DDoS Attacks on Local Universities Highlights Increasing Cybersecurity Risks (PA & NJ)

Penn State and Rutgers University join the ever-growing list of victims to cybersecurity attacks. In only the past two months, both universities have suffered distributed denial of service attacks, or as they are more commonly referred, DDoS attacks.

A DDoS attack is intended to render a server or network unavailable to its users. DDoS attackers use multiple devices and multiple internet connections to flood a victim’s computer system with web traffic until it is crippled by the requests and goes offline. Aside from the debilitating effects of DDoS attacks, they are difficult to combat. Victims cannot focus their efforts on deflecting attacks from a single attacker or a single source. Rather, the victim is flooded with requests from hundreds or even thousands of sources. While DDoS attacks are often just a frustrating nuisance for a victim to deal with, these attacks are continuing to evolve into a serious threat for network operators across the world. For Rutgers, the DDoS attack not only caused multiple internet outages, but affected the university’s final exam schedule.

So, what makes universities such a target for DDoS and other cybersecurity attacks? As explained in a recent article in the New Jersey Law Journal, universities are relatively easy targets. The article quotes Vincent Polley, the head of technology consultancy KnowConnect to explain that because the university structure is a “confederation of schools that are fairly loosely coordinated…[there’s] frequently not a lot of top-down management.” Universities store vast amounts of their students’ personal and financial information, as well as sensitive research materials.

This begs the question: what can universities and colleges across the country do to protect their students’ information? According to a recent article in the New York Times, Penn State, like many other universities and colleges across the country, are beefing up their authentication requirements. Authentication requirement are generally used before a university system can be accessed remotely. Authentication techniques can be broken into three categories: (1) things only a specified individual knows (i.e. a password, pin number, mother’s maiden name, or other type of security question; (2) things that only a specified individual would have (i.e. a key, card badge, token, one-time password); or (3) something specific about the specified individual (i.e. an encoded fingerprint, voice recognition or an iris scan).

To further beef up security, schools like Penn State are requiring a two-factor authentication, which incorporates two of the above mentioned techniques to create a multilayer defense against unauthorized access. However, how effective these measures are against DDoS attacks and other cyberattacks remains to be seen.  Thanks to Erica Woebse for her contribution.  Please email Brian Gibbons with any questions.

Catch 22- defense and indemnity of fraudulent claims (PA)

The United States District Court for the Eastern District of Pennsylvania recently found that an insurer had a duty to defend but, not a duty to indemnify in a matter involving a claims made policy. The issue was whether, prior to the inception of a policy of insurance, the insured had reason to know that based on its actions a claim could reasonably be anticipated. In the underlying case, the plaintiff alleged that the insured, prior to the inception of the insured’s insurance policy, emailed derogatory and damaging confidential information about plaintiff to a third party.

The insured timely notified the insurer and averred that it did not furnish confidential or damaging information, and that the emails referenced were forged. After defending the insured for over a year, the insurer initiated a declaratory judgment because the alleged conduct occurred prior to the effective date of the policy, and the insured knew of should have known that it would be the basis of a claim. Such knowledge violates an exclusionary provision which disclaims coverage for claims arising from any act or omission the insured had a basis to believe, prior to the policy inception, might reasonably be expected to be the basis of a claim.

The court found that the mere allegation that the insured sent emails disclosing confidential information does not establish that the insured had knowledge that something it did could give rise to a claim against it. Moreover, the policy states that it will provide coverage even for fraudulent claims, so it must do so until the final adjudication of the underlying action. Unfortunately, the only way to determine whether the insured had the requisite knowledge is if the finder of fact determines that the insured disseminated the information. If so, the claim would not be covered under the policy and the insurer would not have to indemnify the insured. Alternatively, if the finder of fact determines that the insured is not liable in the underlying action, there would be nothing to indemnify.

To disclaim or not to disclaim, that is the question…especially when it comes to fraudulent claims remember that when disclaiming on the basis of prior knowledge, an insurer should have some indication, other than the allegations, that speaks to that knowledge. Thanks to Tiffany Davis for his contribution.  Please email Brian Gibbons with any questions.

PA Bad Faith Claim Can Be Based on More Than Improper Coverage Denial.

Bad faith claims can come in many different forms, and a Pennsylvania court recently confirmed such claims can involve an insurer’s reckless conduct, not just an improper denial of a claim.

In Scheirer v. Nationwide Insurance, plaintiff Virginia Scheirer was riding a county bus when she was thrown to the floor and injured when the bus driver swerved to avoid oncoming traffic. Plaintiff had uninsured motorist coverage from Nationwide with limits up to $100,000 per person. Plaintiff notified Nationwide of her claim in July of 2011 and provided the required medical documentation in support of this claim.

In September of 2012, she demanded arbitration, which Nationwide refused.  In April of 2013, Nationwide requested a medical examination and statement under oath of the insured. In May, plaintiff sued in Monroe County, alleging that Nationwide handled her claim with excessive delay. She further amended this claim in June of 2013, alleging breach of contract and bad faith.

Nationwide sought to dismiss the bad faith claims, arguing that plaintiff could not assert bad faith without an unreasonable denial of coverage, and here there was no denial of coverage. In resolving pending summary judgment motions, the trial court ultimately ruled that there are bases for bad faith other than a denial of coverage, citing case law from Davis v. Allstate Property and Casualty Company in the Federal District Court for the Eastern District of Pennsylvania, which held that “bad faith can have various other bases, including an insurer’s lack of investigation, lack of adequate legal research concerning coverage, or failure to communicate with the insured.”

In this case, the court held that there were questions of fact as to whether the insurer had engaged in reckless conduct in respect of its investigation, legal research or communications that precluded the grant of summary judgment.

Thanks to Thalia Staikos for her contribution to this post and please write to Mike Bono for more information.




PA Supreme Court Addresses “The Insured” In Employer’s Liability Exclusions.

For much of the excess and surplus lines world, employer’s liability exclusions are THE way that insurers manage their risk (given the nominal premiums that are charged). The standard employer’s liability exclusion wording bars from coverage all claims arising out of “bodily injury” to an “employee” of “the insured.” In Pennsylvania, insurers had often attempted to use this phrasing to bar coverage for employee personal injury lawsuits to both named insureds and additional insureds. Such efforts will no longer be countenanced.

In the case of Mutual Benefit Insurance Company v. Christos Politsopoulos, et al., Politsopoulos leased commercial space to Leola Restaurant, Mutual Benefit’s insured. The Mutual Benefit policy had a blanket additional insured endorsement that (by virtue of a written contract between Leola and Politsopoulos) made Politsopoulos an additional insured under the policy. In December 2007, Marina Denovitz, a Leola employee, fell down a flight of stairs while working. She commenced a lawsuit against (among other) Politsopoulos on the basis that the stairs had been negligently maintained. Politsopoulos sought additional insured coverage from Mutual Benefit. Mutual Benefit disclaimed coverage on the grounds that the employer’s liability exclusion barred coverage to anyone seeking coverage under the Leola policy since Denovitz was an employee of Leola, “the insured.” In opposition, Politsopoulos argued that the Policy’s wording was ambiguous and by virtue of the Policy’s separation of insureds wording the employer’s liability exclusion’s was limited in applicability to Leola, as Denovitz was only an employee of “the insured.”

The trial court agreed and held that the use of the phrase “the insured” (as opposed to “any insured” or “the named insured”) was ambiguous and thus unenforceable when used to bar coverage to an additional insured. The Superior Court disagreed and reversed the trial court. The Superior Court held that (in effect) additional insureds were “named insureds.” The Supreme Court thereafter took the appeal.

In its decision reversing the trial court, the Supreme Court focused on the difference in the use of the definite (and restrictive) article “the” as opposed to the indefinite (and less restrictive) articles “an” or “any.” It held that the use of the phrase “the” insured is specific to the NAMED insured (that is the entity to which the policy was issued) and does not bar coverage to additional insureds.

The decision, although it does restrict the potential scope of the standard employer’s liability exclusion, does not void or otherwise nullify the more aggressive employer’s liability exclusions found in many excess and surplus lines policies. So, to our mind, while much ink is being spilled on the decision, it does not really move the proverbial meter. If you want to bar coverage for on the job injuries, simply use “any” and not “the.”

If you have any questions about this post, please e-mail Bob.

Policy Language Can Prove Fatal To Consent Judgments

The Pennsylvania Superior Court’s recent decision in Wolfe v. Ross illustrates the importance for policyholders to verify potential policy exclusions before agreeing to a consent judgment against their interests.

In Wolfe v Ross, the plaintiff’s estate sued for the wrongful death of their 19 year old son. The decedent attended a graduation party at plaintiff’s home, consumed alcohol, and left the party on the plaintiff’s dirt bike. The decedent lost control of and crashed the bike, ultimately leading to his death. Plaintiff and defendant agreed to a $200,000 consent judgment. When plaintiff attempted to collect from the defendant’s homeowner’s policy, the insurer disclaimed since the policy contained an exclusion for liability arising out of the use of a motor vehicle. Plaintiff argued that the policy did cover liability arising from furnishing alcohol to guests, thus the claim should be covered.

Both plaintiff and the insurer moved for summary judgment. Plaintiff argued that the furnishing of alcohol triggered coverage under the homeowner’s policy, and the insurer argued that the motor vehicle exclusion trumped because Wolfe’s death arose out of the operation of a motor vehicle. The main issue was whether the motor vehicle exclusion was ambiguous for failing to specify whether the exclusion-triggering injuries required proximate causation or only a causal connection to the use of a motor vehicle. The court held that the motor vehicle exclusion was not ambiguous. The court reasoned that in prior decisions, “arising out of” had been construed to mean “casually connected with,” not “proximately caused by.” Thus, the fact that plaintiff’s fatal injuries were related to a motor vehicle was enough to trigger the policy exclusion, regardless of the role alcohol played. The insurer’s denial of coverage was upheld.

This case demonstrates that insurance carriers and policyholders alike can benefit from a policyholders’ familiarity with exclusion provisions in their policies before “resolving” a matter through a consent judgment. This is especially true in Pennsylvania, where exclusions such as the motor vehicle exclusion at issue in Wolfe may be interpreted broadly.

Thanks to Rachel Freedman for her contribution to this post.



Who’s Laughing Now? Third Circuit Rules Bank Can’t Recover for Identity Theft (PA)

In an ironic twist of fate, the United States Court of Appeals for the Third Circuit recently ruled that even financial institutions face a rough road ahead when it comes to recovering damages for data security and identity theft claims.

In the case of Citizens Bank v. Reimbursement Technologies, Pennsylvania financial juggernaut Citizens Bank sued a third-party medical billing company whose employees allegedly accessed personally identifiable information belonging to over one hundred Citizen’s account holders and then used the data to illegally withdraw money from branches across six different states.  Although Citizen’s Bank suit focused on violations of the Stored Communications Act that regulates the disclosure of electronic communications and transactional records held by internet service providers, it also asserted state law causes of action for common law negligence.  However, the district court below ultimately dismissed the federal law action and, in addition, ruled that Citizens Bank’s state law claims failed to state a legally recognized theory of negligence against the defendant.

On appeal to the Third Circuit, the appellate panel was asked to determine whether Citizens Bank’s state law negligence and fraud claims could proceed independently of the federal action.  Citizens Bank argued that the district court erred in also dismissing its negligence claims against the defendant because as a data controller, Reimbursement Technologies owed its patients and their financial institutions a duty to safeguard their personally identifiable information.  The Court of Appeals concluded that Pennsylvania’s five-factor test for determining the existence of a duty required dismissal.  Specifically, the Third Circuit explained that notwithstanding Reimbursement Technologies’ failings, Citizens Bank, itself, was in the best position to prevent its claimed harm and, as a result, liability could not pass to the defendant as a matter of Pennsylvania law.

Citizens Bank represents a proverbial turning of the tables, insofar as the jurisprudence of data privacy and consumer protection has often operated in favor of protecting financial institutions that are sued for failing to protect their customers’ data.  Rarely, if ever, does the law recognize that what is good for the goose is likewise good for the gander, but Citizens Bank clearly indicates that the law concerning cyber security and identity theft is slow to develop irrespective of whether the claimant is an individual or a national corporation.  Thanks to Adam Gomez for his contribution, and please email Brian Gibbons with any questions.

Be Careful With Your Pleadings Says the PA Supreme Court.

In Liberty Mutual Insurance Company v. Domtar Paper Co. et al., the Pennsylvania Supreme Court recently affirmed the Superior Court’s ruling (which we had previously reported on) that Section 319 of the Pennsylvania Workers’ Compensation Act (“WCA”), 77 P.S. § 671, does not confer on employers or their workers’ compensation insurers a right to pursue a subrogation claim directly against a third-party tortfeasor when the compensated employee who was injured has not taken against the tortfeasor.

As we previously reported, this case arose when George Lawrence, an employee of Schneider National, Inc. fell at Domtar Paper’s parking lot while acting in the scope of his employment. In an effort to recover the amount of workers’ compensation benefits it paid out to Lawrence, Liberty Mutual designated itself a subrogee of Lawrence and brought a negligence action against Domtar Paper, who allegedly owned and maintained the parking lot. Domtar Paper filed preliminary objections on the basis that Liberty Mutual’s cause of action was barred because Pennsylvania does not recognize an independent cause of action by workers’ compensation insurers when the injured party has not brought suit in his own right and is not a party in the case. The trial court sustained the objections and the Pennsylvania Superior Court affirmed.

In affirming the Superior Court’s decision, the Pennsylvania Supreme Court noted that Liberty Mutual failed to explain why the Court should abandon Superior Court precedent that holds a right of action against the tortfeasor is indivisible and remains in the employee who suffered the entire loss. See Moltz v. Sherwood Bros., Inc., et al., 176 A, 842 (Pa. Super. 1935), Reliance Insurance Co. v. Richmond Machine Co., 455 A.2d 686 (Pa. Super. 1983), and Whirley Indus., Inc. v. Segel, 462 A. 3d 800 (Pa. Super. 1983). The court reasoned that “preventing the employer/ insurer from asserting an independent cause of action against the tortfeasor eliminates the possibility that the third-party tortfeasor could be exposed to multiple suits filed by both the employer and the injured employee, and will preserve the preferred rights of the injured employee who retains a beneficial interest in the cause of action against the tortfeasor. “ Ultimately, the Court concluded that preliminary objections were properly granted and affirmed because Lawrence did not (1) commence an action against Domtar Paper; (2) was not named in the action filed by Liberty Mutual; and (3) did not join the action filed by Liberty Mutual.

To our mind, as we told the press, this appears to be more a case of imprecise pleading and less a case of a substantive change in the law.

Special thanks to Sheri Flannery for her contributions to this post. For more information, e-mail Bob Cosgrove.

What happens in Pennsylvania stays in Pennsylvania

In McDonald v. Whitewater Challengers, Erin McDonald, a New York teacher, signed a release form to participate in a whitewater rafting school field trip conducted by Whitewater Challengers, a Pennsylvania company. Upon participation, Ms. McDonald was thrown from the raft and injured. Ms. McDonald sought to invalidate the signed liability release form by applying to New York law.

In New York, release forms immunizing recreational facilities from liability for negligence are invalid by statute, as they violate New York’s public policy. In Pennsylvania, however, such forms are permitted for the protection of the company where a participant agrees the sign a waiver and assuming the risk of the activity.

The Pennsylvania Superior Court acknowledged that New York may have an interest in recouping the costs of Ms. McDonald’s medical treatment. However, the Superior Court ultimately decided that Pennsylvania has the greater interest because a Pennsylvania company should be able to rely on Pennsylvania laws when conducting its operations.

We suspect plaintiff would have preferred to bring her claim in New York, as opposed to Pennsylvania, to take advantage of New York’s more plaintiff-friendly laws.  Unfortunately for plaintiff, the contract she signed also mandates that “Any claims or disputes arising from my participation in this program shall be venued in the Luzerne County Court in the town of Wilkes-Barre, PA, or in the Supreme Court of the State of Pennsylvania.”

Thanks to Tiffany Davis for her contribution to this post.  Please email Brian Gibbons with any questions.


A Mold Exclusion Really is a Mold Exclusion (PA)

Fungi and bacteria and mold, oh my! An insurance coverage dispute spawned by a moldy motel room in the Poconos ended  in summary judgment on behalf of the insurer. The trial court found that the defendant insurance provider had no duty to defend the plaintiff motel due to an unambiguous “fungi or bacteria” exclusion in the policy.

In Mount Pocono Motel Inc v Tuscarora Wayne Ins Co PICS Case No 15 0555 C P Mon, Luis Noriega (Noriega) rented a room at plaintiff’s mountainside getaway from 2004 – 2009. However, according to Noriega’s complaint, Noriega began to suffer from chest and breathing issues soon after checking into the budget-friendly motel. After venturing into the crawl space behind his room (in 2008) Noriega discovered that the cause of his flu-like symptoms was mold, which was concealed by a fresh layer of paint on his room’s walls. Noriega checked out soon thereafter.

Although the defendant, Tuscarora Wayne Insurance Company (Tuscarora), provided general commercial liability coverage from July 2008 to July 2009, the Monroe County Court of Common Pleas found that the policy clearly and ambiguously excluded coverage for damages relating to bacteria and fungi. The policy’s own definitions lumped mold into the definition of “fungi”, which led the court to believe that the parties intended to exclude coverage for mold-related damages.

Interestingly , the court’s granting of summary judgment relied on the Pennsylvania Supreme Court’s precedent that the primary goal in interpreting an insurance policy is to determine the parties’ intentions as manifested by the policy’s terms. Because the court found the language of the policy was clear and unambiguous, it found that Tuscarora had no duty to defend the Mount Pocono Motel in its moldy dispute with Mr. Noriega.  Thanks to Erica Woebse for her contribution to this post.  Please email Brian Gibbons with any questions.

Make Sure Your ROR Goes to Each Insured Defendant: PA Appellate Court Draws Bright Line Rule.

One question that we field from time to time is – who must get a copy of the ROR? The named insured? Each defendant who will be defended? Some other combination of parties? Erie Insurance was faced with just this issue in the case of Erie v. Lobenthal, et al.

In this case, Erie had issued an auto policy to Adam and Jacqueline Lobenthal. The Lobenthal’s daughter, Michaela, was involved in an auto accident; it appeared that, at the time of the accident, Michaela may have been under the influence of a controlled substance. Erie assigned defense counsel to defend Michaela (who qualified as an insured under the terms of the Erie policy) and issued two reservation of rights letters. The letters were only addressed to Adam and Jacqueline and a separate letter was never sent to Michaela. When it ultimately became clear that Erie had a basis to disclaim coverage (based on the controlled substances exclusion), Michaela objected on the basis that she had never personally received a reservation of rights letter. Erie responded by noting that while true, such an argument placed form over substance since Michaela’s attorney had a copy of the letter and, as a resident in her parent’s household, it was highly improbable that Michaela was unaware of the ROR. The trial court agreed with Erie and awarded summary judgment. An appeal resulted.

The Superior Court reversed the trial court. It held that:
we determine that Michaela, as the defendant, was entitled to notice of Erie’s reservation of its right to disclaim liability. Notice to Michaela’s parents, the named insureds, and to insurance defense counsel provided by Erie, was ineffective as to Michaela.

While the result may seem unfair, the case highlights the reality that form can sometimes matter more than substance as public policy favors ensuring that injured parties are compensated for their injuries.

If you have any questions about this post, please e-mail Bob .