A commentator recently summed up the risk of ransomware attack in 2022: “we’re all screwed.” True enough. But that’s all the more reason to prepare right now. After all, the only thing worse than a ransomware attack is not having adequate insurance coverage when it occurs. The time to prepare is now.
Continue Reading As Ransomware Proliferates, Insurance Can Help

The Indiana Supreme Court recently reversed a trial court’s finding and an affirming intermediate appellate court opinion regarding the interpretation of a policy providing coverage for cyber-crime. In G&G Oil Co. of Indiana, Inc. v. Continental Western Insurance Co., the state high court rejected the lower courts’ narrow interpretation of coverage and impractical view on causation. A copy of the decision can be found here.
Continue Reading Indiana Supreme Court Decrypts Computer Crime Coverage

Much of the commentary on insurance issues arising from the COVID-19 crisis, including multiple posts on this blog, understandably has focused on recovery under first-party property policies providing business interruption coverage for losses incurred due to office closures, government orders, extra expenses, and other direct costs experienced by employers. There is a much broader

As reported on the January 31, 2020 posting to the Hunton Retail Law Resource Blog, the Florida legislature has introduced identical bills in the Florida House of Representatives (HB 963) and the Senate (SB 1670) (collectively the Act) that, if adopted, will require companies operating websites and other online services in the state to inform Florida consumers whether it is collecting personal information, and to provide an opportunity for the consumer to opt out of the sale of the personal information.
Continue Reading Florida Following in Other Jurisdiction’s Footsteps with Proposed Data Privacy Legislation

The City of Baltimore is the latest victim of increasingly common ransomware attacks. On May 7, 2019, unidentified hackers infiltrated Baltimore’s computer system using a cyber-tool named EternalBlue, developed originally by the United States National Security Agency to identify vulnerabilities in computer systems. However, the NSA lost control of EternalBlue, and since 2017, cybercriminals have used it to infiltrate computer systems and demand payment in exchange for relinquishing control. For instance, in Baltimore, the hackers have frozen the City’s e-mail system and disrupted real estate transactions and utility billing systems, among many other things. The hackers reportedly demanded roughly $100,000 in Bitcoin to restore Baltimore’s system. The city has refused to pay.
Continue Reading Will Insurers Declare “War”? The War Exclusion, the Ransomware Attack on Baltimore, and the NSA Cyber-Tool?

Insurance partner Michael Levine is teaming up with Hunton’s Michael Perry and Adam Solomon and Jones Day’s Lisa Ropple to discuss cybersecurity litigation and insurance coverage presentation for the Massachusetts Bar Association. The presentation, sponsored by the MBA’s Complex Commercial Litigation Section, will take place on Wednesday, March 20th at 4:30 pm at the

Hunton Andrews Kurth insurance partner Michael Levine was recently interviewed by LegalTech News concerning Ohio’s recent adoption of the National Association of Insurance Commissioners’ (NAIC) Insurance Data Security Model Law. The law, modeled after the New York State Department of Financial Services Cybersecurity Requirements for Financial Service Companies Act, seeks to provide a framework for

New cybersecurity rules for insurance companies licensed in South Carolina are set to take effect in part on January 1, 2019. The new law is the first in the United States to be enacted based on the data security model law drafted by the National Association of Insurance Commissioners. The law requires licensed insurance companies to notify state insurance authorities of data breaches within 72 hours of confirming that nonpublic information in the company’s (or a service provider’s) system was “disrupted, misused, or accessed without authorization.” The breach reporting requirement is in addition to notification obligations imposed under South Carolina’s breach notification law and applies if the insurance company has a permanent location in the state or if the breach affects at least 250 South Carolina residents, among other criteria. The 72-hour notice requirement takes effect January 1, 2019.
Continue Reading Cybersecurity Rules for Insurance Companies to Take Effect in South Carolina

As we and our sister blogs have previously reported (see here, here, and here), the New York State Department of Financial Services enacted Cybsersecurity Requirements for Financial Services Companies, 23 NYCRR 500, on March 1, 2017. The first certification of compliance with this regulation is due today, February 15, 2018.
Continue Reading New York Cybersecurity Deadline Highlights Importance of a Comprehensive Insurance Coverage for Cyber Risks