BA Section of Litigation 2012 Insurance Coverage Litigation Committee

Women In Insurance Networking Workshop,

October 18, 2012:
Cloud Cover: Insuring Technology & Cyberliability Risks Key Cases

Cloud Cover: Insuring Technology &

Cyberliability Risks Key Cases

Nancy D. Adams
Mintz Levin PC
Boston, MA
Mary E. McCutcheon
Farella Braun & Martel LLP
San Francisco, CA
Stacey L. McGraw
Troutman Sanders LLP
Washington D.C.

CLOUD COVER: INSURING TECHNOLOGY& CYBERLIABILITY RISKS

KEY CASES
I.

Cyber Liability Cases Involving General Liability Policies

Connecticut
Recall Total Info. Mgmt., Inc. v. Fed. Ins. Co., No. X07CV095031734S, 2012 Conn. Super. LEXIS
227 (Conn. Super. Ct. Jan. 17, 2012)
The insured, who had contracted with IBM to provide distribution services, sought coverage under its
general liability and umbrella policies when an IBM cart holding computer data tapes fell out of a
transport van on a highway ramp and was taken by an unknown third person. The tapes contained
personal data for more than five hundred thousand IBM employees. The insured claimed that when
the tapes were stolen, both property damage and publication had occurred, and that the claims made by

IBM were covered under its policies. The court rejected these arguments, noting that IBM did not
seek damages for the tapes or the cart, but had rather made claims for the loss of electronic data, which
could not be construed as damage to tangible property as required by the definition of property in the
policies. Further, the court held that there was no publication, as publication requires evidence of
communication to a third party, which was not present in the case.
Louisiana
Union Pump Co. v. Centrifugal Tech., Inc., No. 05-0287, 2009 U.S. Dist. LEXIS 86352 (W.D. La.
Sept. 18, 2009)
In this case, the court found that there was no coverage under the insureds commercial general
liability policy for litigation involving claims that the insured had wrongfully used and then destroyed
electronic data which included plaintiffs design drawings, autocad drawings, and pump models. As
to coverage for property damage, the court found that electronic data failed to meet the definition of
tangible property as required by the policy and that further, coverage only applied to property
damage in the event of an occurrence. Since plaintiffs claims all involved allegations of intentional
acts, they were excluded under the intentional act exclusion. With respect to personal and advertising
injury, the court found that no evidence was presented that the insured had engaged in any act of
advertisement that would be consistent with the policy.
Minnesota
Eyeblaster, Inc. v. Fed. Ins. Co., 613 F.3d 797 (8th Cir. 2010)
The insured, an online marketing campaign management company engaging in rich media advertising,
was sued by an individual who alleged that the online advertising caused his computer to be infected
with a spyware program which severely impaired the function of his computer, resulting in data loss,
numerous pop-up ads, a hijacked browser, and frequent error messages. The insurer denied coverage
under the general liability policy because the complaint did not assert claims for bodily injury or
property damage to tangible property caused by an accident or occurrence as required by the policy.
The insurer also denied coverage under a technology E&O policy, claiming that the plaintiff in the
underlying action had failed to allege that the insured had committed a wrongful act (defined in the
policy as an error, unintentional omission, or a negligent act) in connection with a product failure or in
failing to perform service. The court found that the action was covered both under both policies. With
the regard to the general liability policy, the court found that while damage to software would not have
been covered under the policy, the loss of use of the computer, which was tangible property, was
sufficient. Further, under the E&O policy, the court found that error in a technology E&O policy
to include intentional, non-negligent acts but to exclude intentional wrongful conduct, which
encompassed the insureds actions.
II.

Cyber Liability Cases Involving E&O Or D&O Policies

Delaware
United Westlabs, Inc. v. Greenwich Ins. Co., No. 09C-12-048 MMJ, 2011 Del. Super. LEXIS 261
(Del. Super., June 13, 2011), affd No. 337, 2011, 2012 Del. LEXIS 130 (Feb. 28, 2012)
Under a policy covering liability for cyber and technology activities, coverage was barred for an action
filed against the insured during the policy period because the wrongful acts alleged were part of a
continuous series of related acts that had been alleged in an action filed before the policy inception.
Massachusetts
New Fed Mortg. Corp. v. Natl Union Fire Ins. Co. of Pittsburgh, PA, 543 F.3d 7 (1st Cir. 2008)
A residential mortgage originator sought to compel the insurer to provide coverage and defense costs
under its E&O policy after an employee of the insured falsified electronic credit reports in several

mortgage applications. The court held that the insurer had no duty to defend because the underlying
litigation involved allegations of intentional misconduct that were plainly excluded from coverage.
Minnesota
St. Paul Fire and Marine Ins. Co. v. Compaq Computer Corp., 539 F.3d 809 (8th Cir. 2008)
Applying Texas law, the Eight Circuit found that the insurer had a duty to defend under a technology
E&O policy because the allegations in the underlying litigation included conduct falling within the
policys definition of error. Specifically, the plaintiffs alleged the insured engaged in the
unintentional incorrect act of selling defective computers. As the act was alleged to be unintentional
rather than intentional, the claims fell within the scope of the policy.
New Jersey
Vonage Holdings Corp. v. Hartford Fire Ins. Co., Civ No. 11-6187, 2012 U.S. Dist. LEXIS 44401
(D.N.J. Mar. 28, 2012)
The insured sought coverage under a cyber liability policy after a group of computer hackers accessed
the insureds servers and used them to route calls to Cuba through one of the insureds
telecommunications partners. The policy provided coverage for damage to money, securities, and
other property following and directly related to the use of any computer to fraudulently cause a
transfer [to a person or place outside the premises]. The insurer sought to dismiss the insureds
action, claiming that the insured had not alleged that tangible property directly related to the use of a
computer was transferred outside the premises and that the insured had failed to allege loss of or
loss from damage to tangible property. The court denied the insurers motion to dismiss, finding
that the policy language was ambiguous and that defendants reading of the provision was reasonable.
The case is pending.
New York
Tagged, Inc. v. Scottsdale Ins. Co., No. JFM-11-127, 2011 U.S. Dist. LEXIS 75262 (S.D.N.Y. May
27, 2011)
Under California law, the court held that a directors and officers policy issued to a social networking
website excluded coverage for a claim alleging that the websites management falsely represented the
content protections for children because the allegations involved the professional service of regulating
the content of the website.

III.

Cyber Liability Case Involving A Crime Policy

Ohio
DSW Inc. v. National Union Fire Ins. Co. of Pittsburgh, Pa., Case No. 10-4576/5608 (Aug.
23, 2012).
The U.S. Court of Appeals for the Sixth Circuit recently addressed an exclusion for loss
caused by the theft of confidential information. The court found that there was coverage for
first-party and third-party losses arising from the theft of customer credit card information by
hackers under a crime policys computer fraud endorsement. The Sixth Circuit found that the
crime policy at issue covered third-party liability losses even though the insuring agreement
limited coverage to loss resulting directly from the theft of any Insured property by
Computer Fraud. The Sixth Circuit also refused to apply an exclusion barring coverage for
any loss of proprietary information, Trade Secrets, Confidential Processing Methods or other
confidential information of any kind. The court reasoned that, while credit card information

might be considered confidential in some circumstances, it could not have been the type of
confidential information envisioned by the exclusion. Otherwise, the exclusion would vitiate
the coverage that the policy promised to provide.
IV.

Pending Cyber Liability Cases In The News

Arch Ins. Co. v. Michaels Stores Inc., 1:12-cv-00786 (N.D. Ill. filed Feb. 23, 2012)
Arch brought suit seeking a declaration that it is not required to indemnify or defend Michaels under a
general liability policy in connection with a recent security breach where criminals known as
skimmers tampered with PIN pad terminals in Michaels stores, using them to steal customers
financial information and obtain access to their bank accounts. Arch asserts that none of the
underlying suits allege property damage, bodily injury, or advertising injury, as required by the
policies. Moreover, Arch contends that the electronic data and breach of contract exclusions in the
policies apply.
Zurich Am. Ins. v. Sony Corp. of Am., No. 651982/2011 (N.Y. Sup. Ct. filed July 20, 2011)
In April 2011, hackers accessed data for one hundred million Sony PlayStation users and as a result,
Sony was sued in sixty actions across the United States. Zurich brought suit seeking a declaratory
judgment, claiming that it has no duty to defend or indemnify Sony against customer class actions and
related matters. Sony purchased primary commercial general liability and excess liability policies
from Zurich. Zurich asserts that the lawsuits arising out of the cyber attacks are not covered by the
"bodily injury," "property damage" and "personal and advertising injury" coverage provided by its
liability policies.