Rosen Millennium Inc. (“Millennium”), the cyber security and IT support subsidiary of Rosen Hotels & Resorts, Inc., has appealed to the Eleventh Circuit contending that a Florida federal court ignored Florida insurance law when it ruled that Travelers Insurance Company has no duty to defend it against a multimillion dollar claim arising out of a cybersecurity breach.
Hunton Andrews Kurth insurance practice head, Walter Andrews, recently commented to the Global Data Review regarding the infirmities underlying an Orlando, Florida federal district court’s ruling that an insurer does not have to defend its insured for damage caused by a third-party data breach.
The Federal Financial Institutions Examination Council (“FFIEC”), a U.S. governmental body comprised of banking regulators, recently issued guidance to financial institutions directing them to consider implementing dedicated cyber insurance programs to offset financial losses resulting from cyber incidents. Financial institutions face a number of potentially crippling risks arising from cyber incidents, including financial, operational, legal, compliance, strategic, and reputational risks resulting from fraud, data loss, or disruption of service. While cyber insurance can mitigate these risks, it is not required by financial regulators, and thus many financial institutions may not have obtained such insurance specifically designed to cover their cyber risks. Nonetheless, the FFIEC now is urging financial institutions to include dedicated cyber insurance as part of a multi-faceted cyber risk management strategy and not to rely solely on traditional insurance. In addition, the FFIEC is recommending that financial institutions have their outside advisors review their potential cyber insurance coverage to ensure that it will cover the relevant risks.
May 25, 2018 should be a day circled on many company calendars. On that day, the European Union’s long-awaited Global Data Protection Regulation (“GDPR”) will go into effect. It is crucial for U.S. companies to prepare for the GDPR, as they, too, will be required to comply with a new set of data privacy rules if they are handling data from EU-based customers, suppliers, or affiliates. As long as you collect personal or behavioral data from someone in the EU, you must comply with the GDPR.
In a recently filed brief in the Ninth Circuit, Cottage Health argued in support of the federal district court’s stay of Columbia Casualty’s lawsuit against Cottage Health in favor of Cottage Health’s parallel state court lawsuit against Columbia Casualty.
As posted earlier today on the Hunton Retail Law Resource blog, Hunton insurance lawyer Michael S. Levine, along with Hunton colleagues Randy S. Parks and Keith Voorheis, discuss five tips to consider when thinking about what cybersecurity insurance requirements you need in your technology transactions.
Hunton & Williams insurance partner, Syed Ahmad, tells Law360 about trends in D&O liability insurance that are likely to grab headlines in 2017, including the impact of privacy and cyber breaches on corporate executives and the continued fallout from 2015’s “Yates Memo,” emphasizing an increase in government prosecution of individual corporate wrongdoers and incentivizing companies to cooperate in cases against their executives. A link to the article featuring Syed’s comments can be found here.
Syed Ahmad, a partner in the Hunton & Williams LLP insurance recovery practice, was quoted in an article by Law360 concerning the Fourth Circuit’s April 11, 2016 decision in Travelers Indemnity Company v. Portal Healthcare Solutions, No. 14-1944. In the decision, a panel of the Fourth Circuit affirmed the decision of a Virginia district court, which held in August 2014 that Travelers must defend Portal Healthcare Solutions LLC against a proposed class action alleging that the policyholder’s failure to secure its server made medical records accessible by unauthorized users online. The decision confirms that legacy CGL policies do, indeed, afford coverage for cyber-related liabilities. In the Portal decision, the issue was whether the mere online availability of sensitive information constitutes “publication” for purposes of triggering a CGL policy’s personal or advertising injury coverage and its corresponding duty to defend. The appellate court said it does, and adopted the district court’s reasoning that “[p]ublication occurs when information is ‘placed before the public,’ not when a member of the public reads the information placed before it.” That the information may not have actually been accessed does not factor into whether the information was “published” for purposes of triggering coverage. Rather, the immediate accessibility to on-line information and the broad reach of that material is itself sufficient to amount to the requisite publication. The decision makes perfect sense in the context of web-based content and the ease by which it can be accessed. The decision also provides a sound answer to Mr. Ahmad’s rendition of the age-old question “If a tree falls in a forest and no one is around, does it make a sound?” According to the district court and Fourth Circuit, yes, apparently it does make a sound.
On January 12, 2016, a federal court in Utah refused to dismiss a bad faith claim brought by Federal Recovery Services against Travelers Property Casualty Company of America, despite finding that there was no duty to defend FRS under Travelers’ “CyberFirst Policy.” Travelers Property Casualty Company of America et al. v. Federal Recovery Services et al., Case No. 2:14-cv-00170. FRS sought a defense and indemnity for a lawsuit filed against it by Global Fitness Holdings, LLC, a fitness center operator. Global Fitness had alleged that FRS intentionally misused the credit card and bank account information of Global Fitness’ customers, which consequently interfered with FRS’s business dealings.
Continue Reading Bad Faith Claim Survives Despite No Coverage for Cyber Liability Claims