1. Information that because of name, number, personal mark, or other identifier could identify a consumer when combined with the consumer’s Social Security number, driver’s license number, financial account number, credit or debit card number, security code or PIN that would permit access to the consumer’s financial account, or biometric records.
2. Information or data, except age or gender, that can be used to identify a particular consumer and that relates to the past, present, or future physical, mental, or behavioral health or condition of any consumer or a member of the consumer’s family; the provision of health care to any consumer; or payment for the provision of health care to any consumer.

• Conduct a Risk Assessment: Conduct risk assessments that identify and mitigate “reasonably foreseeable” internal or external threats to the business and its nonpublic information, including nonpublic information accessible to or held by third-party service providers.
• Implement an Information Security Program: Use the results of the risk assessment to create an information security program. The program must be managed by the board and detail the licensee’s plan for responding to cybersecurity events (an event “resulting in the unauthorized access to, disruption or misuse of, an information system or nonpublic information stored” on an information system).
• Respond to Cybersecurity Events: Conduct a “prompt investigation” of all cybersecurity events and, in most circumstances, notify the Insurance Commissioner, within three business days, of any cybersecurity event that has a “reasonable likelihood” of materially harming a New Hampshire consumer or any material part of the licensee’s normal business operations. This notice must include specific information, including a copy of the licensee’s privacy policy.

The law provides for additional limited exemptions for companies complying with other laws, including the New York Cybersecurity Regulation.

Licensees have one year from the effective date to comply with the risk assessment and information security program requirements, and two years from the effective date to ensure that third-party service providers are implementing appropriate security measures.

We recommend that companies take steps now to assess the applicability of the statute and determine how to best integrate its requirements into existing business practices.

The Underlying Breach: The underlying coverage action between BancInsure and the Bank stemmed from an October 2011 incident in which a hacker gained access to the bank’s network with a “Zeus Trojan horse” virus and fraudulently transferred funds to accounts in Poland, resulting in a $485,000 loss. The hacker was able to gain access because a bank employee inadvertently failed to remove two physical security tokens (which bank employees were required to insert into a computer in order to perform wire transfers via a specialized VPN device provided by the Federal Reserve) after performing a legitimate wire transfer.

Court Ruling: The Eight Circuit agreed with the trial court that an exclusion in the Bank’s financial institution bond for employee-caused losses did not apply based on Minnesota’s concurrent-causation doctrine, which states that when a loss results from multiple risks, some covered and some not covered, the loss is covered unless the excluded risk is the “overriding cause” of the loss. The Eighth Circuit concluded that the overriding cause of the loss was the hacker’s criminal conduct rather than employee negligence, even though the employee’s negligence “played an essential role” in the loss and created a risk of intrusion into the bank’s computer system. The court reasoned that an illegal wire transfer was not a “foreseeable and natural consequence” of the failure to follow proper computer security policies, procedures, and protocols.

The court also rejected BancInsure’s argument that the bond’s exclusions for loss due to the theft of confidential information or mechanical failure of a computer avoided application of the concurrent-causation doctrine, finding that the exclusions’ reference to “indirect” losses was not the type of “clear and specific” language needed to prevent the doctrine’s application.

The Takeaway: The Eighth Circuit’s ruling is a significant victory for policyholders. Fidelity bonds and commercial crime policies commonly exclude “indirect loss.” Insurance carriers frequently argue in disputes regarding such bonds or policies that the negligent actions of the policyholder’s employees converts an otherwise covered loss caused by a third party’s criminal acts into an “indirect,” uncovered loss. The Eighth Circuit’s holding provides policyholders helpful authority to argue that employee negligence does not bar coverage or render an otherwise covered loss uncovered.

Although the decision is favorable to policyholders, there are a number of important caveats. For instance, insurance policy language can vary substantially between carriers, and many commercial crime policies contains specific exclusions for data security breaches. Additionally, the Eighth Circuit recognized that courts will enforce “anti-concurrent causation” provisions where the language is clear and specific.

In an unpublished opinion, a panel of the Fourth Circuit affirmed the Virginia District Court’s August 2014 decision that Travelers Indemnity Co. was obligated to defend Portal Healthcare Solutions in a class action lawsuit pending in New York state court. The underlying class action alleged that Portal failed to secure a server containing confidential records of patients at a New York hospital, leaving the records available to view online for more than four months without a password. Two patients discovered their records online following an internet search, but there was no evidence that any third parties viewed the information.

In looking at the four corners of the complaint and the underlying CGL insurance policy, the Fourth Circuit agreed that the mere availability of the private medical information online constituted “publication” under the CGL policy’s provision providing coverage for “electronic publication” of material regarding a person’s private life, thereby triggering the duty to defend.

Although the decision is favorable to policyholders, there are a number of important caveats. For instance, insurance policy language can vary substantially between carriers, and the unpublished decision is not binding on other courts. Notably, the decision contrasts a 2015 holding by the Connecticut Supreme Court finding that a CGL policy did not cover a loss of computer tapes containing employee personal information when there was no evidence of personal loss, no evidence that any third party ever accessed the information, and thus no “publication” of the information as required by the CGL policy.

In recent years, it has become increasingly difficult for policyholders to secure coverage for data breaches under CGL policies given the continuing trend of “electronic data” exclusions. Moreover, CGL policies often contain express language clarifying that electronic data does not qualify as “tangible property,” a prerequisite for a finding of “property damage” under such policies.

Given that these policy limitations are becoming more prevalent, companies hoping to have coverage in the event of a data breach should evaluate whether their current policy appropriately covers cyber and data breach risks, or whether they may need to obtain a separate cyber liability policy specifically tailored to cover such risks.

Physical damage to a business, such as water damage to a store in Nashville, may not be the only type of loss your property insurance covers. Insurance often also covers loss of business income. For example, if a business was forced to close or stop production because of physical damage to property, the inability to access property, or in response to an evacuation or curfew order, business interruption insurance may help. Business interruption insurance may also cover losses resulting from the closure of an insured company’s key supplier or customer, if that closure caused the insured company to stop or slow production. And that may be true even if the insured company is hundreds of miles away from the physical damage.

For further information about business interruption coverage for losses suffered as a result of the recent volcanic ash, flooding, or oil spill, and tips on how to maximize the chances of insurance recovery, please see the recent advisory prepared by Kelley Drye's Insurance Recovery attorneys.

While coverage disputes in blast faxing cases have historically yielded mixed results, a series of recent rulings have tilted the scales in favor of policyholders. For example, the Florida Supreme Court decided on January 28, 2010 in Penzer v. Transportation Ins. Co., No. SC08-2068, 2010 WL 308043, that a standard CGL policy provided coverage for a suit brought under TCPA for alleged blast fax activities. While other recent decisions have yielded similar results, Penzer is significant because it held that the plain language of the insurance policy compels coverage.

Despite the holding in Penzer, insurers will likely use the lack of unanimity among courts, and the potential for inconsistent results in jurisdictions yet to address the issue, as a basis to deny claims going forward. Policyholders would be well served to not take these denials at face value, but rather should demand the coverage to which they are entitled.

A client advisory prepared by Kelley Drye & Warren LLP’s Insurance Recovery Group summarizes recent coverage decisions regarding blast faxing, including the Penzer decision, and discusses the implications of those cases for policyholders.

However, you may be covered, even if you do not have a "cyber" or "data security" policy. In fact, the label or title on the policy matters little, as Federal had issued a policy impressively titled, “Cybersecurity by Chubb for Financial Institutions,” yet disclaimed coverage. That old standby -- Comprehensive General Liability (better known as "CGL") policies -- may well provide you with the coverage you need to defend litigation arising from a data breach.

Higher premiums, however, are only one of the insurance industry’s reactions to the current financial conditions. Insurers also are instituting more restrictive terms and conditions, lower limits of liability, higher deductibles, and in some cases, specifically tailored exclusions that eliminate coverage for liability resulting from bankruptcy, bank failures, or claims brought by the Federal Deposit Insurance Corporation. In light of these developments, many financial institutions may find it difficult to retain and attract talented directors and officers at the very moment when such leadership is most needed. In fact, this current talent drain is a continuation of a trend that began in 2002 with the passage of the Sarbanes-Oxley Act.

One factor impacting rates and the availability of D&O insurance is the uncertainty surrounding AIG’s financial condition and future viability. AIG has long been the dominant underwriter of D&O insurance. As banks turn away from AIG for their D&O coverage, they are not finding the competition for their business that one might expect when an industry leader appears vulnerable. On the contrary, banks are facing a shrinking D&O market as several smaller carriers have decided to stop underwriting such coverage, especially for banks and other financial institutions, because the premiums are no longer perceived as worth the potential risk. In turn, those smaller insurers’ withdrawal from the market should only exacerbate the rate at which D&O insurance premiums increase in the ensuing months and years.

Faced with higher premiums for less D&O coverage, companies and their directors and officers should aggressively negotiate the most favorable coverage for their money. To that end, when negotiating new policies or renewals, they should carefully gauge their risk and exposure, and closely review proposed D&O policies, including exclusions, for provisions that could potentially eliminate coverage. If the proposed coverage is insufficient, or if sufficient coverage is only available at unreasonable rates, policyholders should consider alternative ways to maximize coverage and/or minimize risk going forward.

If you answered E, “All of the above,” you are CORRECT. However, many companies do not realize their businesses are subject to consumer financial services laws. Consequently, their businesses may not be compliant and may be subject to litigation risk.

The focus of the Consumer Finance Law Blog is to keep – all on one site – traditional and non-traditional financial service providers subject to consumer financial services laws abreast of recent developments in:

• State consumer protection statutes and regulations
• State privacy statutes
• Privacy and consumer protection litigation
• Card Association Rules
• Equal Credit Opportunity Act
• Electronic Funds Transfer Act
• Fair Credit Reporting Act
• Fair Credit Transactions Act
• Fair Debt Collection Practices Act
• Payment Card Industry Data Security Standard
• State Money Transmitter Statutes
• State Retail Installment Sales Act
• State and Federal Unfair and Deceptive Trade Practices Acts
• TILA, RESPA, and related federal and state consumer disclosure and notice requirements
• Insurance coverage issues
• Legislation that may impact company compliance or create new litigation risk.

We welcome you and hope that you find our posts interesting, educational, and thought provoking. We also welcome your feedback and invite you to suggest topics or recent decisions of interest that you would like us to address.