Cyberinsurance Update 2019: Misdirection Abounds
This year saw courts consider the scope of cyberinsurance coverage for claims involving the hacking of emails and the manipulation of search terms in online advertising.
November 26, 2019 at 02:00 PM
8 minute read
The use of fraudulent email communications to defraud companies is becoming all too common, and courts have reached differing conclusions on whether such losses fall within the scope of policies providing coverage for cybercrimes. Recently, the District of New Jersey became the latest court to weigh in on this question.
In addition, the Western District of Washington recently questioned whether cyberliability coverage extends to claims arising out of a policyholder's use of online advertising that infringes on a competitor's trademark in order to misdirect potential customers.
|Coverage for Computer Fraud and Fraudulently Induced Transfers
In April 2019, Judge Esther Salas, in the District of New Jersey, addressed an insurer's motion to dismiss an action seeking insurance coverage under a crime policy for two payments totaling $967,714.29 that were intercepted by a cybercriminal. The Children's Place v. Great Am. Ins. Co., No. 2:18-cv-11963 (D.N.J. Apr. 25, 2019). In that case, The Children's Place, an international retailer of children's apparel based in New Jersey, sought coverage from its insurer, Great American Insurance Company, for payments that it inadvertently made to a cybercriminal posing as one of its suppliers. The Children's Place alleged that the cybercriminal obtained the payments by using email domain names that were virtually identical to that of the supplier to intercept emails and "insert[] itself into the [email] conversation making it appear that the previously legitimate conversation was being continued." The Children's Place also alleged that the cybercriminal obtained its vendor setup form and the supplier's letterhead and used them to provide The Children's Place with payment instructions that surreptitiously directed payments to the cybercriminal's own bank account.
The Great American crime policy provided coverage for "Computer Fraud," defined to include "the use of any computer … to gain direct access to your computer system … and thereby fraudulently cause the transfer of money, securities or other property." The policy also included an endorsement providing coverage for "Fraudulently Induced Transfer," which was defined to include a payment "made in good faith reliance upon … instruction … from a person purporting to be an Employee, your customer, a Vendor or an Owner establishing or changing the method, destination or account for payments." The policy included a condition precedent stating that a "Fraudulently Induced Transfer" would be covered only if, prior to issuing the payment, the policyholder "verified the authenticity and accuracy of the instruction received … by calling, at a predetermined telephone number, the Employee, customer, Vendor or Owner who purportedly transmitted the instruction."
Great American took the position that the payments were not covered losses under the policy's definition of "Computer Fraud" because there was no allegation that the cybercriminal gained direct access to a computer system belonging to The Children's Place. Judge Salas rejected that argument, finding that the allegations that the cybercriminal intercepted emails and inserted himself into an email conversation, along with an allegation that this allowed him to "effectively gain[] access to [The Children's Place's] email system," were sufficient to create a factual issue as to whether the loss arose from an infiltration of a computer system. The court cited to case law from the Second Circuit, Medidata Solutions v. Federal Insurance Company, 268 F. Supp. 3d 471 (S.D.N.Y. 2017), aff'd, 729 App'x 117 (2d Cir. 2018), for the proposition that the transmission of an email that disguises its true sender could qualify as gaining access to an email system. The court also rejected the insurer's argument that fraudulent emails could not be said to be the direct cause of a loss that involved the voluntary transfer of funds, holding that the allegations of the complaint were sufficient to permit a jury to decide the issue of causation. Accordingly, the court denied Great American's motion to dismiss the complaint in so far as it sought coverage for "Computer Fraud."
Turning to the endorsement providing coverage for "Fraudulently Induced Transfer," the court addressed the argument by The Children's Place that a condition precedent requiring a policyholder to "verif[y] the authenticity and accuracy of … instruction[s]" before making a payment would render coverage illusory. The Children's Place argued that, if instructions were verified, no loss would ever occur. The court agreed that interpreting the condition precedent to require actual verification would render the coverage illusory. However, rather than hold the condition precedent void, as The Children's Place urged, the court held that the provision had to be interpreted to mean that the policyholder had to "attempt to verify" payment instructions. As it appeared that The Children's Place had failed to make such effort, the claim for coverage was dismissed to the extent it sought coverage under the "Fraudulently Induced Transfer" endorsement. The case remains pending with discovery ongoing.
The court's decision in The Children's Place shows that parties must carefully examine the terms of cyberinsurance policies and consider the particular facts of each claim for coverage under those policies. It also suggests that provisions requiring policyholders to take precautionary measures cannot impose conditions that render coverage illusory, while teaching that policyholders ignore such conditions at their own peril.
|Coverage for "AdWord" Infringement
In a decision issued in September 2019 in Mid-Century Insurance Company v. Hunt's Plumbing & Mechanical, No. 19-cv-0285 (W.D. Wash. Sept. 17, 2019), a federal district court raised the possibility that an insurance policy providing "Cyber Liability and Data Breach Response Coverage" covers liability arising from what could be called "AdWord" hijacking or "AdWord" infringement. Such claims arise when a company purchases rights from an online advertising service, such as Google's "AdWords," to use another company's trademark or tradename to direct traffic to its own website. The New Jersey Law Journal has reported on similar claims involving a law firm's trademark infringement suit against another firm accused of using Google's AdWords service to misdirect potential clients to that other firm's website. Charles Toutant, "Suit Accuses Law Firm of Hijacking Competitor's Prospective Clients Via Sponsored Searches," New Jersey Law Journal (June 26, 2018).
In Mid-Century, Hunt's Plumbing, a plumbing company located in Tacoma, Washington, sought coverage from its insurer for a local competitor's claims alleging that it manipulated Google AdWords to misdirect the competitor's customers to its own website. According to the competitor's complaint, individuals who used Google to search for the name of the competitor's business, "Beacon Plumbing," would see a text advertisement displaying the phrase "Beacon Plumbing Save On Energy Bills. Call Now." Those who clicked on the text advertisement were directed to the website for Hunt's Plumbing. Beacon's lawsuit against Hunt's Plumbing asserted claims for trademark infringement, tortious interference, and violation of a state consumer protection act.
Hunt's Plumbing sought coverage for Beacon's claims under its business owner's policy with Mid-Century Insurance Company, which in turn filed a declaratory judgment action seeking a declaration that there was no coverage for the AdWord-manipulation suit. Mid-Century sought summary judgment on the issue of coverage. The court granted Mid-Century summary judgment with respect to the policy's traditional lines of coverage, including coverage for personal and advertising injury. However, the court found that neither party sufficiently addressed whether coverage existed under the cyberliability portion of the policy, finding that the cyberliability "coverage form specifically lists '[i]nfringement of … trademark … [or] metatags' and '[i]mproper deep-linking' as covered acts." (Modifications and omissions in original.)
The court in Mid-Century directed the parties to file briefs addressing whether the claims against Hunt's Plumbing are covered under the cyberliability portion of its policy. Shortly thereafter, the parties reached a settlement, leaving open the question of whether there is cybercoverage for AdWord-manipulation claims. The extent of such coverage will need to be addressed in the future.
Cyberrisk is a threat to entities big and small. As more businesses obtain cyber-specific coverage, courts will be called on to determine the extent to which such coverage applies to deceitful conduct used to defraud policyholders and to a policyholder's own deceptive conduct.
Joseph J. Schiavone is a member of Saiber in Florham Park, and a senior member in the firm's insurance and reinsurance practice group. Robert P. Vacchiano is an associate in the insurance and reinsurance practice group. Lori J. Zeglarski is a senior associate in the firm's litigation group where she handles complex insurance and reinsurance matters.
|This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllAmid Growing Litigation Volume, Don't Expect UnitedHealthcare to Change Its Stripes After CEO's Killing
6 minute readJudge Approves $667K Settlement Against Independence Blue Cross for Unpaid, Pre-Shift Computer Work
4 minute readTurning the Tables: Defense Litigators Embrace Lawsuits, Alleging Fraud at Plaintiffs Shops
6 minute readLaw Firms Mentioned
Trending Stories
- 1Decision of the Day: Administrative Court Finds Prevailing Wage Law Applies to Workers Who Cleaned NYC Subways During Pandemic
- 2Trailblazing Broward Judge Retires; Legacy Includes Bush v. Gore
- 3Federal Judge Named in Lawsuit Over Underage Drinking Party at His California Home
- 4'Almost an Arms Race': California Law Firms Scooped Up Lateral Talent by the Handful in 2024
- 5Pittsburgh Judge Rules Loan Company's Online Arbitration Agreement Unenforceable
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250