Cyber Risks: Evolving Threats, Emerging Coverages, and Ensuing Case Law
- Penn State Law Review
Social media, electronic communication, mobile devices, the sharing economy, voice-activated smart home assistants, biometric authentication, unmanned aerial and autonomous vehicles, digital health monitors, not to mention the promise of artificial intelligence to enhance all of these, are but a sample of the trends and innovations that have transformed and now define much of human endeavor and industry. The collection, manipulation, and management of the data generated from these activities are at the core of their applications and systems. Securing and protecting that data is a fundamental undertaking for enterprises and institutions on a global scale. The associated risks and exposures have progressed from concerns over personal privacy and the confidentiality of corporate assets to threats of widespread organizational interference and operational disruptions, including direct monetary hits involving the illegitimate transfer of funds, and ultimately, to the potential for actual physical harm, injury, or loss. Should or can these emerging risks be subject to the norms and practices customarily employed to address concerns of a brick-and-mortar world? Has the landscape changed so profoundly that entirely new approaches are required? In the discussion to follow, we seek to put some context around how the insurance industry, one segment of the financial services sector, has been responding to advances related to information-sharing and technology products and services. The discussion necessarily involves how the insurers’ clients, the policyholders, seek to allay liabilities and recover losses related to these evolving threats. Not surprisingly, given little precedent regarding how best to resolve liabilities and losses involving untraditional scenarios or untested terminology, some of these disputes are only just beginning to make their way to the courts and, from this relatively modest sample of decisions, certain themes appear to be developing, which hopefully provide some clarity and focus for the benefit of all affected participants.
In the enclosed article, we discuss matters involving policyholders seeking coverage under commercial crime types of policies, following social engineering scams (so-called “phishing” or “spoofing”). The matters involved rulings that, on the surface, appeared to produce divergent results, and both rulings were the subjects of appeals. See Cyber Risks 745-751 (citing Medidata Sols., Inc. v. Fed. Ins. Co., 268 F. Supp. 3d 471 (S.D.N.Y.) and Am. Tooling Ctr., Inc. v. Travelers Cas. & Sur. Co. of Am., No. 16-12108, 2017 WL 3263356 (E.D. Mich. Aug. 1, 2017)). Recently, the Second Circuit affirmed the district court’s ruling in favor of coverage in one matter and the Sixth Circuit reversed the lower court’s ruling in favor of the Insurer in the other. See Medidata Solutions Inc. v. Federal Insurance Co., Case No.17-2492 (2nd Cir. 2018) and American Tooling Center, Inc v. Travelers Casualty and Surety Company of America, Case No. 17-2014 (6th Cir. 2018). The American Tooling court found that, in fact, the Insured suffered a “direct loss” “when it transferred…approximately $834,000 to [an] impersonator,” stating there was “no intervening event.” The Insurer has requested that the full Sixth Circuit review the three-panel decision. See Appellee Travelers Casualty and Surety Company of America’s Petition for Rehearing or Rehearing En Banc, Case No. 17-2014 (6th Cir. Jul 27, 2018).
In connection with our discussion of the American Tooling case, we note another case in which the Court discussed whether a fraud was accomplished through “use of a computer,” and whether the loss “resulted directly” from such use. (See Cyber Risks at 750, fn. 141, InComm Holdings, Inc. v. Great Am. Ins. Co., 1:15-cv-2671-WSD, 2017 WL 1021749 (N.D. Ga.)). The Eleventh Circuit Court of Appeals agreed with the lower court that where fraudsters manipulated a glitch in a computerized interactive-telephone system to redeem duplicative “chits,” such loss was not covered under a “Computer Fraud” policy. See, Interactive Commc’ns Int’l, Inc. v. Great Am. Ins. Co., No. 17-11712, 2018 WL 2149769 (11th Cir. May 10, 2018). However, in an unpublished opinion, the Appellate Court disagreed that the fraud was not perpetrated through the “use” of a computer system, noting that the fraudsters interfaced directly with the computer system to effectuate their duplicate redemptions. The Appellate Court ultimately agreed that the loss did not “result directly” from the initial computer fraud (there was a chain of causation that involved intervening acts and actors).
In a related discussion of what is a loss “directly” from fraudulent computer use, we note the case of Aqua Star (USA) Corp. v. Travelers Cas. & Sur. Co. of Am., No. C14-1368, 2016 WL 3655265 (see, Cyber Risks at 750-751, fn. 143). In a short not-for-publication ruling, the Ninth Circuit affirmed the lower court ruling. The Court found that an exclusion “unambiguously provid[ed] that the policy ‘will not apply to loss or damages resulting directly or indirectly from the input of Electronic Data by a natural person,” noting that the losses were the result of employees who were authorized to enter the Insured’s system, who then changed wiring instructions, which resulted in wire transfers fraudulently induced by the schemers. See Aqua Star (USA) Corp. v. Travelers Cas. & Sur. Co. of Am., Case No. 16-35614 (9th Cir. Apr. 17, 2018).
Finally, in a matter involving cyber breach and stolen credit card data, we discuss a policyholder’s attempt to seek indemnification and a defense under a Directors/Officers policy relating to demands from card brands (Visa/MasterCard) further to terms in the Insured’s Merchant Agreements regarding PCI DSS compliance standards. (See Cyber Risks at 752; Spec’s Family Partners v. Hanover Ins. Co., No. H-16-438, 2017 WL 3278060 (S.D. Tex. Mar. 15, 2017). The Fifth Circuit now has reversed the District Court’s ruling in favor of the Insurer, remanding the matter to the lower court. See Spec’s Family Partners v. Hanover Ins. Co., Case No. 17-20263 (5th Cir. Jun. 25, 2018). The Appellate Court found that the Insurer owed the Insured a duty to defend because there were allegations in the demand letters that went beyond the Insured’s contractual obligations, stating that “when construed liberally…[the allegations] implicate theories of negligence and general contract law…”
View the PDF for the full article.