While there’s no simple formula for determining what, and how much, cyber liability insurance is necessary for a given company, a few simple inquiries can make a big difference. My colleague Syed Ahmad, along with Eileen Garczynski (senior vice president and partner at insurance brokerage Ames & Gough), recently published an article for Mealey’s Data Privacy Law Report on critical questions for companies seeking to protect company assets through cyber insurance. Their article is available here.
The Ninth Circuit in Teleflex Medical Incorporated v. National Union Fire Insurance Company of Pittsburgh PA, No. 14-56366 (9th Cir. Mar. 21, 2017) affirmed a jury verdict finding that AIG must pay $3.75 million in damages plus attorneys’ fees to cover LMA North America, Inc.’s (“LMA’s”) settlement with its competitor over allegedly disparaging advertisements that characterized a competitor’s products as unsafe.
In a March 17, 2017 opinion, a Minnesota federal court rejected a financial institution bond carrier’s attempt to rescind the bond it issued to a credit union despite the credit union’s manager making a false statement in the bond application that she had no knowledge of any act which might give rise to a claim, after she had embezzled $3 million. See National Credit Union Administration Board v. CUMIS Insurance Society, Inc., No. 16-139, 2017 WL 1047256 (D. Minn. Mar. 17, 2017). The court refused to attribute the embezzler’s misrepresentation to her employer because, in embezzling the credit union’s money, she was working solely for her own benefit.
A panel of the California Court of Appeals, in an unpublished opinion (Stein v. Axis Ins. Co., (Cal. Ct. App., Mar. 8, 2017, No. B265069) 2017 WL 914623), issued March 8, 2017, held that a policy exclusion requiring “final adjudication” did not support a refusal to pay the policyholder’s defense costs by Houston Casualty Company (HCC) following a trial court’s entry of judgment where the policyholder still could pursue appeal.
A federal district court judge in Connecticut recently agreed that an insurer did not owe coverage under a “claims-made” D&O liability insurance policy where the policyholder failed to give timely notice of a suit arising from a loan default. Although the ruling killed the claim, the decision also offered guidance on two critical – and commonly cited – exclusions: the “related claim” and “pending or prior claim” exclusions. The court held that neither exclusion applied under the factual nexus test used by the court, reminding policyholders and insurers alike that successive or seemingly “related” claims may not be connected simply because they are traceable to a common genesis. Read Michael Levine and Katie Miller’s alert on the case here.
Policyholders are often surprised to hear that their policies cover more than the run-of-the-mill claim. For example, a general liability policy may cover a cyber-related loss. See our prior post. As a more recent example, a federal court in South Carolina found that a parent’s homeowners’ policy obligated an insurer to defend a college student against hazing allegations. Allstate Ins. Co. v. Ingraham, No. 7:15-cv-3212 (D.S.C. Mar. 14, 2017).
Cyber and crime insurance policies have been heavily recommended to address the growing prevalence and types of cyber risks. My colleagues Walter Andrews and Jennifer White recently authored an article appearing in Risk Management discussing how the purchase of cyber and crime insurance policies alone is not enough to successfully manage these risks. These policies must be carefully evaluated and tailored to the particulars of each organization. The full article is available here. In the article, Andrews and White identify four key questions that every organization must ask when purchasing cyber and crime insurance policies to ensure that their cyber coverage is sufficient to meet their organization’s needs.
Attorneys Syed Ahmad and Jennifer White contributed to the Hunton Retail Law Resource’s “Recall Roundup” for the month of February with a discussion of Starr Surplus Lines Insurance Company’s suit against CRF Frozen Foods, LLC. Starr seeks to rescind the a product contamination policy based on allegations that, during the insurance application process, CRF failed to disclose “violations” identified by Washington State and federal inspectors which, Starr claims, were likely to give rise to CRF’s 2016 recall of frozen vegetables. See Starr Surplus Lines Ins. Co. v. CRF Frozen Foods, LLC, No. 1:17-cv-01030 (S.D.N.Y. Feb. 10, 2017). Starr’s suit comes on the heels of its success before the Third Circuit earlier this year, when the court affirmed Starr’s rescission of the accidental contamination policy issued to Heinz. For more on that case, click here.
As posted earlier today on Hunton & Williams’ Retail and Privacy blogs, and as reported in Law360, Hunton & Williams announces the formation of a cross-disciplinary legal team dedicated to guiding companies through the minefield of regulatory and cyber-related risks associated with high-stakes corporate mergers and acquisitions.
The ABA announced last week that it would supplement its insurance coverage offerings to include cyber insurance. Chubb Limited will underwrite the insurance, which the ABA said “includes cyber coverage for a firm’s own expenses, such as network extortion, income loss and forensics, associated with a cyber-incident as well as for liability protection and defense costs.”
In its press release, the ABA referenced the revelations late last year that Chinese citizens had hacked two law firms to obtain information regarding mergers. The hackers then used that insider information to make more than $4 million by trading shares of the target companies.
Firms may also face lawsuits for failure to protect confidential information. For example, a Chicago firm was sued in a class action alleging that a failure to protect client’s confidential information. While traditional insurance policies may cover such a suit, cyber insurance policies are another available form of coverage.
Hackers can also launch ransomware attacks on law firms. Such attacks involve malicious software installed on a computer system. That software encrypts the files on the computer system, making the inaccessible. The hackers then threaten to destroy the files unless a ransom is paid. Again, cyber insurance policies can cover losses arising out of such events.
In sum, law firms are not immune from the cyber risks that face all companies and should consider cyber coverage to supplement other insurance policies that may cover cyber-related losses. as discussed in our prior article which can be found here.