Cyber Coverage for Social Engineering Schemes Remains at Odds

Social engineering continued to be a major concern in 2018 as businesses continued to fall prey to such schemes and other cyber risks. 2018 also saw a trend in favor of coverage for these schemes, which is promising for retailers and other businesses. However, the varied results continue and should caution policyholders to obtain social engineering/ impersonation cyber fraud coverage by endorsement that is as specific as possible.

  • Am. Tooling Ctr., Inc. v. Travelers Cas. & Sur. Co. of Am., 895 F.3d 455 (6th Cir. 2018). The Sixth Circuit reversed a district court's decision finding coverage under a crime policy for a manufacturer's $800,000 loss, reasoning that the fraudulent email that prompted wire transfers to fraudsters was an immediate and proximate cause of the loss.
  • Medidata Sols. Inc. v. Fed. Ins. Co., 268 F.Supp.3d 471 (2d Cir. 2018). The Second Circuit affirmed a district court's ruling and found coverage under the computer fraud provision of the insured's crime policy for a cloudbased service provider's loss of $4.8 million resulting from an employee's being deceived into transferring the money as a result of an email disguised to look like it was from the company's president.
  • Aqua Star (USA) Corp. v. Travelers Cas. & Surety Co. of Am., No. 16-35614 (9th Cir. Apr. 17, 2018). The Ninth Circuit affirmed a district court's decision finding no coverage for a $700,000 loss resulting from hackers who, while posing as employees, directed other employees to change account information for a customer. The court found that an exclusion providing that the policy "will not apply to loss resulting directly or indirectly from the input of Electronic data by a natural person having the authority to enter the Insured's Computer System" applied and barred coverage.

Contrasting Results Introduce New Challenges for Policyholders Seeking Coverage for Credit Card Company Assessments and Penalties Resulting from Cyber Exposure

Businesses are increasingly purchasing insurance policies to address their cyber and data security exposures. Recently, courts have weighed in on coverage afforded to policyholders for credit card company assessments and penalties resulting from data exposure caused by third-party hackers. Many of the judicial decisions addressing insurance for cyber exposures have done so under traditional insurance policies, as opposed to under newer cyber insurance policies, resulting in negative results for policyholders. However, recent decisions demonstrate that policyholders should engage their insurers to ensure that their policies, whether traditional or not, are specifically designed to cover cybersecurity and data breach events. And, faced with a denial, policyholders should not assume that an insurer's efforts to deny coverage will necessarily prevail in all cases, as shown by recent decisions

  • Spec's Family Partners, Ltd. v. Hanover Ins. Co., No. 17-20263 (5th Cir. June 25, 2018). The Fifth Circuit found that Hanover Insurance Company had a duty to defend Spec in an action arising out of two data breaches of Spec's credit card payment system. The court held that the district court improperly found that an exclusion for contract-based claims barred coverage, finding that part of the alleged conduct did not fall within the exclusion for contract-based claims.
  • St. Paul Fire & Marine Insurance Co. v. Rosen Millennium Inc., 6:17-cv-540 (M.D. Fla. Sept. 28, 2018). A federal district court in Florida ruled that St. Paul Fire & Marine Insurance Co.'s commercial general liability policy did not cover fines and penalties assessed against its insured, Rosen Hotels, after hackers installed malware into the hotel's credit card payment network. The court reasoned that the policy required that the credit card information be "made known" by the insured's activities and not a third party's activities. Thus, because the credit card information was made known as a result of the hackers' activities, the court found there was no coverage.

Recall Insurance Continues to be Source of Coverage Disputes

The risk of product recalls has continued to increase in recent years due to tightened regulatory standards and the implementation of new safety rules. 2018 experienced a surge in coverage disputes involving the interpretation of recall insurance policies' terms. Varying court interpretations illustrate the need for policyholders to scrutinize recall insurance policies. Below we highlight some key cases.

  • Blessings, Inc. d/b/a Blessings Seafood v. Houston Casualty Co., No. 1:18-cv-00262-LTS (S.D.N.Y. filed Jan. 11, 2018). A seafood distributor, Blessings, sued its insurer seeking to recover losses associated with a product contamination claim involving Blessings' raw shrimp product. Blessings sought coverage under its contamination policy with Houston Casualty, which provided coverage for, among other things, the value of contaminated products up to $3 million per insured event. Houston Casualty issued partial payment for Blessings' direct losses associated with the value of the contaminated shrimp, but refused to pay the balance of the claim. On March 1, 2018, the court was notified that the parties had reached a settlement, pending execution of a final written agreement.
  • Hanover Ins. Group, Inc. v. Raw Seafoods, Inc., 91 Mass. App. Ct. 401 (2107). The Appeals Court of Massachusetts in Boston found that the trial judge erred when granting summary judgment in favor of the insurer relating to a coverage dispute regarding more than 57,000 pounds of spoiled scallops. RSI, a seafood processing company, was sued by its customer, Atlantic Capes Fisheries Inc., after receiving a batch of spoiled scallops for processing. RSI's insurer, Hanover, agreed to defend RSI in the action under a reservation of rights. Hanover also filed suit seeking a ruling that it owed no coverage because the damage to the products was not caused by an "occurrence" distinct from RSI's performance of its work. The trial court granted summary judgment in Hanover's favor, but the appellate court reversed, finding that the damaged scallops were caused by an "unexpected happening," and thus an "accident," rather than a foreseeable consequence of RSI's normal business operations.
  • Starr Surplus Lines Insurance Co. v. Mountaire Farms, Inc., No. 2:18-cv-67-JDL (D. Me. Aug. 02, 2018). A federal district court in Maine ruled against an insurer's effort to be reimbursed for $10 million it paid a policyholder in connection with salmonella-contaminated raw chicken. Starr Indemnity & Liability Co. Inc. brought an action against a chicken supplier, Mountaire Farms, asserting that Mountaire delivered contaminated chicken products to Starr's insured, AdvancePierre Foods, which resulted in a recall of more than 1,700,000 pounds of chicken products. Starr had paid the policy limits of $10 million for AdvancePierre's recall insurance claim. Mountaire moved to dismiss Starr's lawsuit, arguing, among other things, that Starr's claims failed because salmonella is an "inherent and recognized characteristic" of raw chicken and, therefore, could not be considered "defective," "unfit for its particular purpose" or "unreasonably dangerous," which are required elements of Starr's claims. Mountaire further argued that Starr's strict liability claim is barred by the economic loss doctrine. The court agreed with both arguments and dismissed the lawsuit.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.