Wildfires have wreaked havoc on, and caused incalculable losses to, individuals and businesses in California over the last three years. These disasters—caused by a confluence of events, including massive shifts to the climate—are not limited to the Golden State: fires have devastated many western communities, and fires and other unprecedented weather events, including hurricanes, flash flooding, cyclone rains, and extreme-cold freezes, have disrupted businesses across the world.

Most businesses know how to protect their physical offices and facilities with commercial property insurance, including business interruption coverage, in case they are directly affected by physical disasters. But, in today’s business environment, a company may be closely tied to and dependent on third-party suppliers. What happens if a major player in your supply chain is adversely affected by one of these (unfortunately) all-too common climate disasters? Unless you operate at ground zero in vulnerable environmental zones, you may not be aware of the fact that your vendors may be the ones most directly affected, and this might have a devastating ripple effect on your ability to operate a successful business. Continue Reading Are Climate Events Threatening Your Supply Chains?

Most firms that provide technology services or products have insurance to protect them against the risk that a dissatisfied customer will bring a claim or a lawsuit against them for damages arising out of the company’s products or services. It is very likely that such firms purchase general liability insurance, which is an important product that covers many different risks, including property damage, bodily injury, advertising injury, and other business-related claims. Most importantly, general liability insurance policies often require the insurer to defend the company in the event of litigation, making it a particularly valuable type of insurance. But will general liability insurance protect your tech company in the event of a claim by a client for purely financial damages? The short answer is, probably not. This is the reason for tech firms to consider a Technology Errors and Omissions (Tech E&O) policy as part of their overall coverage program. Using the examples below, this article discusses the coverage such policies can provide.

Example 1: Tech Product

Let’s say your company designs and provides building design software to architecture firms. Due to a problem with your software, several architectural designs for major projects have incorrect specifications, which impact many large projects. As a result, your company’s clients lose revenue because they have to revise the design plans for these projects, which takes additional weeks of architect time. If the architects then sue your company for damages, it will have to defend itself in the lawsuit and possibly pay a settlement or judgment to the architecture firms.  Continue Reading Technology E&O Insurance

As the risks associated with cyber liability continue to evolve, so do the insurance products that are theoretically meant to protect against those risks. As the insurance industry attempts to keep pace, the applications that insurers are using to capture the data they believe is necessary to underwriting these risks are also evolving and vary to a large degree. Regardless of whether an application is long or short or seeks information in generalities or in detail, all prospective policyholders must take care in completing these applications, enlisting the help of a data security professional (whether within the organization or a consultant) and possibly of a good broker that specializes in this area. Indeed, a failure to provide accurate information could cause an insurer to resist providing coverage for a claim, or attempt to rescind the policy, on the purported grounds that there was a material misrepresentation in the policy application.

This article first provides an overview of the key categories of information that most cyber-liability insurance applications seek, followed by some of the key principles of which a policyholder should be aware in the event an insurer attempts to deny a claim or rescind a policy based on alleged misrepresentations or omissions in the policy application.  Continue Reading Filling Out a Cyber Insurance Policy Application: Do Not Give Insurers a Material Misrepresentation Defense

Data breaches are up significantly in 2019, exposing billions of confidential records and costing companies millions of dollars on average per breach. Security experts counsel their clients that data breaches are inevitable as even the largest, most secure systems may be breached. In spite of this environment, many tech companies are woefully unprepared to respond to a cyber intrusion, data breach, or other cyber-related event. Are you ready?

As insurance coverage lawyers, we often work with clients to confront this organization-wide challenge after a breach has occurred. The better approach, however, is to prepare in advance by understanding your risks, building a team, securing and monitoring your data, having a well developed and rehearsed response plan, and tailoring your insurance program to a possible breach. Additionally, having counsel involved throughout the preparation and response process is critical to protect privilege, minimize legal liability, and maximize insurance coverage.  Continue Reading Preparing for Data Breaches: Data Mapping, Response Team and Insurance

This author has previously discussed the inevitability of security hacks and attempts to require companies holding third-party data to pay some type of damages to the alleged victims of a hack. Even though damage from such hacks is often hard to prove, those who claim to have been victimized and their lawyers, who often operate on contingencies, will continue to file lawsuits that often result in the imposition of at least defense costs and, at times, of some indemnity payments. Hacked companies also suffer actual damage from loss of customers when the hacks are reported as required by multiple laws. Companies should thus take reasonable precautions against data breaches. But if a company takes such reasonable precautions, it should be able to buy insurance for the inevitable hack that actually provides coverage for resulting defense expenses, indemnity payments, and loss of business income. Continue Reading Watch Out for the Statutory/Governmental Exclusion and Any Restriction on Paying Ransom Demands for Malware Attacks

Why is this technology so exciting?

The National Highway Traffic Safety Administration (NHTSA) has noted that 94% of auto accidents are attributed to some form of human error on the part of drivers. In 2014, there were an estimated 1.25 million deaths worldwide due to vehicle crashes. There is a potential for autonomous vehicle technology to dramatically re-shape these statistics. The Insurance Institute for Highway Safety anticipates that there will be 3.5 million self-driving vehicles on US roads by 2025 and 4.5 million by 2030. Continue Reading Self-Driving Cars Coming to a Store Near You!

Your company receives a demand letter and you realize that the claim stems from a vendor’s product or service. What do you do next? The first step for most companies will be to review the operative contract for any indemnification provisions. Next on the list will be to review any certificates of insurance issued by the vendor. All too often, however, companies at this phase learn that they were never actually added as additional insureds to their vendors’ policies or that their vendor’s coverage is inadequate. Continue Reading Issues With Vendor Certificates of Insurance

Companies enter an array of technology transactions with third-parties that allow vendors access to the Company’s source code, customer data, employee information, cybersecurity measures, and other critical data and infrastructure. These relationships inevitably increase the potential of a cyber attack impacting the Company through an attack against the vendor. Continue Reading How Does Your Company Transfer Risk in Its Technology Transactions?

A merger, acquisition, or other corporate transaction can raise a number of issues for the insurance coverage of the parties involved.  The transaction may affect the parties’ current coverage and their rights under their historic policies.  The parties will want to specify clearly the intended interplay of other aspects of the deal, such as indemnities, with available insurance.  And the parties may wish to consider purchasing various types of insurance for aspects of the deal itself. Continue Reading Insurance and Mergers & Acquisitions

As previously reported here (Nov. 8, 2017), companies falling victim to electronic impersonation (“spoofing”) schemes have frequently turned to “computer fraud” coverage found in typical crime policies. In this type of fraud, someone impersonates a vendor, contract partner, or company executive via email or other electronic means, and directs the transfer of funds to an account connected to the fraudster. Courts adjudicating insurance coverage actions arising out of these schemes have reached quite disparate results, with some decisions affirming coverage and some finding no coverage because the loss does not “result directly” from the “use of a computer” or because certain exclusions apply. Since our last update, several more decisions have been issued with potential implications for policyholders pursuing coverage or renewing crime policies. These recent decisions have generally affirmed that spoofing schemes fall within standard computer fraud coverage, though courts have also been willing to apply targeted exclusions for data entry or fraudulent transfers in policies that have them. Purchasers should therefore pay particular attention to any such exclusions in their policies.

A district court in New Jersey recently held that an insured stated a claim for relief under the policy’s “computer fraud” coverage after someone had impersonated a Thailand-based vendor through substitution of email domain names and had directed payment to an account operated by the imposter. Childrens Place, Inc. v. Great Am. Ins. Co., No. 18-11963 (ES) (JAD) (D.N.J. Apr. 25, 2019). The fraudsters also accessed and altered an electronic “vendor setup form” so that it provided false payment instructions. The insurer argued that the imposters did not have “direct access” to the computer system, as required under the insuring agreement, and that the fraud did not “directly cause” the transfer of money from the insured’s account to an account outside its control because of the independent acts undertaken by employees. But the court was persuaded that the complaint alleged sufficient facts to constitute both direct access by the impersonators and a direct causal link to the transfer.

The Second Circuit similarly affirmed coverage under a computer fraud provision, which applied to the “fraudulent . . . entry of Data into . . . or change to Data elements or program logic of . . . a Computer System.” Medidata Solutions Inc. v. Fed. Ins. Co., 729 Fed. Appx. 117 (2018). The insured argued that someone had fraudulently entered data into Medidata’s computer system by using code to cause an email address to appear as that of the company’s president, along with the company president’s photo.  The court held that the “unambiguous language of the policy covers the losses” because the imposters “crafted a computer-based attack” that created messages that appeared to be from high-ranking company officials. The attack met the policy criteria because the email’s appearance was “altered by the spoofing code to misleadingly indicate the sender.” The court also applied New York’s proximate cause standard and held that the insured had suffered a direct loss, noting that any independent acts taken by employees to effectuate the transfer were not “sufficient to sever the causal relationship between the spoofing attack and the losses incurred.”

Similarly, the Sixth Circuit found coverage for a manufacturer who fell victim to an imposter posing as a vendor. Am. Tooling Ctr., Inc. v. Travelers Cas. & Surety Co., 895 F.3d 455 (6th Cir. 2018). The fraudster directed payment to be made to a different bank account through a series of emails to the company’s vice president. The court agreed with the insured that the payments constituted “direct loss” because the policyholder “immediately lost its money” when it transferred the funds, and “there was no intervening event.” Moreover, the loss satisfied the “use of a computer” component of the “computer fraud” provision because the imposters “sent [the insured] fraudulent emails using a computer and these emails fraudulently caused [the insured] to transfer the money.”

While the reasoning in these three decisions should prove helpful for policyholders seeking coverage for spoofing schemes, two other recent decisions have denied coverage based on exclusions for fraudulent transfers or data entry. A Washington district court upheld an insurer’s denial of “computer fraud” coverage after an accounts payable clerk altered the instructions for payment to a general contractor in response to a fraudulent external email. Tidewater Holdings, Inc. v. Westchester Fire Ins. Co., No. C18-6006 BHS (W.D. Wash. May 31, 2019). Although the court concluded that the scheme fell within the coverage grant, the court also found that an exclusion for “loss resulting from any Fraudulent Transfer Request” applied to the claim. The policy defined “Fraudulent Transfer Request” as “the intentional misleading of an Employee, through a misrepresentation of a material fact which is relied upon by an Employee, sent via an email, text, instant message, social media related communication, or any other electronic . . . instruction.” The court rejected the insured’s argument that application of the exclusion was ambiguous as applied to different coverage sections. Furthermore, unlike the exclusions discussed in the blog update of January 8 of this year, the exclusion at issue here was not limited to “physical” loss.

Addressing another case filed in Washington district court, the Ninth Circuit upheld the denial of coverage for a fraudulent scheme that caused company employees to alter wiring instructions and to send four payments to a fraudster’s account. Aqua Star (USA) Corp. v. Travelers Cas. & Surety Co. of America, 719 Fed. Appx. 701 (9th Cir. 2018). Although the court assumed without deciding that the policy generally covered that type of “computer fraud,” the court focused on an exclusion for “loss or damages resulting directly or indirectly from the input of Electronic Data by a natural person having the authority to enter the Insured’s Computer System.” The court noted that the employees plainly had authority to access the system and had entered the data causing the loss.

Overall, these recent cases provide strong support for placement of spoofing and similar schemes within the general parameters of computer fraud coverage.  At the same time, coverage for this type of loss under any particular crime policy will depend upon the existence and precise wording of any exclusions for fraudulent transfers or data entry.  As ever, purchasers of crime policies should scrutinize the potential scope of any such exclusion.
