On July 21, 2021, the Fifth Circuit, in Landry’s Inc. v. Ins. Co. of the State of Pa., issued a pivotal decision concerning coverage for a data breach under a commercial general liability policy. Significantly, the Fifth Circuit held a commercial general liability insurer was obligated to defend its insured in an action asserting breach of contract claims arising out of an alleged data breach.
By way of brief background, in December 2015, Paymentech, LLC, a branch of JPMorgan Chase Bank that processes Visa and Mastercard payments for retail properties operated by Landry’s Incorporated, as successor in interest to Landry’s Management, LP, discovered credit-card problems at some of Landry’s properties. Ultimately, it was discovered that a data breach occurred at 14 Landry’s locations, which involved the unauthorized installation of a program designed to search for data from credit cards’ magnetic strips. Over an approximate eighteen-month period, the program retrieved personal information from millions of customers’ credit cards and some of that information was used to make unauthorized purchases.
In May 2018, Paymentech filed suit against Landry’s for breach of contract for the costs associated with the data breaches. Landry’s sought coverage under its commercial general liability policy with The Insurance Company of the State of Pennsylvania (“ISCOP”). Ultimately, ICSOP disclaimed coverage to Landry’s for the underlying Paymentech action as it determined the Paymentech action did not allege any “personal and advertising injury” as required under the policy. Subsequently, Landry’s filed a lawsuit against ICSOP and both ICSOP and Landry’s moved for summary judgment. The District Court for the Southern District of Texas agreed with ICSOP’s position that Paymentech did not allege a “publication” took place or that its own privacy rights were violated. Landry’s appealed to the Fifth Circuit.
First, the Court determined the publication requirement as defined by the policy was met because the complaint in the Paymentech action alleged Landry’s published its customers’ credit-card information. In other words, the Court held the personal information was exposed to public view in accordance with the dictionary definition of “publish”.
Second, the Court analyzed whether the Paymentech action involves an injury “arising out of . . . the violat[ion] [of] a person’s right of privacy.” By looking to the text of the policy, the court determined the phrase “arising out of” was broad and extended to all injuries that arise out of violations of privacy violations. Since the Court found a person has a right of privacy in his or her credit-card data and a hacker’s theft of credit-card data, the use of that data to make fraudulent purchases constitutes a “violation” of consumers’ privacy rights and the complaint in Paymentech action asserts violations of theft and fraudulent purchases, based on the plain language of the policy, ICSOP has a duty to defend. Significantly, the court reasoned the policy did not distinguish between tort and contract damages; as such, the Court focused on the facts alleged in the complaint as opposed to the legal theories asserted.
The Court held the facts alleged in the Paymentech complaint constitute an injury arising from the violation of customers’ privacy rights. In doing so, the Court held it did not matter whether Paymentech’s legal theories sounded in contract or tort or that individual customers did not sue Landry’s. Rather, the Court reasoned Paymentech’s alleged injuries arise out of the violations of customers’ rights to keep their credit-card data private. Accordingly, under Texas’ eight-corners rule, the Court held ICSOP had a duty to defend Landry’s in the underlying Paymentech action.
This decision represents a significant departure from precedent involving commercial general liability coverage and data breaches. It will be interesting to see how this matter develops as the case is remanded for further proceedings consistent with the Fifth Circuit’s ruling.
Thanks to Lauren Berenbaum for her contribution to this post. Please email Brian Gibbons with any questions.Read More
On July 6, 2021, Connecticut Governor Ned Lamont signed into law a bill designed to incentivize Connecticut businesses to implement stronger cybersecurity practices to combat the rise in cyber and ransomware attacks. In doing so, the state becomes only one of three states, the others being Ohio and Utah, to adopt an incentive-based approach for businesses to improve cybersecurity best practices. The new law, which will become effective on October 1, 2021, gives statutory protection from punitive damages claims brought under Connecticut law in Connecticut state court to those companies who enact reasonable cybersecurity controls. This includes the adoption of a formal written cybersecurity program that contains “administrative, technical and physical safeguards for the protection of personal or restricted information.” The program must also conform to certain cybersecurity standards set forth in the statute, including those established by the National Institute of Standards and Technology (NIST) and the Payment Card Industry (PCI) Security Standards Council, as well as any applicable regulations relevant to the business (e.g., HIPAA or FISMA). Connecticut businesses which do not have strong cybersecurity protocols in place should strongly consider complying with the new law to avoid potential punitive damages exposure from future cyber losses.
Thanks to Andrew Gibbs for his contribution to this post. Please email Georgia Coats with any questions.Read More
Earlier this week, the Second Circuit issued a significant ruling with respect to the unauthorized disclosure of sensitive personal identifiable information (“PII”). Federal circuits have been split with respect to whether an increased risk of identity theft following a data breach, without proof of actual harm, is sufficient to confer Article III standing. The decision in McMorris v. Lopez & Assoc., officially clarifies the issue for the Second Circuit.
Plaintiff-appellant Devonne McMorris commenced a class action lawsuit against defendant-appellees Carlos Lopez & Associates, LLC (“CLA”) in response to an email that a CLA employee inadvertently sent to all of CLA’s employees. This email contained the sensitive PII – i.e., Social Security numbers, home addresses, dates of birth, phone numbers, dates of hire and educational degrees – of about 130 former and current CLA workers, including McMorris. After discovering the breach, CLA emailed its current employees, but did not contact any former employees regarding the inadvertent disclosure or take any other corrective action.
Plaintiffs asserted state law claims of negligence, negligence per se, as well as statutory consumer protection violations on behalf of classes in California, Florida, Texas, Maine, New Jersey and New York. The plaintiffs also claimed CLA “breached its duty to protect and safeguard [their] personal information and to take reasonable steps to contain the damage caused where such information was compromised.” Due to the PII disclosure, plaintiffs asserted they faced an imminent risk of identify theft and becoming victims of “unknown but certainly impending future crimes.” In response to the complaint, CLA moved to dismiss for, inter alia, lack of Article III standing. The United States District Court for the Southern District of New York agreed with CLA and dismissed McMorris’ claims for lack of subject-matter jurisdiction as McMorris failed to allege an injury-in-fact sufficient to confer Article III standing.
McMorris appealed to the 2nd Circuit, asserting that the increased risk of identity theft confers Article III standing. The Second Circuit focused on whether the plaintiffs sufficiently alleged concrete, particularized, and actual or imminent injury. The Court considered three non-exhaustive factors: (1) whether the data at issue was comprised as a result of a targeted attack intended to obtain the plaintiffs’ data; (2) whether the plaintiffs could show some misuse of their compromised data, even if the plaintiffs have not yet experienced theft or fraud; and (3) whether the type of disclosed data subjects plaintiffs to a perpetual risk of identity theft or fraud.
While the Second Circuit recognized the information CLA divulged renders plaintiffs more exposed to future identity theft or fraud, plaintiffs failed to establish “imminent injury.” In addition, the Second Circuit determined the plaintiffs had no standing because they failed to show their PII was subject to a targeted data breach, or that any entity misused their PII.
This decision is significant. Although the Court agreed with the district court’s holding that McMorris failed to establish an injury in fact, the Court held that Article III injury in fact standing only requires proof of a substantial risk of future identity theft or fraud. A substantial risk may be sufficient to establish Article III standing, even if the plaintiff has not been a victim of identity theft or fraud. The 2nd Circuit’s thorough decision gives insight to future litigants regarding the required legal standard in this jurisdiction.
Thanks to Lauren Berenbaum for her contribution to this post. Please email Brian Gibbons with any questions about the ruling, or WCM’s data privacy and cyber-liability practice.Read More
COVID-19 has created the inevitable “new normal” of forcing employees to work from home. While that may allow for some advantages, it certainly comes with some risks. As for risks, at the top that list is cyber security and potential hackers to corporate networks.
As the business world adjusts to COVID-19, companies are using work from home networks which are (likely) recently created to adjust to restraints by COVID-19, or have been created previously but are not equipped to handle all employees working on the network full-time. As such, cyber hackers are certainly aware that companies are adjusting from an IT perspective, leading to an increased risk of cyber incidents for remote employees.
While working from home (WFH) some employees are using company computers while others are using their personal devices. It is nearly impossible for IT departments to protect personal computers from hackers as there is no way to know what they have been exposed to previously. In addition, employees using their own computers may use less secure hardware and unsecured Wi-Fi, making it easier for cyber attackers to infiltrate a corporate network. As a result, one of the questions is – how will insurance companies modify their policies to deal with the increase in claims?
Some cyber insurance policies will only cover data breaches and losses to devices owned by the insured company, which would not necessarily apply to BYOD practices that many small and mid-sized enterprises tend to employ. To that end, many policies have specific coverage exclusions for data breaches to employee owned devices.
We expect that insurance providers will adapt and modify the wording in their cyber polices moving forward, and will undoubtedly look to offer more insurance products in light of the increase in demand for insurance in the post-COVID-19 world we are all now navigating. Many cyber insurance policies already require “reasonable” IT measures to qualify for coverage. Some have predicted that insurance providers will not only interpret “reasonable” differently in light of the pandemic, but will add additional IT requirement in their policies in order to obtain coverage. In addition, while insurance companies may continue to exclude coverage to cyber-attacks on employee owned devices, the volume of BYOD practices will almost certainly prompt insurers to offer new products to respond to the marketplace. As more and more companies are likely to have employees working from home after COVID-19 subsides, insurers will likely place additional cyber requirements on employees working from home, even if using a company owned device.
COVID-19 has created a landscape where WFH and BYOD practices, which many businesses utilize, creates increased cyber risk, and with increased risk comes the increased demand for insurance products. Expect much to be published in the next few months about the insurance industry’s response to that demand.
Thanks for Corey Morgenstern for his contribution to this post. Please email Brian Gibbons with any questions.Read More
Throughout the course of the COVID-19 pandemic, attorneys have gradually assimilated to working remotely from home. It seems like every week, we encounter a litany of new challenges that we must tackle gracefully and professionally. In the midst of working in our newly established Wi-Fi silos, one other annoyance that we cannot seem to get rid of is the ubiquitous phishing emails that strangely appear in our inboxes. Hopefully by now, your company’s IT director, like ours, has already blasted the proper firm policies and procedures to help you steer clear of any and all spam emails. But what if an associate or partner at your firm decides to ignore their beloved IT director’s instructions, and instead wishes to engage in dialogue, or maybe even shares a bank routing number or two, with what they believe is close business associate or client?
Well that is precisely what happened in the matter of Beins, Axelrod, P.C. v. Analytics, LLC et al, where a plaintiff’s law firm in Washington D.C. commenced an action in federal court after a third-party allegedly hacked into the firm’s managing partner’s email and diverted $60,000 into a Citibank account. After a failed attempt by the managing partner of the firm to recover the funds, he filed an action in District Court for common law negligence fraud, breach of contract claims, and a claim under the Computer Fraud and Abuse Act (CFAA) 18 U.S. Code § 1030 against defendant Citigroup (“Citi”). The plaintiff alleged that Citi aided and abetted the hacker.
Citi moved to dismiss the complaint for a failure to state a claim. The Court found the bank cannot be held liable under the theory that it conspired with the hacker given the absence of an allegation of an agreement between Citibank and the hacker to violate the CFAA. Moreover, the court indicated that a key element of establishing aiding and abetting of conspiracy liability is demonstrating the requisite mens rea “state of mind” of the perpetrator. The plaintiff had failed to plead defendants knowing involvement in the scheme under the “willful blindness” theory.
Judge James E. Boasberg provided the following analogy to substantiate court’s reasoning in granting Citi’s motion to dismiss: “a bank that allows a private part party to open an account to which funds are improperly transferred is not akin to a farmer, who in exchange for a bribe, provides refuge to a group of strangers wearing ski masks and carrying bags of cash….. where it otherwise, whenever a thief used an unwitting bank in connection with his criminal scheme, the bank would be both criminally and civilly liable for the offense, regardless of the surrounding circumstance.”
The attack that plaintiff’s counsel faced is known as a “business email compromise”, which has become more prevalent during the COVID-19 pandemic. This case highlights the importance of how diligent attorneys and other professionals must be when responding to emails seeking confidential or sensitive information.
Thanks to James Papadakis for his contribution to this post. Please email Heather Aquino with any questions.Read More
In London, bankers have learned to win stock offerings by video chat. In New York, lawyers are conducting depositions with the use of video conferencing, and across the globe 8th graders are working on class projects from their living rooms with mobile collaboration. One of the tech companies that is making all this possible is Zoom Video Communication — and in all likelihood, many reading this post are more familiar with Zoom today than they were a month ago, in light of COVID-19 restrictions and the need for remote capabilities. The ubiquitous video conferencing platform provides remote conferencing services, online meetings, and mobile collaboration. Zoom helps us all connect, share content, and even close deals, especially in times like these, when the proverbial handshake is prohibited.
Earlier this week Robert Cullen, a user of video-conferencing software Zoom, filed a class action lawsuit against the company in Federal Court in the Northern District of California. Mr. Cullen alleged in his complaint that Zoom failed to properly safeguard the personal information of the millions of users of their software applications and video conferencing platform. Specifically, the complaint states that Zoom collects the personal information of its users and discloses, without adequate notice of authorization, this personal information to third parties, including Facebook, resulting in the invasion of privacy of millions of users. Moreover, Cullen alleges that Zoom was negligent, and that it breached its duties by failing to implement and maintain a reasonable security projections and protocols, and knowingly disclosing user’s personal information to third parties.
The lawsuit includes claims for negligence, unjust enrichment, invasion of privacy under California’s constitution and violations of California’s Consumer Privacy Act, Unfair Competition Law and Consumers Legal Remedies Act. It seeks unspecified money damages on behalf of a proposed class of similarly situated consumers nationwide. To make matters worse, on the same day the suit was filed, New York Attorney General, Letitia James, had sent Zoom a letter with questions about its data privacy practices and about what security measures it had put in place to deal with the threat of hackers. Zoom responded by sending out a press release and updating their privacy policies to show that they are committed to protect users’ privacy.
The Zoom suit reveals the vital importance of cybersecurity’s role for both insureds and insurers. Companies need to create plans tailored to their organization in order to keep business operations running while considering security and making sure that all of their employees have secured network access.
We can expect a myriad of these suits over the course of the next weeks, and despite how long the global pandemic may last, one thing is for certain – the way we conduct business will never be the same. We are now becoming more dependent on these apps than ever before, and zealously washing our hands multiple times a day will not be our only concerns for the months to come.
Thanks to James Papadakis for his contribution to this post. Please email Heather Aquino with any questions.Read More
In recent years, the need for companies to take precautions with respect to cyber security, and risks insurers need to analyze in the cyber insurance space, have been widely-reported. Current events always seem to be relevant in this field. The recent news about the tensions between the United States and Iran are no exception.
Due to the conflict with Iran, the New York Department of Financial Services (DFS) has issued a warning to banks, insurers and other businesses it supervises about an increased risk of cyber attacks orchestrated by hackers associated with the Iranian government as a result of the airstrike that killed Iran’s top general.
DFS issued a letter to all regulated entities stressing the need for more stringent cybersecurity precautions in light of the mounting tensions between the U.S and Iran after the air strike that killed General Qasem Soleimani.
Specifically the letter states “ DFS therefore strongly recommends that all regulated entities heighten their vigilance against cyberattacks…While currently there are no specific, credible reports of new Iranian-sponsored cyberattacks in the past few days, all regulated entities should be prepared to respond quickly to any suspected cyber incident.”
DFS’ warning came on the same day that the U.S. Homeland Security issued its own warning about the mounting Iranian hacking threat.
Relations with countries are always worth monitoring for obvious reasons, but insurers would be wise not to overlook the risks associated with cyberattacks.
Thanks to Jon Avolio for his contribution to this post. Please email Michael Gauvin with any questions.Read More
When a tech company falls victim to a “phishing” scam, and what is the standard for whether that company is entitled to cyber coverage? Of course, that depends on the type of coverage purchased. But in this emerging field, Court guidance on coverage issues like this is relatively scarce.
In PSG LLC v. Ironshore, a technology consulting firm, Principle Solutions Group LLC fell victim to what circuit Judge Ronald Gilan referred to as a “sophisticated” email phishing scam when the company’s controller erroneously executed a wire transfer in the amount of $1.7 million after she had followed wire instructions received from the purported email domains of a company executive, and outside counsel. (Slightly more sophisticated than the Nigerian prince scam, no?)
At issue before the 11th Circuit Court of Appeals was whether PSG should be covered under the fraudulent instruction coverage clause of their commercial-crime policy, issued by Ironshore Indemnity Inc., even though the company’s controller had to override a fraud-prevention hold to effectuate the wire transfer.
The Court upheld summary judgment for PSG under the fraudulent instruction coverage. The Court found that the set of emails the controller received within minutes of each other in July 2016 was purportedly from the company’s managing director and the other from an attorney. Moreover, the Court did not believe that Wells Fargo’s fraud prevention service red flag was enough to break the chain of causation because the controller’s action was the foreseeable result of a sophisticated phishing scheme.
Ironshore argued that there was never a fraudulent instruction as defined by the policy since the first email was essentially internal, having been sent from upper management, while the subsequent email came from outside counsel, thus falling outside the scope of the policy language. The Majority disagreed with Ironshore’s arguments, and instead applied a broad interpretation of Ironshore’s policy, and incidentally, overlooked the significance of internal corporate fraud -prevention policies. This was, we think, a creative argument put forth by Ironshore. But we imagine that at oral argument, PSG made appealed to common sense, and public policy, by arguing “If fraudulent instruction coverage does not cover a phishing scam like this one, what does it cover?” Interesting read.
Thanks to James Papadakis for his contribution to this post. For more information about this case, or Wade Clark Mulcahy’s cyber-liability practice, please email Brian Gibbons.Read More
In Grey’s Anatomy’s 2017 winter finale, the hospital is hit with a cyber attack with the hackers demanding millions of dollars in Bitcoin to release the hospital’s technology. For a tech-savvy fictional hospital, this proved nearly fatal for patients who lost access to medical records, elevators, and blood banks. Earlier this summer, five real life municipalities around the country were also victims of a cyberattack. Atlanta, Philadelphia, Baltimore, and two Florida cities had their online government and court features held for ransom. While this new type of criminal can be costly, the most pervasive cyber challenge probably isn’t isn’t a malicious hacker, but simple human error. Or, poor cyber-hygiene.
Francoise Gilbert, former co-chair of Greenberg Traurig’s data, privacy, and cybersecurity practice group, and current CEO of DataMinding, says the number one challenge to cybersecurity is people. Most recent security breaches are caused by inadvertent human error and companies have to be diligent about training employees and monitoring activity to ensure private data isn’t negligently disclosed — and documenting that training! Leaving devices unattended, sharing passwords, or accidentally e-mailing information to the wrong people are typical security errors, but many breaches are also traceable to users unwittingly giving bad actors access to networks.
In 2015 the Ponemon Institute released a report that 70% of healthcare organizations and business associates surveyed identified employee negligence and as a top threat to information security. IT professionals say at least 50% of breaches are directly attributable to user error or failure to practice proper cyber hygiene. Not much has changed since then, but the stakes are much higher. Improperly discarded records may have left hundreds or thousands people vulnerable in the past, but the massive digitization of records these days expose millions of people to potential harm. The 80 million record Anthem data breach was likely caused when thieves infiltrated Anthem’s system using a database administrator password captured through a phishing scheme.
While there is no foolproof way to eliminate human error, user awareness programs are key. Email coming into networks must be scanned for malicious attachments and links as over 40% of all email attachments examined by Palo Alto’s WildFire software was found to be malicious. Eliminating the use of passwords has also been suggested as people often use birthdates, pets, or children’s names. Multifactor authentication has been recommended such as biometric identification (facial scan or thumbprint) along with derived credentials from a CAC or PIV card, similar to a chipped credit card, so that there’s nothing to remember and nothing that can be stolen. It’s a dangerous world and we have certainly given up some privacy for convenience, but staying diligent and aware could save your data from ending up in the wrong hands. Thanks to Mehreen Hayat for her contribution to this post.
Please email Brian Gibbons with any questions.Read More