Personal Injury Coverage Does not Apply to Data Breach

According to a Law360 report, Sony Units Denied Coverage For Suits Tied To Cyber Attack (subscription required), a New York state judge ruled last Friday in the Zurich v. Sony insurance litigation that the stealing of consumer information through a cyber attack did not constitute “personal injury” under a commercial general liability policy because third-party hackers and not the insured committed the offense. If upheld on appeal, the decision would complement other authority holding that personal injury coverage applies only to potential liability from the insured’s purposeful acts.

The Sony coverage litigation resulted from a 2011 data breach. Zurich American Insurance Company and Mitsui Sumitomo Insurance Company had issued primary commercial general liability policies to Sony. In April 2011, computer hackers broke into Sony networks and stole personal and financial information of over 100 million users. 

Immediately following the breach, Sony was named as a defendant in numerous class actions. Sony tendered the defense of these actions to its insurers. Mitsui denied coverage. Zurich responded by filing a declaratory relief action in New York state court seeking a declaration that Zurich had no duty to defend.

The parties later filed cross-motions for partial summary judgment. The resolution of the motions turned on whether the data breach constituted a “personal injury” offense. Among other enumerated offenses, the policies provided coverage for a “publication, in any manner, of material that violates a person’s right of privacy.”


FTC Calls for National Data Security Standards as Proposed Legislation Stalls

In congressional testimony, the Federal Trade Commission’s Chairwoman, Edith Ramirez, recently reiterated the FTC’s call for stronger data security laws, while federal legislation concerning data security and breach notification remains in limbo.

Although the FTC is the nation’s leading privacy enforcement agency, it derives enforcement authority from a hodgepodge of statutes, many of which lack adequate remedies to compel compliance with data security and breach notification requirements.

Those laws include:

The FTC’s need to resort to multiple statutes results in uneven enforcement authority. Only the FCRA and COPPA allow the FTC to seek civil penalties for data security violations. To obtain a civil penalty for unfair or deceptive practices under the FTC Act, the agency must show that the company violated a prior administrative order.

In her remarks, Chairwoman Ramirez stressed the need for uniform national standards for data security and breach notifications, stronger civil remedies, and expanded rulemaking authority under the Administrative Procedure Act enabling the FTC to respond effectively to changes in technology.

Ramirez’s statements echoed bipartisan calls for national data security standards. Despite widespread support for such standards, proponents have not been able to amass enough votes to pass a comprehensive data security law.  

There are competing proposals in the Senate – the Personal Data Privacy and Security Act, which Sen. Patrick Leahy, D-Vt., introduced for the fifth time in January 2014, and the Data Security Act, which Sens. Tom Carper, D-Del., and Roy Blunt, R-Mo., re-introduced that same month.


Assessing Cyber Threats - The Blind Spot Between Perception and Reality

A recent survey by the Ponemon Institute entitled, “Cyber Security Incident Response: Are We as Prepared as We Think?,” suggests that many companies lack the mechanisms to meaningfully address cyber risk. Among the survey’s findings:

  • Although companies recognize that better incident response capabilities would mitigate the harm cyber attacks cause, most companies devote less than 10 percent of their security budget to incident response and this percentage has remained static over the past 24 months.
  • Most organizations do not track the time to identify and respond to incidents or the effectiveness of the response. As a result, organizations have no means to measure the actual time and costs involved in managing cyber risk.
  • Companies are overly optimistic about the time to identify intrusions and address any damage the attack caused. Many respondents estimated that attacks could be identified in hours. As breaches at Target and Verizon have shown, identifying a cyber attack can take months or even years and fixing the problem could take just as long.
  • Organizations can reduce reputational harm by promptly and credibly communicating with the public about data breaches. Yet only 23% of the companies have a public relations plan in place in the event of a security breach. 
  • Executive management and boards are seldom engaged in cyber issues and thus remain in the dark about the real nature of the threat.

A growing number of companies have recognized the need for cyber risk insurance. Yet for this market to continue to grow, perceptions about cyber threats must shift. Companies cannot appreciate the need for insurance without better understanding the actual costs involved in responding to cyber attacks.       



One Policy Term May Have Two Meanings

A California Court of Appeal held in Transport Ins. Co. v. Superior Ct. (R.R. Street & Co.) that a named insured’s reasonable expectations of coverage can be different from those of an additional insured. This ruling leaves open the possibility that the same policy language can be interpreted differently in the same lawsuit, depending upon whether the named insured or an additional insured is seeking coverage.

Transport issued an excess and umbrella commercial general liability policy to Legacy Vulcan Corp. R.R. Street & Co. was named as an additional insured by endorsement. These two companies were named as defendants in lawsuits alleging that they distributed and sold dry cleaning products that caused environmental contamination. 

A dispute arose between Transport and Legacy about the duty to defend. The dispute turned on whether the term “underlying insurance” included only the specifically scheduled policies identified in the Transport policy or all potentially applicable primary policies.

In a previously published opinion, the Court of Appeal held that the term “underlying insurance” was ambiguous in the context of the Transport policy and should be construed in accordance with Legacy’s objectively reasonable expectations.


Insurers Will Take Lead On Oil Rail Transport Safety Push

David McMahon was quoted in a Jan. 23, 2014, Law360 article, Insurers Will Take Lead On Oil Rail Transport Safety Push, about how a series of fiery derailments of trains carrying crude oil have not only led lawmakers to consider new rules, but also could push insurers to take action, forcing the oil and rail industry to improve safety to cut down on underwriting costs.

According to the article, rail transport of crude oil has grown significantly in recent years with the U.S. energy boom. Three recent crashes have highlighted safety problems: a Dec. 30, 2013, collision near Casselton, N.D.; a November derailment in rural Alabama; and a derailment in Lac-Megantic, Quebec in July. That accident set off massive blasts, destroyed part of the town and killed 47 people.

“There was a real concern about the condition of the railroad’s assets in [the] Alabama [crash]. You might see carriers put inspection requirements on their own assets before writing the coverage,” McMahon said. “The carrier doesn’t want to write coverage where the assets of the railroad are dilapidated and haven’t been maintained.”

McMahon told the publication that the crashes and the resulting push for tougher rules governing the transport of oil by rail could lead insurers to limit what they are willing to underwrite.

“You can see them saying, ‘We’re not going to give you a blank check and allow you to carry 100 tanker cars with oil. We’re going to limit it to 40 to 50 cars,’” he said. “Or there could be outright exclusions of some particular activities.”

McMahon said insurers will no doubt embrace whatever rules regulators and lawmakers enact to improve safety.

“The tighter the regulations are ... it can result in a safer environment, which insurers like,” he said. “They like things they can effectively evaluate — the safer it is, it tends to be safer to insure.”


Newly introduced Data Security Act would remove data security standards from state oversight

The Federal Government has not taken significant steps to regulate data security. For that reason, local and state officials have been taking a more aggressive role in responding to data breaches and in establishing best practices for protecting data. 

Following the well-publicized breaches involving Target and Neiman Marcus, Senators Tom Carper (D-Del.) and Roy Blunt (R-Mo.) re-introduced legislation, the “Data Security Act,” that would establish federal standards for data security and remove the issue from state oversight, with one notable exception: standards for insurance companies.

The Data Security Act would require companies to take appropriate steps to protect personal information and to notify consumers when data breaches could result in identity theft or financial losses. There would be no notification requirement if the stolen data was encrypted or otherwise unusable.

Healthcare insurers subject to HIPAA would be in compliance provided they comply with regulations promulgated under that act. 

The proposed law would preempt all state laws related to data security and notification requirements and prohibit all lawsuits in state court or under state law that relate to “any act or practice governed under the Act.” These provisions, taken together, would effectively remove data security from state oversight.

Proponents of the legislation contend that federal standards for data security are necessary because companies are subject to a multitude of local laws, which sometimes conflict. Yet even under the proposed law, there would not be a single set of standards. The bill would delegate regulatory authority to a patchwork of federal agencies to promulgate rules for the particular industry that agency oversees.

For most insurance companies, state insurance departments would retain regulatory oversight for creating data security standards. This leaves open the possibility that insurers would still have to comply with standards that vary by jurisdiction.  However, the proposed legislation would require agencies to consult with each other, to the extent possible, to develop regulations that are consistent and comparable.

The bill is in its embryonic stages and certainly would undergo significant changes if ever passed. With data breaches becoming more prevalent and larger in scope, the push for federal action in this area will only increase.

Meaning of "Mass Actions" Under CAFA clarified by SCOTUS

By James Castle and Natalie Ferrall

In one of its first decisions of the year, the United States Supreme Court unanimously held that a civil action filed solely by the State of Mississippi did not constitute a “mass action” under the Class Action Fairness Act of 2005 (“CAFA”) (Mississippi ex rel. Hood v. AU Optronics Corp.).

CAFA permits defendants in civil suits to remove “mass actions,” a statutorily defined term, from state to federal court. CAFA defines a “mass action” as “any civil action . . . in which monetary relief claims of 100 or more persons are proposed to be tried jointly on the ground that the plaintiffs’ claims involve common questions of law or fact.” 28 U.S.C. § 1332(d)(11)(B)(i).

In Hood, the State of Mississippi sued a group of LCD manufacturers in Mississippi state court, alleging violations of state law. The suit sought restitution for injuries suffered by Mississippi citizens. The defendants, the LCD manufacturers, removed the case to U.S. District Court, asserting that federal jurisdiction was appropriate under CAFA’s mass action provision. 

The District Court agreed with the defendants and found that the suit qualified as a “mass action” under CAFA because it sought recovery of restitution on behalf of more than 100 Mississippi residents. However, the District Court still remanded to state court on the ground that it fell within CAFA’s “general public” exception. 

The Fifth Circuit reversed, agreeing with the district court that the suit was a mass action but finding that the “general public” exception did not apply. The Fifth Circuit’s ruling created a split with the Fourth, Seventh, and Ninth Circuits, all of which had previously held that similar lawsuits were not “mass actions.” 

On review, and in order to alleviate the split between the Circuits, the Supreme Court unanimously held that removal was improper. The Court stated that CAFA’s “100 or more persons” condition does not include unnamed individuals who are real parties in interest to claims brought by named plaintiffs. 

Rather, a mass action must involve monetary claims brought by 100 or more named plaintiffs. Here, because the State of Mississippi was the sole named plaintiff, the Supreme Court found the lawsuit did not constitute a mass action under CAFA, and the case was therefore remanded to state court.


Permits to test driverless vehicles pass DMV regulatory speed bumps

On January 14, 2014, the California Department of Motor Vehicles (DMV) held a hearing on proposed regulations governing the testing of autonomous vehicles on public roads in California. 

An autonomous vehicle is a vehicle that is equipped with technology which allows the vehicle to be operated without the active control or monitoring of a natural person. 

SB 1298, which was enacted in 2012, directs the DMV to adopt regulations on the testing of autonomous vehicles. The DMV’s proposed regulations set forth requirements which a vehicle manufacturer would have to satisfy in order to conduct testing of autonomous vehicles on public roads. 

The requirements include the obligation that the manufacturer provide evidence of its ability to respond to a judgment for damages or injuries arising from the operation of autonomous vehicles in the amount of five million dollars. The evidence may be in the form of a policy issued by an insurer, a surety bond, or a certificate of self-insurance.

During the hearing, representatives of Volkswagen and Google voiced general support for the regulations but urged the DMV to make several revisions before adopting the regulations. None of the revisions outlined at the hearing related to the manufacturer’s obligation to provide evidence of its ability to respond to damages.    

A representative of the Association of California Insurance Companies (ACIC) objected to the provision in proposed section 227.06 which states that the manufacturer’s evidence of insurance is in addition to the requirement that the driver must provide proof of insurance. ACIC argued that the testing of an autonomous vehicle should not involve personal insurance coverage.

At the close of the hearing, the DMV counsel said that the DMV hopes to attain final adoption of the regulations by early in the summer of 2014.          

Documents of note:


Title Insurance

Barger & Wolen's James Hazlehurst recently updated Chapter 39 of the California Insurance Law & Practice, Title Insurance.

The chapter features many new practice tips on such diverse matters as:

  • Filing for litigation despite the equitable tolling rule;
  • Tolling agreements;
  • The notice-prejudice rule;
  • Quiet title actions;
  • The trigger of tripartite relationships;
  • The attorney-client privilege;
  • Attorney claims adjusters;
  • Informal representations about the status of title;
  • Bad faith actions;
  • Undisclosed liens or encumbrances;
  • Failure to file an amended title report;
  • Posting collateral for an indemnification agreement;
  • Access to property rights and the title report;
  • Equitable subrogation; and
  • "Hand-crafted" endorsements.


Homeowners and Related Policies

Barger & Wolen recently updated Chapter 36 of the California Insurance Law & Practice, Homeowners and Related Policies.

The chapter revisions include:

  • Trigger of coverage rules;
  • Triggering first-party coverage vs. third-party coverage;
  • Continuing or progressive damage issues;
  • The known loss rule;
  • Rescission of the policy;
  • The Residential Property Insurance Bill of Rights; and,
  • Personal property coverage and exclusions.

In addition, there are 28 new practice tips covering a wide range of issues attorneys may confront in regard to homeowners insurance and reports of several court decisions on point.