Author: John T. Wolak

11th Circuit’s Stay Suggests that the FTC’s Final Order Against LabMD May Itself be “Unfair” and “Unreasonable”

As reported on this blog on September 27, 2016, the FTC issued a Final Order holding that LabMD’s data security practices were “unreasonable” and constituted an “unfair” business practice in violation of Section 5 of the Federal Trade Commission Act (“FTC Act”), 15 U.S.C. §45(a) and (n). The findings were a clear signal of the FTC’s expanding efforts to regulate data security and to incentivize companies handling sensitive data to implement and maintain strong data security practices. On Thursday, November 10, 2016, the 11th Circuit stayed enforcement of the FTC’s Final Order pending a full hearing and final decision on LabMD’s appeal, and called into question the validity of the FTC’s conclusions as to what may constitute an actionable “privacy harm” following a data security breach.

Believe It or Not: Computer Fraud Coverage May Not Cover Fraud Involving a Computer

Is a commercial policyholder able to get insurance under the terms of its computer fraud coverage (typically offered as part of a crime policy) for a fraud based upon information transmitted by email? Not according to the Fifth Circuit’s recent decision in Apache Corporation v. Great American Insurance Company, which vacated the trial court’s judgment and left the policyholder with a $2.4 million uninsured loss. While the opinion is unpublished and therefore should have limited precedential value, it highlights the importance of reviewing your company’s coverage profile in an effort to close potential gaps in insurance coverage for security breaches and other losses involving computer use.

Regulations Proposed by NY Department of Financial Services are a Significant Development for Regulated Entities … and Everyone Else

On September 13, 2016, New York Governor Andrew M. Cuomo announced new first-in-the-nation proposed regulations to protect against the ever growing threat of cyber-attacks in the financial services industry. The proposed regulations, to be enforced by the New York State Department of Financial Services, would apply only to an entity regulated by the NY Department of Financial Services – from a multi-national bank to a “mom-and-pop” operation. However, the regulations are important for all companies to review and consider, regardless of their location or scope of operations, because the proposal represents an important step in the ongoing national dialogue about reasonable and necessary cybersecurity standards for all businesses.

The FTC Confirms That Mere Disclosure of Health Information is a “Substantial Injury” Justifying Sanctions for “Unreasonable” Data Security Practices

The Federal Trade Commission (“FTC” or “the Commission”) recently confirmed that disclosure of sensitive consumer data as a result of inappropriate data security practices may be deemed an “unfair act or practice” in violation of the Federal Trade Commission Act (“FTC Act”). This decision is important because the FTC reached this conclusion with no evidence of actual economic or physical harm, or any actual health and safety risks as a result of the disclosure. The Commission’s decision is also notable because it emphasizes the FTC’s expanding reach in the regulation of data security.

Fourth Circuit Confirms that Data Breach Claims are Covered Under Traditional CGL Policies

Policyholders may still enforce an insurer’s duty to defend under a Commercial General Liability (“CGL”) policy for claims arising out of a data security breach, according to a recent Fourth Circuit decision. While the decision was issued in an unpublished opinion (a mere 18 days after oral argument), the decision represents a significant victory for policyholders seeking insurance coverage for claims arising out of data breaches resulting in the disclosure of personal information.

Attention Corporate Policyholders: Comply With All the Notice Requirements of Your Insurance Policies When Reporting a Claim or Risk Losing All Available Coverage

A recent decision by the New Jersey Supreme Court serves as a strident warning to commercial insureds to make prompt notice of claims under claims-made policies. In Templo Fuente de Vida Corp. v. National Union Fire Insurance Company of Pittsburgh, P.A., the claims-made D&O policy at issue required written notice of a claim “as soon as practicable … and … during the Policy Period.” The insured was served with an underlying complaint on February 21, 2006. It retained defense counsel and filed an answer, but did not provide notice of the claim to its insurer until August 26, 2006 — a delay of six months, yet still within the policy period. The insurer denied coverage for various reasons, including that notice was not provided “as soon as practicable.”

Don’t Get Hacked By Your Cyber-Insurer

The risks inherent in the maintenance and storage of confidential information present an ongoing challenge to daily operations. Cyber insurance may be an appropriate mechanism to mitigate those risks. But – BUYER BEWARE – broad exclusions and other conditions in a cyber policy can hack into coverage and leave your company uninsured and exposed to significant liability for defense costs, liability payments, and regulatory damages.

New York Court of Appeals Reconsiders and Holds That an Insurer May Invoke Policy Exclusions Despite Wrongful Refusal to Defend

The New York Court of Appeals has vacated its recent decision in K2 Investment Group, LLC v. American Guarantee & Liability Insurance Co., reverting to the majority position that an insurer breaching its duty to defend an insured is not barred from relying on policy exclusions to defend a later claim for indemnification. The case originated from a related lawsuit where K2 Investment Group, LLC and ATAS Management Group, LLC (collectively, the “LLCs”) sued an attorney for legal malpractice.

Broader Coverage May Still Be No Coverage At All: The First Department’s Application of the Prior Pending Claim Exclusion

The recent decision by New York’s Appellate Division, First Department in Executive Risk Indemnity, Inc. v Starwood Hotels & Resorts Worldwide, Inc., serves as a grim reminder to insureds to pay careful attention at the time of policy renewal to existing demands from third parties, applicable terms and conditions of expiring and renewal policies, differences in the scope of coverage, and appropriate disclosures. Those who do not run the risk of foregoing the insurance they thought they had without even realizing it.

Lack of Actual Notice Does Not Defeat Policy Exclusion When Insurer Made Sufficient Efforts to Provide Clear and Direct Notice of New Exclusion to Policyholder

The recent decision in MDC Acquisition Co. v. North River Insurance Co., serves as a reminder of the impact that clear and direct notice of policy changes will have on the scope of available insurance coverage. Although rendered by the Northern District of Ohio, the decision is based upon generally accepted legal principles that apply in most jurisdictions and is noteworthy for both insurers and policyholders.