Yesterday, the U.S. Court of Appeals for the Eighth Circuit held that an insurer had provided adequate notice of the Distribution of Material exclusion in a renewal policy to make the exclusion enforceable in the context of an underlying Telephone Consumer Protection Act (TCPA) lawsuit. American Family Mutual Insurance Company v. Vein Centers for Excellence, Inc., 2019 U.S. App. LEXIS 98 (8^th Cir. Jan. 3, 2019). What makes this decision interesting is that the insurer had to rely on deposition testimony to establish a standard business practice. As more and more plaintiffs’ attorneys are using lack of notice to argue that the Distribution of Material exclusion is ineffective, American Family illustrates an effective way to establish adequate notice where actual documentation may be lacking.

In American Family, the insured was sued in a putative class action for violation of the TCPA arising from the dissemination of unsolicited facsimiles. Id. at *2. The insured, Vein Centers, tendered the lawsuit to its insurer, which undertook the defense subject to a full reservation of rights. Id. The insurer thereafter commenced coverage litigation seeking a declaration that it had no duty to defend or indemnify, later adding the underlying named plaintiff to the lawsuit. Id. The parties cross-moved for summary judgment, with the insurer arguing that coverage was prohibited by the Distribution of Material exclusion (sometimes referred to as the TCPA exclusion). Id at *3-4. The claimant argued that the exclusion was unenforceable because the insurer had failed to properly notify its insured of the exclusion’s addition when the policy had been renewed. Id. at *4. The trial court rejected the argument and granted the insurer summary judgment. Id. Read More

Last week, the Vermont Supreme Court in Rainforest Chocolate, LLC v. Sentinel Insurance Company, 2018 VT LEXIS 240 (Vt. Dec. 28, 2018), held that the “False Pretense” exclusion in a business-owner policy did not exclude loss from a phishing scam.

Rainforest Chocolate involved an underlying business email compromise (BEC), a category of phishing attacks whereby a third-party fraudster impersonates a trusted source to trick the email’s recipient into wiring money to them. The Vermont Supreme Court held that the exclusion was ambiguous given the different use of the terms “physical loss and physical damage” versus “loss and damage” throughout the provisions of the policy. The court then remanded the case for determination of whether the loss qualified under insuring agreements for Forgery, and for Money and Securities. This case illustrates another example of how factual scenarios found in phishing scams can create perceived uncertainties in coverage in older provisions, and courts’ intolerance for such uncertainties. Read More

On April 16, 2018, Beazley Group issued a report highlighting increased attacks on Microsoft’s cloud-based business products and services. The report stated that successful attacks typically are achieved by tricking employees into opening spoofed emails with malicious links or fraudulent instructions to credential harvest. These attacks allow hackers entry into the insured’s system, where they can search for personal information and bank records to initiate wire transfers or redirect payments to hacker-controlled bank accounts.

As serendipity would have it, the next day, the United States Court of Appeals for the Ninth Circuit affirmed a Washington federal court decision holding that a crime policy providing coverage for computer fraud did not cover financial loss for mis-wired payments resulting from a phishing scam. The case, Aqua Star United States Corporation v. Travelers Casualty and Surety Company of America, 2016 U.S. Dist. LEXIS 88985 (D. Wash. July 8, 2016), aff’d, 2018 U.S. App. LEXIS 9660 (9^th Cir. Apr. 17, 2018), joins a growing collection of decisions denying computer fraud coverage for phishing scams and business email compromises. Read More

Business Email Scams (BEC) are becoming an increasing source of loss (think billions of dollars since 2013) to U.S. businesses, big and small. In Posco Daewoo Am. Corp. v. Allnex USA, Inc., 2017 U.S. Dist. LEXIS 180069 (D.N.J. Oct. 31, 2017) a payee whose invoices totaling $630,058 mistakenly were paid by a customer to a third party as a result of a phishing scam, sought coverage for the loss under its own computer fraud coverage. A New Jersey federal district court held that no such coverage existed.

Posco Daewoo, which imported and exported chemicals, supplied its customer Allnex with a chemical product for which Allnex owed payment. In early 2016, an impostor posing as an employee of Posco Daewoo’s accounts receivable department, sent emails to an employee of Allnex, instructing Allnex to wire payments to four separate Wells Fargo bank accounts. Id. at *2. Allnex, without confirming the authenticity of the email or the Wells Fargo bank accounts, wired three separate payments to the Wells Fargo accounts, totaling $630,058. Id. After the fraud was discovered, Allnex recovered $262,444 of the stolen $630,058. The remaining $367,613.46 was not recovered. Id. at *3. Posco Daewoo alleged that Allnex still owed it the remaining $367,613.46 to satisfy the original outstanding receivables. Allnex, on the other hand, contended that the unrecovered wire payments satisfied the balance it owed to Posco Daewoo. Id. Read More

In Dittman v. UPMC d/b/a The University of Pittsburgh Medical Center, 2017 PA Super. 8 (Jan. 12, 2017), the Superior Court of Pennsylvania held that an employer does not owe employees a duty to protect and safeguard personal and financial information from disclosure in a data breach resulting from an intrusion in its computer network. While Dittman represents an important decision in emerging case law that declines to impose upon employers a common-law duty to protect employee information, the decision has important limitations. Those limitations may be exploited in future employment litigation and further illustrates the need for companies to adequately review their cybersecurity protocols with the assistance of cyber counsel.

The facts of Dittman are straightforward. In 2014, University of Pittsburgh Medical Center (UPMC) suffered a data breach that compromised the personal and financial information of approximately 62,000 current and former employees. Dittman, slip op. at 1-2. The stolen information included employees’ names, birth dates, social security numbers, tax information, addresses, salaries, and bank information. The information later was used to file fraudulent tax returns to steal the tax refunds. Id. at 2. Soon after UPMC announced the breach, two separate class action lawsuits were filed against the company. One lawsuit was comprised of current and former UPMC employees who had been victimized by identity theft; the other lawsuit involved current and former UPMC employees who had not been victims of identity theft, and instead alleged that they were at an increased risk of identity theft as a result of the data breach. Id. at 3. Read More