Breaking Through on Cyber: Next Gen Coverage Disputes and Decisions
First Gen: Retrofit, Repurpose, or Retool
Of the cases where courts have attempted to address the application of insurance policy language to cyber liabilities, data losses, or related privacy/security issues, the reported decisions have surfaced mostly in the context of analyzing comprehensive general liability (CGL) policies. In those cases, courts have addressed whether data breaches, data losses, or alleged statutory violations trigger insuring agreements on the basis that it falls within a “personal and advertising injury” provision. The results have been mixed. Some decisions are based on a factual question: did a “data breach” result in the publication of a person’s private information?(1) Other cases examine whether the alleged wrongful conduct was an “intrusion upon seclusion” or an actual “invasion of privacy.”(2)
In earlier disputes, questions arose regarding whether loss of data is “property damage.”(3) Some crime and fidelity coverages are being tested for their responsiveness to the outbreak of phishing scams.(4) Other cases have addressed cyber coverages but the underlying allegations were found ultimately not to involve a “cyber” or “tech” related error or omission.(5)
Cracking the Code: “Cyber” Terms for “Cyber” Losses
The stage is set for additional scrutiny of what is covered under “cyber” coverages for “cyber” losses.(6) Results are starting to trickle in from front-line tests of these terms.
Fees Assessed Against Merchant Excluded
In P.F. Chang’s China Bistro Inc. v. Federal Insurance Co., a federal court resolved certain issues relating to “data breach” losses submitted under a “cyber” policy form.(7) Providing some context, the Court noted that during the underwriting process, the insurer, Federal, reportedly designated Chang’s as high risk (6 million plus credit card transactions annually; potential high exposure for customer identity theft).
Chang’s reported a data breach (hackers obtained 60,000 customer credit card numbers). Federal paid $1.7 million in related forensic costs, as well as expenses in defending litigation brought by the affected customers. Federal disputed a claim, however, for $1.9 million in assessment fees imposed by the merchant services provider, Bank of America Merchant Services (“BAMS”). Chang’s, like all merchants processing credit cards, entered into a master services agreement (MSA) with an issuing bank (Bank of America). These terms include various “fees,” “fines,” “penalties” or “assessments” imposed by the issuing bank, in the event that a merchant fails to meet certain security standards and the issuing bank identifies fraudulent activity related to a specific breach.
The issuing bank “assessed” its fees against Chang’s based on a MasterCard report, consisting of a fraud recovery assessment ($1.7 million), an operational reimbursement assessment ($160,000; costs of issuing bank cards, new account numbers, and new security codes), and a case management fee ($50,000). Pursuant to the MSA, and so as not to lose the ability to process credit card transactions, Chang’s paid the $1.9 million assessment. Chang’s submitted this to Federal under the cyber policy but Federal denied that part of the claim.
Chang’s argued that the fraud recovery assessment charge was covered because Federal agreed to pay for a loss made against the insured for a “Privacy Injury” (an “injury sustained or allegedly sustained by a ‘Person’ because of actual or potential unauthorized access to such ‘Person’s’ ‘record’ . . .”). Chang’s reasoned that it was irrelevant that the injury to MasterCard (compromise of customer data) was first passed through Bank of America, noting an industry standard practice, and arguing that, by compensating the issuing bank, Chang’s was effectively compensating MasterCard.
Federal argued that because Bank of America itself did not suffer an injury, there was no “claim” under the policy. Only MasterCard, whose accounts and financial information were impacted, sustained injuries. Ultimately, the court agreed with Federal, noting that the issuing bank was not even in a position to assert a Privacy Injury claim under the policy (“plain reading” of the language necessarily means that “only the Person whose Record is actually or potentially accessed without authorization suffers a Privacy Injury.”)(8)
The Court found in Chang’s favor with respect to other costs: operational reimbursement assessment (costs for reissuing bankcards, new numbers/codes); and case management fees. Chang’s argued the first was covered as “notification expenses” (insurer “shall pay Privacy Notification Expenses incurred by an Insured resulting from a [Privacy] Injury.”). Federal argued that it was the issuing bank that paid the fee and such sums were not incurred by Chang’s. The Court sided with Chang’s (expense “incurred” when insured becomes liable). The Court further held that the case management fee was covered as an “extra expense.”
Despite finding coverage for these sums, the Court ultimately found that exclusions were a bar to coverage. These exclusions stated that Federal would not be liable for “any liability assumed by any Insured under any contract or agreement” and for “any cost or expenses incurred to perform any obligation assumed by, on behalf of… any Insured.”(9) Federal argued that the fees assessed arose out of the MSA terms.
The court agreed with Federal. The court compared these terms to similar terms addressed by courts analyzing CGL forms and noted that such contractual exclusions apply to “the assumption of another’s liability, such as an agreement to indemnify or hold another harmless.” The court determined that the MSA terms met the relevant criteria and, therefore, such fees/assessments were appropriately excluded.
Chang’s also argued “reasonable expectations,” stating that Federal knew about all of the risks involved in its millions of credit card transactions and its contractual relationship with BAMS. Chang’s commented on Federal’s marketing of an all-encompassing policy addressing the “full breadth of risks.” The court rejected this argument, holding that Federal’s knowledge of risks and realities did not prove Chang’s expectations.
No Obligation to Defend Policyholder Who Knowingly Withheld Data
In another case involving “cyber” coverage terms, a different federal judge addressed whether Travelers owed a duty to defend a policyholder in a case where the Insured allegedly “withheld data.” In that matter, Travelers v. Federal Recovery,(10) the Insured was sued by a fitness company for not turning over member account information (billing), which data was to be part of an asset purchase transaction. The causes of action included conversion, tortious interference and breach of contract. Specifically, the Insured was accused of withholding billing data unless certain demands for compensation were satisfied (separate and apart from what was required under the original contract).
The Insured demanded that Travelers defend it and Travelers initially reserved rights but then sought declaratory relief on these points. The Court agreed with Travelers that the allegations against the Insured were not that the Insured withheld data as a result of an “error, omission, or negligence.” Rather, the claimant alleged that the Insured knowingly withheld data and refused to turn it over, subject to certain demands. The Court noted that there was no uncertainty as to whether there was a defense obligation because the allegations did not include any that sounded in negligence.
“Stigmatizing” List Is Not Personal
In another situation, this time via the use of a cyber claims endorsement in a cosmetic surgeon’s professional liability policy, an Illinois Appellate Court sorted through whether a TCPA class action triggered that policy’s “privacy wrongful act” (see Doctors Direct v. Bochenek).(11) The Court in Doctors delved into whether the conduct complained of involved the “control and use of personally identifiable financial, credit, or medical information,” the explicit terms used in this form. The Insured argued that any ambiguity must be resolved in favor of coverage and along the way the Insured noted that “[b]eing identified as someone who might consume cosmetic surgery is as stigmatizing as being identified… [as someone receiving psychotherapy].”
The court found that the alleged statutory violations (TCPA, Consumer Fraud Act) did not fall within a “privacy wrongful act” definition because the regulations are not connected with the control or use of personally identifiable financial, credit or medical information. The Court noted that the named Plaintiff did not mention Illinois’ Personal Information Protection Act (breach notification), and thus such claims were not asserted as part of any Consumer Fraud Act violation.(12) The Court also looked at whether the mere fact that a list of potential customers was allegedly transferred from a spa to a medical provider would render such a list “personally identifiable medical information;” it found that argument deficient. Accordingly, because the underlying allegations were not based on violations of statutes “associated with the control and use of personally identifiable…information,” there was no duty to defend.
Next Gen: Next?
These decisions provide some glimpses into how courts may analyze “cyber” terms in relation to data security and privacy events. While P.F. Chang’s arose out of a data breach and addressed a couple of unique features to those circumstances, ultimately, the court’s analysis came down to an evaluation of a more standardized exclusion, the contractual liability exclusion. Although not the holding of the case, that court also did tackle, in a way, another popular provision in cyber coverages, notification expenses.
The Travelers court got a little bit closer to analyzing a “data” question.(13) Neither of those courts had to address any issues regarding what some practitioners may consider real security or data protection questions.(14) The Doctors decision keenly focused on that policy’s “privacy wrongful act” definition. That Court’s review likely benefitted from the breadth of available analysis on the nature of TCPA disputes and how parties assert harm from (or argue defenses to) alleged violations. Despite the fact that there is not a huge body of case law to draw from relating to “cyber” coverages (of comfort to some), these decisions illustrate that most courts will give careful consideration to these terms, even where some veer toward the technical, or the factual issues appear novel.
For further information on this topic please contact Douglas Giombarrese, Gregory Mantych or Margaret Reetz at Mendes & Mount, LLP at (212 261 8ooo) or email
douglas.giombarrese@mendes.com gregory.mantych@mendes.com or margaret.reetz@mendes.com
(1) Zurich Am. Ins. v. Sony Corp. of Am., 2014 N.Y. Misc. LEXIS 5141 (N.Y. Sup. Ct. 2015)
(2) Los Angeles Lakers v. Federal Insurance Company, (Case No. 2:14-cv-07743-DMG-SH), April 17, 2015. “Some courts have come to the conclusion that CGL policies cover only ‘secrecy-based’ privacy interests rather than ‘seclusion-based’ privacy interest…”
(3) America Online, Inc. v. St. Paul Mercury Ins. Co., 347 F.3d 89 (4th Cir. 2003) [coverage for “physical damage to tangible property;” physical damage to circuits, switches, drives; did not encompass damage to data and software, “i.e., the abstract ideas, logic, instructions, and information.”]
(4) See, State Bank of Bellingham v. BancInsure, Inc., No. 14-3432, — F.3d —, 2016 WL 2943161 (8th Cir. May 20, 2016) (coverage for fraudulent wire transfer under a Financial Institution Bond form); Principle Sols. Grp., LLC v. Ironshore Indem., Inc., No. 1:15-CV-4130-RWS, 2016 WL 4618761, at *2 (N.D. Ga. Aug. 30, 2016)(Commercial Crime Policy; with specifically-defined categories, including “Computer and Funds Transfer Fraud” specifically “Loss resulting directly from a “fraudulent instruction” directing a “financial institution” to debit your “transfer account” and transfer, pay or deliver “money” or “securities” from that account.” Court stated that Insured could act only through its officers, employees. If some employee interaction between the fraud and the loss was sufficient to allow insurer to be relieved from paying, that provision would be rendered “almost pointless” and would result in illusory coverage.); see also, Apache Corp. v. Great American Ins. Co. (Case No. 4:14-CV-237 (S.D. Tex. Aug. 7, 2015)) (“fraudulent email was still a ‘substantial factor in bring about the injury”).
(5) Travelers Property Casualty Company of America, et al. v. Federal Recovery Services, Inc., et al (Case No. 2:14-CV-170 TS)
(6) “Cyber” coverages, broadly speaking, include liability coverages for security breaches, privacy breaches, breaches of privacy regulations, certain technology errors/omissions, and so-called “first-party” coverages for breach response costs, expenses related to loss of data as a result of a security breach, or reimbursement for expenses related to the disruption of systems or services.
(7) P.F. Chang’s China Bistro, Inc. v. Federal Insurance Company, 2016 WL 3055111 (D. Ariz. May 31, 2016).
(8) Chang’s at *8..
(9) Chang’s at *13.
(10) 103 F. Supp. 3d 1297 (D. Utah 2015).
(11) Doctors Direct Ins., Inc. v. Bochenek, 2015 IL App (1st) 142919, 38 N.E.3d 116
(12) The Court noted that the Insured “preserve[d] the argument that the list of [persons identified as prospects for…Botox…or surgery] is ‘personally identifiable medical information.”
(13) See also, Ellicott City Cable, LLC et al., v. Axis Insurance Company, (Case 1:15-cv-02506), insurer required to defend under a media liability policy; exclusion for claims arising out of “unauthorized access to…or…use of” “data” not applicable; court also noted that the exclusion was not applicable as television programming did not fit within that definition/interpretation of “data”.
(14) Compare, Columbia Cas. Co. v. Cottage Health Syst., (Case 2:15-cv-03432, 2015 U.S. Dist. LEXIS 93456 (C.D. Cal. July 17, 2015) (allegations that coverage was precluded based on an exclusion for “failure to follow minimum required practices.”)