Second Circuit’s Decision Upholding Social Engineering Fraud Coverage Likely a Paper Tiger

In a case closely monitored by the insurance industry, the Second Circuit upheld in a non-precedential summary order a New York federal district court’s summary judgment finding coverage under the computer fraud coverage of a commercial crime policy. Medidata Solutions, Inc. v. Fed. Ins. Co., No. 17-2492, 2018 WL 3339245 (2d Cir. 2018). Although the policyholders are apt to tout the decision as a seismic victory, the atypical policy language and factual circumstances should greatly limit its persuasive value.

As background, the insured, Medidata …

Continue Reading

First of its Kind: Yahoo Settles Securities Litigation for $80 Million

Yahoo’s recently-announced $80 million settlement of its data breach-related securities lawsuit may be a signal that the plaintiffs’ bar is going to pivot away from pursuing these claims in the form of shareholder derivative lawsuits. In their ongoing effort to capitalize on large-scale data breaches, to date, plaintiffs have struggled to survive motions to dismiss in data breach-related derivative lawsuits (e.g. Target and Wyndham Worldwide). Although the plaintiffs in the Home Depot derivative litigation were able to extract a $1.125 million settlement while the dismissal …

Continue Reading

Credit Card Payment Coverage Declined: Cyberinsurer Not Obligated to Reimburse P.F. Chang’s for PCI Liability

In the most significant cyberinsurance coverage decision to date, an Arizona federal district court in P.F. Chang’s China Bistro v. Federal Insurance Co., No. CV-15-01322-PHX-SMM (D. Ari. May 31, 2016), granted summary judgment to Federal Insurance Company, acknowledging it had no duty to reimburse P.F. Chang’s China Bistro for payment card industry liability assessments under the CyberSecurity policy issued by Federal to P.F. Chang’s corporate parent. This decision represents a significant victory for cyberinsurers insofar as it upholds insurers’ marketing strategy of making available …

Continue Reading

Insurers May Need a Doctor’s Note: Data Breach of Medical Records Triggers Coverage, Says Fourth Circuit

On Monday, April 11, 2016, the Fourth Circuit handed down a notable, albeit unpublished, decision with regard to an issue that has vexed the insurance industry, namely, do data breaches trigger a CGL insurer’s duty to defend under Coverage B? In Travelers Indemnity Company of America v. Portal Healthcare Solutions, L.L.C., the Fourth Circuit determined, under Virginia law, the underlying class action lawsuit, indeed, triggered Travelers’ duty to defend.

The underlying lawsuit was a class action complaint filed against, in pertinent part, Portal Healthcare …

Continue Reading

Not If, But When: Another Health Insurer Hacked

In mid-September, it was reported that hackers hit another set of health insurance companies. In this case, the hackers hit The Lifetime Healthcare Companies and its affiliates including Excellus BlueCross BlueShield, Univera Healthcare, and The MedAmerica Companies. A full list of plans affected can be found on the press release outlining the details of the attack.

Hackers took information on approximately 10 millions customers including seven million from Excellus and three million from associated entities. Company IT officials first discovered the intrusion on August 5, …

Continue Reading

NAIC Tackles Cybersecurity Including Proposed Consumer Cybersecurity Bill of Rights

In the wake of recent cyber breaches against major health insurance companies, the NAIC is undertaking three initiatives designed to “protect consumer information and educate the public about cyber risks.” First, on July 28, 2015, the NAIC’s Cybersecurity Task Force issued a proposed Consumer Cybersecurity Bill of Rights. This Bill of Rights contains 12 specific rights for consumers including:

  • Know what type of personally identifiable information is being collected by the insurer and how long that information is being kept by the insurer, insurance
Continue Reading

Federal Cyber Legislation – Hurry Up and Wait

In recent months, two more companies in the healthcare industry have been hacked. UCLA Health announced on July 17, 2015 that it was the victim of a “criminal cyber attack” and “as many as 4.5 million individual potentially may have bene involved in the attack.”  This comes on the heels of another attack in May 2015 against Medical Informatics Engineering whose subsidiary is NoMoreClipboard, an online medical information sharing service used by patient and physicians alike.  Both of these episodes are the latest in attacks …

Continue Reading

Connecticut Supreme Court Makes Significant Ruling in Data Breach Case

The Connecticut Supreme Court made a very significant ruling yesterday in Recall Total Information Management, Inc. v. Federal Insurance Co., adopting wholesale the Appellate Court’s well-reasoned ruling that an insured’s loss of sensitive records, without more, does not constitute a “publication” of material that violates a person’s right of privacy. Notably, the Appellate Court held that absent proof of an unauthorized third party’s access to the personal identification information, the “publication” element of the Privacy Offense (under the definition of “personal and advertising injury” …

Continue Reading

Cyber Breaches Prompt Government Action

The recent data breach at health insurer Anthem has sparked new legislation in Connecticut.   During the breach, at least 80 million records were stolen.  According to NBC News, among the 80 million victims, tens of millions of American children had their Social Security numbers, dates of birth, and health care ID numbers stolen.  In response, Connecticut state legislators are proposing legislation that would require health insurance companies to encrypt their customers’ data.   Connecticut’s proposed legislation is similar to recent legislation passed in New Jersey …

Continue Reading