Insurance coverage for “Business Email Compromise” (BEC) scams is a hot issue being litigated by companies and their insurance providers in jurisdictions across the country. The Ninth Circuit is poised to issue what may be an influential decision after hearing oral argument this week in a coverage action initiated by an accounting firm that lost its client’s money to a BEC scam. Learn more from Orrick attorneys Darren Teshima and Harry Moren at our sister blog, Policyholder Insider.
Posts by: Darren S. Teshima
“Business Email Compromise” (BEC) scams are becoming an increasingly prevalent concern for businesses—the FBI reports that incidents have increased 1,300% since January 2015. A federal district court in Georgia recently ruled that a BEC scam in which a fraudster deceived an employee into wiring $1.72 million to an account in China was covered a under a commercial crime policy. The court rejected the insurer’s argument that the wire transfer was not directly caused by the BEC scam, and determined that the policy language was ambiguous about whether intervening events affected coverage, thus resolving the ambiguity in favor of the policyholder. At our sister blog Policyholder Insider, Darren Teshima and Harry Moren discuss why this ruling is good news for policyholders who have fallen victim to a BEC scam.
Non-cyber insurance policies often contain exclusions to limit or preclude coverage for data breaches. A Maryland federal district court recently addressed the scope of such exclusions. The court analyzed the meaning of “data” in data breach policy exclusions in a multimedia liability policy and concluded that the undefined term “data” did not include satellite television programming. Having found that the exclusions did not apply, the court held that the underlying lawsuit involving allegations of unauthorized access to satellite television programming triggered the insurer’s duty to defend the policyholder. At Orrick’s Policyholder Insider blog, Darren Teshima and Harry Moren discuss this decision’s rejection of an insurer’s attempt to avoid coverage by broadening the scope of these data breach exclusions.
In one of the first court decisions to analyze in depth the coverage provided by a cyber policy, a federal judge has found that PF Chang’s policy came up short. Following a 2014 data breach in which hackers accessed and posted online 60,000 credit card numbers belonging to PF Chang’s customers, the company sought coverage under its “CyberSecurity by Chubb” insurance policy. Although PF Chang’s insurer, Federal Insurance Company (“Federal”), agreed to reimburse nearly $1.7 million for customer claims and other breach-related expenses, it refused to reimburse an additional $2 million in fees and assessments levied against P.F. Chang’s by the credit card brands. Last week a federal district judge in Arizona, applying Arizona law, denied PF Chang’s claim for reimbursement and granted summary judgment for Federal. While it held that these fees and assessments fell within the scope of coverage, the court held that the “contractual liability” exclusion barred coverage.
A recent Eighth Circuit ruling on cybercrime coverage held that the issuer of a financial institution bond must cover a bank’s losses after a hacker’s malware attack resulted in unauthorized fund transfers. The court rejected the insurer’s claim that employee negligence—a factor in the loss—excluded coverage. This is a good decision for financial institutions and crime insurance policyholders, and Orrick attorneys Russell Cohen, Darren Teshima, and Harry Moren discuss the decision and its potential impact on coverage for the trending Business E-mail Compromise (BEC) scam.
This week, a Fourth Circuit panel in an unpublished decision validated arguments long made by policyholders: that commercial general liability policies may provide coverage for certain data breach liabilities. In this case, Travelers Indemnity Company v. Portal Healthcare Solutions, the appellate court affirmed the district court’s 2014 ruling that an insurer had the duty to defend a company that provides electronic medical record management services in a class action alleging that the company made patients’ confidential records publicly accessible by posting the records to an unsecured public website.
Your insurer wrongfully denies coverage—so you file a complaint in court, right? Not so fast! Many new insurance policies now include mandatory arbitration provisions. While at one time arbitration clauses were common only in policies issued by foreign insurers, they are now finding their way into policies issued by domestic insurers and in all types of coverages, including commercial liability insurance policies, D&O, E&O, employment liability, and cyber insurance. While the terms of these clauses vary, to the extent they are enforceable or cannot be negotiated out of the coverage, arbitration provisions close the courthouse doors to insurance disputes and force policyholders and their insurers to resolve disputed issues in private and free from judicial scrutiny. READ MORE
As previously discussed, the question of whether Commercial General Liability (“CGL”) coverage applies to cyber-attacks or data breaches is a hot point of contention between policyholders and insurers. One of our cases to watch in 2015—Zurich American Insurance Company v. Sony Corporation of America—may resolve this question in New York shortly.
On February 25, 2015, a hearing was held in a closely-watched New York appeal involving coverage under CGL policies for privacy claims filed in the wake of a data breach.Zurich American Insurance Company v. Sony Corporation of America is pending in the New York Supreme Court Appellate Division. The Sony parties are represented by Richard DeNatale and Steve Foresta of Orrick’s Insurance group. They are seeking coverage under a clause that appears in all standard CGL policies and covers claims for “publication, in any manner, of material that violates a person’s right of privacy.” The lower court ruled that there was no duty to defend because the alleged publication of information was perpetrated by the hackers rather than by the policyholder. In their appeal, the Sony parties argue that this ruling is contrary to the plain language of the insurance policies. The hearing on February 25 lasted about 30 minutes, with active questioning from the panel of five justices. A decision from the Appellate Division is pending.
Happy New Year! For a sneak peek at the developments the year may bring to the legal landscape for insurance policyholders, here are five cases worth watching in 2015:
- Fluor Corporation v. Superior Court (Hartford Accident and Indemnity Company), No. S205889 (Cal. filed Oct. 10, 2012)
The California Supreme Court likely will issue its long-awaited decision in Fluor and, in doing so, may overturn its controversial 2003 decision concerning the assignment of insurance policies to successor corporations in Henkel Corporation v. Hartford Accident and Indemnity Company, 29 Cal. 4th 934 (2003). If the Court overturns Henkel,California would join the majority of states that permit a successor corporation to recover under the predecessor’s liability insurance policies for pre-assignment liabilities, regardless of a “no-assignment” provision in the policies. The Fluor case has been fully briefed for more than a year, and many California attorneys expected the Court to issue its decision in 2014. In the interim, California Governor Jerry Brown has recently appointed two new justices to the Court, which some commentators believe may push the court in a more liberal direction and could affect the Court’s decision. READ MORE