NYLJ.COM |
Litigation | MONDAY, FEBRUARY 22, 2016 | S9
Click Listen
Earn
Stay compliant from the comfort of your own home or office at CLECenter.com. With new, accredited content updated daily, seamless online tracking and 24/7 access, CLECenter.com makes compliance easy.
Visit CLECenter.com
to click, listen, earn – anytime
or Call A CLE Counselor Today at (800) 348-0466
demand in almost every jurisdiction. Insur- ance companies will construe policy terms narrowly, in an attempt to repel new liabilities. While the general liability policy was sup- posed to be elastic to adapt to new exposures, the opposite has proven true. These trends have been true in every type of coverage litigation.
Data Breach Insurance Coverage
If “privacy” was the key term of conten- tion in the fight over insurance coverage for junk-fax liability, then “publication” served the same purpose in the struggle for insurance coverage for data breach under general liabil- ity policies. Only about six decisions address this issue. Whether other claims settled or whether new cyber exclusions choked off further claims remains unknown.
Zurich American Insurance v. Sony, No. 615982/2011 (N.Y. Sup. Ct. March 4, 2014) is a leading case in this area. The trial court held that a general liability policy did not cover data breach caused by hacking because the term “publish” required an affirmative act by the policyholder, and the data breach involved no such act. The case settled on appeal after oral argument.
Only one state supreme court case has addressed data breach under a general liabil- ity policy. That case—Recall Total Info. Mgmt. v. Federal Insurance, 115 A.3d 458 (Conn. 2015)—involved unusual facts, as will often be the case with cyber liability. Computer tapes containing personal information fell out of the back of a truck. When people went back to recover the tapes, they were gone. However, the tapes never surfaced, and no complaints arose that the loss compromised anyone’s personal information. The court held that no evidence of “publication” existed, and therefore, the policy provided no coverage. But see Travelers Indem. Co. of Am. v. Portal Healthcare Solutions, 35 F. Supp. 3d 765 (E.D. Va. 2014) (publication occurs when informa- tion is “placed before the public,” not when it is viewed).
The emerging TCPA and cyber exclusions follow a pattern wherein the insurance indus- try excludes a risk from general liability cover- age and formulates a specialty policy to cover that risk when the insurance industry thinks it has sufficient actuarial data. Certain of these policies, such as employment practices and pollution legal liability, have enjoyed a mea- sure of success. The issue now is whether the insurance industry can develop cyber insurance policies that meet the needs of their customers.
Computer Coverage by Endorsement
In recent months, at least four cyber insurance coverage cases have been filed or decided under the computer endorse- ments to financial institution bonds, crime policies, and executive risk policies. All of these cases involved “phishing,” a type of hacking wherein the phisher contacts a com- pany employee and convinces him or her, under false pretenses, to send money to a third party—which is, of course, the phisher. The insurance companies in these cases have all denied coverage for these phishing claims. The insurance companies distinguished
between an outside party hacking into the policyholder’s computer network, which they admit is covered, and a third party effecting a funds transfer by the company through phishing. Of course, the victim is defrauded regardless of the approach the hacker takes.
In Universal Am. v. National Union Fire Insurance Co. of Pittsburgh, Pa., 37 N.E.3d 78 (N.Y. 2015), the New York Court of Appeals interpreted a rider to a financial institution bond that stated:
COMPUTER SYSTEMS
It is agreed that:
1. The attached bond is amended by adding an Insuring Agreement as follows: COMPUTER SYSTEMS FRAUD
Loss resulting directly from a fraudulent (1) entry of Electronic Data or Computer Program into, or
(2) change of Electronic Data or Com- puter Program within the Insured’s pro- prietary Computer System
...
provided that the entry or change causes (a) Property to be transferred, paid or delivered,
(b) an account of the insured, or of its customer, to be added, deleted, debited or credited, or
(c) an unauthorized account or a ficti- tious account to be debited or credited
While the court’s factual exposition is sparse, this case appears to concern phish- ing—an authorized user’s entry of fraudu- lent data resulting in an $18,000,000 loss. The insurance company asserted that the rider applied only to a third party’s—as opposed to an authorized user’s—fraudulent entry of false data. The court held that the rider was not ambiguous, and ruled in the insurance company’s favor. But see Apache Corporation v. Great American Ins., No. 4:14-CV-237, 2015 U.S. Dist. LEXIS 161683, at *9 (S.D. Tex. Aug. 7, 2015) (finding coverage where phishing fraud constituted the “direct” cause of the loss).
Certainly, policyholders will challenge this decision, and argue that the rider is ambigu- ous in the context of fraudulent users versus fraudulent content. Several other cases with similar facts are pending. This issue could produce an outbreak of coverage litigation. It bears on the key aspect of coverage litiga- tion—an insurance company narrowly con- struing its policy to evade emerging liabilities.
‘Columbia Casualty’: Ripple or Tidal Wave
Columbia Casualty Company v. Cottage Health System, Case No. 2:15-cv-03432 (C.D. Cal. filed May 7, 2015) involves the first com- plaint filed under a cyber policy addressing a specifically cyber issue. Cottage was sued for a data breach resulting from its failure to encrypt data that was Internet-accessible.
Columbia Casualty’s policy had a “Mini- mum Required Practices” provision, which required Cottage to maintain the procedures and risk controls that Cottage had identi- fied in its application. The policy also had a provision stating that, inter alia, the rep- resentations in the application were mate- rial and that Columbia Casualty had relied on them. In its complaint, Columbia Casu- alty alleged that some of the » Page S10