Takeaway: When a cybersecurity-related incident occurs, an insured should not automatically assume a standard commercial general liability (CGL) policy issued by an insurer will cover their losses, as CGL policies generally afford coverage to an insured for losses resulting from bodily injury and property damage. An insured’s cybersecurity losses can encompass much more, such as losses arising from a data breach concerning confidential or personal information of a client or customer, i.e., third parties who fall outside of the scope of an insured’s traditional CGL policy. Therefore, to ensure cyber coverage exists in the wake of a cyber incident, an insured should make certain that potential cyber-related losses are included within the “four corners” of the underlying insurance policy to secure a defense and, more importantly, coverage from an insurer.
Key Point: In determining whether there is a duty to defend, a court must follow the “Eight Corners” Rule and look at the “four corners” of the complaint and the “four corners” of the underlying insurance policies.[1] In other words, an insurer is obligated to defend its insured if the factual allegations of the complaint, on its face, encompass an injury that is actually or potentially within the scope of the policy.[2]
Discussion: Recently, an increasing number of legal battles over whether losses related to cybersecurity incidents are covered by an insured’s policy have tested the applicability of the underlying policy. For example, an Eleventh Circuit panel addressed whether a ‘computer fraud’ policy issued by Great American Insurance Company to Interactive Communications International, Inc. and HI Technology Corp. (together, “InComm”) excluded coverage for losses involving fraud.[3] InComm sold “chits” – each of which had a specific monetary value – to consumers, who could then “redeem” them by loading their value onto a debit card.[4] Between November 2013 and May 2014, InComm lost $11.4 million when fraudsters manipulated a glitch in InComm’s computerized interactive-telephone system that enabled them to redeem chits multiple times, with each duplicative redemption of an already-redeemed chit defrauding InComm of the chit’s value.[5] The Panel narrowly construed proximate cause and found that the insured’s losses from the fraudulent scheme did not result directly from computer fraud and thus were not covered by the insurance policy.[6] Importantly, the Panel noted that although the fraudsters did “use [a] computer” within the meaning of the policy, the insured’s losses did not “result[ ] directly” from the computer fraud, as required by the policy’s plain language,[7] i.e., the meaning of the terms within the “four corners” of the policy.
In another case, the Court of Appeals for the Second Circuit addressed[8] whether losses caused by a “spoofing” attack[9] were covered under the computer-fraud provision of an insurance policy issued by Federal Insurance Company. The Plaintiff, Medidata Solutions, Inc., provides cloud-based services to scientists conducting research in clinical trials and used Google’s Gmail platform for company emails.[10] Email messages sent to Medidata employees were routed through Google computer servers, and Google systems then processed and stored the email messages.[11] In the midst of planning a possible acquisition, Medidata instructed finance personnel “to be prepared to assist with significant transactions on an urgent basis.”[12] On September 16, 2014, a Medidata employee received an email purportedly sent from Medidata’s president stating that Medidata was close to finalizing an acquisition, and that an attorney named Michael Meyer (“Meyer”) would contact the employee.[13] Meyer then called the employee requesting a wire transfer, and $4,770,226.00 was wired to a bank account provided by Meyer.
Medidata brought suit, claiming that its losses from the email “spoofing” attack were covered by, inter alia, a computer fraud provision in its insurance policy with Federal Insurance. The provision covered losses stemming from any “entry of Data into” or “change to Data elements or program logic of” a computer system. Federal Insurance asserted that the spoofing attack was not covered because Medidata’s policy applied only to hacking-type intrusions.[14]
In construing the “plain and unambiguous language of the policy,” the Court held that the “spoofing” attack was the proximate cause of Medidata’s losses and that those losses were covered by the terms of the computer fraud provision, because computers were integral in the scheme’s success.[15]
And just one week ago, Wesco Insurance Company filed a complaint against IRA Financial Group seeking a declaration that it does not have to provide coverage for various claims filed against the self-directed retirement and pension account provider relating to a cyberattack involving at least $36 million in stolen crypto assets.[16] The Complaint set forth various provisions of the underlying policy purportedly applicable in support of Wesco’s denial of coverage, including a “Cyber Liability” exclusion provision.[17] Given the recent spike in cryptocurrency holders worldwide, it will be interesting to see how the Court interprets the “plain language” of the insurance policy in determining whether those terms fall within the “four corners” of the underlying policy, thereby affording coverage to the insured.
[1] See Travelers Indem. Co. of America v. Portal Healthcare Solutions, LLC, 35 F.Supp.3d 765, 769 (E.D.Va. 2014).
[2] See American and Foreign Ins. Co. v. Jerry’s Sport Center, Inc., 2 A.3d 526, 541 (Pa. 2010).
[3] See Interactive Communications International, Inc. v. Great American Ins. Co., 731 Fed.Appx. 929 (11th Cir. 2018).
[4] Id. at 930.
[5] Id. at 930-31.
[6] Id. at 935-36.
[7] Id. at 930.
[8] See Medidata Solutions, Inc. v. Federal Ins. Co., 729 Fed.Appx. 117 (Mem) (2d Cir. 2018).
[9] As the district court explained, “spoofing” is “the practice of disguising a commercial e-mail to make the e-mail appear to come from an address from which it actually did not originate. Spoofing involves placing in the ‘From’ or ‘Reply-to’ lines, or in other portions of e-mail messages, an e-mail address other than the actual sender’s address, without the consent or authorization of the user of the e-mail address whose address is spoofed.” Medidata Sols., Inc. v. Fed. Ins. Co., 268 F.Supp.3d 471, 477 n.2 (S.D.N.Y. 2017) (quoting Karvaly v. eBay, Inc., 245 F.R.D. 71, 91 n.34 (E.D.N.Y. 2007)).
[10] See Medidata Solutions, Inc., 268 F.Supp.3d at 472.
[11] Id.
[12] Id. at 473.
[13] Id.
[14] See Medidata Solutions, Inc., 729 Fed.Appx. at 118.
[15] Id. at 119.
[16] See Wesco Ins. Co. v. IRA Financial Group, et al., Case No. 1:22-cv-23507 (S.D. Fla. October 27, 2022).
[17] See Wesco’s Complaint, ¶ 48, p. 19.
* This blog is available for informational purposes only and is not considered legal advice on any subject matter. By viewing blog posts, the reader understands there is no attorney-client relationship between the reader and the blog publisher. The blog should not be used as a substitute for legal advice from a licensed professional attorney. Readers are urged to consult their own legal counsel or reach out to any of Pietragallo’s attorneys on any legal questions concerning a specific situation.