Friday, November 1, 2013

Zurich can't dodge $1M+ liability for credit card hack of insured bank; Court finds fraud coverage impermissibly swallowed by exclusion

(I should note that I wouldn't normally post on a case like this. But, considering that "cyber insurance" is a hot topic, I thought it appropriate given the interesting facts)

In First Bank of Delaware v. Fidelity & Deposit Co. of Maryland, No. N11C-08-221 MMJ (Del. Super. Ct. Oct. 30, 2013), a Delaware court held that Fidelity (now Zurich) could not avoid liability for a hack of its insured (First Bank) that resulted in monetary assessments against the bank (for fraudulent use of the credit cards), brought by Visa and Mastercard. The court found the insurance contract unambiguous, but balked at Fidelity's attempt to construe its insurance contract in a manner that allowed a coverage exclusion to swallow the original grant of coverage. Harking back to my days in insurance law, it is axiomatic that contracts are construed against the drafter. As a result, the superior court's opinion granted First Bank's motion for summary judgment on both of its breach of contract causes of action; Fidelity was found in breach of contract for denying reimbursement for the aforementioned assessments.

The facts, as described by the court:
The primary issue in this case is whether First Bank’s insurance policy provides coverage for losses incurred in connection with a data breach incident. Fidelity issued the D & O SelectPlus Insurance Policy (“Policy”) to First Bank
(that policy, by the way, can be found here: Zurich Private Company Select); continuing:
First Bank had a relationship with a company then known as Transend, LLC (“Transend”) for certain card transactions. Transend had a similar relationship with Data Access Systems (“DAS”). Transend introduced First Bank to DAS. First Bank provided DAS with access to the Visa and MasterCard networks.

First Bank was liable for any losses or expenses caused by its agents under the Visa and MasterCard agreements designating First Bank as a principal member of the networks.

DAS’s web server terminal was hacked on or about May 17, 2008. The hackers gained access to debit card numbers and the corresponding personal identification numbers. Millions of dollars of unauthorized withdrawals were taken from customer accounts as a result of the data breach. DAS hired VeriSign, a computer forensics firm, to investigate the hacking. VeriSign concluded that DAS was not in compliance with PCI DSS, the security standard required by the Visa and MasterCard agreements.
After the breach, First Bank was assessed fees by both Visa and Mastercard which, together, totaled over $1M. First Bank asserted that its policy with Fidelity covered such losses; Fidelity disagreed and denied coverage.

The court proceeds to analyze the insurance contract and the various clauses. Prior to the analysis of "Exclusion M," the outcome looked promising for Fidelity. But, as always, the other shoe dropped. The court:
Section 4 Exclusion M 
Section 4 contains a list of exclusions from coverage. Exclusion M provides that the Insurer shall not be liable for any claim against the insured “based upon or attributable to or arising from the actual or purported fraudulent use by any person or entity of any data or in any credit, debit, charge, access, convenience, customer identification or other card, including, but not limited to the card number.”

Fidelity contends Exclusion M applies and therefore Fidelity is not liable for First Bank’s losses. Fidelity argues that the Visa and MasterCard assessments are excluded from coverage because the assessments arise from the fraudulent use of data by the hackers.

Fidelity argues that there is a meaningful link between the hackers’ fraudulent use of the breached data and the Visa and MasterCard assessments. DAS’s computer system was breached, and the data obtained was fraudulently used to make unauthorized withdrawals. Visa and MasterCard incurred costs associated with this fraudulent use of credit cardholder data. First Bank assumed liability for these costs in its agreements with Visa and MasterCard. Fidelity concludes that the Visa and MasterCard assessments arise from the fraudulent use of data as contemplated by Exclusion M. Therefore, Fidelity is not liable for these losses.

While Fidelity argues that the assessments arose from the fraudulent use of data, First Bank argues that the assessments are based on First Bank’s failure to ensure that DAS was PCI DSS compliant. The Court finds that First Bank’s failure to ensure PCI DSS compliance may qualify as a parallel basis for the assessments. 
Fidelity has met its initial burden of demonstrating that Exclusion M applies. Therefore, the burden shifts back to First Bank to prove that an exception to the exclusion applies. First Bank contends that Exclusion M does not apply because: (1) Exclusion M is unintelligible and ambiguous; and (2) application would render coverage illusory.

The Court finds that Exclusion M is somewhat unclear grammatically. Nevertheless, it is clear that the first half of the clause — “based upon or attributable to or arising from the actual or purported fraudulent use by any person or entity of any data” — is intended to exclude the “fraudulent use” of data, however fraud occurs.

First Bank [also] contends that the application of Exclusion M renders the coverage grant illusory. First Bank argues that coverage for unauthorized use and unauthorized access to data in the definition of “Loss Event” includes claims resulting from the fraudulent use of data. First Bank notes the difficulty of finding an example of unauthorized use or access that does not contain some element of fraud. . . . 
Fidelity asserted at oral argument that “fraudulent,” as used in Exclusion M, is distinct from “unauthorized” in the definition of a Loss Event. Fidelity’s distinction is that “unauthorized” is broader and covers unintentional and mistaken use or access. Fidelity contends that the two provisions can be reconciled to provide coverage for losses resulting from the non-fraudulent unauthorized use of data. . . .
The Court finds that the language in Exclusion M is unambiguous in its attempt to exclude coverage for the fraudulent use of data. The Court finds that Fidelity has met its burden to prove the elements of the exclusion by showing a meaningful link between the fraudulent use of data and the claims at issue. However, when the burden shifts back to First Bank to prove that Exclusion M should not be applied, the Court considers that a grant of coverage should not be swallowed by an exclusion. The principle that a grant of coverage should not be rendered illusory protects the reasonable expectations of the purchaser. 
The Court finds that applying Exclusion M would swallow the coverage granted under Section 4.III(L)(1) for “any unauthorized use of, or unauthorized access to electronic data . . . with a computer system.” It is theoretically possible that an example of non-fraudulent unauthorized use of data exists. However, in the context of this Policy, all unauthorized use could be, to some extent, fraudulent. The abstract possibility of some coverage surviving the fraud exclusion is not sufficient to persuade the Court to apply an exclusion that is almost entirely irreconcilable with the Loss Event coverage.