Each day, businesses become progressively more dependent on computers and the Internet to gather, store and protect information. But, as sophisticated as this technology may be, it has also proven to be susceptible to breaches, which have time and again resulted in the unauthorized access of confidential information.
These breaches can be incredibly costly to companies. According to a recent study by Symantec, the average total organizational cost of a data breach to a U.S. company has reached a staggering $5,403,644. And when, as in the case of the recent Target breach, many millions of individuals have potentially had their personal information compromised, the cost of a data breach may be many times the Symantec average.
As more companies have experienced data breaches, we have seen an increasing number of disputes over whether insurance policies will help pay for them. In this article, we have compiled cases that have addressed (or are addressing) coverage for these breaches, and have divided those cases into three categories: decided, settled and pending. As set forth below, many (but not all) of these cases have focused on whether the breached data was covered property, whether there had been a “personal or advertising injury,” or whether the policyholder's conduct was intentional.
Rulings in Breach Coverage Cases
In one of the earliest cases involving coverage for an electronic data breach, a Florida district court held that there was no coverage under a crime insurance policy, which insured damage to “'tangible property … that has intrinsic value.'” Peoples Telephone Co., Inc. v. Hartford Fire Ins. Co., 36 F. Supp. 2d 1335 (S.D. Fl. 1997).
The underlying breach in that case involved employee theft. An employee of Peoples Telephone, which provided mobile phones to rental car fleets, allegedly stole identification numbers and sold them to third parties who in turn used the numbers to program, activate and use other phones, and to run up hundreds of thousands of dollars in unauthorized charges. 36 F. Supp. 2d at 1336-37. Peoples Telephone argued that the crime policy issued by Hartford Fire covered this action because the stolen identification numbers constituted covered property, which the policy defined as tangible property with intrinsic value. Id. at 1337. The court rejected this argument, holding that the identification numbers could not “be said to have intrinsic value since, without reference to cellular phones, they have no meaning or use.” Id. at 1339.
Ten years later, a California state court likewise held that a commercial general liability (“CGL”) policy did not provide coverage for an alleged data breach because the policyholder had intentionally breached a third party's systems, and because there was no “personal or advertising injury” (i.e., injury “arising out of … oral or written publication of material that violates a person's right to privacy”) under the policy. Tom Joseph Santos v. Peerless Ins. Co., 2009 Cal. App. LEXIS 3415 (Cal. Ct. App. Apr. 30, 2009).
The policyholder in that case, Santos, was an officer and owner of a company that had been authorized to resell and provide services for Apple products. In the course of a business dispute between Santos and Apple, the latter claimed that Santos had breached Apple's computer network to access non-public information. Id. at *3. Santos sought a defense and coverage from its insurer, Peerless, for that claim.
The court concluded that there was no coverage under the policy because, due to Santos' intentional acts, there was no occurrence under the policy's insuring agreement relating to “bodily injury/property damage.” Indeed, Santos had admitted that he “was deliberately misusing Apple's website to obtain information that he was not supposed to have to use as ammunition against Apple in a lawsuit …” Id. at *20. The court likewise held that there was no coverage under the policy's insuring agreement for “personal or advertising” injury, because Apple had not alleged that Santos had violated Apple's privacy rights. Id. at *23.
In 2009, a California federal court similarly held that an insurer had no duty to defend a policyholder that had intentionally misappropriated data. Greenwich Ins. Co. v. Media Breakaway, LLC, 2009 U.S. Dist. LEXIS 63454 (C.D. Ca. 2009). That policyholder, Media Breakaway, is an online marketing company that rewarded its contractors (or “affiliates”) for directing Internet traffic to its websites. The affiliates hacked into the social media website MySpace, and misappropriated user logins and passwords. Id. at *4.
The court held that these actions were excluded under the directors' and liability policy because the underlying claims against Media Breakaway were predicated on alleged “intentional wrongful conduct.” Id. at n.8. The court further held that coverage was barred under a policy exclusion for “profit … to which such Insured is not legally entitled,” since Media Breakaway had profited from illegal actions. Id. at *24-25.
Three years later, a federal district court in Wisconsin considered whether electronic funds in an online bank account were covered “tangible property” under a policy that provided commercial excess liability coverage and “Bis-Pak” coverage. Carlon Co. v. Delaget, LLC, 2012 WL 1854146 (W.D. Wis. 2012). The policyholder in that case was a restaurant group, which had hired Delaget, LLC to manage its finances. Carlon's accounts allegedly appeared to have been exposed to a virus on Delaget's computer, leading to the theft of $696,656.00 from Carlon's account with Morgan Stanley. Id. at *2. The court held that the liability coverage form of the policy at issue did not apply, because there was no required loss of use of tangible property. According to the court, the electronic funds at issue were not tangible “by the ordinary meaning of that word, and no precedent or sufficient justification has been provided for treating them as such.” Id. at **5-6. The court similarly held that the property coverage form of the policy did not apply, because Delaget had not lost the use of its own property. Id. at *6.
By contrast, the Sixth Circuit held that a blanket crime policy did provide coverage for a data breach in Retail Ventures, Inc. v. National Union Fire Ins. Co. of Pittsburgh, Pa., 691 F.3d 821 (6th Cir. 2012) (applying Ohio law). In that case, an individual hacked the wireless network of DSW retail stores and stole the credit and debit card information of more than 1.4 million customers. Id. at 824. The plaintiffs' blanket crime policy provided coverage for losses, which directly resulted “from the theft of any Insured property by Computer Fraud.” National Union did not dispute that there was a theft that involved Computer Fraud as defined in the policy, but it did dispute that the losses at issue directly resulted from that computer fraud. Both the Ohio District Court and the Sixth Circuit rejected National Union's argument; applied a “proximate cause” standard; and held that the policyholder's losses directly resulted from the breach. Id. at 825-26.
The court in Metro Brokers Inc. v. Transportation Ins. Co., No. 1:12-CV-3010 (N.D. Ga. filed Aug. 29, 2012), held that an all-risk insurance policy excluded losses from a hacker's (or hackers') unauthorized access to the policyholder's account and subsequent theft of funds from escrow accounts. Specifically, the court determined that the breach fell within the policy's exclusion for damage resulting from “malicious code and system penetration.” The court also held that stealing electronic funds was not the “forgery of a negotiable instrument” under the policy's forgery endorsement, because the funds had no “intrinsic value” (as required by the policy), and because the transfers were triggered electronically instead of by a signed writing.
A federal district court in Kentucky likewise held that CGL coverage did not apply to losses resulting from the improper access of a customer database. Liberty Corporate Capital Ltd. v. Sec. Safe Outlet, Inc., 937 F. Supp. 2d 891 (E.D. Ky. 2013). The policyholder in that case, Security Safe Outlet (“SSO”), allegedly stole confidential customer information from Bud's Gun Shop (“BGS”) and used that information to advertise SSO's competing business by e-mail. Id. at 896. SSO sought defense and indemnity from Liberty Corporate for the claims alleged against it arising out of these facts. Id. at 894.
In rejecting SSO's claim for coverage, the court held that the customer information was not covered “tangible property” because the policy excluded “electronic data” from the definition of property, and because customer information in an electronic database was not “tangible,” since it had no “physical form or characteristics.” Id. at 899. The court then held that there would be coverage under the policy's “personal and advertising injury” provision, because the e-mails that SSO sent to BGS's customers constituted advertising, but that a breach of contract exclusion nevertheless barred coverage under the policy as a whole. Id. at 902.
Finally, a Connecticut state appellate court recently affirmed that a CGL policy did not provide coverage for liabilities resulting from lost computer tapes in Recall Total Info. Mgmt. Inc. v. Federal Ins. Co., 2014 WL 43529 (Conn. App. Ct. 2014). In that case, Recall had contracted to transport electronic tapes for IBM. When IBM's tapes (literally) fell off the back of a truck during transport, employment-related data for 500,000 individuals was lost. Id. at *1.
Recall asserted coverage under the “personal injury” coverage part of the CGL policy at issue, which provided coverage for damage resulting from “injury … caused by an offense of … electronic, oral, written or other publication of material … that violates a person's right to privacy.” Id. at *5. In rejecting that contention, the trial court held, and the appellate court affirmed, that the tapes were not “published” because there was no evidence the information on them was actually accessed by a third party. Id. at *6. Additionally, merely triggering notification statutes was not a “presumptive invasion of privacy” giving rise to coverage under the policy. Id. at *7.
Settlements
Some cases involving coverage for data breaches have recently settled (in whole or in part), but are nonetheless worth noting for the insights that they provide into the basis for the parties' disputes. For example, in 2011, Scottrade Inc. settled a dispute with its insurer, The St. Paul Mercury Insurance Company, over coverage for losses resulting from the unauthorized access of around 1,400 brokerage accounts registered with the company. Scottrade, Inc., v. The St. Paul Mercury Ins. Co., No. 4:09-CV-1855 (E.D. Mo. filed Nov. 12, 2009). Scottrade sought recovery under a bond issued by St. Paul Mercury, which contained a rider for computer systems fraud that covered the entry or change of “Electronic Data or Computer System” into or within “any Computer System operated by the Insured, provided that the entry or change causes property to be transferred … an account … to be added, deleted, debited or credited, or an unauthorized account or a fictitious account to be debited or credited.”
Sony Corporation has also recently settled a data breach coverage dispute with one of its insurers, Great American, although Sony's coverage dispute with another insurer, Zurich, is still pending in New York state court. Zurich Am. Ins. Co. v. Sony Corp. of Am., No. 651982/2011 (N.Y. Sup. Ct. filed July 20, 2011). This coverage dispute stems from the breach in 2011 of Sony's PlayStation Network, and the theft of more than 100 million individuals' personal information.
Zurich initiated a declaratory judgment action against Sony and three additional insurers, seeking a declaration that the CGL policies that Zurich had issued to Sony did not provide coverage for this breach because there was no damage to tangible property, and because there had been no “personal or advertising injury.” Zurich also initiated an additional action against Sony's excess insurer, Great American, but in late 2013, Sony and Great American stipulated that the latter has no payment obligations to Sony as a result of the breach, and that Great American will not allege that Sony failed to comply with notice requirements or any law, statute or regulation if any claims from Sony insureds are retendered to Great American. As of the publication date for this article, Great American seeks dismissal of Zurich's claim against it, but Zurich takes the position that Sony is still able to retender its claims to Great American, and that the insurer's dismissal could lead to piecemeal litigation in the future.
Michaels Stores recently settled a coverage dispute with Arch Insurance Company over coverage for a breach stemming from a “skimming attack,” in which hackers used a program to compromise the stores' PIN pad terminals, which collected customers' debit and credit card information when the cards were swiped for payment. Arch Ins. Co. v. Michaels Stores, Inc., No. 1:12-cv-00786 (N.D. Ill. filed Feb. 3, 2012). Arch had asserted that there was no coverage because there was no property damage or personal and advertising injury. XL Insurance America had also filed a declaratory judgment action against Michaels stemming from the breach, but XL dismissed its suit once Michaels settled with Arch.
And, in October 2013, Schnuck Markets dismissed a lawsuit against its insurer Liberty Mutual, which had sought coverage for losses stemming from a malware attack which compromised 2.4 million credit and debit cards. Liberty Mutual Ins. Co. v. Schnuck Markets Inc., No. 4:13-CV-01574 (E.D. Mo. filed Aug. 14, 2013). Schnuck's excess insurer Liberty Mutual had contended that its policy did not cover the breach because there was no property damage and no personal and advertising injury, and because other policy exclusions applied. Schnuck's insurer, Beazley Insurance Company, is still contesting coverage for this loss. Beazley Ins. Co. Inc. v. Schnuck Markets Inc., No. 1:13-CV-08083 (S.D. N.Y. filed Nov. 13, 2013).
Pending Cases
Finally, these pending disputes bear watching:
1. State Nat'l Ins. Co. v. Global Payments Inc., No. 1:13-CV-01205 (N.D. Ga. filed Apr. 2013). This dispute stems from the hacking of a credit and debit card processor's computer systems. State National, which issued an excess liability policy to Global Payments, contends that its policy does not apply to the breach because the policy's “privacy” and “technology services” coverage parts do not apply, and because exclusions bar coverage.
2. First Commonwealth Bank, et al. v. St. Paul Mercury Insurance Co., No. 2:14-CV-0009 (W.D. Pa. filed Jan. 3, 2014): On Jan. 3, 2014, First Commonwealth Bank sued St. Paul Mercury Insurance in a federal Pennsylvania court, seeking coverage under a professional liability policy for losses stemming from a bank account hacking scheme. As a result of this hacking scheme, the bank replaced $3.5 million into three corporate accounts. St. Paul alleges that it was improper for the bank to replace that money without first seeking permission from the insurer, as required under the Policy.
Conclusion
Looking ahead, we expect that coverage disputes resulting from data breaches are far from over. As businesses continue to integrate technology into the heart of their companies, the information protected becomes increasingly valuable and a larger target for sophisticated criminals. The coverage issues that follow are likewise ever more valuable, and the cases compiled in this article may reflect “just the beginning” of litigation regarding this type of loss.
Ellen Farrell is a Counsel in Crowell & Moring LLP's Insurance/Reinsurance practice group. Kathryn Linsky is an Associate in the same practice group.