Gibbons Law Alert
On December 28, 2016, the New York Department of Financial Services (“DFS”) published an updated version of its proposed “Cybersecurity Requirements for Financial Services Companies.” The updated regulations will become effective on March 1, 2017. As previously reported, these regulations are an important step in the ongoing national dialogue about reasonable and necessary cybersecurity standards for all businesses.
As reported on this blog on September 27, 2016, the FTC issued a Final Order holding that LabMD’s data security practices were “unreasonable” and constituted an “unfair” business practice in violation of Section 5 of the Federal Trade Commission Act (“FTC Act”), 15 U.S.C. §45(a) and (n). The findings were a clear signal of the FTC’s expanding efforts to regulate data security and to incentivize companies handling sensitive data to implement and maintain strong data security practices. On Thursday, November 10, 2016, the 11th Circuit stayed enforcement of the FTC’s Final Order pending a full hearing and final decision on LabMD’s appeal, and called into question the validity of the FTC’s conclusions as to what may constitute an actionable “privacy harm” following a data security breach.
Is a commercial policyholder able to get insurance under the terms of its computer fraud coverage (typically offered as part of a crime policy) for a fraud based upon information transmitted by email? Not according to the Fifth Circuit’s recent decision in Apache Corporation v. Great American Insurance Company, which vacated the trial court’s judgment and left the policyholder with a $2.4 million uninsured loss. While the opinion is unpublished and therefore should have limited precedential value, it highlights the importance of reviewing your company’s coverage profile in an effort to close potential gaps in insurance coverage for security breaches and other losses involving computer use.
On September 13, 2016, New York Governor Andrew M. Cuomo announced new first-in-the-nation proposed regulations to protect against the ever growing threat of cyber-attacks in the financial services industry. The proposed regulations, to be enforced by the New York State Department of Financial Services, would apply only to an entity regulated by the NY Department of Financial Services – from a multi-national bank to a “mom-and-pop” operation. However, the regulations are important for all companies to review and consider, regardless of their location or scope of operations, because the proposal represents an important step in the ongoing national dialogue about reasonable and necessary cybersecurity standards for all businesses.
The Federal Trade Commission (“FTC” or “the Commission”) recently confirmed that disclosure of sensitive consumer data as a result of inappropriate data security practices may be deemed an “unfair act or practice” in violation of the Federal Trade Commission Act (“FTC Act”). This decision is important because the FTC reached this conclusion with no evidence of actual economic or physical harm, or any actual health and safety risks as a result of the disclosure. The Commission’s decision is also notable because it emphasizes the FTC’s expanding reach in the regulation of data security.
Policyholders may still enforce an insurer’s duty to defend under a Commercial General Liability (“CGL”) policy for claims arising out of a data security breach, according to a recent Fourth Circuit decision. While the decision was issued in an unpublished opinion (a mere 18 days after oral argument), the decision represents a significant victory for policyholders seeking insurance coverage for claims arising out of data breaches resulting in the disclosure of personal information.
A recent decision by the New Jersey Supreme Court serves as a strident warning to commercial insureds to make prompt notice of claims under claims-made policies. In Templo Fuente de Vida Corp. v. National Union Fire Insurance Company of Pittsburgh, P.A., the claims-made D&O policy at issue required written notice of a claim “as soon as practicable … and … during the Policy Period.” The insured was served with an underlying complaint on February 21, 2006. It retained defense counsel and filed an answer, but did not provide notice of the claim to its insurer until August 26, 2006 — a delay of six months, yet still within the policy period. The insurer denied coverage for various reasons, including that notice was not provided “as soon as practicable.”
The risks inherent in the maintenance and storage of confidential information present an ongoing challenge to daily operations. Cyber insurance may be an appropriate mechanism to mitigate those risks. But – BUYER BEWARE – broad exclusions and other conditions in a cyber policy can hack into coverage and leave your company uninsured and exposed to significant liability for defense costs, liability payments, and regulatory damages.
The New York Court of Appeals has vacated its recent decision in K2 Investment Group, LLC v. American Guarantee & Liability Insurance Co., reverting to the majority position that an insurer breaching its duty to defend an insured is not barred from relying on policy exclusions to defend a later claim for indemnification. The case originated from a related lawsuit where K2 Investment Group, LLC and ATAS Management Group, LLC (collectively, the “LLCs”) sued an attorney for legal malpractice.
The recent decision by New York’s Appellate Division, First Department in Executive Risk Indemnity, Inc. v Starwood Hotels & Resorts Worldwide, Inc., serves as a grim reminder to insureds to pay careful attention at the time of policy renewal to existing demands from third parties, applicable terms and conditions of expiring and renewal policies, differences in the scope of coverage, and appropriate disclosures. Those who do not run the risk of foregoing the insurance they thought they had without even realizing it.