On October 25, in the case of Camp’s Grocery, Inc. v. State Farm Fire & Casualty Company, the District Court for the Northern District of Alabama granted summary judgment in favor of State Farm Fire and Casualty Company (“State Farm”), concluding that State Farm did not have to defend or indemnify its policyholder, Camp’s
On May 26, 2016, in the case of P.F. Chang’s v. Federal Insurance Co., the U.S. District Court for the District of Arizona held that a stand-alone cyber insurance policy did not cover fees assessed by a third-party credit card processing company against P.F. Chang’s following a June 2014 data breach. This decision is notable because it is one of the first involving the scope of coverage under a stand-alone cyber insurance policy. Furthermore, since hiring a credit card processing company is a common practice among restaurants and retailers, policyholders that use these third-party companies may encounter similar fees if and when a data breach occurs.
At the core of this dispute was P.F. Chang’s decision to hire a third-party company to process credit card payments instead of dealing directly with the credit card associations. After the 2014 data breach, in which computer hackers obtained and posted to the Internet about 60,000 credit card numbers belonging to P.F. Chang’s customers, the credit card associations imposed fees on the third-party processing company, Bank of America Merchant Services (“BAMS”). BAMS then passed these fees on to P.F. Chang’s pursuant to the service contract.
Federal Insurance Company (“Federal Insurance”) had sold a CyberSecurity by Chubb Policy (the “Cyber Policy”) to P.F. Chang’s corporate parent, Wok Holdco LLC, which was in effect from January 1, 2014 to January 1, 2015. After learning of the data breach, P.F. Chang’s tendered its claim to Federal Insurance. Federal Insurance reimbursed P.F. Chang’s for over $1.7 million in costs incurred as a result of the data breach, including a forensic investigation and a third-party lawsuit. However, Federal Insurance refused to reimburse P.F. Chang’s for fees assessed by BAMS in connection with the data breach, and P.F. Chang’s filed suit.
Following an April 11 ruling by the Fourth Circuit in Travelers Indemnity Company of America v. Portal Healthcare Solutions, LLC, Travelers must defend its policyholder, Portal Healthcare, in a class action lawsuit concerning a security breach. For years, courts have wrestled with whether traditional commercial general liability (CGL) policies provide coverage in the event of a data breach. The results have been mixed. This most recent decision highlights the uncertainty that remains over whether traditional insurance policies cover cyber liabilities and, if so, under what circumstances and to what extent. This case appears to have been driven by specific policy language and the facts of the cyber incident, particularly the conduct of the policyholder, but it highlights the increasing prevalence of cyber insurance issues.
Travelers had issued two CGL policies to Portal Healthcare, a medical records company. In April 2013, a class action was filed in New York state court alleging that, as a result of Portal Healthcare’s failure to properly protect its server, confidential medical records for patients at a New York hospital were accessible on the Internet to unauthorized individuals. The class action complaint asserts counts for alleged negligence, breach of warranty, breach of contract, and also seeks injunctive relief against Portal Healthcare, the hospital, and others.
In July 2013, Travelers filed the coverage action at issue here in the U.S. District Court for the Eastern District of Virginia. Travelers sought a declaration that it was not obligated under its CGL policies to defend or indemnify Portal Healthcare against the underlying class action lawsuit. Specifically, Travelers argued that it was entitled to declaratory judgment because the underlying class action does not allege “personal injury,” “publication of material,” “advertising injury” or “website injury,” as defined in the Travelers policies.
On March 2, 2016, the National Association of Insurance Commissioners (NAIC) Cybersecurity Task Force proposed a new model law intended to “establish the exclusive standards for data security and investigation and notification of a breach of data security” in the insurance industry.
The model law requires licensed insurers and producers to:
- Develop, implement and maintain an information security program to ensure confidentiality of personal information, and protect against anticipated threats to and unauthorized access of such information.
- Provide for board of directors oversight of the information security program (if applicable) and annual reporting to the board of directors regarding the data security program.
- Include provisions in all third-party service provider contracts regarding (a) third-party safeguards, (b) post-breach notification, (c) post-loss indemnification, (d) cyber-security audits, and (e) representations and warranties regarding compliance.
- Investigate a suspected data breach and take steps to restore the security and confidentiality of compromised systems.
- Provide notice of a data breach to (a) the appropriate federal and state law enforcement agency, (b) the insurance commissioner, (c) consumers, and (d) consumer reporting agencies.
- Implement protections for consumers after a data breach as prescribed by the commissioner but not less than twelve months of identity theft protection for affected consumers paid for by the insurer/producer.
On October 14, the National Association of Insurance Commissioners (NAIC) announced its cybersecurity “bill of rights,” which outlines six rights of insurance consumers. Generally speaking, the bill of rights is divided into three broad categories: (1) standard consumer information, (2) insurer safeguards and actions, and (3) post-breach and identity theft protections. Although most states have data breach laws, the proposed rights exceed what many states require. Given the current differences in state laws governing how insurance companies must protect consumers’ data, this new bill of rights may spur additional privacy legislation and greater uniformity among state laws.
First, the bill of rights states that consumers have the right to know the information that is collected and stored by insurance companies, their agents or businesses contracting with these insurance companies. Insurance consumers also have the right to expect that privacy policies be made available on the insurers’ websites and upon request. Second, the bill of rights provides that insurance companies must take reasonable steps to protect consumers’ personal information. Third, the bill of rights sets out specific notice requirements in the event of a data breach. If a breach occurs, insurance consumers have the right to at least one year of identity theft protection paid for by the company or agent involved in the data breach. Additionally, an insurance consumer whose identity is stolen has a right to, among other things, put a 90-day initial fraud alert on his or her credit report, put a credit freeze on his or her credit report, and obtain copies of documents related to the identity theft.
In a recent Law360 publication, C&M attorneys Rachel Raphael and Ellen Farrell discuss how directors and officers (D&O) insurance coverage applies when a company experiences a data breach. As they explain, D&O policies may provide some coverage when a company’s directors and officers are sued after a cyber incident, but there are often policy exclusions …
On August 17, in the case of Carolina Casualty Insurance Company, et al. v. Red Coats Inc., the Eleventh Circuit reinstated a suit brought by Admiral Security Services against two of its insurers, Continental Casualty and National Union, in the district court for the Northern District of Florida. Admiral was seeking coverage under commercial general liability (CGL) policies issued by Continental Casualty and National Union for settlement payments that Admiral made to AvMed Inc. after AvMed suffered damages from a security breach. The district court granted summary judgment in favor of the two insurers, but the Eleventh Circuit reversed based on its conclusion that the availability of coverage under these policies turned on the state law applicable to the insurance contracts. Given the relative paucity of cases involving coverage for security breaches, this case is one to watch, especially as the Eleventh Circuit has suggested that coverage may ultimately come down to which state’s law applies – an issue that can potentially “make or break” coverage in any case.
By way of background, Admiral had been hired by AvMed to provide security services at one of AvMed’s facilities when one of Admiral’s security guards allegedly stole laptop computers from AvMed that contained personal information of AvMed members protected by the Health Insurance Portability and Accountability Act (HIPAA). The coverage action originated when one of Admiral’s carriers, Carolina Casualty, filed a declaratory judgment action in a Florida district court seeking a judicial determination as to whether the Employment Practices Liability Policy that it had issued to Admiral provided coverage for the security breach suit filed by AvMed against Admiral. Admiral filed an answer and a counterclaim, which brought three other of Admiral’s carriers into the suit – Continental Casualty, National Union and Travelers – each of which had issued policies to Admiral.
Following up on our previous post, on Friday, July 17, the U.S. District Court for the Central District of California dismissed a lawsuit initiated by Columbia Casualty Company (“Columbia”) against Cottage Health System (“Cottage”) related to a data breach that released about 32,500 patient healthcare records that were stored electronically on Cottage’s network servers. Columbia Casualty Company v. Cottage Health System, No. 2:15-cv-03432, would have been a case of first impression in the California district court and one of the first litigated disputes involving a stand-alone cyberinsurance policy.
According to U.S. District Judge Dean D. Pregerson, who dismissed the suit, Columbia’s resort to litigation was premature. In this regard, the stand-alone “NetProtect360” cyberinsurance policy at issue provided that “[a]ll disputes and differences between the Insured and Insurer which may arise under or in connection with this policy . . . shall be submitted to the alternative dispute resolution (“ADR”) process” and that if the chosen method of ADR is mediation, then “no . . . judicial proceeding shall be commenced until the mediation shall have been terminated and at least 60 days shall have elapsed from the date of the termination . . . .”
The ever-increasing frequency of cyber incidents has caused companies to recognize the need for cyberinsurance policies in addition to more traditional types of coverage. A recent case, Columbia Casualty Company v. Cottage Health System, No. 2:15-cv-03432, suggests that even coverage under these stand-alone cyberinsurance policies may have limits.
Earlier this month, Columbia Casualty Company (“Columbia”) filed an action in the U.S. District Court for the Central District of California, seeking a declaration that it is not obligated to provide coverage to Cottage Health System (“Cottage”) in connection with a data breach that resulted in the release of private healthcare patient information stored on Cottage’s network servers. In a case of first impression, the district court has been asked to decide the scope of coverage provided by the stand-alone “NetProtect360” cyberinsurance policy issued by Columbia to Cottage.…
Continue Reading California District Court Called Upon to Determine Scope of Coverage Provided by Stand-Alone Cyberinsurance Policy
The National Association of Insurance Commissioners (“NAIC”) has encouraged insurers and state insurance regulators to act proactively in reducing cybersecurity risks to consumer financial and health information. On April 16, the NAIC adopted the Principles for Effective Cybersecurity Insurance Regulatory Guidance (“Principles”), twelve regulatory principles aimed at increasing the protection of [confidential and personally identifiable information] against cybersecurity breaches. The Principles promote collaboration between regulators charged with guidance and oversight, and insurers that can identify risks and offer practical solutions for protecting sensitive information.…
Continue Reading NAIC Provides Cybersecurity Guidance for Insurers, Regulators