Technology

In Internet of Things Era Cybersecurity for Autonomous Vehicles Will Require Restraint

The vulnerability of America’s physical infrastructure has long been at the top of mind for national security officials, but the growing threat of cyberattacks, both state-sponsored and criminal, has led state and federal officialdom to take note. Their concern has been magnified by the increasing number of significant cyber targets in the nation, including key infrastructure. This has prompted the National Highway Traffic Safety Administration and industry stakeholders to work together to combat potential cyberattacks on automated vehicles. In a rapidly evolving and expanding internet of things environment, federal regulators must be flexible to accommodate change, and must resist the urge to ensconce autonomous vehicle cybersecurity guidance in law.

Please click here to read an overview of their strategy, which appeared in Bloomberg BNA, authored by Orrick’s Darren Teshima and Ian Adams.

5 Insurance Issues To Consider In Tech Transactions

A version of this article originally appeared in Law360 on August 25, 2016.

Technology services and software companies frequently face insurance issues when negotiating their intellectual property license or other services agreements, particularly in this era of data breaches and cloud computing. Numerous questions present themselves. Which party bears the risk in the event of a data breach? Does the company providing the indemnities have insurance to stand behind them? Whether your company is providing a service, engaging a vendor or negotiating a license agreement, keeping these five insurance issues top of mind can help safeguard your continued success.

Insurance as an Indemnity Backstop

Indemnification provisions are standard in commercial agreements, and these provisions frequently include boilerplate language that may be overlooked by a party. While such a provision will serve as the primary risk transfer mechanism in the agreement, insurance can provide an important backstop. If your company is providing the indemnity, you will want to check your policies to see if they provide coverage for the potential liabilities at issue. Many policies, including commercial general liability (CGL) policies, exclude coverage for liabilities assumed under a contract. For example, the Insurance Services Office (ISO) standard CGL form includes an exclusion barring coverage for bodily injury or property damage the policyholder is obligated to pay “by reason of the assumption of liability in a contract or agreement.” The exceptions to this are if the policyholder has the liability absent the contract or if the contract was previously identified as a covered “insured contract.” Other policies, however, such as technology errors and omissions (tech E&O) policies, do not include this limitation. Some tech E&O policies state that a breach of contract exclusion does not apply (and thus the policy provides coverage for) liability “assumed in any hold harmless or indemnity agreement.” If your company is being indemnified by the counterparty, you will want to know whether that company has the financial resources, including insurance coverage, to stand behind the indemnity.

Court Rejects Insurer’s Expansive Reading of Data Breach Exclusion and Undefined Term “Data”

Many non-cyber policies include data breach exclusions, but few cases have addressed their scope.  In a recent case, a federal district court rejected an insurer’s broad interpretation of the term “data” as it was used in data breach exclusions in a multimedia liability policy. In Ellicott City Cable, the insurer contended that satellite television programming was “data” within the meaning of the exclusions.  The court found the term ambiguous, construed the ambiguity against the insurer, and ruled that the underlying lawsuit triggered the insurer’s duty to defend.  While the case did not involve a data breach, the decision demonstrates that data breach exclusions should be narrowly construed and also offers helpful guidance about interpreting the term “data” if it is undefined in a policy.

The underlying case involved a distribution arrangement between Ellicott City Cable and DirecTV, whereby Ellicott City Cable distributed satellite television programming to its customers. Apparently Ellicott City Cable was overzealous in serving its customers and allegedly distributed DirecTV’s programming beyond the scope of the contracts.  DirecTV sued Ellicott City Cable, alleging that Ellicott City Cable fraudulently obtained and distributed DirecTV’s programming.

Renowned Intellectual Property Jurist Restricts Applicability of IP Exclusion

A company facing IP-related claims might not look to its CGL policy (or other policies) for coverage. However, a recent decision from a leading voice on intellectual property suggests taking a closer look at the allegations and the policy. Last week, U.S. District Court Judge Ronald M. Whyte of the Northern District of California ruled that an intellectual property exclusion in a CGL policy does not apply to claims of breach of a patent license or patent misuse, or to allegations of harm resulting from false accusations of patent infringement. Judge Whyte’s order finding a duty to defend is an initial victory for Tessera, a developer of semiconductor technologies, in an ongoing battle with its insurer over coverage for a lawsuit brought against Tessera by Powertech Technology (PTI) in 2011.

In the underlying lawsuit, PTI alleged that Tessera had breached a patent licensing contract between the parties by initiating an investigation by the U.S. International Trade Commission (ITC). In that ITC investigation, Tessera allegedly falsely accused PTI’s products of infringing on Tessera’s patents and thereby disrupted PTI’s relationships with its customers. PTI also alleged a damages claim for patent misuse, but that claim was dismissed. Tessera and PTI settled the suit in 2014.

Tessera sought defense and indemnity against PTI’s claims under the personal injury coverage in its CGL policy. According to Tessera, PTI’s allegations supported covered claims for defamation, disparagement, malicious prosecution, and abuse of process under the policy. In response, the insurer sought a declaratory judgment that it had no duty to defend Tessera. Initially, the court agreed with the insurer. The Court found that PTI would be barred from bringing a defamation or disparagement claim under California’s statutory litigation privilege and that PTI could not bring a malicious prosecution or abuse of process claim because it was not a named party in the ITC proceeding. The court did not reach the applicability of the intellectual property exclusion.

On appeal, however, the Ninth Circuit reversed, finding that PTI had alleged facts that would have supported a potential claim for product disparagement. This was sufficient to trigger the insurer’s duty to defend under the policy’s personal injury coverage. (We recently covered a similar decision in Illinois in which a potential disparagement claim triggered the duty to defend.) The panel disagreed with the district court on the significance of California’s litigation privilege, explaining that even a “slam-dunk” privilege or defense does not affect an insurer’s duty to defend. The Ninth Circuit remanded for the district court to consider the applicability of the intellectual property exclusion in the first instance.

Early Data Breach Insurance Case Discusses Cyber Policy Coverage for Traditional Risks

Last May, we told you that the “waiting has ended” for courts to start weighing in on cyber insurance policies, as the District of Utah issued one of the first federal court decisions construing such a policy in Travelers Property Casualty, et al. v. Federal Recovery Services, Inc., et al., No. 2:14-CV-170. Although the claims at issue were not the sort of data breach and cybersecurity liability claims for which policyholders eagerly anticipate guidance, it was, as we noted, an important step in understanding how a court may approach these policies. In the first weeks of 2016, the Travelers court revisited the May 2015 decision, and affirmed its prior findings in favor of the insurer.

In the May decision, the court had found that under the cyber policy at issue, the insurer had no duty to defend its insured, a payment and account processing company, against tort claims alleging that the insured improperly—and intentionally—withheld customer payment and account data that the plaintiff, a gym network, had entrusted to it.

The policy at issue was a Travelers CyberFirst Technology Errors and Omissions Liability Form Policy. Under the policy, the duty to defend attaches when the plaintiff’s suit alleges an action by the insured that, if true, would constitute a covered claim under the policy. The insured sought coverage through an E&O module that provided coverage for “any error, omission, or negligent act.” The plaintiff alleged, however, that the insured acted with “knowledge, willfulness, and malice.” The court held that because the complaint alleged intentional, instead of negligent, misconduct, the insurer did not have a duty to defend.

Does the Schrems Decision Open the Door to New Cyber Insurance Exclusions?

The shockwaves continue from the October 6, 2015 ruling of the Court of Justice of the European Union (CJEU), the European Union’s highest court, invalidating the U.S.-EU “Safe Harbor” data transfer regime in a controversy arising out of Maximillian Schrems’ complaint to the Irish Data Protection Commissioner. The Schrems decision obviously has huge privacy implications for companies that transferred data under the Safe Harbor regime, but it may also impact such companies’ cyber insurance.

The Safe Harbor program has been in place since 2000 and was meant to bridge the gap between the regulatory requirements for handling of personal data in the EU and U.S. The Safe Harbor created a self-certification mechanism by which companies in the U.S. could opt into a set of rules governing the handling of EU personal information in order to meet EU privacy law requirements. If a company opted in, it was then able to receive data transfers from the EU to the U.S. without further approval.

The Schrems ruling, explained in detail here by our privacy team, found that the Safe Harbor protections afforded were in fact not adequate. The CJEU noted that the protections required to meet Safe Harbor obligations could actually be disregarded for a number of reasons, including at the request of certain government entities or where preempted by U.S. law. The CJEU held that a company’s decision to opt into the Safe Harbor therefore does not necessarily protect the personal data of EU citizens and it would no longer consider such Safe Harbor participation by a U.S. company sufficient to meet the requirements of EU privacy laws.

Although the sharing of information between the EU and U.S. will not be immediately halted – the ruling allows an EU nation’s supervisory authorities to evaluate the treatment of data in a particular case – if no resolution is reached by January, there is a possibility (discussed here) that at least some EU nations will follow the CJEU’s lead and commence regulatory investigations and proceedings to evaluate specific data transfers to U.S. companies. For companies that once relied on the Safe Harbor program, there may be implications for their purchase or renewal of cyber insurance.

When a Cyber Attack Has Physical Impact

October ordinarily brings the return of crisp air, fall foliage, and Halloween.  This year, for the first time, it also brings National Cyber Security Awareness Month.  Yet designating a month to increase cybersecurity awareness seems redundant.  We are reminded almost daily of the importance of cybersecurity, as media reports of cyber breaches have become commonplace.  Of course, the most widely reported cyber incidents have been data privacy breaches that have affected tens of millions of consumers nationwide.  These are the sorts of incidents that have spawned a growing market for so-called “cyber policies” (although as we wrote recently, the CEO of one of the largest insurers has acknowledged that cyber insurance capacity remains relatively small).

Five Things to Look For in Your Cyber Coverage

The data breach earlier this month that potentially exposed information about millions of federal government employees is yet another reminder that any organization that maintains data is at risk of being hacked. And rest assured that if you get hacked, you will incur substantial costs as a result, including substantial notice and related costs and potentially massive third-party liability claims.

We have written extensively about so-called “cyber” insurance, including how cyber insurance is neither comprehensive nor standardized. As a result, when you are shopping for your first (or next) cyber policy it is important to understand what types of coverages, exclusions and conditions are in the market. Making a well-informed purchase starts with knowing your options.

There are too many differences between cyber policies to cover in one blog post, and the market, still in its youth, is rapidly evolving. But here is a list of five important things—in no particular order—to consider when you’re in the market for cyber insurance:

Policyholders Beware – Cyber Coverage May Provide a False Sense of Security

There has been no recent shortage of high-profile cyberattacks and data breaches leaving businesses with millions of dollars in losses. Verizon’s 2015 Data Breach Investigations Report counted 79,790 security incidents (including 2,122 confirmed data breaches) in the last year alone. If you’re a business that stores information electronically—that is, if you’re any business at all—you’re probably sufficiently worried about cyber threats just by reading the news. But if you haven’t fully appreciated the seriousness of the problem yet, the insurance industry is happy to help. As one insurer warns in its marketing materials, “many companies don’t realize that whether they experience a data security breach isn’t as much a matter of if it will happen as when.” Sufficiently terrified of cyber threats? Don’t worry—these same insurers will let you know they offer coverage that will help mitigate your risk. As one insurer puts it, “when a security breach happens, you’ll need comprehensive protection from an insurer that specializes in handling cyber risks, offers a full suite of integrated insurance solutions to help minimize gaps in coverage, and understands how to tailor coverage to your business.”

Coverage Takes Flight: Insurers Launch Programs to Use Drones in Claims Handling and Underwriting

Insurers have taken to the skies!  Unmanned aircraft systems, or drones, are, in the estimation of the Federal Aviation Administration, “the most dynamic growth sector within the aviation industry”—and insurers are in on the action, with some of them recently having taken steps to use drones in their business operations.

In the past month, at least four insurers—AIG, USAA, Erie Insurance Group, and ADM Crop Risk Services—have obtained approval from the FAA to operate drones to assist in their claims, risk assessment and underwriting practices, and for research and development into future deployment of the remotely controlled craft. State Farm also won such approval earlier this year.

The authorizations last for up to two years, and each comes with many conditions and limitations on the use of drones. For example, the drones may be operated only over privately controlled property with the permission of the owner. They must generally stay at least 500 feet from all “nonparticipating” persons, vessels, vehicles and structures. They can only be operated up to 400 feet above ground level, and cannot move at a speed above 50 or 100 miles per hour, depending on the drone. A drone also must remain within the visual line of sight of its operators at all times, and night flights are not permitted. The conditions appear to closely track the FAA’s proposed drone regulations (which are discussed in greater detail in our colleagues’ recent analysis).
