Cyber Policies and Issues

The Indiana Court of Appeals, applying Indiana law, has held that a ransomware attack did not necessarily constitute a “fraudulent” act, and the corresponding loss did not fall within the scope of the computer fraud coverage part of a multi-peril commercial insurance policy.  G&G Oil Co. of Ind. v. Cont’l Western Ins. Co., 2020 WL 1528095 (Ind. Ct. App. Mar. 31, 2020).  The court rejected the argument that the ransomware attack was a fraud because it was an “unconscionable dealing” and instead found that the hacker did not “pervert the truth” or engage in deception in order to induce ransom payment.

Continue Reading No Computer Fraud Coverage for Ransomware Attack

An Illinois federal district court has ruled that a technology company’s failure to provide timely notice of a computer outage and related email demand barred coverage for a later-filed lawsuit.  Hartford Fire Ins. Co. v. iNetworks Servs., LLC, 2020 WL 1491139 (N.D. Ill. Mar. 27, 2020).

Continue Reading Untimely Notice of Server Outage and Related Client Communications Bars Coverage for Claim Filed against Technology Service Provider

The United States District Court for the Northern District of Mississippi, applying Mississippi law, held that only a “Social Engineering Fraud” provision responded to a loss resulting when an unknown third-party, posing as the insured’s vendor, sent fraudulent banking information and the insured issued payments based on that information.  Miss. Silicon Holdings, LLC v. AXIS Ins. Co., 2020 WL 868874 (N.D. Miss. Feb. 21, 2020).  The court, holding that the policy provisions were unambiguous, rejected the insured’s argument that the policy’s “Computer Transfer Fraud” and “Funds Transfer Fraud” provisions should apply.

Continue Reading Lack of Knowledge Requirement Nixes Coverage for Social Engineering Fraud Under Computer Transfer or Funds Transfer Fraud Limits

A Maryland federal district court has ruled that a ransomware event involved “direct physical loss of or damage to” software, data, and computer systems, thus triggering coverage under a businessowner’s insurance policy.  National Ink & Stitch, LLC v. State Auto Prop. & Cas. Ins. Co., No. SAG-18-2138 (D. Md. Jan. 23, 2020).

Continue Reading Ransomware Attack Involves “Direct Physical Loss of or Damage to” Software, Data and Computer Systems

The United States District Court for the Southern District of New York, applying Connecticut law, has concluded that a fraud exclusion is not triggered where an insured unwittingly transferred a client’s funds to third-party fraudulent actors based on spoofed emails, because the fraudulent acts were not committed by the insured.  SS&C Techs. Holdings, Inc. v. AIG Specialty Ins. Co., No. 19-cv-7859 (S.D.N.Y. Nov. 5, 2019).

Continue Reading Fraud Exclusion Inapplicable Where Insured Unwittingly Transferred Funds to Fraudsters

A Florida federal district court has ruled that an invasion of privacy exclusion barred coverage for a lawsuit and consent judgment involving alleged violations of the Telephone Consumer Protection Act (TCPA).  See Horn v. Liberty Ins. Underwriters, Inc., No. 9:18-cv-80762 (S.D. Fla. May 30, 2019).

Continue Reading Invasion of Privacy Exclusion Bars Coverage for Consent Judgment in TCPA Claim

An Alabama federal district court has ruled that a third-party claim seeking indemnification for a medical malpractice suit, allegedly resulting from the insured’s allegedly faulty performance of technology services, was barred from coverage by “medical services” and bodily injury exclusions.  Jackson, Key & Assocs., LLC v. Beazley Ins. Co., Inc., 2018 WL 6710041 (S.D. Ala. Nov. 30, 2018) (report and recommendation adopted on December 20, 2018).

Continue Reading Third-Party Complaint Seeking Indemnity from IT Company for Underlying Medical Malpractice Suit Barred by Medical Services and Bodily Injury Exclusions

A Montana federal district court has ruled that a false pretense exclusion did not preclude coverage under a crime policy for monetary losses resulting from a fraudulent email scheme, reasoning that the exclusion was ambiguous.  Ad Advert. Design, Inc. v. Sentinel Ins. Co., 2018 WL 4621744 (D. Mont. Sept. 26, 2018).  The court also held that further briefing was necessary to determine the amount recoverable under the policy.

Continue Reading Monetary Loss from Fraudulent Email Scheme Triggers Coverage Under Business Owners’ Policy

A Florida federal district court has ruled that a claim asserting that an insured’s negligent data security practices led to a payment card breach did not trigger personal injury coverage under a CGL policy.  See St. Paul Fire & Marine Ins. Co. v. Rosen Millennium, Inc., No. 6:17-cv-540-Orl-41GJK (M.D. Fla. Sept. 28, 2018).  The court reasoned that because the hacker’s conduct, not the insured’s omissions, led to the breach, the insured did not make known any private information.  The alleged damages therefore did not “result[] from [the insured’s] business activities” but instead arose from the third-party hacker’s criminal conduct.

Continue Reading No Personal Injury Coverage for Payment Card Breach Because Damages Resulted from Hacker’s Criminal Conduct, Not Insured’s Data Security Practices

A Nevada federal district court has applied the “direct means direct” rule to conclude that losses an insured suffered from payment card chargebacks when certain employees made fraudulent charges on customers’ payment cards were only the “indirect” result of employee theft, and therefore not covered under the insured’s commercial crime policy.  CP Food & Beverage, Inc. v. U.S. Fire Ins. Co., No. 1:16-cv-02421-APG-GWF (D. Nev. Aug. 6, 2018).

Continue Reading Court Rules that “Direct Means Direct” in Crime Policy, Rejecting Proximate Cause Analysis