CYBER CORNER

WAR EXCLUSION IN “ALL RISKS” PROPERTY POLICY INAPPLICABLE TO CYBER LOSS

Merck & Co. Inc., et al. v. ACE Am. Ins. Co., et al., No. UNN-L-2682-18 (N.J. Super. Ct. Jan. 13, 2022)

This matter arose after a pharmaceutical company was the victim of a cyberattack in which its computer systems were infected by malware, causing more than $1.4 billion in damage.

The company sought coverage for its losses under a property policy intended to cover “all risks,” including the destruction or corruption of computer data or software; however, the insurers argued that an exclusion for “Hostile/Warlike Action” precluded coverage. The company maintained that attribution to a nation-state had not been proven, and that in any event, the war exclusion did not apply to this type of action.

In ruling for the pharmaceutical company, the court looked to the “plain meaning” of the exclusion. According to the judge, the company had a reasonable expectation that the exclusion would apply “only to traditional forms of warfare.” Moreover, despite their awareness that cyberattacks were becoming increasingly common, “the Insurers did nothing to change the language of the exemption to reasonably put the Insured on notice that it intended to exclude cyberattacks,” the judge noted, finding that the war exclusion applied only to a physical act of warfare, not a malware hack.

The Takeaway

While welcome news for this particular insured, the decision of a state trial court judge is hardly precedent-setting; other courts may rule differently, and other policies may contain stronger exclusionary wording. In any event, underwriters can be expected to revisit existing language in light of this decision.

HEALTH INSURER SCORES TEMPORARY VICTORY IN DATA BREACH CASE

In re: Horizon Healthcare Servs., Inc. Data Breach Litig., No. 2:13-CV-07418 (D.N.J. Dec. 21, 2021)

A federal judge recently dismissed a lawsuit seeking class action status, which arose out of the theft of two company computers from a health insurer’s headquarters several years previously, and the insurer’s subsequent notice to plan members that personally identifiable information may have been compromised as a result. The suit claimed that the insurer violated the privacy of over 800,000 policyholders and that the personal data of its members was put at risk.

The judge ruled that the health insurer was not subject to the Fair Credit Reporting Act (“FCRA”), as the plaintiffs alleged, because the company did not operate as a “credit reporting agency” and the theft of the laptops involved no voluntary disclosure of data by the insurer. The plaintiffs asserted allegations under both state and federal law, but without a viable claim under the FCRA, the judge declined to exercise jurisdiction over the state law claims, at least for the time being. Should the plaintiffs make out a claim under a federal statute, the judge indicated a willingness to reconsider her decision.