Hunton Insurance Recovery Blog

A commentator recently summed up the risk of ransomware attack in 2022: “we’re all screwed.” True enough. But that’s all the more reason to prepare right now. After all, the only thing worse than a ransomware attack is not having adequate insurance coverage when it occurs. The time to prepare is now.

The Indiana Supreme Court recently reversed a trial court’s finding and an affirming intermediate appellate court opinion regarding the interpretation of a policy providing coverage for cyber-crime. In G&G Oil Co. of Indiana, Inc. v. Continental Western Insurance Co., the state high court rejected the lower courts’ narrow interpretation of coverage and impractical view on causation. A copy of the decision can be found here.

Much of the commentary on insurance issues arising from the COVID-19 crisis, including multiple posts on this blog, understandably has focused on recovery under first-party property policies providing business interruption coverage for losses incurred due to office closures, government orders, extra expenses, and other direct costs experienced by employers. There is a much broader range of possible claim scenarios arising from COVID-19 that may go to other kinds of coverages, however; most notably directors and officers liability, management liability, fiduciary ...

As reported on the January 31, 2020 posting to the Hunton Retail Law Resource Blog, the Florida legislature has introduced identical bills in the Florida House of Representatives (HB 963) and the Senate (SB 1670) (collectively the Act) that, if adopted, will require companies operating websites and other online services in the state to inform Florida consumers whether it is collecting personal information, and to provide an opportunity for the consumer to opt out of the sale of the personal information.

The City of Baltimore is the latest victim of increasingly common ransomware attacks. On May 7, 2019, unidentified hackers infiltrated Baltimore’s computer system using a cyber-tool named EternalBlue, developed originally by the United States National Security Agency to identify vulnerabilities in computer systems. However, the NSA lost control of EternalBlue, and since 2017, cybercriminals have used it to infiltrate computer systems and demand payment in exchange for relinquishing control. For instance, in Baltimore, the hackers have frozen the City’s e-mail system and disrupted real estate transactions and utility billing systems, among many other things. The hackers reportedly demanded roughly $100,000 in Bitcoin to restore Baltimore’s system. The city has refused to pay.

Insurance partner Michael Levine is teaming up with Hunton’s Michael Perry and Adam Solomon and Jones Day’s Lisa Ropple to discuss cybersecurity litigation and insurance coverage presentation for the Massachusetts Bar Association. The presentation, sponsored by the MBA’s Complex Commercial Litigation Section, will take place on Wednesday, March 20^th at 4:30 pm at the MBA’s office in Boston. Topics will include:

• General litigation claims arising from cybersecurity incidents and defenses available to companies facing these claims.
• Safeguards to prevent ...

Hunton Andrews Kurth insurance partner Michael Levine was recently interviewed by LegalTech News concerning Ohio’s recent adoption of the National Association of Insurance Commissioners’ (NAIC) Insurance Data Security Model Law. The law, modeled after the New York State Department of Financial Services Cybersecurity Requirements for Financial Service Companies Act, seeks to provide a framework for states to address risks and develop cybersecurity guidelines for insurance companies. Ohio became the second state, after South Carolina, to adopt the model law. As Mike ...

New cybersecurity rules for insurance companies licensed in South Carolina are set to take effect in part on January 1, 2019. The new law is the first in the United States to be enacted based on the data security model law drafted by the National Association of Insurance Commissioners. The law requires licensed insurance companies to notify state insurance authorities of data breaches within 72 hours of confirming that nonpublic information in the company’s (or a service provider’s) system was “disrupted, misused, or accessed without authorization.” The breach reporting requirement is in addition to notification obligations imposed under South Carolina’s breach notification law and applies if the insurance company has a permanent location in the state or if the breach affects at least 250 South Carolina residents, among other criteria. The 72-hour notice requirement takes effect January 1, 2019.

As we and our sister blogs have previously reported (see here, here, and here), the New York State Department of Financial Services enacted Cybsersecurity Requirements for Financial Services Companies, 23 NYCRR 500, on March 1, 2017. The first certification of compliance with this regulation is due today, February 15, 2018.

Many commentators have predicted that the use of blockchain technology will greatly expand in the coming years. They envision uses in all types of business, including the healthcare sector, financial services arena, and supply chains.

Beginning last Friday, and still occurring today, one of the worst and most widespread malware attacks has impacted more than 200,000 victims in at least 150 countries, including Britain's National Health Service, FedEx, telecommunications companies Telefonica and Megafon, and automakers Renault and Nissan. The malware, known as "WannaCry," disables the user's computer system and all of its data. A note in a text file then appears stating that in order to unlock the computer, $300 worth of the digital currency bitcoin must be paid to the hackers. A countdown timer appears and the fee increases with time. The hackers threaten to delete all data on the computer system if payment is not sent within one week. Cybersecurity experts believe that the malware was sent to computers through "phishing attacks," which are emails that appear to be from reputable sources and include a download to a link that allows the malware to infect the computer. From these computers, the malware then spread to other computers on the network. One infected computer can spread this virus network-wide, and quickly.

As posted earlier today on Hunton & Williams' Retail and Privacy blogs, and as reported in Law360, Hunton & Williams announces the formation of a cross-disciplinary legal team dedicated to guiding companies through the minefield of regulatory and cyber-related risks associated with high-stakes corporate mergers and acquisitions.

Hunton and Williams LLP has published its 2016 Retail Industry Year in Review.  The Review discusses the key legal and regulatory developments that affected the retail industry last year.  In the Review, Hunton insurance coverage attorneys Syed Ahmad, Mike Levine and Jenn White discuss the lessons learned from insurance coverage cases that promise to have a lasting impact on retail cyber security and product contamination insurance.  As they explain, “Last year’s decisions are critical reminders that having the right insurance is key, and even unintentional missteps can ...

As reported in the Privacy & Information Security Law blog, on October 25, 2016, the Federal Trade Commission released a guide for businesses on how to handle and respond to data breaches (the “Guide”). The 16-page guide details steps businesses should take once they become aware of a potential breach. The guide also underscores the need for cyber-specific insurance to help offset potentially significant response costs.

Hunton & Williams insurance lawyers, Mike Levine and Sergio Oehninger, were quoted today in a Law360 article analyzing the impact of the recent decision in P.F. Chang's bid for coverage for certain losses stemming from a 2013 cyber breach. In a June 1, 2016 blog post, Levine and Oehninger criticized the court's decision and forewarned policyholders that disputes of this sort are likely to be common, given the continually evolving nature of cyber coverages. According to Levine in a subsequent comment, "until insurance markets arrive at policy language that clearly sets forth the ...

In a May 31, 2016 decision, a federal court in Arizona rejected P.F. Chang's attempt to recover an additional $2 million it paid following a 2013 breach in which hackers obtained and posted on the Internet approximately 60,000 credit card numbers belonging to P.F. Chang's customers.  P.F. Chang's was insured under a "CyberSecurity by Chubb Policy," which it had purchased from Federal Insurance Company for an annual premium of $134,000.  On its website, Federal marketed the policy as "a flexible insurance solution designed by cyber risk experts to address the full breadth of risks associated with doing business in today's technology-dependent world" including "consequential loss resulting from cyber security breaches."