Ninth Circuit Zaps Insured’s Suit Seeking Coverage for Zip Code Claims

By on December 10, 2015
Leave a comment

In Big 5 Sporting Goods Corp. v. Zurich American Ins. Co., et al., Case No. 13-56249 (9th Cir. Dec. 7, 2015), the Ninth Circuit, interpreting California law, held that underlying putative class action lawsuits asserting Song-Beverly Act claims alongside causes of action for invasion of privacy and negligence were not covered and did not trigger a duty to defend under CGL policies issued by Zurich and Hartford. The Ninth Circuit affirmed the decision of the Central District Court Judge Dolly Gee.

The Song-Beverly Act prohibits retailers from requesting and recording personal identification information (e.g., Zip codes) in conjunction with point-of-sale credit card transactions. Big 5 was sued in a series of underlying class action lawsuits asserting causes of action based on alleged violations of the Song-Beverly Act. Some of those complaints also asserted common law and constitutional invasion of privacy claims as well as negligence causes of action.

The policies included “Distribution of Material” exclusions which eliminated coverage for personal and advertising injury arising directly or indirectly out of any act or omission that violates or is alleged to violate any statute that prohibits or limits the sending, transmitting, communicating, distribution, etc., of material or information. Additionally, the Hartford policy included a “Right of Privacy Created by Statute” exclusion which eliminated coverage for personal and advertising injury arising out of the violation of a person’s right of privacy created by statute.

The Ninth Circuit affirmed District Court, holding that these exclusions eliminated coverage and any duty to defend the underlying suits based on the alleged violations of the Song-Beverly Act. The Court determined that the Act was undeniably a statute and that the alleged violations of the Act amounted to acts or omissions that were excluded from coverage.

Significantly, the Ninth Circuit rejected Big 5’s argument that the underlying common law and California constitutional invasion of privacy claims independently triggered a duty to defend. In doing so, the Court determined that in the context of the at-issue garden variety Song-Beverly Act complaints, such invasion of privacy claims “simply do not exist.” The Court further stated:

California does not recognize any common law or constitutional privacy right causes of action for requesting, sending, transmitting, communicating, distributing, or commercially using ZIP Codes. The only possible claim is for statutory penalties, not damages.

As support for this conclusion, the Ninth Circuit recognized that the Song-Beverly Act created a new right to protection in a consumer’s personal identification information that that did not previously exist and that the remedy for violations of the Act were specified statutory penalties. It also relied on the decision in Fogelstrom v. Lamps Plus, Inc. (2011) 195 Cal. App. 4th 986, which concluded that in the context of Song-Beverly class actions, there was no actionable invasion of privacy cause of action as the required element of a serious invasion of privacy or egregious breach of social norms was not present.

The Ninth Circuit further held that the underlying negligence causes of action did not trigger a duty to defend, stating that “[j]ust as a rose by any other name is still a rose, so a ZIP Code case under any other label remains a ZIP Code case.” The Court recognized that under California law, artful drafting and the assertion of superfluous negligence claims does not create a duty to defend where such a duty does not otherwise exist under the facts alleged.

With its decision in Big 5, the Ninth Circuit joins a growing number of Courts from across the country that have held that statutory class action lawsuits do not trigger a duty to defend under CGL policies.

The Ninth Circuit’s decision in Big 5 is not published and its citation is governed by 9th Cir. R. 36-3.

Filed under Commercial General Liability, Electronic Data, Exclusion, Personal and Advertising Injury

Insurance Coverage for Social Engineering Losses

By on November 16, 2015
Leave a comment

11-4Cyber criminals employ a variety of tactics—such as hacking, phishing or baiting schemes—to steal a business’s money, property or proprietary information. The term “social engineering” is applied to schemes that use technology, not to steal directly from the business, but to manipulate employees unwittingly to perform acts, transfer assets or divulge confidential information. A common social engineering loss scenario involves a trusted employee who is induced, by a spoof email or forged written instructions from someone impersonating a customer, a vendor or a senior officer of the company, to instruct the employer’s bank to wire funds to the imposter’s account.

Many businesses mistakenly believe that traditional commercial crime policies cover all such cyber-related losses. Although commercial crime policies have traditionally included computer fraud and funds transfer fraud insuring agreements, courts interpreting the scope of such coverages have generally distinguished between: (1) Losses where a thief hacks the insured’s computer systems and uses the computer to steal the insured’s property or to induce the insured’s bank to transfer the insured’s funds; and (2) Losses where the insured voluntarily transfers funds. Courts have generally allowed coverage for the first category of loss, but the latter losses—which include “social engineering” claims—usually are not covered.

Standard computer fraud insurance usually applies to hacking losses, i.e., direct loss resulting from “theft” through the use of a computer system. Social engineering losses are outside the scope of coverage because they do not arise “directly” from the use of any computer to fraudulently cause a transfer of property; they arise from an authorized transfer of funds.

The Funds Transfer Fraud insuring agreement applies when an imposter induces a financial institution to allow funds to be withdrawn from the insured’s account by posing as the insured and submitting fraudulent instructions. Social engineering claims are outside the scope of the insuring agreement, where an authorized employee is induced to authorize a withdrawal.

Social engineering loss is difficult to prevent; it cannot be defended against through hardware or software. Insurance coverage against social engineering risks, however, is available, usually by endorsement to commercial crime policy forms.  Such coverage typically covers direct loss resulting from the intentional misleading of an employee through electronic or written instruction sent by a person who purports to be a vendor, client or employee, that directs the Employee to transfer, pay or deliver money or property, and contains a misrepresentation of material fact which is relied upon by the employee.

Filed under Cyberinsurance, Electronic Data

Property Damage in a Digital Age: Florida District Court Confirms That Coverage for “Property Damage” Excludes Electronic Data

By and on October 31, 2014
Leave a comment

In Carolina Casualty Insurance Co. v. Red Coats, Inc. d/b/a Admiral Security Services, Inc., the U.S. District Court for the Northern District of Florida ruled that the cost to provide free credit protection services to individuals whose confidential medical information was contained on stolen laptop computers did not constitute “property damage” under two commercial general liability insurance policies.

The insured (Red Coats, Inc.), a full-service contract management company that provides security, janitorial and alarm services, entered into a contract with AvMed, Inc., a provider of health coverage plans to members and subscribers throughout Florida, to provide security services at AvMed’s Gainesville, Florida, facility.  Shortly thereafter, two of AvMed’s laptop computers were stolen from its Gainesville facility.  As HIPAA-protected information was contained on at least one of the stolen laptops, AvMed notified the affected subscribers/members and provided each of them with two years of free credit protection services.

AvMed thereafter filed suit against Red Coats, alleging that one of Red Coats’ security guards committed the subject theft (alleging claims against Red Coats for breach of contract, fraud, negligent hiring, retention and supervision, and vicarious liability).  Red Coats then made claims against each of its five insurers (including two commercial general liability carriers, an employment practices liability carrier, and two crime carriers), all of which denied coverage.  After Red Coats and AvMed settled their dispute, Red Coats’ employment practices liability carrier filed a declaratory judgment action, seeking a decree of no coverage.  In response, Red Coats counterclaimed against each of its insurers.  The parties filed cross-motions for summary judgment, which were decided by the court on April 22, 2014 (the crime carriers resolved prior to the disposition of summary judgment).

The commercial general liability policies defined “property damage,” in pertinent part, as “loss of use of tangible property that is not physically injured.” Notably, those policies specifically excluded from the definition of tangible property “electronic data,” defined as “information, facts or programs stored as or on, created or used on, or transmitted to or from computer software, including systems and applications software, hard or floppy disks, CD-ROMS, tapes, drives, cells, data processing devices or any other media which are used with electronically controlled equipment.”

The U.S. District Court for the Northern District of Florida ruled that, with regard to Red Coats’ commercial general liability policies, “the loss of use of the laptops was not the problem – AvMed has a lot of other laptops – the problem was that others could access the HIPAA data.  At best, the only coverage would be [the] cost of getting new laptops; there would be no coverage for the HIPAA information and any other data or programs on them, since they would represent electronic data, which is expressly excluded from coverage.  Simply put, this is not property damage in any ‘man on the street’ definition of the term. . . . [I]t is an economic loss claim which is not covered by the [commercial general liability policies].”  The court also rejected Red Coats’ argument that coverage existed under its employment practices liability policy.

Red Coats has appealed the Northern District’s decision to the Eleventh U.S. Circuit Court of Appeals (with briefing to be completed by November 14, 2014).

Filed under Electronic Data, HIPAA-Protected Information, Loss of Use, Property Damage