Germany recently enacted a law that enables state health insurance schemes to reimburse costs related to the use of digital health applications (“health apps”), but the law requires the Federal Ministry of Health to first develop the reimbursement process for such apps.  Accordingly, on January 15, 2020, the German government published a draft regulation setting

By John G. Buchanan and Marialuisa S. Gallozzi

Although the National Cybersecurity Awareness Month of October has come to a close, it is not too late for corporate counsel and risk managers to be thinking about cyber-risk insurance — an increasingly essential tool in the enterprise risk management toolkit. But a prospective policyholder purchasing cyber insurance for the first time may be hard put to understand what coverage the insurer is selling and whether that coverage is a proper fit for its own risk profile. With little standardization among cyber policies’ wordings, confusing labels for their covered perils, and little interpretive guidance from case law to date, a cyber insurance buyer trying to evaluate a new proposed policy may hardly know where to focus first.

After pursuing coverage for historically major cyber breaches and analyzing scores of cyber insurance forms over the past 15 years, we suggest the following issues as a starting point for any cyber policy review:
Continue Reading Top Tips and Traps for Cyber Insurance Buyers

By Benjamin Duke, Matt Schlesinger, and Scott Levitt

[This article was also published as a Client Alert.]

Two recent federal district court decisions involving computer “spoofing” scams highlight the uncertainty about whether such incidents may be covered under standard “computer fraud” provisions in widely used crime insurance forms. The conflicting results in these cases provide a stark reminder to policyholders that seemingly minor differences in policy wordings can have a major impact on the scope of coverage – and severe financial consequences.

“Spoofing” refers to the practice of manipulating a commercial e-mail to falsify the e-mail’s true origin, without the consent or authorization of the user whose e-mail address is “spoofed.” See Karvaly v. eBay, Inc., 245 F.R.D. 71, 91 n.34 (E.D.N.Y. 2007). As recent cases reflect, scam artists have used spoofing—also known as “business email compromise,” “social engineering,” or “fake president” fraud—to induce even high-level executives of sophisticated companies to transfer millions of dollars to accounts under the scammers’ control. Faced with irretrievable losses, many companies have understandably looked first to the “computer fraud” and other provisions of their corporate crime policies for insurance coverage.

Last month, in Medidata Solutions, Inc. v. Federal Insurance Co., 2017 WL 3268529, __ F. Supp. 3d __ (S.D.N.Y. July 21, 2017), the court found coverage under the “computer fraud” provision of the insured’s crime policy for a $4.8 million loss resulting from an email spoofing scam. The scam started with a spoofed email to an accounts payable employee purportedly from Medidata’s president, directing the employee to await an attorney’s wire transfer instructions to pay for an impending acquisition. Id. at *1. That same day, the purported attorney called with instructions to process the wire transfer, and a subsequent spoofed email induced both Medidata’s vice-president and its CFO to sign off on the transfer. Id. at *2. Not until two days later did the company realize that it had been defrauded. Id.
Continue Reading Recent Cases on E-Mail “Spoofing” Coverage Highlight the Impact of Specific Crime Policy Wordings

The recent National Institute of Standards and Technology (NIST) publication of cybersecurity guidance for the Internet of Things (IoT) is a useful reminder that hacking incidents can result not only in privacy breaches, but also in bodily injury or property damage — via critical infrastructure, medical devices and hospital equipment, networked home appliances, or even children’s toys. In addition to enhanced system security engineering and preventive education efforts, insurance is an increasingly essential component in any enterprise risk management approach to cyber vulnerabilities. But purchasers of cyber insurance are finding that nearly all of the available cyber insurance products expressly exclude coverage for physical bodily injury and property damage.
Continue Reading Insurance Coverage Issues for Cyber-Physical Risks

Cyber insurers commonly require insureds to complete detailed applications, often including extensive technical disclosure and risk self-assessments. The complaint recently filed by the insurer in Columbia Casualty Co. v. Cottage Health System illustrates the pitfalls in these requirements.

Cottage Health, an operator of a hospital network, suffered a data breach in 2013 resulting in thousands of its patients’ private medical information being publicly disclosed. In addition to other losses, Cottage Health paid $4.125 million to settle a putative class action in 2014 and faces additional proceedings arising from the breach. Columbia’s lawsuit denies all coverage for the breach and seeks to rescind its policy due to the insured’s alleged failure to comply with the cybersecurity practices described in its application.
Continue Reading Cyber Insurer Seeks to Void Data Breach Coverage Because of Purported Misstatements in Policy Application

Data breaches suffered by retailers and other businesses that handle payment cards can result in substantial assessments by card brands such as MasterCard and Visa. Retailers typically do not process payment card transactions directly with the banks that issue their customers’ cards. Instead, they contract with an intermediary—called an acquiring or servicing bank—to process their customers’ card transactions with the card-issuing banks. In the event of a payment card data breach, the card brands typically impose assessments on the retailer’s acquiring bank, which in turn pursues indemnification under its service contract with the retailer.

That was the situation in P.F. Chang’s v. Federal Insurance Co., in which a federal district court in Arizona recently held that Chang’s had no cyber coverage for over $1.9 million in credit card assessments that it had to pay as a result of a data breach. The Chang’s court found that the Federal cyber policy’s “Privacy Injury” coverage did not respond to an acquiring bank’s claim against Chang’s for reimbursement of card brand assessments, because the Federal policy’s definition of “Privacy Injury” required that the compromised confidential records at issue be the claimant’s. As is typical, the payment card information stolen by the hackers belonged to Chang’s customers and the card-issuing banks, not the acquiring bank that made the actual claim for reimbursement by Chang’s.
Continue Reading P.F. Chang’s Ruling Highlights Potential Pitfalls of Cyber Insurance

Employees’ use of social media and other online services in their professional and personal lives has increased the risk of an employee bringing claims against a current or former employer.  In the past three years, for example, employers have had to defend against claims related to ownership of social media accounts used by former employees

Last week, Rep. Blaine Luetkemeyer (R-MO) introduced legislation (H.R. 5817) to limit the obligations of certain financial institutions to provide an annual privacy notice to consumers.  Under the Gramm-Leach-Bliley Act (“GLBA”), financial institutions must provide customers an initial privacy notice and, for the duration of a customer relationship, an annual privacy notice that describes the company’s information-sharing practices.  While anything is possible in Washington, particularly in a Presidential election year, the expectation is that this bill is unlikely to progress to enactment.

Under H.R. 5817, a financial institution would not be obligated to provide customers with an annual privacy notice so long as the company shares information only in certain limited respects (that are more narrow than those permitted under federal law) and provided that the company has not changed its privacy policies or practices from those disclosed in its most recent privacy notice.   Specifically, the carve-out would only be available to those financial institutions that do not share information in either of the following respects:Continue Reading Proposed Bill Would Limit Annual Privacy Notice Requirement Under GLBA