This new publication, Cyber Claims Insight from Aon Benfield’s Cyber Practice Group, empowers readers with the resources and tools they need to understand the cyber landscape, including legal trends, claims and insurance coverage disputes.

1. Aon Benfield
Cyber Practice Group
Cyber Claims Insight
This new publication, Cyber Claims Insight from Aon Benfield’s Cyber Practice Group,
empowers readers with the resources and tools they need to understand the cyber landscape,
including legal trends, claims and insurance coverage disputes.
Trends in 2016
The Panama Papers
In April 2016, news broke about the Panama
Papers, the largest leak of insider information in
history, involving 11.5 million documents leaked by a
Panamanian law firm to journalists. The documents
implicate politicians, criminals, and celebrities in
sheltering of fortunes in offshore tax havens through
the use of shell companies. More than 100 media
organizations spent a year reviewing leaked files of
data connecting offshore shell companies with
people in multiple countries exposing billions in
assets.
The scandal, and its insurance implications, is still
unfolding, including whether this was a leak or a
hack of the law firm’s email servers.
Data Breach Class Actions
The issue of standing has been a roadblock for data
breach class action lawsuits. On April 14, 2016, in
John Lewert, et al. v. P.F. Chang’s China Bistro,
Inc., the Court of Appeals for the 7
th
Circuit reversed
the District Court’s dismissal of the data breach
class action (based on the lack of standing to sue).
Standing under Article III of the US Constitution is
the ability of a party to bring a lawsuit in court based
upon their stake in the outcome. Citing their own
ruling in 2015 in Remijas v. Neiman Marcus
Group, LLC, the 7
th
Circuit concluded that plaintiffs
who had their credit and debit card data stolen met
the three elements required for standing: 1) Injury:
plaintiff(s) suffered or imminently will suffer injury, 2)
Causation: the injury must be reasonably connected
to the defendant’s conduct, and 3) Redressability: a
favorable court decision must be likely to redress the
injury.
The question remains whether this trend will afford
plaintiffs redress and reimbursement for actual or
potential data breach costs.
Ransomware Attacks
There has been a surge of ransomware attacks on
hospitals in the US with five incidents reported in
recent weeks. Thus far, only one of the five
hospitals, Hollywood Presbyterian (HPMC) in
California has admitted to paying a ransom to unlock
data, while the others resolved the matter by relying
on backup systems. HPMC paid the Bitcoin
equivalent of USD17,000 in February 2016 to regain
control of its mission-critical communications
systems from cyber hostage-takers. The 10-day
intrusion locked employees out of critical electronic
medical record systems in the 434-bed hospital.
HPMC's executives went public about the
ransomware attack to assure the public (and
regulators) that personal healthcare information
(PHI) had not been breached. If patient records had
been exposed, HPMC would have faced fines from
the Department of Health and Human Services for
violations of privacy regulations under HIPAA, as
well as possible patient lawsuits.
Most current breach notification rules would apply
only if PHI had been compromised. Otherwise
extortion payments may not be disclosed. Carriers
will likely be reviewing their insurance wordings in
light of this trend.
First Issue, April 25, 2016
Cyber Practice Group – Cyber Claims Insight – First Issue

2. Aon Benfield
Cyber Practice Group
Email Fraud
One of the hottest trends in cybercrime is spoofed
emails (aka whaling or business email compromise)
– ostensibly from an authorized corporate official –
instructing an employee to transfer funds out of the
company. According to the FBI, an estimated
USD750 million was stolen from more than 7,000
companies in the US between October 2013 and
August 2015. Typically, these schemes motivate
victims to do the dirty work of the fraudsters by
agreeing to wire funds via manipulated emails.
To counter these schemes, the FBI has urged
companies to use two-step or two-factor
authentication for email, where available, and/or
establish other communication channels to verify
significant transactions, particularly international
wires. Some legal experts take the view that lawsuits
seeking cyber insurance coverage for email fraud
losses will fail due to the voluntary approval of wire
transfers by employees as opposed to cases
involving hackers taking over accounts. Does the
fact that the scam occurs by means of email turn the
scam into a “cyber” loss?
One case pending in federal court in Texas
addresses that question. In Ameriforge Group Inc. v.
Federal Ins. Co., filed in January 2016 in Harris
County, Texas, the plaintiff alleges that its insurer
wrongfully denied coverage under a crime policy for
a spoofed email resulting in the unauthorized
transfer of USD480,000 to a bank in China. The
plaintiff seeks coverage under the “computer fraud
coverage” provision arguing that the email directing
the funds transfer was an “unauthorized introduction
of instructions, programmatic or otherwise, which
propagate themselves” through a computer system.
Federal (a division of Chubb) has denied coverage
arguing that this action did not constitute computer
fraud as defined in the policy, i.e., forgery of a
financial instrument.
Beyond ransomware attacks and email fraud, we are
seeing a trend in coverage disputes both under
traditional comprehensive general liability wording
as well as under cyber policies.
Cyber Coverage Disputes
In Travelers Property Casualty Co. of America v
Federal Recovery Services, Inc., a Utah federal
court found the insurer had no duty to defend its
policyholders in the underlying lawsuit due to the
lack of allegations of negligence (as required by the
policy wording). This was the first coverage decision
regarding a standalone cyber insurance policy, in
particular the “Network and Information Security
Liability and Technology Errors and Omissions
Liability” coverage parts of the cyber policy.
Click here to learn more on this case.
In Continental Casualty Co. v. Cottage Health
Systems, Columbia Casualty filed a declaratory
judgment action in federal court in California seeking
a declaration that it was not obligated to cover
Cottage Health, full reimbursement from Cottage
Health of data breach defense costs, and settlement
payments it paid on their behalf under the cyber
policy containing “Privacy Injury Claims” and
“Privacy Regulation Proceedings” coverage parts.
The challenge arose from the “Failure to Follow
Minimum Required Practices Exclusion” wherein
Columbia Casualty alleged that Cottage Health did
not adhere to certain basic security practices. The
case was dismissed based on the ADR clause in the
contract, so no case precedent has been set.
New Hotel Monteleon, LLC v. Certain Underwriters
at Lloyd’s, filed in December 2015 in Orleans Parish,
Louisiana, involves a coverage dispute as well as a
dispute with the placing broker. The insurer argues
that the USD200,000 sublimit provided by a
payment card industry (PCI) fines and penalties
endorsement applies to all claims arising from a
2014 cyberattack in which payment card numbers
were compromised. The insured argues that the full
policy limits of USD3 million should be available to
cover its losses, including fraud recovery,
operational reimbursement, and case management
fees. A trial is pending, and we will report the
decision.
Cyber Practice Group – Cyber Claims Insight – First Issue 2

3. Aon Benfield
Cyber Practice Group
In Certain Underwriters of Lloyd’s v. Wunderland
Group, LLC, filed in December 2015 in Circuit Court
in Cook County, Illinois, the plaintiff underwriters
seek a declaration of no coverage under a cyber,
privacy and media policy for a lawsuit alleging that
two employees misappropriated trade secrets when
they left a competitor to work for the insured. The
competitor’s suit alleged that the two former
employees violated their non-disclosure agreements
by using proprietary information relating to the IT
staffing market. The insured argues the suit should
be covered under a provision covering
“Misappropriation of Trade Secrets” and other
information arising from “Media Content” or “User-
Generated Content.” The DJ action is pending, and
we will report the decision.
A new case filed in April 2016 involves a traditional
CGL policy, specifically “publication” coverage. In
Travelers Indemnity Co. of America v. Portal
Healthcare Solutions LLC, the US Court of Appeals
for the Fourth Circuit, in an unpublished opinion,
affirmed the Virginia district court’s ruling on
publication under the GCL policy. The Fourth Circuit
ruled that “publication” occurs when information is
placed before the public, not when a member of the
public reads the information placed before it, thus
finding that Travelers has a duty to defend the
medical records company Portal against a data
breach class action (alleging that its failure to secure
a server caused records to be accessible to
unauthorized users). The appellate court found the
district court judge had correctly applied the eight
corners rule, comparing the complaint to the CGL
policy language, stating that insurers “must use
language clear enough to avoid…ambiguity” if there
are particular types of coverage that it does not want
to provide.” Carriers will be reviewing their CGL
policies, including exclusions recommended by the
Insurance Services Office (ISO).
Contacts
Bill Henriques
Senior Managing Director, Aon Benfield &
Aon Benfield’s Cyber Practice Group Leader
+1 973 966 3565
William.henriques@aonbenfield.com
Dawn Kristy, JD
Claims Specialist, Aon Benfield, Client Operations &
Aon Benfield’s Cyber Practice Group – Legal Trends
Expert
+1.312.381.5483
dawn.kristy@aonbenfield.com
About Aon Benfield
Aon Benfield, a division of Aon plc (NYSE: AON), is
the world’s leading reinsurance intermediary and
full-service capital advisor. We empower our clients
to better understand, manage and transfer risk
through innovative solutions and personalized
access to all forms of global reinsurance capital
across treaty, facultative and capital markets. As a
trusted advocate, we deliver local reach to the
world’s markets, an unparalleled investment in
innovative analytics, including catastrophe
management, actuarial and rating agency advisory.
Through our professionals’ expertise and
experience, we advise clients in making optimal
capital choices that will empower results and
improve operational effectiveness for their business.
With more than 80 offices in 50 countries, our
worldwide client base has access to the broadest
portfolio of integrated capital solutions and services.
To learn how Aon Benfield helps empower results,
please visit aonbenfield.com.
Cyber Practice Group – Cyber Claims Insight – First Issue 3