Insurance Coverage & Recovery

InsuranceLast week, the Eighth Circuit upheld a lower court’s ruling in State Bank of Bellingham v. BancInsure Inc., finding that a bank employee’s negligence in securing its computer network did not preclude coverage for a data breach resulting in a fraudulent funds transfer.  The decision affirms the lower court’s ruling granting summary judgment in favor of the Bank of Bellingham, holding that the loss was covered even if employee negligence contributed to the loss.

The Underlying Breach: The underlying coverage action between BancInsure and the Bank stemmed from an October 2011 incident in which a hacker gained access to the bank’s network with a “Zeus Trojan horse” virus and fraudulently transferred funds to accounts in Poland, resulting in a $485,000 loss.  The hacker was able to gain access because a bank employee inadvertently failed to remove two physical security tokens (which bank employees were required to insert into a computer in order to perform wire transfers via a specialized VPN device provided by the Federal Reserve) after performing a legitimate wire transfer.

Court Ruling: The Eight Circuit agreed with the trial court that an exclusion in the Bank’s financial institution bond for employee-caused losses did not apply based on Minnesota’s concurrent-causation doctrine, which states that when a loss results from multiple risks, some covered and some not covered, the loss is covered unless the excluded risk is the “overriding cause” of the loss.  The Eighth Circuit concluded that the overriding cause of the loss was the hacker’s criminal conduct rather than employee negligence, even though the employee’s negligence “played an essential role” in the loss and created a risk of intrusion into the bank’s computer system.  The court reasoned that an illegal wire transfer was not a “foreseeable and natural consequence” of the failure to follow proper computer security policies, procedures, and protocols.

The court also rejected BancInsure’s argument that the bond’s exclusions for loss due to the theft of confidential information or mechanical failure of a computer avoided application of the concurrent-causation doctrine, finding that the exclusions’ reference to “indirect” losses was not the type of “clear and specific” language needed to prevent the doctrine’s application.

The Takeaway: The Eighth Circuit’s ruling is a significant victory for policyholders.  Fidelity bonds and commercial crime policies commonly exclude “indirect loss.”  Insurance carriers frequently argue in disputes regarding such bonds or policies that the negligent actions of the policyholder’s employees converts an otherwise covered loss caused by a third party’s criminal acts into an “indirect,” uncovered loss.  The Eighth Circuit’s holding provides policyholders helpful authority to argue that employee negligence does not bar coverage or render an otherwise covered loss uncovered.

Although the decision is favorable to policyholders, there are a number of important caveats.  For instance, insurance policy language can vary substantially between carriers, and many commercial crime policies contains specific exclusions for data security breaches.  Additionally, the Eighth Circuit recognized that courts will enforce “anti-concurrent causation” provisions where the language is clear and specific.

InsuranceAs data breaches have continued to grow over the past few years, interest in cyber insurance coverage has grown along with it.  This week, the Fourth Circuit upheld a lower court’s ruling in Travelers Indemnity Co. of America v. Portal Healthcare Solutions, LLC, finding that a commercial general liability (CGL) insurance policy covered the cost to defend claims regarding a data breach.

In an unpublished opinion, a panel of the Fourth Circuit affirmed the Virginia District Court’s August 2014 decision that Travelers Indemnity Co. was obligated to defend Portal Healthcare Solutions in a class action lawsuit pending in New York state court.  The underlying class action alleged that Portal failed to secure a server containing confidential records of patients at a New York hospital, leaving the records available to view online for more than four months without a password.  Two patients discovered their records online following an internet search, but there was no evidence that any third parties viewed the information.

In looking at the four corners of the complaint and the underlying CGL insurance policy, the Fourth Circuit agreed that the mere availability of the private medical information online constituted “publication” under the CGL policy’s provision providing coverage for “electronic publication” of material regarding a person’s private life, thereby triggering the duty to defend.

Although the decision is favorable to policyholders, there are a number of important caveats.  For instance, insurance policy language can vary substantially between carriers, and the unpublished decision is not binding on other courts.  Notably, the decision contrasts a 2015 holding by the Connecticut Supreme Court finding that a CGL policy did not cover a loss of computer tapes containing employee personal information when there was no evidence of personal loss, no evidence that any third party ever accessed the information, and thus no “publication” of the information as required by the CGL policy.

In recent years, it has become increasingly difficult for policyholders to secure coverage for data breaches under CGL policies given the continuing trend of “electronic data” exclusions.  Moreover, CGL policies often contain express language clarifying that electronic data does not qualify as “tangible property,” a prerequisite for a finding of “property damage” under such policies.

Given that these policy limitations are becoming more prevalent, companies hoping to have coverage in the event of a data breach should evaluate whether their current policy appropriately covers cyber and data breach risks, or whether they may need to obtain a separate cyber liability policy specifically tailored to cover such risks.

If your company has suffered property damage or lost business as a result of recent catastrophic events – the extended closure of airspace due to volcanic ash from Iceland, the flooding of Nashville, Tennessee and surrounding areas, and the oil spill in the Gulf of Mexico – help may be on the way. While some insurance companies are already taking the position that coverage is not available for these losses, recovery for some companies is in fact likely, under the business interruption coverage often found in a property insurance policy. Whether coverage exists may depend on the business interruption language contained in your policy.

Physical damage to a business, such as water damage to a store in Nashville, may not be the only type of loss your property insurance covers. Insurance often also covers loss of business income. For example, if a business was forced to close or stop production because of physical damage to property, the inability to access property, or in response to an evacuation or curfew order, business interruption insurance may help. Business interruption insurance may also cover losses resulting from the closure of an insured company’s key supplier or customer, if that closure caused the insured company to stop or slow production. And that may be true even if the insured company is hundreds of miles away from the physical damage.

For further information about business interruption coverage for losses suffered as a result of the recent volcanic ash, flooding, or oil spill, and tips on how to maximize the chances of insurance recovery, please see the recent advisory prepared by Kelley Drye’s Insurance Recovery attorneys.

Numerous class action suits have been brought over the past several years under the Telephone Consumer Protection Act (“TCPA”) against entities that fax unsolicited advertisements (so-called “blast faxes”) to individuals and businesses.  Companies facing such suits in turn have sought insurance coverage under their comprehensive general liability (“CGL”) policies for costs incurred defending TCPA suits, and for indemnification of any liability.

While coverage disputes in blast faxing cases have historically yielded mixed results, a series of recent rulings have tilted the scales in favor of policyholders.  For example, the Florida Supreme Court decided on January 28, 2010 in Penzer v. Transportation Ins. Co., No. SC08-2068, 2010 WL 308043, that a standard CGL policy provided coverage for a suit brought under TCPA for alleged blast fax activities.  While other recent decisions have yielded similar results, Penzer is significant because it held that the plain language of the insurance policy compels coverage.

Despite the holding in Penzer, insurers will likely use the lack of unanimity among courts, and the potential for inconsistent results in jurisdictions yet to address the issue, as a basis to deny claims going forward.  Policyholders would be well served to not take these denials at face value, but rather should demand the coverage to which they are entitled.

A client advisory prepared by Kelley Drye & Warren LLP’s Insurance Recovery Group summarizes recent coverage decisions regarding blast faxing, including the Penzer decision, and discusses the implications of those cases for policyholders.

The recently filed case of First Bank v. Federal Insurance Company  reflects yet another financial services provider that was the subject of a data breach incident, and was forced into litigation with its insurers as a result. As detailed in our recent article, First Bank is not alone in having their insurance company deny the claim for coverage arising from the data breach. In this area of privacy and data security, anecdotally at least, it appears that many insurers are "underwriting at the point of claim" — that is, denying coverage in the hope that the policyholder will abandon pursuit of the coverage.

However, you may be covered, even if you do not have a "cyber" or "data security" policy. In fact, the label or title on the policy matters little, as Federal had issued a policy impressively titled, “Cybersecurity by Chubb for Financial Institutions,” yet disclaimed coverage. That old standby — Comprehensive General Liability (better known as "CGL") policies — may well provide you with the coverage you need to defend litigation arising from a data breach.

You may have noticed that premiums for Directors and Officers Liability (“D&O”) insurance are skyrocketing, largely as a result of the subprime lending crisis, stock market volatility, and the ensuing financial uncertainty. According to the American Banker, since 2008 D&O premiums, depending on the coverage type, have increased between 15% to 40% since last year. This trend shows no sign of abating. Other reports, including a recent analysis by Aon, confirm this trend.  Similar increases are forecast for the next several years as claims stemming from the current financial crisis are litigated and resolved. In fact, directors and officers of certain troubled businesses, particularly of financial institutions, may soon find that they are uninsurable at any reasonable price.

Higher premiums, however, are only one of the insurance industry’s reactions to the current financial conditions. Insurers also are instituting more restrictive terms and conditions, lower limits of liability, higher deductibles, and in some cases, specifically tailored exclusions that eliminate coverage for liability resulting from bankruptcy, bank failures, or claims brought by the Federal Deposit Insurance Corporation. In light of these developments, many financial institutions may find it difficult to retain and attract talented directors and officers at the very moment when such leadership is most needed. In fact, this current talent drain is a continuation of a trend that began in 2002 with the passage of the Sarbanes-Oxley Act.

One factor impacting rates and the availability of D&O insurance is the uncertainty surrounding AIG’s financial condition and future viability. AIG has long been the dominant underwriter of D&O insurance. As banks turn away from AIG for their D&O coverage, they are not finding the competition for their business that one might expect when an industry leader appears vulnerable. On the contrary, banks are facing a shrinking D&O market as several smaller carriers have decided to stop underwriting such coverage, especially for banks and other financial institutions, because the premiums are no longer perceived as worth the potential risk. In turn, those smaller insurers’ withdrawal from the market should only exacerbate the rate at which D&O insurance premiums increase in the ensuing months and years.

Faced with higher premiums for less D&O coverage, companies and their directors and officers should aggressively negotiate the most favorable coverage for their money. To that end, when negotiating new policies or renewals, they should carefully gauge their risk and exposure, and closely review proposed D&O policies, including exclusions, for provisions that could potentially eliminate coverage. If the proposed coverage is insufficient, or if sufficient coverage is only available at unreasonable rates, policyholders should consider alternative ways to maximize coverage and/or minimize risk going forward.

Which among the following businesses are potentially subject to consumer financial services laws, rules, and regulations?

A. a retail clothing chain
B. a bank or mortgage company
C. an internet retailer
D. a fast food franchisor
E. all of the above

If you answered E, “All of the above,” you are CORRECT. However, many companies do not realize their businesses are subject to consumer financial services laws. Consequently, their businesses may not be compliant and may be subject to litigation risk.

The focus of the Consumer Finance Law Blog is to keep – all on one site – traditional and non-traditional financial service providers subject to consumer financial services laws abreast of recent developments in:

  • State consumer protection statutes and regulations
  • State privacy statutes
  • Privacy and consumer protection litigation
  • Card Association Rules
  • Equal Credit Opportunity Act
  • Electronic Funds Transfer Act
  • Fair Credit Reporting Act
  • Fair Credit Transactions Act
  • Fair Debt Collection Practices Act
  • Payment Card Industry Data Security Standard
  • State Money Transmitter Statutes
  • State Retail Installment Sales Act
  • State and Federal Unfair and Deceptive Trade Practices Acts
  • TILA, RESPA, and related federal and state consumer disclosure and notice requirements
  • Insurance coverage issues
  • Legislation that may impact company compliance or create new litigation risk.

We welcome you and hope that you find our posts interesting, educational, and thought provoking. We also welcome your feedback and invite you to suggest topics or recent decisions of interest that you would like us to address.