Following on our report from last year, litigation over traditional property and casualty policies with respect to data breach claims continues to wane, especially as policies containing the Access or Disclosure of Confidential or Personal Information Exclusion become more prevalent. In its stead, this past year has seen a bevy of decisions analyzing coverage under computer crime policies. In particular, a recurring theme has been whether there is coverage for social engineering fraud. As explained below, case law is coalescing toward a uniform approach with regard to those claims.
Additionally, ransomware remains front and center of the cyber news cycle. Between the outbreak of the global WannaCry ransomware attack and a recently initiated lawsuit seeking coverage for a loss due to ransomware, it has never been clearer that having adequate cyberinsurance (including access to cryptocurrencies such as Bitcoin) is imperative for all businesses.
As coverage suits with respect to standalone cyberinsurance policies are still in their nascent stages, it is particularly interesting to see the emerging battlefronts. With respect to coverage under computer crime policies, one such battlefront has become the question of coverage for sending money in response to emails from tricksters. Several courts over the past year have considered this question.
Most notably, an unpublished decision handed down by the Ninth Circuit indicates there is no coverage under such circumstances. In Taylor & Lieberman v. Federal Insurance Co., No. 15-6102, 2017 WL 929211 (9th Cir. Mar. 9, 2017), the policyholder, a public accounting firm, received fraudulent emails requesting wire transfers. After discovering the emails were fraudulent, the firm was able to recover most of the payments, less roughly $100,000. The firm sought coverage under its computer crime policy for the outstanding amount, but the carrier denied the claim. Although the district court found in favor of the insurer, determining there was no “direct loss” due to a series of intervening events, the Ninth Circuit instead opined that three coverage sections of the policy were not even implicated. First, there was no forgery coverage, since the emails instructing the firm to wire money could not constitute forgeries of written instruments, e.g., checks or drafts. Second, there was no computer fraud, because the fraudster’s emails did not constitute an unauthorized entry into the recipient’s computer system; nor were the instructions contained in those emails akin to malicious computer code, the introduction of which would be covered. Third, there was no transfer fraud coverage because, although the firm was unaware of the fraudulent nature of the emails, the firm itself requested and knew about the wire transfers.
In a decision pre-dating Taylor & Lieberman, the Ninth Circuit in Pestmaster Services, Inc. v. Travelers Casualty & Surety Co. of America, 656 Fed. Appx. 332 (9th Cir. 2016), similarly found no coverage under a computer fraud provision for expressly authorized payments. Notably, the Ninth Circuit observed that holding otherwise would transform the computer crime policy into a general fraud policy. A subsequent decision by the Fifth Circuit, Apache Corp. v. Great American Insurance Co., 662 Fed. Appx. 252 (5th Cir. 2016), followed the reasoning in Pestmaster. In Apache, a scheme in which the fraudster mimicked the email of a vendor resulted in the insured transferring approximately $7 million to a fraudulent account. A Texas federal district court initially determined the insurer owed coverage. However, on appeal, the Fifth Circuit favorably cited Pestmaster and concluded the “computer use” requirement was not satisfied, since the emails sent were merely incidental to the occurrence of the authorized transfer of money.
Following the theme of computer fraud, a Georgia federal district court analyzed a similar issue of what constitutes the “use of any computer.” InComm Holdings, Inc. v. Great Am. Ins. Co., No. 15-cv-2671, 2017 WL 1021749 (N.D. Ga. Mar. 16, 2017). The issue arose when the policyholder, InComm Holdings, Inc. (“InComm”), a debit card processing business, had a vulnerability that caused credit to be loaded onto its customers’ debit cards in multiples of the credit amount actually purchased. Normally, the cardholders would purchase “chits” to add prepaid funds onto their cards, and the loading process occurred with the assistance of a phone system. At some point, a coding error in the phone system allowed cardholders to obtain more credit than they otherwise would have been entitled to receive. The total amount of unauthorized redemptions exceeded $10 million. InComm was insured for various risks, including computer fraud. InComm’s insurer denied the claim on the grounds that the loss did not result from the “use of any computer,” that the funds were not automatically transferred as a result of the cards being reloaded, and that the losses, which constituted separate occurrences, did not exceed the deductible. The district court first concluded the “use of any computer” requirement was not satisfied because the unauthorized redemptions by the perpetrators occurred via a telephone, not a computer. The court rejected the argument that a computer was used at some point in the process. Moreover, the court reasoned that even if a computer was used to cause the loss, the loss did not result directly from the alleged computer use. In particular, the loss did not occur until the funds held by Bancorp, which had issued the debit cards, were paid to sellers to settle the cardholders’ expenditures. The district court also found compelling that coverage in computer fraud cases normally arises where a computer is used to cause another computer to make an unauthorized, direct transfer of property or money. Here, InComm’s loss resulted directly from InComm’s decision to wire the funds to Bancorp, not from the cardholders’ redemptions.
In light of the insurer-friendly decisions above, it bears following litigation currently pending in a Michigan federal court concerning a similar loss. See Am. Tooling Ctr., Inc. v. Travelers Cas. & Sur. Co. of Am. (E.D. Mich. No. 16-cv-12108). Specifically, the insured, a die manufacturer, is seeking coverage under a computer crime policy in connection with a fraudulent email scheme that caused the insured to transfer over $800,000 of its own funds to cybercriminals. The insurer denied the policyholder’s claim on the basis that the loss was not directly caused by the use of a computer. The insured has since filed a motion for summary judgment and has advanced a broad interpretation of the terms “fraud” and “use of a computer.” If any indication can be drawn from recent precedent, the insured faces an uphill battle.
In addition to cyberinsurance-specific issues, a few decisions over the past year have explored basic concepts concerning first-party versus third-party coverage and policy language interpretation against the backdrop of a data breach. These are useful reminders that cyberinsurance litigation does not solely revolve around cyber-specific issues. Therefore, insurers and insureds alike should be prepared to advance and defend against general coverage arguments before substantive cyber issues may need to be addressed.
For instance, Camp’s Grocery, Inc. v. State Farm Fire & Casualty Co., 16-cv-204, 2016 WL 6217161 (N.D. Ala. Oct. 25, 2016), involved a third-party coverage question. The insured, Camp’s Grocery, Inc. (“Camp”), was sued by three credit unions alleging that Camp’s computer network was hacked, thereby compromising the security of confidential information. In turn, Camp filed a declaratory judgment action seeking a ruling that State Farm had the duty to defend and indemnify Camp in connection with the lawsuit brought by the credit unions. The subject policy contained a run-of-the-mill business liability coverage section as well as specific endorsements that covered losses to Camp’s computer equipment or electronic data contained on computer storage media. On cross-motions to dismiss, the Alabama federal district court determined the endorsements only provided first-party coverage, not third-party coverage. Moreover, the court rejected the argument that the credit unions had alleged “property damage,” thereby triggering third-party coverage. The court reasoned that the credit unions did not allege “property damage” because no physical injury to tangible property, i.e., credit cards, occurred. The court further reasoned that electronic data on credit cards could not constitute tangible property. Accordingly, State Farm did not have a duty to defend Camp.
Loss resulting from ransomware is an increasingly common phenomenon sure to drive an increase in litigation. According to some estimates, ransomware causes losses in excess of $1 billion per year, and some believe that figure will double in 2017. This month’s WannaCry ransomware attack, which cut across many industries and more than 150 countries, and caused hundreds of thousands of infections, demonstrated the potential for ransomware to cause mass global disruption. We also saw in early 2017 the largest reported payment for unlocking ransomware, $28,000 paid in Bitcoin by Los Angeles Valley College.
For the uninitiated, a ransomware attack occurs when a fraudster infects the victim-business’s computer system with a virus or malware that encrypts the data on the system. The fraudster then informs the victim that the encryption will remain until the victim pays a ransom.
Ransomware gave rise to Moses Afonso Ryan Ltd v. Sentinel Insurance Co. (D.R.I. 1:17-cv-00157). In this case, a law firm is seeking insurance coverage for losses sustained due to an attack. The perpetrators of the attack took over and encrypted all of the documents contained on the law firm’s computer network and extorted over $25,000 from the law firm. The firm contends it suffered a $700,000 productivity loss during the three-month ordeal. The coverage dispute stems from the policyholder’s insistence that the limit of liability for Business Income coverage applies (i.e., actual losses sustained over a 12-month period), whereas the insurer contends the applicable limits of liability are those for Computers And Media and Computers Fraud, which are subject to a $20,000 aggregate ($10,000 per coverage). This case bears monitoring given the high-volume nature of ransomware attacks.
Notably, this case reminds us of the importance of understanding the interplay between a policy’s various limits, sublimits, and retentions. Cyberinsurance, which typically comprises myriad first- and third-party coverages, can be subject to different sublimits and retentions for the various coverages. Before selling or purchasing cyberinsurance, it is critical that both parties fully understand how a single loss would implicate multiple coverages. How a claim implicates cyberextortion coverage and other policy coverages is significant because, for example, a ransomware claim can lead to claims under civil liability and regulatory coverages.
More generally, ransomware attacks serve as a valuable reminder of an essential principle with respect to cyberinsurance coverage. That is, the ransomware attack may merely be a prelude to a broader and more devastating attack down the line. Hence, notice to the cyberinsurer is a must, or else the policyholder risks losing coverage due to prior knowledge of a relatively minor data security breach that ripens into a catastrophic event.
Two cases we touched upon last year, Hotel Monteleone LLC v. Certain Underwriters at Lloyd’s of London (E.D. La. No. 2:16-cv-00061) (involving a failure-to-procure claim against the insurance broker), and Spec’s Family Partners, Ltd. v. The Hanover Insurance Company, No. 16-cv-438 (S.D. Tex. Mar. 15, 2017) (involving the insurer’s duty to fund the offensive prosecution of a breach of contract claim), reached their end, albeit without substantive rulings on cyberinsurance coverage questions.
Additionally, 2017 witnessed yet another increase in the cost of responding to a data breach. The Ponemon Institute found the overall cost of a data breach to be approximately $7 million and the cost of each lost record to be $221. At the same time, the cyberinsurance market continues to boom. Fitch Ratings estimates that insurers collected more than $3 billion in cyberinsurance premiums in 2016 and expects this figure to increase to $20 billion by 2020. The cyberinsurance market, currently with more than 60 carriers participating, is so robust that certain cyberinsurers are beginning to make industry-specific policy offerings. These segmented policies, tailored to a particular industry’s needs, provide strong support for the forecast of significant growth in the cyberinsurance market.
A related driver of growth in the cyberinsurance market is the tendency of large, sophisticated companies, especially in the aftermath of the Target breach, to require their vendors to purchase a substantial amount of cyberinsurance and to name the larger company as an additional insured. Those purchasing, brokering, and selling such policies should be mindful of the need for them to cover loss of data the policyholder is storing for others and loss caused by a breach of a third party’s data as a result of the policyholder’s misconduct. Those policies should also be customized to cover: (1) a breach caused by misconduct with respect to an employee’s personal or work-issued device, and (2) misconduct not only by the policyholder itself, but also by its temporary employees, volunteers, interns, and independent contractors.
Nevertheless, not all news is rosy for cyberinsurers and cyberinsurance policyholders, as 2017 has brought more evidence of a disturbing trend of aftershock password breaches. Those breaches involve information obtained by hackers in earlier attacks that was sold and resold on the dark web and then used months or years later. This is most evident from the Yahoo! breach, which the company only discovered once it found that users’ account information was available for sale on the dark web. This practice presents a very significant problem for policyholders, as these “aftershocks” may implicate the retroactivity provisions in their cyberinsurance policies, especially if they did not report the initial breach to their carrier. Likewise, these “aftershocks” present difficulty for carriers, who now face potentially prolonged exposure from what may at first blush seem to be a relatively minor claim. Moreover, we expect this practice to lead to future cyberinsurance coverage disputes.
Last, the law firm Johnson & Bell faced a suit in late 2016 from a putative class of plaintiffs comprised of current and former clients for allegedly failing to keep its clients’ private information confidential, thereby risking a breach. It does not appear, however, that any information was actually breached. The matter is in arbitration. For those carriers who sell cyber add-ons to professional malpractice policies and professional services firms, this is a shot across the bow.
After reviewing the cases over the past year, we see litigation over data breach claims involving traditional liability products continuing to decline while similar claims involving standalone cyberinsurance products are on the rise. We expect this trend to continue unabated.
Nevertheless, the exception is commercial crime or computer crime coverage for phishing losses. Although some carriers are offering coverage for social engineering fraud under cyberinsurance policies, that is still not the norm. And, with commercial crime, computer crime, and cyberinsurance carriers refusing to cover phishing or whaling losses, it would behoove each to offer for sale a specific product that covers these losses, especially as such schemes continue to prove fruitful. We will continue to monitor this trend.
If you have any questions on how this could impact your business, please contact: