A construction funds administration company (“CFA”) was the victim of a social engineering scheme in which, following receipt of transfer instructions it did not realize were fraudulent, the CFA transferred money to a Hong Kong company. The company was not previously listed in the fund operating agreement, nor did it meet the other criteria established for distribution of funds, and the CFA neither documented nor verified the request. The fraud was eventually discovered when there were insufficient funds in the account to make other valid distributions, and it was subsequently determined to be the result of a threat actor hacking an employee’s email account. Prior to notifying its insurer of the loss, the CFA borrowed money to replace the misdirected funds and avoid defaulting on payments to valid subcontractors and suppliers.
The CFA thereafter tendered notice under its professional liability insurance policy for the full amount of the transfer, but the insurer denied the claim. Asserting that the improperly transferred funds arose from a fraudulent email stream, the insurer concluded the claim was excluded pursuant to the policy’s “Unauthorized Network Access Exclusion.” The exclusion precluded coverage for any claim “based upon, arising from or in consequence of any unauthorized or exceeded authorized access to, use of or alteration of, any computer program, software, computer, computer system or any input, output, processing, storage and communication devices that can be connected thereto.” Coverage litigation ensued.
Finding in favor of the insurer, the court held that the breach exclusion applied, rejecting the CFA’s argument that the failure to verify the account was the proximate cause of the fraudulent transfer. According to the court, the exclusionary language at issue “clearly contemplates losses precipitated by social engineering events such as hacking.” Significantly, the court noted that rather than limiting the breach exclusion’s application to injuries “arising out of” unauthorized access, the exclusion more broadly precluded coverage for injuries “based upon, arising from or in consequence of any unauthorized or exceeded authorized access to” any computer program or network.
The court further held that even if the breach exclusion did not apply, the CFA failed to notify its insurer of the loss before settling the claim. The policy’s notification provisions stated that the insurer “shall not be liable for any settlement, Defense Cost, assumed obligation or admission to which it has not given its prior written consent.” When the CFA failed to notify its insurer of the claim prior to its resolution, “it materially prejudiced [the insurer]’s ability to assert any defenses,” the court found, further concluding that since the insurer “did not give its written consent to [the CFA]’s unilateral resolution of the hacking issue,” the CFA could not obtain indemnification under the policy.
Social engineering, invoice manipulation, and fraudulent wire instructions and transfers have become increasingly frequent. As a result, insurers are narrowing coverage triggers to manage “silent cyber” losses in policies that were not expressly designed for that purpose. Continued uncertainty around the interpretation of professional liability, crime, and other such policies underscores the need for dedicated cyber insurance to unambiguously cover events like that in the case at hand.
The owners of the gas station alleged negligence by the pipeline in the maintenance of its computer system, thereby leaving it vulnerable to the cyberattack and resulting in fuel shortages and a sharp decrease in sales. The pipeline company argued it owed no duty to continually provide service to the retailer. Even if a duty were owed, the company argued the retailer could not make out a claim of negligence because its losses were strictly economic in nature.
Applying Georgia law, the court agreed with the pipeline company, concluding that no such duty existed and the state’s “economic loss rule” precluded tort claims by businesses suffering purely financial harm. The court ruled that the only recourse for the retailer was a claim sounding in contract.
The court’s decision was the only reasonable outcome here. Lost profitability from a supply chain disruption is a matter to be resolved between contracting parties. To rule otherwise could have led to a flood of litigation, resulting in dire consequences for the cyber insurance marketplace.
This included acts alleged to have taken place prior to the policy’s “retroactive date,” which is the earliest date on which a wrongful act can occur and still trigger coverage under a claims-made policy.
In denying coverage, the insurer asserted that all of the infringements alleged in the complaint formed a series of interrelated wrongful acts, and that based upon the date of the earliest act, the duty to defend was not triggered. In response, the insured contended that the alleged infringements involved different products, purchased at different times from different sources and by different employees, and sold to different customers.
In ruling for the insured, the court noted that the duty to defend is inherently broad, and the record in the case had not yet developed to the point where the court could determine definitively that all of the alleged infringements were interrelated. If even one wrongful act, the court reasoned, was not interrelated to those preceding the retroactive date, the insurer had a duty to defend the entire claim.
Insureds should not simply acquiesce to an insurer’s assertion that all wrongful acts are interrelated. The court also noted that trademark infringement is a “strict liability” tort, so knowledge of the infringement, while perhaps instructive as to damages, had no bearing on the insurer’s duty to defend.
While attempting to update its database of gun owners and permit applicants, the state’s Department of Justice released a spreadsheet containing more than ten years of personal information on California residents, including names, dates of birth, addresses, race, gender, driver’s license numbers, and even criminal records. The disclosed information did not include social security numbers or financial data, and the spreadsheet was taken down in less than 24 hours.
In a statement, the Office of the Attorney General acknowledged that personal information had been disclosed, including “internal codes corresponding to the statutory reason that a person is prohibited from possessing a firearm.” Attorney General Rob Bonta has launched an investigation and promised what he called “strong corrective measures where necessary.” The state is now offering free credit monitoring to impacted individuals and is recommending that residents consider placing a credit freeze and fraud alert on their credit reports.
Apart from the irony that the Office of the Attorney General is charged with enforcing California’s privacy regulations, considered the strictest in the nation, this incident underscores the fact that public entities possess a treasure trove of personal information. These agencies need to adopt the same level of cyber hygiene that private businesses have begun implementing in recent years.