Vendor impersonation is one of the typical varieties of “Business E-mail Compromise” (BEC) scams. By spoofing e-mail from a trusted vendor, the fraudster persuades a company to redirect its vendor payments to a bank account the fraudster controls. While some courts have found that commercial crime policies cover losses from BEC scams, a recent Fifth Circuit decision found no coverage for the victim of a vendor-impersonation BEC scam under the computer fraud provision of the company’s crime protection policy. Rejecting the company’s argument that the coverage provision was ambiguous, the court held that the fraudulent e-mail was not the direct cause of the fraudulent transfer. Orrick attorneys Russell Cohen, Aravind Swaminathan, and Harry Moren comment on this troubling decision at our sister blog, Trust Anchor.
Posts by: Russell Cohen
In one of the first court decisions to consider the scope of cyber insurance and whether it covers credit card brand fraud recovery assessments, the policyholder, PF Chang’s, came up short. Following a 2014 data breach in which hackers accessed and posted online 60,000 credit card numbers belonging to PF Chang’s customers, MasterCard levied a $1.9 million fraud recovery charge against the restaurant chain. PF Chang’s tendered those charges to its cyber insurer, Federal Insurance Company, which refused to provide coverage. Coverage litigation followed, and last week a federal judge in Arizona handed down a decision in favor of Federal. For a discussion of the case and its implications for cyber insurance policyholders, or those considering becoming one, you can read the full article by Russell Cohen and Darren Teshima at Orrick’s Trust Anchor blog.
The Eighth Circuit’s decision last Friday in State Bank of Bellingham v. BancInsure, holding that a Computer Systems Fraud insuring agreement covers a loss from a hacker’s fraudulent wire transfers even where employee negligence was a contributing factor, was a positive development for financial institutions as well as any crime insurance policyholder. The Eighth Circuit agreed with the district court that under Minnesota’s concurrent-causation doctrine, the insured could recover under a standard Computer Systems Fraud insuring agreement regardless of whether any excluded peril, i.e., employee negligence, contributed to the loss, because the covered peril of computer systems fraud was the “efficient and proximate cause” of the loss.
The case involved a small Minnesota bank that was the victim of a computer fraud attack. It began with a bank employee who initiated a legitimate wire transfer through a bank computer using a security USB token issued to her by the Federal Reserve, the password generated by the security token, and her personal passphrase. The employee improperly verified the wire transfer herself using another employee’s security token, password, and passphrase. She then left both security tokens in the computer, and the computer running, when she left the bank for the day.
Unbeknownst to anyone at the bank, a hacker had previously infected the computer with Trojan horse malware. The next morning, the hacker accessed the bank computer through that malware. Using the security tokens that had been left in the computer, along with the passwords and passphrases of the two bank employees, the hacker completed two fraudulent wire transfers to bank accounts in Poland totaling $940,000. Bank employees discovered the fraudulent transfers within an hour. The bank was able to recover the funds from one of the wire transfers, but could not recover the funds from the other.
The bank sought coverage for the loss of these bank funds under its financial institution bond, which provides coverage similar to a crime insurance policy. The policy had a Computer Systems Fraud insuring agreement, which covered loss resulting directly from a fraudulent entry or change of electronic data or computer program on the bank’s computer systems. The issuer of the policy apparently conceded that the Computer Systems Fraud insuring agreement would cover the loss but argued that several exclusions operated to preclude coverage: exclusions for loss caused by an employee, for loss resulting from theft of confidential information, and for loss resulting from mechanical failure or gradual deterioration of a computer system.
This week, a Fourth Circuit panel in an unpublished decision validated arguments long made by policyholders: that commercial general liability policies may provide coverage for certain data breach liabilities. In this case, Travelers Indemnity Company v. Portal Healthcare Solutions, the appellate court affirmed the district court’s 2014 ruling that an insurer had the duty to defend a company that provides electronic medical record management services in a class action alleging that the company made patients’ confidential records publicly accessible by posting the records to an unsecured public website.
The policyholder, Portal Healthcare Solutions, under a contract with a New York hospital for the storage and maintenance of its patients’ confidential medical records, arranged to store the records electronically. The records were allegedly not stored in a secure manner. Two patients discovered that their hospital records were publicly viewable through the first link returned by a Google search on their names. In 2013, the patients brought a class action suit in New York against Portal for negligent storage of confidential medical records.
Portal had coverage under the personal or advertising injury provisions of its commercial general liability policy for damages arising from “the electronic publication of material” that “gives unreasonable publicity to a person’s private life” or that “discloses information about a person’s private life.” In a declaratory judgment action initiated by the insurer, the Eastern District of Virginia granted summary judgment to Portal, holding that the insurer had a duty to defend Portal against the class action.
The Fourth Circuit affirmed the district court’s judgment, adopting its reasoning. Portal’s alleged conduct of exposing medical records to anyone running an online search on a patient’s name fell within the plain meaning of “publication”: “to place before the public.” The court rejected the insurer’s arguments that (i) there was no publication because Portal never intended to expose the records, and (ii) there was no allegation that any unauthorized person actually accessed any of the records.
This week’s decision contrasts with an earlier decision of the Connecticut Supreme Court in Recall Total Information Management v. Federal Insurance Company, which we discussed last year. In that case, the Connecticut high court found no CGL coverage for claims arising from computer tapes containing employees’ personal information that fell off a van and were apparently taken by an unknown person. The district court in Portal Healthcare Solutions distinguished Recall, where at most a single thief accessed the tapes, from Portal, where the records were posted on the internet before three billion people.
We have long asserted that there is coverage for certain data breach claims under the personal and advertising injury provisions of CGL policies. And while the Fourth Circuit’s decision validates that view, its impact may be limited. First, insurers will certainly argue that the facts of this unpublished decision—the posting of unsecured information on the internet—are different from situations in which hackers gain unauthorized entry to protected information. And, second, fewer and fewer policyholders are relying on CGL policies for coverage of data breach and cyber risks. For years now, insurers have marketed specialized cyber policies, in part by persuading policyholders that their CGL policies did not cover such risks, and by adding cyber exclusions to CGL policies. But even so, Portal may make a meaningful difference for insureds whose CGL policy has no cyber exclusion, if they have no cyber insurance at all or if data breach litigation exhausts their cyber policy limits.
Cyber insurance has reached a tipping point. The rising costs faced by data breach victims, which can exceed $100 million for the largest breaches, have spurred an increasing number of companies across industries to turn to cyber insurance in an effort to transfer at least some of those costs to an insurer. But cyber insurance is still relatively new, at least as a mass-market insurance product, and it is evolving quickly, although not as quickly as the threat itself. The policies are complex and not standardized, and courts have yet to provide any guidance about what will be covered and what will not. This state of affairs leaves many companies that have bought, or are considering buying, cyber insurance uncertain not only about whether they will be the victim of a data breach but also about whether insurance will provide the coverage they need if they are.
Data breaches and cyberattacks occur across all sectors. In the past year there have been highly publicized mega-breaches of technology companies, entertainment companies, retailers, financial services companies, health insurers, manufacturers, and the federal government’s Office of Personnel Management. Even the most sophisticated systems are vulnerable to a data breach. And companies with any potential exposure—which includes any company that maintains employee information—are increasingly looking to cyber insurance as one way to manage the cost of a data breach.
Our article “Cyber Insurance: An Overview of an Evolving Coverage” provides an overview of cyber insurance. The first section (What Is Cyber Insurance?) describes the risks faced by companies and the coverage offered by cyber insurance. The second section (The Development of Cyber Insurance) describes the development of cyber insurance as a specialized coverage, the impact of breach notification laws on that development, and the limits of coverage under existing insurance. The third section (Where Is Cyber Insurance Heading?) discusses the key coverage and exclusion battlegrounds in these policies, the emergence of cyber insurance litigation, and the challenges presented by the Internet of Things. We hope that a better understanding of the scope and value of cyber insurance will help companies decide where it fits among the different means of proactively enhancing their IT security posture.
The shockwaves continue from the October 6, 2015 ruling of the Court of Justice of the European Union (CJEU), the European Union’s highest court, invalidating the U.S.-EU “Safe Harbor” data transfer regime in a controversy arising out of Maximillian Schrems’ complaint to the Irish Data Protection Commissioner. The Schrems decision obviously has huge privacy implications for companies that transferred data under the Safe Harbor regime, but it may also impact such companies’ cyber insurance.
The Safe Harbor program has been in place since 2000 and was meant to bridge the gap between the regulatory requirements for handling of personal data in the EU and U.S. The Safe Harbor created a self-certification mechanism by which companies in the U.S. could opt into a set of rules governing the handling of EU personal information in order to meet EU privacy law requirements. If a company opted in, it was then able to receive data transfers from the EU to the U.S. without further approval.
The Schrems ruling, explained in detail here by our privacy team, found that the protections afforded by the Safe Harbor were in fact not adequate. The CJEU noted that the protections required to meet Safe Harbor obligations could be disregarded for a number of reasons, including at the request of certain government entities or where preempted by U.S. law. The CJEU therefore held that a company’s decision to opt into the Safe Harbor does not necessarily protect the personal data of EU citizens, and that Safe Harbor participation by a U.S. company would no longer be considered sufficient to meet the requirements of EU privacy law.
The sharing of information between the EU and U.S. will not be immediately halted, because the ruling allows an EU nation’s supervisory authorities to evaluate the treatment of data in a particular case. But if no resolution is reached by January, there is a possibility (discussed here) that at least some EU nations will follow the CJEU’s lead and commence regulatory investigations and proceedings to evaluate specific data transfers to U.S. companies. For companies that once relied on the Safe Harbor program, there may be implications for their purchase or renewal of cyber insurance.
Cyber criminals posing as company executives have successfully made off with millions from company coffers by tricking company employees into sending them the cash. Insurers are increasingly taking the position that this type of fraud is not covered under cybercrime policies.
As we recently discussed in a client alert, in a “Business E-mail Compromise” or “BEC” scam, criminals identify and target employees at a company who are responsible for transmitting the company’s money. An impostor then poses as a high-level executive and contacts a mid-level employee via e-mail, directing that employee to transfer company funds to an external bank account (usually overseas). By the time the employee—or the company—realizes that this “boss” is not his or her actual boss, the funds are long gone. According to the FBI, BEC scams have claimed nearly 2,000 victims and almost $215 million since 2013. While it would seem that the losses stemming from such a scam should fall squarely within a company’s cybercrime policy, insurance companies may disagree.
The data breach earlier this month that potentially exposed information about millions of federal government employees is yet another reminder that any organization that maintains data is at risk of being hacked. And rest assured that if you get hacked, you will incur substantial costs as a result, including substantial notice and related costs and potentially massive third-party liability claims.
We have written extensively about so-called “cyber” insurance, including how cyber insurance is neither comprehensive nor standardized. As a result, when you are shopping for your first (or next) cyber policy it is important to understand what types of coverages, exclusions and conditions are in the market. Making a well-informed purchase starts with knowing your options.
There are too many differences between cyber policies to cover in one blog post, and the market, still in its youth, is rapidly evolving. But here is a list of five important things—in no particular order—to consider when you’re in the market for cyber insurance:
Large scale cyber-attacks and data breaches are, regrettably, a daily occurrence in today’s world. Countless companies – including some of the world’s largest – already have been victims of cyber-attacks, countless others will be victims in the future, and others already are victims but simply do not know it yet. By now, many companies purchase specialized insurance that covers many of the types of costs that the company may incur in the aftermath of a cyber-attack. But these policies do not provide coverage for every consequence of a cyber-attack, and that reality may hit home for makers or users of smart devices in an expensive way. This is a cautionary tale for participants in the Internet of Things.