Insurance partner Michael Levine is teaming up with Hunton’s Michael Perry and Adam Solomon and Jones Day’s Lisa Ropple to discuss cybersecurity litigation and insurance coverage presentation for the Massachusetts Bar Association. The presentation, sponsored by the MBA’s Complex Commercial Litigation Section, will take place on Wednesday, March 20th at 4:30 pm at the MBA’s office in Boston. Topics will include:

  • General litigation claims arising from cybersecurity incidents and defenses available to companies facing these claims.
  • Safeguards to prevent cyberattacks from outside sources.
  • Insurance coverage issues arising out of cybersecurity incidents.

Continue Reading Hunton Insurance Partner Michael Levine to Present on Cybersecurity Litigation to the Massachusetts Bar Association

Hunton insurance associate Andrea DeField will be speaking on a plenary panel titled “Transferring the Risk: A Professional’s Checklist for Procurement of the Cyber Liability Policy” at the University of South Carolina School of Law’s 2019 Cybersecurity Legal Institute. The event will take place on April 4th in Columbia, South Carolina. Additional information about this event can be found here.

In an article appearing in CyberInsecurity News, Hunton insurance recovery partner, Michael Levine, comments on Zurich American Insurance Company’s attempt to invoke a so-called “war exclusion” as a basis for not paying business income losses suffered by snack food giant Mondelez International.  As Levine expains, so-called “war exclusions” have rarely been invoked and only then, in times of clear military or state-sponsored activity.  The Mondelez case will therefore focus on whether a computer attack was indeed an act of war and, importantly, whether and how Zurich American has applied its war exclusion in other cases.  Mondelez was one of many victims of the NotPetya ransomware attack in 2017.  As Levine explains in the article, among other things, Mondelez “certainly will want to see, want to know how many other claims [Zurich] had involving NotPetya. How many other war exclusions did it use?”

In January we wrote about Rosen Millennium Inc.’s (“Millennium”) appeal to the Eleventh Circuit, whereby Millennium took the position that a Florida federal court ignored well established Florida insurance law when it ruled that St. Paul Fire & Marine Insurance Co. had no duty to defend it against a multimillion dollar claim arising out of a 2016 cybersecurity breach.

Continue Reading Insurance Groups Support Travelers In 11th Circuit Breach Row

Rosen Millennium Inc. (“Millennium”), the cyber security and IT support subsidiary of Rosen Hotels & Resorts, Inc., has appealed to the Eleventh Circuit contending that a Florida federal court ignored Florida insurance law when it ruled that Travelers Insurance Company has no duty to defend it against a multimillion dollar claim arising out of a cybersecurity breach.

Continue Reading Hotel Data Breach Case Heads to Eleventh Circuit

Notwithstanding the absence of a congressional war declaration since Japan bombed Pearl Harbor, Zurich American Insurance Company has invoked a “war exclusion” in an attempt to avoid covering Illinois snack food and beverage company Mondelez International Inc.’s expenses stemming from its exposure to the NotPetya virus in 2017. The litigation, Mondelez Intl. Inc. v. Zurich Am. Ins. Co., No. 2018-L-11008, 2018 WL 4941760 (Ill. Cir. Ct., Cook Cty., complaint filed Oct. 10, 2018), remains pending in an Illinois state court. Continue Reading Zurich Invokes War Exclusion in Battle Over Coverage for NotPetya Attack

Hunton Andrews Kurth insurance partner Michael Levine was recently interviewed by LegalTech News concerning Ohio’s recent adoption of the National Association of Insurance Commissioners’ (NAIC) Insurance Data Security Model Law. The law, modeled after the New York State Department of Financial Services Cybersecurity Requirements for Financial Service Companies Act, seeks to provide a framework for states to address risks and develop cybersecurity guidelines for insurance companies. Ohio became the second state, after South Carolina, to adopt the model law. As Mike explained in the article, the statute provides policyholders with an added layer of protection against disclosure of sensitive and confidential information that may be held by insurers operating in the state.

A link to the article featuring Mike’s comments can be found here.

New cybersecurity rules for insurance companies licensed in South Carolina are set to take effect in part on January 1, 2019. The new law is the first in the United States to be enacted based on the data security model law drafted by the National Association of Insurance Commissioners. The law requires licensed insurance companies to notify state insurance authorities of data breaches within 72 hours of confirming that nonpublic information in the company’s (or a service provider’s) system was “disrupted, misused, or accessed without authorization.” The breach reporting requirement is in addition to notification obligations imposed under South Carolina’s breach notification law and applies if the insurance company has a permanent location in the state or if the breach affects at least 250 South Carolina residents, among other criteria. The 72-hour notice requirement takes effect January 1, 2019. Continue Reading Cybersecurity Rules for Insurance Companies to Take Effect in South Carolina

The head of Hunton Andrews Kurth’s insurance practice, Walter Andrews, was interviewed earlier this week by ABC 7 (WJLA) concerning the need for cyber insurance and the benefits that it can provide to government contractors and other businesses that are impacted by a cyber event.  Andrews explains the diverse spectrum of benefits that are available through cyber insurance products, but cautions that a serious lack of uniformity exists among today’s cyber insurance products, making it crucial that policyholders carefully analyze their cyber insurance to ensure it provides the scope and amount of insurance they desire.

Continue Reading Hunton Insurance Head Interviewed Concerning the Benefits and Hidden Dangers of Cyber Insurance

A California federal court found coverage under AIG’s general liability policy for the defense and indemnity of email scanning suits against Yahoo!. Those suits generally alleged that Yahoo! profited off of scanning its users’ emails. Because the allegations gave rise to the possibility that Yahoo! disclosed private content to a third party, the court found that the suit potentially fell within the coverage for “oral or written publication, in any manner, of material that violates a person’s right of privacy.” Thus, AIG’s duty to defend was triggered.

The court also found that AIG had a duty to indemnify for Yahoo!’s settlement in the email scanning suits. One key question was whether the settlement amount paid as attorneys’ fees to plaintiff’s counsel constituted damages under the policy. The court concluded that they were, based on the fact that the plaintiffs sought attorneys’ fees under a statute and on its finding that Yahoo! would reasonably expect that those fees would qualify as damages.

Yahoo! had also alleged that AIG acted in bad faith in its claims handling because AIG had denied coverage for the first two lawsuits and then ultimately acknowledged such an obligation with respect to the third lawsuit and in so doing had cited exclusions that were not a part of the policy. The court found that issue was one for a jury to decide.

This decision is another example that valuable cyber coverage for defense and indemnification may be available under general liability policies. Of course, whether there is coverage will depend on the particulars of the claim and the insurance policy.