Fourth Circuit Requires CGL Insurer to Defend Data Breach Class Action

The increasing market for cyber insurance policies combined with the addition of cyber exclusions has cooled litigation over whether a cyber breach triggers coverage under a commercial general liability (CGL) policy and whether a CGL insurer owes a duty to defend litigation arising from a cyber breach. However, the expansion of cyber insurance and integration of cyber exclusions has not stemmed litigation under older CGL policies, many of which do not include cyber exclusions. Earlier today, the Fourth Circuit Court of Appeals addressed cyber coverage under a traditional CGL policy in Portal Healthcare v. Travelers Indemnity Company, Case No. 14-1944.

Portal arose after plaintiffs filed a putative class action, alleging that Portal negligently failed to secure a server containing confidential records for patients at a hospital, thereby making the records available for anyone to view online without a password. The insured argued that Travelers owed a duty to defend that class action because the medical records company published, and therefore disclosed, confidential information, triggering the personal and advertising injury coverage provision in the CGL policy. Travelers disagreed, arguing that the failure to secure a server is not a publication. Publication, Travelers argued, requires the deliberate step of disseminating the records – which was not alleged.

The Fourth Circuit accepted the insured’s argument, with little explanation or analysis. Commending the district court for limiting its analysis to the complaint and policy, the court concluded that “the class-action complaint ‘at least potentially or arguably’ alleges a ‘publication’ of private medical information by Portal that constitutes conduct covered under the Policies.” The court did not explain why a failure to secure a private server satisfies the plain meaning of the word publication, but instead accepted the conclusion that the possibility of public access constitutes publication: “Such conduct, if proven, would have given ‘unreasonable publicity to, and disclose[d] information about, patients’ private lives,’ because any member of the public with an internet connection could have viewed the plaintiffs’ private medical records during the time the records were available online.”

Portal should have limited impact on modern CGL policies because the cyber exclusions therein resolve the question of whether there is a duty to defend cyber breach litigation. However, within the Fourth Circuit, Portal suggests that a CGL insurer should carefully review cyber-related claims. Portal should be limited to the unique facts underlying the claim (in that records were made publicly available), but the Court’s failure to provide a definition of publication leaves the scope of this decision open to discussion.

Insurance Coverage for Social Engineering Losses

Cyber criminals employ a variety of tactics—such as hacking, phishing or baiting schemes—to steal a business’s money, property or proprietary information. The term “social engineering” is applied to schemes that use technology, not to steal directly from the business, but to manipulate employees into unwittingly performing acts, transferring assets or divulging confidential information. A common social engineering loss scenario involves a trusted employee who is induced, by a spoof email or forged written instructions from someone impersonating a customer, a vendor or a senior officer of the company, to instruct the employer’s bank to wire funds to the imposter’s account.

Many businesses mistakenly believe that traditional commercial crime policies cover all such cyber-related losses. Although commercial crime policies have traditionally included computer fraud and funds transfer fraud insuring agreements, courts interpreting the scope of such coverages have generally distinguished between: (1) Losses where a thief hacks the insured’s computer systems and uses the computer to steal the insured’s property or to induce the insured’s bank to transfer the insured’s funds; and (2) Losses where the insured voluntarily transfers funds. Courts have generally allowed coverage for the first category of loss, but the latter losses—which include “social engineering” claims—usually are not covered.

Standard computer fraud insurance usually applies to hacking losses, i.e., direct loss resulting from “theft” through the use of a computer system. Social engineering losses are outside the scope of coverage because they do not arise “directly” from the use of any computer to fraudulently cause a transfer of property; they arise from an authorized transfer of funds.

The Funds Transfer Fraud insuring agreement applies when an imposter induces a financial institution to allow funds to be withdrawn from the insured’s account by posing as the insured and submitting fraudulent instructions. Social engineering claims are outside the scope of the insuring agreement, where an authorized employee is induced to authorize a withdrawal.

Social engineering loss is difficult to prevent; it cannot be defended against through hardware or software. Insurance coverage against social engineering risks, however, is available, usually by endorsement to commercial crime policy forms. Such coverage typically covers direct loss resulting from the intentional misleading of an employee through electronic or written instruction sent by a person who purports to be a vendor, client or employee, that directs the employee to transfer, pay or deliver money or property, and contains a misrepresentation of material fact which is relied upon by the employee.

Sony’s Interview Quagmire: A Watershed Moment for Cyberinsurance

Gordon & Rees Partner, Matthew Foy, recently co-authored an article published in the Spring 2015 edition of DRI’s In-House Defense Quarterly, entitled “Sony’s Interview Quagmire: A Watershed Moment for Cyberinsurance.” The article addresses the implications of the November 2014 Sony data breach and discusses why companies of all sizes should be giving a hard look at the cyberinsurance market and not simply relying on their CGL policies.