New York Rolls Out New Cybersecurity Requirements for Banks, Insurers

 


Harrisburg, Feb. 22 – According to the New York Department of Financial Services, new cybersecurity rules aimed at safeguarding consumer data go into effect on March 1, 2017. The regulations will require banks, insurers, and money services to strengthen their cybersecurity protocols by, in part, putting data security programs in place, and accepting greater responsibility for monitoring the vendors with whom they do business. The rules also require reporting breaches within 72 hours.

The new rules impose obligations which could create liability from regulatory actions or consumer litigation. According to attorneys quoted in a recent article appearing on Law360.com, the new guidelines will give enterprising plaintiffs’ lawyers new claims against financial services firms, as well as firm directors and officers. Under the new DFS scheme, company executives must certify compliance with the NY DFS regulations on an annual basis. Should those certifications prove incorrect, they could provide the basis for the DFS or consumers to make claims against banks, insurers and other financial services firms for breach of such certification. Because of that, companies should devote considerable attention and resources to two areas: (1) implementation of cybersecurity programs and systems in compliance with DFS requirements; and (2) making sure company executives have liability insurance coverage for cyber-related missteps, including coverage for both regulatory and consumer claims.

With respect to adequately insuring cyber exposures, companies should undertake a review of D&O policies to make sure any cyber-related liability is not excluded, and also that the insurance will cover the costs of defending against regulatory actions and any resulting penalties. With respect to DFS requirements for the supervision of third-party vendors, the rules call for vendors to encrypt nonpublic information and to set up robust protection systems. Companies should require and review both vendor cybersecurity policies and related liability insurance products to make sure the vendors have technology errors and omissions coverage. Companies may wish to secure additional insured protection in such policies as well.

A copy of the regulations may be found here:  nydfs-cybersecutiry-regs-03012017

 

 

Cybercrime Insurance Outlook 2017: Man vs. Machine


HARRISBURG, Feb. 17 – As 2017 unfolds, it remains to be seen whether an emerging trend of stricter readings of cybercrime insurance policies to limit or exclude the reach of computer fraud crimes protection coverage will continue. One case decided late last year illustrates the trend, and the view that whether or not computer fraud coverage applies will be based in large part on the degree of human involvement in bringing about the criminal losses.

In Apache Corp. v. Great American Ins. Co., No. 15-20499, 2016 WL 6090901 (5th Cir. Oct. 18, 2016), the Fifth Circuit Court of Appeals ruled that a policy covering losses arising out of computer fraud did not apply to a fraudulent financial transfer “that was the result of other events and not directly by the computer use.”

Of interest to the appeals court in Apache was that the crime started with a telephone call from the thief, posing as a vendor to the insured, requesting a change of bank wiring instructions through which the insured paid the vendor. Pursuant to Apache’s request for the change of wiring instructions in writing, the thief provided the instructions via email, although the email address did not match the vendor’s email domain on file. After a telephone call made by Apache following up the email, however, Apache instructed its bank to change the wiring instructions.

Apache discovered that the wiring change was ultimately fraudulent, resulting in net losses of $2.4 million. Apache filed a claim with Great American under its crime protection insurance policy which included computer fraud coverage. The insuring agreement in the Great American policy provided for payment of losses “resulting directly from the use of any computer to fraudulently cause a transfer of [such money] from inside the premises or banking premises … to a place outside those premises.”

Great American denied the claim on the grounds that the losses did not result directly from the use of a computer, but rather human error. Apache sued Great American for coverage in Texas state court, and the case was removed to the U.S. District Court for the Southern District of Texas, after which both parties cross-moved for summary judgment. The federal district court granted the insured’s motion for summary judgment in favor of coverage, and denied the insurer’s motion for summary judgment, but refused to impose statutory penalties on the insurer.

Following appeal by both parties to the U.S. Court of Appeals for the Fifth Circuit, the appeals court reversed judgment for Apache, relieving Great American of its indemnity obligations. A three-judge panel held that numerous intervening non-computer actions were taken between the digital actions of the posing vendor’s email and the computer bank transfer of funds. Such non-computer acts, the court noted, included telephone calls, approval of the change in wiring instructions by Apache’s management, the receipt and processing of invoices by Apache, and Apache’s approval of invoices for payment. The court finally found that Apache’s instructions to the bank to effectuate the wiring change were verbal as well.

The Court held:

“The email was part of the scheme; but, the email was merely incidental to the occurrence of the authorized transfer of money. To interpret the computer-fraud provision as reaching any fraudulent scheme in which an email communication was part of the process would. . . convert the computer-fraud provision to one for general fraud.. . . We take judicial notice that, when the policy was issued in 2012, electronic communications were, as they are now, ubiquitous, and even the line between “computer” and “telephone” was already blurred. In short, few—if any—fraudulent schemes would not involve some form of computer-facilitated communication. This is reflected in the evidence at hand. Arguably, Apache invited the computer-use at issue, through which it now seeks shelter under its policy, even though the computer-use was but one step in Apache’s multi-step, but flawed, process that ended in its making required and authorized, very large invoice-payments, but to a fraudulent bank account.”

For the Apache court, then, a critical area of focus in the analysis of coverage of cyber-crime insurance is the nexus between the crime, and the degree of computer, versus human, involvement. Apache, and decisions like it, impose rather strict limits on the scope of cyber-insurance coverage, setting a bright line between fraud which is primarily the result of flawed human systems, and fraud which is primarily digital, and computer-driven.

Cyber-crime and related technology insurance coverage is still very much an emerging insurance market. Policy language, therefore, remains varied, and such variance imposes obligations on both insurers and insureds to be precise in their understanding of what kinds of protections the policy terms, conditions, and endorsements provide.

Apache Corp. v. Great American Insurance Company, No. 15-20499, 2016 WL 6090901 (5th Cir. Oct. 18, 2016) 

Washington Supreme Court Ruling May Limit Suits Under Insurance Fair Conduct Act


WASHINGTON STATE, Feb. 2 – Washington state’s Supreme Court has potentially limited insureds’ rights to sue insurers under the state’s Insurance Fair Conduct Act.

In Perez-Santos v. State Farm, the state Supreme Court held that State Farm could not be held liable based on alleged unfair conduct in handling claims for medical bills arising out of a car accident.  The Court ruled that the IFCA does not create an independent right of action for regulatory missteps, but allows a right of action when an insurer unreasonably denies or delays benefits.

Practitioners in the state say that the ruling, however, may raise more questions than it answers, according to a recent report in Law360.com.

In the case, the insured, Perez-Crisantos, was in a car accident in November 2010 and alleged more than $50,000 in medical bills. State Farm agreed to pay the $10,000 in first party personal injury protection (PIP) benefits. The insurer denied, however, the insured’s underinsured motorist (UIM) claim, after concluding the claims included bills for excessive chiropractic treatment and unrelated shoulder surgery.

Perez-Crisantos sued State Farm in Washington state court, and ultimately won another $24,000 from the insurer on his UIM claim in an arbitration. Thereafter, Perez-Crisantos amended the state court civil complaint alleging State Farm’s violation of a Washington Administrative Code provision prohibiting insurers from forcing a first-party policyholder to litigate to recover “amounts due under an insurance policy by offering substantially less than the amounts ultimately recovered in such actions.”

A state judge granted State Farm’s motion to dismiss, concluding there was no evidence of “some sort of incentive program to ‘lowball claims.'”

On appeal to the state Supreme Court, Perez-Crisantos argued that a regulatory violation alone could support an IFCA claim, but the justices disagreed. The Supreme Court, in an opinion written by Justice Steven C. Gonzalez, found no indication that the Washington state Legislature intended to create an independent cause of action under the statute solely for regulatory violations. “Instead, IFCA makes regulatory violations relevant to the apportioned attorneys’ fees and damages associated with that derivative violation,” Gonzalez wrote.

IFCA permits courts to award successful claimants attorneys’ fees and authorizes courts to award triple damages.

Washington Justice Debra L. Stephens wrote in a concurring opinion that she favored affirming the judgment in favor of State Farm without tackling the issue of whether a regulatory violation gives rise to an independent cause of action under the IFCA. She wrote, “I fear that the majority’s gratuitous ‘holding’ on IFCA will lead to confusion and will frustrate the intent of this remedial statute.”

Perez-Santos v. State Farm (Wash. Feb. 2, 2017)

 

Claims Delay Not Unreasonable, In Bad Faith, Judge Rules


SCRANTON, Pa., Jan. 31 — An auto insurer did not unreasonably delay processing of a claim, a Pennsylvania federal judge has ruled. In Thomas and Colleen Meyers v. Protective Insurance Co., No. 16-1821, M.D. Pa., 2017 U.S. Dist. LEXIS 11338, a delay in the payment of an auto claim at issue in the case was found not so unreasonable as to constitute bad faith.

Thomas Meyers was injured by a hit-and-run vehicle while working as a delivery man on Jan. 21, 2014. He filed a claim alleging serious injury with Protective Insurance Co. for uninsured/underinsured motorist benefits on April 23, 2014. Meyers sought medical expenses and wage loss of more than $120,000.00 on Feb. 1, 2006. He claims to have received no response from Progressive for more than three months.

On May 26, 2016, Meyers rejected a settlement offer from Protective in the amount of $225,000. Meyers later rejected an increased offer, and Protective hired counsel requesting additional time to review the claim. Protective’s counsel required Meyers to complete four medical evaluations.

Meyers sued Protective in the Lackawanna County, Pa., Court of Common Pleas, stating claims for breach of contract, common law, and statutory bad faith pursuant to 42 Pa. C.S. §8371. Protective removed the action to the U.S. District Court for the Middle District of Pennsylvania and moved to dismiss all claims including breach of “fiduciary duty,” bad faith and a loss of consortium claim.

Judge A. Richard Caputo dismissed all fiduciary claims, holding, “[u]nder Pennsylvania law, an insurer owes a duty of good faith and fair dealing toward their insureds.  It is well-established, however, that there is no fiduciary duty owed to an insured in the context of an underinsured/uninsured motorist benefits.”

Judge Caputo also rejected the bad faith claims, including allegations that Protective’s failure to communicate constituted bad faith, finding such claims unsupported. The judge found that the insurer contacted the Meyerses four times requesting information and/or providing updates on the investigation between March 9, 2016, and May 24, 2016:

“Moreover, after the first settlement offer was rejected by Plaintiffs, Defendant, within only one week, proposed a new, higher, settlement offer.  Although Defendant often did not immediately respond to Plaintiffs’ communications, an allegation of ‘failure’ to communicate is inconsistent with reality.  Defendant’s communications may be described as tardy, but I cannot impute bad faith or even unreasonable delay, especially in light of the fact that Defendant made a settlement offer within three-and-a-half months after receiving Plaintiffs’ estimate of damages.  Although ‘[d]elay is a relevant factor in determining whether bad faith had occurred,’ [Kosierowski v. Allstate Ins. Co., 51 F.2d 583, 588 (E.D.Pa.1999)], I am unable to find precedent supporting the proposition that an insurance company’s investigation of a claim lasting three-and-a-half months is unreasonably lengthy. . . “[t]here is also no evidence that Defendant failed to objectively and fairly evaluate Plaintiffs’ claims, or that the settlement offer was so inadequate as to constitute bad faith.”

Judge Caputo also did not find Protective’s settlement offers unreasonably low:

“First, given that the damages package provided by Plaintiffs included a ‘medical lien and wage loss documentation in an amount in excess of $122,000,’ a settlement offer that is higher by nearly $100,000 than the proposed damages package is not unreasonable, and ‘bad faith is not present merely because an insurer makes a low but reasonable estimate of an insured’s damages.’  Secondly, Plaintiffs’ assertion of a verdict potential is an opinion as to the value of their claim, not an objective measure of it, and because such an assertion is nothing more than a legal conclusion, it must be disregarded.  Simply put, Plaintiffs’ subjective belief as to the verdict potential of their claims cannot constitute evidence of bad faith on the part of Defendant because Defendant’s subjective belief as to the value of the claim may reasonably, and permissibly, differ.”

The judge granted Protective’s 12(b)(6) motion, and gave the Plaintiffs 21 days to amend their complaint.

Thomas and Colleen Meyers v. Protective Insurance Co., No. 16-1821, M.D. Pa., 2017 U.S. Dist. LEXIS 11338