Some Significant & Representative Cyber Insurance Cases: Second Period & Its Dénouement
There are not very many reported cyber
insurance cases, as was already noted in my account of the First Period, Part
I, published today. There are
plenty of civil (and criminal cases) about the so-called cyber-world, but
direct, focused, coverage, or similar, cases are very few in number—almost none
in the Twentieth Century. There are
more in the early Twenty First Century, but as they have evolved, the topics of
those cases are probably passé. I have
already spelled some of this out in Part I.
There are many more cases now; that
arises from (1) the exponential growth of computer technology, following what
is called “Moore’s Law”—something which is not a scientific (or any other kind
of )law at all, (2) the increasing number of diverse insurance policies
offered, sold and bought, and (3) the
growth of the market’s need for cyber-lawyers.
Category (3) to a degree of certainty vastly exceeding that of Moore’s Law, where the market wants
transactional lawyers, it will need litigation lawyers.
Some Cases of
the “Second Period”
v. Federal [i]
The first case
to be discussed, Netscape
Communications Corp. v. Federal
2007 WL 2972924 (N.D.Cal., October 10, 2007), reversed and remanded,
343 Fed. Appx. 271 (9th
Cir. 2009) [Parallel Cite: 2011 WL
2634945]. will be of
importance, even though it is in certain ways not amongst the most important.
(After all, it is not in the “first cut” of
West’s Reported Cases.)
Nevertheless it is frequently cited, and it’s focus of “of the times.”
so-called real world policies, there is something called “Coverage B.” It’s
most recognized habitat is in the CGL policy, though it is now in many
policies. It is entitled and called “Personal Injury and Advertising Liability”
coverage, and the “Personal Injury” component covers at least some events as false arrest, malicious prosecution,
wrongful entry, some defamations, and some violations of privacy, while
“advertising injury” covers other defamations, product disparagement,
misappropriation of advertising ideas, copyright, patent, and/or trademark
violations. Some of these injuries got
subtracted over time; some were (at least in effect) added; and some were
changed. Patent violations are a paradigm of a subtraction.
Fairly obviously some of these fit into the
so-called cyber-world perfectly
some degree privacy, and related topics, may now be the most important coverage
area ripe for coverage disputes. So as
copyright violations. As are trademark infringements.
This case is not the first
quasi-reported cyber-world case, it is not at the highest level reported, nor
is it the most cited case. It is important because the district court recites
the facts in some detail; applies legal reasoning taken from the so-called
real-world, and then makes historically significant reversible error regarding
semantic reasoning. Finally, its
significance seems to have been generally misunderstood.
America Online (AOL) and its subsidiary
Netscape Communications Corporation sued Federal Insurance Corporation alleging
breach of contract, common law insurer bad faith, and Unfair Competition in
violation of the California Business and Professions Code §17200.
The case was decided on cross motions for summary judgments on the topic
of the insured’s right to a defense from St. Paul.
Netscape demanded that St. Paul defend
it in four private civil actions. Those
suits alleged at least interceptions of private electronic communications. Each of the underlying suits concerned
Netscape’s “Smart Download Product,” a software program designed to facilitate
the ability of third party users to download large files over the Internet by
enabling them to resume interrupted downloads from the point of interruption.
The program contained a feature, “Smart DownLoading Profiling,” which provided
Netscape with information about users’ internet activities. Netscape used this
information to create profiles of its users, both to help with technical
support, and to create opportunities for targeted advertising.
At first the policy “excluded coverage
for advertising injury or personal injury such as invasion of privacy claims.”
Netscape was added to the policy when it was acquired by AOL in 1999. The district court summarized parts of the
policy pertaining to what has been called “personal injury” for a long time in
CGL and similar policies. Invasion of privacy was part of the insuring agreement. Among the exclusions was one for “personal
injury for ‘online activities.’”
A major substantive question pertained
to a single exclusion in the policy, namely the “online exclusion.” St Paul
contended it applied, and Netscape denied it.
In particular, Netscape argued that “the exclusion does not apply
because SmartDownLoad did not involve ‘providing access to 3rd
parties.’” The exclusion section states that “for the purpose of advertising
injury. . ., all Online Activities are excluded from these coverages.”
The district judge examined the policy
and the English language and on those bases found that “the plain meaning of
the term ‘online activities’ included those products and services that provide,
allow for, and facilitate access to the Internet and its content. Some of the
language examined by the court was in an endorsement, and it said: “‘[p]roviding e-mail services, instant
messaging, 3rd party advertising , supplying 3rd party
content and providing internet access to 3rd parties.’” (Emphasis added.)
The court took the word “access” to be
broad, and broader than “connection.”
Providing a connection meant providing a way in. “‘Access’ included not only the permission or
ability to enter as ‘connection’ does, but also the freedom or ability to make
use of something.” The court concluded
that since the plaintiff’s were providing software that facilitated purchasers
to come on to the Internet, the seller gave them access to it.
The district judge took these points to
be based on the clear language of the policy. He went further, however, and
posed a hypothetical supposing that since the meaning of “access” is ambiguous
so it would have to be interpreted in favor of the insured, assuming that the
insured did not propound and probably actually “write” the relevant passage. But it is not ambiguous, that analysis need
involve nothing but cogitation on the purely hypothetical.
There was one other question the court
decided. It was near its main
point. This subsidiary point regarded
the meaning of “access,” actually resolves of the main other point. The policy
provided liability coverage for “personal injuries,” and that idea included
“[m]aking known to any person or organization, written or spoken material that
violates a person’s right to privacy.”
The court indicated that it would have held,
but for the exclusion just discussed, that Netscape had a right to a defense
from St. Paul. After all, Netscape
passed information to the parent company, its employees, and persons at AOL.
The court at least impliedly held that
if the exclusion functions as the court held that it did, then there is no need
to reach the “Make Known to Any Person or Organization” language of the policy.
The Ninth Circuit panel that reviewed
this case, rejected the decision of the district court without ceremony. Considering in reverse order, the panel
rejected the trial court’s interpretation of “access.” It held that common usage in the language of
cyber world discourse does not include the acts of “SmartDownload or the acts of
AOL as providing ‘access.’” The common usage equates “access” with providing an
Internet connection. Thus, the selling of a product which a buyer could use to
make a connection is not making a connection, and thereby providing access, to
the purchaser. That eliminated the exclusion.
Now for the insuring agreement. The
plaintiffs in the underlying case pleaded a breach of privacy. To be sure, it is an unusual, non-traditional
version of someone’s having a right to privacy, but the coverage language in
the policy was broad. So, as the district judge said, this case was pleaded in
such a way that fit within both the legal conception of a right to privacy and
the language of the contract.
Unquestionably, AOL internally
disseminated “private online communications” to some persons. A few courts have held that these kinds of
disclosures do not constitute an invasion of privacy. But those decisions assert this only “in
dicta while deciding whether the personal injury clause covers invasions of
‘seclusion privacy’ claims.” No such
case has been decided in a context in which the policy language employed the
word “any,” and the district court was exactly about how to think about that
The decision of the district court
was reversed and remanded.
The facts—the plot–in the underlying
case, the case upon which the coverage case is based, are familiar. Hackers invaded the computer system of Retail Ventures, Inc., DSW Inc., and DSW Shoe
Warehouses, Inc. on February 1 and 14, 2005 using the local wireless network
and one of the stores to get to the main system. They “walked off,”—downloaded—credit card and
checking account information for 1.4 million customers and the underlying
damages were stipulated to be $6.8M. Fraudulent transactions had followed the
hacked invasion, but the hackee was notified by some credit card companies on
March 2nd. Retail Ventures Inc. v. National Union Fire
Insurance Company of Pittsburgh, Pa., 691 F.3d 821 (6th Cir 2012).
Retail Ventures’ damages resulted from the
data breach included “expenses for customer communications, public relations,
customer claims and lawsuits, and attorney fees in connection with
investigations for sever state Attorney Generals and the Federal Trade
Commission.” The largest part of the
loss, $4M, “arise from the compromised credit card information: namely, costs
associated with charge backs, card reissuance, account monitoring, and fines
imposed by VISA/MasterCard.” The FTC
case was settled by Retail Venture agreeing to set up and deploy better cyber
One important feature facts surrounding
the hacking incident involved were not an issue on appeal, at least in part,
because the criminal had been identified.
In February 14, 2005, someone used a local wireless network at a local
DSW store, obtained access to the main computer system and downloaded both
credit card and check information for
1.4 million people that shopped at 108 of the DSW stores. Fraudulent transactions followed. DSW was alerted on March 2, 2005, they began
an investigation, and notified AIG quickly.
AIG reserved its rights and investigated.
The insurance policy involved was an
endorsement—a rider—covering computer fraud attached to a “Blanket Crime
Policy.” Here is a case where the
policy, considered as a whole covered both to be found in the real world and
damages to be found in the real world but the causes inflicting the injurious
effects through the use and then the causative flow to be found in the cyber
world. What was found in the cyber world
was not injured; no network was destroyed, for example. It should also to be noted that that no
bodily injury and no physical injury was inflicted on anything or any person in
the so-called real world. It was
financial or economic only.
The insured incurred substantial expenses
occasioned by the data theft, for example: matters of customer communications,
public relations, customer claims and lawsuits, attorney fees in connections
with seven (7) government investigations by state Attorney Generals and the
inquiry was resolved administratively with a consent decree, inter alia, that plaintiffs [DSW]
establish and maintain a comprehensive information security program designed to
protect the security, confidentiality, and integrity of personal information
collected from or about customer.”
event and the follow up cost DSW more than $4M for
associated with charge backs, card reissuances, account monitoring, and fines
imposed by VISA/MasterCard. That amount
was determined by the settlement of plaintiffs’ contractual obligations with
credit card processor, National Processing Company, LLC (a/k/a BA Merchant
AIG denied coverage on several
grounds. The denial letter “questioned
the ‘location’ of the loss; it stated that the loss appeared to be ‘excluded
because it related to confidential customer information’; that this was an “‘indirect
loss,’” and so not covered. The
plaintiff responded by providing further information. AIG modified its position
but continued to deny coverage on the ground that the claims “arose from ‘third party theft of propriety
confidential customer credit card information.’”
Both the insurer and the insured sought
declaratory judgments. Setting aside
other issues, the only coverage issue involved a piece of the cyber theft
endorsement to the blanket crime policy entitled “Computer & Funds Transfer
Fraud Coverage.” The insurer agreed in relevant part to pay the insurer for:
Loss which the
Insured shall sustain resulting directly from: the theft of any Insured
property by Computer Fraud.
The phrase “Computer Fraud” was defined
as including several alternatives, one of which was “‘fraudulently accessing of
such Computer System[.]’” The phrase “Insured Property” includes property the
insured owns or holds, whether or not the Insured can be held liable for what
happens in this situation, i.e., owning or holding.
AIG did not dispute
unauthorized access or that there was “Computer Theft” involving “Insured
Property.” What was disputed was whether
the insured’s loss was one “resulting directly
from the theft of insured property by computer fraud.” (All of the underlining of “direct,”
“indirect,” “directly,” as well as
“indirectly,” have been added for emphasis.)
the role of directness is built into
many cyber-policies, and many believe that the holding and reasoning in DSW
indicates that a storm in coverage litigation is coming.
In this case, AIG
advocated that the endorsement was really a fidelity bond. That argument failed quickly. The issue of directness was the main
issue on appeal. AIG took the position that “direct” means sole and
immediate cause, or what is sometimes called “Direct-Means-Direct
Approach.” The court rejected this
view. To some extent it has been used in
fidelity bond cases, and has not always been sued there. Instead, the court took a different approach;
it adopted the premise that “direct” does not unambiguously incorporate the
direct-means-direct approach; rather that the policy language makes it
In contrast to AIG, DSW
argued that “direct” means “proximate cause.”
The court seems inclined toward that view but was nervous about adopting
it without a specific holding in the Ohio Supreme Court to that effect.
AIG gave two more
arguments with which the court seem impatient. One is that there had been an
excluded “loss of propriety information, Trade Secrets” etc. The court gave a
variety of reasons why this argument could not work. One of them was that those
concepts apply to the internal business operations of the insured. Of course, nothing like that was involved
3. Zurich American v. Sony
This case begins with Zurich
American (Zurich), and a number of other insurance companies filing a Complaint
seeking a declaratory judgment on a breath taking disaster at the SONY. It
focused on both the various SONY entities and other insurers. Zurich American Insurance Company, et al v.
Sony Corporation, et al (Sp. Ct. N.Y. (Trial Division)) #651982/11. (July
20, 2011). For reasons related to actual historical sequence and significance,
this case is discussed before cases decided after it. It is my understanding
that SONY filed a similar case in California.
It all arises out of the now famous
PlayStation 2011 debacle resulting from massive hacking of gaming networks
(a/k/a a form of gambling?), together with networks inviting customers to
purchase and download games, music, movies, and so forth. For entry into these cyber-dens, customers
had to make certain disclosures of personal information—sometimes
financial. On April 16, 2011, hackers
entered into one of the defendant’s networks and from there got into the rest
of the system. Some 25 million people were subjected to cyber-information
thievery; during the next two days, through another portal of one of the
defendants, another 77 million people were subjected to the same treatment.
A total of 58 class
actions were filed against the SONY entities—55 in the U.S. and 3 in
Canada. These suits pled pretty much
what one would expect. They were actions
based on common law and violations of statutes, both state and federal.
Apparently, SONY has so far lost on the order of $2B.
of its own policies are: they were primary CGL policies, and at least one
“follow form” “quota share” excess policy.
Zurich’s pleadings focus on what insurers usually do when arguing duty
to defend issues:
Try to limit the number of those who
have rights under the policies, e.g., they are the policyholder; no one else
is; no one else is an additional named insured, and so forth;
Try to limit the exposure of the insurer
by demonstrating that there are other insurers who go first as to liability
payments, whether as to the duty to defend or the duty to indemnity; &
Try to defeat exposure both as the duty
to defend and the duty to indemnify.
So far as the CGL policy is concerned,
it seems virtually certain that there would be no bodily injury claims,
although given the number of plaintiffs in the underlying suits, perhaps some
actually had heartaches resulting from finding out about the invasions of
financial privacy. In addition, it’s hard to see how this would be a property
damage claim, since what is required is physical injury to tangible property,
and there was no such suggestion of that so far as I can tell. The most probable route for the plaintiff’s
in the underlying cases was Coverage B, which focuses on so-called “Personal
Injury.” In fact, according to Zurich’s Complaint, there were not claims for
“property damage,” as that terms is defined in the policy (or any at all, so
far as I can tell). On February 11, 2014, the trial court ruled
that Zurich had no duty to defend.
The real themes in this case revolve around Coverage B and its coverage
for invasion of privacy. The trial court
ended the case (for now) by granting Zurich what it sought. Zurich and the other insurer argued that invasions of privacy insured under CGL Coverage B require that the insured do something to violate that right, and here that would be asserting something. But that was not pled. This case may be far from
over, but it is probably over so far as Coverage A is concerned. See Roberta D. Anderson in 2014, Volume
49, Number 1 of the [ABA] TORT[,] TRIAL & PRACTICE LAW JOURNAL 499-528 is
heavily critical of the judgment and reasoning in this case, and [This is out
of 408 endnotes.] Id. at 563 n.169. Given the the lack of clarity in the language found policies regarding the categories insured under Coverage B, one would not be surprised to find that Ms. Anderson
is right. That does not matter from the
point of view of this essay.
4. Eyeblaster, Inc. v.
This case, Eyeblaster Inc. v. Federal Insurance, is
another case based on the analysis of
language in the policy. It is
much more complicated than Netscape, since—for
one reason—there are more such issues.
Eyeblaster was a
large international company that managed Internet ad campaigns all over the
world. Much of its products was
interactive advertising programs. It has
now become MindMedia.
According to the
court’s opinion, “The industry in which Eyeblaster provided services is known
as rich media advertising. It allowed customers to create interactive ads in a
wide range of formats, and to track and manage the performance of the
advertising campaigns.” It can deliver to billions of users worldwide at the
same time. It used cookies to “measure and enhance the effectiveness of an
It had purchased
(1) a General Liability policy (with some twists) and (3) Information and
Network Technology Errors and Omissions insurance policies from Federal. In additions to the cyber instruments just
pages and increases the Internet’s utility. Eyeblaster did not use spyware or
introduce malicious contact such as spam, viruses, or malware.”
The period of coverage ran from
December 5, 2005 December 5, 2007. One David Sefton (Sefton or Plaintiff) sued
Eyeblaster on October 26, 2006. Eyeblaster notified Federal, but Federal denied
the claim under the CGL on two bases: first because the Plaintiff did not
assert claims for bodily, and second because the plaintiff did not assert
“physical injury to tangible property.”
The precise series of many problems with the
plaintiff’s computer and its software, etc. is not important here, so far as
the CGL coverage is concerned. What was central to the case was the idea that
there are two categorically different components to any computer system: the
solid, material, physical part of it and the part that are not. The trial judge did not make this distinction
correctly (and it will be discussed again while considering the ideas of John DiMugno
below) and/or did not interpret the plaintiff’s complaint in a sufficiently “charitable”
way. In any case, the Eighth Circuit reversed the decision in the district
court that there was not coverage. It
reasoned, correctly, that the computer itself was tangible property and that
the plaintiff in the underlying suit had alleged that or come close enough. What is important to realize about this case,
it that it does not say that software and its “cousins” are physical objects.
Liberty Mutual Insurance Company v.
Schnuck Markets, Inc.[v]
much can be said about this case. First, there was an order sealing at least
part of the case and ordering Liberty to file a redacted pleading on August 16,
2013, and a second order was entered on August 27, 2013, regarding
the defendant’s answer date. Schnuck
filed the lawsuit to obtain coverage for a data breach that affected an
estimated 2.4m people or entities using cards at Schnucks over a 3 month
period, or so. However, Liberty has
dismissed the case. There have been two
explanations in the media. The first is that Liberty saw it was going to
lose. This one seems the opposite has
already been media mentioned. There is a
third view, of course. Liberty Mutual had worked with Schnuck Markets for a
long time and wanted to pay a little to keep the business.
of the Second Period? The Recall Case
this case, Recall Total Information
Management, Inc. v. Federal Insurance Company,[vi]
the theme I am using for dividing
the two opening historical periods for cyber insurance coverage
litigation—remember: it’s controversies as to what counts as covered property
damage in so-called real-world policies, such as the CGL policy—the issue is
barely discussed. In the Recall Total case, therefore, it is what
the parties did not argue about in what became a reported opinion that is of historical,
though not precedential, import. The
Connecticut Court of Appeals did not deal with the question as to whether cyber
data can be covered physical property under the CGL policy.
Here’s what happened. Recall Total took care of various computerized
information for IBM—its “vital records.”
Recall had hired another company, Ex Log, to haul a whole raft of “tapes”
with an enormous amount of employee confidential information on them, e.g., social
security numbers. They fell off the
truck and were never recovered. IBM spent $6+m in notifying and protecting its
employees. It demanded contract damages
(and/or, perhaps, restitution); Recall agreed to and did pay. It then sued its CGL carrier, Federal, based
on the coverage provided for invasion of privacy found in Coverage B and for
property damage, based on coverage found in Coverage A
Most significantly, the trial court
ruled that the data was “intangible property” not “tangible property,” as
required for coverage in the CGL policy.
The Court of Appeals merely observed, in passing, in endnote 4, that the
trial court’s decision had not been appealed.
But why, one might wonder, would it not be appealed; after all, the
expense of that argument on appeal would be cheap (several hours of
associate-level brief drafting, and physical objects fell off or out of the Ex
Log truck and then disappeared. It seems
obvious that the lawyers and their clients realized that fights on that issue
were pretty well over—and not just in their case—but across the board, or
mostly, anyway. (Then again, of course,
the two sides may have secretly settled that portion of the case. Of course, if
that happened, that even in and of itself would signal a resignation to the
category of Coverage A property damage fight very probably empty.
Thus, contrary to two well informed
and well respected commentators, I suggest that the history of Recall Total, though it is a third party
policy and not a first party policy, pretty much closes the book on data being
insurable against “physical loss” as that term has been used historically in
real-world policies, whether third party or first party.
Dimugno, the renowned Editor-in-Chief of INSURANCE LITIGATION REPORTER, among
other things, argued in Volume 36, Number
1 of that journal, at pages 9-12 that, among other reasons, the Recall Total case does no such thing. He
suggests that (i) if magnetic patterns
are physical components of computer systems—and the parts of these sitting on a
table or in one’s lap are clearly physical objects—and (ii) if some malware
moves from the insured’s computer system to that someone else, the
cyber-ethereal-“space” and (iii) if an entity or person relevantly connected to
that computer is sued for that which is connected related to the ethereal
something (and not to the obviously physical something, e.g., the laptop), there
may be coverage.[vii].
case upon which he relies is Eyeblaster,
already discussed. That case does not
support the proposition that (“pieces of”) data themselves are physical objects, though
it does hold, rightly so, that a computer considered as a physical object—like
the thing sitting before me right now—is exactly that, indeed a concatenation,
an organized and perhaps functioning pile of physical objects. But the fact
that such a physical thing and may “freeze,” etc., where “freezing” was a
concept central to the case, does not
make the data such an object similar to the laptop and its metaphorical
siblings. It does not even make the
magnetic patterns physical objects of an insurable sort. They are not tangible. If they were, then
brain waves would be insurable physical objects (perhaps a closer call), as
would radio signals, wireless cell phone transmissions, text data, modes of
sending texts (none of them being a close call), and so forth.[viii] If a given computer were unable to control
“pop- ups,” and the device cannot, because of a defect or injury, say, and so
as a result cannot be used, the machine is a physical entity, but the pop up
itself is not.
readers that need to be reminded of this fact, if a physical computer—the kind
just discuss—is pled to be damaged, there could be a duty to defend, and, of
course, if an insurer is obligated to defend a lawsuit because of one
allegation, it is stuck with defending the whole thing. That legal rule is just as central to
litigation in the so-called cyber-world as it is the so-called. Still, it does
not follow that the parts of the lawsuit which would not generate a duty
involve physical objects.
course, one might want to ask,
“Well, if it’s not physical what is it. Isn’t
everything in the world physical?”
I love this question, but that is because I
studied philosophy, including metaphysics and ontology, ad nauseum for years, and so in those systems of thought, I would
have to say that insurance policies are “dualistic,” in the way Descartes
was. He thought there were minds and
bodies and that they were different. I
would have to say that there is a difference between what I shall call scientific
physicality and pragmatic physicality and that both third and first
party insurances of property fall into the second of these two category. The non-metaphysician would like to ignore
that difference and always argue in the for a version of physicality that suits
client interests at the time, but it won’t work precisely because at least
pragmatic physicality runs though the unconscious of all non-superstitious
view of Roberta A. Anderson, whose major recent work has already been
discussed, her pages 560-62 at nn 159-167 above, is more restrained and more
“implication oriented.” After stating the facts in enormous reliable detail,
she simply observes that the court of appeals in Total Recall says nothing whatever about the matter of
physicality. Of course, I agree with
that view, as I’ve already indicated. My point is entirely different that of the
essay of an immensely helpful legal encyclopediast, even though both of our
views are based on what the panel did not discuss.
is there anything further to say? Sure, lots of stuff. But the phrase “enough is enough,” some might think
would have called an end to it a while back. Maybe so. In any case, I quit, for now.
Communications Corporation v. Federal Ins. Co., 2007 WL 2972924 (N.D.Cal.,
October 10, 2007), reversed and remanded, 343 Fed. Appx. 271 (9th
Cir. 2009) [Parallel Cite: 2011 WL
There were two other
passages of the policy one was the “Criminal Acts Exclusion”; the district paid
no attention to it since the jury had already decided. The other was taken care of by the court’s
opinion, so it was not considered further.
It was not really an exclusion, it was implicated by the “underlying
actions.” This matter will be discussed
in the text presently.
[iii] There was also a fascination
issue surrounding DSW’s insurer’s bad faith claim. This paper is about coverage only, and—in any
case—DSW lost on that issue. The
adjustment process was unusual, however, so the potential for bad faith in this
circumstance will be attractive to lawyers representing insureds. I predict that this amorphous attitude will
not only persist but grow, harden, and spread.
[iv] Eyeblaster v . Federal Ins. Co., 613 F.3d 797 (8th Cir.
[v] # 4:13-CV-1574
NAB (E.D.Mo). August 14, 2013).
83 A.3d 664 (Conn. App. January 14, 2014)
Courts appear, so far, to have been reluctant to provide a duty to defend
decision favoring the insured to the extent s/he or it does not cite really
specific facts plausibly indicating that the laptop, etc., actually is damaged
and is part of the point of the case.
I predict that this amorphous attitude
will not only persist but grow, harden, and spread.
is also worth noting that Eyeblasters
was not decided under a CGL policy.