As previously reported here (Nov. 8, 2017), companies falling victim to electronic impersonation (“spoofing”) schemes have frequently turned to “computer fraud” coverage found in typical crime policies. In this type of fraud, someone impersonates a vendor, contract partner, or company executive via email or other electronic means, and directs the transfer of funds to an account connected to the fraudster. Courts adjudicating insurance coverage actions arising out of these schemes have reached quite disparate results, with some decisions affirming coverage and some finding no coverage because the loss does not “result directly” from the “use of a computer” or because certain exclusions apply. Since our last update, several more decisions have been issued with potential implications for policyholders pursuing coverage or renewing crime policies. These recent decisions have generally affirmed that spoofing schemes fall within standard computer fraud coverage, though courts have also been willing to apply targeted exclusions for data entry or fraudulent transfers in policies that have them. Purchasers should therefore pay particular attention to any such exclusions in their policies.

A district court in New Jersey recently held that an insured stated a claim for relief under the policy’s “computer fraud” coverage after someone had impersonated a Thailand-based vendor through substitution of email domain names and had directed payment to an account operated by the imposter. Childrens Place, Inc. v. Great Am. Ins. Co., No. 18-11963 (ES) (JAD) (D.N.J. Apr. 25, 2019). The fraudsters also accessed and altered an electronic “vendor setup form” so that it provided false payment instructions. The insurer argued that the imposters did not have “direct access” to the computer system, as required under the insuring agreement, and that the fraud did not “directly cause” the transfer of money from the insured’s account to an account outside its control because of the independent acts undertaken by employees. But the court was persuaded that the complaint alleged sufficient facts to constitute both direct access by the impersonators and a direct causal link to the transfer.

The Second Circuit similarly affirmed coverage under a computer fraud provision, which applied to the “fraudulent . . . entry of Data into . . . or change to Data elements or program logic of . . . a Computer System.” Medidata Solutions Inc. v. Fed. Ins. Co., 729 Fed. Appx. 117 (2018). The insured argued that someone had fraudulently entered data into Medidata’s computer system by using code to cause an email address to appear as that of the company’s president, along with the company president’s photo.  The court held that the “unambiguous language of the policy covers the losses” because the imposters “crafted a computer-based attack” that created messages that appeared to be from high-ranking company officials. The attack met the policy criteria because the email’s appearance was “altered by the spoofing code to misleadingly indicate the sender.” The court also applied New York’s proximate cause standard and held that the insured had suffered a direct loss, noting that any independent acts taken by employees to effectuate the transfer were not “sufficient to sever the causal relationship between the spoofing attack and the losses incurred.”

Similarly, the Sixth Circuit found coverage for a manufacturer who fell victim to an imposter posing as a vendor. Am. Tooling Ctr., Inc. v. Travelers Cas. & Surety Co., 895 F.3d 455 (6th Cir. 2018). The fraudster directed payment to be made to a different bank account through a series of emails to the company’s vice president. The court agreed with the insured that the payments constituted “direct loss” because the policyholder “immediately lost its money” when it transferred the funds, and “there was no intervening event.” Moreover, the loss satisfied the “use of a computer” component of the “computer fraud” provision because the imposters “sent [the insured] fraudulent emails using a computer and these emails fraudulently caused [the insured] to transfer the money.”

While the reasoning in these three decisions should prove helpful for policyholders seeking coverage for spoofing schemes, two other recent decisions have denied coverage based on exclusions for fraudulent transfers or data entry. A Washington district court upheld an insurer’s denial of “computer fraud” coverage after an accounts payable clerk altered the instructions for payment to a general contractor in response to a fraudulent external email. Tidewater Holdings, Inc. v. Westchester Fire Ins. Co., No. C18-6006 BHS (W.D. Wash. May 31, 2019). Although the court concluded that the scheme fell within the coverage grant, the court also found that an exclusion for “loss resulting from any Fraudulent Transfer Request” applied to the claim. The policy defined “Fraudulent Transfer Request” as “the intentional misleading of an Employee, through a misrepresentation of a material fact which is relied upon by an Employee, sent via an email, text, instant message, social media related communication, or any other electronic . . . instruction.” The court rejected the insured’s argument that application of the exclusion was ambiguous as applied to different coverage sections. Furthermore, unlike the exclusions discussed in the blog update of January 8 of this year, the exclusion at issue here was not limited to “physical” loss.

Addressing another case filed in Washington district court, the Ninth Circuit upheld the denial of coverage for a fraudulent scheme that caused company employees to alter wiring instructions and to send four payments to a fraudster’s account. Aqua Star (USA) Corp. v. Travelers Cas. & Surety Co. of America, 719 Fed. Appx. 701 (9th Cir. 2018). Although the court assumed without deciding that the policy generally covered that type of “computer fraud,” the court focused on an exclusion for “loss or damages resulting directly or indirectly from the input of Electronic Data by a natural person having the authority to enter the Insured’s Computer System.” The court noted that the employees plainly had authority to access the system and had entered the data causing the loss.

Overall, these recent cases provide strong support for placement of spoofing and similar schemes within the general parameters of computer fraud coverage.  At the same time, coverage for this type of loss under any particular crime policy will depend upon the existence and precise wording of any exclusions for fraudulent transfers or data entry.  As ever, purchasers of crime policies should scrutinize the potential scope of any such exclusion.


It is becoming increasingly important for tech companies considering a merger, acquisition, or other corporate transaction to understand the use of Representation & Warranty Insurance (“R&W Insurance”). R&W Insurance is a type of insurance policy purchased in connection with corporate transactions; it covers the indemnification for certain breaches of the representations and warranties in the transaction agreements. It is designed to provide additional flexibility in addressing these obligations by, for example, reducing or eliminating the need for an escrow by the Seller.

I have several times discussed the need for cyber insurance that will actually cover reasonable claims; a need that still seems to exist. The case of Hub Parking Technology USA v. Illinois National Insurance Company (https://www.law360.com/articles/1170778/parking-tech-co-says-aig-must-defend-it-in-privacy-row) that was brought in Pennsylvania District Court in June of this year illustrates this problem. Hub bought security and privacy insurance that was intended to cover security breaches and disclosure of personal data in violation of privacy rules. Hub was then sued in underlying litigation for printing parking receipts at the Cleveland Airport that showed eight digits of credit card numbers instead of the standard last four digits permitted under various state statutes and case law. When Hub submitted the claim to its cyber insurer, the cyber insurer rejected the claim based on its conclusion that there had been no loss of privacy or security information, as well as on several exclusions, such as those for contractually assumed liability and intentional acts. Although the insurer may have had a legitimate complaint that there really was no damage from this alleged violation (and the plaintiffs had not alleged that anyone suffered actual damage or identity theft arising from the parking receipts at issue; they rather relied on an FTC study showing that similar incidents have caused actual damage, so that the potential for damage existed), that should not have prevented the insurer from providing at least a defense.

A policyholder is usually thrilled when its insurer agrees to provide a defense of a claim. However, all too often, an insurer’s position on how that defense is to be provided surprises the policyholder. Sometimes, the policyholder learns for the first time that it does not have the right to select defense counsel. Other times, it learns that it is allowed to select defense counsel but must do so from a list of pre-approved panel counsel. In yet other circumstances, the policyholder is permitted to select its own defense counsel but may be limited to the rates approved by the insurance company (which are sometimes far below what the policyholder’s preferred counsel is charging).

CCPA Week Webinar (FREE), July 17, 2019 1:00 p.m. PT

Insurance policies are some of a company’s most valuable assets during times of increased risk and uncertainty. Yet, corporate policyholders often leave money on the table by failing to thoughtfully construct their insurance program to respond to the risks inherent in their business and neglecting to properly manage potential insurance claims. In recent years, data privacy and security have become a growing source of corporate risk for businesses and present new, evolving challenges for risk managers and insurers.

Directors & Officers liability insurance—commonly known simply as D&O insurance—is meant to protect corporate directors and officers from, among other things, claims alleging breaches of duty and management failings that adversely affect the value of the company’s stock. And any event in which directors or officers are deemed to have had an oversight function could ultimately result in a claim that floats up to the director- or officer-level if the company’s stock suffers.

In the wake of numerous high-profile electronic data breaches, companies are justifiably concerned about beefing up their cybersecurity programs and ensuring that they have adequate insurance coverage in the event of an electronic data breach. While the unauthorized disclosure of sensitive electronic data, whether through cyberattacks, insider malfeasance, inadvertence, or otherwise, is, of course, a substantial risk that must be addressed in any cyber insurance program, businesses should also understand and insure against their potential exposure in the event of an old-fashioned breach of sensitive information by way of paper or other non-computerized records.

These types of ink-and-paper data breaches happen more often than one might expect, given the media attention paid to electronic data heists. The healthcare industry, for example, is especially plagued by non-electronic data breaches, despite widespread adoption of electronic health records. According to a recent study by the American Journal of Managed Care, paper and films were the most frequent storage media at issue in data breaches that occurred in hospitals during the study period, whereas network servers were the least common. Statistics from the Office of Civil Rights Annual Report to Congress on Breaches of Unsecured Protected Health Information, published by HHS in 2012, revealed that paper records were involved in 23 percent of major breaches of protected health information (those affecting 500 or more individuals) and 61 percent of smaller breaches. See also Prevent Breaches: Don’t Forget Paper. This problem has not gone away in the intervening years: 11 major breaches of protected health information reported to date in 2019 involve paper or film records.

The consequences of a data breach can be far-reaching. While the initial issues in the wake of a breach often involve investigation into the cause of the breach and sending notification to those affected (both of which are covered by most cyber insurance policies), coverage for certain types of third-party claims stemming from cyber breaches may be available under Commercial General Liability (“CGL”) insurance policies.

CGL insurance policies provide coverage for claims of “Bodily Injury,” “Property Damage,” and “Personal and Advertising Injury.” Bodily Injury and Property Damage claims are covered under Coverage A of CGL policies, while Personal and Advertising Injury claims are covered under Coverage B. This blog post briefly summarizes the major issues policyholders encounter when seeking coverage for Personal and Advertising Injury (Coverage B) under CGL policies that arise out of a cyber incident.

Can an intentional attack carried out through social media trigger liability coverage? A recent Pennsylvania case found potential coverage under a homeowner’s policy for a case of cyber bullying that ended in the suicide of the victim. The court found that the intentional actions of the insured’s son constituted an accident, and therefore an occurrence, because the claim in part alleged negligence and because the actions of the victim were not necessarily expected from the standpoint of the insured. This specific situation is, of course, unlikely to arise in the context of a business concerned about social media risks, but the underlying reasoning may be useful in assessing potential coverage for other intentional acts carried out over social media or other communications technology.

In my previous blogs, I pointed out that security breaches are like death and taxes (i.e., unavoidable), and that insureds simply need a product that will pay for any losses from the inevitable security breaches. I also pointed out that insurance companies could help by certifying security products that were good enough to guarantee a payment under the companies’ policies if there were a breach. The recent Mondelez case points out why insureds often wonder whether carriers really intend to pay claims. There, the maker of Oreo cookies bought a policy which covered intrusions into the company’s computer code. After the advent of the NotPetya ransomware, the carrier refused claims valued in the millions based on the war exclusion.