Travelers Must Cover Inadvertent Data Disclosures, Court Rules

A recent Fourth Circuit case affirmed a Virginia district court ruling that insurer Travelers Indemnity Company of America had a duty to defend a class action brought against its insured, Portal Healthcare Solutions, LLC, under a cyber liability insurance policy providing coverage for the electronic publication of certain materials. Portal Healthcare provided “electronic storage and maintenance of certain medical records” as a service to its healthcare provider clients. The class action suit alleged that Portal Healthcare negligently failed to provide services when a wrong security setting on a web access portal was selected, allowing internet search engines to scoop up not only the login page as a search result, but also the underlying sub-pages containing medical records.

Travelers argued that it had neither a duty to defend nor indemnify under the 2012 and 2013 policies acquired by Portal Healthcare. The 2012 policy included a “Web Xtend Liability Endorsement” applicable to coverage for “Personal Injury, Advertising Injury and Web Site Injury Liability.” The 2013 Policy contained a Commercial General Liability Coverage Form applicable to “Personal and Advertising Injury Liability.” The applicable definitions included:

  • “Advertising injury” means injury, arising out of one or more of the following offenses: … electronic publication of material that … gives unreasonable publicity to a person’s private life
  • “Personal injury” means injury, other than “bodily injury,” arising out of one or more of the following offenses: … electronic publication of material that … gives unreasonable publicity to a person’s private life
  • “Web site injury” means injury, other than “personal injury” or “advertising injury” arising out of one or more of the following offenses: … electronic publication of material that … gives unreasonable publicity to a person’s private life …

Travelers asserted that it owed a duty to defend Portal Healthcare only if the underlying class action complaint alleged “(1) injury arising out of the offense of “electronic publication of material that … gives unreasonable publicity to a person’s private life” (2012 Policy) or (2) injury caused by the offense of “electronic publication of material that … discloses information about a person’s private life” (2013 Policy).”

The Fourth Circuit, however, held that the Eastern District Court of Virginia correctly analyzed the matter under the “Eight Corners” rule, where the court must look first to the four corners of the contract (the insurance policy) and then the four corners of the complaint. The policy provided coverage for “publication” of electronic materials which either gave “unreasonable publicity” to or “disclosed” information about an individual’s private life.

Travelers argued that there could not be “publication” when the insured’s business was the protection of information and there was no evidence that a third party actually viewed the information. The District Court determined in the first instance that “publication” does not refer to intent (whether intentionally or unintentionally disclosed) so that argument was rejected. As to the second element, the court noted that publication occurs when placed “before the public,” without reference to whether the public actually reads the information.

Under the second requirement for coverage, Travelers maintained that “publicity” required a proactive step to “attract” interest, and that “disclosure” required a third party to actually view the information. The District Court held that publicity was unreasonable due to the nature of the sensitive information contained in the medical records and there was no requirement that the insured take overt action to attract attention to the information. As to the “disclosure” argument, the District Court held that disclosure occurred when viewing by a third party became possible, not when or if a third party actually viewed the information.

The District Court also addressed the fact that there was no express exclusion of the actual security failure involved and that, at a minimum, the insurance carrier would have to defend (although it could still later argue it had no duty to indemnify), based on the law that such an ambiguity is decided in favor of the insured.

This makes it clear that it is critical to pay attention to the type of coverage purchased and to the fine print. It may also be helpful to have an insurance agent review the types of coverage you have, to look for gaps based on your business and possible risks, since each policy type includes those risks which are intentionally covered and others which are expressly excluded. Although the types of policies continue to expand to cover new technologies and new risks, depending on the carrier and the policy’s exclusion language, the coverage may not be what you think it is.

Travelers Stages Live Hack to Examine Realities of Cyberrisk

NEW YORK—Yesterday, Travelers hosted “Hacked: The Implications of a Cyber Breach,” a panel of the insurer’s top experts and outside consultants drilling down into the realities of the cyber threat.

According to Travelers’ brand new 2015 Business Risk Index, cybersecurity rose from the #5 threat in 2014 to the #2 threat perceived by business leaders, with 55% most concerned about malicious and criminal attacks.

In an exercise to show just how valid that concern is, panelists Kurt Oestreicher, a member of the cyber fraud investigative services team at Travelers, and Chris Hauser, former Silicon Valley FBI agent and current member of the cyber fraud investigative services team at Travelers, successfully carried out a live hack. Using a fake website created for this demonstration, the experts staged an SQL injection attack—the same kind of attack as Heartbleed; these are still responsible for 97% of breaches. Using an open-source penetration testing program that Hauser described as “point and click hacking,” they easily found a way to tunnel into the site’s SQL database. The process of scanning for vulnerabilities and acting on a known exploit—in other words, conducting the actual, successful “hack”—took about two minutes, including the time Hauser spent talking the audience through the process.

The program used to conduct this hack was free, and the number of resources readily available for free or very low cost means that more everyday businesses will become victims as malicious actors face very few obstacles to attempt a hack. “As tools and techniques like this become more common, it becomes far easier to target small- and medium-sized businesses and that exposure increases, especially because there are such low costs up front,” said Oestreicher.

Every day in the United States, 34,529 of these known computer security incidents take place. Yet many go undetected, and a lot are willfully unreported. While larger breaches impact more records, the preponderance of breaches strike Main Street businesses, not Wall Street corporations. In fact, of those that are identified and reported, 62% of breaches impact small and medium-sized businesses, Travelers found. Increased awareness among this group has yet to translate into increased coverage, however. According to a survey by Software Advice, insurance penetration among this group hovers at just over 2%, a trend Mullen has seen in the field as well. “Only about 10% of those who should have that coverage actually do,” he said.

According to data from NetDiligence, those incidents that are covered by insurance break down as follows:

[Figure: NetDiligence Cyberinsurance Claims by Business Sector]

[Figure: NetDiligence Cyberinsurance Claims by Data Type]

With hefty fines, costly investigation and notification requirements, and possible lawsuits and class actions, the true costs rapidly spiral. According to Mark Greisiger, president of data breach crisis services and security practices company NetDiligence, the average cost of a breach is $733,000 for SMBs—before any possible lawsuits or fines. Per record, the cost ranges from 1 cent to $1,000, based on the type of information contained. The average legal settlement after such breaches is currently about $550,000. Yet these numbers primarily reflect incidents where insurance was in place. Without the trusted vendor agreements, for example, the cost of retaining forensic investigation services in the midst of a crisis can be up to three times higher, he reported.

Recovering from these incidents varies wildly by the type of records exposed, and the resources available to aid in the effort. “It’s a wild pain in the butt with insurance,” said breach coach John Mullen, a managing partner of the Philadelphia Regional Office and chair of the U.S. Data Privacy and Network Security Group at Lewis Brisbois Bisgaard & Smith. “Without insurance, it’s a small- and medium-sized business killer. The Main Street story is a $2 million bill and no business.”

In the 2015 Business Risk Index, Travelers also shared a more detailed view of preparedness among specific industries:

[Figure: Business Risk Index Cyber Preparedness]

Insurers Will Be Found Not Guilty of Fraud in Sandy Payouts, Expert Says

Insurers will be vindicated of accusations of fraud for rejecting flood damage claims made by Superstorm Sandy victims, an insurance industry expert predicts.

New York’s Attorney General Eric Schneiderman has opened an investigation into accusations against insurers Wright National Flood Insurance Co., units of Travelers Cos. and Hartford Financial Services Group Inc., which contract with the government’s National Flood Insurance Program (NFIP), of rejecting property flood damage claims of Sandy victims based on falsified engineering reports, Bloomberg reported this week.

Under an arrangement called the Write Your Own (WYO) program, the Federal Emergency Management Agency (FEMA) allows participating property and casualty insurers to write and service the Standard Flood Insurance Policy in their own names.

Under the WYO program, insurers receive an expense allowance for policies written and claims processed while the federal government retains responsibility for underwriting losses. The WYO Program operates as part of the NFIP, and is subject to its rules and regulations, according to FEMA, which oversees the flood insurance program.

“I am confident that the attorney general will be satisfied that insurers involved with the Write Your Own program were operating in a manner consistent with NFIP guidelines,” said Robert P. Hartwig, Ph.D., president of the Insurance Information Institute.

Lawsuits in federal court accuse the insurers of colluding with engineering firms and others to deny or reduce damage payouts based on fraudulent reports. Schneiderman is investigating whether any crimes were committed. According to The Hartford Courant, more than 1,000 lawsuits are involved, alleging that homeowners were underpaid by insurance companies. Attorneys said insurers accepted altered engineering reports in a “peer review” process.

Insurers point out that the property disputes involve only about 1% of all flood claims and that the peer-review process is common practice—a quality control measure to make sure the federal government doesn’t overpay on flood claims.

Regarding the lawsuits that have been filed, Hartwig said, “I am equally confident that the evidence will indicate once again that insurers were operating in a manner consistent with NFIP guidelines.”

He explained that the lawsuits lodged against insurers alleging that certain insurers and firms hired to perform engineering analyses on flood-damaged properties were acting together to reduce or deny claims, “reflect a fundamental misunderstanding of how the NFIP WYO program works. Engineering firms routinely and appropriately use a peer review process to review work performed. Occasionally, that process leads to additional opinions being reflected in an engineering report, which can thus impact the dollar amount received by claimants. This is part of a routine and necessary quality-control process.”

Hartwig said that this process is “no different than peer review in other technical and scientific disciplines. Using medicine as an example, test results are routinely reviewed by more than one medical professional before a diagnosis and course of treatments are rendered.”

Moreover, he added, insurers and the engineering firms hired are not financially motivated “to pay claimants anything other than a fair and accurate assessment of the losses compensable under the NFIP policy purchased. Insurers that consistently underpay or overpay claims can be removed from the program by the NFIP/FEMA.”

Businesses Feel Less Prepared For Increasingly Risky World, Travelers Finds

In its 2014 “Business Risk Index,” Travelers surveyed more than 1,100 businesses on the top risks they perceive and how ready they are to mitigate those threats. Overall, respondents clearly see an increasingly risky world around them, but feel notably unprepared to handle the risks. The top seven threats, in order of reported concern, are: medical cost inflation, increasing employee benefit costs, legal liability, broad economic uncertainty, cyberrisk, complying with laws, and attracting and retaining talent.

Check out this infographic for more of the study’s insights:

[Infographic: Travelers Business Risk Index]