plaintiffs adequately alleged that they face a certainly impending future harm from the theft of their personal data, see supra Part III.A.1.a, the Court finds that the costs . . . incurred to mitigate this future harm constitute an additional injury-in-fact.

Adobe, 2014 WL 4379916 at *9.