Insurers’ recalcitrance to providing coverage for the “Business E-mail Compromise” (BEC) scam is a topic we’ve frequently discussed. On Monday, the Ninth Circuit heard oral argument in a BEC coverage action, Taylor & Lieberman v. Federal Insurance Company.
The fraudster in that case sent spoofed e-mails in 2012 to an accounting firm purporting to be from one of the firm’s clients. At the “client’s” request, the accounting firm executed two wire transfers from the client’s bank account, over which the firm had power of attorney, in amounts just under $100,000 each to banks in Malaysia and Singapore. The firm finally detected the scheme when it called the client for confirmation after receiving a third e-mail requesting another transfer of $128,000 to Malaysia. The accounting firm was able to recover most of the first wire transfer but nothing from the second, resulting in a $100,000 loss to the client’s account, which the firm restored.
The shockwaves continue from the October 6, 2015 ruling of the Court of Justice of the European Union (CJEU), the European Union’s highest court, invalidating the U.S.-EU “Safe Harbor” data transfer regime in a controversy arising out of Maximillian Schrems’ complaint to the Irish Data Protection Commissioner. The Schrems decision obviously has huge privacy implications for companies that transferred data under the Safe Harbor regime, but it may also impact such companies’ cyber insurance.
October ordinarily brings the return of crisp air, fall foliage, and Halloween. This year, for the first time, it also brings National Cyber Security Awareness Month. Yet designating a month to increase cybersecurity awareness seems redundant. We are reminded almost daily of the importance of cybersecurity, as media reports of cyber breaches have become commonplace. Of course, the most widely reported cyber incidents have been data privacy breaches that have affected tens of millions of consumers nationwide. These are the sorts of incidents that have spawned a growing market for so-called “cyber policies” (although as we wrote recently, the CEO of one of the largest insurers has acknowledged that cyber insurance capacity remains relatively small).
Cyber criminals posing as company executives have successfully made off with millions from company coffers by tricking company employees into sending them the cash. Insurers are increasingly taking the position that this type of fraud is not covered under cybercrime policies.
In a stunning victory for the former Goldman Sachs programmer, New York State Justice Daniel Conviser threw out Sergey Aleynikov’s jury conviction on state law charges that he stole intellectual property from Goldman. Trade Secrets Watch has extensively covered this story, most recently reporting the start of Aleynikov’s new trial, but missing out on a (later-dismissed) juror’s tale of an errant avocado.
The data breach earlier this month that potentially exposed information about millions of federal government employees is yet another reminder that any organization that maintains data is at risk of being hacked. And rest assured that if you get hacked, you will incur substantial costs as a result, including substantial notice and related costs and potentially massive third-party liability claims.
We have written extensively about so-called “cyber” insurance, including how cyber insurance is neither comprehensive nor standardized. As a result, when you are shopping for your first (or next) cyber policy it is important to understand what types of coverages, exclusions and conditions are in the market. Making a well-informed purchase starts with knowing your options.
There are too many differences between cyber policies to cover in one blog post, and the market, still in its youth, is rapidly evolving. But here is a list of five important things—in no particular order—to consider when you’re in the market for cyber insurance:
There has been no recent shortage of high-profile cyberattacks and data breaches leaving businesses with millions of dollars in losses. Verizon’s 2015 Data Breach Investigations Report counted 79,790 security incidents (including 2,122 confirmed data breaches) in the last year alone. If you’re a business that stores information electronically—that is, if you’re any business at all—you’re probably sufficiently worried about cyber threats just by reading the news. But if you haven’t fully appreciated the seriousness of the problem yet, the insurance industry is happy to help. As one insurer warns in its marketing materials, “many companies don’t realize that whether they experience a data security breach isn’t as much a matter of if it will happen as when.” Sufficiently terrified of cyber threats? Don’t worry—these same insurers will let you know they offer coverage that will help mitigate your risk. As one insurer puts it, “when a security breach happens, you’ll need comprehensive protection from an insurer that specializes in handling cyber risks, offers a full suite of integrated insurance solutions to help minimize gaps in coverage, and understands how to tailor coverage to your business.”
Your insurer wrongfully denies coverage—so you file a complaint in court, right? Not so fast! Many new insurance policies now include mandatory arbitration provisions. While at one time arbitration clauses were common only in policies issued by foreign insurers, they are now finding their way into policies issued by domestic insurers and in all types of coverages, including commercial liability insurance policies, D&O, E&O, employment liability, and cyber insurance. While the terms of these clauses vary, to the extent they are enforceable or cannot be negotiated out of the coverage, arbitration provisions close the courthouse doors to insurance disputes and force policyholders and their insurers to resolve disputed issues in private and free from judicial scrutiny.
As many companies are considering purchasing cyber insurance, they often wonder: “Will my insurer be there when I have a data breach?” Cyber insurers have generally been good in paying claims. But the recent lawsuit featured in this Orrick Client Alert demonstrates that as the landscape evolves, insurers may refuse to cover breach costs by arguing that insureds failed to meet “minimum requirements” for cybersecurity. Tending to cybersecurity policies and procedures before breaches occur is more important than ever. For more insight on how to avoid facing the loss of cyber insurance coverage just when you need it most, keep reading.
When you, as a policyholder, give an insurance company notice of a claim, the insurance company often will send a “reservation of rights” letter—especially where there are complex liability claims—preserving its right to give you a coverage decision after it investigates the claim (that is, if it doesn’t accept or deny the claim outright). These letters usually include lengthy lists of coverage defenses the insurance company reserves the right to assert and questions that it wants you to answer. Many policyholders are naturally overwhelmed by the questions and have no idea how to respond. But respond you must. And how you respond has the potential to make or break your claim. Luckily, common sense and some simple rules are usually enough to make sure your claim survives this early hurdle.
The insurance company’s questions often pose three problems. First, they may seek information solely to enable the insurance company to deny coverage, often on grounds that the notice was late. Questions such as “When did you know that there was a problem” seek to gain information to enable the insurance company to deny coverage on the basis that you failed to notify them timely of the problem. But you must remember that you are under no obligation to give the insurance company information that it can use to defeat coverage. You should provide information adequate to describe the nature of the claim, but it is the insurance company’s obligation to figure out how to defeat coverage.