Cybersecurity Insurance: The Circuit Court considers insurers’ liability for insured losses resulting from data breaches. JD Supra

Takeaway: In the event of a cybersecurity-related incident, the insured should not automatically assume that the standard commercial general liability (CGL) policy issued by the insurer will cover the loss. CGL policies are generally intended to provide coverage to the insured for loss resulting from personal injury and property damage. The insured’s cybersecurity losses may include many more losses, such as losses arising from data breaches involving confidential or personal information of clients or customers, i.e., third parties outside the scope of the insured’s existing CGL policy. Therefore, to ensure that cyber coverage exists after a cyber incident occurs, the insured should ensure that potential cyber-related losses are included in the “corners” of the underlying policy, securing a defense and, more importantly, coverage from the insurance company.


Key Point: In determining whether there is a duty to defend, the court must follow the “eight corners” rule and look at the “four corners” of the complaint and the “four corners” of the underlying policy.[1] In other words, the insurer is obliged to defend the insured when the factual allegation of the claim ostensibly involves an injury that is actually or potentially within the scope of the policy.[2]

Discussion: Recently, there has been an increasing number of legal battles over whether the insured’s policy covers losses related to cybersecurity incidents, testing the applicability of basic policies. For example, an 11th Circuit panel addressed whether the “computer fraud” policy issued by Great American Insurance Company to Interactive Communications International, Inc. and HI Technology Corp. (together, “InComm”) excluded compensation for InComm’s loss.[3] InComm sold “chits” to consumers, each of which had a certain monetary value, and consumers were able to “redeem” that value by charging their debit cards.[4] Between November 2013 and May 2014, a glitch in InComm’s computerized two-way phone system allowed scammers to manipulate the chit multiple times, costing InComm $11.4 million.[5] The panel narrowly construed proximate cause and found that the insured’s losses due to rogue hacker attacks were not directly attributable to computer fraud and were therefore not covered by the insurance policy.[6] Importantly, the panel noted that although the fraudsters “used [a]” computer within the meaning of the insurance policy, the insured’s loss did not “result[ ] directly” from computer fraud, as required by the plain language of the policy,[7] i.e., the meaning of the terms in the “four corners” of the policy.

In another case, the Court of Appeals for the Second Circuit[8] addressed whether a loss due to a “spoofing” attack[9] was subject to the computer fraud provision of an insurance policy issued by Federal Insurance Company. Medidata used Google’s Gmail platform for email.[10] Email messages sent to Medidata employees were routed through Google’s computer servers, and Google’s systems processed and stored the email messages.[11] In the midst of planning a potential acquisition, Medidata instructed its treasurers to “be prepared to urgently support critical transactions.”[12] On September 16, 2014, a Medidata employee received an e-mail, allegedly sent by Medidata’s president, stating that Medidata was nearing the final stages of an acquisition and that an attorney named Michael Meyer (“Meyer”) would contact the employee.[13] Meyer then called the employee requesting a wire transfer, and $4,770,226.00 was wire transferred to a bank account provided by Meyer.

Medidata sued Federal Insurance, claiming its losses from the email “spoofing” attack under, among other things, the computer fraud provision of the insurance policy. This provision covered losses caused by “inputting data” into a computer system or “changing data elements or program logic”. Federal Insurance argued that spoofing attacks were not covered, as Medidata’s policy instead only applied to hacking-type intrusions.[14]

In interpreting the “plain and clear language of the policy,” the court held that “impersonation” attacks were the direct cause of Medidata’s losses, and that those losses were covered by the terms of the computer fraud provision.[15]

And just a week ago, Wesco Insurance Company filed a complaint seeking a declaration that it does not have to provide coverage to IRA Financial Group for various claims brought against the voluntary retirement and pension account provider related to a cyberattack involving at least $36 million in stolen crypto assets.[16] The complaint sets out various provisions of the underlying policy that purportedly apply to support Wesco’s refusal to indemnify, including the “cyber liability” exclusion.[17] Given the recent surge in cryptocurrency holders around the world, it will be interesting to see how courts interpret the “plain language” of insurance policies to determine whether such claims fall within the “four corners” of the insured’s underlying policy.

[1] See Travelers Indem. Co. of America v. Portal Healthcare Solutions, LLC, 35 F. Supp. 3d 765, 769 (E.D. Va. 2014).

[2] See American and Foreign Ins. Co. v. Jerry’s Sport Center, Inc., 2 A.3d 526, 541 (Pa. 2010).

[3] See Interactive Communications International, Inc. v. Great American Ins. Co., 731 Fed. Appx. 929 (11th Cir. 2018).

[4] Id. at 930.

[5] Id. at 930-31.

[6] Id. at 935-36.

[7] Id. at 930.

[8] See Medidata Solutions, Inc. v. Federal Ins., 729 Fed. Appx. 117 (Mem) (2d Cir. 2018).

[9] As the District Court explained, “spoofing” is “the disguise of commercial e-mail so that it appears that the e-mail was sent from an address that it did not originate from. Spoofing includes placing an email address other than the actual sender’s address in the ‘From’ or ‘Reply-To’ lines of any email message, or any other part of the email message, without the consent or approval of the email user whose email address is spoofed.” Medidata Sols., Inc. v. Fed. Ins. Co., 268 F. Supp. 3d 471, 477 n.2 (S.D.N.Y. 2017) (citing Karvaly v. eBay, Inc., 245 F.R.D. 71, 91 n.34 (E.D.N.Y. 2007)).

[10] See Medidata Solutions Inc., 268 F. Supp. 3d at 472.

[11] Id.

[12] Id. at 473.

[13] Id.

[14] See Medidata Solutions Inc., 729 Fed. Appx. at 118.

[15] Id. at 119.

[16] See Wesco Ins. Co. v. IRA Financial Group et al., Case No. 1:22-cv-23507 (S.D. Fla. 27 October 2022).

[17] See Wesco Complaint, ¶ 48, p. 19.

* This blog is for informational purposes only and should not be considered legal advice on any subject. The blog should not be used as a substitute for legal advice from a licensed professional attorney.
