WannaCry Ransomware and Legal Fault

The WannaCry Ransomware attack has spread throughout the world over the past week.  Fingers are pointing at Microsoft for the vulnerability in earlier versions of Windows, at the NSA for creating the leaked exploit, and at North Korea for allegedly perpetrating the attack.  There is blame to go around, but if we were to assess comparative fault the victim is also substantially to blame, for at least two reasons, one obvious and one less obvious:

First, the obvious reason:  the attack affected older versions of Windows, including Windows XP, which has not been supported by Microsoft since 2014.  However frustrating Microsoft’s update and support cycle might seem, and whatever transaction and opportunity costs are involved in switching an organization to a newer OS, it is negligent to continue using an outdated, unpatchable OS.

Second, the less obvious reason:  the attack exploited Port 445, a networking port used by those older versions of Windows for peer-to-peer connections with printers and the like.  A basic component of any cybersecurity compliance program — in addition to using updated, patched software — is to conduct regular port audit scans and to configure firewalls to block unnecessary ports.  Given the low cost of this kind of precaution, failure to conduct port audits is almost certainly negligence.
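The port audit recommended above can be scripted against an organization's own scan results. The following Python script is an added example, not part of the original post: it parses nmap's grepable (`-oG`) output for the hosts an administrator has scanned, compares each host's open TCP ports against an explicit per-host allowlist, and calls out hosts exposing SMB (TCP 445 and 139, the ports WannaCry's SMB exploit reached) where policy does not permit it. The scan lines, hostnames, addresses and policy table are constructed for illustration.

```python
"""Port-audit helper: compare nmap -oG results against an explicit allowlist.

Added example. SAMPLE_SCAN and POLICY below are constructed, not real hosts.
"""
import re
from dataclasses import dataclass

# Constructed sample in nmap grepable (-oG) format; the fields per port are
# port/state/protocol/owner/service/rpc-info/version/.
SAMPLE_SCAN = """\
# Nmap 7.80 scan initiated (constructed sample)
Host: 10.0.0.5 (fileserver.example.internal)\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (997)
Host: 10.0.0.7 (web.example.internal)\tPorts: 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (998)
Host: 10.0.0.9 (legacy-xp.example.internal)\tPorts: 135/open/tcp//msrpc///, 445/open/tcp//microsoft-ds///\tIgnored State: filtered (998)
# Nmap done
"""

# Constructed policy: which TCP ports each named host is allowed to expose.
# Hosts absent from the table fall back to DEFAULT_ALLOWED (nothing).
POLICY = {
    "fileserver.example.internal": {445, 139},  # SMB permitted only here
    "web.example.internal": {80, 443},
}
DEFAULT_ALLOWED = frozenset()

SMB_PORTS = {445, 139}

# "Host: <ip> (<name>)\tPorts: <entries>[\tIgnored State: ...]"
HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\tPorts: (.*?)(?:\tIgnored State.*)?$")


@dataclass
class HostResult:
    ip: str
    name: str
    open_ports: set
    violations: set  # open TCP ports not permitted by policy


def parse_grepable(text):
    """Return {ip: (name, {open TCP ports})} from nmap -oG output."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and hosts with no port summary
        ip, name, ports_field = m.groups()
        open_ports = set()
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 3:
                continue
            port, state, proto = fields[0], fields[1], fields[2]
            if state == "open" and proto == "tcp":
                open_ports.add(int(port))
        hosts[ip] = (name, open_ports)
    return hosts


def audit(scan_text, policy, default_allowed=DEFAULT_ALLOWED):
    """Compare every scanned host against the allowlist; return HostResults."""
    results = []
    for ip, (name, open_ports) in parse_grepable(scan_text).items():
        allowed = policy.get(name, default_allowed)
        results.append(HostResult(ip, name, open_ports, open_ports - allowed))
    return results


def smb_exposures(results):
    """IPs exposing SMB ports that policy does not permit, sorted."""
    return sorted(r.ip for r in results if r.violations & SMB_PORTS)


if __name__ == "__main__":
    findings = audit(SAMPLE_SCAN, POLICY)
    for r in findings:
        status = "OK" if not r.violations else f"VIOLATION {sorted(r.violations)}"
        print(f"{r.ip:<12} {r.name:<32} open={sorted(r.open_ports)} {status}")
    print("Unpermitted SMB exposure on:", smb_exposures(findings))
```

The policy is keyed by hostname so that a file server can legitimately expose SMB while every other host is held to an empty default; a host missing from the table is treated as having no business exposing anything, which surfaces forgotten or unmanaged machines rather than silently passing them. Running the audit on a schedule and diffing the violation list against the last run gives the "regular port audit" the post describes.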


Managing Cyber Risk: Insurance and Coverage Cases

The scope of the risk and uncertainty involved in data breaches and other cybersecurity incidents suggests that insurance should play a key role in any organization’s risk management strategy. The specialty cyber risk insurance market is rapidly developing, although not yet mature. Among other ambiguities, there is relatively little case law interpreting either traditional or specialty liability policies in connection with cyber liability claims.

The question of how courts will decide cyber insurance litigation became front page business news when a case stemming from the massive Sony Playstation data breach was decided by a New York trial court. Zurich American Insurance v. Sony Corp. of America, No. 651982/2011 (N.Y. Sup. Ct. 2014). The court held that Sony had no coverage for its data breach-related losses under a standard form of Comprehensive General Liability (CGL) policy. In a bench ruling, the court found that there was no “publication” of the data because Sony had tried to keep it secure and it was disclosed only because of the criminal activity of hackers. Sony filed an appeal, but the case settled after appellate arguments.

In another example under a traditional policy, Recall Total Information Management, Inc. v Federal Insurance Co., 83 A.3d 664, 147 Conn. App. 450 (2014), aff’d, 115 A.3d 458, 317 Conn. 46 (2015), a cart full of computer backup tapes containing employee information fell out of a van used by a subcontractor of a records storage company. Some of the tapes were taken by an unknown person and were never recovered. The subcontractor’s insurance policy defined covered “personal injury” to include “injury, other than bodily injury property damage, or advertising injury, caused by an offense of . . . electronic, oral, written or other publication . . . of material that . . . violates a person’s right to privacy.” Id. at 672, 147 Conn. App. at 462. As in the Sony case, the court held that the information on the tapes had not been subject to “publication” because there was no evidence that any third party had actually accessed the information. In addition, the court held that losses relating to notification costs under state data breach notification statutes did not comprise the sort of “injury” covered by the policy. The court therefore granted summary judgment in favor of the insurer. Id. at 671-73, 147 Conn. App. at 461-65.

Not every case, however, has been decided in favor of the insurer. A good example of a case involving a traditional liability policy in which the insured prevailed is Travelers Indemnity Co v. Portal Healthcare Solutions, LLC, 35 F. Supp. 3d 765 (E.D. Va. 2014). The policy in this case obligated Travelers to cover losses from damages arising from “electronic publication” of material that “gives unreasonable publicity to” or “discloses information about” a person’s “private life.” Id. at 767. Portal Healthcare provided electronic medical records services to Glen Falls Hospital. Due to an unspecified error, which did not seem to involve hacking, two patients of Glen Falls who searched their own names on Google discovered that their medical records came up as the first search result. Id. at 768. The court held that the records were subject to “publication” because they were made available over the Internet, even though their availability was unintentional and even though there was no evidence they had been accessed by any member of the general public. The court also found that this constituted unreasonable publicity and disclosure as those terms were used in the policies. Therefore, the court granted summary judgment in favor of the insured. Id. at 771-72.

There will undoubtedly continue to be claims and litigation over traditional policies for some time. However, the Insurance Services Office’s (“ISO”) standard commercial general liability (“CGL”) policy forms were changed by ISO in 2013 and 2014 to limit and exclude coverage for privacy and data breach claims. See CG 24 13 04 13 (2012) (limiting personal and advertising injury liability); CG 21 06 05 14 – Exclusion for Access or Disclosure of Confidential or Personal Information and Data-Related Liability – With Bodily Injury Exception; CG 21 07 05 14 – Exclusion for Access or Disclosure of Confidential or Personal Information and Data-Related Liability – Limited Bodily Injury Exception Not Included; CG 21 08 05 14 – Exclusion for Access or Disclosure of Confidential or Personal Information (Coverage B Only).

The specialty cyber risk market will therefore become increasingly important. Cases are just beginning to arise under these specialty policies.  A recent case in federal district court in Utah has been described as the first coverage case involving a cyber risk coverage form. See Travelers v. Federal Recovery Services, Inc., 103 F. Supp.1297 (D. Utah 2015). The relevant form was a Travelers “Cyberfirst Policy” with a “Technology Errors and Omissions Liability Form” which provided coverage for an “errors and omissions wrongful act.” Id. at 1298. “Errors and omissions wrongful act” was defined in the policy as “any error, omission, or negligent act.” Id. at 1298-99.

Federal Recovery Acceptance (“FRA”), a data storage, processing, and backup company, had a services contract to handle a client’s customer account data. The client was being acquired by another company and requested return of its client data. FRA allegedly withheld the data and demanded a ransom payment beyond that allowed under its contract. The client sued FRA and related defendants for tortious interference, promissory estoppel, conversion, breach of contract, and breach of the implied covenant of good faith and fair dealing. FRA and the related defendants tendered the defense to Travelers, which filed an action for declaratory relief and accepted the tender under a full reservation of rights. Id. at 1299-1300.

The court held that Travelers did not have a duty to defend because “none of Global’s allegations involve errors, omissions, or negligence.” Id. at 1302. Instead, FRA was allegedly intentionally withholding the data.

Another case involving a specialty cyber risk policy was recently filed in federal court in California. Columbia Casualty Co. v. Cottage Health System, No. 2:15-cv-03432 (C.D. Cal.). Columbia had issued a “NetProtect 360” policy to Cottage Health. See Complaint for Declaratory Judgement and Reimbursement of Defense and Settlement Payments (“Complaint”), Columbia Casualty Co. v. Cottage Health System, Case No. 2:15-cv-03432 (C.D. Cal. May 7, 2015), 2015 WL 2201797. The policy covered losses for “privacy injury” and “privacy regulation proceedings.” However, the policy contained an exclusion for “failure to follow minimum required practices.” The exclusion stated that Columbia is not liable for any loss “based upon, directly or indirectly arising out of, or in any way involving . . . any failure of an Insured to continuously implement the procedures and risk controls identified in the Insured’s application for this insurance and all related information submitted to the Insurer in conjunction with such application . . . .” Complaint, ¶ 26. As part of its application for the policy, Cottage Health had submitted a “Risk Control Assessment,” which required it to respond to questions about security patches, threat assessment, audits of third party vendors, and other cybersecurity practices. Id., ¶ 29.

Cottage Health System’s electronic medical records provider allegedly failed to secure a server with encryption, resulting in the exposure of approximately 32,500 patient records. Cottage Health was named in a class action under California’s Confidentiality of Medical Information Act, Cal. Civil Code § 56 et seq., and ultimately agreed to a $4.124 million class settlement. Cottage Health also faced an investigation by the California Department of Justice. Columbia agreed to fund the settlement under a reservation of rights. Complaint, ¶¶ 15-22. The Complaint alleged, on information and belief, that Cottage Health provided false responses to the security-related questions in the application, and that as a result, Columbia had no liability under the Policy. Complaint, ¶¶ 30, 39-58.

Columbia’s Complaint was dismissed without prejudice pending the completion of an alternative dispute resolution procedure agreed to by the parties. See Order Granting Motion to Dismiss, Columbia Cas. Co. v. Cottage Health Sys., 2015 WL 4497730 (C.D. Cal. July 17, 2015). Nevertheless, the initiation of this proceeding by Columbia signaled that issuers of cyber risk policies may be willing to test insureds’ compliance with required security programs in court.

If there is a pattern in these cases, it may be that – not surprisingly – insurers will contest coverage for a variety of reasons under both traditional CGL and specialty cyber policies. Indeed, a number of very recently filed coverage cases confirm this intuition. See, e.g., New Hotel Monteleone, LLC v. Certain Underwriters at Lloyd’s of London, No. 15-11711, 2015 WL 9608250 (Orleans Parish, LA, December 10, 2015) (coverage claim arising from hacking incident resulting in stolen payment card information); Certain Underwriters at Lloyd’s of London v. Wunderland Group, LLC, No. 2015-CH-18139, 2015 WL 9608250 (Cook County, Ill., December 15, 2015) (coverage claims relating to insider attack / trade secret misappropriation); Ameriforge Group, Inc. v. Federal Ins. Co., No. 2016-00197, 2016 WL 1366311 (Harris County Tex. January 4, 2016) (coverage claims relating to phishing attack). Even specialty policies may not cover risks such as cyber-extortion by a vendor, or they may require the insured to implement a rigorous cyber hygiene program. The precise language of the coverage and exclusions, as well as the precise nature of the incident, will be at issue in any coverage challenge. An insurance program should be carefully evaluated and cyber hygiene should be continuously monitored as part of a comprehensive cyber risk mitigation strategy.

BitPay Cyber Insurance Litigation

An interesting cyber insurance coverage case was filed recently in the Northern District of Atlanta involving bitcoin payment processor Bitpay.  Bitpay’s CFO was spear phished, leading to an improper transfer of bitcoins valued at $1.8 Million.  Bitpay had been issued a Commercial Crime Policy by Hanover Insurance Group, which included coverage for “Computer Fraud,” as follows:

We will pay for loss of or damage to ‘money’, ‘securities’ and ‘other property’ resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the ‘premises’ or ‘banking premises’:
a.  To a person (other than a ‘messenger’) outside those ‘premises’; or
b.  To a place outside those ‘premises.’

Hanover denied the claim because, according to Hanover, the transfer of bitcoins as a result of spear phishing did not “directly” result from the use of a computer.  This kind of spear phishing attack, Hanover stated in its denial letter, does not entail “a hacking or unauthorized entry into Bitpay’s computer system fraudulently causing a transfer of Money.”  Hanover further argued that “there is an important distinction between fraudulently causing a transfer, as the Policy language requires, and causing a fraudulent transfer, which is what occurred upon the CEO’s approval of the bitcoin transactions after receiving the fictitious emails.”  Finally, Hanover argued that “the term ‘premises’ is defined in the policy as, ‘the interior of that portion of any building you occupy in conducting your business’” and does not cover bitcoins “held online, and transferred online.”  After further attempts to obtain coverage were unsuccessful, Bitpay filed the coverage action.

If the case does not settle, it will be interesting to see how the court construes the disputed terms in the context of this bitcoin spear phishing scam.