Category Archives: Uncategorized

Eighth Circuit Holds Deposition Testimony Shows Adequate Notice Given for TCPA Exclusion


Yesterday, the U.S. Court of Appeals for the Eighth Circuit held that an insurer had provided adequate notice of the Distribution of Material exclusion in a renewal policy to make the exclusion enforceable in the context of an underlying Telephone Consumer Protection Act (TCPA) lawsuit. American Family Mutual Insurance Company v. Vein Centers for Excellence, Inc., 2019 U.S. App. LEXIS 98 (8th Cir. Jan. 3, 2019). What makes this decision interesting is that the insurer had to rely on deposition testimony to establish a standard business practice. As more and more plaintiffs’ attorneys are using lack of notice to argue that the Distribution of Material exclusion is ineffective, American Family illustrates an effective way to establish adequate notice where actual documentation may be lacking.

In American Family, the insured was sued in a putative class action for violation of the TCPA arising from the dissemination of unsolicited facsimiles. Id. at *2. The insured, Vein Centers, tendered the lawsuit to its insurer, which undertook the defense subject to a full reservation of rights. Id. The insurer thereafter commenced coverage litigation seeking a declaration that it had no duty to defend or indemnify, later adding the underlying named plaintiff to the lawsuit. Id. The parties cross-moved for summary judgment, with the insurer arguing that coverage was prohibited by the Distribution of Material exclusion (sometimes referred to as the TCPA exclusion). Id. at *3-4. The claimant argued that the exclusion was unenforceable because the insurer had failed to properly notify its insured of the exclusion’s addition when the policy had been renewed. Id. at *4. The trial court rejected the argument and granted the insurer summary judgment. Id.

This entry was posted in Uncategorized.

Vermont Supreme Court Holds “False Pretense” Exclusion Ambiguous in Phishing Scam


Last week, the Vermont Supreme Court in Rainforest Chocolate, LLC v. Sentinel Insurance Company, 2018 VT LEXIS 240 (Vt. Dec. 28, 2018), held that the “False Pretense” exclusion in a business-owner policy did not exclude loss from a phishing scam.

Rainforest Chocolate involved an underlying business email compromise (BEC), a category of phishing attacks whereby a third-party fraudster impersonates a trusted source to trick the email’s recipient into wiring money to them. The Vermont Supreme Court held that the exclusion was ambiguous given the different use of the terms “physical loss and physical damage” versus “loss and damage” throughout the provisions of the policy. The court then remanded the case for determination of whether the loss qualified under insuring agreements for Forgery, and for Money and Securities. This case illustrates another example of how factual scenarios found in phishing scams can create perceived uncertainties in coverage in older provisions, and courts’ intolerance for such uncertainties.

No Coverage for Seafood Importer Netted in Phishing Scam


On April 16, 2018, Beazley Group issued a report highlighting increased attacks on Microsoft’s cloud-based business products and services. The report stated that successful attacks typically are achieved by tricking employees into opening spoofed emails with malicious links or fraudulent instructions in order to harvest credentials. These attacks allow hackers entry into the insured’s system, where they can search for personal information and bank records to initiate wire transfers or redirect payments to hacker-controlled bank accounts.

As serendipity would have it, the next day, the United States Court of Appeals for the Ninth Circuit affirmed a Washington federal court decision holding that a crime policy providing coverage for computer fraud did not cover financial loss for mis-wired payments resulting from a phishing scam. The case, Aqua Star United States Corporation v. Travelers Casualty and Surety Company of America, 2016 U.S. Dist. LEXIS 88985 (D. Wash. July 8, 2016), aff’d, 2018 U.S. App. LEXIS 9660 (9th Cir. Apr. 17, 2018), joins a growing collection of decisions denying computer fraud coverage for phishing scams and business email compromises.

Payee Denied Computer Fraud Coverage in Email Phishing Scams


Business email compromise (BEC) scams are becoming an increasing source of loss (think billions of dollars since 2013) to U.S. businesses, big and small. In Posco Daewoo Am. Corp. v. Allnex USA, Inc., 2017 U.S. Dist. LEXIS 180069 (D.N.J. Oct. 31, 2017), a payee whose invoices totaling $630,058 mistakenly were paid by a customer to a third party as a result of a phishing scam sought coverage for the loss under its own computer fraud coverage. A New Jersey federal district court held that no such coverage existed.

Posco Daewoo, which imported and exported chemicals, supplied its customer Allnex with a chemical product for which Allnex owed payment. In early 2016, an impostor posing as an employee of Posco Daewoo’s accounts receivable department sent emails to an employee of Allnex, instructing Allnex to wire payments to four separate Wells Fargo bank accounts. Id. at *2. Allnex, without confirming the authenticity of the email or the Wells Fargo bank accounts, wired three separate payments to the Wells Fargo accounts, totaling $630,058. Id. After the fraud was discovered, Allnex recovered $262,444 of the stolen $630,058. The remaining $367,613.46 was not recovered. Id. at *3. Posco Daewoo alleged that Allnex still owed it the remaining $367,613.46 to satisfy the original outstanding receivables. Allnex, on the other hand, contended that the unrecovered wire payments satisfied the balance it owed to Posco Daewoo. Id.

PA Court: Employers Have No Duty To Protect Employee PI


In Dittman v. UPMC d/b/a The University of Pittsburgh Medical Center, 2017 PA Super. 8 (Jan. 12, 2017), the Superior Court of Pennsylvania held that an employer does not owe employees a duty to protect and safeguard personal and financial information from disclosure in a data breach resulting from an intrusion in its computer network. While Dittman represents an important decision in emerging case law that declines to impose upon employers a common-law duty to protect employee information, the decision has important limitations. Those limitations may be exploited in future employment litigation and further illustrate the need for companies to adequately review their cybersecurity protocols with the assistance of cyber counsel.

The facts of Dittman are straightforward. In 2014, University of Pittsburgh Medical Center (UPMC) suffered a data breach that compromised the personal and financial information of approximately 62,000 current and former employees. Dittman, slip op. at 1-2. The stolen information included employees’ names, birth dates, social security numbers, tax information, addresses, salaries, and bank information. The information later was used to file fraudulent tax returns to steal the tax refunds. Id. at 2. Soon after UPMC announced the breach, two separate class action lawsuits were filed against the company. One lawsuit was comprised of current and former UPMC employees who had been victimized by identity theft; the other lawsuit involved current and former UPMC employees who had not been victims of identity theft, and instead alleged that they were at an increased risk of identity theft as a result of the data breach. Id. at 3.

TCPA Claims Excluded by “Unsolicited Communications” Endorsement


Yesterday, the Missouri federal court in Travelers Indem. Co. v. Max Margulis & Surrey Vacation Resorts, 2016 U.S. Dist. LEXIS 173420 (E.D. Mo. Dec. 15, 2016), held that coverage for an underlying Telephone Consumer Protection Act (“TCPA”) lawsuit for “robo” calls to cell phones was prohibited by the “unsolicited communications” endorsement.  Because this endorsement is being used more often, and because it does not receive as much fanfare as its sister-exclusion for “Distribution of Material,” I decided to write about it here in The Coverage Inkwell.

The insured, Surrey Vacation Resorts, Inc., d/b/a Grand Crowne Resorts (“Surrey”), was sued for an alleged, unsolicited June 18, 2013 call to the plaintiff’s cell phone through use of an automated telephone dialing system and without his prior consent. Id. at *1. Plaintiff filed suit under the TCPA, alleging that plaintiff “incurred ‘damages’ due to receipt of one telephone call from Surrey on June 18, 2013, which he did not specifically request to receive.” Id. at *6. The TCPA makes it unlawful “to make any call (other than a call made for emergency purposes or made with the prior express consent of the called party) using any automatic telephone dialing system…to any telephone number assigned to a paging service, cellular telephone service, specialized mobile radio service, or other radio common carrier service, or any service for which the called party is charged for the call….” Id. at *8. Travelers defended the insured under a reservation of rights and commenced coverage litigation. Id. at *1.

Ohio Court Holds That Requested Self-Audit Can Be a “Claim”


In Eighth Promotions v. Cincinnati Ins. Cos., 2016 Ohio App. LEXIS 4119 (Ohio Ct. App. Oct. 11, 2016), the Ohio appellate court held that a letter forwarded to the insured by a copyright holder requesting that the company conduct a self-audit into its alleged copyright violations constituted a demand for non-monetary relief and thus fell within a policy’s definition for “claim.”  The same court also held that the insured could not stretch the scope of the claim or subsequent settlement to circumvent the policy’s copyright infringement exclusion.

The insured, Eighth Promotions, manufactured and sold sports awards and business gifts.  The company’s Operating Agreement provided indemnification protection to its officers and directors, stating that the company would “indemnify and hold harmless” its officers and directors “[i]n any “threatened . . . claim, action or proceeding to which any officer or any [director] . . . is [a] party or is threatened to be made a party by reason of its or his activities on behalf of [Eighth Floor].”  Id. at *1-2.  The company purchased a D&O liability policy, which contained an insuring agreement covering “all ‘loss’ which the ‘company’ is required to pay as indemnification to the ‘individual insureds’ resulting from any ‘claim’ first made during the ‘policy period’ . . . for a ‘wrongful act’.”  Id. at *15-16.  The policy defined a “claim” in part as:

Pirated Television Programming Is Not “Data” Under Media Policy


It’s hard to believe that we are less than two months away from Coverage College (September 22). If you have not signed up yet, please do by visiting White and Williams’ website. This year, I will be teaching a class on coverage issues in privacy and cyber liability litigation. It should be an exciting and fast-paced class. We’ll have a lot to talk about.  

Last Friday, in Ellicott City Cable, LLC v. AXIS Ins. Co., 2016 U.S. Dist. LEXIS 95819 (D. Md. July 22, 2016), the federal district court of Maryland rejected the contention that pirated digital television programming constituted “data” under a media policy. Even broad terms do not have boundless meanings. Terms must be read within the context of their use and the policy as a whole.

Financial Institution Bond Covers Loss From Hacking


In State Bank v. BancInsure, Inc., 2016 U.S. App. LEXIS 9235 (8th Cir. May 20, 2016), the United States Court of Appeals for the Eighth Circuit held that a $485,000 fraudulent wire transfer perpetrated through the use of malware residing on a bank employee’s computer was covered under the bank’s financial institution bond.  The facts are straightforward.

The insured used the Federal Reserve’s FedLine Advantage Plus system to perform wire transfers. The transfers were made through a desktop computer connected to a Virtual Private Network device provided by the Federal Reserve. In order to complete a transfer, two bank employees had to enter their individual user names, and each had to insert individual physical tokens into the computer, and provide individual passwords and passphrases.

This entry was posted in Data Breach Insurance Coverage, Uncategorized.

Even in the Cyber World, Intentional Misconduct Is Not Negligence


Yesterday, Travelers Prop. Cas. Co. of Amer. v. Federal Recovery Services, Inc., No. 14-170 (D. Utah) determined that no coverage existed under a Technology Errors and Omissions Liability Form found in a cyber insurance policy after the insured data processor had failed to return valuable personal identification information it held on behalf of the information’s owner. This case is going to get a lot of attention simply because it is the first published decision involving a cyber insurance policy form. What it shows is that, even in the cyber world, intentional misconduct is not negligence.

The facts of the case are straightforward. The underlying plaintiff, Global Fitness, owned and operated fitness centers in several states. As part of its operations, Global Fitness had numerous members who would provide credit card or bank account information through which Global Fitness could bill them (“Member Accounts Data”). (Slip. op. at 3.) Defendants were engaged in the business of providing processing, storage, transmission, and other handling of electronic data for customers. (Id. at 1.) Global Fitness entered into a contract with Defendants to process the Member Accounts and transfer the members’ fees to Global Fitness. (Id. at 3.)
