CJ Haddick Guests On A.M. Best’s “Updates In Insurance and Bad Faith Podcast”


A.M. Best published the most recent episode of its Updates In Insurance Coverage and Bad Faith podcast earlier today, in which I discuss some recent developments in insurance coverage and bad faith law with the show’s host, John Czuba. You can listen to the episode via the link below.

A transcript of the podcast can be found here:

PodcastTranscript-137


New York Rolls Out New Cybersecurity Requirements for Banks, Insurers



Harrisburg, Feb. 22 – According to the New York Department of Financial Services, new cybersecurity rules aimed at safeguarding consumer data go into effect on March 1, 2017. The regulations will require banks, insurers, and money services businesses to strengthen their cybersecurity protocols by, in part, putting data security programs in place and accepting greater responsibility for monitoring the vendors with whom they do business. The rules also require reporting breaches to DFS within 72 hours.

The new rules impose obligations which could create liability from regulatory actions or consumer litigation. According to attorneys quoted in a recent article appearing on Law360.com, the new requirements will give enterprising plaintiffs’ lawyers new claims against financial services firms, as well as their directors and officers. Under the new DFS scheme, company executives must certify compliance with the DFS regulations on an annual basis. Should those certifications prove incorrect, they could provide the basis for the DFS or consumers to make claims against banks, insurers and other financial services firms for breach of the certification. Because of that, companies should devote considerable attention and resources to two areas: 1.) implementation of cybersecurity programs and systems in compliance with DFS requirements; and 2.) making sure company executives have liability insurance coverage for cyber-related missteps, including coverage for both regulatory and consumer claims.

With respect to adequately insuring cyber exposures, companies should review their D&O policies to make sure cyber-related liability is not excluded, and that the insurance will cover the costs of defending against regulatory actions and any resulting penalties. With respect to the DFS requirements for supervision of third-party vendors, the rules call for vendors to encrypt nonpublic information and to set up robust protection systems. Companies should require and review both vendor cybersecurity policies and the vendors’ related liability insurance, to make sure the vendors carry technology errors and omissions coverage. Companies may wish to secure additional insured status under such policies as well.

A copy of the regulations may be found here:  nydfs-cybersecutiry-regs-03012017


Cybercrime Insurance Outlook 2017: Man vs. Machine


HARRISBURG, Feb. 17 – As 2017 unfolds, it remains to be seen whether an emerging trend of stricter readings of cybercrime insurance policies, readings that limit or exclude the computer fraud coverage in crime protection policies, will continue. One case decided late last year illustrates the trend, and the view that whether computer fraud coverage applies will turn in large part on the degree of human involvement in bringing about the criminal loss.

In Apache Corp. v. Great American Ins. Co., No. 15-20499, 2016 WL 6090901 (5th Cir. Oct. 18, 2016), the Fifth Circuit Court of Appeals ruled that a policy covering losses arising out of computer fraud did not apply to a fraudulent financial transfer “that was the result of other events and not directly by the computer use.”

Of interest to the appeals court in Apache was that the crime started with a telephone call from the thief, posing as a vendor of the insured, requesting a change to the bank wiring instructions through which the insured paid the vendor. When Apache asked that the change be submitted in writing, the thief provided the new instructions by email, although the sender’s email address did not match the vendor’s email domain on file. After a follow-up telephone call by Apache, however, Apache instructed its bank to change the wiring instructions.
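The Apache scheme is the standard vendor-impersonation pattern, and the detail the court dwelt on, a sender domain that did not match the vendor’s domain on file, is mechanically checkable before anyone picks up a phone. The Python below is an added example written for this page; it is not from the case record or the author’s practice, and the vendor name, domains and phone numbers in it are constructed. It screens a bank-detail change request three ways: the actual sender address (not the display name) against the vendor’s domain on file, lookalike domains (confusable characters and small edit distances), and whether the callback number matches the vendor master record rather than a number supplied with the request, since an out-of-band call only verifies anything if it goes to a number the requester did not choose.

```python
"""Screening a vendor bank-detail change request for impersonation signals.

Added example modelled on the Apache fact pattern. All vendor data below is
constructed for illustration and is not taken from the case record.
"""
from dataclasses import dataclass
from email.utils import parseaddr


@dataclass(frozen=True)
class VendorRecord:
    name: str
    email_domain: str   # registrable domain the vendor corresponds from
    phone_on_file: str  # callback number captured at onboarding, never from an email


@dataclass(frozen=True)
class ChangeRequest:
    vendor_name: str
    from_header: str     # raw RFC 5322 From: header value
    callback_phone: str  # number the requester asks to be called on
    new_bank_account: str


# Constructed vendor master record (hypothetical vendor, domain and number).
VENDORS = {
    "Acme Drilling Services": VendorRecord(
        "Acme Drilling Services", "acme-drilling.example", "+1-555-0100"),
}


def sender_domain(from_header: str) -> str:
    """Domain of the real address in From:, ignoring the display name,
    which an attacker can set to anything (including a legitimate address)."""
    _display, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def registrable(domain: str) -> str:
    """Last two labels. Simplification: a real deployment would consult the
    Public Suffix List so that e.g. example.co.uk is handled correctly."""
    labels = domain.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain


def normalize_confusables(s: str) -> str:
    """Collapse characters commonly substituted in lookalike domains."""
    s = s.lower().replace("rn", "m").replace("vv", "w")
    return s.translate(str.maketrans("0135", "oles"))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def digits_only(phone: str) -> str:
    return "".join(ch for ch in phone if ch.isdigit())


def screen_request(req: ChangeRequest, vendors=VENDORS) -> list:
    """Return the list of findings; an empty list means no impersonation signal."""
    findings = []
    vendor = vendors.get(req.vendor_name)
    if vendor is None:
        return ["UNKNOWN_VENDOR"]

    dom = sender_domain(req.from_header)
    if not dom:
        findings.append("UNPARSEABLE_SENDER")
    elif not (dom == vendor.email_domain or dom.endswith("." + vendor.email_domain)):
        # The Apache signal: the request did not come from the domain on file.
        findings.append("SENDER_DOMAIN_MISMATCH")
        got, want = registrable(dom), registrable(vendor.email_domain)
        if normalize_confusables(got) == normalize_confusables(want) or edit_distance(got, want) <= 2:
            findings.append("LOOKALIKE_DOMAIN")

    # Verification must use the number already on file. Calling a number
    # supplied in the request only proves the requester can answer a phone.
    if digits_only(req.callback_phone) != digits_only(vendor.phone_on_file):
        findings.append("CALLBACK_NUMBER_NOT_ON_FILE")
    return findings


def decision(findings: list) -> str:
    return "APPROVE" if not findings else "HOLD_FOR_OUT_OF_BAND_VERIFICATION"


if __name__ == "__main__":
    # Constructed request resembling the Apache scheme: a lookalike domain
    # plus a "new" phone number offered for the callback.
    suspicious = ChangeRequest(
        "Acme Drilling Services",
        "Acme Drilling AP <payments@acme-drillling.example>",
        "+1-555-0199",
        "000111222",
    )
    found = screen_request(suspicious)
    print(found, decision(found))
```

Any finding places the request on hold; the hold is cleared only by a call to the number already in the vendor master record, and a change submitted on new letterhead or with a new contact number is treated as a reason to call the old number, not the new one.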

Apache later discovered that the wiring change was fraudulent, resulting in net losses of $2.4 million. Apache filed a claim with Great American under its crime protection insurance policy, which included computer fraud coverage. The insuring agreement in the Great American policy provided for payment of losses “resulting directly from the use of any computer to fraudulently cause a transfer of [such money] from inside the premises or banking premises … to a place outside those premises.”

Great American denied the claim on the ground that the losses did not result directly from the use of a computer, but rather from human error. Apache sued Great American for coverage in Texas state court, and the case was removed to the U.S. District Court for the Southern District of Texas, after which both parties cross-moved for summary judgment. The district court granted the insured’s motion for summary judgment in favor of coverage and denied the insurer’s motion, but refused to impose statutory penalties on the insurer.

Following appeals by both parties to the U.S. Court of Appeals for the Fifth Circuit, the appeals court reversed the judgment for Apache, relieving Great American of its indemnity obligation. A three-judge panel held that numerous intervening non-computer actions occurred between the impostor’s email and the electronic bank transfer of funds. Those non-computer acts, the court noted, included telephone calls, approval of the change in wiring instructions by Apache’s management, the receipt and processing of invoices by Apache, and Apache’s approval of the invoices for payment. The court also noted that Apache’s instruction to its bank to effect the wiring change was itself verbal.

The Court held:

“The email was part of the scheme; but, the email was merely incidental to the occurrence of the authorized transfer of money. To interpret the computer-fraud provision as reaching any fraudulent scheme in which an email communication was part of the process would . . . convert the computer-fraud provision to one for general fraud. . . . We take judicial notice that, when the policy was issued in 2012, electronic communications were, as they are now, ubiquitous, and even the line between “computer” and “telephone” was already blurred. In short, few—if any—fraudulent schemes would not involve some form of computer-facilitated communication. This is reflected in the evidence at hand. Arguably, Apache invited the computer-use at issue, through which it now seeks shelter under its policy, even though the computer-use was but one step in Apache’s multi-step, but flawed, process that ended in its making required and authorized, very large invoice-payments, but to a fraudulent bank account.”

For the Apache court, then, a critical focus in analyzing coverage under a cyber-crime policy is the nexus between the crime and the loss, measured by the degree of computer, versus human, involvement. Apache, and decisions like it, impose rather strict limits on the scope of cyber-insurance coverage, drawing a bright line between fraud that is primarily the product of flawed human processes and fraud that is primarily digital and computer-driven.

Cyber-crime and related technology insurance coverage is still very much an emerging insurance market. Policy language therefore remains varied, and that variance obliges both insurers and insureds to be precise in their understanding of what protections the policy terms, conditions, and endorsements actually provide.

Apache Corp. v. Great American Insurance Company, No. 15-20499, 2016 WL 6090901 (5th Cir. Oct. 18, 2016) 

Computer Fraud Losses Barred By “Authorized Representative” Exclusion


PASADENA, June 28 — The Ninth Circuit U.S. Court of Appeals affirmed summary judgment for Great American Insurance Co., holding that the policy’s “authorized representative” exclusion barred coverage of $100,000 in losses to Southern California Counseling Center arising out of computer fraud by one of the Center’s payroll agencies.

The Southern California Counseling Center (SCCC) sued its insurer Great American Insurance Co. (GAIC) for breach of contract and bad faith, alleging $100,000 in losses after a payroll company withdrew funds from SCCC’s bank accounts and kept them instead of remitting SCCC’s federal and state payroll taxes. SCCC sought a declaratory judgment that Great American had a duty to cover the underlying losses as arising out of computer fraud.

On June 17, 2014, U.S. District Judge Audrey B. Collins granted summary judgment for Great American, holding that a policy provision excluding coverage for losses caused by “authorized representatives” applied to the misconduct of SCCC’s payroll services agent, Ben Franklin Payroll Service.

The Ninth U.S. Circuit Court of Appeals affirmed the District Court’s ruling in favor of the insurer, holding:

“[T]he plain meaning of the “authorized representative” language [here] . . . is not ambiguous and covers those who by authorization of the insured are given access to and permitted to handle the insured’s funds. . . . This understanding comports with the function of the provision within the policy: to place the onus of vetting the individuals and entities whom the insured engages to stand in its shoes — and thus the risk of loss stemming from their conduct — squarely on the insured. In other words, the term ‘authorized representative’ is ‘a straightforward effort to embrace all statuses that are “authorized,” and thus are the insured’s responsibility to supervise…’”

“SCCC executed multiple agreements with Ben Franklin Payroll Service and/or its principal, Richard Zakarian, to allow the latter party or parties to provide payroll services…In doing so, SCCC gave them direct access to its bank account and permission to file tax documents on its behalf. These agreements used the word ‘authorize’ numerous times; indeed, it is difficult to imagine contracts that could more explicitly ‘authorize’ a ‘representative’ to act on one’s behalf. Under these circumstances, the district court did not err in concluding that the only reasonable construction of the term ‘authorized representative’ encompasses Ben Franklin Payroll Service and/or Zakarian, and, as a result, the exclusion unambiguously applies.”

Southern California Counseling Center v. Great Am. Ins. Co. (9th Cir. 2016)

Minnesota: Insurance Coverage for Fraudulent Bank Transfer


MINNESOTA, May 20 – The U.S. Court of Appeals for the Eighth Circuit has ruled that the State Bank of Bellingham was covered for losses caused by an unauthorized wire transfer by hackers. The Bank sought coverage under a financial institution bond underwritten by BancInsure, Inc. for a transfer of nearly $500,000 to a foreign bank account. The bond is treated as an insurance policy under Minnesota law.

According to the opinion, the unauthorized transfers occurred after a bank employee, using an electronic token, password and passphrase together with those of a second bank employee, executed an authorized wire transfer but left both tokens “open” in a running computer after the transaction was complete. The following day, two unauthorized transfers were discovered, only one of which the Bank was able to reverse. A forensic investigation revealed that a computer virus on the machine had exploited that open access to initiate the fraudulent transfers.

A federal district court ruled that the computer fraud was the legal cause of the loss, not the bank employees’ breach of bank policies and practices regarding the use of confidential passwords, or the Bank’s failure to update its antivirus software. The appeals court affirmed the ruling in favor of coverage, holding that while those other factors may have “played an essential role” in the loss, they did not make the unauthorized transfers “certain” or “inevitable” such that there would be no coverage under the bond.

State Bank v. BancInsure, Inc., 2016 U.S. App. LEXIS 9235 (8th Cir. Minn. May 20, 2016)

The Developing Cyber-Gap In Insurance Coverage


Conventional wisdom has been that insureds might recoup losses for cyber-related risks causing personal injury or property damage to third parties by submitting claims to their general liability insurers. But that window is closing.

In 2013, the Insurance Services Office (ISO), the industry organization responsible for drafting standard coverage language, issued two endorsements for CGL policies (both carrying a May 2014 edition date) which sharply narrow or eliminate CGL coverage for cyber-related losses:

  • ISO Endorsement CG 21 07 05 14 excludes coverage for damages arising out of: “The loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.” “Electronic data” includes “information, facts or programs stored as or on, created or used on, or transmitted to or from computer software, including systems and applications software … which are used with electronically controlled equipment.”
  • ISO Endorsement CG 21 06 05 14 contains identical language, but carves out a limited exception for bodily injury.

These endorsements are appearing more frequently in CGL policies, and insurers are likely to argue that they exclude liability coverage for bodily injury or property damage claims which result, for example, from security breaches into computers and electronic programmable controllers of all kinds, including programmable logic controllers (PLCs) and the other embedded controllers now found in everything from holiday light displays to cars to manufacturing plants.

Moreover, in its current form, stand-alone cyber insurance may not close the gap.  Most existing cyber-insurance policies, or ones in development, contain exclusions for bodily injury or property damage.  These exclusions are based on an assumption which is becoming less and less true — that CGL coverage responds to such losses.

Those monitoring this industry issue say it is too soon to tell whether the gap will become a significant one. Not all insurers are using the new ISO language, but it is becoming more and more popular. The case law remains in its infancy, so there is little to no current guidance on this specific problem.

Conducting a thorough review of existing insurance policies to diagnose the gap is an important first step.  Filling the gap, however, is somewhat more complicated.  It may be that unique products like captive insurance coverage might be the best solution for this exposure, unless and until the conventional insurance market responds.

Reach me at chaddick@dmclaw.com or 717-731-4800 for more information and a no-cost consultation.


Data Breach Covered Under Traditional Travelers’ Policy, 4th Circuit Says


VIRGINIA, April 11 – The U.S. Court of Appeals for the Fourth Circuit has affirmed a ruling which obligates Travelers to defend Portal Healthcare in a class action alleging its failure to protect a medical records server from unauthorized access. What is mildly surprising is that the Court found this obligation under the personal and advertising injury coverage of a commercial general liability policy issued by Travelers to Portal.

In an unpublished opinion, the appeals Court approved the reasoning of a Virginia district court, which in 2014 ruled that Portal had published, and therefore disclosed, confidential patient information, conduct falling within the terms of its policy with Travelers. U.S. District Judge Gerald Bruce Lee found that Travelers had a duty to defend Portal because the medical records were “published,” implicating the personal and advertising injury coverage provision in the insurer’s CGL policy.

The Appeals Court held:

“[T]he [district court] opinion concluded that the class-action complaint ‘at least potentially or arguably’ alleges a ‘publication’ of private medical information by Portal that constitutes conduct covered under the policies.”

The appeals Court commended Judge Lee’s “sound legal analysis.”

In 2013, Portal was sued in a New York class action alleging that it negligently failed to secure a server containing confidential records for patients at a Glens Falls, New York, hospital. The complaint alleged that this confidential material was available online for viewing without the need of a password. Several of the patients discovered the exposure through Google searches.

Travelers denied coverage for the suit, and Portal filed suit against Travelers in federal court in Virginia for coverage.

Travelers Indemnity Co. of America v. Portal Healthcare Solutions LLC, No. 14-1944 (4th Cir. Apr. 11, 2016)

Cyber Coverage Watch: Louisiana Dispute Over Ascent Cyberpro Policy


NEW ORLEANS, March 30 – Eustis Insurance Company and its insured, New Hotel Monteleone, remain embroiled in litigation over coverage for a 2014 cyberattack, centering on the insurability of exposures Hotel Monteleone faces in the wake of the attack, including fraud recovery and operational reimbursement expenses. The case, venued in the Eastern District of Louisiana, is a signal example of the non-standard nature of cyber-coverage, and of the need for experienced counsel on all sides when policies are formulated, bought, and sold.

This week, the dispute became even more complicated when Eustis filed a third-party complaint against wholesale insurance broker R-T Specialty, Inc., alleging that R-T failed to properly explain to the Hotel Monteleone the precise coverage of the policy issued by Certain Underwriters at Lloyd’s, London (Lloyd’s), subscribing to the Ascent Cyberpro policy (the Ascent Policy). The hotel had initiated the suit against Eustis and Lloyd’s in December 2015, seeking complete coverage for its losses under the Ascent Policy.

Eustis engaged R-T after the Hotel Monteleone approached Eustis about cyber coverage following an earlier, 2013 cyberattack on the hotel for which there had been no insurance coverage. Eustis did not have broad experience with cyber coverage, and brought in R-T based on R-T’s alleged representations that it was conversant in procuring such insurance.

The Ascent Policy issued through Lloyd’s and R-T had an overall limit of $3 million. The coverage was substantially restricted, however, as to costs incurred by an insured that constituted fines or penalties.

The third-party complaint against R-T Specialty alleges that the broker failed to inform Eustis that fraud recovery and operational reimbursement expenses might be treated as a fine or penalty, or that a $200,000 sublimit in the policy’s Payment Card Industry Fines or Penalties Endorsement might apply to the fraud recovery and operational reimbursement expenses arising from the cyberattack.

The case illustrates the murkiness of the current cybercoverage market, the great variability in individual coverage, and the possible exposure of agents and brokers for failing to properly produce or explain the coverage they secure for their customers.

New Hotel Monteleone, LLC v. Certain Underwriters at Lloyd’s of London, Subscribing to Ascent Cyberpro Policy No. ASC14C00944, No. 2:16-CV-00061-ILRL-JCW (E.D. La. 2016)


Demand For Cyberinsurance Widening, Marsh Says


NEW YORK, March 24 – Purchases of cyberinsurance by clients of insurance brokerage Marsh rose 27% year over year, according to a report the broker published last week. Manufacturing and technology companies are among the largest sectors of buyers of the coverage, according to the report.

Marsh attributes the growth in demand to simple evolution:   “In the face of an evolving risk landscape and an aggressive regulatory environment, organizations no longer treat cyber as a problem to be fixed, but rather as a risk to be managed,” the report says.

Demand for cyberinsurance is now developing among infrastructure industries such as healthcare and transportation, Marsh reports. And new coverages for cyber losses are evolving to cover losses such as business interruption and, for service providers such as power companies, disruption of control systems.

Coverage limits are increasing along with demand, Marsh reports. The average limit purchased in 2015 was $16.9 million, up from $14.7 million in 2014, the brokerage said. The highest average limit by business sector was in technology/communications, at $86.7 million, according to the report.

Marsh also reported that no new major insurers entered the cyberinsurance market during the last quarter of 2015, but that this is likely to change going forward.

NAIC Issues Draft Model Cybersecurity Law for Insurers


WASHINGTON, March 2 – The Cybersecurity Task Force of the National Association of Insurance Commissioners (NAIC) has proposed a comprehensive Model Law designed to regulate licensed insurers’ handling of electronic data and their investigation of breaches in electronic data security. Comments on the proposed model law are due by March 23.

Written Information Security Program

The Model Law requires licensed insurers to prepare written information security programs designed to protect personal information  collected by the insurer.  The plan, the Model Law suggests, should be proportional to the characteristics of the licensed insurer including the scope of the insurer’s activities, and the sensitivity of the consumer information collected.

Insurers are required to designate employees who can perform data risk assessment, i.e., identification of  potential threats as well as the potential for damage from these threats.  The Model Law suggests that insurers develop standards and methods from the Framework for Improving Critical Infrastructure Cybersecurity developed by the National Institute of Standards and Technology (NIST).

The Model Law requires the insurer’s board of directors to monitor the security program and to receive reports at least annually on the status of the insurer’s security plan and its compliance with the Model Law. Recognizing the involvement of third-party service providers, the Model Law mandates that insurers “select and retain third-party service providers that are capable of maintaining appropriate safeguards for the personal information at issue.” The law also mandates that third-party providers “implement and maintain appropriate safeguards for the personal information at issue” (including those described above under “Written Information Security Program”) and “allow licensee or its agents to perform cybersecurity audits.”

Consumer Rights

The Model Law requires that insurers disclose to consumers the types of personal information collected and stored by the insurer, and any third-party service providers involved. Insurers must make the privacy policy available on their websites, and furnish hard copies on consumer request.

After a security breach, the Model Law requires insurers to notify affected consumers no later than 60 days following notice of or identification of the breach.  In what may turn out to be a murky area, notification is not required if the data in question is encrypted or the breach is not reasonably likely to cause substantial harm or inconvenience.  Insurers are also required to offer to pay affected consumers for 12 months of identity theft protection.

There are additional notification requirements. Insurers must advise, without delay, law enforcement, the insurance commissioner, payment card networks and, for certain breaches, consumer reporting agencies. Notice to the commissioner must be given within five calendar days of discovering a breach. The insurer is also required to provide the commissioner with any draft written communications to consumers regarding an identified breach.

The Model Law also requires insurers to investigate and remedy breaches in data security.

Oversight by Insurance Commissioners

If the insurance commissioner has reason to believe that an insurer has violated the Model Law, the commissioner has hearing and subpoena power, and can make a finding whether the insurer has engaged in conduct breaching the Model Law. The commissioner also has power to issue cease and desist orders based upon such findings, and may order monetary penalties.

The Model Law provides for a $500 penalty per violation up to a maximum aggregate of $10,000. For violation of a commissioner’s cease and desist order, the Model Law calls for a penalty of $10,000 for each violation and possible suspension or revocation of the insurer’s license. The Model Law allows penalties of $50,000 for violations which occur with such frequency as to constitute a business practice.

Confidentiality

Presumably to encourage reporting under the Model Law, it provides that any information in the control or possession of a department of insurance furnished by a licensee shall be confidential and is not subject to open records  laws or subpoena, thereby protecting the confidentiality and privileged nature of consumer information.

Whether the Model Law proceeds, and in what form, depends on whether it receives majority support from within the NAIC following the comment period.

NAIC Cybersecurity Task Force Model Law