A lawsuit filed against an insurer for failing to provide coverage after a policyholder was duped into wiring nearly half a million dollars overseas could completely reverse prior rulings nationwide, according to lawyers who specialize in the field.
According to a complaint filed in Texas state court by the Ameriforge Group, Chubb denied its May 2014 coverage claim for both computer and funds transfer fraud in which someone impersonating the company’s CEO sent the accounting director a deceptive email instructing him to wire $480,000 to the Agriculture Bank of China.
“The coverage of these cyber policies has a hard time keeping up with the various ways and means that the perpetrators of these fraudulent schemes and other cyber threats conduct their operations,” said Joseph Balice, an insurance recovery attorney and partner with Brutzkus Gubner in Los Angeles, which advises cyber policyholders in disputes with their insurers.
“Insurance companies like Chubb call these social engineering claims,” said Mr. Balice. “They are addressing it by adding a clause expressly into the policy as a new section, which is the insurers’ way of standing by their position to deny it on earlier policies.”
If Ameriforge wins, a favorable ruling could set either a binding or persuasive precedent for other courts to use in determining whether or not to cover these future claims.
There are, however, several obstacles that policyholders like Ameriforge face in winning such a suit against cybersecurity insurers. The first is the lack of standardized policy language.
“These policies are very complex and somewhat confusing to follow,” said Barry Fleishman, head of Shapiro Lifschitz & Schram’s Insurance Coverage Litigation practice in Washington, D.C. “The breadth of the coverage and the clarity of the language has yet to be fully tested in the courts.”
One such dispute involved Medidata Solutions demanding in 2015 that the Federal Insurance Company pay up to $5,000,000 for a direct loss of money that was claimed under the policy definitions of computer fraud, funds transfer fraud or forgery, in a case that is still pending.
“The Medidata Solutions dispute comes down to very detailed definitions of whether the incident was a computer violation and whether a particular action falls into the definition of computer fraud,” said Lyndon F. Bittle, a trial and appellate lawyer specializing in insurance coverage.
Certain mid-level employees inside Medidata Solutions’ finance department were deceived by fraudulent emails, resulting in the transfer abroad of $4.8 million.
“When you have new coverage areas like this, in the first few years there are always disputes about what the language of the policy means,” said Mr. Bittle, a partner with Carrington Coleman in Dallas and head of the firm’s insurance coverage group.
A second common argument that insurers use in court to avoid covering losses from email scams or social engineering claims turns on whether the policyholder requesting reimbursement followed standardized practices.
According to IBM X-Force Research, insider involvement accounted for 58% of all breaches in 2016, and of these, 53% acted inadvertently.
“This statistic is the basis for whether a negligence standard applies and whether a policy exclusion requires a firm to follow minimum required practices,” said Mark Happe, an attorney and expert in corporate and financial services compliance.
For example, in Columbia Casualty v. Cottage Health, a class action suit was filed in U.S. District Court in Los Angeles in 2015 against Cottage Health System, a nonprofit organization that operates a network of hospitals in Southern California, for a data breach involving some 32,500 confidential medical records between Oct. 8, 2013, and Dec. 2, 2013.
After a $4.1 million settlement received preliminary court approval in December 2014, Columbia Casualty got out of funding the settlement by claiming that Cottage Health’s policy precluded coverage for failure to follow minimum required practices and that Cottage Health was responsible for the breach because it had failed to live up to requirements set out under the policy.
“The precedence this case set is that the insured and the broker need to read the policy very carefully because there are extremely broad exclusions from coverage,” Mr. Happe told PacerMonitor. “Business enterprises really need to look at the underlying policy because this cyber policy language isn’t standardized and it requires a lot of scrutiny to uncover these coverage gaps or these hidden traps.”
In other words, insurers won’t pay if a firm is negligent in its cybersecurity practices. Specifically, Columbia Casualty alleged in court filings that the hospital system failed to implement the procedures and risk controls identified in its insurance application and that Cottage Health’s data breach was caused by its failure to regularly check and maintain security patches on its system, its failure to regularly reassess its information security exposure and enhance risk controls, its failure to have a system in place to detect unauthorized access or attempts to access sensitive information stored on its servers, and its failure to control and track all changes to its network to ensure it remains secure, among other things.
A third hurdle that companies like Medidata Solutions and Ameriforge must overcome is the fact that insurers execute policies under state laws, not national or federal law.
“The degree to which a policyholder can make a claim for bad faith depends upon the case law precedent and bad faith insurance statutes in each of the individual states,” Mr. Fleishman told PacerMonitor. “Some states are broader in their recognition of bad faith. California, for example, is one but other states are much more restrictive with respect to bad faith. Whether you can attach bad faith to a breach of contract action really depends upon what state law is going to apply in a case.”
Finally, most policies include a choice-of-law provision, which is a set of rules used to select which jurisdiction’s laws to apply in a lawsuit.
They most often emerge in federal court pleadings in which the plaintiff and defendant are from different states.
“Choice of law prevents insurance complaints from being tried in federal court unless they are part of a class action,” Mr. Happe said.