On December 15, 2016, in The Travelers Indemnity Co. of Connecticut v. Max Margulis, et al., the U.S. District Court for the Eastern District of Missouri ruled that an insurer did not have a duty to defend its policyholder in a suit alleging a violation of the Telephone Consumer Protection Act (“TCPA”). Margulis
In a recent Law360 publication, C&M attorneys Rachel Raphael and Ellen Farrell discuss how the Internet of Things (IOT) can present complex insurance coverage issues. As they explain, the tangible and intangible nature of IOT products can cause particular confusion between traditional general liability policies (which may exclude coverage for cyber incidents) and stand-alone cyber …
On May 26, 2016, in the case of P.F. Chang’s v. Federal Insurance Co., the U.S. District Court for the District of Arizona held that a stand-alone cyber insurance policy did not cover fees assessed by a third party credit card processing company against P.F. Chang’s following a June 2014 data breach. This decision is notable because it is one of the first involving the scope of coverage under a stand-alone cyber insurance policy. Furthermore, since hiring a credit card processing company is a common practice among restaurants and retailers, if and when a data breach occurs, policyholders that use these third party companies may encounter similar fees.
At the core of this dispute was P.F. Chang’s decision to hire a third-party company to process credit card payments instead of dealing directly with credit card associations. After the 2014 data breach, in which computer hackers obtained and posed to the Internet about 60,000 credit card numbers belonging to P.F. Chang’s customers, the credit card associations imposed fees on the third-party processing company, Bank of America Merchant Services (“BAMS”). BAMS then passed these fees on to P.F. Chang’s pursuant to the service contract.
Federal Insurance Company (“Federal Insurance”) had sold a CyberSecurity by Chubb Policy (the “Cyber Policy”) to P.F. Chang’s corporate parent, Wok Holdco LLC, which was in effect from January 1, 2014 to January 1, 2015. After learning of the data breach, P.F. Chang’s tendered its claim to Federal Insurance. Federal Insurance reimbursed P.F. Chang’s for over $1.7 million in costs incurred as a result of the data breach, including a forensic investigation and a third-party lawsuit. However, Federal Insurance refused to reimburse P.F. Chang’s for fees assessed by BAMS in connection with the data breach, and P.F. Chang’s filed suit.
Following an April 11 ruling by the Fourth Circuit in Travelers Indemnity Company of America v. Portal Healthcare Solutions, LLC, Travelers must defend its policyholder, Portal Healthcare, in a class action lawsuit concerning a security breach. For years, courts have wrestled with whether traditional commercial general liability (CGL) policies provide coverage in event of a data breach. The results have been mixed. This most recent decision highlights the uncertainty that remains over whether traditional insurance policies cover cyber liabilities and, if so, under what circumstances and to what extent. This case appears to have been driven by specific policy language and the facts of the cyber incident, particularly the conduct of the policyholder, but highlights the increasing prevalence of cyber insurance issues.
Travelers had issued two CGL policies to Portal Healthcare, a medical records company. In April 2013, a class action was filed in New York state court alleging that, as a result of Portal Healthcare’s failure to properly protect its server, confidential medical records for patients at a New York hospital were accessible on the Internet to unauthorized individuals. The class action complaint asserts counts for alleged negligence, breach of warranty, breach of contract, and also seeks injunctive relief against Portal Healthcare, the hospital, and others.
In July 2013, Travelers filed the coverage action at issue here in the U.S. District Court for the Eastern District of Virginia. Travelers sought a declaration that it was not obligated under its CGL policies to defend or indemnify Portal Healthcare against the underlying class action lawsuit. Specifically, Travelers argued that it was entitled to declaratory judgment because the underlying class action does not allege “personal injury,” “publication of material,” “advertising injury” or “website injury,” as defined in the Travelers policies.
On August 17, in the case of Carolina Casualty Insurance Company, et al v. Red Coats Inc., the Eleventh Circuit reinstated a suit brought by Admiral Security Services against two of its insurers, Continental Casualty and National Union, in the district court for the Northern District of Florida. Admiral was seeking coverage under commercial general liability (CGL) polices issued by Continental Casualty and National Union for settlement payments that Admiral made to AvMed Inc. after AvMed suffered damages from a security breach. The district court granted summary judgment in favor of the two insurers but the Eleventh Circuit reversed based on its conclusion that the availability of coverage under these policies turned on the state law applicable to the insurance contracts. Given the relative paucity of cases involving coverage for security breaches, this case is one to watch, especially as the Eleventh Circuit has suggested that coverage may ultimately come down to which State’s law applies – an issue that can potentially “make or break” coverage in any case.
By way of background, Admiral had been hired by AvMed to provide security services at one of AvMed’s facilities, when one of Admiral’s security guards allegedly stole laptop computers from AvMed that contained personal information of AvMed members protected by the Health Insurance Portability and Accountability Act (HIPAA). The coverage action originated when one of Admiral’s carriers, Carolina Casualty, filed a declaratory judgment in a Florida district court seeking a judicial determination as to whether the Employment Practice Liability Policy that it had issued to Admiral provided coverage for the security breach suit filed by AvMed against Admiral. Admiral filed an answer and a counter-claim, which brought three other of Admiral’s carriers into the suit – Continental Casualty, National Union and Travelers that had issued policies to Admiral.
In follow up to our previous post, on Friday, July 17, the U.S. District Court for the Central District of California dismissed a lawsuit initiated by Columbia Casualty Company (“Columbia”) against Cottage Health System (“Cottage”) related to a data breach that released about 32,500 patient healthcare records that were stored electronically on Cottage’s network servers. Columbia Casualty Company v. Cottage Health System, No. 2:15-cv-03432 would have been a case of first impression in the California district court and one of the first litigated disputes involving a stand-alone cyberinsurance policy.
According to U.S. District Judge Dean D. Pregerson, who dismissed the suit, Columbia’s resort to litigation was premature. In this regard, the stand-alone “NetProtect360” cyberinsurance policy at issue provided that “[a]ll disputes and differences between the Insured and Insurer which may arise under or in connection with this policy . . . shall be submitted to the alternative dispute resolution (“ADR”) process” and that if the chosen method of ADR is mediation, then “no . . . judicial proceeding shall be commenced until the mediation shall have been terminated and at least 60 days shall have elapsed from the date of the termination . . . .”
The ever-increasing frequency of cyber incidents has caused companies to recognize the need for cyberinsurance policies in addition to more traditional types of coverage. A recent case, Columbia Casualty Company v. Cottage Health System, No. 2:15-cv-03432, suggests that even coverage under these stand-alone cyberinsurance policies may have limits.
Earlier this month, Columbia Casualty Company (“Columbia”) filed an action in the U.S. District Court for the Central District of California, seeking a declaration that it is not obligated to provide coverage to Cottage Health System (“Cottage”) in connection with a data breach that resulted in the release of private healthcare patient information stored on Cottage’s network servers. In a case of first impression, the district court has been asked to decide the scope of coverage provided by the stand-alone “NetProtect360” cyberinsurance policy issued by Columbia to Cottage.…