The Brief Case: DRI Committee News

Cybersecurity and Data Privacy: Data and Security Dispatch

Emerging Class Action Risk: Does Use of Online Session Replay and Chat Features = Wiretapping?  

By Laura Clark Fey and Will Davis

A wave of U.S. privacy litigation is targeting corporate usage of online session replay and chat features. The plaintiffs filing session replay and online chat class actions are alleging that use of such technologies violates wiretapping laws because users’ interactions and chat communications are being intercepted, used, and/or disclosed without their prior consent.  

Session replay technologies can record website/mobile application users’ interactions with a website or mobile application. Data is often captured about a user’s clicks, mouse/screen scrolling, keystrokes, searches, and more. After the data is collected, a company and/or its third-party vendor can “replay” the user’s website/application “session” utilizing such data to better understand the user’s browsing behavior and habits on the company’s site.  

Online/mobile chat features enable companies to communicate directly with their website/application users via chat boxes. It is common practice for companies to utilize chatbots to gather initial information from users and then to either connect users to a live customer service representative or have the chatbot answer users’ questions directly. 

Plaintiffs’ lawyers have started to employ website “testers” to: (1) browse through targeted corporate websites/applications; and/or (2) communicate with a chat host via targeted corporate chat features. If a “tester” concludes  that a company is allowing a third-party vendor to intercept, use, and/or disclose  the tester’s website/application interactions or chat communications without the tester’s consent, plaintiffs’ lawyers file a lawsuit against the company and/or its third-party vendor alleging that users’ interactions with the website/application and/or the tester’s online chat communications are being intercepted, used, and/or disclosed in direct contravention of a wiretapping statute. Such violations can expose a company to both civil and criminal liability.  

Overview of Wiretapping Law   

There are wiretapping statutes at both the federal and state level. In 1967, the United States Supreme Court, in two separate decisions, found that a person’s Fourth Amendment right (i.e., the right against unreasonable searches and seizures) protects against the interception of a person’s communications when the person has a “reasonable expectation of privacy.” See Katz v. United States, 389 U.S. 347 (1967); Berger v. New York, 388 U.S. 41 (1967). In 1968, in direct response to these Supreme Court decisions and increased Congressional interest in the amount of wiretapping being performed by government agencies and private individuals, Title III of the Omnibus Crime Control and Safe Street Act (the “Wiretap Act”) was passed into law. The Wiretap Act originally protected against only “oral” and “written” communications.  In 1986, Congress enacted the Electronic Communications Privacy Act (the “ECPA”) in order to supplement the Wiretap Act with additional protection against “electronic” wiretapping. The ECPA requires only one party to the communication to provide consent before the communication can be intercepted, used, and/or disclosed.  

Many states began enacting wiretapping statutes around the same time or after the original Wiretap Act was enacted. Almost all states currently have wiretapping statutes in place.  Most state statutes require the consent of only one party before a communication can be intercepted, used, and/or disclosed.  However, there are states that require “all-party consent.” 

Not surprisingly, the majority of session replay and chat technology cases filed to date are being filed in states with “all-party consent” wiretapping laws, including, but not limited to, laws in California (the California Invasion of Privacy Act (“CIPA”)), Pennsylvania (the Wiretapping and Electronic Surveillance Control Act (“WESCA”)), and Florida (the Florida Security and Communications Act).  It is worth noting, however, that there have been some cases filed under one-party consent wiretapping laws (see e.g., Balanzar v. HP Inc., No. 3:22-cv-02030 (S.D. Cal. Dec. 22, 2022); Tucker v. Cabela’s, LLC, No. 6:22-cv-3288 (W.D. Mo. Nov. 9, 2022)).  

Wiretapping statutes generally provide for a civil cause of action as a remedy against those who illegally intercept, use, and/or disclose a communication while in transit. Plaintiffs’ lawyers have been creative in using wiretapping laws as a vehicle for bringing claims falling well outside of the original purpose of such laws (i.e., protecting against unconstitutionally obtained criminal admissions). Because many of the wiretapping statutes have an “aiding and abetting” provision (or similar type of provision), plaintiffs’ lawyers have been suing not only the company’s third-party technology vendor (i.e., the interceptor), but also the company that owns the website/application (i.e., the abettor). 

These cases are particularly attractive to plaintiffs’ lawyers because plaintiffs do not have to prove actual damages in order to recover damages. If a defendant intercepts, uses, and/or discloses a plaintiff’s communications without the plaintiffs’ consent, wiretapping statutes generally provide plaintiffs with a right to statutory damages (e.g., $5,000 per violation under CIPA).  

A Brief History of Session Replay and Online Chat Feature Litigation 

Beginning in 2018 and continuing into 2020, the first wave of session replay lawsuits were filed in California, Pennsylvania, and Florida courts.  In this first wave, plaintiffs alleged that the use of session replay technology to track website users’ interaction behavior was a violation of applicable state wiretapping law. Many of the first wave  cases were dismissed based on one or more of the following reasons: (1) website browsing is not a “communication” that can be intercepted, used, and/or disclosed; (2) third-party vendors cannot “intercept” a user’s “communication” from website browsing because the third-party vendor is an actual “party” to that “communication;” or (3) users do not have a reasonable expectation of privacy when browsing on a website.  The total number of session replay lawsuits began to die down by the fall of 2021.  

However, beginning in the spring of 2022, two United States Court of Appeals’ decisions opened the door for a new wave of session replay lawsuits. First, in May of 2022, Javier v. Assurance IQ, LLC, No. 21-16351, 2022 WL 1744107 (9th Cir. May 31, 2022) was decided. In this case, the United States Court of Appeals for the Ninth Circuit found that: (a) California’s wiretapping law, CIPA, is applicable to usage of session replay technologies; and (b) companies using session replay technologies must obtain a website users’ consent prior to recording the contents of any website user’s communications. Id. at *2. 

Then, in August of 2022, the United States Court of Appeals for the Third Circuit followed Javier with a similar decision in the context of Pennsylvania’s WESCA. In this case, the Third Circuit vacated the district court’s granting of summary judgment in favor of the defendant. Popa v. Harriet Carter Gifts, Inc., 45 F.4th 687, 690-91 (3rd Cir. 2022). In overturning the district court, the Third Circuit found that: (a) WESCA applies to the usage of session replay technologies; and (b) third-party session replay vendors are deemed to be “intercepting” a plaintiff’s communications with a website under WESCA even if such communications are directly routed to a company’s third-party vendor’s own servers. Id. at 692-95. The Third Circuit rejected the Defendant’s argument that a third-party vendor intercepting a user’s interactions in live time is a “party” to the communication, and thus, there can be no liability for wiretapping. Id. at 695. The Third Circuit also re-enforced the decision in Javier that prior consent by a website user is required before any communications may be intercepted by a company’s third-party vendor. Id. at 698-99.   

Status of Session Replay and Chat Communication Litigation  

The Javier and Popa decisions resurrected the session replay cases. Opportunistic class action lawyers have also been filing lawsuits alleging that the interception, use, and/or disclosure of online chat communications without users’ prior consent violates wiretapping laws. A slew of additional session replay and new online chat communications lawsuits were filed in late 2022 and early 2023. Many of these newly filed cases are still pending, but they are in the early stages of litigation.  It is noteworthy, however, that at least one court has denied a defendant’s motion to dismiss a CIPA claim in an online chat context (i.e., finding that plaintiff sufficiently pled a claim under CIPA alleging that defendant intercepted plaintiff’s online chat conversations in real time). See Byars v. Goodyear Tire and Rubber Co., 2023 WL 1788553 at *4 (C.D. Cal. Feb. 3, 2023).  Because testers are continuing to check out corporate websites for potential new targets, it is important for corporate leaders to consider actions they could take now that would reduce the risk that their company will become the next target of session replay or online chat communication class action litigation.  

Actions Corporations Can Take to Reduce their Risk of Becoming the Next Target  

We are highlighting below actions you may want to take to minimize the risk of your company becoming the next target of a session replay and/or online chat communication class action lawsuit: 

1. Develop a Thorough Understanding of Website/Application Technologies. Identify and analyze the technologies utilized on your corporate website[s] and application[s], including but not limited to session replay and online chat features. Consider potential class action risks posed by usage of such technologies, including risks of violating wiretapping laws or other laws that are currently being used as a vehicle for class action litigation targeting website and application technology practices, such as the Video Privacy Protection Act (VPPA).   

2. Update Your Company’s Privacy Policy, as Necessary. Review your company’s privacy policy to confirm you are providing an accurate and complete privacy notice, in accordance with applicable laws, that covers, along with all other required information, all personal information collection, usage, disclosure, and storage practices, including, with respect to all website/application technologies.  Update your company’s privacy policy as necessary. 

3. Update Your Company’s Terms of Use, as Necessary.  Review your company’s website and/or application terms of use.  Identify opportunities to strengthen the terms of use, including but not limited to incorporating an arbitration clause and a class action waiver clause.

4. Obtain a Users’ Express Consent Prior to Their First Website/Application Interaction or Chat Communication.  Obtain express consent from users before any personal information is collected for session replay purposes. If your company has an online/mobile chat feature, obtain separate express consent from users prior to permitting users to communicate with a chatbot or chat representative.   

5. Properly Manage Consent. Manage consent processes.  This includes not only obtaining and tracking the original collection of consent, but also permitting and tracking withdrawals of consent.  Consider utilizing reliable consent management platforms to help manage consent.  Retain consent records for the timeframe in which your company may be required to prove that a user’s consent was, in fact, received. 

6. Enter into Appropriate Agreements with Third-Party Vendors. Enter into appropriate agreements with third-party vendors providing session replay and/or chat-related services. Confirm legal obligations are appropriately placed on the correct party.  For example, consider whether it makes sense to place the obligation to obtain users’ consent on the third-party vendor.   Also, confirm that liability and indemnity clauses are written in an appropriately protective manner. 

7.  Monitor Class Action Litigation Developments. Finally, as this latest wave of class action litigation moves forward, we recommend that you continue to monitor wiretapping case developments.   

Laura Clark Fey, current chair of DRI’s Electronic Privacy Working Group and one of the first twenty-seven U.S. attorneys recognized as Privacy Law Specialists through the International Association of Privacy Professionals (IAPP), leads Fey LLC, a global data privacy and information governance law firm. She and her team help multinational and U.S. organizations develop and implement practical solutions to their unique data privacy and information governance challenges. Laura is the former Chair of DRI’s Cybersecurity and Data Privacy Committee.  Laura also is a member of the inaugural class of IAPP Fellows of Information Privacy (FIP), a Certified U.S. and European Privacy Professional (CIPP US/E), and a Certified Information Privacy Manager (CIPM). The U.S. Department of Commerce and the European Commission selected her as an arbitrator in connection with the former E.U.-U.S. Privacy Shield Framework Binding Arbitration Program. Laura, who is also an IADC member, teaches Global Data Protection Law at the University of Kansas School of Law.  She has also taught International Issues at Baylor Law School. Email: lfey@feyllc.com.

Will Davis is an associate attorney at Fey LLC. Will assists Fey LLC clients in addressing a wide variety of global privacy, information security, and information governance challenges. He is an IAPP certified U.S. and European Information Privacy Professional (CIPP/US/E) and an IAPP Certified Information Privacy Manager (CIPM).  Will has also received the ACEDS eDiscovery Executive Certificate (eDEx).  Email: wdavis@feyllc.com.  

The authors would like to extend a special thank you to Blake Lines, Privacy Analyst at Fey LLC, for his contributions to this article. 

Interested in joining the Cybersecurity and Data Privacy Committee? Click here for more information.

Insurance Law: Covered Events

Leadership Note - Advertising Injury and Personal Injury SLG 

By Daniel I. Graham, Jr.

Edited by Allyson L. Moore, Associate at Sulloway & Hollis

Daniel I. Graham, Jr. is a partner at Nicolaides Fink Thorpe Michaelides Sullivan. He is Chair of the Advertising Injury and Personal Injury Subcommittee.

Leadership Note - DRI’s Personal Lines Substantive Law Group 

By Laurie C. Barbe

Edited by Allyson L. Moore, Associate at Sulloway & Hollis

And the Academy Award Goes to. . . 

By Laurie C. Barbe

Edited by Allyson L. Moore, Associate at Sulloway & Hollis

When insurance policies were first sold centuries ago (think London coffeehouses and meetings among merchants and ship owners), no one likely knew how much entertainment value they would later have. And while those early policies were designed to further the concept of beneficial risk spreading and personal protection, movies have sometimes portrayed insurance as something more sinister. This article will discuss a few of those movies and how insurance played a role, both big and small, and how the characters in them ranged from shysters to heroes. See Daniel Williams, 25 of the Best Insurance Movies, PropertyCasualty360 (Nov. 4, 2015), https://www.propertycasualty360.com/2015/11/04/25-of-the-best-insurance-movies/?slreturn=20 230215135543; https://www.insurdinary.ca/7-epic-movies-about-insurance.   

Many are familiar with the box office hit movie The Rainmaker (1997), in which a very young Matt Damon (playing the role of a very young and very driven lawyer named Rudy) took on a corrupt insurance company (with a team of its own lawyers) after it refused to pay a medical claim. The insurance company could have been any business for that matter because Rudy was driven to right what he believed were several wrongs (the judicial system also took a hit) and perhaps save someone’s life. As the underdog, Rudy recognized and accepted the risks associated with challenging the insurance company and, in the end, carried the day. Oh, to be a fly on the wall if Rudy and Erin Brockovich were to ever meet. Contrast the storyline in The Rainmaker with the heartwarming romantic comedy Along Came Polly (2004), about a risk-averse life insurance salesman named Reuben (Ben Stiller). Unlike Rudy or the industry for which he worked, Reuben had to be convinced to take risks in order to win over a girl (Jennifer Aniston).    

Going back a few years is a movie called Alias Jesse James (1959), about Jesse James and an insurance salesman (Bob Hope) who unknowingly sold a life insurance policy to Jesse. With all of the classic western movie features and a comic twist, this one takes you on the run with Jesse as the salesman tries to “protect” the insurer’s investment while avoiding Jesse’s underhanded attempts to fake his own death and collect on his investment. Courts may have been on Jesse’s side if doubts ever arose over the cause of his death. “[W]hen death happens under circumstances which make it doubtful whether it was caused by accident or suicide, the presumption is that it was accidental; and this presumption is sufficient, in the absence of evidence to the contrary, to sustain the burden of proof as to accidental death.” Jefferson Standard Life Ins. Co. v. Clemmer, 79 F.2d 724, 728 (4th Cir.1935).  Keeping it in the way back machine is The Killers (1946), starring Burt Lancaster and Ava Gardner. This time an insurance investigator was tasked with tracking down a murdered man’s life insurance beneficiaries and, in the process, unraveled the dead man’s past that included hitmen, double-crossing mobsters, a set fire, lies, cheating, and a deathbed confession–– all in an effort to pay a $2,500 policy benefit!  

Another movie with a similar storyline to The Rainmaker (in that it involved the denial of medical benefits) is John Q (2002), starring Denzel Washington. This movie delves deep into the health care system and follows a father’s desperate efforts to obtain life-saving heart surgery for his son. One can easily see the many sides of the antagonistic dispute between private insurance, federal plans, and personal finances that continues today. As an aside, New Line Cinema and Time Warner were sued, unsuccessfully, for copyright infringement by a man who claimed that he had written a screenplay “which derived from his experience with his sick child, who required serious heart surgery to avoid death at a time when [the man] did not have insurance to pay for it.” Tillman v. New Line Cinema Corp., 2008 WL 687222 (N.D. Ill. 2008), aff’d 295 Fed. Appx. 840 (7th Cir. 2008). Contrast that medical saga with The Fortune Cookie (1966), where Harry Hinkle (Jack Lemmon) and his attorney, Whiplash Willie Gingrich (Walter Matthau), concocted a fraudulent and deceptive plan to sue CBS, the NFL, and the Cleveland Browns for fake injuries so that Hinkle could obtain an insurance settlement and win back his ex-wife. Conflicting medical evidence, shots of Novocain, a crooked attorney, and misinformation were all part of Hinkle’s plan to pressure the insurance company into a settlement. Fortunately, a private detective hired to conduct surveillance and a guilt-ridden Hinkle eventually exposed the fraud.  

Insurance is not just for the protection of cars, homes, merchants, businesses, and lives. It is what movies are made of and what makes people do just about anything for money, whether deservedly or not. So, grab your popcorn, turn on a movie, and read your insurance policies during the commercials. Those policies just might provide you with some context for your movie. 

For a quick history lesson on insurance in America, take a look at “The History of Insurance in America” by Andrew Beattie at https://www.investopedia.com/articles/financial-theory/08/ american-insurance.asp 

Laurie C. Barbe of Steptoe & Johnson PLLC represents insurance companies in response to first- and third-party insurance claims and defends individuals and businesses in claims involving personal injury, wrongful death, products liability and property damage. She has also been involved in appellate proceedings before the Supreme Court of Appeals of West Virginia and the United States Court of Appeals for the Fourth Circuit. She is co-leader of the firm's Insurance Company Team. 

Interested in joining the Insurance Law Committee? Click here for more information.

Insurance Law: Covered Events (Cont.) 

Lessons Learned from the Rust Shooting: What the Interpretation of the Term “Each” or “Per Occurrence” Means for the Defendants Named in the Numerous Rust-Related Lawsuits   

By Taylor J. Kennedy 

Edited by Allyson L. Moore, Associate at Sulloway & Hollis

On October 21, 2021, Alec Baldwin rehearsed a scene for the movie Rust in Santa Fe, New Mexico. The scene involved pointing what was believed to be a cold prop gun at the camera. Haley Yamada & Andrea Amiel, On-Set Prop Gun Supervisor Walks Through Safety Procedures, Industry Standards, ABC News (Oct. 26, 2021), https://abcnews.go.com/Entertainment/set-prop-gun-supervisor-walks-safety-procedures-industry/story?id=80780487 (a cold gun is an unloaded gun).  While pointing the weapon at the camera, the gun discharged, striking cinematographer Halyna Hutchins and film director Joel Souza. Hutchins and Souza were taken to the hospital, where Hutchins succumbed to her injuries. Souza was released from the hospital the next day. What to Know About the Fatal Shooting on Alec Baldwin’s ‘Rust’ Movie Set, N.Y. Times (Feb 23, 2023), https://www.nytimes.com/article/alec-baldwin-shooting-investigation.html. 

Within days of Hutchins’ passing, several news outlets began speculating on the legal ramifications of the shooting and the production company’s insurance coverage. Rust’s Certificate of Liability Insurance shows that the production company obtained one million dollars in coverage under its general liability policy and five million dollars in coverage under its umbrella policy. Accord Certificate of Liability Insurance for Rust Movie Productions LLC. Assuming what has been reported is correct and that, for the sake of this article, insurance policies from other production companies involved in Rust’s filming do not cover this incident, there is a total of six million dollars in coverage available for each occurrence.  

Given the severity of the injuries associated with the shooting, news outlets predicted that there would be multiple lawsuits reaching a total in excess of the policy limits. See, e.g., Anthony McCartney, Stefanie Dazio & Lindsey Bahr, Legal, Insurance, Safety Issues Swirl Around ‘Rust’ Movie Set Shooting, Ins. J. (Oct. 28, 2021), https://www.insurancejournal.com/ news/national/2021/10/28/639522.htm; ‘Rust’ Movie Set Shooting Likely to Prompt Major Lawsuits, Experts Say, Burns & Wilcox (Nov. 10, 2021), https://www.burnsandwilcox.com/ insights/rust-movie-set-shooting-likely-to-prompt-major-lawsuits-experts-say/; ‘Rust’ Movie Set Shooting Will Cost Insurance Company Millions, Southern Md. Chronicle (Nov. 15, 2021), https://southernmarylandchronicle.com/2021/11/15/rust-movie-set-shooting-will-cost-insurance-company-millions/. It was further reported that the incident would cost the insurance company millions. ‘Rust’ Movie Set Shooting Will Cost Insurance Company Millions, supra. 

The term/phrase “each/per occurrence” in the production company’s policies is particularly important because multiple injuries and claims are associated with the shooting. Marco Della Cava, Alec Baldwin Hit with Another ‘Rust’ Lawsuit: What we Know about all the Legal Challenges, USA Today (Feb. 28, 2023), https://www.usatoday.com/story/entertainment/movies/ 2023/02/28/alec-baldwin-rust-shooting-lawsuits-timeline/11367460002/. “Each” or “per occurrence” refers to a single “occurrence” or “accident.” What constitutes a single “occurrence” within the meaning of the policy differs depending on the facts and the jurisdiction. 

Courts have defined a single occurrence or an accident in three different ways. The majority approach states “that to determine whether there is a single or multiple occurrence or accident within the meaning of the policy limits clause of a liability policy, one must look to the cause or causes of the accident or occurrence.” Michael P. Sullivan, What Constitutes Single Accident or Occurrence within Liability Policy Limiting Insurer’s Liability to a Specified Amount per Accident or Occurrence, 64 A.L.R. 4th. 688 (1988). This approach is commonly referred to as the cause theory.  

Another approach courts use states “that the phrase ‘per occurrence’ in a limitation of liability clause in a liability policy refers, not to the cause of the occurrence nor to the effect of the occurrence, but to the event which triggered liability, that is, the act or acts of the insured which subjected it to liability.” Id. This approach is commonly referred to as the event theory.

At least two courts use the third approach, i.e., the effect theory. Under the effect theory approach, the term “per occurrence refers to the effect of the accident or occurrence, thus making the entire policy limits available to each injured or damaged party.” Id. 

Six civil suits arising from the Rust shooting have been filed. Of the six suits filed, only one has been settled-- the wrongful death suit brought by Matthew Hutchins, and that suit resolved for an undisclosed amount. Marco Della Cava, Alec Baldwin Hit with Another ‘Rust’ Lawsuit: What we Know about all the Legal Challenges, USA Today (Feb. 28, 2023), https://www.usatoday.com/story/entertainment/movies/2023/02/28/alec-baldwin-rust-shooting-lawsuits-timeline/11367460002/. The six lawsuits have been filed in both New Mexico and California and there are nine plaintiffs. All nine plaintiffs claim that they have suffered personal injury as a result of the shooting and cite numerous acts of negligence. 

California defines per occurrence under the majority approach––the cause theory. Westport Insurance Corporation v. California Casualty Management Co., 249 F. Supp. 3d 1164 (N.D. Cal. 2017), judgment corrected on other grounds, 2017 WL 2335374 (N.D. Cal. 2017) (applying California law) (Under California law, the term “occurrence” under an insurance policy is defined by the event or events that caused the injury rather than the injury itself. New Mexico appears not to have adopted an approach for determining what constitutes a single occurrence under an insurance policy). However, New Mexico courts have interpreted the term “single occurrence” under their Torts Claims Act. Folz v. State, 797 P.2d 246, 254 (N.M. 1990) (There is a single occurrence under the New Mexico Torts Claim Act when a series of acts and/or omissions contribute to a unitary risk and only one triggering event occurred giving rise to liability). That “single occurrence” interpretation aligns closely with the liability-triggering event theory approach.   

Under California law, there is a single occurrence where there is one proximate, uninterrupted, and continuing cause that resulted in all the injuries and damages. State v. Continental Ins. Co., 169 Cal. App. 4th 1114, 88 Cal. Rptr. 3d 288 (4th Dist. 2009), as modified on denial of reh’g, 2009 WL 189551 (Cal. App. 4th Dist. 2009), review filed, (Feb. 13, 2009) (Pursuant to the cause test, there is a single occurrence under a liability policy when there is one proximate, uninterrupted, and continuing cause which resulted in all the injuries and damages).  While the Rust shooting plaintiffs allege numerous acts and omissions caused the shooting, plaintiffs’ claimed injuries resulted from the single discharge of a loaded gun. Thus, there is likely only one occurrence in accordance with the cause theory approach.  

Under the liability trigger event theory approach, which most closely aligns with New Mexico law, the numerous acts and omissions plaintiffs claim caused the shooting are not considered. There is only one liability-triggering event, the accidental discharge of a weapon on set. Under this approach, there is likely only one occurrence.  

As stated previously, six million dollars is available under the production company’s two insurance policies for an “occurrence.” Assuming the five remaining suits result in judgments for the plaintiffs, the plaintiffs’ judgments may exceed the six-million-dollar policy limit. If that occurs, the named defendants found liable to the plaintiffs are at risk of being held financially responsible for any remaining uninsured damages.  

Halyna Hutchins’ death highlights the importance of comprehensive coverage. As productions get larger and the stunts associated with them get riskier, the risk of injury or death on set continues to increase. Matt Stiles & Anousha Sakoui, Film Set Fatalities Rise in Last Decade as Production Booms, LA Times (Nov. 4, 2021), https://www.latimes.com/entertainment-arts/business/story/2021-11-04/film-set-fatalities-jump-in-last-decade-as-a-production-booms. Obtaining comprehensive insurance coverage for a film is essential to protect the film’s employees, independent contractors, producers, investors, and the production itself.  

Insurance And Information Security Culture: Professional Liability Insurance Coverage Lacking for Social Engineering Attacks Committed by Third Parties

By Brian Bassett and Danielle Kegley 

Edited by Allyson L. Moore, Associate at Sulloway & Hollis

It is widely reported that the frequency as well as the costs flowing from social engineering attacks on companies and other organizations are at an all-time high. Who bears these costs? Impacted policyholders that provide professional services may look to their professional liability insurers for coverage of these losses.  

Professional liability policies, however, generally only provide coverage for those risks that are inherent in the practice of the insured’s professional services.  In evaluating coverage for social engineering attacks, professional liability carriers should not only look to the language in their policies’ insuring agreements, but exclusions that are frequently found in such policies.    

What Are Social Engineering Attacks? 

Social engineering attacks typically involve third-party actors trying to “hack” the people within organizations using psychological manipulation and relying on human error to extract confidential information for a big payday. What is Social Engineering? Attacks and Prevention, Crowdstrike (Aug. 18, 2022), https://www.crowdstrike.com/cybersecurity-101/social-engineering-attacks/. Phishing, SMSishing, spear phishing, baiting, quid pro quo, pretexting, tailgating—these are all types of social engineering attacks committed by third parties.

These attacks use various media, such as emails, websites, SMS or video to induce individuals to act and disclose confidential information. These often appear to be from an outside entity, such as a bank, delivery or government agency, or from an internal department within the target’s own company, such as human resources, information technology or finance. Id.  

Fraudsters then use confidential information obtained from the attack in order to divert funds from these companies and/or their clients. This article focuses on “phishing” attacks. One example of a “phishing” attack involves the situation wherein a third-party hacks an employee’s email account and then sends spoofed emails with fake invoices to the company’s clients to divert funds. Once the funds have been diverted, the victim companies are then exposed to claims by their clients, for example, with no opportunity for recovery against the fraudster.  

Professional Liability Policies Should Not Cover the Diverted Funds and Associated Costs of Social Engineering Attacks

Professional liability carriers evaluating coverage for claims involving social engineering attacks, like the ones described above, should first consider whether these claims fall within the insuring agreements of the relevant policies by satisfying the definition of “professional services.” Insurers should then also evaluate whether such claims are also excluded by theft or misappropriation exclusions.  

These Claims Do Not Involve an Insured’s “Professional Services”

Courts generally recognize that professional liability policies do not afford coverage where the alleged acts do not arise out of the rendering or failure to render covered professional services. See, e.g., 7A John Appleman, Insurance Law & Practice § 4504.01, at 310 (Bender rev. ed. 1979). Thus, the main question is whether there is a wrongful act arising out of the insured company’s covered “professional services.” In the example of a third-party sending spoofed emails with fake invoices to a company’s clients through a hijacked employee’s email account, the act at issue (i.e., sending fake invoices to the insured company’s clients) arose from an act of a third-party, such that it could not involve the insured company’s “professional services.”  

Circumstances may arise, however, when an insured is sued and faces claims that it acted negligently in preventing the attack. In that scenario, the focus is on whether the negligent act of the insured involved the rendering of its “professional services.” See, e.g., Mut. Assurance Adm'rs v. United States Risk Underwriters, 993 P.2d 795 (Okla. Ct. App. 1999) (finding no coverage because the alleged acts were not of those wrongful acts contemplated by the professional liability policy). As discussed below, insurance companies have a strong argument that such acts do not, in fact, involve an insured’s rendering of “professional services.”

It is a generally accepted principle of professional liability coverage law that not every action professionals take in the course of providing professional services are “professional services.” Rather, an act will only constitute a “professional service” when the professional utilizes his or her professional knowledge, experience, and training in taking some action. See Gulf Coast Env't Sys., LLC v. Am. Safety Indem. Co., No. 4:13-CV-539, 2015 U.S. Dist. LEXIS 75551 (S.D. Tex. June 11, 2015); First Mercury Ins. Co. v. Shawmut Woodworking & Supply, Inc., 48 F. Supp. 3d 158, 174-75 (D. Conn. 2014); Gen. Ins. Co. of Am. v. City of New York, No. 04 CIV. 8946 (JCF), 2005 U.S. Dist. LEXIS 35864 (S.D.N.Y. Dec. 23, 2005); Food Pro Intl., Inc. v. Farmers Ins. Exch., 169 Cal. App. 4th 976, 991 (2008); S.T. Hudson Engineers, Inc. v. Pennsylvania Nat'l Mut. Cas. Co., 909 A.2d 1156, 1165–66 (N.J. Super. Ct. App. Div. 2006); Am. Nat’l Prop. & Cas. Co. v. Select Mgmt. Grp., LLC, 528 F. Supp. 3d 1188, 1198–99 (N.D. Okla. 2021); Penn. Nat’l Mut. Cas. Ins. Co. v. Roberts Bros., 550 F. Supp. 2d 1295, 1306–08 (S.D. Ala. 2008); St. Paul Fire & Marine Ins. Co. v. Era Oxford Realty Co. Greystone, LLC, 572 F.3d 893, 899 (11th Cir. 2009).   

Consider, for instance, a law firm facing claims of negligence in failing to prevent an unknown third-party from hacking its email system and providing fraudulent wire transfer instructions to a client. Insureds generally have the burden of proving a policy provides coverage for a claim.  Therefore, the law firm in this scenario would need to prove that the deficiencies in its internal security systems leading to the business email compromise involved the professional knowledge, experience, or training of lawyers. Finding that such actions constitute “professional services” would improperly expand professional liability coverage beyond its intended scope and provide coverage for all aspects of an insured’s business operations.  

Next, contrast that situation to one where there is a physical break in into a law firm’s brick and mortar office. During the break in, the attacker replaced an authentic physical check to a client with a fraudulent one. After processing the fraudulent check, the law firm is then sued by a client for negligently permitting the theft to occur and negligently retaining a security company to protect its premises. Under this scenario, it seems a little clearer that the underlying loss would not arise from the performance of “professional services” as a lawyer. Rather, it would arise from the law firm’s failures in keeping its premises safe from intruders.  

Professional liability policies only provide coverage for claims arising from an insured’s “professional services,” and are not meant to function as commercial crime or cyber policies, which are expressly designed to respond to such claims. Professional liability policies are also not underwritten to provide coverage for all aspects of an insured’s business. Insurance companies, therefore, have a strong argument that coverage does not exist for social engineering attacks under a professional liability policy.   

Application of Theft or Misappropriation Exclusions

When evaluating coverage for social engineering claims, professional liability carriers should also consider the application of theft or misappropriation of funds exclusions. Such exclusions typically preclude coverage for claims arising out of the actual or alleged theft, stealing, conversion, commingling, embezzlement or misappropriation of funds or monies.

Recently, courts have enforced these types of exclusions and held that they preclude coverage for theft or misappropriation of funds caused by social engineering schemes or attacks. See Authentic Title Servs. v. Greenwich Ins. Co., No. 18-4131 (KSH) (CLW), 2020 U.S. Dist. LEXIS 215018, at *14–15 (D.N.J. Nov. 17, 2020) (exclusion for any claim “based upon or arising out of . . . the commingling, improper use, theft, stealing, conversion, embezzlement or misappropriation of funds or accounts” barred coverage for a title insurance agent’s loss of more than $480,000 after the agent was tricked into sending the funds to a fraudster posing as an employee of a mortgage lender); Attorneys Liab. Prot. Soc’y, Inc. v. Whittington Law Assocs. PLLC, 961 F. Supp. 2d 367 (D.N.H 2013) (exclusion for claims arising out of “[a]ny conversion, misappropriation or improper commingling by an person of client or trust account funds or property” precluded coverage for an underlying loss against an insured law firm due to a Nigerian check scam in which the insured was fraudulently induced to deposit a check into the insured’s bank account and then wire the majority of the funds to a foreign bank); Landmark Am. Ins. Co. v. Esters, No. 2:20-CV-1263, 2022 U.S. Dist. LEXIS 97119, at *14 (W.D. La. May 3, 2022) (exclusion for “commingling, conversion, misappropriation or defalcation of funds or other property, or the inability or failure to pay, collect, disburse, or safeguard any funds held by an Insured” applied to “theft claims” but not to “non-theft claims” alleged); Res. Real Estate Servs., LLC v. Evanston Ins. Co., No. CV GLR-16-168, 2017 WL 660800, at *1 (D. Md. Feb. 17, 2017) (exclusion for claims “arising out of any actual or alleged conversion, misappropriation, commingling, defalcation, theft, disappearance, [or] insufficiency in the amount of escrow funds, monies, monetary proceeds, funds or property, or any other assets, securities, negotiable instruments or any other thing of value” precluded coverage for a scheme perpetrated by a fraudster that hacked into the email account of the insured’s client).  

It is important for insurers to review the specific language of theft exclusions.  Some exclusions may only apply to theft committed by “an insured,” whereas other exclusions may apply to theft committed “by any person,” including third parties. Some provisions are silent as to who must have committed the theft for the exclusion to apply.  See ABL Title Ins. Agency, LLC v. Maxum Indem. Co., No. 15-7534 (CCC), 2022 U.S. Dist. LEXIS 61391 (D.N.J. Mar. 31, 2022). Where the exclusion is silent as to the applicable actor, insurers have an argument that these exclusions include acts committed by both the insured and by third parties, based on other exclusions in the policies that include language confining their application to acts “by the insured.” See id.  

For instance, in ABL Title Ins., the exclusion at issue provided that there was no coverage for claims based upon or arising out of commingling, conversion, misappropriation, or defalcation of funds or other property. Id. The court agreed with the insurer that the exclusion directly addressed the factual scenario where funds were wired to third-party scammers who had no entitlement or right to the funds, and therefore engaged in an act of conversion under New Jersey law when it defrauded the title agency. Id. at *12–13. The title agency sought coverage for claims made by the parties whose checks from the title agency had bounced or whose payments could not be made because the title agency had insufficient funds in its escrow account to cover the disbursements. Id. The court, therefore, held that the exclusion applied to preclude coverage, even though it was not the insured who committed the conversion. Id.  

Insurers will have the burden to prove that these exclusions apply, such that they will need to establish a causal relationship between the claims asserted against their insureds and the alleged or actual theft or misappropriation of funds in order to disclaim coverage to their insureds on this basis.  

As discussed above, the purpose of social engineering is to divert funds from a company or its clients through the extraction of confidential information. Thus, it would follow that theft or misappropriation exclusions exclude such claims from coverage under professional liability policies.  

Practical Application 

Professional liability policies are not designed to provide coverage to policyholders for social engineering schemes, as evidenced by the language in their insuring agreements and exclusions. That does not mean that professionals cannot procure insurance to cover these claims.  There are many standalone polices or endorsements available to organization that are specifically tailored to respond to these kinds of social engineering matters. As social engineering schemes persist, courts will continue to address these issues in the context of professional liability policies and other liability policies. For now, courts have sided with professional liability carriers in denying coverage for these claims.  

Brian Bassett is a partner and Danielle Kegley is an associate in Traub Lieberman’s Chicago office. Brian and Danielle focus their practice on litigating and managing insurance coverage disputes involving several lines of insurance across jurisdictions nationwide.  Brian is the Vice Chair of the Professional Liability SLG of the DRI Insurance Law Committee. Danielle recently became a member of DRI and is excited to become more involved with the DRI community. 

Interested in joining the Insurance Law Committee? Click here for more information.