The State of Cyberinsurance Coverage Litigation July 2018


The State of Cyberinsurance Coverage Litigation A Survey of Significant Decisions, Pending Actions, and Emerging Trends JULY 2018

Jonathan L. Schwartz | Colin B. Willmott

Attorney Advertising



The State of Cyberinsurance Coverage Litigation: A Survey of Significant Decisions, Pending Actions, and Emerging Trends

Similar to 2017, the bulk of cyberinsurance coverage decisions in 2018 have focused on whether claims of social engineering fraud or spoofing are covered under the Computer Fraud part of commercial crime insurance policies. We focus here on a flurry of recent decisions by the U.S. Courts of Appeals for the Second, Sixth, and Eleventh Circuits that reflect a split of authority on coverage for these claims. Another development we are following is an uptick in lawsuits seeking to impose directors and officers (D&O) liability resulting from the handling of a data breach. The actions by plaintiffs as well as regulatory bodies suggest executives may increasingly be the target of recovery efforts post-breach. Finally, 2017 witnessed the wakeup call of the Equifax breach and recognition of the dangerous problem of “silent cyber.” According to a white paper from AON Benfield, “2017 is the year that cyber aggregation risk became real for many insurers.” Companies that have not yet purchased cyberinsurance will hopefully realize that the problem of cyberattacks isn’t going away — it’s only getting more dangerous.

And Poof, It’s Gone! Computer Crime Decisions Regarding Fraudulent Email Schemes

Email spoofing schemes, where a fraudster mimics the email address of another for the purpose of deception, have been addressed by several courts over the past 12 months in connection with Computer Fraud coverage under commercial crime policies. The main issue of contention remains whether there is a “direct” connection between the use of the computer and the ultimate loss. Just this month, we witnessed the Second and Sixth Circuits champion a minority approach to commercial crime coverage for these claims. For our take on the significance of the Second Circuit’s decision in Medidata Solutions, Inc. v. Federal Insurance Co. and the Sixth Circuit’s decision in American Tooling Inc. v. Travelers Casualty and Surety Co. of America, please visit our posts on the Goldberg Segalla Data Privacy Blog and Insurance and Reinsurance Report.

Another interesting social engineering fraud coverage case is Posco Daewoo America Corp. v. Allnex USA, Inc., No. 17-483, 2017 WL 4922014 (D.N.J. Oct. 31, 2017). There, the court passed on choosing between the majority and the minority approaches and, instead, found a separate policy provision dispositive. As background, an imposter posing as an employee of the policyholder, Posco Daewoo America Corp., sent emails to its supplier Allnex USA, Inc., requesting wire payments to bank accounts to satisfy outstanding receivables owed by Allnex to Daewoo. Without confirming the authenticity of the impostor’s email or the bank accounts, Allnex made payments totaling $630,058. Allnex was ultimately able to recover some of the stolen amount, which was forwarded to Daewoo for payment. Daewoo sought payment of the remaining amount owed and filed suit against Allnex and Daewoo’s insurer. Notably, Daewoo had an insurance policy covering Computer Fraud. The insurer moved to dismiss the complaint, arguing it did not owe coverage and relying on the line of cases stemming from Apache Corp. v. Great American Insurance Co., 662 Fed. Appx. 252 (5th Cir. 2016). For its part, Daewoo pointed to the reasoning in Medidata (the district court’s decision) for the proposition that a fraudulent scheme involving a spoofed email could trigger Computer Fraud coverage. While the court acknowledged the dispute between Apache and Medidata, it plotted its own course, found the policy’s “Ownership of Property; Interests Covered” provision dispositive, and determined that since Daewoo did not “own” the wired payments, there was no coverage. In other words, since Daewoo did not actually receive the money and was not otherwise dispossessed of the money, it did not “own” the money for which it was seeking coverage.

In another social engineering fraud case, albeit one centering on an exclusion, the Ninth Circuit held in favor of the insurer in Aqua Star (USA) Corp. v. Travelers Casualty & Surety Co. of America, 719 Fed. Appx. 701 (9th Cir. 2018). The facts as developed before the district court concerned the policyholder being defrauded by an email scheme perpetrated by a hacker posing as a vendor, which resulted in losses of over $700,000. The Ninth Circuit quickly affirmed the lower court’s finding of no coverage by relying on Exclusion G of the Computer Fraud policy, which stated the policy “will not apply to loss or damages resulting directly or indirectly from the input of Electronic Data by a natural person having the authority to enter the Insured’s Computer System . . . .” As a result, since the policyholder’s losses stemmed from employees authorized to enter its computer system changing the wiring information, Exclusion G squarely applied.


Two other social engineering fraud cases worth watching are Ubiquiti Networks, Inc. v. National Union Fire Insurance Co. of Pittsburgh, PA (Santa Clara Cnty., CA No. 18CV322879), and Quality Plus Services, Inc. v. National Union Fire Insurance Co. of Pittsburgh, PA (E.D. Va., No. 3:18-cv-00454). In Ubiquiti, the Superior Court denied the insurer’s demurrer, which argued the absence of Funds Transfer Fraud and Computer Fraud coverage for an email spoofing scheme that eventually led to a loss in excess of $46 million. Quality Plus Services only filed its Complaint for Declaratory Judgment and Breach of Contract this month, based on a loss that was allegedly caused by the insured’s adherence to fraudulent payment instructions contained in a spoofed email. We will continue to monitor these cases for further precedential developments.

In sum, due to the nature of email spoofing schemes, which generally result in insureds transmitting payments with their knowledge and consent, they have proven to be fertile ground for coverage litigation, at least under standard commercial crime policies. But, as more carriers offer social engineering fraud add-ons or extensions, we should see more of these claims being handled and resolved under that part of the policy, rather than under the “square peg-round hole” Computer Fraud coverage part. Nevertheless, those add-ons/extensions generally do not provide adequate limits to make an insured whole following a fraudulent scheme. Indicative of the problem created by inadequate limits available to policyholders is a declaratory judgment action recently filed by Travelers Casualty and Surety Company of America against its policyholder in the U.S. District Court for the Eastern District of Wisconsin, Case No. 2:18-cv-872. There, Travelers sought a judicial declaration that it is not required to pay any additional benefits to Hal Leonard LLC under the Computer Fraud coverage part of the commercial crime policy since it already paid the limit of the social engineering fraud coverage extension. We will continue to monitor this case for significant developments.

At bottom, the insured’s best recourse to avoid financial loss is to have robust employee training to spot fraudulent schemes and to require dual or independent verification before any funds may be transferred to a new account or recipient. This is essential, as according to the FBI social engineering fraud losses increased 2370 percent in a recent two-year period, and there are approximately 100,000 attempts at computer fraud initiated every day.

Another Hit to Coverage for Chits: The Eleventh Circuit’s Decision in Interactive Communications

As discussed last year, a Georgia federal district court analyzed what constitutes use of a computer under a Computer Fraud policy where the policyholder, Interactive Communications International, Inc. (InComm), a debit card processing business, had its interactive voice response (IVR) computer system exploited by fraudsters. As a reminder, InComm sold “chits” to consumers who could then redeem them by loading their value onto a debit card. However, fraudsters exploited a system vulnerability that allowed multiple redemptions, resulting in a nearly $11.4 million loss. The district court determined there was no coverage since the fraud was not accomplished through the use of a computer, nor did the loss “result directly” from computer fraud. The Eleventh Circuit affirmed, although it only agreed that the loss did not “result directly” from computer fraud. As an initial matter, the Eleventh Circuit determined the “use of a computer” requirement was satisfied because the fraud involved both telephones and computers. Indeed, it found the telephone calls by the fraudsters to access and manipulate the IVR computer system fell within the term “use of a computer.” However, the Eleventh Circuit reasoned the term “resulting directly” meant to follow straightaway or immediately. Hence, since several steps occurred between the fraudsters’ manipulation of the IVR computer system and the ultimate loss, there could be no coverage under the Computer Fraud policy. The decision in Interactive Communications is not an unbridled win for insurers, but it is still a well-reasoned and insurer-friendly decision with respect to the “resulting directly” language. As can be seen from the Eleventh Circuit’s decision, the issue of causation can often be difficult for policyholders to satisfy if there are intermediate steps between the “use of a computer” and the ultimate loss.

Give It Up Already: Cyber Claims Under Commercial General Liability Policies

Although coverage litigation over cyber claims under commercial general liability (CGL) policies is waning due to the addition of data breach exclusions, policyholders continue to test the limits of coverage under those policies when responding to data breaches. The focus of these disputes concerns Coverage B’s offense for oral or written publication that violates a person’s right of privacy (Privacy Offense). This was precisely at issue in Innovak International, Inc. v. Hanover Insurance Co., 280 F. Supp. 3d 1340 (M.D. Fla. 2017). There, Innovak International, Inc. was sued in a class action lawsuit alleging damages resulting from the breach of Innovak’s payroll computer software system and the concomitant release of personal private information. Innovak’s tender of coverage
under its CGL policy was denied, which prompted Innovak to file a coverage action. On cross-motions for summary judgment, the Florida federal district court concluded the Privacy Offense was not satisfied because Innovak did not commit the publication – the third-party hackers did. In so holding, the court relied on the reasoning in Zurich American Insurance Co. v. Sony Corporation of America, No. 651982, 2014 WL 8382554 (N.Y. Sup. Ct. Feb. 21, 2014), which similarly concluded the publication needed to have been perpetrated by the insured. This decision again highlights the difficulties policyholders face under CGL policies even in the absence of data breach-specific exclusions. Indeed, requiring the policyholder itself to engage in the publication nearly forecloses data breach coverage in all but the most unusual circumstances.

A Golden Opportunity Wasted: The Supreme Court Punts on Standing Question Re: Data Breach Claims

The United States Supreme Court recently denied certiorari in connection with a data breach where the pivotal issue was whether plaintiffs in a class action lawsuit had standing due to the heightened risk of identity theft. Attias v. Carefirst, Inc., 865 F.3d 620 (D.C. Cir. 2017), cert. denied, 138 S. Ct. 981. The U.S. Court of Appeals for the District of Columbia had reversed the lower court’s dismissal, concluding the plaintiffs had standing based on allegations of substantial risk of future injury. The defendant, a healthcare insurer, had argued there was a circuit split regarding standing for data breach disputes and, more specifically, whether the mere exposure of consumer data to hackers and other third parties satisfied the standing requirement. The Supreme Court’s refusal to consider this question should only further embolden class action lawsuits based upon data breaches, since some courts will recognize that a future possibility of injury caused by the stolen information could create standing.

What to Watch: D&O Exposure — The New Flashpoint?

There has been an increase in suits filed against directors and officers of public companies in the aftermath of a data breach. What further incentivizes such suits are reports of a recent settlement entered into by Yahoo (now known as Altaba) with the U.S. Securities and Exchange Commission (SEC), whereby Yahoo agreed to pay $35 million for violating securities laws in connection with its 2014 data breach. This payment is in addition to the $80 million Yahoo agreed to pay to settle securities class action lawsuits. As background, Yahoo learned in 2014 that it had suffered a breach impacting 500 million of its users. However, it did not disclose the breach until 2016. Between the breach and the disclosure, Yahoo entered into negotiations to be acquired by Verizon. The SEC argued the failure to disclose the material cybersecurity incident in any of its public filings violated federal law. Once the breach was discovered, Verizon demanded to pay a lesser share price. That reduction is the basis for the securities class action lawsuits.

Wendy’s became embroiled in a similar, albeit critically different, scenario. Wendy’s had discovered a data breach in early 2016 and subsequently realized in June 2016 that the breach was much greater than initially expected. In December 2016, a shareholder derivative action was filed. The case was settled in May 2018, which included an agreement to adopt better cybersecurity measures and, of course, pay the plaintiff’s substantial attorneys’ fees. Since the plaintiff shareholders could not point to a reduced share price or purchase price, there was no real opportunity for them to recover damages. Accordingly, Wendy’s exposure was dramatically different from Yahoo’s exposure.

These types of situations are potentially significant with respect to D&O coverage because the failure of executives, as in Yahoo’s case, to properly disclose data breaches creates exposure to securities class action lawsuits. In the event executives are sued in connection with the handling of data breaches, they will most certainly seek coverage under their D&O liability insurance policies, which raises the question of whether coverage is provided thereunder for cyber risks. We expect to report more on D&O coverage for lawsuits in connection with data breaches in next year’s edition of the report.

Ransomware Update

A case we reported on in 2017 concerning ransomware coverage, Moses Afonso Ryan Ltd. v. Sentinel Insurance Co. (D.R.I. 1:17-cv-157), has recently been dismissed with prejudice. Despite the paucity of cases interpreting ransomware coverage, there will certainly be coverage litigation over ransomware coverage because ransomware attacks have recently increased by 350 percent (see NTT Security report).
In 2017, we witnessed the virulent spread of the WannaCry and NotPetya malware, which created systemic loss worldwide. According to AON Benfield, ransomware attacks are increasingly becoming automated, “meaning the attacks are almost frictionless to carry out.” We have seen only the tip of the ransomware iceberg, as there are predictions that global damage costs resulting from ransomware will exceed $11.5 billion in 2019 (per Cybersecurity Ventures).

A Look Ahead

A case we mentioned in our 2016 and 2017 reports continues to work its way through the courts. The Fifth Circuit recently reversed judgment in favor of an insurer in connection with a claim for payment card industry liability in Spec’s Family Partners, Ltd. v. The Hanover Insurance Co., No. 17-20263 (5th Cir. Jun. 25, 2018). For our take on this decision, please see our latest post on the Goldberg Segalla Data Privacy Blog.

A similar fact scenario gave rise to coverage litigation with regard to payment card industry liability coverage under a commercial general liability insurance policy. In Landry’s, Inc. v. The Insurance Co. of the State of Pennsylvania, 2018-45222, the insured sued for coverage for a lawsuit brought by credit card companies following a point-of-sale-system infiltration at numerous locations of the insured’s restaurants and similar establishments. The insured contends in its complaint that the credit card companies’ lawsuit alleges “personal and advertising injury,” and more specifically, satisfies the Privacy Offense. We will continue to monitor this case, which the insured filed just this month, for significant developments.

Another type of claim insurers should be on the lookout for is theft of cryptocurrency. Recent reports include a $500 million theft from a Tokyo-based cryptocurrency exchange and a $37 million theft from a South Korea-based cryptocurrency exchange. While there have not yet been reported significant thefts of cryptocurrency from any U.S. entities, should there be one, and if that company has commercial crime coverage, there will be a claim. And that will require a determination of whether cryptocurrency satisfies the policy definition of “covered property,” assuming the policy does not have a specific cryptocurrency provision. Relatedly, an area we will continue to monitor is “cryptojacking,” where hackers breach an unwitting party’s network in order to use their systems to run their data mining operations. Data mining for cryptocurrency is energy- and bandwidth-intensive, and as a result, the more networks, servers, and computers hackers can use to accomplish their goal of discovering vulnerable cryptocurrency exchanges, the more loss the unwitting parties will suffer in terms of inefficiently operating computer systems and high utility bills.

Yet another area we will continue to monitor for further development is penalties and fines assessed against U.S. companies (and international companies that purchase insurance coverage from U.S. carriers) as a result of their violation of the EU’s General Data Protection Regulation. We are hard-pressed to believe that, absent purchase of a specific endorsement covering these violations, these punitive measures would be covered as damages under a stand-alone cyberinsurance policy, let alone a traditional insurance policy. This is especially so for violations unrelated to a data breach, such as violations of the rules regarding data collection and maintenance. That does not mean, however, that a policyholder will refrain from employing creative interpretations to try to obtain coverage.

More generally, we continue to expect more decisions relating to cyberinsurance issues. Since many large companies and an increasing number of small- and medium-sized companies now carry cyberinsurance policies (estimates indicate global cyberinsurance premiums collected in 2017 were approximately $3 billion), and the number of data breaches and cyberattacks continues to increase (the World Economic Forum recently placed cyberattacks and massive data fraud as a top-five risk worldwide), the environment is ripe for coverage litigation.

Finally, in May we launched Timely Notice, our first foray into podcasts. The podcast addresses in an engaging and easily digestible way (each episode is approximately 20 minutes) many of the critical and cutting-edge issues facing insurance industry professionals, as well as their in-house and outside legal counsel. We already have released episodes dealing with cyber issues, including social engineering fraud coverage, property damage resulting from cyberattacks, and professional services firms’ absolute need to purchase cyberinsurance coverage. We encourage you to subscribe to the podcast. You can also download episodes via iTunes or Spotify, and the page with show notes and a list of episodes is at timelynoticepodcast.com.


About the Authors

Jonathan L. Schwartz | 312.572.8411 | jschwartz@goldbergsegalla.com

Jonathan L. Schwartz, a partner in Goldberg Segalla’s Chicago office, is a member of the Global Insurance Services Practice Group and chair of its Cyber Risk Coverage subgroup. He concentrates his practice on insurance coverage litigation and counseling, including primary and excess commercial general liability, professional liability/errors and omissions, directors and officers liability, municipal and law enforcement liability, cyber risk, commercial property, business auto and cargo liability, employer’s liability, and employment practices liability insurance policies, with a special focus on defending extracontractual actions against insurers, and the defense of insurance agents and brokers against errors and omissions (E&O) claims. He has held numerous insurance-related leadership roles within the Defense Research Institute (DRI), chairs the Insurance Law Committee’s Insurance Industry Advisory Board, and is a longtime member of the Insurance Law Committee’s Steering Committee. He frequently authors articles for publications such as New Appleman on Insurance, DRI’s The Voice and For the Defense, and Mealey’s Litigation Report: Insurance Bad Faith, and is a regular host of Goldberg Segalla’s Timely Notice podcast.

Colin B. Willmott | 312.572.8414 | cwillmott@goldbergsegalla.com

Colin B. Willmott, an associate in Goldberg Segalla’s Chicago office, is a member of the firm’s Global Insurance Services Practice Group and Cybersecurity and Data Privacy Practice Group. He focuses his practice on general liability and insurance coverage matters involving commercial general liability policies. He graduated magna cum laude from the University of Illinois College of Law, and served as a judicial intern for the Honorable P. Michael Mahoney, U.S. District Court for the Northern District of Illinois. He frequently authors articles on insurance, coverage questions, policy language, and insurance-related cyber risks in Law360, in publications including Insurance Journal, Mealey’s Emerging Insurance Disputes, DRI’s Covered Events, Inside Counsel, and more.

311 South Wacker Drive | Suite 2450 | Chicago, IL 60606-6627

New York | Illinois | Florida | California | Maryland | Missouri | North Carolina | Pennsylvania | New Jersey | Connecticut | United Kingdom

Attorney advertising. For informational purposes only. ©2018 Goldberg Segalla.

www.goldbergsegalla.com
