Hunton Insurance Recovery Blog

In an article in the September issue of ABA Business Law Today, Hunton & Williams attorneys Lorie Masters, Sergio F. Oehninger, and Patrick McDermott discuss the increasing use of blockchain technology, the security of the technology, and insuring against the relevant risks. As they explain, the "potential disruptive uses of blockchain technology in the marketplace have been compared to that of the Internet." Thus, businesses across industries should consider their insurance would cover risks arising out of the use of blockchain technology. The authors point out that current ...

In an article that first appeared in Electric Light & Power, Hunton & Williams attorneys Sergio F. Oehninger and Paul T. Moura discuss the growing Electric Vehicle (EV) industry and the risks posed due to the consequential strain on the power grid. As they explain, demand and investment in EVs will likely spur greater demand for supercharging stations that consume significant amounts of electricity. Urban centers and real estate owners are also expected to increase the supply of these stations in order to make these areas more attractive and accessible to EV owners, drone operators, and autonomous vehicle fleets. All of this growth will put increasing demands on electricity supply that can be difficult for businesses to control, leading to grid outages that can cause an interruption in business operations, an inability to access or restore system data, and significant losses of business income. All of this raises the question—Can businesses count on their insurance coverage to respond to the risks posed by EVs?

Technological advances like 3D printing and “sharing platforms” have increased business risk and, simultaneously, opportunities for risk-shifting between stakeholders. For example, 3D printing has exposed manufacturers to new risks associated with professional, product, IP and workplace liabilities, and the sharing economy (e.g., ride-sharing, home-sharing, car-sharing, etc.) has complicated traditional risk-sharing structures and insurance portfolios.  Attorneys Michael Levine and Andrea DeField discuss the primary issues policyholders need to consider ...

Highlighting the continued problems faced by policyholders in obtaining coverage for "computer fraud," a Michigan district court recently held that a manufacturer could not recover $800,000 in funds lost after an employee mistakenly wired payment for legitimate vendor invoices into a fraudster's bank account after receiving a spoofed e-mail requesting payment. In American Tooling Center, Inc. v. Travelers Casualty and Surety Company of America, No. 16-12108 (E.D. Mich. Aug. 1, 2017), the district court applied state law favoring a narrow interpretation of the crime policy's computer fraud provision to hold that the policyholder had not suffered a "direct" loss that was "directly caused" by the use of any computer.

Last month's post summarized key findings from the recent emerging risk report issued by Lloyd's of London and risk-modeling firm Cyence, highlighting several key findings about cyber risks and the cyber insurance market more generally. In this post, we provide a closer look at some of the more significant cyber coverage issues discussed in the report, a full copy of which can be found here.

In a recently filed brief in the Ninth Circuit, Cottage Health argued in support of the federal district court’s stay of Columbia Casualty’s lawsuit against Cottage Health in favor of Cottage Health’s parallel state court lawsuit against Columbia Casualty.

Earlier this week, HBO announced that it had suffered a "cyber-incident" involving the compromise of "proprietary information" that reportedly includes forthcoming episodes and scripts from popular HBO shows such as Game of Thrones. The HBO breach is the most recent in a growing list of cybersecurity issues faced by Hollywood studios this year. In an e-mail to HBO employees, CEO Richard Plepler called the cyber attack "disruptive, unsettling and disturbing."

Hunton & Williams insurance practice head Walter Andrews commented in a July 25, 2017, Law360 article concerning a New York federal court’s recent decision in Medidata Solutions, Inc. v. Federal Ins. Co., where the court found coverage for a $4.8 million “social engineering” loss that occurred after Medidata received fraudulent emails that caused accounting personnel to wire funds to a fake bank account in China. The decision, which was the subject of a July 24, 2017, Hunton blog post, focused on two main issues: (1) whether the fraudulent emails amounted to an infiltration of ...

A federal judge in New York awarded summary judgment on Friday in favor of Medidata Solutions, Inc., finding that Medidata’s $4.8 million loss suffered after Medidata was tricked into wiring funds to a fraudulent overseas account, triggered coverage under a commercial crime policy’s computer fraud provision and funds transfer fraud provision. The award comes after District Judge Andrew L. Carter, Jr., ruled in March 2016 that additional expert discovery was needed concerning the manner in which the fraudsters manipulated Medidata’s computer systems.

The lawsuit, discussed in an August 18, 2016, Hunton & Williams blog post, arose after employees in Medidata’s finance department were deceived into transferring $4.8 million to a Chinese bank account based on emails that falsely appeared to come from a Medidata executive. Federal Insurance Company, a unit of Chubb Corp., insured Medidata under a policy providing coverage for, among other things, computer fraud, forgery and funds transfer fraud. Federal argued that Medidata’s claim was not covered because, among other things, there was no manipulation of Medidata’s computers and Medidata “voluntarily” transferred the funds.

As discussed in prior posts, recent cyber events, such as the “Wanna Cry” ransomware attack, serve as important reminders to policyholders that cyber insurance should remain a priority for any business facing potential exposure from a cyber event. A recent report further underscores the potential impact of a major global cyber event, estimating that the resulting loss could exceed $53 billion worldwide, on par with the damage caused by catastrophic natural disasters such as hurricanes.

Earlier this week, Lloyd’s of London issued an emerging risk report, co-authored with risk-modeling firm Cyence, that examines several plausible cyber-risk scenarios to help insurers and policyholders understand cyber liability and risk exposures in an area that the report concludes is relatively underdeveloped compared with other classes of insurance.

Many commentators have predicted that the use of blockchain technology will greatly expand in the coming years. They envision uses in all types of business, including the healthcare sector, financial services arena, and supply chains.

Beginning last Friday, and still occurring today, one of the worst and most widespread malware attacks has impacted more than 200,000 victims in at least 150 countries, including Britain's National Health Service, FedEx, telecommunications companies Telefonica and Megafon, and automakers Renault and Nissan. The malware, known as "WannaCry," disables the user's computer system and all of its data. A note in a text file then appears stating that in order to unlock the computer, $300 worth of the digital currency bitcoin must be paid to the hackers. A countdown timer appears and the fee increases with time. The hackers threaten to delete all data on the computer system if payment is not sent within one week. Cybersecurity experts believe that the malware was sent to computers through "phishing attacks," which are emails that appear to be from reputable sources and include a download to a link that allows the malware to infect the computer. From these computers, the malware then spread to other computers on the network. One infected computer can spread this virus network-wide, and quickly.

Hunton & Williams insurance partner Syed Ahmad was recently quoted in Law360 regarding a recent trend in judicial decisions favoring policyholders. Ahmad addresses an apparent trend by courts to refuse to allow technical violations to void coverage under complex insurance policies. A link to the Law360 article containing Ahmad’s comments can be found at 5 Insurance Rulings You May Have Missed In The 1st Quarter.

While there’s no simple formula for determining what, and how much, cyber liability insurance is necessary for a given company, a few simple inquiries can make a big difference.  My colleague Syed Ahmad, along with Eileen Garczynski (senior vice president and partner at insurance brokerage Ames & Gough), recently published an article for Mealey’s Data Privacy Law Report on critical questions for companies seeking to protect company assets through cyber insurance.  Their article is available here

Cyber and crime insurance policies have been heavily recommended to address the growing prevalence and types of cyber risks.  Walter Andrews and Jennifer White recently authored an article appearing in Risk Management discussing how the purchase of cyber and crime insurance policies alone is not enough to successfully manage these risks. These policies must be carefully evaluated and tailored to the particulars of each organization. The full article is available here. In the article, Andrews and White identify four key questions that every organization must ask when purchasing ...

As posted earlier today on Hunton & Williams' Retail and Privacy blogs, and as reported in Law360, Hunton & Williams announces the formation of a cross-disciplinary legal team dedicated to guiding companies through the minefield of regulatory and cyber-related risks associated with high-stakes corporate mergers and acquisitions.

The ABA announced last week that it would supplement its insurance coverage offerings to include cyber insurance. Chubb Limited will underwrite the insurance, which the ABA said “includes cyber coverage for a firm’s own expenses, such as network extortion, income loss and forensics, associated with a cyber-incident as well as for liability protection and defense costs.”

In its press release, the ABA referenced the revelations late last year that Chinese citizens had hacked two law firms to obtain information regarding mergers. The hackers then used that insider ...

As posted earlier today on the Hunton Retail Law Resource blog, Hunton insurance lawyer Michael S. Levine, along with Hunton colleagues Randy S. Parks and Keith Voorheis, discuss five tips to consider when thinking about what cybersecurity insurance requirements you need in your technology transactions.

On February 22^nd, Hunton insurance team partner Syed Ahmad and Mary Borja of Wiley Rein LLP will be speaking at the DC Bar’s CLE program “What Every Litigator Should Know About Insurance and How It May Impact Your Case Strategy.” The two hour class will discuss what steps an insured should take to protect claims, the role of insurance in defending and settling claims, and how to preserve attorney-client privileges. To learn more about the event, please visit: http://bit.ly/2k8SCQT.

Date and Time:
Wednesday, February 22, 2017 from 6 pm to 8:15 pm

Location:
D.C. Bar Conference ...

Reports of recent cyberattacks continue the discussion we started with yesterday’s blog post about common hurdles to coverage.  The hurdle for today’s discussion?  Ransomware.

Ransomware attacks are on the rise.  Security services company SonicWall reported that ransomware attacks increased by a factor of 167, from 3.8 million in 2015 to 638 million in 2016.  Similarly, insurer Beazley reported that ransomware claims quadrupled in 2016, and are expected to double again in 2017.

Despite these trends, many standard cyber forms do not cover ransoms to restore system access or to ...

As discussed Friday on the Hunton Privacy and Information Security Blog, the U.S. Department of Health and Human Services has imposed a non-appealable $3.2 million fine on Children’s Medical Center of Dallas due to breaches of HIPPA-protected information.  The breaches allegedly occurred in 2009 (when an employee lost an unencrypted Blackberry containing electronic protected health information (ePHI) for 3,800 individuals); 2010 (when a medical resident lost an “iPod device” synced to a hospital email account, compromising the ePHI of at least 22 individuals); and 2013 (when an unencrypted laptop, which contained ePHI for 2,462 individuals was stolen from the hospital).  The government’s investigation allegedly led Children’s Hospital to admit additional thefts of devices containing ePHI in 2008 and 2009.

Hunton & Williams insurance partner, Syed Ahmad, tells Law360 about trends in D&O liability insurance that are likely to grab headlines in 2017, including the impact of privacy and cyber breaches on corporate executives and the continued fallout from 2015’s “Yates Memo,” emphasizing an increase in government prosecution of individual corporate wrongdoers and incentivizing companies to cooperate in cases against their executives.  A link to the article featuring Syed’s comments can be found here

Hunton & Williams Insurance practice head, Walter Andrews, provides a brief, 5-minute overview, of why members of the real estate industry should be thinking about and obtaining appropriate cyber insurance protection for their real estate operations.  Mr. Andrews explains why cyber insurance is different from other insurance products and requires a careful examination of the particular assets and exposures that are to be protected.

Hunton and Williams LLP has published its 2016 Retail Industry Year in Review.  The Review discusses the key legal and regulatory developments that affected the retail industry last year.  In the Review, Hunton insurance coverage attorneys Syed Ahmad, Mike Levine and Jenn White discuss the lessons learned from insurance coverage cases that promise to have a lasting impact on retail cyber security and product contamination insurance.  As they explain, “Last year’s decisions are critical reminders that having the right insurance is key, and even unintentional missteps can ...

Law firms have become a popular target for cyberattacks. Sergio Oehninger and Patrick McDermott recently authored an article in the ABA’s TYL magazine regarding insurance coverage for law firms for cyber-related risks. In the article, Oehninger and McDermott identify the potential coverage issues firms may face under their typical liability policies and provide guidance for firms seeking coverage specifically written to cover cyber-related risks.

As first reported yesterday by Michael Levine, Tesco Bank (owned by Britain’s biggest retailer) stopped online transactions on Monday after hackers stole money from 9,000 accounts. Tesco Bank has begun refunds, the total cost of which will exceed $3 million. Experts estimate that the biggest hit to the bank will come in the form of reputational damage.

Retailer Tesco Plc’s banking branch reported earlier this week that £2.5 million (approximately $3 million) had been stolen from 9,000 customer bank accounts over the weekend in what cyber experts said was the first mass hacking of accounts at a western bank. The reported loss is still being investigated by UK authorities but is believed to have occurred through the bank’s online banking system. The loss, which is about half of what Tesco initially estimated, is still substantial and serves as a strong reminder that cyber-related losses are a real threat to retailers and other ...

On November 4, Michael Levine and Matthew McLellan provided commentary for Westlaw about the Fifth Circuit’s recent decision in Apache Corp. v. Great American Insurance Co., No. 15-20499, 2016 WL 6090901 (5^th Cir. Oct. 18, 2016), on which Michael Levine had previously written a blog post. In the Westlaw Journal: Computer and Internet, Mike and Matt discussed a frustrating gap in coverage for “computer fraud” that may be found in some crime policies. They encourage policyholders to review their legacy and cyber policies to ensure that complex cyber risks are actually covered ...

On November 4, Michael Levine and Matthew McLellan provided commentary for Westlaw about the Fifth Circuit’s recent decision in Apache Corp. v. Great American Insurance Co., No. 15-20499, 2016 WL 6090901 (5^th Cir. Oct. 18, 2016), on which Michael Levine had previously written a blog post. In the Westlaw Journal: Computer and Internet, Mike and Matt discussed a frustrating gap in coverage for “computer fraud” that may be found in some crime policies. They encourage policyholders to review their legacy and cyber policies to ensure that complex cyber risks are actually covered ...

On October 27, 2016, my colleague, Michael S. Levine, was quoted in Business Insurance concerning the recent decision in Camp’s Grocery Inc. v. State Farm Fire & Casualty Co., which he and I discussed on October 26, 2016 on the Hunton & Williams LLP Insurance Recovery Blog.  In Camp’s, the court refused to find coverage under legacy property and liability policies for third-party liabilities arising from the hacking of a point-of-sale network and the resulting breach of bank card and other data.  Mike's comments on the risk of relying on legacy coverage for cyber protection and the ...

On October 27, 2016, my colleague, Michael S. Levine, was quoted in Business Insurance concerning the recent decision in Camp’s Grocery Inc. v. State Farm Fire & Casualty Co., which he and I discussed on October 26, 2016 on the Hunton & Williams LLP Insurance Recovery Blog.  In Camp’s, the court refused to find coverage under legacy property and liability policies for third-party liabilities arising from the hacking of a point-of-sale network and the resulting breach of bank card and other data.  Mike's comments on the risk of relying on legacy coverage for cyber protection and the ...

As reported in the Privacy & Information Security Law blog, on October 25, 2016, the Federal Trade Commission released a guide for businesses on how to handle and respond to data breaches (the “Guide”). The 16-page guide details steps businesses should take once they become aware of a potential breach. The guide also underscores the need for cyber-specific insurance to help offset potentially significant response costs.

As reported in the Hunton Retail Law Resource blog, a federal judge in Alabama ruled Tuesday that a grocer could not rely on its legacy business insurance policies – including an "electronic data" coverage extension – to protect against third-party claims after customer data was compromised by a point-of-sale cyberattack. The decision in Camp's Grocery, Inc. v. State Farm Fire and Casualty Company is yet another reminder to policyholders to ensure that their cyber security programs include both adequate cyber security safeguards and appropriate first-party and third-party cyber/crime insurance coverages. Failure to maintain either may jeopardize coverage for resulting cyber losses.

In a seemingly illogical decision, the Fifth Circuit Court of Appeals ruled in Apache Corp. v. Great American Ins. Co., No 15-20499 (5th Cir. Oct. 18, 2016), that loss resulting from a fraudulent e-mail did not trigger coverage under a crime policy's "computer fraud" coverage because the loss was not the "direct result" of computer use.

A federal judge in Georgia held last week that a Commercial Crime Policy must cover a $1.7 million wire-transfer of funds precipitated by a fraudulent e-mail, purportedly authored by one of the insured's managing directors. The decision marks yet another attempt by insurers to improperly narrow the scope of coverage afforded for cyber and technology-related losses.

In a case filed in California last week, an insurer once again has taken the position that funds disbursed to computer hackers because of fraudulent commands received via e-mail from hackers are somehow distinguishable from the hacker misappropriating the funds directly. They are not. The typical scheme, via social engineering commonly known as “business e-mail compromise” or “CEO fraud,” involves an e-mail from a high-level executive’s e-mail account directing a subordinate employee to wire funds to a bank account actually owned by a third-party scammer, the true author of the email. Insurers have denied coverage for such liabilities, contending that their policies do not cover voluntary disbursements of company funds – as if the insureds intended to give their funds away to the bad guys!

Insurance-giant American International Group (AIG) announced that it will be the first insurer to offer standalone primary coverage for property damage, bodily injury, business interruption, and product liability that result from cyberattacks and other cyber-related risks. According to AIG, “Cyber is a peril [that] can no longer be considered a risk covered by traditional network security insurance product[s].” The new AIG product, known as CyberEdge Plus, is intended to offer broader and clearer coverage for harms that had previously raised issues with insurers over ...

Consumer class actions are on the minds of virtually all consumer product manufacturers and service providers. Class actions based on privacy and consumer protection statutes are increasing at a remarkable rate, and can be a challenge to predict, budget, and defend, given the difficulty in valuing consumer privacy rights. In their article, “Second Circuit Reminds Consumer Product Companies That Insurance Options Exist For Big Data Blunders And Privacy Faux Pas,” as published in FC&S Legal’s Eye on the Experts column, Syed S. Ahmad, Neil K. Gilman, and Paul T. Moura address ...

In a June 1, 2016 decision, the Second Circuit Court of Appeals in National Fire Insurance Co. of Hartford et al. v. E. Mishan & Sons Inc. required CNA Financial Corporation to defend E. Mishan & Sons, Inc.("Emson") – best known for its "As Seen on TV" products –in two class actions alleging a conspiracy to trap customers into recurring credit card charges and that Emson sold private consumer information that it obtained through its product sales.

Hunton & Williams insurance lawyers, Mike Levine and Sergio Oehninger, were quoted today in a Law360 article analyzing the impact of the recent decision in P.F. Chang's bid for coverage for certain losses stemming from a 2013 cyber breach. In a June 1, 2016 blog post, Levine and Oehninger criticized the court's decision and forewarned policyholders that disputes of this sort are likely to be common, given the continually evolving nature of cyber coverages. According to Levine in a subsequent comment, "until insurance markets arrive at policy language that clearly sets forth the ...

In a May 31, 2016 decision, a federal court in Arizona rejected P.F. Chang's attempt to recover an additional $2 million it paid following a 2013 breach in which hackers obtained and posted on the Internet approximately 60,000 credit card numbers belonging to P.F. Chang's customers.  P.F. Chang's was insured under a "CyberSecurity by Chubb Policy," which it had purchased from Federal Insurance Company for an annual premium of $134,000.  On its website, Federal marketed the policy as "a flexible insurance solution designed by cyber risk experts to address the full breadth of risks associated with doing business in today's technology-dependent world" including "consequential loss resulting from cyber security breaches."

On May 20, the Eight Circuit held that the State Bank of Bellingham was covered for losses following the criminal third party wire transfer of $485,000 from the bank to a foreign account. The money was stolen by hackers in 2011 after a bank employee inadvertently left one of three security measures disabled and computers running overnight.

In an article recently published in Bloomberg/BNA Privacy and Security Law Report, Hunton lawyers Syed Ahmad, Sergio Oehninger and Patrick McDermott discuss a recent decision finding insurance coverage for a cyber-related incident.  In the article, the authors dissect whether information made available on the internet is “published” if there is no evidence that anyone ever accessed the information.  As the authors and the court conclude, coverage is indeed available under the general liability policy at issue, demonstrating that general liability insurance can provide ...

Syed Ahmad, a partner in the Hunton & Williams LLP insurance recovery practice, was quoted in an article by Law360 concerning the Fourth Circuit’s April 11, 2016 decision in Travelers Indemnity Company v. Portal Healthcare Solutions, No. 14-1944. In the decision, a panel of the Fourth Circuit affirmed the decision of a Virginia district court, which held in August 2014 that Travelers must defend Portal Healthcare Solutions LLC against a proposed class action alleging that the policyholder’s failure to secure its server made medical records accessible by unauthorized users ...

On April 11, 2016, the Fourth Circuit affirmed a trial court’s decision that Travelers must defend a class action against its policyholder, Portal Healthcare Solutions, arising out of Portal’s alleged failure to safeguard confidential medical records. In the class action, the plaintiffs contended that Portal had allowed their private medical records to be accessed on the internet for more than four months by a simple Google search of a patient’s name. Portal sought coverage under provisions in two Travelers policies that provided coverage for alleged injury arising from “electronic publication of material” that “gives unreasonable publicity to a person’s private life” or that “discloses information about a person’s private life.”

Last week, two blind customers sued Sweetgreen, a D.C.-based salad chain, alleging violations of Title III of the Americans with Disabilities Act of 1990 (ADA) and sections of New York’s Human Rights statute. In the Complaint, the customers claim that Sweetgreen’s online ordering system “prevents blind customers from customizing and placing their orders in the same way as sighted customers can.” Title III prohibits discrimination on the basis of disability at “places of public accommodations,” like restaurants, movie theaters, schools, and recreation facilities. Courts are split about whether “places of public accommodation” are limited to actual physical structures or include websites that are part of an integrated merchandising effort. The tide is pressing toward the broader reading of the statute, emboldened in part by the Department of Justice’s long-awaited website accessibility regulations (now set to be published in fiscal year 2018).

Globalization has inspired the development of cross-border business activities, as companies across several industries seek new markets for their goods and services.  The dynamic rewards have been accompanied by a corresponding increase in novel risks, and those who rely on traditional risk assessment mechanisms have often been left unnecessarily exposed.

Hunton & Williams LLP attorneys Mike Levine and Matt McLellan, along with Tim Monahan of Lockton Companies, LLC., presented to a group of risk managers and insurance professionals on Wednesday evening, February 17^th, about strategies and pitfalls in the claim presentation process. The event was well-attended and the audience was lively with questions for the presenters. A copy of the PowerPoint can be downloaded here. Key points discussed with the group include:

On January 12, 2016, a federal court in Utah refused to dismiss a bad faith claim brought by Federal Recovery Services against Travelers Property Casualty Company of America, despite finding that there was no duty to defend FRS under Travelers’ “CyberFirst Policy.” Travelers Property Casualty Company of America et al. v. Federal Recovery Services et al., Case No. 2:14-cv-00170. FRS sought a defense and indemnity for a lawsuit filed against it by Global Fitness Holdings, LLC, a fitness center operator. Global Fitness had alleged that FRS intentionally misused the credit card and bank account information of Global Fitness’ customers, which consequently interfered with FRS’s business dealings.