Hunton Insurance Recovery Blog

Following an investigation involving public companies potentially impacted by the 2020 SolarWinds software compromise, the US Securities and Exchange Commission recently charged several companies with making materially misleading disclosures regarding cybersecurity risks and intrusions. The SEC’s enforcement is the latest example of “cyber as a D&O risk,” underscoring the importance of maintaining robust directors and officers (D&O) liability coverage, along with cyber insurance, as part of a comprehensive liability insurance program designed to respond to cyber incidents.

Just two months ago, Illinois Governor J. B. Pritzker signed significant amendments to the Illinois Biometric Information Privacy Act (BIPA). While the amendments limit businesses’ exposure to BIPA-related damages, significant BIPA exposures still persist. Given these continuing exposures, businesses should consider the protections that insurance can offer. The Illinois Appellate Court’s September 2024 decision in Tony’s Finer Foods Enterprises v. Certain Underwriters at Lloyd’s, 2024 IL App (1st) 231712 offers concrete guidance for businesses thinking about doing just that.

Recent high-profile cases involving Chief Information Security Officers (CISOs) have spotlighted the need for robust directors and officers (D&O) liability insurance tailored to cybersecurity executives. The SEC charges against the former SolarWinds CISO—which were not dismissed in the highly-anticipated decision truncating the SEC’s case against the company—and the 2022 criminal conviction of Uber’s former CISO underscore the growing personal liability risks faced by security leaders.

As social media continues to grow, businesses have turned to different platforms to promote their products. This advertising strategy can have unintended consequences, including copyright infringement claims, if businesses fail to take certain steps when sharing photos and videos to promote their product.

For example, many multinational music companies have filed lawsuits against brands for copyright infringement. Given the frequency of these claims, businesses may think that infringement and similar intellectual property claims are covered by their liability insurance policies. But that is not always the case.

The most common source of coverage is “Coverage B” in commercial general liability policies, which protects against claims alleging personal and advertising injury. Those claims can include allegations of libel, slander, invasion of privacy, copyright infringement, false arrest, and wrongful eviction. All policies are not created equal, however, and references to advertising or intellectual property rights may not actually lead to coverage for social media missteps involving alleged infringement. As a result, it is important for an insured to understand the coverage afforded under their CGL policies and additional coverage options that may provide broader coverage.

There are several common limitations on coverage that may come into play for claims involving social media.

If your company has been impacted by today’s network outage issues, know that insurance may be able to help. Many, but not all, cyber and technology errors and omissions (“Tech E&O”) insurance policies include broad dependent business interruption coverage for losses caused by system failures of a company or vendor on which you rely to operate your business.

This series addresses whether your company should consider protecting its products under the SAFETY Act, which serves as a governmental seal of quality and offers powerful litigation and liability benefits.  Part I of this series addressed the benefits of obtaining SAFETY Act coverage.  This post explains the levels of protection under the SAFETY Act and how your company should evaluate whether its products may be eligible.

In a recent featured article for Aon plc, Hunton Andrews Kurth insurance coverage lawyers Kevin Small and Alice Weeks, along with Aon’s Adam Furmansky, discussed the evolving nature of social engineering claims and the importance of understanding how an insured’s crime policy will respond to these claims.

The SAFETY Act is a highly effective risk management tool created to incentivize the development of anti-terrorism technologies—broadly defined—and to provide protections to providers of products and services meant to prevent or mitigate physical and cyber-attacks.  Among other benefits, companies receiving SAFETY Act coverage for their technologies have their potentially liability associated with an act of terrorism capped at the amount of insurance coverage required by the U.S. Department of Homeland Security (“DHS”).  Companies seeking to reduce their exposure to liability associated with cyber or physical attacks should consider applying for designation or certification under the SAFETY Act.  DHS has also approved a wide variety of other technologies and security programs for protection under the SAFETY Act. 

Hunton Andrews Kurth’s 300-lawyer cross-disciplinary Retail Industry Team has released its annual 2023 Retail Industry Year in Review. The Review discusses retail industry issues that implicate multiple legal practice areas and highlights new and emerging risks retailers may encounter in the year ahead.

Significant issues from 2023, with insurance implications that will continue to evolve in 2024 and beyond, include copyright infringement claims for retailers engaged in social media and polyfluoroalkyl substances (PFAS) related liability claims and related putative class action lawsuits.

We discuss these risks in the 2023 Retail Industry Year in Review and on our insurance recovery blog, along with other risks that will continue to affect the retail industry in 2024.

While America was tuned into the big game, one California insurance broker faced its own treacherous showdown in the form of a putative class action filed on February 8, 2024 stemming from a data breach. With cyber incidents still on the rise, this is a story we know all too well: an unauthorized third party gains access to personally identifiable information, the company eventually detects the threat actor and leadership must decide how to respond. Once notifications to the public go out, the individuals impacted often file suit to recover for their alleged harm.

Artificial intelligence (AI) is rapidly changing the way businesses operate, from the way we research and write, to the way data is processed, to the way inventory is measured and distributed, to the way employees are monitored and beyond. Soon, artificial intelligence might be providing life advice, saving hospital patients or accelerating the development of cities. It is already reshaping corporate America. Very few, if any, industries—including the insurance industry—are immune. As the consultancy McKinsey wrote in 2021, artificial intelligence “will have a seismic impact on all aspects of the insurance industry.” McKinsey’s prediction has proved prescient.

As AI continues to influence the insurance industry and the broader economy, new opportunities and risks abound for policyholders. It is therefore essential for policyholders to keep up-to-date about insurance law’s latest frontier. To help policyholders navigate this new frontier, Hunton Andrews Kurth LLP’s insurance recovery team is introducing a new resource: The Hunton Policyholder’s Guide to Artificial Intelligence.

A federal court recently denied an insurer’s motion to dismiss an insured’s claim for declaratory relief. The insurer argued that the policyholder’s declaratory judgment claim was redundant of its breach of contract claim. The Court ruled that “redundancy is not grounds for dismissal under Rule 12(b)(6).”

Last week, we published a client alert discussing the importance of cyber and directors and officers liability insurance for companies and their executives to guard against cyber-related exposures.  In today’s ever-changing threat landscape, all organizations are at risk of damaging cyber incidents, and resulting investigations and lawsuits, underscoring the importance of utilizing all tools in a company’s risk mitigation toolkit, including insurance, to address these exposures. 

Hardly a day passes without hearing about another major cyber incident. Recent studies show that cybersecurity incidents are becoming more common, but they are also costly, with some reports estimating an average cost of $9.44 million for breaches in the US. In recognition of this mounting problem, government agencies continue to ramp up enforcement and issue new rules, regulations and other guidance aimed at curbing cyber risks. Last week, the SEC adopted final rules requiring registered entities to periodically disclose material cybersecurity incidents and annually disclose their cybersecurity risk management, strategy and governance plans. In announcing the new rules, the SEC specifically noted that “an ever-increasing share of economic activity is dependent on electronic systems.” According to SEC Chair Gary Gensler, “Whether a company loses a factory in a fire—or millions of files in a cybersecurity incident—it may be material to investors.” 

The Supreme Court of New Jersey recently agreed to hear ACE American Insurance Company’s appeal of an Appellate Division decision finding that a war exclusion in a property insurance policy did not preclude coverage for Merck & Co., Inc.’s claim stemming from a 2017 cyberattack. We previously reported about this case here.   

The Superior Court of New Jersey Appellate Division recently upheld a lower court’s finding that the war exclusion in a property insurance policy did not preclude coverage for Merck’s claim stemming from a 2017 cyberattack. The decision is appropriately being heralded as a huge win for policyholders and an affirmance of New Jersey’s longstanding history of protecting policyholders’ reasonable expectations. We previously blogged about developments relating to the war exclusion and the Merck case when it was initially heard by the Appellate Division.

Artificial intelligence technology (“AI”) is poised to radically improve human functionality, although some say the technology is quietly learning how to overtake it. In the meantime, the insurance industry has been using AI to save time, attain consistency and improve risk mitigation. However, while the industry looks forward to cost savings and better business utilizing generative AI, some insurers have simultaneously cautioned policyholders about the potential risks that reliance on AI may pose. Insurer’s cautionary statements cast doubt on the integrity of their own reliance on the technology.

In 2008, Illinois enacted the Biometric Information Privacy Act (BIPA) to protect individuals’ privacy rights in their biometric information, including retina or iris scans, fingerprint, voiceprint, hand scans, facial geometry, DNA and other unique, identifying biological information. Companies are now paying hundreds of millions of dollars to settle employee and consumer suits for BIPA violations. In a recent Reuters Legal News article, Hunton Andrews Kurth LLP attorneys Syed Ahmad, Rachel Hudgins and Torsten Kracht, discuss what BIPA is, how it applies to companies ...

As discussed in a recent client alert, on March 24, 2023, Florida Governor Ron DeSantis signed House Bill (HB) 837 into law, making it more difficult and costly for insurance policyholders of all sizes to sue insurers for bad faith by eliminating fee-shifting for most policyholders and requiring something “more than” negligence for bad faith claims.

Blockchain technology has been touted as inherently reliable for years. More recently, collectors of Non-Fungible Tokens (NFTs) have explored expanded uses for that novel technology. Some courts have bought in and, in doing so, recently authorized a use that perhaps no one had imagined when NFTs first entered the mainstream: service of process.

Update: On May 1, 2023, the New Jersey appeals court affirmed the trial court's decision that a war exclusion did not bar $1.4 billion in coverage for Merck’s losses stemming from the NotPetya attack.

On June 27, 2017, the skies over New Jersey were clear and the ground steady. But Merck & Co., a New Jersey-based pharmaceutical company, was under attack. Malware ripped through its computers, damaging 40,000 of them and causing over $1.4 billion in losses.

Merck was not the sole target.^[1] Dubbed “NotPetya,” the virus tore through the US economy,^[2] and did an estimated $10 billion in damage. The US Department of Justice charged six Russian nationals, alleged officers of Russia’s Intelligence Directorate (the GRU), for their roles in the NotPetya attack, among others. The attackers’ goal, according to the DOJ, was:

A recent settlement filed by the Federal Trade Commission (FTC) and GoodRx may merit a review of your cyber insurance coverages. Earlier this month, the FTC took enforcement action for the first time under its Health Breach Notification Rule against the telehealth and prescription drug provider, GoodRx, for failing to notify consumers of its unauthorized disclosures of personal health information.

As detailed in a February 27 Hunton client alert, the Health Breach Notification Rule generally requires that vendors not covered by the Health Insurance Portability and Accountability Act (HIPAA) of personal health records give notice in the event of a “breach of security,” which is defined to include “unauthorized acquisition” of personal health records.

Last week, the Ohio Supreme Court ruled in EMOI Services, L.L.C. v. Owners Ins. Co., 2022 WL 17905839 (Ohio, Dec. 27, 2022), that a policyholder did not suffer direct physical loss of or damage to computer media that was encrypted and rendered unusable.  The Court reached its ruling even though “media” was defined in the policy to include “computer software,” concluding that software does not have a “physical existence.” The Supreme Court’s decision reverses an Ohio appellate court’s earlier ruling that the cyberattack triggered coverage under a commercial property insurance policy and builds upon plainly distinguishable rulings in COVID-19 business interruption cases, such as Santo’s Italian Café, L.L.C. v. Acuity Ins. Co., 15 F.4th 398, 402 (6th Cir. 2021), where the Sixth Circuit found that government orders issued in response to the COVID-19 pandemic did not physically alter insured property.

As we have discussed in prior parts of this series, the insurance industry has developed an array of policies specifically tailored to cover cryptocurrency claims, and some of these policies may also cover certain NFT claims. Separate and apart from these tailored policies, policyholders with NFT claims also may look to traditional forms of insurance. 

NFTs are collectible and one of a kind, yet digital. The most common NFT is a type of visual art image like a digital painting, a photograph or generative designs (created by artificial intelligence). However, this high-level definition doesn’t do justice to just how pervasive these have become. In addition to traditional artwork, there are:

A federal court recently found that a policyholder adequately plead that a loss of hundreds of thousands of dollars through wire fraud is covered under a commercial crime policy. In Landings, Yacht, Golf, and Tennis Club v. Travelers Casualty and Surety Company of America Case No. 2:22-cv-00459, Landings Yacht, Golf, and Tennis Club (“Landings”) sued Travelers Casualty and Surety Company of America (“Travelers”) under a crime policy for denying coverage for: (1) about $6,885.79 in unauthorized withdrawals (“First Withdrawal”) from users purporting to be Landings and (2) $575,723.95 in withdrawals made by a third-party purporting to act on behalf of Landings (“Second Withdrawal”).^[1]

Several of the largest brokers have developed a considerable bench. For example, Marsh has a Digital Asset Risk Team (DART);^[1] Lockton has its Lockton Emerging Asset Protection Team (LEAP)^[2] and Aon and others have their own teams.^[3]

There are multiple advantages to procuring cryptocurrency insurance through brokers that have deep experience in this particular area of insurance. These may include:

Last week, Kim Kardashian settled with the SEC after the SEC announced charges against the social-media and reality TV star for promoting a crypto-currency token called EthereumMax, on her Instagram account, where she boasts more than 330 million followers, without disclosing that she received payment for the promotion. Kardashian agreed to pay $1.26 million in penalties, including the $250,000 EthereumMax paid her for promoting its crypto-tokens to potential investors. SEC Chair Gary Gensler stated that Kardashian’s case is “a reminder to celebrities and others that the law requires them to disclose to the public when and how much they are paid to promote investing in securities.”

Last week’s discussion focused on the evolution of the insurance marketplace for digital assets. This section focuses on the marketplace as it now exists, providing examples of products being bought by companies and consumers facing cryptocurrency risks. 

In the 18^th Century, underwriting desks at what came to be known as Lloyd’s of London were developed to share or transfer risks associated with shipping.^[1] Availability of risk sharing, or insurance, provided protection for maritime investors and facilitated increased levels of investment and thus increased levels of maritime activity. Risk transfer has become an essential part of the development of a marketplace for many products. 

In the early years of cryptocurrency, there were no insurance products specifically designed to cover cryptocurrency-related losses. Much like the presence of insurance fosters development of a marketplace, the absence of insurance hinders it.

In the early years of cryptocurrency, there were no crypto-specific insurance coverages. Instead, policyholders sustaining losses were left to try to access coverage under traditional insurance policies such as:

Who can incur losses associated with cryptocurrency or digital assets? The real question is who uses them. 

Among the most obvious users would be exchanges in which cryptocurrency is traded. It has been reported that the largest insurance market in the cryptocurrency industry consists of exchanges that insure against thefts from cryptocurrency hackers. Among the more prominent exchanges are Coinbase, Crypto.com and Gemini. Similarly obvious are the third-party custodians that store cryptocurrency and other forms of digital assets on consumers behalf such as BNY Mellon Crypto Currency or Fidelity Digital Assets. They provide safekeeping of digital assets including keys and ensure accessibility. 

Crypto markets are experiencing the greatest crash in their history to date. The value of a Bitcoin (BTC) has plummeted 70% from its peak and Ethereum (ETH) has fallen 77%. Since last November, the value of cryptocurrency tokens has lost $2 billion in value.^[1] As noted financial publication Barron’s put it: “Crypto is having a ‘Lehman moment,’ a shattering of confidence triggered by plunging asset prices, liquidity freezing up, and billions of dollars wiped out in a few scary weeks.”^[2] Cryptocurrency companies are halting withdrawals and transfers, platforms are seizing up, and regulators are circling.^[3]

The Eastern District of Pennsylvania recently gave another reminder why cyber insurance should be part of any comprehensive insurance portfolio.  In Construction Financial Administration Services, LLC v. Federal Insurance Company, No. 19-0020 (E.D. Pa. June 9, 2022), the court rejected a policyholder’s attempt to find coverage under its professional liability insurance for a social engineering incident that defrauded over $1 million.

Hunton Andrews Kurth LLP insurance partner, Andrea DeField, was recently interviewed by Courtney DuChene for Risk & Insurance magazine for their article, Cyber Captives 101: Is Self-Insuring the Right Risk Mitigation Choice for Your Business? As we’ve discussed previously on the blog, the cyber insurance market has become increasingly difficult, see here, here, here, and here, and captive insurance may present a potential solution, see here. However, as DeField notes in the article, “If you’re going to go through this whole time-intensive, labor-intensive ...

Recently, the Ninth Circuit dealt with a case involving a scenario that is becoming all too common. In Ernst & Haas Mgmt. Co., Inc. v. Hiscox, Inc., 23 F.4th 1195 (9th Cir. 2022), a property management company’s accounts payable clerk received several e-mails from her supervisor instructing her to pay some invoices. Unbeknownst to the clerk, these e-mails did not originate with her supervisor, but were actually part of a fraudulent scheme to elicit fraudulent bank transfers. The clerk paid off hundreds of thousands of dollars in “invoices” before becoming suspicious but, by then, it was too late and the damage was done.

Hunton insurance attorneys, Walter Andrews, Andrea DeField, and Sima Kazmir, recently published an article in the Daily Business Review, discussing the scrutiny that companies face as a result of increased cyberattacks as well as tips for your next cyber insurance renewal.

A recent U.S. Treasury Department report noted that through June 30, 2021, the total value of suspicious activity associated with ransomware transactions was $590 million. The standalone cyber insurance industry has grown to address this pervasive risk. These major shifts in the cyber landscape mean that ...

A commentator recently summed up the risk of ransomware attack in 2022: “we’re all screwed.” True enough. But that’s all the more reason to prepare right now. After all, the only thing worse than a ransomware attack is not having adequate insurance coverage when it occurs. The time to prepare is now.

An Ohio appellate court held last month that a cyberattack triggered coverage under a commercial property insurance policy in the case EMOI Services, LLC v. Owners Insurance Company, No. 29128, 2021 WL 5144828 (Ohio Ct. App. Nov. 5, 2021).  This is good news for policyholders in light of widespread cyberattacks over the last two years, and rising premiums in today’s cyber insurance markets. The decision also has wider implications, including in suits seeking coverage for losses caused by COVID-19 under property insurance policies.

On September 21, 2021 and October 15, 2021, the US Treasury Department’s Office of Foreign Assets Control (OFAC) issued reminders of the sanctions risks for facilitating ransom payments to designated malicious cyber actors.  As discussed in our prior blogpost on OFAC's October 1, 2020 advisory, OFAC has made clear that it is increasingly willing to bring enforcement actions against entities, including cyber insurers, that facilitate payments to sanctioned threat actors on behalf of corporate victims.

This guidance should serve as a reminder to policyholders that ransomware and other cyber incidents trigger stringent regulatory and reporting requirements and that policyholders should consider engaging experienced advisors to develop a cohesive response strategy when cyber incidents occur.  OFAC’s guidance also should remind policyholders to carefully scrutinize cyber insurance coverages (and others) to ensure they provide the broadest possible coverage for cyber risks while still following OFAC guidance.

The Indiana Supreme Court recently reversed a trial court’s finding and an affirming intermediate appellate court opinion regarding the interpretation of a policy providing coverage for cyber-crime. In G&G Oil Co. of Indiana, Inc. v. Continental Western Insurance Co., the state high court rejected the lower courts’ narrow interpretation of coverage and impractical view on causation. A copy of the decision can be found here.

The adage goes, “the best defense is a good offense.” This appears to be the approach that New York insurance regulators are advocating in response to what they deem “systemic risk[s] that occur when a widespread cyber incident damages many insureds at the same time, potentially swamping insurers with massive losses.” On February 4, 2021, the New York Department of Financial Services (“DFS”), which regulates the business of insurance in New York, has issued guidelines, in the Insurance Circular Letter No. 2 (2021) regarding “Cyber Insurance Risk Framework” (the “Guidelines”), calling on insurers to take more stringent measures in underwriting cyber risks. In the Guidelines, DFS cites the 2020 SolarWinds attack as an example of how managing growing cyber risk is “an urgent challenge for insurers.”

It’s a cautionary tale of cyber fraud.  A title agent in a real estate transaction receives an email ostensibly from the mortgage lender providing instructions for transferring the loan proceeds into a settlement bank account.  After transferring the funds ($520,000), it becomes apparent that the transfer instructions came from an email address that was one letter off from the mortgage lender’s actual email address – it was a scam.  But it’s too late, the scammer has already withdrawn the funds from the settlement account and cannot be traced.

Is it illegal for an insurer to pay the ransom demanded in a cyber extortion or ransomware attack on its insured? According to the US Department of the Treasury’s Office of Foreign Assets Control’s (“OFAC”) October 1, 2020 advisory (“OFAC Advisory”), in certain situations, it may be.

Trading on New Zealand’s stock exchange was disrupted last week, following four straight days of repeated cyberattacks that resulted in outages affecting debt, equities, and derivatives markets.  The DDoS attack, which is said to have originated offshore, is allegedly part of a global extortion scheme that has also targeted companies like PayPal and Venmo.  With this type of cyberattack becoming only more common and sophisticated, it is vital for policyholders to focus on the host of available insurance coverage options to protect against and maximize their insurance recovery following losses from a cyberattack.

While COVID-19 occupies most of the world’s attention, cyber-criminals continue to hone their trade. Consequently, with attention diverted and business-as-usual changing daily, the recent rise in cyber-related attacks comes as no surprise. Analysts have found that companies with an increased number of employees working remotely as a result of the coronavirus pandemic have witnessed a spike in malicious cyber-attacks. For example, the United States Health and Human Services Department experienced two separate cyber-attacks since the onset of COVID-19, with the attacks aimed at sowing panic and overloading the HHS servers.[1] These attacks, however, are not limited to the United States, as they have been reported across the globe. For instance, hackers launched a cyber-attack on a hospital in the Czech Republic, stalling dozens of coronavirus test results, only days after the government declared a national emergency.[2]

Social engineering attacks, particularly fraudulent transfers, are becoming one of the most utilized cyber scams.  As a result, there has been a flurry of litigation, and a patchwork of decisions, concerning coverage disputes over social engineering losses.  Most recently, the United States District Court for the Eastern District of Virginia found in Midlothian Enterprises, Inc. v. Owners Insurance Company, that a so-called “voluntary parting” exclusion provision in a crime policy should exclude coverage for a fraudulent transfer social engineering scheme.  The decision illustrates why policyholders must vigilantly analyze their insurance policies to ensure that their coverages keep pace with what has proven to be a rapidly evolving risk landscape.

As reported on the January 31, 2020 posting to the Hunton Retail Law Resource Blog, the Florida legislature has introduced identical bills in the Florida House of Representatives (HB 963) and the Senate (SB 1670) (collectively the Act) that, if adopted, will require companies operating websites and other online services in the state to inform Florida consumers whether it is collecting personal information, and to provide an opportunity for the consumer to opt out of the sale of the personal information.

A Maryland federal court recently awarded summary judgment to National Ink and Stitch, finding coverage for a cyber-attack under a non-cyber insurance policy after the insured’s server and networked computer system were damaged as a result of a ransomware attack.  We discussed the significance of the decision in a January 27 blog post that can be found here.

Ruling on cross motions for summary judgment, a federal court in New York held that AIG Specialty Insurance Company (AIG) must cover the settlement of an underlying action against its insured, SS&C Technologies Holdings, Inc. (SS&C), who was duped by e-mail scammers to issue millions in wire transfers.  The court rejected AIG’s assertion that the loss resulted from SS&C’s exercise of authority or discretionary control of client funds where SS&C only had limited administrative authority and further held that, even if SS&C had exercised the requisite authority, the exclusion was ambiguous.  A copy of the court’s decision can be found here.

As crypto-asset losses continue to rise, the industry is taking steps to protect clients and investors through insurance. Crypto-exchange and custody provider, Gemini Trust Company, LLC (“Gemini”), recently launched its own captive insurance provider, Nakamoto, Ltd. Captive insurance is an alternative to self-insurance whereby a company creates a licensed insurance company to provide coverage for itself. According to a statement from Gemini, Nakamoto is “the world’s first captive to insure crypto custody” and allows Gemini “to increase its insurance capacity beyond the coverage currently available in the commercial insurance market” for cryptocurrency wallets not connected to the internet, commonly referred to as “cold storage.” According to Gemini, this move makes Nakamoto the world’s most insured crypto-asset cold storage solution, which signals an expectation of increased demand in the crypto market.

Innovation and developments in technology bring both opportunities and challenges for the retail industry, and Hunton Andrews Kurth has a sophisticated understanding of these issues and how they affect retailers. On January 23, 2020, our cross-disciplinary retail team, composed of over 200 lawyers, released our annual Retail Industry Year in Review. The 2019 edition, Spotlight on Technology, provides an overview and analysis of recent developments impacting retailers, as well as what to expect in 2020 and beyond. Topics discussed include: braille gift cards as the next wave ...

A Maryland federal court awarded summary judgment last week to policyholder National Ink in National Ink and Stitch, LLC v. State Auto Property And Casualty Insurance Company, finding coverage for a cyber-attack under a non-cyber insurance policy after the insured’s server and networked computer system were damaged as a result of a ransomware attack.  This is significant because it demonstrates that insureds can obtain insurance coverage for cyber-attacks even if they do not have a specific cyber insurance policy.

Following a bench trial, the United States District Court for the Eastern District of Virginia found in The Cincinnati Insurance Co. v. The Norfolk Truck Center that a commercial truck dealer’s social engineering loss arose directly from a computer, thereby triggering the dealer’s computer fraud coverage, notwithstanding that the scheme involved numerous non-computer acts in the causal chain of events.  A copy of the decision may be found here.

Illinois National Insurance Company, an AIG Commercial Insurance company, (“AIG”) told a Pennsylvania federal court in a brief opposing summary judgment that it has no duty to defend Hub Parking Technology USA Inc. (“Hub”), a Pittsburgh-area parking technology company, in a third-party complaint alleging a privacy breach that exposed customers’ credit card numbers at Cleveland Hopkins International Airport.

On December 9^th, the Eleventh Circuit held that a loss of over $1.7 million to scammers was covered under a commercial crime insurance policy’s fraudulent instruction provision.

A New York federal court denied AIG Specialty Insurance Company’s (“AIG”) motion to dismiss breach of contract and bad faith claims in a lawsuit filed by SS&C Technology Holdings, Inc. (“SS&C”). SS&C alleges that AIG breached its contract by failing to cover losses stemming from a cyber incident in which hackers duped the company out of millions of dollars.

When facing a crisis, such as product recall or a cyber attack, companies routinely engage third-party consultants. When doing so, there are potential privilege issues involved. Hunton Andrews Kurth insurance attorneys Syed Ahmad and Adriana A. Perez discuss these privilege issues in an article published by Westlaw. The full article is available here. In the article, the authors discuss the recent decision in Stardock Systems Inc. v. Reiche, which explores when communications with third-party consultants, such as public relations professionals, are ...

Recent headlines underscore the security challenges faced by public-facing businesses. From physical threats to cyber attacks targeting a wide range of critical infrastructure, companies in diverse sectors, such as the financial, retail, entertainment, energy, transportation, real estate, communications and other areas, face a challenging landscape of risks and potential liabilities. Join us on October 28, 2019, at 12:00 p.m. EST, for a webinar to discuss these issues, including why companies should consider SAFETY Act protection and how to obtain it.

In a recent Global Data Review article, Hunton Andrews Kurth insurance practice head Walter Andrews commented on the FBI’s guidelines on ransomware payments and the insurance industry’s aggressive marketing of ransomware policies, noting that policyholders now have a resource that can help cover the cost of such an attack. The full Global Data Review article can be found here.

Energy industry: is your insurance sufficient to handle a major cyber event? Larry Bracken, Mike Levine, and I address this question and more in our recent article for Electric Light & Power, found here.  In the article, we identify three major gaps in cyber insurance that we routinely see when analyzing coverage for energy industry clients. The first major gap is coverage for bodily injury or property damage caused by a cyber event. Most cyber insurance policies exclude coverage for both bodily injury and property damage, even if caused by a cyber event. Meanwhile, many commercial general liability insurance policies now exclude cyber-related risks, thus creating a gap in coverage for these losses. The second gap we identify is coverage for fines and penalties, including those issued under the European Union’s General Data Protection Regulation (GDPR). Even where cyber insurance policies expressly purport to cover fines and penalties, it is unclear if these may be deemed uninsurable as a matter of public policy in certain jurisdictions. Finally, we identify a gap in coverage for business income losses when the insured’s network, or that of a vendor on which they rely, goes down. That coverage is a key component of a robust cyber program, but one that is typically only offered for an additional premium.

On Friday, August 9^th, an Indiana Court of Appeals reversed a trial court’s ruling and allowed an insureds’ claim for bad faith based on misrepresentations in the insurer’s quote for coverage to proceed to trial.

In the August 2019 publication of Contract Management, Hunton insurance recovery lawyers Walter Andrews, Lorelie Masters, Michael Levine, and Latosha Ellis discuss how a robust insurance program can help government prime contractors mitigate potential financial risks associated with downstream data breaches or releases. In the article, the authors explain government prime contractors’ cybersecurity obligations under DFARS and other federal regulations. A copy of the article is here.

Recent reports of another social engineering scam, this time at a North Carolina public school system, demonstrates why public entities and companies, alike, need to regularly review their cyber vulnerabilities and potential exposures and ensure that their cyber insurance is properly tailored for their specific risks.

Equifax Inc. recently announced that it has agreed to pay up to $700 million to settle numerous government investigations and consumer claims arising out of a 2017 breach that exposed Social Security numbers, addresses and other personal data belonging to over 148 million individuals. Following the breach, Equifax faced investigations from the Federal Trade Commission, the Consumer Financial Protection Bureau, all 50 state attorneys general and consumers prosecuting nationwide multidistrict litigation. As part of the deal, Equifax will contribute approximately $300 million to compensate consumers, with the potential to increase to $425 million depending on the number of claims filed. Equifax also agreed to pay $175 million to state governments, plus another $100 million in civil penalties to the CFPB.

Phishing has been around for decades.  But now, the long-lost ancestor claiming to be a foreign prince is stealing more than your grandmother’s savings.  Phishers are targeting corporations—small and big, private and public—stealing sensitive data and money.  When Policyholders take the bait, they had better have a tailored insurance policy to keep their insurers on the hook as well.

The City of Baltimore is the latest victim of increasingly common ransomware attacks. On May 7, 2019, unidentified hackers infiltrated Baltimore’s computer system using a cyber-tool named EternalBlue, developed originally by the United States National Security Agency to identify vulnerabilities in computer systems. However, the NSA lost control of EternalBlue, and since 2017, cybercriminals have used it to infiltrate computer systems and demand payment in exchange for relinquishing control. For instance, in Baltimore, the hackers have frozen the City’s e-mail system and disrupted real estate transactions and utility billing systems, among many other things. The hackers reportedly demanded roughly $100,000 in Bitcoin to restore Baltimore’s system. The city has refused to pay.

The Hunton Andrews Kurth insurance recovery team secured a victory for firm client, The Children’s Place (“TCP”), obtaining a ruling from a New Jersey federal court in The Children’s Place, Inc. v. Great Am. Ins. Co., 2019 WL 1857118 (D.N.J. Apr. 25, 2019), in which the court allowed TCP to seek insurance coverage for a “social engineering scheme” that defrauded the company of $967,714.29.

Insurance partner Michael Levine is teaming up with Hunton’s Michael Perry and Adam Solomon and Jones Day’s Lisa Ropple to discuss cybersecurity litigation and insurance coverage presentation for the Massachusetts Bar Association. The presentation, sponsored by the MBA’s Complex Commercial Litigation Section, will take place on Wednesday, March 20^th at 4:30 pm at the MBA’s office in Boston. Topics will include:

• General litigation claims arising from cybersecurity incidents and defenses available to companies facing these claims.
• Safeguards to prevent ...

Hunton insurance associate Andrea DeField will be speaking on a plenary panel titled “Transferring the Risk: A Professional's Checklist for Procurement of the Cyber Liability Policy” at the University of South Carolina School of Law’s 2019 Cybersecurity Legal Institute. The event will take place on April 4^th in Columbia, South Carolina. 

In an article appearing in CyberInsecurity News, Hunton insurance recovery partner, Michael Levine, comments on Zurich American Insurance Company’s attempt to invoke a so-called “war exclusion” as a basis for not paying business income losses suffered by snack food giant Mondelez International.  As Levine expains, so-called “war exclusions” have rarely been invoked and only then, in times of clear military or state-sponsored activity.  The Mondelez case will therefore focus on whether a computer attack was indeed an act of war and, importantly, whether and how Zurich ...

In January we wrote about Rosen Millennium Inc.’s (“Millennium”) appeal to the Eleventh Circuit, whereby Millennium took the position that a Florida federal court ignored well established Florida insurance law when it ruled that St. Paul Fire & Marine Insurance Co. had no duty to defend it against a multimillion dollar claim arising out of a 2016 cybersecurity breach.

Rosen Millennium Inc. (“Millennium”), the cyber security and IT support subsidiary of Rosen Hotels & Resorts, Inc., has appealed to the Eleventh Circuit contending that a Florida federal court ignored Florida insurance law when it ruled that Travelers Insurance Company has no duty to defend it against a multimillion dollar claim arising out of a cybersecurity breach.

Notwithstanding the absence of a congressional war declaration since Japan bombed Pearl Harbor, Zurich American Insurance Company has invoked a “war exclusion” in an attempt to avoid covering Illinois snack food and beverage company Mondelez International Inc.’s expenses stemming from its exposure to the NotPetya virus in 2017. The litigation, Mondelez Intl. Inc. v. Zurich Am. Ins. Co., No. 2018-L-11008, 2018 WL 4941760 (Ill. Cir. Ct., Cook Cty., complaint filed Oct. 10, 2018), remains pending in an Illinois state court.

Hunton Andrews Kurth insurance partner Michael Levine was recently interviewed by LegalTech News concerning Ohio’s recent adoption of the National Association of Insurance Commissioners’ (NAIC) Insurance Data Security Model Law. The law, modeled after the New York State Department of Financial Services Cybersecurity Requirements for Financial Service Companies Act, seeks to provide a framework for states to address risks and develop cybersecurity guidelines for insurance companies. Ohio became the second state, after South Carolina, to adopt the model law. As Mike ...

New cybersecurity rules for insurance companies licensed in South Carolina are set to take effect in part on January 1, 2019. The new law is the first in the United States to be enacted based on the data security model law drafted by the National Association of Insurance Commissioners. The law requires licensed insurance companies to notify state insurance authorities of data breaches within 72 hours of confirming that nonpublic information in the company’s (or a service provider’s) system was “disrupted, misused, or accessed without authorization.” The breach reporting requirement is in addition to notification obligations imposed under South Carolina’s breach notification law and applies if the insurance company has a permanent location in the state or if the breach affects at least 250 South Carolina residents, among other criteria. The 72-hour notice requirement takes effect January 1, 2019.

The head of Hunton Andrews Kurth’s insurance practice, Walter Andrews, was interviewed earlier this week by ABC 7 (WJLA) concerning the need for cyber insurance and the benefits that it can provide to government contractors and other businesses that are impacted by a cyber event.  Andrews explains the diverse spectrum of benefits that are available through cyber insurance products, but cautions that a serious lack of uniformity exists among today’s cyber insurance products, making it crucial that policyholders carefully analyze their cyber insurance to ensure it provides the scope and amount of insurance they desire.

A California federal court found coverage under AIG’s general liability policy for the defense and indemnity of email scanning suits against Yahoo!. Those suits generally alleged that Yahoo! profited off of scanning its users’ emails. Because the allegations gave rise to the possibility that Yahoo! disclosed private content to a third party, the court found that the suit potentially fell within the coverage for “oral or written publication, in any manner, of material that violates a person’s right of privacy.” Thus, AIG’s duty to defend was triggered.

The court also ...

Hunton Andrews Kurth insurance practice head, Walter Andrews, recently commented to the Global Data Review regarding the infirmities underlying an Orlando, Florida federal district court’s ruling that an insurer does not have to defend its insured for damage caused by a third-party data breach.

As reported yesterday in Business Insurance, Lloyd’s of London underwriters have agreed to insure digital currency storage company, Kingdom Trust Co., against theft and destruction of cryptocurrency assets.  The cover comes after almost a decade-long search by Kingdom Trust for insurance to cover its crypto-assets.  According to the BI, Kingdom Trust sees the availability of insurance as a key factor in bringing institutional investors into the marketplace by dispelling concerns about lack of traditional safeguards in the emerging crypto-asset space.

The Sixth Circuit has rejected Travelers Casualty & Surety Company’s request for reconsideration of the court’s July 13, 2018 decision, confirming that the insured’s transfer of more than $800,000 to a fraudster after receipt of spoofed e-mails was a direct loss" that was "directly caused by" the use of a computer under the terms of ATC’s crime policy.  In doing so, the court likewise confirmed that intervening steps by the insured, such as following the directions contained in the bogus e-mails, did not break the causal chain so as to defeat coverage for “direct” losses.

The Second Circuit has rejected Chubb subsidiary Federal Ins. Co.’s request for reconsideration of the court’s July 6, 2018 decision, confirming that the insurer must cover Medidata’s $4.8 million loss under its computer fraud insurance policy.  In July, the court determined that the loss resulted directly from the fraudulent e-mails.  The court again rejected the insurer’s argument that the fraudster did not directly access Medidata’s computer systems.  But the court again rejected that argument, finding that access indeed occurred when the "spoofing" code in emails sent to Medidata employees ended up in Medidata's computer system.

In a recent article appearing in Florida’s Daily Business Review (available here), Hunton Insurance Recovery Practice team head, Walter Andrews, explains why phishing and whaling scams should be covered by insurance.  In the article, Andrews notes that recent appellate decisions support policyholders’ reasonable expectations of coverage and reject insurers’ contentions that social engineering losses do not result directly from the use of computers.  Andrews goes on to explain that should a company find itself a victim of a phishing or whaling attack, it should carefully ...

On Monday, a Nevada federal court held that U.S. Fire Insurance Co. (“U.S. Fire”) need not cover its insured, CP Food and Beverage, Inc. (“CP”), a strip club, under its commercial crime policy for a scheme perpetrated by its own employees that resulted in the theft of money from CP customers. A copy of the decision can be found here.

In a recent post, we discussed the Sixth Circuit’s holding in American Tooling Center, Inc. v. Travelers Casualty and Surety Co. of America, No. 17-2014, 2018 WL 3404708 (6th Cir. July 13, 2018), where the Sixth Circuit reversed the district court’s summary judgment for the insurer, finding coverage under its policy for a fraudulent scheme that resulted in a $834,000.00 loss. The insurer, Travelers, has now asked the Court to reconsider its decision.

The Sixth Circuit, in American Tooling Center, Inc. v. Travelers Casualty and Surety Co. of America, No. 17-2014, 2018 WL 3404708 (6th Cir. July 13, 2018), reversed the District Court’s grant of summary judgment in favor of the insurer in a dispute over coverage for a social engineering scheme. The policyholder, American Tooling, lost $800,000 after a fraudster’s email tricked an American Tooling employee into wiring that amount to the fraudster.

In a July 9, 2018 article appearing in Insurance Law360, Hunton Andrews Kurth insurance recovery practice head, Walter J. Andrews, explains why the Second Circuit’s decision in Medidata Solutions Inc. v. Federal Insurance Co., No. 17-2492 (2^nd Cir. July 6, 2018), affirming coverage for a $4.8 million loss caused by a “phishing” e-mail attack, is a common sense application of the plain language of Medidata’s computer fraud coverage provision.  As Andrews explained, “[c]learly, hijacking — or spoofing — email addresses constitutes an attack on a company's computer system for which a reasonable policyholder should expect coverage. A computer is a computer is a computer. Everyone knows that — except for insurance companies.”

On July 6, 2018, the Second Circuit Court of Appeals affirmed a district court’s summary judgment award in favor of Medidata Solutions, Inc., finding that Medidata’s $4.8 million loss suffered after Medidata was tricked into wiring funds to a fraudulent overseas account, triggered coverage under a commercial crime policy’s computer fraud provision. The decision in Medidata Solutions, Inc. v. Federal Ins. Co., 17-cv-2492 (2d Cir., July 6, 2018), confirms a ruling by District Judge Andrew L. Carter, Jr., in which the district court found that a fraudsters manipulation of Medidata’s computer systems constitutes a fraudulent entry of data into the computer system, since the spoofing code was introduced into the email system.

The construction industry is no stranger to insuring its projects against the risks of physical and natural disasters. Policies purchased to cover these risks, however, often are not broad enough to reach cyber threats, which can be just as damaging and costly as a physical disaster. During the past decade, hacks have targeted the data held by several high profile companies, including Target Corp., Sony Corp., Equifax Inc. and Yahoo Inc.  So far, the construction industry has not yet been at the center of one of these attacks.  Still, builders are no less susceptible to these risks than any other industry, especially given that these companies often possess sensitive data related to buildings and projects.

Phishing attacks are on the rise, and they are targeting Microsoft’s flagship cloud-based products. According to a report by specialist data breach insurer Beazley, hackers have increased attempted and successful attacks on Microsoft Office 365, especially systems used by financial, health care, and professional services organizations. These attacks are deceptively simple, relying on employees and contractors falling for fake, yet well disguised, Microsoft communications, like a HelpDesk message or a survey. Once employees or contractors interact with these communications, they are prompted to enter personal information, which allows the hackers access to confidential information. This information allows the intruders to steal customer data, initiate bank transfers, and gain access to additional employees’ accounts. Microsoft 365’s default settings compound the dangers of these attacks because they decrease the ability to track how many accounts are compromised.

On May 10, 2018, the Eleventh Circuit Court of Appeals affirmed a Northern District of Georgia decision barring coverage for a loss claimed to arise under a “Computer Fraud” policy issued by Great American Insurance Company to Interactive Communications International, Inc. and HI Technology Corp. Interactive Commc’ns Int’l, Inc. v. Great Am. Ins. Co., No. 17-11712, 2018 WL 2149769 (11th Cir. May 10, 2018).  InComm sells “chits,” each of which has a specific monetary value to consumers who can redeem them by transferring that value to their debit card.  To redeem a chit, a consumer dials a specific 1-800 number and goes through a computerized interactive voice system.  InComm lost $11.4 million when fraudsters manipulated a glitch in the system by placing multiple calls at the same time.  This allowed consumers to redeem chits more than once.  InComm sought coverage for these losses under its “Computer Fraud” policy.

The Federal Financial Institutions Examination Council (“FFIEC”), a U.S. governmental body comprised of banking regulators, recently issued guidance to financial institutions directing them to consider implementing dedicated cyber insurance programs to offset financial losses resulting from cyber incidents. Financial institutions face a number of potentially crippling risks arising from cyber incidents, including financial, operational, legal, compliance, strategic, and reputational risks resulting from fraud, data loss, or disruption of service. While cyber insurance can mitigate these risks, it is not required by financial regulators, and thus many financial institutions may not have obtained such insurance specifically designed to cover their cyber risks.  Nonetheless, the FFIEC now is urging financial institutions to include dedicated cyber insurance as part of a multi-faceted cyber risk management strategy and not to rely solely on traditional insurance.  In addition, the FFIEC is recommending that financial institutions have their outside advisors review their potential cyber insurance coverage to ensure that it will cover the relevant risks.

May 25, 2018 should be a day circled on many company calendars. On that day, the European Union’s long-awaited Global Data Protection Regulation (“GDPR”) will go into effect.  It is crucial for U.S. companies to prepare for the GDPR, as they, too, will be required to comply with a new set of data privacy rules if they are handling data from EU-based customers, suppliers, or affiliates. As long as you collect personal or behavioral data from someone in the EU, you must comply with the GDPR.

To follow up on our post last week recapping a recent Ninth Circuit decision regarding coverage for losses from a social engineering scheme, federal appellate courts continue to examine the coverage available for such losses. As Law360 highlighted, and as we previously reported (here, here, here, and here), appeals are pending in the Second, Sixth, and Eleventh circuits. These cases, some of which involve lower court findings of coverage while others do not, show that coverage for social engineering scams remains hotly contested, which means policyholders must carefully ...

On April 17, 2018, the Ninth Circuit affirmed a district court decision finding that an exclusion barred coverage for a $700,000 loss resulting from a social engineering scheme. Aqua Star (USA) Corp. v. Travelers Cas. & Surety Co. of Am., No. 16-35614 (9th Cir. Apr. 17, 2018). The scheme involved fraudsters who, while posing as employees, directed other employees to change account information for a customer. The employees changed the account information and sent four payments to the fraudsters.

As we and our sister blogs have previously reported (see here, here, and here), the New York State Department of Financial Services enacted Cybsersecurity Requirements for Financial Services Companies, 23 NYCRR 500, on March 1, 2017. The first certification of compliance with this regulation is due today, February 15, 2018.

Hunton & Williams Insurance Recovery leader, Walter Andrews, discusses the top insurance issues facing employers in Part 2, of a two-part video series.  Part 1 of the series is available here.

In today’s interconnected society, a cyber breach is inevitable. For energy companies in particular, the threat is even more acute as cyber security improvements lag behind the rapid digitalization in oil and gas operations. One recent cyber security report stated that 68% of respondents reported that their organization experienced at least one cyber compromise. And, just last week, it was disclosed that hackers used sophisticated malware, called “Triton,” to take control of a key safety device at a power plant in Saudi Arabia. Find our analysis of this latest attack on the blog here .

In what has been described as a “watershed” cyber incident, hackers recently used sophisticated malware—dubbed Triton—to take control of a key safety device installed at a power plant in Saudi Arabia. One of the few confirmed hacking tools designed to manipulate industrial control systems, this new breach is part of a growing trend in hacking attempts on utilities, production facilities, and other critical infrastructure in the oil and gas industry. The Triton malware attack targeted the Triconex industrial safety technology made by Schneider Electric SE. The attack underscores the importance of mitigating this and other similar risks through cyber and other traditional liability insurance as part of a comprehensive cybersecurity program.

The U.S. District Court for the Middle District of Florida, in Innovak International v. The Hanover Insurance Co., recently granted summary judgment in favor of Hanover Insurance Company finding that it had no duty to defend Innovak against a data breach lawsuit. Innovak, which is a payroll service, suffered a breach of employee personal information, including social security numbers. The employees then filed suit against Innovak alleging it had negligently created a software that allowed personal information to be accessed by third parties. Innovak sought a defense for the lawsuit from its commercial general liability carrier, Hanover Insurance Company. Innovak argued that the employee’s allegations triggered the personal and advertising injury coverage part of the policy, which covers loss arising out of the advertising of the policyholder’s goods or services, invasion of privacy, libel, slander, copyright infringement, and misappropriation of advertising ideas. The court disagreed and found the employees’ allegations did not involve a publication that would trigger coverage under the commercial general liability policy.

In a recent brief filed in the Sixth Circuit, American Tooling Center, Inc. argued that the appellate court should reverse the district court’s decision finding no insurance coverage for $800,000 that American Tooling lost after a fraudster’s email tricked an employee into wiring that amount to the fraudster. As we previously reported here, the district court found the insurance policy did not apply because it concluded that American Tooling did not suffer a “direct loss” that was “directly caused by computer fraud,” as required for coverage under the policy. The district count pointed to “intervening events” like the verification of production milestones, authorization of the transfers, and initiating the transfers without verifying the bank account information and found that those events precluded a “finding of ‘direct’ loss ‘directly caused’ by the use of any computer.”