Russell Cohen is a partner in Orrick's San Francisco office with experience litigating antitrust and other complex business disputes on behalf of companies and individuals, particularly in the technology sector.
Russell has extensive experience with the antitrust laws, especially as they apply to technology companies, implicating issues such as platform economics and strategy, software interoperability and the duty to disclose interface information; IP-related claims, including Walker Process and patent misuse; and non-compete and other employee arrangements. He has represented clients in direct and indirect purchaser antitrust class actions, unfair competition cases and competitor suits in state and federal court, as well as in arbitration and international forums.
Russell is also a member of Orrick's Cyber, Privacy & Data Innovation practice, working with clients on incident planning and data-breach response efforts, including utilizing cyber insurance as part of a coordinated, comprehensive strategy for managing and recovering from data breaches. Exclusively on behalf of policyholders, he has pursued claims and litigated complex insurance disputes to recover for cyber attacks, employee sabotage, phishing schemes and other losses. He speaks and publishes frequently in the United States and Canada on cybersecurity litigation and cyber insurance.
Russell has also represented clients in other complex business disputes, including venture capital investor disputes, insurance recovery for financial, property and other losses and other commercial matters in federal and state court, and in arbitration proceedings.
Russell is committed to pro bono legal work and community service. He was counsel in the successful Alien Tort Statute case against one of the assassins of Archbishop Oscar Romero, who was murdered in El Salvador in 1980. He represented former Guantanamo detainees seeking damages for torture and unlawful detention and was amicus counsel for a group of Canadian and international human rights organizations and scholars in the U.S. Supreme Court in Arar v. Ashcroft.
The number of decisions considering claims for insurance coverage resulting from Business Email Compromise (“BEC”) scams has been increasing, providing policyholders with some hope, and some clarity, in this muddy area.
Policyholders got a recent win when a federal court in New York found in Medidata Solutions, Inc. that a data-services provider’s commercial crime policy covered an almost $5 million loss suffered as a result of a BEC scam. The Court in Medidata found coverage under the insured’s computer fraud and funds transfer rider, reasoning that “fraudulent access to a computer system” extends to email spoofing. Parting company with the Fifth Circuit in Apache, the Court in Medidata recognized that such spoofing can be a legal cause of the insured’s loss. And even though an authorized employee willingly initiated the transfer, the funds were not transferred with Medidata’s “knowledge or consent.”
Despite recent wins, there remains enough uncertainty in the coverage landscape that we suspect insurers will continue their full-on fight against coverage for these losses. To help policyholders prepare for battle, here are five things you can do NOW to maximize insurance coverage for losses from a BEC scam.
The coverage landscape for “Business E-mail Compromise” (BEC) scams remains somewhat tenuous, as organizations and carriers continue to battle in court over the extent of coverage. Although recent positive, policyholder-friendly trends in the Eighth Circuit (hacker who took over a bank’s computer system) and federal district court in Georgia (scheme based on spoofing a CEO’s e-mail) found insurance coverage for fraudulently transferred funds, a recent unpublished Fifth Circuit opinion moves in the other direction. Unfortunately, this new ruling—and the uncertainty it creates—may embolden insurers in fighting coverage for these scams under crime insurance policies.
In one of the first court decisions to analyze in depth the coverage provided by a cyber policy, a federal judge has found that PF Chang’s policy came up short. Following a 2014 data breach in which hackers accessed and posted online 60,000 credit card numbers belonging to PF Chang’s customers, the company sought coverage under its “CyberSecurity by Chubb” insurance policy. Although PF Chang’s insurer, Federal Insurance Company (“Federal”), agreed to reimburse nearly $1.7 million for customer claims and other breach-related expenses, it refused to reimburse an additional $2 million in fees and assessments levied against P.F. Chang’s by the credit card brands. Last week a federal district judge in Arizona, applying Arizona law, denied PF Chang’s claim for reimbursement and granted summary judgment for Federal. While it held that these fees and assessments fell within the scope of coverage, the court held that the “contractual liability” exclusion barred coverage.
The Eighth Circuit’s decision last Friday in State Bank of Bellingham v. BancInsure, holding that computer systems fraud insurance indeed insures against such fraud, even where employee negligence was a contributing factor, was a positive development for financial institutions as well as any crime insurance policyholder. The Eighth Circuit agreed with the district court that under Minnesota’s concurrent-causation doctrine, the insured could recover under a standard Computer Systems Fraud insuring agreement regardless of whether any excluded peril, i.e., employee negligence, contributed to the loss because the covered peril of computer systems fraud was the “efficient and proximate cause” of the loss.
In June 2015, Canada made significant amendments to its data privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA). These amendments to PIPEDA will require businesses to inform the Canadian Privacy Commissioner of certain data breaches, provide notice to affected individuals and maintain a log of any breaches of their cybersecurity safeguards. Regulations implementing the amendments are being developed and we expect, with a new government in place, to see something soon.
This week, a Fourth Circuit panel in an unpublished decision validated arguments long made by policyholders: that commercial general liability policies may provide coverage for certain data breach liabilities. In this case, Travelers Indemnity Company v. Portal Healthcare Solutions, the appellate court affirmed the district court’s 2014 ruling that an insurer had the duty to defend a company that provides electronic medical record management services in a class action alleging that the company made patients’ confidential records publicly accessible by posting the records to an unsecured public website.
The insurance industry has been making the case to Congress that cyberinsurance can be a path to good security practices, encouraging different groups inside an organization to better communicate with one another. The process of investigating, applying for and being approved for cyberinsurance may indeed prompt important discussions inside organizations about cybersecurity. And it may be a subject that prompts board-level discussion of cyber preparedness. But in our view, relying on cyberinsurance as the spark for those conversations is the tail wagging the dog or the chicken not the egg or the egg not the chicken.
Cyber insurance has reached a tipping point. The rising costs faced by data breach victims, which can exceed $100 million for the largest breaches, have spurred an increasing number of companies across industries to turn to cyber insurance in an effort to transfer at least some of those costs to an insurer. But cyber insurance is still relatively new, at least as a mass-market insurance product, and it is evolving quickly, although not as quickly as the threat itself. The policies are complex and not standardized, and courts have yet to provide any guidance about what will be covered and what will not. This state of affairs leaves many companies that have or are considering buying cyber insurance uncertain—not only whether they will be a victim of a data breach but also whether insurance will provide them with the coverage they need if they do become a victim.
The shockwaves continue from the October 6, 2015 ruling of the Court of Justice of the European Union (CJEU), the European Union’s highest court, invalidating the U.S.-EU “Safe Harbor” data transfer regime in a controversy arising out of Maximillian Schrems’ complaint to the Irish Data Protection Commissioner. The Schrems decision obviously has huge privacy implications for companies that transferred data under the Safe Harbor regime, but it may also impact such companies’ cyber insurance.
Cyber criminals posing as company executives have successfully made off with millions from company coffers by tricking company employees into sending them the cash. Insurers are increasingly taking the position that this type of fraud is not covered under cybercrime policies.