Cyber Policies and Issues

The United States District Court for the Northern District of Mississippi, applying Mississippi law, held that only a “Social Engineering Fraud” provision responded to a loss resulting when an unknown third-party, posing as the insured’s vendor, sent fraudulent banking information and the insured issued payments based on that information.  Miss. Silicon Holdings, LLC v. AXIS Ins. Co., 2020 WL 868874 (N.D. Miss. Feb. 21, 2020).  The court, holding that the policy provisions were unambiguous, rejected the insured’s argument that the policy’s “Computer Transfer Fraud” and “Funds Transfer Fraud” provisions should apply.

Continue Reading

A Maryland federal district court has ruled that a ransomware event involved “direct physical loss of or damage to” software, data, and computer systems, thus triggering coverage under a businessowner’s insurance policy.  National Ink & Stitch, LLC v. State Auto Prop. & Cas. Ins. Co., No. SAG-18-2138 (D. Md. Jan. 23, 2020).

Continue Reading

The United States District Court for the Southern District of New York, applying Connecticut law, has concluded that a fraud exclusion is not triggered where an insured unwittingly transferred a client’s funds to third-party fraudulent actors based on spoofed emails, because the fraudulent acts were not committed by the insured.  SS&C Techs. Holdings, Inc. v. AIG Specialty Ins. Co., No. 19-cv-7859 (S.D.N.Y. Nov. 5, 2019).

Continue Reading

An Alabama federal district court has ruled that a third-party claim seeking indemnification for a medical malpractice suit, allegedly resulting from the insured’s allegedly faulty performance of technology services, was barred from coverage by “medical services” and bodily injury exclusions.  Jackson, Key & Assocs., LLC v. Beazley Ins. Co., Inc., 2018 WL 6710041 (S.D. Ala. Nov. 30, 2018) (report and recommendation adopted on December 20, 2018).

Continue Reading

A Montana federal district court has ruled that a false pretense exclusion did not preclude coverage under a crime policy for monetary losses resulting from a fraudulent email scheme, reasoning that the exclusion was ambiguous.  Ad Advert. Design, Inc. v. Sentinel Ins. Co., 2018 WL 4621744 (D. Mont. Sept. 26, 2018).  The court also held that further briefing was necessary to determine the amount recoverable under the policy.

Continue Reading

A Florida federal district court has ruled that a claim asserting that an insured’s negligent data security practices led to a payment card breach did not trigger personal injury coverage under a CGL policy.  See St. Paul Fire & Marine Ins. Co. v. Rosen Millennium, Inc., No. 6:17-cv-540-Orl-41GJK (M.D. Fla. Sept. 28, 2018).  The court reasoned that because the hacker’s conduct, not the insured’s omissions, led to the breach, the insured did not make known any private information.  The alleged damages therefore did not “result[] from [the insured’s] business activities” but instead arose from the third-party hacker’s criminal conduct.

Continue Reading

A Nevada federal district court has applied the “direct means direct” rule to conclude that losses an insured suffered from payment card chargebacks when certain employees made fraudulent charges on customers’ payment cards were only the “indirect” result of employee theft, and therefore not covered under the insured’s commercial crime policy.  CP Food & Beverage, Inc. v. U.S. Fire Ins. Co., No. 1:16-cv-02421-APG-GWF (D. Nev. Aug. 6, 2018).

Continue Reading

The U.S. Court of Appeals for the Sixth Circuit, applying Michigan law, has held that the computer fraud provision of a commercial crime policy covers losses from wire transfers sent by the insured pursuant to fraudulent emails.  American Tooling Ctr., Inc. v. Travelers Cas. & Sur. Co., 2018 WL 3404708 (6th Cir. Jul. 13, 2018).

Continue Reading