Multi-factor authentication (MFA) is more than an annoying popup or text message when logging onto a company’s website or platform. Not only is using MFA a sound security practice and good business,[1] it is frequently becoming a prerequisite to procuring (and keeping) cyber liability coverage. Following the May 2021 Colonial Pipeline ransomware attack which shut down the country’s largest oil pipeline for several days, more cyber insurers are now requiring policyholders to implement MFA. Last month, one tech manufacturer learned this lesson the hard way when its insurer filed suit for rescission of its insurance policy and a declaration that the insurer owed no coverage for the company’s losses stemming from a ransomware attack. Travelers Property Casualty Co. of America v. International Control Services Inc., No. 22-cv-2145, complaint filed, 2022 WL 2532994 (C.D. Ill. July 6, 2022). Continue Reading Using Multi-Factor Authentication as a Prerequisite to Cyber Liability Coverage

With news of massive data breaches making headlines in recent years, the handling of personal data has become a focus for legislators and regulators around the world.  Compliance with data privacy regulations such as the European Union’s General Data Protection Regulation (GDPR) and the California Privacy Rights Act (CPRA) promises to be one of the major challenges for businesses going forward as violations of these regulations present the risk of substantial fines or penalties.

In order to manage that potential liability, businesses have looked to cyber insurance. However, even when cyber insurance policies expressly state that they cover fines and penalties, whether or not they actually do so depends on whether fines and penalties are ‘insurable’ under the law that governs that coverage. Some jurisdictions prohibit insurance for fines and penalties as against public policy, and if the law of such a jurisdiction is deemed to govern, then even a policy that expressly promises to provide coverage may not protect the insured. Continue Reading Maximizing Your Insurance Coverage for Data Privacy Liability

I recently wrote an article for Business Insurance on how the war exclusion will affect commercial policyholders. The war exclusion has received a lot of attention over the past year, particularly since Russia invaded Ukraine in February. Policyholders’ concern that insurers will assert the exclusion as a basis to deny coverage is increasing in light of recent coverage litigation and the potential that cyberattacks emanating from Russia would have serious financial consequences.

The war exclusion is in a moment of possible flux, as insurers consider changes that could increase its scope. A few months before Russia invaded Ukraine, the Lloyd’s Market Association introduced four model clauses designed to exclude, to a greater or lesser extent, coverage for war risks from cyber policies.

In the article, I analyze the model clauses and what might happen next. One aspect of all these exclusions that is particularly worrisome is that they would give the insurer the right to determine whether a cyber operation was “indirectly” carried out “by or on behalf of” a sovereign state. The language potentially could result in the elimination of coverage for attacks in which the victim was not the intended target and the actor merely claims to be acting for the benefit, or in support of, a state rather than being directed by the state.

You can read the full article here.

Our lives and the products and devices we use become more dependent on data by the day. As a result, cyberattacks and data breaches present ever-changing risks to companies and individuals, and applicable insurance has never been more important. While companies historically sought coverage for losses under traditional CGL, D&O, E&O, commercial crime, and business interruption policies, their mixed results, coupled with new exclusions singling out electronic data, have led to an increasing need for cyber-specific coverages. However, as evidenced by the Minnesota District Court’s recent decision in Target Corporation v. ACE American Insurance Company, 2022 WL 848095 (D. Minn. Mar. 22, 2022), CGL policies still may be in play where damages result from the inability to use tangible property. Continue Reading Continuing Use of CGL Policies to Cover Data Breach Losses

Discussions with an insured’s insurance broker are often an important part of the negotiation process for insurance claims. Brokers can provide valuable insights on the drafting and underwriting of the insurance policy as well as the attitudes of insurers on particular issues.  But are communications between a client, coverage counsel, and the client’s insurance broker privileged? A previous post addressed California decisions finding that disclosure of privileged information to an insurance broker did not waive privilege because those disclosures were reasonably necessary to provide information to the insurers. In New York, whether such disclosure constitutes a waiver is a fact-specific inquiry. Continue Reading Are Communications With Your Insurance Broker Privileged Under New York Law?

Since Illinois passed its Biometric Information Privacy Act (BIPA) in 2008, there has been a proliferation of class action lawsuits filed pursuant to the statute. BIPA generally bars private entities from collecting, capturing, purchasing, receiving, or otherwise obtaining a person’s biometric information without obtaining that person’s advance, informed consent (see 740 ILCS 14/15(b)), and grants a private right of action to individuals who are “aggrieved” by a violation of the statute, entitling them to recover liquidated or actual damages as well as attorneys’ fees and costs (see 740 ILCS 14/20).

The Illinois courts are sorting out the question of the availability of insurance coverage for such BIPA suits under Commercial General Liability (CGL) policies. Of course, the standard CGL definition of covered “personal and advertising injury” includes “oral or written publication of material that violates a person’s right of privacy.” In May of 2021, an Illinois Supreme Court case, West Bend Mutual Insurance Co. v. Krishna Schaumburg Tan, Inc., 183 N.E.3d 47 (2021), addressed the threshold question of whether BIPA claims fall within this basic definition. The court agreed that the gravamen of such claims is invasion of privacy, and that the purpose of the statute is to prevent such invasions. Krishna also rejected the insurer’s argument that the policyholder’s alleged conduct did not constitute an “oral or written publication” because biometric data was merely collected and given to a single third party (a service provider for the policyholder). The court ruled that even providing the information to one other party is a “publication”; the dissemination need not be widespread. Continue Reading Illinois Courts Largely Favor Coverage for BIPA Cases Under CGL Policies

The “war” exclusion has gotten more attention over the past couple of weeks in light of Russia’s invasion of Ukraine. For good reason. This exclusion, common in property and liability policies alike, typically eliminates coverage for losses caused by “hostile or warlike action” from a nation-state or its agencies, or by military forces. Insurers have recently invoked this exclusion in an attempt to avoid providing coverage for losses arising from Russia’s 2017 “NotPetya” cyberattack against Ukraine, which spread beyond Ukraine’s borders and caused widespread damage to computer systems, including hardware, at a number of companies around the world.

A New Jersey court recently rejected an insurer’s reliance on a “war” exclusion in a property insurance policy, under which the insured had sought coverage for losses caused by the NotPetya cyberattack. See Merck Co. Inc. et al. v. ACE American Insurance Co. et al., Case number UNN L 002682-18, in the Union County Superior Court of New Jersey. Continue Reading The War Exclusion in a Time of War

Corporate policyholders often assume their computer fraud crime insurance will cover so-called social engineering thefts. Reasonably so.  Fraudsters commit these crimes by using computers to trick innocent employees into transferring corporate funds to what they believe are legitimate bank accounts, only to discover later that the accounts are controlled by criminals who have stolen the money. Although most people would consider this to be computer fraud, crime insurers have resisted covering such thefts. And some courts have sided with the insurers. Until recently, insurers could point to the Ninth Circuit Court of Appeals as being one of those courts. On January 26, the Ninth Circuit finally set the record straight in Ernst and Haas Management Company, Inc. v. Hiscox, Inc., 23 F.4th 1195 (9th Cir. 2022), by repudiating a prior unpublished ruling and finding coverage for a social engineering theft under California law. This ruling gives policyholders a boost in their crime coverage claims for social engineering theft losses and removes a cudgel from the insurers’ hands. Continue Reading Crime Insurance for Social Engineering Thefts: The Ninth Circuit Finally Joins the Party

In Verizon Communications Inc. v. National Union Fire Insurance Co. of Pittsburgh, Pa.[1] the Delaware Superior Court ruled that Verizon was entitled to a defense under its D&O policy for fraudulent transfer claims. Although the decision relies on unique facts and specific policy language, it provides guidance on how to exploit minor but critical differences in policy language to expand the company’s coverage beyond claims involving securities fraud.

The opinion also rejected the insurers’ efforts to limit coverage under a separate policy, based on their contention that the subsidiary out of which the liabilities arose was not a subsidiary when the policy was purchased. And finally, it handed policyholders a practical and valuable gift of universal application, holding that an insurer who wrongfully refuses to defend a claim cannot contest the reasonableness of the fees incurred by the policyholder to defend the case.

Whether or not it is successfully challenged on appeal, the Verizon decision is an important reminder not to make assumptions as to what is or isn’t covered under any type of insurance policy. Coverage depends on the particular language of the policy under review and the particular facts for which claims are sought. Continue Reading In Verizon Decision Careful Review of Insurance Policies Expands Coverage

Two phrases combined in a single exclusion (“alleging, arising out of, based upon or attributable to any violation of any law…” and “as respects… unfair trade practices”) could inspire carriers to make trouble for policyholders seeking coverage for consumer protection claims. Fortunately, a recent federal decision recognizes that California rules of policy construction limit the scope of this exclusion, in line with a policyholder’s reasonable expectations of coverage. Continue Reading “Unfair Trade Practices” Exclusion Does Not Extend to Consumer Protection Claims