CYBER-CRIMES: How Have Courts Dealt with the Insurance Implications of this Emerging Risk? By Alan Rutkin

Insurance coverage law has one firm rule: when a new risk emerges, new coverage issues follow. There are roughly forty cases addressing insurance coverage for cyber-crime liability. We have seen three interesting questions recurring:

(1) Does the policy apply to acts by this person?
(2) Does the policy apply to this type of conduct?
(3) Was the problem caused by computer activity?

1) Does the policy apply to acts by this person?

A common coverage question in cyber-crime claims is whether the policy applies to the acts of the person who used the computer to cause the injury. The issue is authorization. Computer-specific policies often limit coverage to the bad acts of persons who are not authorized. Acts by employees are often excluded.

In Apps Communication, Inc. v. Hartford Casualty Insurance Co., [1] a Computers and Media Endorsement excluded dishonest or criminal acts by employees. A virus damaged the policyholder's computers. The policyholder alleged that a virus was introduced into its computer system, but the policyholder did not allege who introduced the virus. The court held that the policyholder needed to allege who introduced the virus to make it clear that the employee exclusion did not apply. [2]

Like the employee exclusion, several courts have considered and enforced exclusions for acts of authorized representatives. In Stop & Shop v. Federal Insurance Co., [3] the First Circuit applied an authorized representatives exclusion when a tax payment service stole $13 million from a supermarket. In Milwaukee Area Technical College v. Frontier Adjusters, [4] the court applied an authorized representatives exclusion when a college's claim adjuster stole $1.6 million.

Other courts faced more nuanced versions of the authorized person issue. In Universal American Corp. v. Union Fire Insurance Co., [5] a Computer Systems Fraud policy covered "[l]oss resulting directly from a fraudulent entry of Electronic Data." The policyholder, a health insurer, suffered $18 million in losses from fraudulent claims. Most of these claims were submitted by providers. The providers entered fraudulent information. The case hinged on the meaning of "fraudulent entry." Did it extend to the entry of information that was fraudulent? Or, was it limited to instances where it was fraudulent to enter any information at all. The court found that "entry" focused on the act of entering data; the data was fraudulent, but the act of entering it was legitimate. The court found for the insurer.

In Morgan Stanley Dean Witter & Co. v. Chubb, [6] an authorized person made unauthorized transfers causing about $100 million in losses. The policy, an Electronic Computer Crime Policy, focused on how the transfers were made. If the transfer was made by fax, coverage only applied if the person giving the fax instructions was not authorized to do so. The voice coverage, however, extended to unauthorized instructions by authorized persons. Consequently, the court found that the fax coverage did not apply, but the voice coverage did apply.

In Pestmaster Services v. Travelers Casualty and Surety Co., [7] a payroll company was authorized to electronically transfer funds from the insured's account into its own as part of its payroll services. The payroll company failed to pay the insured's payroll taxes as required by the contract, and instead used the money to pay its own obligations. The insured made a claim under its Computer Crime policy, which covered losses directly caused by Computer Fraud. The court held that the payroll company's acts did not constitute Computer Fraud because the funds transfer was authorized and did not involve hacking or any unauthorized entry into a computer system. [8] The fraud took place only after the authorized transfer.

1. Does the policy cover this act?

In claims arising from cyber-crimes, many cases focus on whether the policy applies to the act that caused the injury. Generally, computer fraud policies cover hacking. Nearly all criminals use computers. Only some criminals hack computers. Consequently, a common issue in the act cases is distinguishing hacking a computer from using a computer.

[1] No. 11C3994, 2011 U.S. Dist. LEXIS 118906 (N.D. Ill. Oct. 14, 2011); see also Palm Hills Properties v. Continental Ins. Co., No. 07-668-RET-SCR, 2008 WL 4303817 (M.D. La. July 23, 2008) (court applied employee exclusion to bar coverage).

[2] This decision is very favorable to insurers. Generally, insurers have the burden to establish exclusions. But here, the court found that the policyholder's complaint effectively needed to allege that the exclusion did not apply. But see NMS Services, Inc. v. Hartford, 62 F. App'x 511, 2003 U.S. App. LEXIS 7442 (4th Cir. Sept. 24, 2003) (applying acts of destruction exception to exclusion where bad actor was an employee).

[3] 136 F.3d 71 (1st Cir. 1998).

[4] 312 Wis. 2d 360 (Wis. App. 2008).

[5] 38 Misc. 3d 859, 959 N.Y.S.2d 849 (N.Y. Sup. Ct. 2013), aff'd, 25 N.Y. 3d 675 (2015).

[6] No. A-4124-03T2, 2005 N.J. Super. Unpub. LEXIS 798 (App. Div. Dec. 2, 2005).

[7] No. CV-13-5039-JFW(MRWx), 2014 U.S. Dist. LEXIS 108416 (C.D. Cal. July 17, 2014).

[8] The court observed that Computer Fraud occurs when someone hacks or obtains unauthorized access or entry to a computer in order to make an unauthorized transfer or otherwise uses a computer to fraudulently cause a transfer of funds. Id. at *19.

Hacking is to gain access to a computer illegally. [9] Policyholders have tried to extend hacking coverage to instances in which criminals give bad information that is then legally entered into the policyholder's computer. At least two courts have distinguished giving bad information from actually breaking into a computer. Both courts found that the hacking coverage did not apply. [10]

Similarly, another court recently distinguished a data refusal from a data error. The policy covered errors, not intentional refusals. The court upheld the insurer's disclaimer. [11]

Just a few weeks ago, the Supreme Court of New Hampshire found that hacking is not an occurrence because it is inherently injurious. [12]

Finally, we're seeing talk about whether coverage can be subject to policyholders following best practices. In 2013, an insurer sought a declaratory judgment of no coverage based upon an exclusion for Failure to Follow Minimum Required Practices. The case was dismissed on procedural grounds. But, we will surely see more of the best practices issue. [13]

[9] Merriam-Webster.com definition of "hack," available at http://www.merriam-webster.com/dictionary/hack.

[10] Hudson United Bank v. Progressive Cas. Ins. Co., 112 F. App'x 170, 2004 U.S. App. LEXIS 21335 (3d Cir. Oct. 14, 2004) (fraudulent data entry was not recoverable because data was not entered into the covered computer (i.e., the policyholder's computer)); Northside Bank v. American Cas. Co., 60 Pa. D. & C. 4th 95 (Ct. Common Pleas Jan. 10, 2001), aff'd, 792 A.2d 625 (Pa. Super. Ct. 2001) (coverage protecting a bank against hackers did not apply to the introduction of information that was fraudulent when received). See also Metro Brokers v. Transportation Ins. Co., No. 1:12-cv-3010, 2013 U.S. Dist. LEXIS 184638 (N.D. Ga. Nov. 21, 2013), aff'd, 603 Fed. App'x. 833 (11th Cir. 2015) (policyholder conceded that malicious code and system penetration exclusion applied to virus).

[11] Travelers Property Cas. Co. v. Federal Recovery Services, Inc., 103 F. Supp. 3d 1297 (D. Utah 2015).

[12] Todd v. Vermont Mutual Insurance Co., No. 2015-0233 (N.H. Apr. 7, 2016).

[13] Columbia Casualty Co. v. Cottage Health System, No. 2:15-cv-03432 (C.D. Cal. 2015).

2. Does the policy limit coverage to losses that computer activity caused directly?

Claims under computer policies frequently involve a causation issue. Coverage is typically limited to losses directly related to some type of bad act on a computer. Insurers often maintain that "direct" means immediate, without an intervening cause. [14] Policyholders, on the other hand, argue for a proximate cause approach.

In Retail Ventures, [15] criminals used computers to gain access to their victims. The criminals used computers to steal credit card information, and then stole from the accounts. The computers set up the crimes, but the computers were not used to carry out the crimes. The court found the losses resulted directly from computers.

Similarly, in Apache Corp. v. Great American Insurance Co., [16] a federal district court held that a computer fraud policy covered wire transfers to a phony account because a fraudulent email was a substantial factor in bringing about the injury. There, the insured's employee received a phone call from an imposter posing as one of the insured's vendors. The imposter claimed to be providing new account information for future wire payments. The employee asked for a written request on the vendor's official letterhead. The imposter sent the letter by email. Another employee of the insured called the number on the letter to verify the request and obtained supervisor clearance before wiring the funds. After learning that the account was fraudulent, the insured sought recovery under the computer fraud section of its crime protection policy. The policy covered loss resulting directly from the use of any computer to fraudulently cause a transfer of property to another. The insurer declined coverage on the basis that the scheme's success hinged on the telephone calls and related acts. It did not result directly from the use of a computer. The court disagreed and held despite the human involvement that followed the fraud, the loss still resulted directly from computer fraud, i.e. the email directing [the insured] to disburse payments to a fraudulent account. [17]

In contrast to these decisions, several courts have found that the use of a computer was merely incidental to the loss. In Pinnacle Processing Group v. Hartford Casualty Insurance Co., [18] the court held that "direct" means without any intervening cause. In Brightpoint, Inc. v. Zurich American Insurance Co., [19] the court cited Black's Law Dictionary to state that "direct" means in a straight line or course and immediately. [20] In Pestmaster, the court stated that direct means direct, and held that losses must flow immediately and directly from computer use. [21]

[14] See, e.g., Retail Ventures, Inc., 691 F.3d at 824.

[15] 691 F.3d 821.

[16] No. 4:14-CV-237, 2015 U.S. Dist. LEXIS 161683 (S.D. Tex. Aug. 7, 2015).

[17] Id. at *6-7. The case is currently on appeal before the Fifth Circuit.

[18] No. C10-1126-RSM, 2011 U.S. Dist. LEXIS 128203 (W.D. Wash. Nov. 4, 2011).

[19] 2006 U.S. Dist. LEXIS 26018.

[20] Id. at *20.

[21] Pestmaster, 2014 U.S. Dist. LEXIS 108416 at *23-24 (computer was merely incidental to misuse of funds where fraud occurred after an authorized electronic transfer).