In November, Tyler wrote about insurance issues raised by both the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act, which goes into effect on January 1, 2020. California’s governor Jerry Brown signed two other cyber-related laws in September, which will also go into effect on January 1, 2020 – Assembly Bill 1906 and Senate Bill 327, which address security concerns relating to devices that are capable of connecting to the internet – the so-called Internet of Things or “IoT”. See California Civil Code 1798.91.04(a) et seq.

The bills largely mirror each other and, put very simply, require manufacturers of devices that are capable of being connected to the internet to equip them with “reasonable” security features that are both appropriate to the device and require a user to generate a new means of authentication before access is granted to the device for the first time. Technologists are debating whether the laws are good or bad, and if good, whether they go far enough. Regardless, the laws will become effective and manufacturers of IoT devices will have to comply with them. The law does not provide for a private right of action; it permits the state’s Attorney General to enforce its provisions.

The new California law applies to all connected devices sold or offered for sale in California. Because California is such a large market, this likely means that all such devices sold in North America and Europe will comply with California’s regulations, and older, less secure devices will be diverted to countries with fewer regulations.



An insurance carrier has declined to defend a claim asserted against its insured, arguably without meeting its obligation to investigate the claim. For whatever reason—a change in personnel, loss of a file, or some other motivation—the carrier has done little, if anything, to investigate the claim tendered to it: no Google search, no phone calls, and very little factual investigation other than the information tendered by the insured. The carrier has, however, relied on the plain language of the policy, and the few facts of which it was aware supported its denial.

But when a court later finds that the carrier’s coverage position was wrong—the facts in existence created a potential for coverage and hence triggered the carrier’s duty to defend—the insured may argue that its carrier’s failure to investigate supports a finding that it breached the implied warranty of good faith and fair dealing; that is, the insurer acted in bad faith.

A recent case in the Northern District of California offers two cautionary tales to policyholders. First, when buying insurance, companies should understand their risks and ensure that the policies they’re buying match those risks as closely as possible. Second, when a claim arises, policyholders must carefully consider all the allegations, not just the formal causes of action, in the complaint to determine whether they might trigger an insurer’s defense obligation.


Policyholders should always consider the potential for coverage under their CGL policies if they suffer a data security breach. However, as the cases described in my article for Corporate Counsel show, coverage is highly fact-dependent and subject to interpretation by the courts even in the absence of a data-related exclusion. The addition of such an

Law firms are important gatekeepers between cybercriminals and clients’ sensitive data. The release of the Panama Papers and several other recent high-profile breaches have brought to light vulnerabilities in law firm cyber security.

I recently participated in a podcast with journalist Ben Hammersley and eSentire’s VP and industry security strategist Mark Sangster. Our discussion focused

On July 21, U.S. District Court Judge Claudia Wilken handed insureds a significant victory in a coverage case for Seagate, a computer hard drive manufacturer. Farella represents Seagate in that action. Judge Wilken granted Seagate partial summary judgment on its claim that the Insurance Company