Cybersecurity Insurance: Circuit Courts Weigh in on Insurers’ Liability for an Insured’s Losses Stemming from a Data Breach | Pietragallo Gordon Alfano Bosick & Raspanti, LLP

Takeaway: When a cybersecurity-related incident occurs, an insured should not automatically assume that a standard commercial general liability (CGL) policy will cover its losses, since CGL policies generally provide coverage for losses resulting from personal injury and damage to property. An insured’s cybersecurity losses can include much more, i.e., third parties not within the scope of an insured’s traditional CGL policy. Therefore, to ensure cyber coverage is in place following a cyber incident, an insured should ensure potential cyber-related losses are included in the “four corners” of the underlying insurance policy to provide a defense and, more importantly, to ensure coverage by an insurer.

Key point: In determining whether a duty to defend exists, a court must follow the “eight corners” rule and look at the “four corners” of the complaint and the “four corners” of the underlying insurance policies.[1] In other words, an insurer has a duty to defend its insured when the factual allegations in the complaint, on their face, involve damage that is actually or potentially within the scope of the policy.[2]

Discussion: Recently, a growing number of legal disputes over whether losses related to cybersecurity incidents are covered by an insured’s policy have tested the applicability of the underlying policy. For example, a panel of the Eleventh Circuit considered whether a “Computer Fraud” policy issued by Great American Insurance Company to Interactive Communications International, Inc. and HI Technology Corp. (collectively, “InComm”) excluded coverage for fraud-related losses.[3] InComm sold “chips” – each of which had a specific monetary value – to consumers who could then “redeem” them by loading their value onto a debit card.[4] Between November 2013 and May 2014, InComm lost $11.4 million when scammers manipulated a flaw in InComm’s computerized interactive phone system that allowed them to redeem chips multiple times, with each duplicate redemption of an already redeemed chip costing InComm the value of the chip.[5] The panel interpreted proximate cause narrowly and found that the insured’s losses from the fraudulent hack were not directly attributable to computer fraud and were therefore not covered by the insurance policy.[6] Importantly, the panel noted that while the scammers “used [a] Computer” within the meaning of the policy, the insured’s loss did not “result[ ] directly” from computer fraud, as required by the plain text of the policy,[7] i.e., the meaning of the terms in the “four corners” of the policy.

In another case, the Court of Appeals for the Second Circuit considered[8] whether losses due to a “spoofing” attack[9] were covered by the computer fraud provision of an insurance policy issued by the Federal Insurance Company. The plaintiff, Medidata Solutions, Inc., provides cloud-based services to researchers conducting clinical trials and uses Google’s Gmail platform for corporate email.[10] Email messages sent to Medidata employees were routed through Google’s servers, and Google’s systems then processed and stored the messages.[11] In the midst of planning a potential acquisition, Medidata instructed its finance staff to “prepare to urgently assist with critical transactions.”[12] On September 16, 2014, a Medidata employee received an email, allegedly from Medidata’s President, stating that Medidata was nearing completion of an acquisition and that an attorney named Michael Meyer (“Meyer”) would be contacting the employee.[13] Meyer then called the employee and requested a wire transfer, and $4,770,226.00 was transferred to a bank account provided by Meyer.

Medidata filed a lawsuit, claiming that its losses from the email “spoofing” attack were covered by, among other things, a computer fraud provision in its Federal Insurance policy. The provision covered losses arising from “inputting data into” or “altering data elements or program logic of” a computer system. Federal Insurance claimed that the spoofing attack was not covered because Medidata’s policy applied only to hacking attacks.[14]

In interpreting the “plain and clear language of the policy,” the court ruled that the “spoofing” attack was the proximate cause of Medidata’s losses and that those losses were covered by the Computer Fraud provision because computers were an integral part of the success of the scheme.[15]

And just a week ago, Wesco Insurance Company filed a complaint against IRA Financial Group seeking a declaration that it does not have to provide coverage for various claims made against the self-directed retirement account provider in connection with a cyberattack in which at least $36 million in crypto assets was stolen.[16] The complaint cites various provisions of the underlying policy allegedly in support of Wesco’s denial of coverage, including a provision excluding “cyber liability”.[17] Given the recent surge in the number of cryptocurrency holders worldwide, it will be interesting to see how the court interprets the “plain language” of the insurance policy to determine whether those terms fall within the “four corners” of the underlying policy, such that the policy provides coverage to the insured.

[1] See Travelers Indem. Co. of America v. Portal Healthcare Solutions, LLC, 35 F.Supp.3d 765, 769 (E.D. Va. 2014).

[2] See American and Foreign Ins. Co. v. Jerry’s Sport Center, Inc., 2 A.3d 526, 541 (Pa. 2010).

[3] See Interactive Communications International, Inc. v. Great American Ins. Co., 731 Fed.Appx. 929 (11th Cir. 2018).

[4] Id. at 930.

[5] Id. at 930-31.

[6] Id. at 935-36.

[7] Id. at 930.

[8] See Medidata Solutions, Inc. v. Federal Ins. Co., 729 Fed.Appx. 117 (Mem) (2d Cir. 2018).

[9] As the district court explained, “spoofing” is “the practice of disguising a commercial e-mail to make it appear that the e-mail came from an address that it did not in fact come from. Spoofing involves inserting an email address other than the actual sender’s address into the ‘from’ or ‘reply-to’ lines or other parts of email messages without the consent or authorization of the user of the email address whose address is spoofed.” Medidata Sols., Inc. v. Fed. Ins. Co., 268 F.Supp.3d 471, 477 n.2 (S.D.N.Y. 2017) (citing Karvaly v. eBay, Inc., 245 F.R.D. 71, 91 n.34 (E.D.N.Y. 2007)).

[10] See Medidata Solutions, Inc., 268 F.Supp.3d at 472.

[11] Id.

[12] Id. at 473.

[13] Id.

[14] See Medidata Solutions, Inc., 729 Fed.Appx. at 118.

[15] Id. at 119.

[16] See Wesco Ins. Co. v. IRA Financial Group, et al., Case No. 1:22-cv-23507 (S.D. Fla. Oct. 27, 2022).

[17] See Wesco’s Complaint, ¶ 48, p. 19

* This blog is for informational purposes only and is not intended to constitute legal advice on any subject. By viewing blog posts, the reader understands that there is no attorney-client relationship between the reader and the blog publisher. The blog should not be used as a substitute for legal advice from a licensed professional attorney. Readers are urged to consult their own legal counsel or contact one of Pietragallo’s attorneys with any legal questions regarding any particular situation.