Hunton Insurance Recovery Blog

Following an investigation involving public companies potentially impacted by the 2020 SolarWinds software compromise, the US Securities and Exchange Commission recently charged several companies with making materially misleading disclosures regarding cybersecurity risks and intrusions. The SEC’s enforcement is the latest example of “cyber as a D&O risk,” underscoring the importance of maintaining robust directors and officers (D&O) liability coverage, along with cyber insurance, as part of a comprehensive liability insurance program designed to respond to cyber incidents.

Just two months ago, Illinois Governor J. B. Pritzker signed significant amendments to the Illinois Biometric Information Privacy Act (BIPA). While the amendments limit businesses’ exposure to BIPA-related damages, significant BIPA exposures still persist. Given these continuing exposures, businesses should consider the protections that insurance can offer. The Illinois Appellate Court’s September 2024 decision in Tony’s Finer Foods Enterprises v. Certain Underwriters at Lloyd’s, 2024 IL App (1st) 231712 offers concrete guidance for businesses thinking about doing just that.

With increasing frequency, companies are coming under fire for changes in customer loyalty programs, many of which occur without warning or recourse. Whether it is a persistent devaluation of miles or points, arbitrary expiration dates or some other perceived loss of value, customers and regulators are becoming increasingly discontent with programs that are touted as an added value to repeat customers.

Recent high-profile cases involving Chief Information Security Officers (CISOs) have spotlighted the need for robust directors and officers (D&O) liability insurance tailored to cybersecurity executives. The SEC charges against the former SolarWinds CISO—which were not dismissed in the highly-anticipated decision truncating the SEC’s case against the company—and the 2022 criminal conviction of Uber’s former CISO underscore the growing personal liability risks faced by security leaders.

As social media continues to grow, businesses have turned to different platforms to promote their products. This advertising strategy can have unintended consequences, including copyright infringement claims, if businesses fail to take certain steps when sharing photos and videos to promote their product.

For example, many multinational music companies have filed lawsuits against brands for copyright infringement. Given the frequency of these claims, businesses may think that infringement and similar intellectual property claims are covered by their liability insurance policies. But that is not always the case.

The most common source of coverage is “Coverage B” in commercial general liability policies, which protects against claims alleging personal and advertising injury. Those claims can include allegations of libel, slander, invasion of privacy, copyright infringement, false arrest, and wrongful eviction. All policies are not created equal, however, and references to advertising or intellectual property rights may not actually lead to coverage for social media missteps involving alleged infringement. As a result, it is important for an insured to understand the coverage afforded under their CGL policies and additional coverage options that may provide broader coverage.

There are several common limitations on coverage that may come into play for claims involving social media.

In a recent featured article for Aon plc, Hunton Andrews Kurth insurance coverage lawyers Kevin Small and Alice Weeks, along with Aon’s Adam Furmansky, discussed the evolving nature of social engineering claims and the importance of understanding how an insured’s crime policy will respond to these claims.

Hunton Andrews Kurth’s 300-lawyer cross-disciplinary Retail Industry Team has released its annual 2023 Retail Industry Year in Review. The Review discusses retail industry issues that implicate multiple legal practice areas and highlights new and emerging risks retailers may encounter in the year ahead.

Significant issues from 2023, with insurance implications that will continue to evolve in 2024 and beyond, include copyright infringement claims for retailers engaged in social media and polyfluoroalkyl substances (PFAS) related liability claims and related putative class action lawsuits.

We discuss these risks in the 2023 Retail Industry Year in Review and on our insurance recovery blog, along with other risks that will continue to affect the retail industry in 2024.

While America was tuned into the big game, one California insurance broker faced its own treacherous showdown in the form of a putative class action filed on February 8, 2024 stemming from a data breach. With cyber incidents still on the rise, this is a story we know all too well: an unauthorized third party gains access to personally identifiable information, the company eventually detects the threat actor and leadership must decide how to respond. Once notifications to the public go out, the individuals impacted often file suit to recover for their alleged harm.

Artificial intelligence (AI) is rapidly changing the way businesses operate, from the way we research and write, to the way data is processed, to the way inventory is measured and distributed, to the way employees are monitored and beyond. Soon, artificial intelligence might be providing life advice, saving hospital patients or accelerating the development of cities. It is already reshaping corporate America. Very few, if any, industries—including the insurance industry—are immune. As the consultancy McKinsey wrote in 2021, artificial intelligence “will have a seismic impact on all aspects of the insurance industry.” McKinsey’s prediction has proved prescient.

As AI continues to influence the insurance industry and the broader economy, new opportunities and risks abound for policyholders. It is therefore essential for policyholders to keep up-to-date about insurance law’s latest frontier. To help policyholders navigate this new frontier, Hunton Andrews Kurth LLP’s insurance recovery team is introducing a new resource: The Hunton Policyholder’s Guide to Artificial Intelligence.

Last week, we published a client alert discussing the importance of cyber and directors and officers liability insurance for companies and their executives to guard against cyber-related exposures.  In today’s ever-changing threat landscape, all organizations are at risk of damaging cyber incidents, and resulting investigations and lawsuits, underscoring the importance of utilizing all tools in a company’s risk mitigation toolkit, including insurance, to address these exposures. 

Hardly a day passes without hearing about another major cyber incident. Recent studies show that cybersecurity incidents are becoming more common, but they are also costly, with some reports estimating an average cost of $9.44 million for breaches in the US. In recognition of this mounting problem, government agencies continue to ramp up enforcement and issue new rules, regulations and other guidance aimed at curbing cyber risks. Last week, the SEC adopted final rules requiring registered entities to periodically disclose material cybersecurity incidents and annually disclose their cybersecurity risk management, strategy and governance plans. In announcing the new rules, the SEC specifically noted that “an ever-increasing share of economic activity is dependent on electronic systems.” According to SEC Chair Gary Gensler, “Whether a company loses a factory in a fire—or millions of files in a cybersecurity incident—it may be material to investors.” 

The Supreme Court of New Jersey recently agreed to hear ACE American Insurance Company’s appeal of an Appellate Division decision finding that a war exclusion in a property insurance policy did not preclude coverage for Merck & Co., Inc.’s claim stemming from a 2017 cyberattack. We previously reported about this case here.   

The Superior Court of New Jersey Appellate Division recently upheld a lower court’s finding that the war exclusion in a property insurance policy did not preclude coverage for Merck’s claim stemming from a 2017 cyberattack. The decision is appropriately being heralded as a huge win for policyholders and an affirmance of New Jersey’s longstanding history of protecting policyholders’ reasonable expectations. We previously blogged about developments relating to the war exclusion and the Merck case when it was initially heard by the Appellate Division.

For many, the “metaverse” sounds like some obscure sci-fi fantasyland. You may be asking, where is it? How does one get there? Chances are, if you are reading this article on a screen then you are already interacting with what could be described as the metaverse. One thing is certain though, if the metaverse is to succeed, insurance will play a pivotal role. The metaverse is not without risk.

The Insurance Journal recently published an article by Hunton Insurance Recovery lawyers discussing risk management of exposures in the metaverse. In the article, Syed S. Ahmad, Kevin V. Small ...

Last week, the Ohio Supreme Court ruled in EMOI Services, L.L.C. v. Owners Ins. Co., 2022 WL 17905839 (Ohio, Dec. 27, 2022), that a policyholder did not suffer direct physical loss of or damage to computer media that was encrypted and rendered unusable.  The Court reached its ruling even though “media” was defined in the policy to include “computer software,” concluding that software does not have a “physical existence.” The Supreme Court’s decision reverses an Ohio appellate court’s earlier ruling that the cyberattack triggered coverage under a commercial property insurance policy and builds upon plainly distinguishable rulings in COVID-19 business interruption cases, such as Santo’s Italian Café, L.L.C. v. Acuity Ins. Co., 15 F.4th 398, 402 (6th Cir. 2021), where the Sixth Circuit found that government orders issued in response to the COVID-19 pandemic did not physically alter insured property.

A federal court recently found that a policyholder adequately plead that a loss of hundreds of thousands of dollars through wire fraud is covered under a commercial crime policy. In Landings, Yacht, Golf, and Tennis Club v. Travelers Casualty and Surety Company of America Case No. 2:22-cv-00459, Landings Yacht, Golf, and Tennis Club (“Landings”) sued Travelers Casualty and Surety Company of America (“Travelers”) under a crime policy for denying coverage for: (1) about $6,885.79 in unauthorized withdrawals (“First Withdrawal”) from users purporting to be Landings and (2) $575,723.95 in withdrawals made by a third-party purporting to act on behalf of Landings (“Second Withdrawal”).^[1]

From IRS rulings that “virtual currency” is taxed as “property” to an SEC lawsuit claiming that digital assets are “securities” under federal law, meteoric growth of the largely unregulated crypto industry has raised numerous questions about whether crypto-related risks are covered by insurance. In the latest example of the intersection of crypto and insurance, a California federal court recently held that cryptocurrency stolen from a Coinbase account did not constitute a covered loss under a homeowner’s insurance policy. The fundamental issue was whether the stolen crypto met the policy’s requirement for “direct physical loss to property” and, more specifically, whether the losses were “physical” in nature. The court ruled against coverage, reasoning that lost control of cryptocurrency is not a direct physical loss as a matter of California law.

Like other policyholders, hard insurance market trends, aggravated by cybersecurity risks, climate change, and COVID-19, have hit higher education policyholders, yielding reduced or limited coverages for increased premiums. These conditions – reduced coverages and higher premiums – are symptoms of a “hard” insurance market. (A hard market is caused by a mismatch between policyholders’ waxing demand for coverage and insurers’ waning risk appetite.) But higher education policyholders face unique risks that exacerbate existing market conditions, including:

The Eastern District of Pennsylvania recently gave another reminder why cyber insurance should be part of any comprehensive insurance portfolio.  In Construction Financial Administration Services, LLC v. Federal Insurance Company, No. 19-0020 (E.D. Pa. June 9, 2022), the court rejected a policyholder’s attempt to find coverage under its professional liability insurance for a social engineering incident that defrauded over $1 million.

As businesses continue to increase their reliance on technology, they are bound to face the inevitable risks associated with online transactions and other cyber exposures. This, in turn, emphasizes the importance of having the proper insurance policies and compliance methods in place to prevent or, at least, mitigate losses that ensue from these risks. In this context, many insurance policies require that there be a “direct” loss for there to be coverage, which has spawned numerous lawsuits about what the word “direct” means. The latest court to weigh in has sided with the insured and interpreted that term broadly to essentially mean proximate causation.

With the circumstances in Ukraine intensifying and companies either shutting down or suspending operations in the region, the question arises about whether the sparingly used war exclusion will become more relevant as policyholders seek to recover losses. Economic effects of the conflict are spreading. Some companies may have to close operations entirely, some partially, and others may have their supply chains severely disrupted. The US government has warned companies to protect themselves against cyberattacks. The impact on policyholders, however, may take different forms, potentially implicating their business interruption, contingent business interruption, cyber, shipping and cargo, and political risk insurance coverages. Other coverages could be implicated as well.

Recently, the Ninth Circuit dealt with a case involving a scenario that is becoming all too common. In Ernst & Haas Mgmt. Co., Inc. v. Hiscox, Inc., 23 F.4th 1195 (9th Cir. 2022), a property management company’s accounts payable clerk received several e-mails from her supervisor instructing her to pay some invoices. Unbeknownst to the clerk, these e-mails did not originate with her supervisor, but were actually part of a fraudulent scheme to elicit fraudulent bank transfers. The clerk paid off hundreds of thousands of dollars in “invoices” before becoming suspicious but, by then, it was too late and the damage was done.

Hunton insurance attorneys, Walter Andrews, Andrea DeField, and Sima Kazmir, recently published an article in the Daily Business Review, discussing the scrutiny that companies face as a result of increased cyberattacks as well as tips for your next cyber insurance renewal.

A recent U.S. Treasury Department report noted that through June 30, 2021, the total value of suspicious activity associated with ransomware transactions was $590 million. The standalone cyber insurance industry has grown to address this pervasive risk. These major shifts in the cyber landscape mean that ...

A commentator recently summed up the risk of ransomware attack in 2022: “we’re all screwed.” True enough. But that’s all the more reason to prepare right now. After all, the only thing worse than a ransomware attack is not having adequate insurance coverage when it occurs. The time to prepare is now.

An Ohio appellate court held last month that a cyberattack triggered coverage under a commercial property insurance policy in the case EMOI Services, LLC v. Owners Insurance Company, No. 29128, 2021 WL 5144828 (Ohio Ct. App. Nov. 5, 2021).  This is good news for policyholders in light of widespread cyberattacks over the last two years, and rising premiums in today’s cyber insurance markets. The decision also has wider implications, including in suits seeking coverage for losses caused by COVID-19 under property insurance policies.

Social engineering attacks, particularly fraudulent transfers, are becoming one of the most utilized cyber scams.  As a result, there has been a flurry of litigation, and a patchwork of decisions, concerning coverage disputes over social engineering losses.  Most recently, the United States District Court for the Eastern District of Virginia found in Midlothian Enterprises, Inc. v. Owners Insurance Company, that a so-called “voluntary parting” exclusion provision in a crime policy should exclude coverage for a fraudulent transfer social engineering scheme.  The decision illustrates why policyholders must vigilantly analyze their insurance policies to ensure that their coverages keep pace with what has proven to be a rapidly evolving risk landscape.

The members of Hunton’s Insurance Recovery group present regularly on today’s hot topic insurance coverage issues. Upcoming insurance presentations for March 2020 include:

• Andrea DeField will be presenting on “Ensuring Insurance Coverage Success in Litigation: Tips and Best Practices for Young Lawyers” at the ABA’s Insurance Coverage Litigation Committee CLE Seminar in Tucson, Arizona on Wednesday, March 4, 2020.
• Lorelie S. Masters will be presenting on “The Restatement of the Law of Liability Insurance in the Courts” at the ABA’s Insurance Coverage ...

As crypto-asset losses continue to rise, the industry is taking steps to protect clients and investors through insurance. Crypto-exchange and custody provider, Gemini Trust Company, LLC (“Gemini”), recently launched its own captive insurance provider, Nakamoto, Ltd. Captive insurance is an alternative to self-insurance whereby a company creates a licensed insurance company to provide coverage for itself. According to a statement from Gemini, Nakamoto is “the world’s first captive to insure crypto custody” and allows Gemini “to increase its insurance capacity beyond the coverage currently available in the commercial insurance market” for cryptocurrency wallets not connected to the internet, commonly referred to as “cold storage.” According to Gemini, this move makes Nakamoto the world’s most insured crypto-asset cold storage solution, which signals an expectation of increased demand in the crypto market.

Illinois National Insurance Company, an AIG Commercial Insurance company, (“AIG”) told a Pennsylvania federal court in a brief opposing summary judgment that it has no duty to defend Hub Parking Technology USA Inc. (“Hub”), a Pittsburgh-area parking technology company, in a third-party complaint alleging a privacy breach that exposed customers’ credit card numbers at Cleveland Hopkins International Airport.

A New York federal court denied AIG Specialty Insurance Company’s (“AIG”) motion to dismiss breach of contract and bad faith claims in a lawsuit filed by SS&C Technology Holdings, Inc. (“SS&C”). SS&C alleges that AIG breached its contract by failing to cover losses stemming from a cyber incident in which hackers duped the company out of millions of dollars.

Recent headlines underscore the security challenges faced by public-facing businesses. From physical threats to cyber attacks targeting a wide range of critical infrastructure, companies in diverse sectors, such as the financial, retail, entertainment, energy, transportation, real estate, communications and other areas, face a challenging landscape of risks and potential liabilities. Join us on October 28, 2019, at 12:00 p.m. EST, for a webinar to discuss these issues, including why companies should consider SAFETY Act protection and how to obtain it.

In a recent Global Data Review article, Hunton Andrews Kurth insurance practice head Walter Andrews commented on the FBI’s guidelines on ransomware payments and the insurance industry’s aggressive marketing of ransomware policies, noting that policyholders now have a resource that can help cover the cost of such an attack. The full Global Data Review article can be found here.

Phishing has been around for decades.  But now, the long-lost ancestor claiming to be a foreign prince is stealing more than your grandmother’s savings.  Phishers are targeting corporations—small and big, private and public—stealing sensitive data and money.  When Policyholders take the bait, they had better have a tailored insurance policy to keep their insurers on the hook as well.

Insurance partner Michael Levine is teaming up with Hunton’s Michael Perry and Adam Solomon and Jones Day’s Lisa Ropple to discuss cybersecurity litigation and insurance coverage presentation for the Massachusetts Bar Association. The presentation, sponsored by the MBA’s Complex Commercial Litigation Section, will take place on Wednesday, March 20^th at 4:30 pm at the MBA’s office in Boston. Topics will include:

• General litigation claims arising from cybersecurity incidents and defenses available to companies facing these claims.
• Safeguards to prevent ...

Notwithstanding the absence of a congressional war declaration since Japan bombed Pearl Harbor, Zurich American Insurance Company has invoked a “war exclusion” in an attempt to avoid covering Illinois snack food and beverage company Mondelez International Inc.’s expenses stemming from its exposure to the NotPetya virus in 2017. The litigation, Mondelez Intl. Inc. v. Zurich Am. Ins. Co., No. 2018-L-11008, 2018 WL 4941760 (Ill. Cir. Ct., Cook Cty., complaint filed Oct. 10, 2018), remains pending in an Illinois state court.

The head of Hunton Andrews Kurth’s insurance practice, Walter Andrews, was interviewed earlier this week by ABC 7 (WJLA) concerning the need for cyber insurance and the benefits that it can provide to government contractors and other businesses that are impacted by a cyber event.  Andrews explains the diverse spectrum of benefits that are available through cyber insurance products, but cautions that a serious lack of uniformity exists among today’s cyber insurance products, making it crucial that policyholders carefully analyze their cyber insurance to ensure it provides the scope and amount of insurance they desire.

The Sixth Circuit has rejected Travelers Casualty & Surety Company’s request for reconsideration of the court’s July 13, 2018 decision, confirming that the insured’s transfer of more than $800,000 to a fraudster after receipt of spoofed e-mails was a direct loss" that was "directly caused by" the use of a computer under the terms of ATC’s crime policy.  In doing so, the court likewise confirmed that intervening steps by the insured, such as following the directions contained in the bogus e-mails, did not break the causal chain so as to defeat coverage for “direct” losses.

The Second Circuit has rejected Chubb subsidiary Federal Ins. Co.’s request for reconsideration of the court’s July 6, 2018 decision, confirming that the insurer must cover Medidata’s $4.8 million loss under its computer fraud insurance policy.  In July, the court determined that the loss resulted directly from the fraudulent e-mails.  The court again rejected the insurer’s argument that the fraudster did not directly access Medidata’s computer systems.  But the court again rejected that argument, finding that access indeed occurred when the "spoofing" code in emails sent to Medidata employees ended up in Medidata's computer system.

In a recent article appearing in Florida’s Daily Business Review (available here), Hunton Insurance Recovery Practice team head, Walter Andrews, explains why phishing and whaling scams should be covered by insurance.  In the article, Andrews notes that recent appellate decisions support policyholders’ reasonable expectations of coverage and reject insurers’ contentions that social engineering losses do not result directly from the use of computers.  Andrews goes on to explain that should a company find itself a victim of a phishing or whaling attack, it should carefully ...

In a July 9, 2018 article appearing in Insurance Law360, Hunton Andrews Kurth insurance recovery practice head, Walter J. Andrews, explains why the Second Circuit’s decision in Medidata Solutions Inc. v. Federal Insurance Co., No. 17-2492 (2^nd Cir. July 6, 2018), affirming coverage for a $4.8 million loss caused by a “phishing” e-mail attack, is a common sense application of the plain language of Medidata’s computer fraud coverage provision.  As Andrews explained, “[c]learly, hijacking — or spoofing — email addresses constitutes an attack on a company's computer system for which a reasonable policyholder should expect coverage. A computer is a computer is a computer. Everyone knows that — except for insurance companies.”

On July 6, 2018, the Second Circuit Court of Appeals affirmed a district court’s summary judgment award in favor of Medidata Solutions, Inc., finding that Medidata’s $4.8 million loss suffered after Medidata was tricked into wiring funds to a fraudulent overseas account, triggered coverage under a commercial crime policy’s computer fraud provision. The decision in Medidata Solutions, Inc. v. Federal Ins. Co., 17-cv-2492 (2d Cir., July 6, 2018), confirms a ruling by District Judge Andrew L. Carter, Jr., in which the district court found that a fraudsters manipulation of Medidata’s computer systems constitutes a fraudulent entry of data into the computer system, since the spoofing code was introduced into the email system.

The construction industry is no stranger to insuring its projects against the risks of physical and natural disasters. Policies purchased to cover these risks, however, often are not broad enough to reach cyber threats, which can be just as damaging and costly as a physical disaster. During the past decade, hacks have targeted the data held by several high profile companies, including Target Corp., Sony Corp., Equifax Inc. and Yahoo Inc.  So far, the construction industry has not yet been at the center of one of these attacks.  Still, builders are no less susceptible to these risks than any other industry, especially given that these companies often possess sensitive data related to buildings and projects.

Hunton & Williams Insurance Recovery leader, Walter Andrews, discusses the top insurance issues facing employers in Part 2, of a two-part video series.  Part 1 of the series is available here.

In a recent brief filed in the Sixth Circuit, American Tooling Center, Inc. argued that the appellate court should reverse the district court’s decision finding no insurance coverage for $800,000 that American Tooling lost after a fraudster’s email tricked an employee into wiring that amount to the fraudster. As we previously reported here, the district court found the insurance policy did not apply because it concluded that American Tooling did not suffer a “direct loss” that was “directly caused by computer fraud,” as required for coverage under the policy. The district count pointed to “intervening events” like the verification of production milestones, authorization of the transfers, and initiating the transfers without verifying the bank account information and found that those events precluded a “finding of ‘direct’ loss ‘directly caused’ by the use of any computer.”

A recent article published by Securityroundtable.org highlights the vulnerabilities businesses face in a world of e-commerce and interconnectivity, and how proper planning through a tailored cybersecurity program that includes - among other components - appropriate insurance coverage for cyber risks can help prevent a successful attack and mitigate the financial impact should one occur. Whether the issue is prevention or risk mitigation, cybersecurity should be at the top of the corporate agenda. As discussed in the Securityroundable.org article, Lisa Sotto, chair of the ...

On Tuesday, the U.S. District Court for the District of New Jersey granted Travelers’ motion to dismiss Posco Daewoo America Corporation’s suit for coverage under the computer fraud provision of its crime insurance policy.  Distinguishing itself from precedent like Medidata, Principal Solutions Group, Apache and American Tooling Center, Daewoo did not seek coverage for money fraudulently transferred or stolen from its own accounts.  Instead, Daewoo sought coverage for amounts that had been designated for payment to Daewoo by a third party supplier, Allnex, and stolen from Allnex after a criminal impersonated a Daewoo employee.  The Court held that the crime policy did not cover the lost sums because Daewoo did not “own” the money stolen from Allnex.

In its third quarter report, insurer Beazley reported a nine-fold increase in social engineering attacks (i.e., deception-based fraud/crime) as compared to the same time last year.  So far, the majority of social engineering attacks in 2017 were focused on the professional services sector (18%), followed by financial institutions (9%), higher education (9%) and healthcare (3%).  The report also notes continued high rates of unintended disclosure via employee negligence across all sectors (29%), second only to affirmative hacking or malware attacks (34%).

A California state court recently rejected an excess insurer’s attempt at an early exit from litigation over whether it owes coverage for cyber liabilities. In that case (previously summarized here), the policyholder, Cottage Health, suffered a data breach resulting in the disclosure of patients’ private medical information. Subject to a reservation of rights, Cottage Health’s primary insurer, Columbia Casualty, paid millions of dollars to help respond to the data breach and to defend and settle a class action lawsuit filed against Cottage Health. Cottage Health’s excess insurer was Lloyd’s.

In an article that first appeared in Electric Light & Power, Hunton & Williams attorneys Sergio F. Oehninger and Paul T. Moura discuss the growing Electric Vehicle (EV) industry and the risks posed due to the consequential strain on the power grid. As they explain, demand and investment in EVs will likely spur greater demand for supercharging stations that consume significant amounts of electricity. Urban centers and real estate owners are also expected to increase the supply of these stations in order to make these areas more attractive and accessible to EV owners, drone operators, and autonomous vehicle fleets. All of this growth will put increasing demands on electricity supply that can be difficult for businesses to control, leading to grid outages that can cause an interruption in business operations, an inability to access or restore system data, and significant losses of business income. All of this raises the question—Can businesses count on their insurance coverage to respond to the risks posed by EVs?

Highlighting the continued problems faced by policyholders in obtaining coverage for "computer fraud," a Michigan district court recently held that a manufacturer could not recover $800,000 in funds lost after an employee mistakenly wired payment for legitimate vendor invoices into a fraudster's bank account after receiving a spoofed e-mail requesting payment. In American Tooling Center, Inc. v. Travelers Casualty and Surety Company of America, No. 16-12108 (E.D. Mich. Aug. 1, 2017), the district court applied state law favoring a narrow interpretation of the crime policy's computer fraud provision to hold that the policyholder had not suffered a "direct" loss that was "directly caused" by the use of any computer.

Last month's post summarized key findings from the recent emerging risk report issued by Lloyd's of London and risk-modeling firm Cyence, highlighting several key findings about cyber risks and the cyber insurance market more generally. In this post, we provide a closer look at some of the more significant cyber coverage issues discussed in the report, a full copy of which can be found here.

In a recently filed brief in the Ninth Circuit, Cottage Health argued in support of the federal district court’s stay of Columbia Casualty’s lawsuit against Cottage Health in favor of Cottage Health’s parallel state court lawsuit against Columbia Casualty.

Earlier this week, HBO announced that it had suffered a "cyber-incident" involving the compromise of "proprietary information" that reportedly includes forthcoming episodes and scripts from popular HBO shows such as Game of Thrones. The HBO breach is the most recent in a growing list of cybersecurity issues faced by Hollywood studios this year. In an e-mail to HBO employees, CEO Richard Plepler called the cyber attack "disruptive, unsettling and disturbing."

Hunton & Williams insurance practice head Walter Andrews commented in a July 25, 2017, Law360 article concerning a New York federal court’s recent decision in Medidata Solutions, Inc. v. Federal Ins. Co., where the court found coverage for a $4.8 million “social engineering” loss that occurred after Medidata received fraudulent emails that caused accounting personnel to wire funds to a fake bank account in China. The decision, which was the subject of a July 24, 2017, Hunton blog post, focused on two main issues: (1) whether the fraudulent emails amounted to an infiltration of ...

A federal judge in New York awarded summary judgment on Friday in favor of Medidata Solutions, Inc., finding that Medidata’s $4.8 million loss suffered after Medidata was tricked into wiring funds to a fraudulent overseas account, triggered coverage under a commercial crime policy’s computer fraud provision and funds transfer fraud provision. The award comes after District Judge Andrew L. Carter, Jr., ruled in March 2016 that additional expert discovery was needed concerning the manner in which the fraudsters manipulated Medidata’s computer systems.

The lawsuit, discussed in an August 18, 2016, Hunton & Williams blog post, arose after employees in Medidata’s finance department were deceived into transferring $4.8 million to a Chinese bank account based on emails that falsely appeared to come from a Medidata executive. Federal Insurance Company, a unit of Chubb Corp., insured Medidata under a policy providing coverage for, among other things, computer fraud, forgery and funds transfer fraud. Federal argued that Medidata’s claim was not covered because, among other things, there was no manipulation of Medidata’s computers and Medidata “voluntarily” transferred the funds.

As discussed in prior posts, recent cyber events, such as the “Wanna Cry” ransomware attack, serve as important reminders to policyholders that cyber insurance should remain a priority for any business facing potential exposure from a cyber event. A recent report further underscores the potential impact of a major global cyber event, estimating that the resulting loss could exceed $53 billion worldwide, on par with the damage caused by catastrophic natural disasters such as hurricanes.

Earlier this week, Lloyd’s of London issued an emerging risk report, co-authored with risk-modeling firm Cyence, that examines several plausible cyber-risk scenarios to help insurers and policyholders understand cyber liability and risk exposures in an area that the report concludes is relatively underdeveloped compared with other classes of insurance.

Many commentators have predicted that the use of blockchain technology will greatly expand in the coming years. They envision uses in all types of business, including the healthcare sector, financial services arena, and supply chains.

While there’s no simple formula for determining what, and how much, cyber liability insurance is necessary for a given company, a few simple inquiries can make a big difference.  My colleague Syed Ahmad, along with Eileen Garczynski (senior vice president and partner at insurance brokerage Ames & Gough), recently published an article for Mealey’s Data Privacy Law Report on critical questions for companies seeking to protect company assets through cyber insurance.  Their article is available here

Cyber and crime insurance policies have been heavily recommended to address the growing prevalence and types of cyber risks.  Walter Andrews and Jennifer White recently authored an article appearing in Risk Management discussing how the purchase of cyber and crime insurance policies alone is not enough to successfully manage these risks. These policies must be carefully evaluated and tailored to the particulars of each organization. The full article is available here. In the article, Andrews and White identify four key questions that every organization must ask when purchasing ...

As discussed Friday on the Hunton Privacy and Information Security Blog, the U.S. Department of Health and Human Services has imposed a non-appealable $3.2 million fine on Children’s Medical Center of Dallas due to breaches of HIPPA-protected information.  The breaches allegedly occurred in 2009 (when an employee lost an unencrypted Blackberry containing electronic protected health information (ePHI) for 3,800 individuals); 2010 (when a medical resident lost an “iPod device” synced to a hospital email account, compromising the ePHI of at least 22 individuals); and 2013 (when an unencrypted laptop, which contained ePHI for 2,462 individuals was stolen from the hospital).  The government’s investigation allegedly led Children’s Hospital to admit additional thefts of devices containing ePHI in 2008 and 2009.

Hunton & Williams insurance partner, Syed Ahmad, tells Law360 about trends in D&O liability insurance that are likely to grab headlines in 2017, including the impact of privacy and cyber breaches on corporate executives and the continued fallout from 2015’s “Yates Memo,” emphasizing an increase in government prosecution of individual corporate wrongdoers and incentivizing companies to cooperate in cases against their executives.  A link to the article featuring Syed’s comments can be found here

Hunton & Williams Insurance practice head, Walter Andrews, provides a brief, 5-minute overview, of why members of the real estate industry should be thinking about and obtaining appropriate cyber insurance protection for their real estate operations.  Mr. Andrews explains why cyber insurance is different from other insurance products and requires a careful examination of the particular assets and exposures that are to be protected.

Hunton and Williams LLP has published its 2016 Retail Industry Year in Review.  The Review discusses the key legal and regulatory developments that affected the retail industry last year.  In the Review, Hunton insurance coverage attorneys Syed Ahmad, Mike Levine and Jenn White discuss the lessons learned from insurance coverage cases that promise to have a lasting impact on retail cyber security and product contamination insurance.  As they explain, “Last year’s decisions are critical reminders that having the right insurance is key, and even unintentional missteps can ...

Law firms have become a popular target for cyberattacks. Sergio Oehninger and Patrick McDermott recently authored an article in the ABA’s TYL magazine regarding insurance coverage for law firms for cyber-related risks. In the article, Oehninger and McDermott identify the potential coverage issues firms may face under their typical liability policies and provide guidance for firms seeking coverage specifically written to cover cyber-related risks.

As first reported yesterday by Michael Levine, Tesco Bank (owned by Britain’s biggest retailer) stopped online transactions on Monday after hackers stole money from 9,000 accounts. Tesco Bank has begun refunds, the total cost of which will exceed $3 million. Experts estimate that the biggest hit to the bank will come in the form of reputational damage.

Retailer Tesco Plc’s banking branch reported earlier this week that £2.5 million (approximately $3 million) had been stolen from 9,000 customer bank accounts over the weekend in what cyber experts said was the first mass hacking of accounts at a western bank. The reported loss is still being investigated by UK authorities but is believed to have occurred through the bank’s online banking system. The loss, which is about half of what Tesco initially estimated, is still substantial and serves as a strong reminder that cyber-related losses are a real threat to retailers and other ...

On November 4, Michael Levine and Matthew McLellan provided commentary for Westlaw about the Fifth Circuit’s recent decision in Apache Corp. v. Great American Insurance Co., No. 15-20499, 2016 WL 6090901 (5^th Cir. Oct. 18, 2016), on which Michael Levine had previously written a blog post. In the Westlaw Journal: Computer and Internet, Mike and Matt discussed a frustrating gap in coverage for “computer fraud” that may be found in some crime policies. They encourage policyholders to review their legacy and cyber policies to ensure that complex cyber risks are actually covered ...

On October 27, 2016, my colleague, Michael S. Levine, was quoted in Business Insurance concerning the recent decision in Camp’s Grocery Inc. v. State Farm Fire & Casualty Co., which he and I discussed on October 26, 2016 on the Hunton & Williams LLP Insurance Recovery Blog.  In Camp’s, the court refused to find coverage under legacy property and liability policies for third-party liabilities arising from the hacking of a point-of-sale network and the resulting breach of bank card and other data.  Mike's comments on the risk of relying on legacy coverage for cyber protection and the ...

In a seemingly illogical decision, the Fifth Circuit Court of Appeals ruled in Apache Corp. v. Great American Ins. Co., No 15-20499 (5th Cir. Oct. 18, 2016), that loss resulting from a fraudulent e-mail did not trigger coverage under a crime policy's "computer fraud" coverage because the loss was not the "direct result" of computer use.

A federal judge in Georgia held last week that a Commercial Crime Policy must cover a $1.7 million wire-transfer of funds precipitated by a fraudulent e-mail, purportedly authored by one of the insured's managing directors. The decision marks yet another attempt by insurers to improperly narrow the scope of coverage afforded for cyber and technology-related losses.

Insurance-giant American International Group (AIG) announced that it will be the first insurer to offer standalone primary coverage for property damage, bodily injury, business interruption, and product liability that result from cyberattacks and other cyber-related risks. According to AIG, “Cyber is a peril [that] can no longer be considered a risk covered by traditional network security insurance product[s].” The new AIG product, known as CyberEdge Plus, is intended to offer broader and clearer coverage for harms that had previously raised issues with insurers over ...

In a June 1, 2016 decision, the Second Circuit Court of Appeals in National Fire Insurance Co. of Hartford et al. v. E. Mishan & Sons Inc. required CNA Financial Corporation to defend E. Mishan & Sons, Inc.("Emson") – best known for its "As Seen on TV" products –in two class actions alleging a conspiracy to trap customers into recurring credit card charges and that Emson sold private consumer information that it obtained through its product sales.

Hunton & Williams insurance lawyers, Mike Levine and Sergio Oehninger, were quoted today in a Law360 article analyzing the impact of the recent decision in P.F. Chang's bid for coverage for certain losses stemming from a 2013 cyber breach. In a June 1, 2016 blog post, Levine and Oehninger criticized the court's decision and forewarned policyholders that disputes of this sort are likely to be common, given the continually evolving nature of cyber coverages. According to Levine in a subsequent comment, "until insurance markets arrive at policy language that clearly sets forth the ...

On May 20, the Eight Circuit held that the State Bank of Bellingham was covered for losses following the criminal third party wire transfer of $485,000 from the bank to a foreign account. The money was stolen by hackers in 2011 after a bank employee inadvertently left one of three security measures disabled and computers running overnight.

An article by Hunton lawyers Walter Andrews and Mike Levine, titled Insurance Planning for 2016: Top Ten Real Estate Liability Concerns, was recently published in the Spring 2016 issue of The Real Estate Finance Journal. The article addresses ten recurring liability concerns facing real estate professionals, investors, developers, lenders, owners and managers, and the associated insurance issues. The article addresses ways commercial insurance can be used to mitigate potential liability for those involved in complex real estate transactions. Andrews and Levine, along with ...

On April 11, 2016, the Fourth Circuit affirmed a trial court’s decision that Travelers must defend a class action against its policyholder, Portal Healthcare Solutions, arising out of Portal’s alleged failure to safeguard confidential medical records. In the class action, the plaintiffs contended that Portal had allowed their private medical records to be accessed on the internet for more than four months by a simple Google search of a patient’s name. Portal sought coverage under provisions in two Travelers policies that provided coverage for alleged injury arising from “electronic publication of material” that “gives unreasonable publicity to a person’s private life” or that “discloses information about a person’s private life.”

Earlier this week, Eustis Insurance Co. (Eustis) filed a third-party complaint against wholesale insurance broker, R-T Specialty, Inc. (R-T Specialty), after the broker allegedly failed to properly advise New Hotel Monteleone, Inc. (Hotel Monteleone) about its cybersecurity exposures and coverage that R-T Specialty was tasked to procure. The case represents another example of the exposure that might result from a failure to engage brokers and coverage counsel experienced in the risks to be insured. This potential is especially significant when it comes to cyber exposures, which are vastly different from the legacy exposures that brokers and insurers are accustomed to handling.

Hunton & Williams LLP attorneys Mike Levine and Matt McLellan, along with Tim Monahan of Lockton Companies, LLC., presented to a group of risk managers and insurance professionals on Wednesday evening, February 17^th, about strategies and pitfalls in the claim presentation process. The event was well-attended and the audience was lively with questions for the presenters. A copy of the PowerPoint can be downloaded here. Key points discussed with the group include:

On January 12, 2016, a federal court in Utah refused to dismiss a bad faith claim brought by Federal Recovery Services against Travelers Property Casualty Company of America, despite finding that there was no duty to defend FRS under Travelers’ “CyberFirst Policy.” Travelers Property Casualty Company of America et al. v. Federal Recovery Services et al., Case No. 2:14-cv-00170. FRS sought a defense and indemnity for a lawsuit filed against it by Global Fitness Holdings, LLC, a fitness center operator. Global Fitness had alleged that FRS intentionally misused the credit card and bank account information of Global Fitness’ customers, which consequently interfered with FRS’s business dealings.