Cyber Policies and Issues

The United States District Court for the Southern District of New York, applying Connecticut law, has concluded that a fraud exclusion is not triggered where an insured unwittingly transferred a client’s funds to third-party fraudulent actors based on spoofed emails, because the fraudulent acts were not committed by the insured.  SS&C Techs. Holdings, Inc. v. AIG Specialty Ins. Co., No. 19-cv-7859 (S.D.N.Y. Nov. 5, 2019).

Continue Reading

An Alabama federal district court has ruled that a third-party claim seeking indemnification for a medical malpractice suit, allegedly resulting from the insured’s allegedly faulty performance of technology services, was barred from coverage by “medical services” and bodily injury exclusions.  Jackson, Key & Assocs., LLC v. Beazley Ins. Co., Inc., 2018 WL 6710041 (S.D. Ala. Nov. 30, 2018) (report and recommendation adopted on December 20, 2018).

Continue Reading

A Montana federal district court has ruled that a false pretense exclusion did not preclude coverage under a crime policy for monetary losses resulting from a fraudulent email scheme, reasoning that the exclusion was ambiguous.  Ad Advert. Design, Inc. v. Sentinel Ins. Co., 2018 WL 4621744 (D. Mont. Sept. 26, 2018).  The court also held that further briefing was necessary to determine the amount recoverable under the policy.

Continue Reading

A Florida federal district court has ruled that a claim asserting that an insured’s negligent data security practices led to a payment card breach did not trigger personal injury coverage under a CGL policy.  See St. Paul Fire & Marine Ins. Co. v. Rosen Millennium, Inc., No. 6:17-cv-540-Orl-41GJK (M.D. Fla. Sept. 28, 2018).  The court reasoned that because the hacker’s conduct, not the insured’s omissions, led to the breach, the insured did not make known any private information.  The alleged damages therefore did not “result[] from [the insured’s] business activities” but instead arose from the third-party hacker’s criminal conduct.

Continue Reading

A Nevada federal district court has applied the “direct means direct” rule to conclude that losses an insured suffered from payment card chargebacks when certain employees made fraudulent charges on customers’ payment cards were only the “indirect” result of employee theft, and therefore not covered under the insured’s commercial crime policy.  CP Food & Beverage, Inc. v. U.S. Fire Ins. Co., No. 1:16-cv-02421-APG-GWF (D. Nev. Aug. 6, 2018).

Continue Reading

The U.S. Court of Appeals for the Sixth Circuit, applying Michigan law, has held that the computer fraud provision of a commercial crime policy covers losses from wire transfers sent by the insured pursuant to fraudulent emails.  American Tooling Ctr., Inc. v. Travelers Cas. & Sur. Co., 2018 WL 3404708 (6th Cir. Jul. 13, 2018).

Continue Reading

The United States Court of Appeals for the Fifth Circuit, applying Texas law, has reversed an order granting an insurer judgment on the pleadings, holding that a breach of contract exclusion did not bar coverage for a demand received by an insured retailer from its credit card processor for indemnification and other relief arising from a payment card breach.  Spec’s Family Partners, Ltd. v. Hanover Ins. Co., 2018 WL 3120794 (5th Cir. June 25, 2018).

Continue Reading

The United States Court of Appeals for the Eleventh Circuit, applying Georgia law, has affirmed a district court’s ruling that a fraudulent scheme using telephones to exploit a computer coding vulnerability in the insured’s system that ultimately led to a loss was not covered under a computer fraud provision in a commercial crime policy.  Interactive Commc’ns Int’l v. Great Am. Ins. Co., 2018 WL 2149769 (11th Cir. May 10, 2018).  Unlike the district court, however, the appellate court held that the scheme involved the “use of a[] computer.”  A summary of the district court opinion can be found here.

Continue Reading