To follow up on our post last week recapping a recent Ninth Circuit decision regarding coverage for losses from a social engineering scheme, federal appellate courts continue to examine the coverage available for such losses. As Law360 highlighted, and as we previously reported (here, here, here, and here), appeals are pending in the Second, Sixth, and Eleventh circuits. These cases, some of which involve lower court findings of coverage while others do not, show that coverage for social engineering scams remains hotly contested, which means policyholders must carefully consider such coverage when purchasing insurance. While more and more insurers have introduced endorsements designed to specifically address social engineering schemes, as Hunton attorney Patrick McDermott recently pointed out in a separate Law360 piece, one issue policyholders ought to consider is “whether an endorsement providing coverage for losses resulting from social engineering schemes actually narrows the coverage available for those losses.”
On April 17, 2018, the Ninth Circuit affirmed a district court decision finding that an exclusion barred coverage for a $700,000 loss resulting from a social engineering scheme. Aqua Star (USA) Corp. v. Travelers Cas. & Surety Co. of Am., No. 16-35614 (9th Cir. Apr. 17, 2018). The scheme involved fraudsters who, while posing as employees, directed other employees to change account information for a customer. The employees changed the account information and sent four payments to the fraudsters.
In a recent brief filed in the Sixth Circuit, American Tooling Center, Inc. argued that the appellate court should reverse the district court’s decision finding no insurance coverage for $800,000 that American Tooling lost after a fraudster’s email tricked an employee into wiring that amount to the fraudster. As we previously reported here, the district court found the insurance policy did not apply because it concluded that American Tooling did not suffer a “direct loss” that was “directly caused by computer fraud,” as required for coverage under the policy. The district count pointed to “intervening events” like the verification of production milestones, authorization of the transfers, and initiating the transfers without verifying the bank account information and found that those events precluded a “finding of ‘direct’ loss ‘directly caused’ by the use of any computer.”
On Tuesday, the U.S. District Court for the District of New Jersey granted Travelers’ motion to dismiss Posco Daewoo America Corporation’s suit for coverage under the computer fraud provision of its crime insurance policy. Distinguishing itself from precedent like Medidata, Principal Solutions Group, Apache and American Tooling Center, Daewoo did not seek coverage for money fraudulently transferred or stolen from its own accounts. Instead, Daewoo sought coverage for amounts that had been designated for payment to Daewoo by a third party supplier, Allnex, and stolen from Allnex after a criminal impersonated a Daewoo employee. The Court held that the crime policy did not cover the lost sums because Daewoo did not “own” the money stolen from Allnex.
Highlighting the continued problems faced by policyholders in obtaining coverage for “computer fraud,” a Michigan district court recently held that a manufacturer could not recover $800,000 in funds lost after an employee mistakenly wired payment for legitimate vendor invoices into a fraudster’s bank account after receiving a spoofed e-mail requesting payment. In American Tooling Center, Inc. v. Travelers Casualty and Surety Company of America, No. 16-12108 (E.D. Mich. Aug. 1, 2017), the district court applied state law favoring a narrow interpretation of the crime policy’s computer fraud provision to hold that the policyholder had not suffered a “direct” loss that was “directly caused” by the use of any computer.
Last Thursday, a federal district judge in New Jersey denied, in part, Travelers Indemnity Company’s (Travelers) motion for summary judgment on claims for indemnity costs because the plaintiff, E.M. Sergeant Pulp & Chemical Company (EMS), provided sufficient evidence to raise triable questions of fact. Although the evidence was just “barely sufficient” to keep the case alive, as the court put it, and despite no direct evidence that policies were even in place during the relevant time period, the evidence was nevertheless enough to defeat the insurer’s motion.
Hunton & Williams’ insurance practice head, Walter Andrews, was quoted in a Law360 article yesterday regarding the confusion that is likely to result from a federal bankruptcy judge’s decision in Rapid-American Corp. v. Travelers Casualty and Surety Co., where the court concluded that a majority of excess insurers owe no coverage to Rapid-American Corp. for underlying asbestos claims until the company exhausts the limits of its underlying primary and excess coverage through actual payment, not just accrued liability. According the Andrews, “the public policy clearly cries out against this ruling because you want to encourage settlement and have certainty in terms of a policyholder knowing what it can do with the coverage it has.” However, “[t]his case throws that into confusion and uncertainty,” Andrews added.
Two of three of Rapid-American Corp.’s excess liability insurers do not have to respond to underlying asbestos claims unless and until all underlying coverage is exhausted by the payment of claims, says Judge Bernstein of the United States Bankruptcy Court for the Southern District of New York in a June 7, 2016 decision. Rapid-American has been involved in asbestos litigation since 1974 and settled disputes with many of its underlying insurers, but an amount sufficient to reach its excess coverage policies has not yet been paid. Rapid-American argued that it was not necessary for the primary policies’ underlying limits to be exhausted by actual payment before insurers’ excess liability coverage attaches.
Syed Ahmad, a partner in the Hunton & Williams LLP insurance recovery practice, was quoted in an article by Law360 concerning the Fourth Circuit’s April 11, 2016 decision in Travelers Indemnity Company v. Portal Healthcare Solutions, No. 14-1944. In the decision, a panel of the Fourth Circuit affirmed the decision of a Virginia district court, which held in August 2014 that Travelers must defend Portal Healthcare Solutions LLC against a proposed class action alleging that the policyholder’s failure to secure its server made medical records accessible by unauthorized users online. The decision confirms that legacy CGL policies do, indeed, afford coverage for cyber-related liabilities. In the Portal decision, the issue was whether the mere online availability of sensitive information constitutes “publication” for purposes of triggering a CGL policy’s personal or advertising injury coverage and its corresponding duty to defend. The appellate court said it does, and adopted the district court’s reasoning that “[p]ublication occurs when information is ‘placed before the public,’ not when a member of the public reads the information placed before it.” That the information may not have actually been accessed does not factor into whether the information was “published” for purposes of triggering coverage. Rather, the immediate accessibility to on-line information and the broad reach of that material is itself sufficient to amount to the requisite publication. The decision makes perfect sense in the context of web-based content and the ease by which it can be accessed. The decision also provides a sound answer to Mr. Ahmad’s rendition of the age-old question “If a tree falls in a forest and no one is around, does it make a sound?” According to the district court and Fourth Circuit, yes, apparently it does make a sound.
On April 11, 2016, the Fourth Circuit affirmed a trial court’s decision that Travelers must defend a class action against its policyholder, Portal Healthcare Solutions, arising out of Portal’s alleged failure to safeguard confidential medical records. In the class action, the plaintiffs contended that Portal had allowed their private medical records to be accessed on the internet for more than four months by a simple Google search of a patient’s name. Portal sought coverage under provisions in two Travelers policies that provided coverage for alleged injury arising from “electronic publication of material” that “gives unreasonable publicity to a person’s private life” or that “discloses information about a person’s private life.”