Hunton Insurance Recovery Blog

While America was tuned into the big game, one California insurance broker faced its own treacherous showdown in the form of a putative class action filed on February 8, 2024 stemming from a data breach. With cyber incidents still on the rise, this is a story we know all too well: an unauthorized third party gains access to personally identifiable information, the company eventually detects the threat actor and leadership must decide how to respond. Once notifications to the public go out, the individuals impacted often file suit to recover for their alleged harm.

In the August 2019 publication of Contract Management, Hunton insurance recovery lawyers Walter Andrews, Lorelie Masters, Michael Levine, and Latosha Ellis discuss how a robust insurance program can help government prime contractors mitigate potential financial risks associated with downstream data breaches or releases. In the article, the authors explain government prime contractors’ cybersecurity obligations under DFARS and other federal regulations. A copy of the article is here.

Equifax Inc. recently announced that it has agreed to pay up to $700 million to settle numerous government investigations and consumer claims arising out of a 2017 breach that exposed Social Security numbers, addresses and other personal data belonging to over 148 million individuals. Following the breach, Equifax faced investigations from the Federal Trade Commission, the Consumer Financial Protection Bureau, all 50 state attorneys general and consumers prosecuting nationwide multidistrict litigation. As part of the deal, Equifax will contribute approximately $300 million to compensate consumers, with the potential to increase to $425 million depending on the number of claims filed. Equifax also agreed to pay $175 million to state governments, plus another $100 million in civil penalties to the CFPB.

In January we wrote about Rosen Millennium Inc.’s (“Millennium”) appeal to the Eleventh Circuit, whereby Millennium took the position that a Florida federal court ignored well established Florida insurance law when it ruled that St. Paul Fire & Marine Insurance Co. had no duty to defend it against a multimillion dollar claim arising out of a 2016 cybersecurity breach.

Hunton Andrews Kurth insurance practice head, Walter Andrews, recently commented to the Global Data Review regarding the infirmities underlying an Orlando, Florida federal district court’s ruling that an insurer does not have to defend its insured for damage caused by a third-party data breach.

The Federal Financial Institutions Examination Council (“FFIEC”), a U.S. governmental body comprised of banking regulators, recently issued guidance to financial institutions directing them to consider implementing dedicated cyber insurance programs to offset financial losses resulting from cyber incidents. Financial institutions face a number of potentially crippling risks arising from cyber incidents, including financial, operational, legal, compliance, strategic, and reputational risks resulting from fraud, data loss, or disruption of service. While cyber insurance can mitigate these risks, it is not required by financial regulators, and thus many financial institutions may not have obtained such insurance specifically designed to cover their cyber risks.  Nonetheless, the FFIEC now is urging financial institutions to include dedicated cyber insurance as part of a multi-faceted cyber risk management strategy and not to rely solely on traditional insurance.  In addition, the FFIEC is recommending that financial institutions have their outside advisors review their potential cyber insurance coverage to ensure that it will cover the relevant risks.

May 25, 2018 should be a day circled on many company calendars. On that day, the European Union’s long-awaited Global Data Protection Regulation (“GDPR”) will go into effect.  It is crucial for U.S. companies to prepare for the GDPR, as they, too, will be required to comply with a new set of data privacy rules if they are handling data from EU-based customers, suppliers, or affiliates. As long as you collect personal or behavioral data from someone in the EU, you must comply with the GDPR.

In a recently filed brief in the Ninth Circuit, Cottage Health argued in support of the federal district court’s stay of Columbia Casualty’s lawsuit against Cottage Health in favor of Cottage Health’s parallel state court lawsuit against Columbia Casualty.

As posted earlier today on the Hunton Retail Law Resource blog, Hunton insurance lawyer Michael S. Levine, along with Hunton colleagues Randy S. Parks and Keith Voorheis, discuss five tips to consider when thinking about what cybersecurity insurance requirements you need in your technology transactions.

Hunton & Williams insurance partner, Syed Ahmad, tells Law360 about trends in D&O liability insurance that are likely to grab headlines in 2017, including the impact of privacy and cyber breaches on corporate executives and the continued fallout from 2015’s “Yates Memo,” emphasizing an increase in government prosecution of individual corporate wrongdoers and incentivizing companies to cooperate in cases against their executives.  A link to the article featuring Syed’s comments can be found here

Syed Ahmad, a partner in the Hunton & Williams LLP insurance recovery practice, was quoted in an article by Law360 concerning the Fourth Circuit’s April 11, 2016 decision in Travelers Indemnity Company v. Portal Healthcare Solutions, No. 14-1944. In the decision, a panel of the Fourth Circuit affirmed the decision of a Virginia district court, which held in August 2014 that Travelers must defend Portal Healthcare Solutions LLC against a proposed class action alleging that the policyholder’s failure to secure its server made medical records accessible by unauthorized users ...

On January 12, 2016, a federal court in Utah refused to dismiss a bad faith claim brought by Federal Recovery Services against Travelers Property Casualty Company of America, despite finding that there was no duty to defend FRS under Travelers’ “CyberFirst Policy.” Travelers Property Casualty Company of America et al. v. Federal Recovery Services et al., Case No. 2:14-cv-00170. FRS sought a defense and indemnity for a lawsuit filed against it by Global Fitness Holdings, LLC, a fitness center operator. Global Fitness had alleged that FRS intentionally misused the credit card and bank account information of Global Fitness’ customers, which consequently interfered with FRS’s business dealings.