Cybersecurity and Data Privacy Risks

Insurance Coverage for Losses After Ransomware Attacks

• Our attorneys have been insurance coverage counsel to several domestic and international companies and organizations suffering a ransomware attacks. In several events, our attorneys worked with multiple insurance carriers to maximize the amount of insurance available to pay the resulting losses arising from and related to the event. The events have included losses approaching nine figures. This has included recovering under first party property policies, kidnap, ransom, and extortion policies, and cyberinsurance policies, getting coverage for the cost of ransom, forensic costs, legal costs, extra expenses related to replacement and rental computers, and settlements with the policyholders’ customers. We also have worked on matters where insurance carriers have threatened to rescind the policy based on purported misstatements or misrepresentations in the application.

Business Email Compromise/Phishing-Based Wire Fraud

• Our attorneys have been insurance coverage counsel to multiple companies that suffered losses resulting from business email compromises. This has included wire frauds from social engineering or spoofed emails from cyberattackers who took over email accounts. Our attorneys have helped clients from multiple industries (such as financial institutions, family offices, commercial adjusting, international retail, music publishing, home building, automotive component manufacturing, wealth management, staffing, and more) recover funds through negotiations with their insurance carriers. In one matter where the carrier refused to compromise, we won multiple victories in District Court and the Court of Appeals. Addressing an area of insurance coverage in which there are very few pro-policyholder decisions, the 11th Circuit ruled that our client’s crime insurance policy unambiguously provides coverage for the losses. In other matters, we helped our clients obtain millions of dollars in coverage for liability due to a business partner sending out fraudulent wires after a cyberattack, and obtain millions of dollars for losses and liabilities after criminals entered into the policyholder’s system via a cloud provider.

Insurance Coverage For Payment Card Cyberattacks

• Our attorneys have been insurance coverage counsel to several clients who have suffered payment card data privacy incidents, and our attorneys have litigated two of the first insurance coverage lawsuits regarding the scope of coverage for PCI-based losses. Multiple events have involved alleged compromises of millions of card numbers. Our clients for these matters include multi-billion dollar retailers through smaller hospitality companies and retailers. Our attorneys have helped our clients pursue insurance coverage for the liabilities to the card brands and processors, as well as for class actions alleging harm due to the cyberattacks. This has included the pursuit and obtaining of coverage under cyberinsurance, directors and officers, crime, first party, general liability, umbrella liability, and package insurance policies. Our attorneys have litigated some of the very few publicly-filed cases under cyberinsurance policies to date, disputing the application of policy “sublimits” for “operational fraud” and “operational reimbursement.” We also have resolved claims at mediation, in circumstances where the insurance policy and the governing law required alternative dispute resolution as well as after an appeal was argued, and through strategic advice and counseling that resulted in full coverage for our client’s losses. Our attorneys also have litigated whether CGL policies provide coverage for losses due to a PCI-related cyberattack, handling the dispute from the initial filing to arguing at the Court of Appeals for the 11th Circuit, and ultimately resolving the matter through a settlement achieved shortly after oral arguments.

Sensitive Personal Information Compromise, International Dating Company

• Our attorneys acted as insurance coverage counsel to an international dating company that suffered a data privacy incident and cyberextortion threat. Our attorneys evaluated the entire insurance portfolio, gave notice of the claim, and advised the company on insurance-related issues.

Corporate Secret Data Privacy Incident, Global Software Company

• Our attorneys acted as insurance coverage counsel to a global software company that suffered a data privacy incident and theft of corporate secrets. Our attorneys evaluated the entire insurance portfolio and gave notice of the claim. One insurance company quickly tendered its limits, and our attorneys obtained coverage under the remaining policies.

Protected Health Information Data Breach, Health Care Company

• The advice from one of our attorneys helped this client obtain full coverage from cyberinsurance, E&O insurance, and D&O insurance carriers for its losses resulting from a breach of protected health information. Our advice resulted in multiple carriers agreeing to pay the costs of responding to a subpoena, pay the costs of defending against a putative class action, to indemnify the amount that the insured paid in a regulatory settlement, and to indemnify the settlement of the putative class action.

Protected Health Information Data Breach, Health Care Solutions Company

• The advice from one of our attorneys helped this client obtain full coverage for its losses resulting from a breach of protected health information. The company faced a class action, investigations from state attorneys general, an investigation from the Federal Trade Commission, and other claims. After the insurance company stated that only 50% of the policy limits were available, our attorney helped the policyholder obtain the full limits of its cyberinsurance policy, convincing the insurance company that a sublimit did not apply and that affirmative mitigation costs were covered under the policy.

Account Data Compromise Event, Real Estate Investment Trust

• Our attorneys advised a REIT that was seeking coverage for its losses for a data breach under multiple insurance policies, including a cyberinsurance policy. We ensured initial and full payment under the cyberinsurance policy, and worked to ensure that there is sufficient coverage and that the client can obtain coverage under other insurance policies with lower retentions.

Network Software Failure and Business Interruption, Manufacturer

• Our attorneys helped a company analyze its insurance coverage for a business interruption event after enterprise resource software failed. The company held cyber-specific business interruption coverage under an errors and omissions insurance policy. Our attorneys interviewed key business personnel, analyzed the policy language, and worked with the broker to present a comprehensive coverage analysis to the client.

Insurance Counseling for Personal Information Data Breach, Law Firm

• Our attorneys were insurance coverage counsel to a law firm that had a hard drive of backup client information stolen. The incident involved both an insurance claim and professional services claim. Our attorneys worked with the insurance company to withdraw the reservation of rights and drop efforts to pursue a potential rescission claim. We obtained full coverage for the losses. 

Insurance Litigation Related to Cyberattack Resulting in Destruction and Theft of Data, Manufacturer and Holding Company

• Our attorneys were insurance coverage and investigation counsel to a manufacturer and its parent company in connection with a cyberattack that resulted in significant quantities of deleted data and stolen information. We helped the company obtain the full limits of coverage available under a first party all risks insurance policy. We litigated the crime insurance carrier’s denial of coverage for the event, winning the case on summary judgment. The court ruled that electronic data qualifies as tangible property, requiring coverage under a crime insurance policy. The carrier later settled after a confidential mediation.

Protected Health Information Data Breach, Healthcare Non-Profit

• One of our attorneys acted as insurance coverage counsel for a non-profit that suffered a data breach of protected health information. Our attorney helped the entity obtain coverage under a crime insurance policy and acted as counsel for claims made under a package insurance policy.

Insurance Counseling for Protected Health Information Data Breach, Medical Association

• One of our attorneys acted as insurance coverage for a medical association that suffered a data breach of protected health information. Our attorney provided advice regarding insurance that potentially could provide coverage, notice to the insurance carriers, and worked with the company to respond to the insurance company’s initial coverage position.

Insurance Counseling Related to Cyber Risks, Multiple Clients

• Our attorneys have advised retailers, banks and financial institutions, a pharmacy benefit management company, law firms, healthcare-related enterprises, an internet company, defense contractors, a construction firm, a chemical manufacturer, a healthcare-related software company, investment firms, and other enterprises about the scope of coverage under offered cyberinsurance policies. Their advice led to more favorable terms and conditions being offered and purchased.