
Posts by: Harry Moren

Ninth Circuit Reviews Order Finding No Coverage for Business E-Mail Compromise (BEC) Scam

Insurers’ recalcitrance to providing coverage for the “Business E-mail Compromise” (BEC) scam is a topic we’ve frequently discussed.  On Monday, the Ninth Circuit heard oral argument in a BEC coverage action, Taylor & Lieberman v. Federal Insurance Company, a California case we’ve previously described.

The fraudster in that case sent spoofed e-mails in 2012 to an accounting firm purporting to be from one of the firm’s clients. At the “client’s” request, the accounting firm executed two wire transfers from the client’s bank account, over which the firm had power of attorney, in amounts just under $100,000 each to banks in Malaysia and Singapore.  The firm finally detected the scheme when it called the client for confirmation after receiving a third e-mail requesting another transfer of $128,000 to Malaysia.  The accounting firm was able to recover most of the first wire transfer but nothing from the second, resulting in a $100,000 loss to the client’s account, which the firm restored.


Fifth Circuit Decision Raises Uncertainty About Computer Fraud Coverage for Vendor-Impersonation E-mail Scam

Vendor impersonation is one of the typical varieties of “Business E-mail Compromise” (BEC) scams. In spoofing the e-mail of a trusted vendor, the fraudster persuades a company to redirect its vendor payments to a fraudulent bank account. While courts have found that commercial crime policies cover loss from BEC scams, a recent Fifth Circuit decision found no coverage for the victim of a vendor-impersonation BEC scam under the computer fraud provision of the company’s crime protection policy. Rejecting the company’s arguments that the coverage provision was ambiguous, the court held that the fraudulent e-mail was not the cause of the fraudulent transfer. Orrick attorneys Russell Cohen, Aravind Swaminathan, and Harry Moren comment on this troubling decision at our sister blog, Trust Anchor.

Court Grants Summary Judgment in Favor of Policyholder Seeking Coverage for the Business E-Mail Compromise (BEC) Scam

“Business E-mail Compromise” (BEC) scams, which we have previously discussed, are becoming an increasing concern. The FBI’s most recent report in June 2016 identified a 1,300% increase in reported incidents, reaching 22,000 victims targeted for $3.1 billion. Policyholders victimized by BEC scams should cheer the most recent decision addressing coverage for such scams. In Principle Solutions Group v. Ironshore Indemnity, a federal district court in Georgia ruled on summary judgment that a commercial crime policy covered a BEC scam in which a fraudster deceived a Principle Solutions employee into wiring $1.72 million to an account in China. The court rejected the insurer’s argument that the wire transfer was not directly caused by the BEC scam.

Principle Solutions suffered a hallmark BEC scam. The fraudster sent a spoofed email, purportedly from Principle Solutions’ CEO, to the company’s controller. The spoofed email instructed the controller to work with a specified attorney to wire funds that day for a highly confidential company acquisition. The controller then received an email from the named “attorney” with the wiring instructions. The “attorney” called the controller, representing that the CEO had approved execution of the wire and emphasizing the urgency of the funds transfer.

The controller initiated the necessary steps to execute the transfer that day. She logged into the company’s online account at its financial institution to enable the transfer approval, instructed another employee to create the wire instructions, and approved the wire transfer. The financial institution’s fraud prevention unit flagged the transaction and requested verification of the wire. The controller called the “attorney” to verify how he had received the wire instructions. The “attorney” told her he had received the instructions verbally from the CEO. The controller relayed this information to the financial institution, which then allowed the transaction to proceed.

The company discovered the fraud the next day when the controller told the CEO she had completed the wire transfer. The company immediately reported the fraud but unfortunately could not recover the funds.


Court Rejects Insurer’s Expansive Reading of Data Breach Exclusion and Undefined Term “Data”

Many non-cyber policies include data breach exclusions, but few cases have addressed their scope.  In a recent case, a federal district court rejected an insurer’s broad interpretation of the term “data” as it was used in data breach exclusions in a multimedia liability policy. In Ellicott City Cable, the insurer contended that satellite television programming was “data” within the meaning of the exclusions.  The court found the term ambiguous, construed the ambiguity against the insurer, and ruled that the underlying lawsuit triggered the insurer’s duty to defend.  While the case did not involve a data breach, the decision demonstrates that data breach exclusions should be narrowly construed and also offers helpful guidance about interpreting the term “data” if it is undefined in a policy.

The underlying case involved a distribution arrangement between Ellicott City Cable and DirecTV, whereby Ellicott City Cable distributed satellite television programming to its customers. Apparently Ellicott City Cable was overzealous in serving its customers and allegedly distributed DirecTV’s programming beyond the scope of the contracts.  DirecTV sued Ellicott City Cable, alleging that Ellicott City Cable fraudulently obtained and distributed DirecTV’s programming.


Renowned Intellectual Property Jurist Restricts Applicability of IP Exclusion

A company facing IP-related claims might not look to its CGL policy (or other policies) for coverage. However, a recent decision from a leading voice on intellectual property suggests taking a closer look at the allegations and the policy. Last week, U.S. District Court Judge Ronald M. Whyte of the Northern District of California ruled that an intellectual property exclusion in a CGL policy does not apply to claims of breach of a patent license or patent misuse, or to allegations of harm resulting from false accusations of patent infringement. Judge Whyte’s order finding a duty to defend is an initial victory for Tessera, a developer of semiconductor technologies, in an ongoing battle with its insurer over coverage for a lawsuit brought against Tessera by Powertech Technology (PTI) in 2011.

In the underlying lawsuit, PTI alleged that Tessera had breached a patent licensing contract between the parties by initiating an investigation by the U.S. International Trade Commission (ITC). In that ITC investigation, Tessera allegedly falsely accused PTI’s products of infringing on Tessera’s patents and thereby disrupted PTI’s relationships with its customers. PTI also alleged a damages claim for patent misuse, but that claim was dismissed. Tessera and PTI settled the suit in 2014.

Tessera sought defense and indemnity against PTI’s claims under the personal injury coverage in its CGL policy. According to Tessera, PTI’s allegations supported covered claims for defamation, disparagement, malicious prosecution, and abuse of process under the policy. In response, the insurer sought a declaratory judgment that it had no duty to defend Tessera. Initially, the court agreed with the insurer. The Court found that PTI would be barred from bringing a defamation or disparagement claim under California’s statutory litigation privilege and that PTI could not bring a malicious prosecution or abuse of process claim because it was not a named party in the ITC proceeding. The court did not reach the applicability of the intellectual property exclusion.

On appeal, however, the Ninth Circuit reversed, finding that PTI had alleged facts that would have supported a potential claim for product disparagement. This was sufficient to trigger the insurer’s duty to defend under the policy’s personal injury coverage. (We recently covered a similar decision in Illinois in which a potential disparagement claim triggered the duty to defend.) The panel disagreed with the district court on the significance of California’s litigation privilege, explaining that even a “slam-dunk” privilege or defense does not affect an insurer’s duty to defend. The Ninth Circuit remanded for the district court to consider the applicability of the intellectual property exclusion in the first instance.


Eighth Circuit Affirms Coverage for Fraudulent Wire Transfer Despite Employee Negligence

The Eighth Circuit’s decision last Friday in State Bank of Bellingham v. BancInsure, holding that computer systems fraud insurance indeed insures against such fraud, even where employee negligence was a contributing factor, was a positive development for financial institutions as well as any crime insurance policyholder. The Eighth Circuit agreed with the district court that under Minnesota’s concurrent-causation doctrine, the insured could recover under a standard Computer Systems Fraud insuring agreement regardless of whether any excluded peril, i.e., employee negligence, contributed to the loss because the covered peril of computer systems fraud was the “efficient and proximate cause” of the loss.

The case involved a small Minnesota bank that was the victim of a computer fraud attack. It began with a bank employee, who initiated a legitimate wire transfer through a bank computer using a security USB token issued to her by the Federal Reserve, the password provided by the security token, and her personal passphrase. The employee inappropriately verified the wire transfer using another employee’s security token, password, and passphrase. She then improperly left both security tokens in the computer and the computer running when she left the bank for the day.

Unbeknownst to anyone at the bank, a hacker had previously infected the computer with a Trojan horse virus. The next morning, the hacker accessed the bank computer through the malware delivered via the virus. The hacker used the security tokens that had been left in the computer, along with the passwords and passphrases of the two bank employees, to complete two fraudulent wire transfers to bank accounts in Poland totaling $940,000. The bank employee discovered the fraudulent transfers within an hour. The bank was able to recover the funds from one of the wire transfers, but could not recover the funds from the other wire transfer.

The bank sought coverage for the loss of these bank funds under its financial institution bond, which provides coverage similar to a crime insurance policy. The policy had a Computer Systems Fraud insuring agreement, which covered loss resulting directly from a fraudulent entry or change of electronic data or computer program on the bank’s computer systems. The issuer of the policy apparently conceded that the Computer Systems Fraud insuring agreement would cover the loss but argued that several exclusions operated to preclude coverage: exclusions for loss caused by an employee, for loss resulting from theft of confidential information, and for loss resulting from mechanical failure or gradual deterioration of a computer system.


FIFA Official Beats the Offside Trap: Court Orders Insurers to Advance Defense Costs

Last week, in a coverage match hosted by the Eastern District of New York, the referee ordered insurers to advance defense costs to Eduardo Li, a former president of the Costa Rican soccer federation and a former official of the Federation Internationale de Football Association (FIFA), the governing body of international soccer. In 2015, the United States red-carded Li along with twenty-nine other figures in international soccer, charging them with participation in an international racketeering conspiracy. The prosecutors alleged more than twenty years of rampant corruption at the highest levels of FIFA, smearing the beautiful game with tales of bribery and money laundering as marketing and broadcast contracts were illicitly awarded for briefcases of cash passed under the table or financed through murky transactions.

Li tendered his request for advancement of defense costs under FIFA’s $50 million D&O policy while he was detained in Switzerland pending extradition to the United States. The insurers quickly denied coverage based on a so-called “RICO exclusion” in the policy—an argument they later dropped—and their position that Li’s indictment did not constitute an “investigative proceeding.” They also disputed whether Li was an insured under the policy.

In his coverage action against the insurers Li kept a clean sheet before Judge Raymond J. Dearie, the same judge presiding over the criminal racketeering case, who denied the insurers’ motion to dismiss and granted Li’s request for a preliminary injunction requiring the insurers to advance his criminal defense costs. In granting the preliminary injunction, Judge Dearie explained that a policyholder’s inability to timely receive defense costs under a professional liability policy constitutes irreparable harm. The Court also determined that Li made a sufficient showing that he would be entitled to advancement of costs under the policy’s broad, world-wide coverage for defense, investigation, and extradition costs. The Court inferred the duty to contemporaneously advance costs from a policy provision stating that “[s]hould the question of any wrongful intent be at issue, cover shall be granted for the defence costs” but an insured person “found guilty of wrongful intent . . . will be obliged to reimburse the Insurer for all payments made on his or her behalf.”


Fourth Circuit Finds Potential Coverage For Data Leak As Publication Under CGL Policy

This week, a Fourth Circuit panel in an unpublished decision validated arguments long made by policyholders: that commercial general liability policies may provide coverage for certain data breach liabilities. In this case, Travelers Indemnity Company v. Portal Healthcare Solutions, the appellate court affirmed the district court’s 2014 ruling that an insurer had the duty to defend a company that provides electronic medical record management services in a class action alleging that the company made patients’ confidential records publicly accessible by posting the records to an unsecured public website.

The policyholder, Portal Healthcare Solutions, under a contract with a New York hospital for the storage and maintenance of its patients’ confidential medical records, arranged to store the records electronically. The records were allegedly not stored in a secure manner. Two patients discovered that their hospital records were publicly viewable through the first link returned by a Google search on their names. In 2013, the patients brought a class action suit in New York against Portal for negligent storage of confidential medical records.

Portal had coverage under the personal or advertising injury provisions of its commercial general liability policy for damages arising from “the electronic publication of material” that “gives unreasonable publicity to a person’s private life” or that “discloses information about a person’s private life.” In a declaratory judgment action initiated by the insurer, the Eastern District of Virginia granted summary judgment to Portal, holding that the insurer had a duty to defend Portal against the class action.

The Fourth Circuit affirmed the district court’s judgment on its reasoning.  Portal’s alleged conduct of exposing medical records to online searching of a patient’s name fell within the plain meaning of “publication”: “to place before the public.” The court rejected the insurer’s arguments that (i) there was no publication, because Portal never intended to expose the records and (ii) there was no allegation that any unauthorized person actually accessed any of the records.

This week’s decision contrasts with an earlier decision of the Connecticut Supreme Court in Recall Total Information Management v. Federal Insurance Company, which we discussed last year. In that case, the Connecticut high court found no CGL coverage for claims arising from computer tapes containing employees’ personal information that fell off a van and were apparently taken by an unknown person. The district court in Portal Healthcare Solutions distinguished a single thief’s accessing the tapes in Recall from the posting of information on the internet before three billion people in Portal.

We have long asserted that there is coverage for certain data breach claims under the personal and advertising injury provisions of CGL policies. And while the Fourth Circuit’s decision validates that view, its impact may be limited. First, insurers will certainly argue that the facts of this unpublished decision—the posting of unsecured information on the internet—are different from situations in which hackers gain unauthorized entry to protected information. And, second, fewer and fewer policyholders are relying on CGL policies for coverage of data breach and cyber risks. For years now, insurers have marketed specialized cyber policies, in part by persuading policyholders that their CGL policies did not cover such risks, and by adding cyber exclusions to CGL policies. But even so, Portal may make a meaningful difference for insureds who do not have a cyber exclusion on their CGL policy if they don’t have any cyber insurance at all or if data breach litigation exhausts their cyber policy limits.

Second Circuit Holds Ambiguity of Phrase “Caused Only By” Permits Coverage Where Uncovered Perils Contribute to Property Damage

Imprecise usage of the word “only” in policy language may create ambiguities favorable to policyholders. The Second Circuit recently agreed with policyholders that their homeowners’ policy, which insured for property damage involving the collapse of a part of a building “caused only by one or more of the following” specifically named perils, provided coverage so long as a collapse was caused by one of the enumerated perils, regardless of whether a non-enumerated peril also contributed to the collapse. In an unpublished opinion, the Court rejected the insurer’s interpretation, which the district court had accepted, that coverage was limited to collapses exclusively caused by one of the enumerated perils.

The Court found not only that both interpretations of the plain language were reasonable, which should lead to a resolution of the ambiguity in the policyholder’s favor, but further determined that several considerations supported the homeowners’ interpretation. First, the Court explained that under settled New York case law on insurance contracts, the word “caused” implicates the concepts of proximate causation: if a covered peril is the predominant cause of the loss, the concurrent operation of a non-covered peril will not defeat coverage. (See our recent coverage of the Fifth Circuit’s application of the concurrent-cause doctrine under Texas law.) The policy did not indicate any intent to override this established rule by drafting reasonably clear language. Moreover, the Court pointed out that the insurer obviously knew how to draft language to that effect because another provision in the same policy included a so-called “anti-concurrent cause” clause, which excluded certain perils from coverage “regardless of any other cause or event contributing concurrently.” Additionally, the Court observed that it would be reasonable for a homeowner whose home collapsed predominantly due to a listed peril to expect coverage.

The Court also dismissed the insurer’s contention that the charge from the district court to the jury was proper because the jury instructions used the same “caused only by” language as the policy. Rather, the Court found that the actual use of that phrase in the jury instructions either improperly altered the phrase’s context from that in the policy or else preserved the ambiguity and impermissibly relegated the task of contract interpretation to the jury.

This decision reinforces the point that policyholders who pay close attention to the grammatical construction of policy provisions may find the key to obtaining the policy benefits for which they have paid. As the Second Circuit stressed, “most fundamentally, insurance policies are to be construed, and ambiguity assessed, in light of the reasonable expectations of the insured.”

Insurer’s Duty to Defend Is Triggered by Cause of Action Not Specifically Alleged in Complaint

A recent federal district court decision demonstrates how the expansive duty to defend can even include unstated causes of action arising out of minimally alleged facts. U.S. District Judge Jon S. Tigar of the Northern District of California ruled that Federal Insurance Company had a duty to defend MedeAnalytics, a healthcare data analytics provider, against a breach of contract complaint by former business partners under the personal injury coverage of MedeAnalytics’ commercial liability policies—even though the complaint did not assert a cause of action for personal injury. Instead, the complaint alleged that MedeAnalytics made disparaging comments about its former business partners to their employees to lure away the employees. Federal refused to defend MedeAnalytics, which subsequently settled the underlying lawsuit.

The Court granted MedeAnalytics’ motion for partial summary judgment and held that the underlying complaint, although short of detail, sufficed to give rise to potentially covered liability for a libel or slander claim because it alleged publication to third persons and alleged disparaging content. These allegations, the Court explained, are sufficient to trigger the duty to defend under California law, which does not require additional detail in the complaint. The court also rejected the insurer’s contention that the complaint needed to allege that the disparaging statements were false. Even though the underlying complaint did not state a cause of action for libel or slander, the duty to defend nevertheless arose where, under the facts alleged, the complaint could be amended to state a potentially covered claim.

The Court also rejected the insurer’s argument that a breach of contract exclusion eliminated the potential for coverage. Instead, the exclusion for “personal injury arising out of breach of contract” applied only to actual breaches of contract rather than alleged breaches of contract. Other provisions in the policy that included “actual or alleged” language demonstrated that the parties had known how to exclude alleged breaches of contract if that had been their intent. The exclusion did not eliminate the potential for coverage because Federal failed to advance conclusive evidence of an actual breach of contract.

This decision affirms the expansive scope of the duty to defend and illustrates that policyholders should not dismiss out of hand the possibility of coverage where a complaint does not expressly assert a covered cause of action.