The growing percentage of businesses that purchase cyber security and data privacy insurance portends a growing number of claims and, inevitably, litigation over some of those claims. Wells Fargo’s 2015 Cyber Security and Data Privacy Survey: How Protected Are You? indicates that nearly half (44%) of companies with $100 to $500 million in revenue that have cyber security and data privacy insurance have filed a claim with their carriers at some point. But 96% of those companies that filed a claim are satisfied with their coverage and the insurers’ handling of the claim. If the data can be extrapolated, then the remaining 4% are in or could end up in some sort of dispute resolution proceeding – small by percentage but potentially large in terms of the direct and indirect costs that can arise from cyber risk.
Recent litigation filings provide a glimpse into what types of claims are in dispute and several are noted here; however, it is important to note that these cases are still pending and no coverage decisions have been made.
One of the hottest areas of cybercrime is spoofed emails – ostensibly from an authorized corporate official – instructing an employee to transfer funds out of the company. Does the fact that the scam occurs by means of email turn the scam into a “cyber” loss? In Ameriforge Group Inc. v. Federal Ins. Co., filed on January 4, 2016 in Harris County, Texas (No. 2016-00197), the plaintiff alleges that its insurer wrongfully denied coverage under a crime policy for a spoofed email resulting in the unauthorized transfer of $480,000. The plaintiff seeks coverage under the “computer fraud coverage” provision, asserting that the email directing the funds transfer was an “unauthorized introduction of instructions, programmatic or otherwise, which propagate themselves” through a computer system. The insurer has denied coverage on the basis (among others) that the email and unauthorized transfer do not constitute computer fraud as defined in the policy.
A battle over policy limits is the subject of another recent filing. In New Hotel Monteleone, LLC v. Certain Underwriters at Lloyd’s, filed on December 10, 2015 in Orleans Parish, Louisiana (No. 2:16-cv-00061), and then removed to the Federal District Court for the Eastern District of Louisiana, the insurer has asserted that the $200,000 limit in an endorsement for “payment card industry fines” applies to all claims arising from a cyberattack against the insured. The insured claims that the full policy limits of $3 million are available to cover its alleged losses, which include not only PCI fines but also fraudulent charge reimbursement and card replacement.
Lastly, a recently filed Illinois action seeks a declaration of no coverage under a cyber, privacy and media policy for a lawsuit alleging that two employees misappropriated trade secrets when they left a competitor to work for the insured. Certain Underwriters at Lloyd’s v. Wunderland Group, LLC, filed on December 15, 2015 in Cook County, Illinois (No. 15 CH 018139). The competitor’s suit alleged that the two former employees violated their non-disclosure agreements by using proprietary information relating to the IT staffing market. The insured contends the suit should be covered under a provision covering misappropriation of trade secrets and other information arising from “media content” or “user generated content.”
The policy language, facts and jurisdiction will affect the outcomes in litigation or other proceedings. These recent filings illustrate that insureds and insurers present and face a wide array of arguments that will mark the legal landscape. While most claims get paid or settled, the minority of disputed claims continues to provide fodder for litigation that will help develop the body of law that both insureds and insurers can consider in their insurance transactions going forward.