Is a commercial policyholder able to get insurance under the terms of its computer fraud coverage (typically offered as part of a crime policy) for a fraud based upon information transmitted by email? Not according to the Fifth Circuit’s recent decision in Apache Corporation v. Great American Insurance Company, which vacated the trial court’s judgment and left the policyholder with a $2.4 million uninsured loss. While the opinion is unpublished and therefore should have limited precedential value, it highlights the importance of reviewing your company’s coverage profile in an effort to close potential gaps in insurance coverage for security breaches and other losses involving computer use.
Author: John T. Wolak
Regulations Proposed by NY Department of Financial Services are a Significant Development for Regulated Entities … and Everyone Else
On September 13, 2016, New York Governor Andrew M. Cuomo announced new first-in-the-nation proposed regulations to protect against the ever growing threat of cyber-attacks in the financial services industry. The proposed regulations, to be enforced by the New York State Department of Financial Services, would apply only to an entity regulated by the NY Department of Financial Services – from a multi-national bank to a “mom-and-pop” operation. However, the regulations are important for all companies to review and consider, regardless of their location or scope of operations, because the proposal represents an important step in the ongoing national dialogue about reasonable and necessary cybersecurity standards for all businesses.
The FTC Confirms That Mere Disclosure of Health Information is a “Substantial Injury” Justifying Sanctions for “Unreasonable” Data Security Practices
The Federal Trade Commission (“FTC” or “the Commission”) recently confirmed that disclosure of sensitive consumer data as a result of inappropriate data security practices may be deemed an “unfair act or practice” in violation of the Federal Trade Commission Act (“FTC Act”). This decision is important because the FTC reached this conclusion with no evidence of actual economic or physical harm, or any actual health and safety risks as a result of the disclosure. The Commission’s decision is also notable because it emphasizes the FTC’s expanding reach in the regulation of data security.
Policyholders may still enforce an insurer’s duty to defend under a Commercial General Liability (“CGL”) policy for claims arising out of a data security breach, according to a recent Fourth Circuit decision. While the decision was issued in an unpublished opinion (a mere 18 days after oral argument), the decision represents a significant victory for policyholders seeking insurance coverage for claims arising out of data breaches resulting in the disclosure of personal information.
Attention Corporate Policyholders: Comply With All the Notice Requirements of Your Insurance Policies When Reporting a Claim or Risk Losing All Available Coverage
A recent decision by the New Jersey Supreme Court serves as a strident warning to commercial insureds to make prompt notice of claims under claims-made policies. In Templo Fuente de Vida Corp. v. National Union Fire Insurance Company of Pittsburgh, P.A., the claims-made D&O policy at issue required written notice of a claim “as soon as practicable … and … during the Policy Period.” The insured was served with an underlying complaint on February 21, 2006. It retained defense counsel and filed an answer, but did not provide notice of the claim to its insurer until August 26, 2006 — a delay of six months, yet still within the policy period. The insurer denied coverage for various reasons, including that notice was not provided “as soon as practicable.”
The risks inherent in the maintenance and storage of confidential information present an ongoing challenge to daily operations. Cyber insurance may be an appropriate mechanism to mitigate those risks. But – BUYER BEWARE – broad exclusions and other conditions in a cyber policy can hack into coverage and leave your company uninsured and exposed to significant liability for defense costs, liability payments, and regulatory damages.
New York Court of Appeals Reconsiders and Holds That an Insurer May Invoke Policy Exclusions Despite Wrongful Refusal to Defend
The New York Court of Appeals has vacated its recent decision in K2 Investment Group, LLC v. American Guarantee & Liability Insurance Co., reverting to the majority position that an insurer breaching its duty to defend an insured is not barred from relying on policy exclusions to defend a later claim for indemnification. The case originated from a related lawsuit where K2 Investment Group, LLC and ATAS Management Group, LLC (collectively, the “LLCs”) sued an attorney for legal malpractice.
Broader Coverage May Still Be No Coverage At All: The First Department’s Application of the Prior Pending Claim Exclusion
The recent decision by New York’s Appellate Division, First Department in Executive Risk Indemnity, Inc. v Starwood Hotels & Resorts Worldwide, Inc., serves as a grim reminder to insureds to pay careful attention at the time of policy renewal to existing demands from third parties, applicable terms and conditions of expiring and renewal policies, differences in the scope of coverage, and appropriate disclosures. Those who do not run the risk of foregoing the insurance they thought they had without even realizing it.
Lack of Actual Notice Does Not Defeat Policy Exclusion When Insurer Made Sufficient Efforts to Provide Clear and Direct Notice of New Exclusion to Policyholder
The recent decision in MDC Acquisition Co. v. North River Insurance Co., serves as a reminder of the impact that clear and direct notice of policy changes will have on the scope of available insurance coverage. Although rendered by the Northern District of Ohio, the decision is based upon generally accepted legal principles that apply in most jurisdictions and is noteworthy for both insurers and policyholders.
One of the threshold – if not determinative – issues in many insurance coverage disputes is the number of “occurrences” that are presented by a particular set of facts relating to a claim submitted by the policyholder. In a recent decision, a New York appeals court has concluded not only that the relevant policy language allows for grouping of claims into similar “occurrences,” but that additional discovery may be conducted of the parties’ intent and the insurers’ underwriting guidelines and procedures relating to the relevant policy terms. In Mt. Kinley Ins. Co. v. Corning Inc., the Court affirmed the Trial Court’s denial of summary judgment, concluding that the insured’s comprehensive general liability (“CGL”) policies’ “occurrence”-related terms allowed for grouping of claims arising at a common location or at approximately the same time, which may result in a drastically reduced number of deductibles under the applicable policies. Thousands of individuals had brought separate claims against the insured — Corning Inc. — as a result of exposure to two asbestos-containing products. At issue on summary judgment was whether each of these individual claims constituted a separate “occurrence” under Corning’s primary, excess, and umbrella CGL policies, such that each claim would be individually subject to a deductible before the insurers’ coverage was implicated.