The vulnerability of America’s physical infrastructure has long been at the top of mind for national security officials, but the growing threat of cyberattacks, both state-sponsored and criminal, has led state and federal officialdom to take note. Their concern has been magnified by the increasing number of significant cyber targets in the nation, including key infrastructure. This has prompted the National Highway Traffic Safety Administration and industry stakeholders to work together to combat potential cyberattacks on automated vehicles. In a rapidly evolving and expanding internet of things environment, federal regulators must be flexible to accommodate change, and must resist the urge to ensconce autonomous vehicle cybersecurity guidance in law.
An overview of their strategy, authored by Orrick’s Darren Teshima and Ian Adams, appeared in Bloomberg BNA.
Ransomware is one of the rising scourges of the business world, with approximately 50% of U.S. companies reporting being hit with a ransomware attack in the past year, according to a recent study. According to the FBI, a 2016 ransomware type that uses unbreakable key-based cryptography compromised an estimated 100,000 computers a day. New ransomware variants are appearing constantly, and companies need to prepare for the possibility of being victimized by this particular type of cyber-attack. The FBI, as well as other security professionals, has recommended a widely accepted, multifaceted preparation strategy—which includes having key insurance coverage in place—that reduces risks and decreases recovery time. An overview of this strategy, authored by Orrick’s Darren Teshima and Aravind Swaminathan, appeared in Law360.
Vendor impersonation is one of the typical varieties of “Business E-mail Compromise” (BEC) scams. In spoofing the e-mail of a trusted vendor, the fraudster persuades a company to redirect its vendor payments to a fraudulent bank account. While courts have found that commercial crime policies cover loss from BEC scams, a recent Fifth Circuit decision found no coverage for the victim of a vendor-impersonation BEC scam under the computer fraud provision of the company’s crime protection policy. Rejecting the company’s arguments that the coverage provision was ambiguous, the court held that the fraudulent e-mail was not the cause of the fraudulent transfer. Orrick attorneys Russell Cohen, Aravind Swaminathan, and Harry Moren comment on this troubling decision at our sister blog, Trust Anchor.
The Ninth Circuit recently held in St. Paul Mercury Insurance Co. v. Federal Deposit Insurance Corp. that a D&O policy’s insured-versus-insured exclusion does not prevent the Federal Deposit Insurance Corporation (“FDIC”), as receiver of an insured failed bank, from obtaining coverage under such policy. In so doing, the Court of Appeals follows the Eleventh Circuit and other courts that have addressed this issue and sided with the policyholder. This decision, while unpublished, is a timely one for policyholders, as regulators including the FDIC litigate these claims arising out of the financial crisis. Just this week, a Georgia jury returned a verdict in favor of the FDIC that awarded almost $5 million in damages for claims relating to a bank’s negligent management by its former officers and directors.
The FDIC brought claims against the former directors and officers of Pacific Coast National Bank for negligence, gross negligence, and breaches of fiduciary duty. The FDIC alleged that the former directors pursued an aggressive lending strategy, failed to ensure that loan practices complied with the bank’s policies, and inadequately supervised subordinate officers, which led the bank to suffer millions of dollars in losses. The insurer, The Travelers Companies, Inc., which comprises appellant Saint Paul Mercury Insurance Company, filed a declaratory judgment action to establish that the policy does not cover the FDIC’s claims. Considering the parties’ cross-motions for summary judgment on the action, the district court rejected Travelers’ contention that the exclusion barred coverage, holding that the exclusion did not expressly bar claims by the FDIC.
On appeal, the key issue was whether the language of the exclusion, which barred coverage for claims brought “by or on behalf of any Insured or Company,” was ambiguous. The FDIC argued that the phrase “on behalf of,” as applied to its action against the directors, was ambiguous, relying on the facts that it initiated the underlying case almost three years after the bank’s failure and that no person from the bank had any involvement in bringing its claims.
On October 12, 2016, the United States Court of Appeals for the Seventh Circuit, in an opinion authored by Judge Richard Posner, affirmed a district court decision finding that securities intermediary U.S. Bank, N.A. is entitled to $6 million in life insurance policy proceeds, plus statutory interest and bad faith damages, from insurer Sun Life Assurance Company of Canada. In its decision in the case, Sun Life Assurance Co. of Canada v. U.S. Bank National Association, as Securities Intermediary, the Seventh Circuit made clear that, pursuant to applicable Wisconsin statutory law, an insurance company cannot avoid its obligation to pay the death benefit on a life insurance policy, even if the policy was issued to a stranger lacking an insurable interest in the insured life. And if it fails to timely pay a claim on such a policy, a carrier may be held liable for statutory interest and additional damages for acting in bad faith. The ruling applies to policies governed by Wisconsin law that were issued prior to November 1, 2010, when the Wisconsin legislature amended the applicable law.
The insurance policy in this case was issued in 2007 by Sun Life on the life of wealthy octogenarian Charles Margolin. In 2011, U.S. Bank purchased the policy on behalf of an investor (i.e., as securities intermediary), and in 2014, Mr. Margolin died. Even though Sun Life had collected $2.5 million in premiums and knew about all of the transactions concerning the policy that occurred between 2007 and 2014, it refused to pay the policy proceeds without first investigating the policy’s validity. U.S. Bank, as the owner and beneficiary of the policy, invoked a Wisconsin statute requiring the insurer to pay claims within 30 days and brought a lawsuit against Sun Life to force a payment.
A federal district court in the Eastern District of New York recently held that a D&O policy’s definition of “Loss” that includes amounts an insured is “legally obligated to pay” extends to consent judgments that forbear collection by the underlying plaintiffs. In Intelligent Digital Systems, LLC, v. Beazley Insurance Co., Inc., the court joined a majority of courts in other jurisdictions that have addressed the issue and rejected the insurer’s argument that because individual directors and officers had entered consent judgments in which the plaintiffs agreed not to collect against them, they had not suffered any “Loss” as defined by the policy. This ruling arose out of a series of stipulated agreements made in an underlying lawsuit by plaintiff Intelligent Systems, LLC against some former directors of the surveillance technology company, Visual Management Systems, Inc. In exchange for the directors’ assigning their coverage rights under their policy to Intelligent Systems, LLC, the underlying plaintiff agreed to “unconditionally forebear” its collection of the judgments against the insured directors. The agreement, however, expressly provided that the insured directors did not waive the right to assert a claim against the D&O insurer.
To reach this ruling, the Court considered a legal question of first impression under New York law: Does a consent judgment, with conditions effectively exculpating an insured from satisfying a judgment for which he might otherwise be personally liable, constitute an amount that the insured had become “legally obligated” to pay?
“Business E-mail Compromise” (BEC) scams, which we have previously discussed, are becoming an increasing concern. The FBI’s most recent report in June 2016 identified a 1,300% increase in reported incidents, reaching 22,000 victims targeted for $3.1 billion. Policyholders victimized by BEC scams should cheer the most recent decision addressing coverage for such scams. In Principle Solutions Group v. Ironshore Indemnity, a federal district court in Georgia ruled on summary judgment that a commercial crime policy covered a BEC scam in which a fraudster deceived a Principle Solutions employee into wiring $1.72 million to an account in China. The court rejected the insurer’s argument that the wire transfer was not directly caused by the BEC scam.
Principle Solutions suffered a hallmark BEC scam. The fraudster sent a spoofed email, purportedly from Principle Solutions’ CEO, to the company’s controller. The spoofed email instructed the controller to work with a specified attorney to wire funds that day for a highly confidential company acquisition. The controller then received an email from the named “attorney” with the wiring instructions. The “attorney” called the controller, representing that the CEO had approved execution of the wire and emphasizing the urgency of the funds transfer.
The controller initiated the necessary steps to execute the transfer that day. She logged into the company’s online account at its financial institution to enable the transfer approval, instructed another employee to create the wire instructions, and approved the wire transfer. The financial institution’s fraud prevention unit flagged the transaction and requested verification of the wire. The controller called the “attorney” to verify how he had received the wire instructions. The “attorney” told her he had received the instructions verbally from the CEO. The controller relayed this information to the financial institution, which then allowed the transaction to proceed.
The company discovered the fraud the next day when the controller told the CEO she had completed the wire transfer. The company immediately reported the fraud but unfortunately could not recover the funds.
A version of this article originally appeared in Law360 on August 25, 2016.
Technology services and software companies frequently face insurance issues when negotiating their intellectual property license or other services agreements, particularly in this era of data breaches and cloud computing. Numerous questions present themselves. Which party bears the risk in the event of a data breach? Does the company providing the indemnities have insurance to stand behind them? Whether your company is providing a service, engaging a vendor or negotiating a license agreement, keeping these five insurance issues top of mind can help safeguard your continued success.
Insurance as an Indemnity Backstop
Indemnification provisions are standard in commercial agreements, and these provisions frequently include boilerplate language that may be overlooked by a party. While such a provision will serve as the primary risk transfer mechanism in the agreement, insurance can provide an important backstop. If your company is providing the indemnity, you will want to check your policies to see if they provide coverage for the potential liabilities at issue. Many policies, including commercial general liability (CGL) policies, exclude coverage for liabilities assumed under a contract. For example, the Insurance Services Office (ISO) standard CGL form includes an exclusion barring coverage for bodily injury or property damage the policyholder is obligated to pay “by reason of the assumption of liability in a contract or agreement.” The exceptions to this are if the policyholder has the liability absent the contract or if the contract was previously identified as a covered “insured contract.” Other policies, however, such as technology errors and omissions (tech E&O) policies, do not include this limitation. Some tech E&O policies state that a breach of contract exclusion does not apply (and thus the policy provides coverage for) liability “assumed in any hold harmless or indemnity agreement.” If your company is being indemnified by the counterparty, you will want to know whether that company has the financial resources, including insurance coverage, to stand behind the indemnity.
A New York trial court recently recognized that insurers may not deny coverage for a claim, and then, if the denial was improper, object to a policyholder’s settlement without their consent. The July 11, 2016 decision was issued by Justice Ramos in J.P. Morgan Securities, Inc., v. Vigilant Insurance Company Co., a case in which the policyholder sought coverage for investigation demands issued by the Securities and Exchange Commission (SEC) and New York Stock Exchange (NYSE) as well as related class actions alleging that Bear Stearns facilitated deceptive market timing and late trading activities. The insurer denied coverage, contending that the investigative demands were not “claims” as defined in the professional liability policy, and that even if they were claims, they sought the uninsurable relief of disgorgement. After receiving the insurer’s denial of coverage, Bear Stearns then settled the claims against it. The insurer objected, asserting that Bear Stearns failed to obtain its consent to the settlement, and similarly failed to cooperate with the insurer.
Seeking summary judgment, Bear Stearns asserted that it was permitted to settle the underlying claims without first obtaining the insurer’s consent because the insurer had already denied coverage. The court agreed, holding that although the policy’s consent to settlement provision is a condition precedent to coverage, if the insurer denies coverage, a policyholder is excused from complying with the consent provision. The insurer here repeatedly asserted in its coverage correspondence that the investigations did not appear to be “claims” and that any resulting relief would be uninsurable as a matter of law. The court held that the insurer’s communications “effectively disclaimed” coverage—notwithstanding boilerplate reservation of rights language—relieving the policyholder, Bear Stearns, of its obligation to obtain the insurer’s prior consent to a reasonable settlement. Justice Ramos recognized that “[a]n insurer declines coverage at its own risk.”
Many non-cyber policies include data breach exclusions, but few cases have addressed their scope. In a recent case, a federal district court rejected an insurer’s broad interpretation of the term “data” as it was used in data breach exclusions in a multimedia liability policy. In Ellicott City Cable, the insurer contended that satellite television programming was “data” within the meaning of the exclusions. The court found the term ambiguous, construed the ambiguity against the insurer, and ruled that the underlying lawsuit triggered the insurer’s duty to defend. While the case did not involve a data breach, the decision demonstrates that data breach exclusions should be narrowly construed and also offers helpful guidance about interpreting the term “data” if it is undefined in a policy.
The underlying case involved a distribution arrangement between Ellicott City Cable and DirecTV, whereby Ellicott City Cable distributed satellite television programming to its customers. Apparently Ellicott City Cable was overzealous in serving its customers and allegedly distributed DirecTV’s programming beyond the scope of the contracts. DirecTV sued Ellicott City Cable, alleging that Ellicott City Cable fraudulently obtained and distributed DirecTV’s programming.