Ninth Circuit Says Demand for Cyberinsurance Payment not a “Claim”

One of the more common forms of cyberattack is the business email compromise (BEC): the email account of a buyer or seller (or both) is compromised by a hacker, who then impersonates one or both of the parties to demand payments, or to redirect payments intended to pass between the parties to the hacker instead.

When email accounts of Irvine, California technology firm Alorica, Inc. were hacked, the hackers sent fraudulent emails purporting to come from Alorica to its clients, including Express Scripts, directing the clients to pay money to what was supposed to be Alorica’s bank account but was instead an account belonging to the hacker.

In response to the fake Alorica email, Express Scripts wire transferred $4.8 million to the hacker. Other Alorica clients similarly transferred funds, which should have gone to Alorica, to the hacker, and Alorica never received the money from their customers.

Alorica had an insurance policy with Starr which covered “first party” losses resulting from a “security breach.” In January 2018, Alorica’s insurance broker notified Alorica’s crime insurer and Starr about the Express Scripts matter, and filed a “Crime Insurance Proof of Loss” form with their crime insurer (not Starr), but provided Starr with notice of the facts of the case, which Starr treated as a “notice of circumstance” and not a “claim” against the policy. Alorica then tried to get the unpaid invoice from Express Scripts paid either by Express Scripts or Express Scripts’ insurer. Express Scripts, via letter, rejected the claim except to the extent that they were actually successful in recovering a bit more than $56,000 of the $4.8 million, and they remitted that amount to Alorica.

Alorica passed the letter from Express Scripts to its insurer, Starr. When Alorica’s separate crime insurer refused to pay the claim in October 2018, Alorica turned to its cyberinsurer, Starr, to pay the “claim.” Starr refused, asserting that the notices it had received about the nature of the case and the progress of the case, as well as the status of the claims under Express Scripts’ policy and Alorica’s crime policy, did not constitute a “formal notice” of a claim or a “written demand for monetary or non-monetary relief or services made against Starr.”

On April 6, 2021, the United States Court of Appeals for the Ninth Circuit, in an unpublished opinion, Alorica v. Starr, Dkt. No. 8:19-cv-00690-JVS-KES, found that the letter from Express Scripts to Alorica, forwarded to Starr, did not, in fact, constitute a written demand for payment by Starr under the policy. Thus, despite the fact that Alorica had cyberinsurance coverage from Starr which might have covered the $4.8 million in losses, and despite the fact that Starr had been notified of the facts which constituted the basis of the covered losses (that there was a security breach, that the breach resulted in fraud losses, and that these losses could not be recovered by other parties), the failure of Alorica to formally and in writing file a “claim” against the policy, specifically demanding payment or some other remedy, was fatal to its proposed recovery.

The lesson from this case is that it is not enough that you have cyberinsurance, and that you check that the policy covers you for fraud losses, crime losses, breach losses, data destruction and ransomware losses, as well as things like ID fraud and theft, business email compromise, and costs of recovery, restoration, investigation and litigation. It’s also not enough that you keep your carrier advised of any possible covered losses. It’s important, at the first instance, to formally and in writing file a “claim” for coverage, even if you don’t yet know the full scope of the potentially covered claim. This is true even if you have multiple policies that might cover your losses, and even if your losses might be a result of some actions of a third party which might have its own insurance policies. So it’s not enough to have insurance – you also have to adhere to the procedures delineated in the policy, and provide timely and actual notice of the claim.

Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland, where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is a recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and universities including the University of Maryland, George Mason University, Georgetown University, and the American University School of Law and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch had worked as cyberlaw editor for, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.
