New Jersey Appellate Court Refuses to Apply Exclusion for 'Hostile/Warlike Action' to NotPetya Cyberattack
The start of this year saw an anticlimactic resolution of an insurance coverage dispute over the application of an exclusion for “hostile or warlike action” to a state-sponsored cyberattack. The dispute was slated to be addressed by the New Jersey Supreme Court before a settlement left in place an Appellate Division decision that held that the exclusion did not apply to a cyberattack on multinational pharmaceutical giant Merck & Co. Merck & Co. v. ACE Am. Ins., 475 N.J. Super. 420 (App. Div.), leave to appeal granted, 254 N.J. 506 (2023), appeal dismissed, 256 N.J. 190 (2024).
The case arose out of Merck’s claim for insurance coverage under “all-risk” property policies for $1.4 billion of losses caused by a June 2017 cyberattack involving malware known as “NotPetya.” The malware entered Merck’s system via a backdoor in accounting software provided by a Ukrainian software vendor. Unbeknownst to the vendor, alleged Russian threat actors hacked the vendor’s servers and used its software update distribution infrastructure to transmit the malware. In February 2018, the U.S. government attributed the attack to the Russian government’s effort to destabilize Ukraine.
NotPetya affected over 40,000 machines in Merck’s network, causing critical applications to go offline and creating massive disruptions to Merck’s manufacturing, research and development, and sales operations.
Merck sought coverage under its property policies that insured “against all risks of physical loss or damage to property,” which was defined to include “destruction, distortion or corruption of any computer data, coding, program or software …” The policies also covered losses resulting from the failure of computer systems due to a malicious attack directed at Merck.
Some of Merck’s property insurers denied coverage citing an exclusion for “hostile or warlike action,” which barred coverage for:
"Loss or damage caused by hostile or warlike action in time of peace or war, including action in hindering, combating, or defending against an actual, impending, or expected attack:
(a) by any government or sovereign power (de jure or de facto) or by any authority maintaining or using military, naval, or air forces;
(b) or by military, naval, or air forces;
(c) or by an agent of such government, power, authority, or forces[.]"
The insurers took the position that the exclusion applied because the NotPetya cyberattack was believed to be the work of actors sponsored by the Russian government.
In a subsequent coverage action, the trial court granted summary judgment to Merck, holding that the exclusion applied “only to traditional forms of warfare” and not to cyberattacks. On appeal, the Appellate Division affirmed, reading the exclusion to “require[] the involvement of military action.” In the court’s view, “the plain language of the exclusion did not include a cyberattack on a non-military company that provided accounting software for commercial purposes to non-military consumers, regardless of whether the attack was instigated by a private actor or a ‘government or sovereign power.’”
The Appellate Division based its holding on a series of decisions where similar exclusions were applied to actions clearly connected to war or, at least, to a military action or objective. The court reasoned that these decisions “demonstrate a long and common understanding” that such exclusions “are intended to relate to actions clearly connected to war or, at least, a military action or objective.”
The New Jersey Supreme Court granted the insurers’ motion for leave to appeal. However, the appeal was dismissed earlier this year after Merck and the insurers settled the dispute.
The Merck decision suggests that courts in New Jersey will take a narrow view of traditional exclusions and may decline to apply those exclusions to cyber losses based on a lack of historical context. Meanwhile, insurers can be expected to revise policy exclusions to clarify that they apply in the modern context of evolving state-sponsored cyber activity.
Recent Decisions Restricting Coverage for BIPA Claims Highlight Challenges for Policyholders Seeking Coverage for Violations of Privacy Statutes
This past year saw significant coverage decisions issued in Illinois with respect to the state’s Biometric Information Privacy Act (BIPA). The coverage litigation over Illinois’s unique biometric privacy law has implications far beyond the Prairie State as other states adopt expansive privacy legislation.
Enacted in 2008, BIPA governs the collection, use, and storage of biometric identifiers, such as fingerprints, facial recognition data, and voiceprints, with stringent requirements on the collection and use of such information. BIPA’s private right of action has spurred a wave of class-action lawsuits, which, in turn, has brought insurance coverage disputes to the forefront as policyholders seek defense and indemnity for BIPA claims. Until recently, BIPA imposed statutory damages of $1,000 per “violation,” before it was amended to limit the statutory damages to one violation per individual for repeated collections or disclosures.
In 2021, the Illinois Supreme Court issued a decision in West Bend Mutual Insurance Company v. Krishna Schaumburg Tan, 183 N.E.3d 47 (Ill. 2021), holding that an insurer had a duty to defend a tanning salon facing BIPA claims under two businessowners’ liability policies based on the salon’s use and disclosure of customers’ fingerprints. The court in West Bend found that the alleged disclosure of biometric data qualified as a “publication” under the policies’ personal and advertising injury coverage, which applied to the publication of information in violation of a person’s right to privacy.
The court also rejected the insurer’s reliance on an exclusion that barred coverage for violations of the Telephone Consumer Protection Act (TCPA), the CAN-SPAM Act, and any “statute … other than the TCPA or CAN-SPAM Act of 2003, that prohibits or limits the sending, transmitting, communicating or distribution of material or information.” The court reasoned that, under the doctrine of ejusdem generis, the exclusion’s reference to statutes “other than the TCPA or CAN-SPAM Act” should be construed as referring only to statutes that regulate methods of communications, like telephone calls, faxes, and e-mails, rather than statutes that regulate the use and distribution of personal information more generally.
While West Bend was received as a major victory for policyholders, more recent decisions have narrowed the coverage available for those facing liability under BIPA.
In National Fire Insurance Company of Hartford v. Visual Pak Company, 2023 IL App. (1st) 221160 (Ill. App. Ct. 2023), appeal denied, No. 130374, 2024 Ill. LEXIS 339 (Ill. May 29, 2024), the Appellate Court of Illinois held that the commercial general liability (CGL) policies at issue did not cover claims asserting that a policyholder violated the BIPA rights of 13,000 individuals. After determining that the claims fell within the scope of the policies’ insuring agreements, the court addressed the application of a “violation-of-law” exclusion, which it found was broader than the exclusion at issue in West Bend. The Visual Pak court held that the specific language of the exclusion indicated that it applied broadly enough to encompass BIPA claims. This marked a change in decisions interpreting similar exclusions in CGL policies, which to that point had generally declined to apply exclusions for statutory violations to BIPA claims. See, e.g., Westfield Ins. v. Ucal Sys., No. 21-cv-3227, 2024 U.S. Dist. LEXIS 138237 (N.D. Ill. Aug. 5, 2024).
Meanwhile, other decisions signal limitations for coverage for BIPA claims under cyber-specific policies. In September, the Appellate Court of Illinois rejected a claim for coverage under two “Cyber, Data Risk, and Media Insurance” policies issued by Lloyd’s of London. Tony’s Finer Foods Enters. v. Certain Underwriters at Lloyd’s, London, 2024 IL App. (1st) 231712 (Ill. App. Ct. 2024). In that case, a grocer sought coverage from Lloyd’s for BIPA claims arising from its practice of requiring employees to clock in and out of work using their fingerprints. The employees bringing suit alleged that the grocer failed to comply with BIPA’s requirements for disclosing how this biometric information was retained and used and for obtaining consent from the employees for its collection and use.
As a starting point, the Appellate Court held that the claims fell outside the scope of the policies’ insuring agreement, which covered losses “resulting from a data breach, security failure, or extortion threat …” The court found that the allegations against the grocer did not describe a “data breach,” which the policies defined as “the acquisition, access, or disclosure of” information that was “unauthorized” by the insured. The allegations also did not involve a “security failure,” defined as a “failure … in securing the insured’s computer system,” and it was undisputed that there was no extortion threat. Instead, it was clear that the allegations against the grocer concerned its intentional collection and use of data, which fell outside of the scope of the cyber policies.
The court also held that coverage was clearly barred by an exclusion for claims arising out of the “collection of information … without the knowledge or permission of the [data subjects]” or the “use of personally identifiable information … in violation of law.” As a result, the Lloyd’s cyber policies did not provide coverage for the BIPA claims against the grocer.
The decisions addressing coverage for BIPA claims will serve as a source of guidance for courts in other jurisdictions, including New Jersey, as coverage litigation over privacy claims proliferates.
Robert P. Vacchiano is counsel in the insurance and reinsurance group and cybersecurity & data privacy group at Riker Danzig.