S8 | MONDAY, FEBRUARY 22, 2016 | Litigation
| NYLJ.COM
Cyber Insurance
Cyber Insurance
Litigation: Litigation:
Is It a Ripple
Is It a Ripple
Or a Tidal Wave?
Or a Tidal Wave?
BY ROBERT D. CHESLER AND ANNA M. PIAZZA
On Sept. 9, 2015, Excellus BlueCross BlueShield announced a data breach that compromised about 10.5 million people’s personal information, including Social Security numbers and medical and financial information. Excellus discovered the data breach during an investigation of its computer system. The breach had occurred on Dec. 23, 2013. A class action has already been filed, and Excellus is cooperating with the FBI.
One of the most interesting circumstances arising from the Excellus data breach is the “ho-hum” attitude with which most readers will greet it. Data breach has become a fact of corporate life. Phishing, malware, cyber extortion, and hacking are now terms with which we are all familiar. Readers do not need another article to warn them of the dangers of data breach.
Federal courts recently have done little to protect corporate data breach victims. In Remijas v. Nieman Marcus Group, 794 F.3d 688 (7th Cir. 2015), for example, class action plaintiffs were not required to show that they incurred any direct damage as a result of identity theft. In Federal Trade Commission v. Wyndham Worldwide, 799 F.3d 236 (3d Cir. 2015), the court held that the FTC maintained enforcement power over data breaches and
ROBERT D. CHESLER and ANNA M. PIAZZA are share- holders in Anderson Kill’s insurance recovery group in the Newark and New York offices, respectively.
could find, as a basis of liability, that the company’s internal privacy network was inferior to what was portrayed in its public statements. Finally, in the Target Corpora- tion Customer Data Security Breach Litigation, Case No. 0:14-md-02522 (D. Minn.), the court certified a class action of banks and other credit card issuers for the damages that they incurred in replacing credit cards.
In times of financial danger, corpora- tions turn to their insurance companies for protection. All too often, however, those insurance companies fail their policyhold- ers. This pattern began with environmental insurance litigation. The passage of Super- fund confronted corporate America with hundreds of millions of dollars of exposure to environmental claims. When policyholders sought coverage under their general liability policies, their insurance companies rebuffed them. The environmental insurance wars that followed have lasted until the present, often with vicious litigation that has cost untold hundreds of millions of dollars and seems never-ending. Policyholders believe that insurance companies invented any reason, no matter how far-fetched or intel- lectually dishonest, to deny coverage. Of course, insurance companies believe that policyholders proffered equally unrealis- tic and unsupported reasons in favor of coverage.
How insurance companies will react to cyber claims presents a big question. These claims share key characteristics with envi- ronmental claims. In both situations, any company could find itself a victim. Both risks involve potentially huge amounts. The courts are setting forth rigorous standards of
liability. How will the insurance companies respond to a possible flood of claims?
Policyholders have made claims for data breach damages under three types of poli- cies: traditional general liability policies; cyber policies; and computer endorsements or riders to crime, banker’s bond, or execu- tive risk policies. Litigation quickly ensued under general liability policies, but that avenue of coverage has essentially closed with the advent of total cyber exclusions. Whether the insurance industry will honor their cyber policies or another insurance coverage litigation bloodbath will follow remains to be seen. Anecdotally, insurance companies have made payments under cyber policies. However, that trend could change. For the first time, an insurance company has sued its policyholder under a cyber policy.
Junk-Fax Insurance Coverage Litigation
“Junk-fax” insurance coverage litigation presents an important and instructive prelude to cyber insurance litigation. Pursuant to the Telephone Consumers Protection Act (TCPA), a company that sends an unrequested fax (or robocall) faces liability of $500 per offense. If the company sends 50,000 faxes, for example, it faces a $25,000,000 exposure. Some com- panies have sent hundreds of thousands of unrequested faxes.
The availability of such damages has led attorneys to seek out plaintiffs and to bring suits seeking statutory damages. The defendants have turned to their insurance companies, setting forth a torrent of litiga- tion. Maniloff & Stempel, General Liability Insurance Coverage (2d ed.) lists about 50
junk fax insurance coverage cases that have gone to judgment. Plaintiffs continue to file new junk fax cases, and now junk robocall cases. However, new exclusions in general liability policies may put a halt to insurance coverage for junk-fax litigation going forward.
The junk fax insurance litigation centered on two insurance policy terms—“privacy” and “publication.” The general liability pol- icy grants coverage for a “publication” that invades “privacy.” Insurance companies asserted that “privacy” had two meanings— secrecy and seclusion. They further argued that the insurance policy’s use of the term “privacy” applied only to the invasion of a person’s right to secrecy because the insur- ance policy couples “privacy” with “publica- tion.” Insurance companies then argued that junk-faxes involved only the injured party’s receipt of the fax, which implicated only seclusion—the right to be left alone. Valley Forge Ins. v. Swiderski Electronics, 860 N.E. 2d 307 (Ill. 2006).
Policyholders contended that courts should give “privacy” its ordinary meaning, as a typical policyholder would understand it. Such a person would not distinguish between secrecy and seclusion, but would construe “privacy” as a broad grant of coverage. The majority of courts have agreed. Penzer v. Transportation Ins., 29 So. 3d 1000 (Fla. 2010).
The junk fax coverage litigation demon- strates that the construction of a single word can unleash a wave of litigation. For example, in the environmental insurance coverage set- ting, almost every state litigated the meaning of the term “damages.” Further, policyhold- ers will construe terms broadly, as indeed the rules of insurance policy construction
iSTOCKPHOTO