INSIGHTS: Cyber Risks & Coverage: Developing Case Law
From CGL to cyber coverage and beyond
______________________________________________________________________
CGL
Courts have addressed cyber risk questions asserted through CGL policies which involve “tangible property” as that term is used in these policies and exclusions for “impaired property” where the underlying issues are related to the impaired performance of software and systems. Policyholders typically seek coverage for these matters under Coverage A of their CGL policies for bodily injury or property damage.
Cases and Synopses
Retail Systems, Inc. v. CNA Insurance Company, 469 N.W.2d 735 (Minn. Ct. App. 1991)
Computer tape and data integrated completely with physical property; court found coverage under CGL as “tangible property”
Am. Guarantee & Liab. Ins. Co. v. Ingram Micro, 2000 WL 726789 (D. Ariz. Apr. 18, 2000)
Electrical outage; insurer argued there was no “physical damage” under the “all risks” policy language, but court found “physical damage” is not restricted to physical destruction or harm of computer circuitry but includes loss of access, loss of use, and loss of functionality.
NMS Services, Inc. v. Hartford Insurance Company, 62 Fed. Appx. 511 (4th Cir. 2002)
Property coverage with computer and media endorsement; court found acts of destruction by employees do not preclude coverage
America Online, Inc. v. St. Paul Mercury Ins. Co., 347 F.3d 89 (4th Cir. 2003)
Data, information, instructions are not “tangible property” and “impaired property” exclusion precluded coverage for loss of use of tangible property that is not physically damaged
Ward General Ins. Serv., Inc. v. Employees Fire Ins. Co., 114 Cal.App.4th 548 (2003)
No coverage for costs of recovery of data or business interruption; no loss of or damage to tangible property
Eyeblaster, Inc. v. Fed. Ins. Co., 613 F.3d 797 (8th Cir. 2010)
Alleged advertising tracking software installed spyware on the nonconsenting plaintiff; invasion of privacy, deceptive practices allegations; Appellate court found “loss of use” of computer allegations fell within “tangible property” terms of GL policy
++
Alternatively, policyholders have sought coverage through their CGL policy under Coverage B for personal and advertising injury liability when the loss involves personal information and the potential that the subject event is considered a “publication” of information.
Cases and Synopses
Tamm v. Hartford Fire Ins. Co., 16 Mass.L.Rptr. (Mass. Super. Ct. 2003)
Insurer owed duty to defend per “personal injury” provision where former employee threatened to disseminate information from private email accounts
Cynosure Inc. v. St. Paul Fire & Marine Ins. Co., 645 F.3d 1, 2 (1st Cir. Mass 2011)
Invasion of privacy under Coverage B referred to “disclosure, not intrusion;” no coverage for underlying civil action involving blast faxes, alleged violations of TCPA
Creative Hospitality Ventures, Inc. v. United States Liab. Ins. Co., 444 Fed. Appx. 370 (11th Cir. Sept 30, 2011)
Allegations of violations of Fair and Accurate Credit Transactions Act; court held that providing a customer a receipt revealing the customer’s own account information was not “publication”
Recall Total Information Management, Inc. v. Federal Insurance Company, No. 19291, 2015 WL 2371957 (Conn. May 26, 2015)
Personal employment data stored on computer tapes for IBM past/present employees was lost in transit when the tapes fell out of the back of a van; IBM pursued transport carrier’s CGL insurers; Court held IBM’s losses were not covered by the personal injury clauses of the CGL policy because there had been no “publication” of the information stored on the tape
Zurich Am. Ins. v. Sony Corp. of Am., 2014 N.Y. Misc. LEXIS 5141 (N.Y. Sup. Ct. 2015)
Insured sought coverage under CGL terms for alleged transmission of private information by hackers; Case settled and dismissed
Innovak Int’l, Inc. v. Hanover Ins. Co., 2017 WL 5632718 (M.D. Fla. Nov. 17, 2017)
Innovak sought coverage under its CGL policy for a putative class action resulting from the release of employee’s private information via a data breach; because the class action did not allege a publication by Innovak, it was not a covered personal and advertising injury
++
Cyber
The advent of true “cyber” policies has led to case law necessarily analyzing the specifics of cyber, technology, or privacy coverages. The insuring agreements often include security or privacy liability coverage meant to respond to an allegation against a policyholder that failed to secure private or confidential information.
Cases & Synopses
P.F. Chang’s China Bistro, Inc. v. Fed. Ins. Co., 2016 WL 3055111 (D. Ariz. May 31, 2016)
Potential coverage for certain bank “assessments” stemming from payments by the insured arising out of a credit card breach. Court found that the fees assessed arose only as a result of the insured’s contractual arrangement with the issuing banks, which were subject to third-party contract exclusions in the policy
Doctors Direct Ins., Inc. v. Bochenek, 2015 IL App (1st) 142919, 38 N.E.3d 116
Transfer of medical information from a spa to a medical provider resulted in TCPA allegations. Court found not a “privacy wrongful act” because regulations were not connected with the “control of use of personally identifiable financial credit or medical information”
Victoria Flores v. ACE Am. Ins. Co., Case No. 1:17-cv-08674 (S.D.N.Y. 2017)
Explicit exclusion for TCPA claims resulting from unsolicited communications “to multiple actual or prospective customers.” Plaintiff argues for coverage because exclusion should only apply to communications en masse; insurer argues that nothing in the exclusion requires that all communications be identical or delivered at once.
Travelers Prop. Cas. Co. of Am. v. Fed. Recovery Servs. Inc., 156 F. Supp. 3d 1330 (D. Utah 2016)
Data and fee processing company withheld data from a fitness chain after an asset purchase agreement. The court found that “withholding data” was intentional conduct and the actions were not rooted in negligence as required by the policy
Ellicott City Cable, LLC v. Axis Ins. Co., 196 F. Supp. 3d 577 (D. Md. 2016)
Court found for the policyholder after finding that a “data” exclusion under a multimedia policy excluding “unauthorized access to . . . any computer or system . . . data” did not apply to “television programming” as data
Travelers Indem. Co. of Am. v. Portal Healthcare Sols., LLC, 644 F. App’x 245 (4th Cir. 2016)
Insurer had a duty to defend class actions alleging that confidential medical records were posted on the internet and therefore “published” under the policy’s personal injury, advertising injury and website liability coverage
Columbia Cas. Co. v. Cottage Health System, 2:15-cv-03432 (C.D. Cal. 2015)
Breach exposed confidential health records of patients whose information was stored on a system accessible via the internet and not protected by encryption; policy includes an exclusion for “Failure to Follow Minimum Required Practices.” Insurer argues that the breach was caused by a failure to continuously implement procedures or controls and a failure to replace default security settings. Currently stayed in federal court and litigating in state court action
Certain Underwriters at Lloyd’s, London v. Wunderland, 2015-CH-18139 (Cir. Ct. Cook County, Ill.)
In a dispute over noncompete terms, do allegations of misappropriation of trade secrets arise out of media or user-generated content under cyber policy?
AIG Specialty v. Laboratory Corporation of America Holdings, Case 0:17-cv-6159-BB 9 (So. Dist. Fla. 2017)
Whether alleged willful violations of FACTA include any claim for “damages” since class action plaintiffs only sought statutory amounts
Illinois National Insurance v. Experian Information Solutions, Case No. 17-cv-6668 (No. Dist. Ill. Sept. 15, 2017)
Insurer seeks declaratory relief that tech professional services policy terms do not respond to findings of fraudulent misrepresentation
++
Crime
Because of the rise in schemes meant to infiltrate a policyholder’s computer system and the inherent elements of fraud and theft underlying those schemes, policyholders have also sought coverage under crime policies.
Cases and Synopses
Medidata Solutions Inc. v. Federal Insurance Co., Case number 17-2492 (2nd Circuit)
Accounts payable employee received email purportedly from company president requesting $4.8 million to be transferred to bank account; insurer denied because the emails did not require access to/manipulation of Medidata’s computer system and because the transfer was “authorized” and thus made with “knowledge and consent”; court found coverage under Computer Fraud and Funds Transfer provisions. The court determined that the manipulation of code in email messages constituted “deceitful and dishonest access” and that the consent was only obtained by trick. On appeal to 2nd Circuit
Universal Am. Corp. v. Nat’l Union Fire Ins. Co., 25 N.Y.3d 675 (2015)
Health insurance company defrauded by authorized healthcare providers who entered claims for reimbursement of services never rendered; court found no coverage because the fraud was caused by the submission of fraudulent data entered by authorized users
Postmasters Servs., Inc. v. Travelers Cas. & Sur. Co. of Am., No. 13-cv-5039 (C.D. Cal. July 17, 2014), affirmed by 9th Circuit (2016)
Computer Crime insuring agreement did not provide coverage for an automated transfer of funds from the insured to a third party pursuant to authorization from the insured. Court interpreted the phrase “fraudulently cause a transfer” to require “an unauthorized transfer of funds.”
Am. Tooling Ctr., Inc. v. Travelers Cas. & Sur. Co. of Am., 2017 WL 3263356 (E.D. Mich. Aug. 1, 2017)
The Court held that a vendor impersonation fraud loss did not fall within the terms of a crime policy’s computer fraud coverage; there was no direct causal link between the receipt of fraudulent emails by an insured requesting payment to the fraudster’s bank account, and the insured’s authorized transfer of funds to that bank account. On appeal to 6th Circuit
Apache Corp. v. Great American Insurance Co., 662 F. App’x 252 (5th Cir. 2016)
Caller claiming to be a vendor contacts an accounts payable employee requesting change for future payments; caller sends an email with a letter on “official letterhead” pursuant to employee’s request; insured “verifies” and remits $2.4 million; Court found that loss did not result directly from the computer fraud because the email was part of the scheme but incidental to the occurrence of the authorized transfer of money
++
Directors & Officers and Others
Because of the amounts underlying certain losses as well as the unique sets of facts of the claim, policyholders will also seek coverage under a wide array of policies such as their D&O policy or any other potentially applicable means of coverage.
Cases & Synopses
Los Angeles Lakers, Inc. v. Fed. Ins. Co., 869 F.3d 795 (9th Cir. 2017)
Lakers sought coverage for a suit involving an automated text response campaign that alleged an invasion of privacy but was asserted as a TCPA claim. D&O policy excluded claims arising from an invasion of privacy. Court found that the text of the statute is intended to protect privacy rights and thus in pleading a TCPA claim, a plaintiff pleads an invasion of privacy claim.
Spec’s Family Partners, Ltd. v. The Hanover Ins. Co., 2017 WL 3278060 (S.D. Tex. Mar. 15, 2017)
Insured can’t force its insurer to pay for a suit seeking to recover about $4 million charged by its credit card processor following two data breaches; claims arising from the data breaches relied upon the merchant agreement between the parties, not upon the insurance policy, and so insurer had no duty to defend the data-breach claims
++
Mendes & Mount publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication without the prior written consent of the Firm. The distribution of these materials is not intended to create, and receipt of such does not constitute an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the firm.