WCM Partner Publishes Essay in Defense Research Institute Data and Security Dispatch.

WCM Partner Bob Cosgrove, a CIPM and CIPP-US, published an article entitled Porsches in London: Software, Cars and Recalls, in the December 2018 Defense Research Institute Data and Security Dispatch. The article discusses the gaps between traditional insurance products (i.e. commercial general liability policies, product recall policies and cyber policies) and the ever-expanding information world that we live in.

For more information about this post please e-mail Bob Cosgrove.

State Farm Must Defend Cyberbully Accused of Instigating Suicide (PA)

While attending a Pennsylvania high school, Zach Trimbur repeatedly harassed a female classmate, both in person and online. In a tragic turn, the classmate committed suicide. The classmate's parents filed suit in Pennsylvania state court, bringing negligence, wrongful death and survival claims against Trimbur.

Trimbur's parents asked State Farm to defend and indemnify him under the personal liability coverage of their homeowner's policy, and State Farm responded with a declaratory judgment action. The policy covers the cost of defending claims arising from "occurrences," which Pennsylvania law defines as accidents.

However, on December 11, 2018, U.S. District Judge Mark Kearney sided with the insured and held that State Farm must pay for Trimbur's defense. According to Judge Kearney, although Trimbur may have intended to hurt the girl, it is not conclusive that death by suicide was a foreseeable result of his cyberbullying. Judge Kearney further stated that "the true test of whether an accident occurred comes from when the situation is viewed from the perspective of the insured," and from Trimbur's perspective, suicide was not foreseeable. Judge Kearney declined to decide whether State Farm must also indemnify Trimbur. Because the duty to defend is broader than the duty to indemnify, a duty to defend does not settle the indemnity question, which may remain open until the close of discovery. Thanks to Melisa Buchowiec for her contribution to this post. Please email Brian Gibbons with any questions.

Court Finds Spoofing Attack is Hacking Covered Under Cyber Coverage (NY)

The Second Circuit recently declined to reconsider its July summary order requiring an insurer to pay more than $4.8 million to its insured, a cloud-based services firm, for funds lost as a result of "spoof" emails. The case, Medidata Solutions Inc. v. Federal Insurance Company, provides insight into the burgeoning world of cyber insurance coverage and how courts may handle the various policy provisions invoked by insureds seeking coverage.

In June 2014, an employee at Medidata Solutions received an email purporting to be from the company's president instructing her to wire money to an outside bank account, which the firm eventually did. Medidata sought coverage under its commercial crime policy. The policy covered losses stemming from "entry of Data into" or "change to Data elements or program logic of" a computer system. When the insurer denied coverage, Medidata sued. The insurer argued that the spoofing attack was not covered because the policy applied only to hacking-type intrusions. Medidata argued that the fraudsters entered data when they altered the "From" entry in the "spoof" emails so that the messages appeared to come from actual Medidata executives.

In unanimously affirming the district court, the Second Circuit held that “[w]hile Medidata concedes that no hacking occurred, the fraudsters nonetheless crafted a computer-based attack that manipulated Medidata’s email system.”  Moreover, because the spoofing code enabled the fraudsters to send messages which seemingly came from high-ranking members of the firm, the court held that “the attack represented a fraudulent entry of data into the computer system.”  Therefore, the court held the insurer was on the hook for the $4.8 million.
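As an added illustration of the attack the court describes (example code written for this page, not code from Medidata, Federal Insurance or the court record), the following Python checks the visible "From" line of an incoming message against the receiving gateway's SPF/DKIM results, the Reply-To and Return-Path headers, and a list of executive names an attacker would impersonate. It covers both variants of the trick: forging the real internal address on a message that never passed through the company's mail system, and sending from a look-alike domain under the executive's display name. The domain example.com, the name "Jane Doe" and the three sample messages are constructed for the example and are not from the case.

```python
"""Header checks for spoofed "From" lines of the kind used against Medidata.

Two variants are covered:
  1. Header forgery: the From address is the real internal address, but the
     message did not pass through the company's mail system, so the gateway's
     SPF/DKIM verdicts fail and Reply-To / Return-Path point off-domain.
  2. Look-alike sender: the display name is an executive's, but the address
     is on a domain the attacker registered (e.g. examp1e.com).
"""
import difflib
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumptions for the example: the protected organisation's domain and the
# names most likely to be impersonated (hypothetical values, not Medidata's).
INTERNAL_DOMAIN = "example.com"
PROTECTED_NAMES = {"jane doe"}


def _domain(addr: str) -> str:
    """Lower-cased domain of an address, or '' when the string has none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def _auth_results(msg) -> dict:
    """Collect spf/dkim/dmarc verdicts from the Authentication-Results
    headers stamped by the receiving gateway ('spf=pass' style tokens)."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(hdr), re.I):
            verdicts[method.lower()] = verdict.lower()
    return verdicts


def spoof_findings(raw_message: str) -> list:
    """Return the reasons the visible From line should not be trusted.
    An empty list means no header-level indicator was found."""
    msg = message_from_string(raw_message, policy=policy.default)
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = _domain(from_addr)
    findings = []

    if from_dom == INTERNAL_DOMAIN:
        # Claims to be internal: it must have been authenticated as such.
        auth = _auth_results(msg)
        if auth.get("spf") != "pass" or auth.get("dkim") != "pass":
            findings.append(f"From is internal ({from_addr}) but SPF/DKIM did not both pass: {auth or 'no results'}")
        # Replies or bounces routed off-domain are how the fraudster keeps the thread.
        for hdr in ("Reply-To", "Return-Path"):
            _, other = parseaddr(str(msg.get(hdr, "")))
            if other and _domain(other) != INTERNAL_DOMAIN:
                findings.append(f"{hdr} {other} leaves the internal domain")
    else:
        # External address wearing an internal name, or a near-identical domain.
        if display_name.strip().lower() in PROTECTED_NAMES:
            findings.append(f"display name '{display_name}' is a protected name but the address is external ({from_addr})")
        if difflib.SequenceMatcher(None, from_dom, INTERNAL_DOMAIN).ratio() > 0.8:
            findings.append(f"sender domain {from_dom} is a look-alike of {INTERNAL_DOMAIN}")
    return findings


# Constructed sample messages (not real traffic).
LEGITIMATE = "\n".join([
    'From: "Jane Doe" <jane.doe@example.com>',
    "To: accounts@example.com",
    "Reply-To: jane.doe@example.com",
    "Return-Path: <jane.doe@example.com>",
    "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com",
    "Subject: Quarterly report",
    "",
    "Attached.",
])

FORGED_HEADER = "\n".join([
    'From: "Jane Doe" <jane.doe@example.com>',
    "To: accounts@example.com",
    "Reply-To: jane.doe.ceo@mail-example.net",
    "Return-Path: <bounce@mail-example.net>",
    "Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-example.net; dkim=none",
    "Subject: Urgent wire transfer",
    "",
    "Please wire the funds to the account below today.",
])

LOOKALIKE_DOMAIN = "\n".join([
    'From: "Jane Doe" <jane.doe@examp1e.com>',
    "To: accounts@example.com",
    "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com; dkim=pass header.d=examp1e.com",
    "Subject: Urgent wire transfer",
    "",
    "Please wire the funds to the account below today.",
])

if __name__ == "__main__":
    for label, sample in (("legitimate", LEGITIMATE), ("forged", FORGED_HEADER), ("look-alike", LOOKALIKE_DOMAIN)):
        print(label, spoof_findings(sample) or "no indicators")
```

Note that the look-alike sample authenticates cleanly: SPF and DKIM only prove the message really came from examp1e.com, which is why a display-name and domain-similarity check is still needed on top of them, and why a wire instruction should be confirmed out of band regardless of what the headers say.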

In declining to rehear this case, the Second Circuit let stand a major decision for policyholders. In an era when claims for cyber attacks are at an all-time high, policyholders will welcome holdings in which courts find coverage for cyber attacks under non-cyber-specific policies. The holding could also put the Second Circuit at odds with a similar case currently pending before the Sixth Circuit, American Tooling Center Inc. v. Travelers Casualty & Surety Co. of America, No. 16-12108, 2017 WL 3263356 (E.D. Mich. Aug. 1, 2017). There, the district court found no coverage under a crime policy where the Michigan firm wired $800,000 to a fraudster's account, reasoning that the loss was not a "direct loss" caused by the "use of a computer." Insureds and insurers alike are keeping tabs on these and other decisions invoking cyber coverage in light of the volume of cyber cases in recent years.

Thanks to Douglas Giombarrese for his contribution to this post.


Insurer Mailing Error Discloses Thousands of Social Security Numbers, Prompting Settlement with AG (NY)

The New York Attorney General recently announced a $575,000 settlement with EmblemHealth, one of the largest health plans in the United States, after a “mailing error” resulted in the accidental disclosure of more than 80,000 social security numbers.

In October 2016, EmblemHealth mailed over 80,000 policyholders, including approximately 55,000 New York residents, paper copies of their Medicare Prescription Drug Plan Evidence of Coverage. The mailing label affixed to each envelope included the policyholder's Health Insurance Claim Number, which incorporated their social security number. According to the Attorney General's Office, EmblemHealth's actions violated many standards and procedures required by HIPAA. They also violated New York's General Business Law § 399-ddd(2)(e), which prohibits printing an individual's social security number "on a postcard or other mailer not requiring an envelope, or visible on the envelope or without the envelope having been opened."

As part of the negotiated settlement with the Attorney General's office, EmblemHealth agreed to implement a Corrective Action Plan that includes a thorough analysis of the security risks associated with mailing policy documents, and to submit a report of its findings to the Attorney General's office within 180 days of the settlement. It also agreed to review and revise its policies and procedures based on the results of that assessment, and to notify the Attorney General's office of any action it takes. In addition, EmblemHealth pledged to make reasonable efforts to ensure that all relevant employees are adequately trained to avoid similar disclosures in future mailings, to report any known violations of EmblemHealth policies and procedures relating to the HIPAA Minimum Necessary Standard, and to remediate all violations as soon as practicable. Lastly, for the next three years, EmblemHealth must report the loss or compromise of New York residents' information to the Attorney General's office, even in situations that would not otherwise trigger New York State reporting requirements.

So, while this breach cost EmblemHealth only $575,000 in payments to the AG's office, it will cost significantly more in future compliance time and expense. EmblemHealth's decision to settle, the amount of the settlement, and its agreement to ongoing scrutiny by the Attorney General all speak volumes about the publicity risks associated with these kinds of privacy violations. First, the same subsection of the General Business Law discussed above caps judicial fines for violations arising from a single occurrence at $100,000 for a first offense and $250,000 for a second offense, both well below the amount EmblemHealth agreed to pay. Second, the General Business Law provides would-be violators with an out: the provisions will not be "deemed . . . violated" if the entity demonstrates, by a preponderance of the evidence, that the violation was unintentional "and resulted from a bona fide error made notwithstanding . . . procedures reasonably adopted to avoid such error." EmblemHealth settled rather than test either defense in court.

It is unclear whether individual policyholders who can tie damages to the breach will be able to maintain direct actions against EmblemHealth. Thanks to Evan King for his contribution to this post. Please email Brian Gibbons with any questions.

Cyber Rules About to Get Real.

We have previously reported on NY’s onerous cyber rules. The rules go into effect by month’s end.

Specifically, on August 28, 2017, insurance companies doing business in NY will be obligated to institute policies and procedures that preserve and protect the PII of clients, insureds and other entities in accordance with 23 NYCRR §500 (et seq.). The rationale for the regulation was explained by the Superintendent of the DFS:
Consumers must be confident that their sensitive nonpublic information is being protected and handled appropriately by the financial institutions that they are doing business with. DFS designed this groundbreaking proposed regulation on current principles and has built in the flexibility necessary to ensure that institutions can efficiently adapt to continued innovations and work to reduce vulnerabilities in their existing cybersecurity programs. Regulated entities will be held accountable and must annually certify compliance with this regulation by assessing their specific risk profiles and designing programs that vigorously address those risks.

Insurance companies, and other covered entities, are required to perform cybersecurity assessments in accordance with a written policy developed by the covered entity that addresses:
• encryption of data containing PII, both in transit and at rest;
• a Crisis Response Team ("CRT") to respond to a breach;
• two-factor or multi-factor authentication ("TFA" or "MFA");
• identification and assessment of internal and external cybersecurity threats;
• defensive infrastructure, used in conjunction with appropriate policies and procedures, to protect PII;
• the capability to detect and respond to any intrusion; and
• the ability to meet statutory breach notification requirements.

Moreover, the regulations require a specific policy covering 14 different aspects of the covered entity's operations. As if developing in-house policies were not enough, the regulations also require insurance companies to ensure that the other entities they do business with, and to which they transfer materials containing PII, maintain and adhere to strict cybersecurity controls of their own, including TFA, encryption, written policies, and periodic assessments of the efficacy of and compliance with those policies. The insurance company must promulgate a third-party service provider policy that imposes these requirements; if it does not, the insurance company may be held liable.

Furthermore, we expect rules like these to become the norm in all 50 states before long. It is easier to implement these changes and requirements now than to be forced to implement them in a rush and risk falling short of full compliance.

Special thanks to Matt Care for his contributions to this post.

For more information about this post please e-mail Bob Cosgrove.

WCM Partner to Speak at Privacy Shield Certifications Webinar.

WCM Partner Bob Cosgrove, a CIPP-US and CIPM, will be one of two speakers at an August 31, 2017 webinar entitled Privacy Shield Certifications: Things You Need to Know. Mr. Cosgrove will focus his portion of the presentation on:
1. Privacy Shield: Requirements and advantages of participating in the event of litigation.
2. Serving Two Masters: The litigation process, discovery, and data transfer from the European Union.
a. Why discovery involving European Data is a challenge and what Privacy Shield does and does not do to remedy the problem.
3. There is Nothing New Under the Sun: The implications of Privacy Shield on member state data blocking legislation.
a. Blocking legislation in member countries is still effective.
b. How the United States courts have handled blocking legislation and data transfer restrictions.
4. Privacy Shield Enforcement: The arbitration process and liability for failure to comply with Privacy Shield requirements.
If you are interested in the webinar, more information can be found here, or e-mail Bob Cosgrove.

Standing Taking a Seat in Cyber Claims.

The standard defense to a data breach lawsuit has been — there was no actual injury (only the fear of a potential injury), so the plaintiffs lack standing and the case must be dismissed. This defense has historically resulted in the dismissal of data breach lawsuits. But this standing defense is under siege and the Third Circuit might have given it a permanent seat.

In In re: Horizon Data Breach Litigation, Horizon, a large health insurer, had two laptops stolen. The laptops contained the PII (personally identifiable information) of hundreds of thousands of people. A class action lawsuit was filed in which the plaintiffs alleged that, because Horizon did not take reasonable steps to secure its data, they were exposed to an increased risk of identity theft. The district court dismissed the action for lack of standing, as none of the putative class members could show that the breached information had been used to their detriment. The Third Circuit, in a published and precedential decision that was the first of its kind, reversed and found that, even without evidence that the information was used improperly, the plaintiffs had standing to proceed with their claims.

This decision is big news as it comes from a federal circuit court and means that the standing defense is losing its hold as a viable defense. Standing, in short, is taking a seat.

Special thanks to Matt Care for his contribution to this post. For more information, please e-mail Bob Cosgrove.

Pennsylvania Superior Court Finds Employers Have No Duty to Protect Electronically Stored Personal Information

In Dittman v. UPMC, breach of contract and negligence claims were brought against an employer after employees' personal information was stolen from the employer's computer system and used to file fraudulent tax returns and steal tax refunds. Specifically, the names, birth dates, social security numbers, tax information, addresses, salaries and bank information of approximately 62,000 current and former UPMC employees were accessed and stolen from UPMC's computer system. The stolen information was personal information that UPMC required employees to provide as a condition of employment.

The employees filed a class action lawsuit, arguing that UPMC had a legal duty to protect their personal and financial information and that UPMC failed to properly encrypt the data and establish adequate firewalls to protect the information in its network. UPMC filed preliminary objections to the complaint, arguing that the employees lacked standing to assert claims on behalf of individuals who had not yet been injured and that the negligence and breach of contract claims failed as a matter of law. The trial court sustained the preliminary objections and dismissed the claims.

On appeal, the Superior Court agreed with the trial court that UPMC did not owe a duty of reasonable care in its collection and storage of the employees' data. In reaching that conclusion, the Superior Court weighed five factors. First, the Court found that the relationship between the parties, that of employer and employee, weighed in favor of imposing a duty on the employer. Second, the Court reasoned that employers have an obvious need to collect and electronically store the personal information of their employees. Third, although a data breach is a foreseeable and substantial risk, the utility of electronically storing information outweighs that risk. Fourth, the Court reasoned that it was unnecessary to have a judicially imposed duty requiring employers to incur significant costs to increase security when there is no true way to prevent security breaches altogether. Finally, the Court found that it was not in the public interest to impose a duty and expend judicial resources, as legislation already addresses the issue.

Thanks to Alexandra Perry for her contribution to this post and please write to Mike Bono if you would like more information.

Going to Need a Bigger Boat? Will Cyber Rules Finally Impact Insurers and Their Vendors (Like Lawyers)?

You might have noticed that cybersecurity issues are a little bit in the news these days. But, we’re not here to talk about Russian spies influencing US presidential elections (although that would be an interesting discussion). Rather, we’re here to talk about boring NY bureaucrats, who have just promulgated (for comment) 23 NYCRR 500, CYBERSECURITY REQUIREMENTS FOR FINANCIAL SERVICES COMPANIES that is set to go into effect on January 1, 2017 (yes, that’s less than 3 months from now). The proposed regulation is currently in its comment period and, if adopted, will apply to insurers who do more than $5,000,000 in gross revenue and are regulated by the NY Department of Financial Services. It will also likely serve as the blueprint for other states across the country. So what does the regulation propose to do?

Basically, to prevent and mitigate a "cybersecurity event", i.e. an act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an information system, a regulated entity (like an insurance company) is obligated to ensure that non-public information (like names, dates of birth and social security numbers) is protected. To do that, you must:

(1) develop and implement a cybersecurity program that includes penetration testing, vulnerability assessments, an audit trail system, access privilege limitations, application security, risk assessments, a data retention policy, encryption of nonpublic information and an incident response plan;

(2) develop and implement a cybersecurity policy that includes training and monitoring;

(3) have a chief information security officer (and other personnel); and

(4) have a third-party information security policy that will apply to all third-parties doing business with the insurer.

But, you might ask, what does this really mean for me? It means that you’re going to need a bigger boat (to paraphrase Jaws) if you want to stay ahead of this shark and avoid fines and penalties by the NY Department of Financial Services (and also avoid lawsuits where failure to follow the NY regulations will serve as a blueprint for what you were supposed to do and failed to do). Insurers and their vendors (like attorneys) have in their possession voluminous amounts of information (like medical records, discovery responses and transcripts) that include non-public information. Yet, how often is such information being transmitted by insurers to their attorneys (and from attorneys to their insurers) in unsecured ways? How many insurers are capable of downloading and adding to their files information that is sent by attorneys in secured ways (e.g. via Sharefile — which is our preferred data transmission method at WCM)? I think the answer is “not as many as you would hope.” We here at WCM are happy to help work with you as to what you need to do (and to do what we can for you to help ensure compliance). But, there’s a lot of work to be done and not a lot of time to start doing it.

For more information about this post please e-mail Bob Cosgrove.

Editors Note — Due to public outcry, implementation of the regulations has been delayed to March 1, 2017. The shark remains in the water, but there is not yet blood.

Do CGL Policies Now Insure Data Breaches?

The case that everyone is talking about is Travelers Indemnity v. Portal Healthcare, a just-released, unpublished Fourth Circuit opinion. The quick story is that the Fourth Circuit affirmed the trial court and held that Travelers owed coverage (specifically, a defense) under a CGL policy for a data breach. The real story is a bit more nuanced.

In the case, Portal Healthcare, a Virginia-based company, was sued in NY in a class action lawsuit. In the lawsuit, patients of Glens Falls Hospital claimed that Portal Healthcare failed to safeguard medical records entrusted to it by the hospital and instead allowed those records to be posted on the internet, accessible to everyone via a Google search. Portal Healthcare was insured by Travelers under two consecutive commercial general liability insurance policies, a 2012 policy and a 2013 policy. The policies were not standard policies; rather, they contained special endorsements that expanded the scope of personal injury, advertising injury and web site injury coverage.

Specifically, the 2012 Policy contained a Web Xtend Liability Endorsement that deleted and replaced the definition of Personal and Advertising Injury liability. The 2013 Policy contained an Amendment of Coverage B – Personal And Advertising Liability Endorsement that deleted and replaced the definition of Personal and Advertising Injury liability. Under both endorsements, the parties (and court) seemed to agree that coverage was triggered if the underlying complaint alleged: (1) injury arising out of the offense of “electronic publication of material that . . . gives unreasonable publicity to a person’s private life” (the language utilized in the insuring agreement of the 2012 Policy) or (2) injury caused by the offense of “electronic publication of material that . . . discloses information about a person’s private life” (the language utilized in the insuring agreement of the 2013 Policy).

On the question of publication, Travelers argued that, although the data was available to the general public, no publication occurred because Portal Healthcare did not intend to publish it. The court rejected this argument, holding that it was the fact of publication (and not the intent of the publisher) that mattered.

On the question of publicity, Travelers argued that no "publicity" was given to a person's private life because the leak was not intended to generate publicity. The court rejected this argument as well, holding that since the leaked data was available to the general public, publicity had occurred.

All of this seems rather straightforward, so why all the fuss? It seems that a top-sheet review might be to blame. When you look at the trial court's decision and the policies themselves, you see that Travelers' decision to broaden the scope of claims that qualify as "personal and advertising injury" is the root cause of the decision. So, it's true that CGL policies might have more potential exposure to data breaches, but only if the coverages have been enhanced.
For more information about this post please e-mail Bob Cosgrove.