5th Circuit Holds That Phishing Scam Does Not Implicate Computer Fraud Coverage

This entry was posted by Joshua Mooney on October 20, 2016.

In Apache Corp. v. Great American Ins. Co., 2016 U.S. App. LEXIS 18748 (5^th Cir. Oct. 18, 2016), the United States Court of Appeals for the Fifth Circuit held that loss from a phishing scam, which led to misdirected payments in the amount of $7 million, was not covered under a policy’s computer fraud coverage. Although the fraudulent scheme was initiated through emails, the court held that the emails were too incidental to classify the insured’s subsequent loss as one “resulting directly from the use of any computer to fraudulently cause a transfer of that property.”

The facts of the case are straightforward and serve as a good illustration as to why double verification practices should be practiced by every company as a preventive measure against cyber fraud. In the case, the insured, Apache Corporation was an oil-production company. An employee in Scotland received a telephone call from a person identifying herself as a representative of Petrofac, an Apache vendor. The caller instructed Apache to change the bank-account information for payments Apache made to Petrofac. The Apache employee replied that the change-request could not be processed without a formal request on Petrofac letterhead. Id. at *2. Read More

This entry was posted in Data Breach Insurance Coverage.

Ohio Court Holds That Requested Self-Audit Can Be a “Claim”

This entry was posted by Joshua Mooney on October 17, 2016.

In Eighth Promotions v. Cincinnati Ins. Cos., 2016 Ohio App. LEXIS 4119 (Ohio Ct. App. Oct. 11, 2016), the Ohio appellate court held that a letter forwarded to the insured by a copyright holder requesting that the company conduct a self-audit into its alleged copyright violations constituted a demand for non-monetary relief and thus fell within a policy’s definition for “claim.” The same court also held that the insured could not stretch the scope of the claim or subsequent settlement to circumvent the policy’s copyright infringement exclusion.

The insured, Eighth Promotions, manufactured and sold sports awards and business gifts. The company’s Operating Agreement provided indemnification protection to its officers and directors, stating that the company would “indemnify and hold harmless” its officers and directors “[i]n any “threatened . . . claim, action or proceeding to which any officer or any [director] . . . is [a] party or is threatened to be made a party by reason of its or his activities on behalf of [Eighth Floor].” Id. at *1-2. The company purchased a D&O liability policy, which contained an insuring agreement covering “all ‘loss’ which the ‘company’ is required to pay as indemnification to the ‘individual insureds’ resulting from any ‘claim’ first made during the ‘policy period’ . . . for a ‘wrongful act’.” Id. at *15-16. The policy defined a “claim” in part as: Read More

This entry was posted in Uncategorized.

Article III Standing in Data Breach Litigation and Problems Galaria Poses for Data Breach Responses

This entry was posted by Joshua Mooney on September 19, 2016.

Last week, in Galaria v. Nationwide Mut. Ins. Co., 2016 U.S. App. LEXIS 16840 (6^th Cir. Sept. 12, 2016), the United States Court of Appeals for the Sixth Circuit weighed in on the issue of Article III standing for data breach litigation and effectively lowered the threshold to establish standing. The decision echoes sentiments expressed by the Seventh Circuit in Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016), and Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015). The facts are straightforward, and it is part of an ongoing trend by courts to make it easier to allege injury and bring data breach litigation. This will drive up litigation. Yet, here is a bigger problem: the Sixth Circuit based its determination that standing existed to sue a breach victim on actions undertaken by the breach victim to mitigate damage and help consumers prevent the very harm that plaintiffs later sued over. Is the message of “darned if you do” one that courts want to establish? Can decisions like Galaria create an adverse impact on response efforts undertaken by breach victims? These are issues that a breach victim will have to wrestle with early on and provide one more reason why cyber counsel should be retained.

The facts of Galaria are straightforward. In that case, the breach victim, Nationwide, maintained records containing personal information of customers and potential customers, including names, dates of birth, marital statuses, employers, Social Security numbers, and driver’s license numbers. On October 3, 2012, hackers breached Nationwide’s computer network and stole the personal information of 1.1 million people. Id. at *3. In the underlying data breach litigation that followed, putative class actions alleged violation of the Fair Credit Reporting Act (“FCRA”) through Nationwide’s failure to adopt required procedures to protect against wrongful dissemination of plaintiffs’ data. Plaintiffs also alleged claims for negligence, and invasion of privacy by public disclosure of private facts – all based on Nationwide’s failure to secure Plaintiffs’ data. Id. at *4. Read More

Pirated Television Programming Is Not “Data” Under Media Policy

This entry was posted by Joshua Mooney on July 29, 2016.

It’s hard to believe that we are less than two months away from Coverage College (September 22). If you have not signed up yet, please do by visiting White and Williams’ website. This year, I will be teaching a class on coverage issues in privacy and cyber liability litigation. It should be an exciting and fast-paced class. We’ll have a lot to talk about.

Last Friday, in Ellicott City Cable, LLC v. AXIS Ins. Co., 2016 U.S. Dist. LEXIS 95819 (D. Md. July 22, 2016), the federal district court of Maryland rejected the contention that pirated digital television programming constituted “data” under a media policy. Even broad terms do not have boundless meanings. Terms must be read within the context of their use and the policy as a whole. Read More

This entry was posted in Uncategorized.

No Coverage for PCI Assessment Liability Under Cybersecurity Policy

This entry was posted by Joshua Mooney on June 8, 2016.

In P.F. Chang’s China Bistro, Inc. v. Federal Ins. Co., 2016 WL 3055111 (D. Ariz. May 31, 2016), the United States District Court of District of Arizona held that liability for PCI assessments following a data breach of 60,000 credit card numbers was excluded under a cybersecurity policy. This case demonstrates the importance and ability of carriers to define the risk insured under a policy, including cybersecurity insurance.

In PF Chang’s, the insured purchased a cybersecurity insurance policy. The insurer’s underwriters classified the insured as a high risk, “PCI Level 1”, because the insured conducted more than 6 million transactions per year, a large number of which were with credit cards, thus creating a high exposure to potential customer identity theft. Id. at *1. The insured, like many merchants, was unable to process credit card transactions themselves, and therefore entered into an agreement with the credit card processor to process credit card transactions with the banks who issue the credit cards (“Issuers”), such as Chase or Wells Fargo. Here, Chang’s entered into a Masters Service Agreement (“MSA”) with the credit card processer Bank of America Merchant Services (“BAMS”) to process credit card payments made by customers of Chang’s. Id. Under the MSA, Chang’s delivered customer credit card payment information to BAMS who then settled the transaction through an automated clearinghouse. BAMS thereafter credited the Chang’s account for the amount of the payments. Id. Read More

This entry was posted in Data Breach Insurance Coverage.

Financial Institution Bond Covers Loss From Hacking

This entry was posted by Joshua Mooney on May 31, 2016.

In State Bank v. BancInsure, Inc., 2016 U.S. App. LEXIS 9235 (8^th Cir. May 20, 2016), the United States Court of Appeals for the Eighth Circuit held that a $485,000 fraudulent wire transfer perpetrated through the use of malware residing on a bank employee’s computer was covered under the bank’s financial institution bond. The facts are straightforward.

The insured used the Federal Reserve’s FedLine Advantage Plus system to perform wire transfers. The transfers were made through a desktop computer connected to a Virtual Private Network device provided by the Federal Reserve. In order to complete a transfer, two bank employees had to enter their individual user names, and each had to insert individual physical tokens into the computer, and provide individual passwords and passphrases. Read More

This entry was posted in Data Breach Insurance Coverage, Uncategorized.

Making Records Accessible on the Internet Is a “Publication”

This entry was posted by Joshua Mooney on April 12, 2016.

We have all heard the question “if a tree falls in the forest…,” a philosophical experiment that raises questions of observation, knowledge, and reality. Whether or not the philosopher George Berkeley deserves credit for first raising the question, if still alive, he may have been disappointed in yesterday’s decision, Travelers Indem. Co. of Am. v. Portal Healthcare Solutions, LLC, No. 14-1944 (4^th Cir. Apr. 11, 2016). In that case, the trial court had addressed the legal question of “whether materials are published if they are posted on the Internet, but no one reads them?” As discussed by The Coverage Inkwell in August 2014, the trial court answered the question in the affirmative. Yesterday, the Fourth Circuit affirmed the decision, but never really weighed in on the question. That’s too bad.

The facts of the case are straightforward. The insured Portal Healthcare Solution (“Portal”) specialized in the electronic safekeeping of medical records for hospitals, clinics, and other medical providers. Travelers Indem. Co. of Am. v. Portal Healthcare Solutions, LLC, 35 F. Supp. 3d 765, 767-78 (E.D. Va. 2014). A New York putative class action was filed against it, alleging that Portal had failed to safeguard the confidentiality of the medical records of patients at Glen Falls Hospital (“Glen Falls”) by posting them on the Internet and making them publicly accessible through Internet searches. Id. Two patients of Glen Falls discovered the breach when they conducted a Google search for their names and found links that directed them to their Glen Falls medical records. Id. Read More

This entry was posted in Data Breach Insurance Coverage, Privacy Rights and tagged personal and advertising injury, Publication.

Electronic Data and Distribution of Material Exclusion Does Not Bar Coverage for Disclosure of Genetic Data

This entry was posted by Joshua Mooney on January 13, 2016.

Last week, the United States District Court for the Southern District of Texas held that an Electronic Data and Distribution of Material in Violation of Statutes exclusion, a variant of the Telephone Consumer Protection Act (“TCPA”) exclusion, did not prohibit coverage for an insured’s wrongful, online publication of genetic data in violation of a statute. Evanston Ins. Co. v. Gene By Gene, Ltd., 2016 WL 102294 (S.D. Texas, Jan. 6, 2016). In so holding, the court construed the exclusion to address solely intrusion upon seclusion claims. The facts of the case are straightforward.

The insured, Gene by Gene Ltd. (“GBG”), owned and operated a genealogy website whereby users of the site were offered the opportunity to take DNA tests and then use their genetic information from the tests to learn more about their ancestry and connect with other users whose results matched their own results in varying degrees. Gene By Gene, 2016 WL 102294 at *1. An underlying plaintiff sued GBG in Alaska federal court, alleging that GBG improperly published his DNA test results on its website without his consent and in violation of Alaska’s Genetic Privacy Act. Id. The Genetic Privacy Act prohibits disclosure of a person’s DNA analysis without written and informed consent. See AS §18.13.010. Read More

This entry was posted in Data Breach Insurance Coverage, Privacy Rights.

The Ninth Circuit Holds There Is No Coverage for Violation of the Song-Beverly Act

This entry was posted by Joshua Mooney on December 9, 2015.

This week, the United States Court of Appeals affirmed Big 5 Sporting Goods Corporation, a case in which the trial court had held that “personal and advertising injury” coverage did not exist for violation of California’s Song-Beverly Act, even where common law allegations of invasion of privacy were alleged in connection with the unlawful collection of ZIP Codes. See Big 5 Sporting Goods Corporation v. Zurich American Ins. Co., No. 13-6249 (9^th Cir. Dec. 7, 2015), affirming Big 5 Sporting Goods Corporation v. Zurich American Ins. Co., 957 F. Supp. 2d 1135 (C.D. Cal. 2013).

In Big 5, the insured was sued in multiple underlying class action lawsuits alleging invasion of privacy and violation of the Song-Beverly Act from the practice of requesting ZIP Code information during credit card transactions. See Big 5 Sporting Goods, 957 F. Supp. 2d at 1138. Some of the class actions alleged both violation of the Song-Beverly Act as well as common law negligence and invasion of privacy claims. Id. The insured sought coverage under “personal and advertising injury,” defined in part as injury arising out of “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy.” Id. at 1140. Read More

This entry was posted in Privacy Rights and tagged personal and advertising injury, Song-Beverly Act, Statutory Violation Exclusion, ZIP Codes.

Third Circuit Holds “Privacy” Means Secrecy, “Publication” Means Dissemination to Public, and “in Any Manner” Does Not Change Meaning of “Publication”

This entry was posted by Joshua Mooney on October 2, 2015.

In OneBeacon Amer. Ins. Co. v. Urban Outfitters, 2015 WL 5333845 (3d. Cir. Sept. 15, 2015), the United States Court of Appeals for the Third Circuit held that three underlying class action lawsuits filed against Urban Outfitters and Anthropologie, Inc. did not allege “personal and advertising injury.” The Third Circuit held that for Coverage B “oral or written publication, in any manner, of material that violates person’s right of privacy,” (1)“privacy” refers only to the right of secrecy, not the right of seclusion; (2) “publication” requires dissemination of information to the public at large, and (3) “in any manner” does not modify or change the meaning of “publication” to a lesser standard.

In the spirit of full disclosure, I represented OneBeacon America in the litigation with my colleagues at White and Williams LLP. The facts of the matter are straightforward. Read More

This entry was posted in Privacy Rights and tagged Coverage B, ZIP Codes.