The construction industry is no stranger to insuring its projects against the risks of physical and natural disasters. Policies purchased to cover these risks, however, often are not broad enough to reach cyber threats, which can be just as damaging and costly as a physical disaster. During the past decade, hacks have targeted the data held by several high-profile companies, including Target Corp., Sony Corp., Equifax Inc. and Yahoo Inc. So far, the construction industry has not been at the center of one of these attacks. Still, builders are no less susceptible to these risks than any other industry, especially given that these companies often possess sensitive data related to buildings and projects.
Phishing attacks are on the rise, and they are targeting Microsoft’s flagship cloud-based products. According to a report by specialist data breach insurer Beazley, hackers have increased attempted and successful attacks on Microsoft Office 365, especially systems used by financial, health care, and professional services organizations. These attacks are deceptively simple, relying on employees and contractors falling for fake, yet well disguised, Microsoft communications, like a HelpDesk message or a survey. Once employees or contractors interact with these communications, they are prompted to enter personal information, which allows the hackers access to confidential information. This information allows the intruders to steal customer data, initiate bank transfers, and gain access to additional employees’ accounts. Microsoft 365’s default settings compound the dangers of these attacks because they decrease the ability to track how many accounts are compromised.
The U.S. District Court for the Middle District of Florida, in Innovak International v. The Hanover Insurance Co., recently granted summary judgment in favor of Hanover Insurance Company, finding that it had no duty to defend Innovak against a data breach lawsuit. Innovak, which is a payroll service, suffered a breach of employee personal information, including social security numbers. The employees then filed suit against Innovak alleging it had negligently created software that allowed personal information to be accessed by third parties. Innovak sought a defense for the lawsuit from its commercial general liability carrier, Hanover Insurance Company. Innovak argued that the employees’ allegations triggered the personal and advertising injury coverage part of the policy, which covers loss arising out of the advertising of the policyholder’s goods or services, invasion of privacy, libel, slander, copyright infringement, and misappropriation of advertising ideas. The court disagreed and found the employees’ allegations did not involve a publication that would trigger coverage under the commercial general liability policy.
In a recent brief filed in the Sixth Circuit, American Tooling Center, Inc. argued that the appellate court should reverse the district court’s decision finding no insurance coverage for $800,000 that American Tooling lost after a fraudster’s email tricked an employee into wiring that amount to the fraudster. As we previously reported here, the district court found the insurance policy did not apply because it concluded that American Tooling did not suffer a “direct loss” that was “directly caused by computer fraud,” as required for coverage under the policy. The district court pointed to “intervening events” like the verification of production milestones, authorization of the transfers, and initiating the transfers without verifying the bank account information and found that those events precluded a “finding of ‘direct’ loss ‘directly caused’ by the use of any computer.”
A recent article published by Securityroundtable.org highlights the vulnerabilities businesses face in a world of e-commerce and interconnectivity, and how proper planning through a tailored cybersecurity program that includes – among other components – appropriate insurance coverage for cyber risks can help prevent a successful attack and mitigate the financial impact should one occur. Whether the issue is prevention or risk mitigation, cybersecurity should be at the top of the corporate agenda. As discussed in the Securityroundtable.org article, Lisa Sotto, chair of the global privacy and cybersecurity practice of Hunton & Williams, explained at a recent briefing and crisis planning exercise in New York City that “it’s been a complete revolution. The cyber environment has just exploded…We could not have predicted this five years ago. There is no question that cybersecurity is a top priority for C-suites and boards. It is now recognized as a basic risk issue by every company.” Walter Andrews, chair of the insurance coverage practice at Hunton & Williams, addressed the insurability of cybersecurity risks, explaining that, “we’ve seen a sea change in a lot of areas in the last two years…There will always be liability no matter what, but cyber insurance has gone from a product a few companies acquired to one held by almost all. In fact, today regulators and boards require it.” For a recap of the entire briefing and crisis planning exercise, see the full Securityroundtable.org article, which can be found here.
On Tuesday, the U.S. District Court for the District of New Jersey granted Travelers’ motion to dismiss Posco Daewoo America Corporation’s suit for coverage under the computer fraud provision of its crime insurance policy. Distinguishing itself from precedent like Medidata, Principal Solutions Group, Apache and American Tooling Center, Daewoo did not seek coverage for money fraudulently transferred or stolen from its own accounts. Instead, Daewoo sought coverage for amounts that had been designated for payment to Daewoo by a third-party supplier, Allnex, and stolen from Allnex after a criminal impersonated a Daewoo employee. The Court held that the crime policy did not cover the lost sums because Daewoo did not “own” the money stolen from Allnex.
In its third quarter report, insurer Beazley reported a nine-fold increase in social engineering attacks (i.e., deception-based fraud/crime) as compared to the same time last year. So far, the majority of social engineering attacks in 2017 were focused on the professional services sector (18%), followed by financial institutions (9%), higher education (9%) and healthcare (3%). The report also notes continued high rates of unintended disclosure via employee negligence across all sectors (29%), second only to affirmative hacking or malware attacks (34%).
A California state court recently rejected an excess insurer’s attempt at an early exit from litigation over whether it owes coverage for cyber liabilities. In that case (previously summarized here), the policyholder, Cottage Health, suffered a data breach resulting in the disclosure of patients’ private medical information. Subject to a reservation of rights, Cottage Health’s primary insurer, Columbia Casualty, paid millions of dollars to help respond to the data breach and to defend and settle a class action lawsuit filed against Cottage Health. Cottage Health’s excess insurer was Lloyd’s.
In an article that first appeared in Electric Light & Power, Hunton & Williams attorneys Sergio F. Oehninger and Paul T. Moura discuss the growing Electric Vehicle (EV) industry and the risks posed due to the consequential strain on the power grid. As they explain, demand and investment in EVs will likely spur greater demand for supercharging stations that consume significant amounts of electricity. Urban centers and real estate owners are also expected to increase the supply of these stations in order to make these areas more attractive and accessible to EV owners, drone operators, and autonomous vehicle fleets. All of this growth will put increasing demands on electricity supply that can be difficult for businesses to control, leading to grid outages that can cause an interruption in business operations, an inability to access or restore system data, and significant losses of business income. All of this raises the question—Can businesses count on their insurance coverage to respond to the risks posed by EVs?