Category: Insurance Coverage

War of the Words: Ninth Circuit Reverses Judgment for the Insurer in Rare War Exclusion Case

In Universal Cable Prods. LLC v. Atlantic Specialty Ins. Co., 2:16 cv-04435 PA, (9th Cir. July 12, 2019), the Ninth Circuit reversed the district court’s determinations as it relates to the application of two war exclusions.

In the summer of 2014, Universal Cable Productions wasfilming a television series, Dig, in Jerusalem.  During filming, hostilities arose in the region as Hamas, a Palestinian political movement, began firing rockets from Gaza into Israel.  The ongoing and escalating Israeli-Palestinian strife caused Universal to halt production, and ultimately move it out of the area.  Not surprisingly, the move resulted in significant expenses, prompting Universal to file a claim under its television production policy in order to cover the costs.

The insurer denied coverage for the claim, relying, for apparently the first time, on the applicability of the policy’s war exclusions.  The exclusions, which the insurer argued were triggered by Hamas’ firing of rockets, barred coverage for expenses resulting from: war, warlike action by a military force, or insurrection, rebellion, or revolution.  Universal countered that the exclusions are not applicable because the terms in the exclusions had a specialized meaning in the insurance context, and the Hamas action did not comport with that meaning.  The district court, refusing to apply any specialized meaning and instead using the plain meaning of the terms, sided with the insurer and found that Hamas’ actions clearly constituted war or warlike action which triggered the application of the exclusions.  Universal appealed.

On appeal, the Ninth Circuit disagreed with the district court’s analysis—namely the district court’s refusal to apply the alleged specialized meaning of the exclusions’ terms—finding that a provision of the California Civil Code required the application of specialized meaning when the meaning has been developed from customary usage.  The appellate court first found that the principal construing any ambiguity in favor of the insured was not applicable.  In doing so, the court noted that “the typical concerns animating [that principle] do not exist here.”  Next, the court found that because the terms “war” and “warlike action by a military force” had acquired a special meaning via usage, that special meaning must be followed and failure to do so “is reversible error.”  The court determined that in the insurance context, “war” and “warlike action by a military force” required the existence of “de jure” or “de facto” governments and because the court found that Hamas is neither, the exclusions did not work to bar coverage. Consequently, the court reversed the district court’s ruling in favor of the insured.

©2011-2019 Carlton Fields, P.A.

Article by Roben West of Carlton Fields.
For more insurance law, see the National Law Review Insurance Reinsurance & Surety law page.

U.S. District Court Upholds Short-Term Limited Duration Insurance Rule

The U.S. District Court for the District of Columbia upheld a rule that expanded the maximum length of time for short-term, limited duration insurance (STLDI).

STLDI is coverage that lasts a limited period of time and is exempt from many of the requirements that apply to plans in the individual health insurance market. Concerned that STLDI was drawing healthy lives away from the individual health insurance market that the Affordable Care Act (ACA) sought to support, the Obama administration shortened the length of time an individual could enroll in STLDI from 12 months to three months. Seeing STLDI as a low cost alternative to individual insurance, the Trump administration reversed course. Final regulations issued last year restored the period to 12 months and allowed for up to two renewals, for a total period of 36 months of coverage. One month later, seven organizations representing small health insurers, mental health patients and providers, and others brought suit challenging these regulations.

The court denied the challenge. It found that the ACA–and HIPAA, which first introduced STLDI–did not define the length of time STLDI could remain in effect and that the U.S. Departments of Treasury, Labor, and Health and Human Services could extend the length of time STLDI may remain available to enrollees without posing a threat to the ACA’s “structural core.”

The plaintiffs have already expressed their intent to appeal the decision. In the meantime, states continue to consider the question of whether and how to regulate the availability and terms of STLDI policies issued within their borders.

Copyright © by Ballard Spahr LLP
This article is by Edward I. Leeds  and Paige A. Haughton of Ballard Spahr LLP.
For more on health insurance, please see the National Law Review Health Law & Managed Care page.

Claims of False Advertising and Unfair Competition Are Not Disparagement or Defamation

Most commercial general liability policies include coverage for personal and advertising injury claims by third parties.  In a recent case, the Third Circuit Court of Appeals addressed the issue of whether claims of false advertising and unfair competition brought against a competitor entitled the policyholder to a defense under its personal and advertising injury coverage.

In Albion Engineering Co. v. Hartford Fire Ins. Co., No. 18-1756 (3rd Cir. Jul. 10, 2109) (Not Precedential), the policyholder was sued by a competitor alleging claims for false advertising and unfair competition based on the allegation that the policyholder’s products were represented as being made in the US when they were really made overseas.  The policyholder sought coverage from its carrier under its personal and advertising injury coverage, particularly for publication of material that slanders or libels a person or disparages a person’s goods, products or services.  The carrier disclaimed and the policyholder brought suit seeing to enforce coverage.  The district court dismissed the complaint after summary judgment in favor of the carrier.

On appeal, the policyholder contended that the claims in the underlying suit were essentially disparaging and defamatory.  In applying New Jersey law, the circuit court rejected the policyholder’s arguments because nothing alleged by the underlying claimant or in the extrinsic evidence discovered constituted the publication of false statements about the competitor.  Under New Jersey law, for the duty to defend to arise, the false and defamatory statement has to be made about another (in this case about the competitor’s products).  “For the suit to fall within the policy’s coverage, [policyholder] must demonstrate [competitor] brings a claim that [policyholder] (1) made an electronic, oral, written or other publication of material that (2) slanders or libels [competitor] or disparages [competitor’s] good, products, or services.” Here, said the court, the claims were about the policyholder’s own products, not about the competitor’s products.  Thus, because the policyholder had not shown that the competitor’s claims constitute disparagement or defamation claims made by the policyholder about the competitor’s products, the carrier had no duty to defend the underlying lawsuit.

 

© Copyright 2019 Squire Patton Boggs (US) LLP

Life on the B Side: Social Media Advertising Under CGL Coverage B (Part 2)

The following is Part II in our two-part series on the intersection between social media advertising and the lesser known portion of commercial general liability (“CGL”) policies—the elusive “Coverage B.”  In Part I, we examined the prevalence of social media and social media advertising in today’s society.  We also provided a brief overview of the Coverage B provisions that are likely to be implicated by social media advertising.  In Part II, we discuss these Coverage B issues in greater detail.

POTENTIAL COVERAGE B ISSUES IMPLICATED BY SOCIAL MEDIA ADVERTISING

1.   What Constitutes Advertising?

A threshold issue that could arise in cases involving social media advertising is whether the use of social media qualifies as “advertising” under the policy.  In the typical insurance policy, “Advertising Injury or Damage” is defined as including a covered offense stemming from the insured’s “advertising” efforts.  However, the term “advertising” is often left undefined.

Social media advertising raises some unique questions, particularly with respect to whether specific content constitutes “advertising.”  On the one hand, banner ads (i.e., those typically found on the top or sides of a website) are akin to traditional forms of print advertising; therefore, it is difficult to imagine that such content would not qualify as “advertising” for Coverage B purposes.  On the other hand, social media offers access to less formal means of advertising.  For instance, a business could open a Twitter or Facebook account in order to promote itself through individual postings.  Although the use of these social media platforms as a promotional tool would appear to constitute “advertising,” judges unfamiliar with social media platforms, or at least more familiar with traditional forms of advertising, might disagree.

This issue has not yet been addressed in the Coverage B context.  However, one court recently concluded that a business’s Facebook posts did not constitute advertising under the Lanham Act.  In Buckeye International v. Schmidt Custom Floors, 2018 WL 1960115 (W.D. Wis. Apr. 26, 2018), a federal judge held that Facebook posts made by one business criticizing another business did not constitute advertising under the Lanham Act because they were “individualized person-to-person communication[s].”  This ruling fails to appreciate that a business’s posts to social media accounts, particularly where the business makes those posts public without limitation, are not “individualized person-to-person communications” because they are often intended to reach large audiences or the public-at-large.  However, judges examining similar issues in a Coverage B dispute could reach similar conclusions.  Thus, educating courts about the basics of social media platforms, including how they operate and the purposes for which businesses use them, is critical in any litigation involving these technologies.

2.   #trademarkviolation

Anyone who has ever viewed a Twitter feed has surely noticed the presence of hashtags within individual Tweets.  Hashtags were originally intended as a tool to categorically arrange materials so that other users could easily search for a topic.  However, their use has quickly expanded to other social media platforms.  Today, they are often used to express humor or as a method for brand recognition.  Indeed, certain courts to-date have found that hashtags are entitled to trademark or copyright protections, despite that they were originally intended to assist with online search capabilities.  The Wall Street Journal has reported that companies are increasingly filing trademark applications for hashtags related to their companies and products.[1]

The increased protections offered for hashtags has potential Coverage B implications.  In Part I, we discussed the fact that included among the covered offenses that constitute “personal and advertising injuries” are:  (1) the use of another’s advertising idea in your “advertisement”; and (2) infringing upon another’s copyright, trade dress, or slogan in your “advertisement.”  Thus, social media advertisements employing hashtags could trigger intellectual property litigation.  And, the related defense costs and/or indemnity arising out of such litigation would potentially be covered by standard Coverage B protections.

3.   Risks Associated With Social Media Influencers

In Part I of our series, we discussed how companies were employing brand advocacy through paid social media influencers (individuals with a significant following on social media who post content about products and services in exchange for compensation (e.g., money or free products)).  Although a company’s use of social media influencers does not create any unique Coverage B issues, the use of such influencers as part of a marketing campaign is not without risks.  Social medial influencers are certainly not professional advertisers—recent studies show they are not only not aware of the rules and regulations concerning their paid posts, but may actually be consciously ignorant of those rules and regulations.[2]  Therefore, in order to minimize liability, companies seeking to utilize influencers must be dogged in (1) educating their influencers, and (2) monitoring their influencers’ content.  This is especially true given the above-referenced statistics showing social media influencers are often ignorant of advertising norms—an influencer left to his or her own devices is an influencer who could cause headaches for an insured.  However, even companies that educate influencers about advertising norms must trust these people to actually follow the rules.  By utilizing influencers, companies give up certain elements of control over the advertising that they would maintain under traditional advertising campaigns and increase the chances that an influencer could engage in acts that constitute covered offenses for Coverage B purposes.

CONCLUSION

As highlighted throughout this two-part series, the use of social media advertising raises interesting and unique issues, as well as possible liabilities to companies.  Along with these possible liabilities comes the potential for insurance coverage under policies offering coverage for “personal and advertising injuries.”  While it remains to be seen how courts will address these issues, companies should be mindful of the potential for insurance coverage.

[1] See https://www.wsj.com/articles/companies-increasingly-trademark-hashtags-1…

[2] See Jim Tobin, Ignorance, Apathy or Greed? Why Most Influencers Still Don’t Comply with FTC Guidelines, Forbes (Apr. 27, 2018 8:00 AM) https://www.forbes.com/sites/forbesagencycouncil/2018/04/27/ignorance-ap… Steven P. Mandell et al., Recent Developments in Media, Privacy, Defamation, and Advertising Law, 52 Tort Trial & Ins. Prac. L.J. 531, 560 (2017).

 

© 2019 Gilbert LLP
This post was written by Michael B. Rush and Samantha R. Miller of Gilbert LLP.
Read more insurance legal news on our Insurance type of law page.

Tours in Trouble: Rock Stars and Insurance Recovery

Touring is where profits lie for today’s successful recording artists, with considerable sums expended on venues and staging to bring an artist’s music to his or her fans. But the list of things that can go wrong before and during a tour is almost endless.

That’s why artists, tour companies, and record labels purchase various forms of tour insurance to mitigate the risk from postponements or cancelations caused by a variety of circumstances. Often, those purchasing tour insurance have considerable influence over what harms are covered and the terms under which reimbursement will be provided. Unforeseen disasters can result in losses to the tune of millions of dollars if proper insurance is not obtained and handled carefully.

Three sources of tour insurance claims are particularly important: natural disasters, terrorism, and artist illness. As we outline below, tour profitability depends upon understanding these threats and choosing effective strategies to mitigate them or avoid them entirely.

Coverage for Natural Disasters

Just like any other event, tours planned months or years in advance are susceptible to natural disasters such as earthquakes, hurricanes, and floods. However, even when tour insurance is purchased, receiving coverage for tour cancelations or postponements on this basis is not automatic.

For example, many “non-appearance” insurance policies contain exclusions that could be construed to eliminate coverage for certain kinds of disasters. One such provision is the “adverse weather” exclusion, which commonly excludes coverage for outdoor performances affected by rain, wind, or other similar meteorological incidents. Also common is language restricting coverage to certain enumerated perils and requiring that a covered peril be the “sole and direct cause” of any non-appearance. How such policy language is interpreted in the case of a hurricane or tropical storm, for instance, may make the difference as to whether an artist is compensated under his or her tour insurance policy.

Coverage for Acts of Terrorism

Just as threatening to tour profits as natural disasters are those postponements or cancelations caused by acts of terror. The attacks in Las Vegas during Jason Aldean’s performance, those in Manchester, England outside Ariana Grande’s show, and those at the Eagles of Death Metal performance at the Bataclan club in Paris, France highlight that terrorism is a very real threat to music artists.

However, even if an artist’s tour is insured, acts of terrorism are often excluded unless specifically added by an amendment to insurance policies called an endorsement, which can be quite expensive.  Moreover, terrorism coverage policy language varies, with certain provisions requiring an attack to have taken place, whereas others provide coverage if a tour is postponed or canceled based on the threat of an attack. Still other policies that purport to cover cancellations due to terrorist acts limit coverage based on how long after or how far away from an attack or threatened attack the tour is scheduled to take place. For instance, the Foo Fighters canceled the remainder of their European tour in Spain and Italy in the wake of the Paris bombing in 2015. However, the Foo Fighters’ insurers initially refused to reimburse them for these losses under their applicable tour insurance policies (which included terrorism coverage), apparently because the insurers considered the future shows too far away from the date and site of the Paris attack. After much publicity and costly litigation, the lawsuit was eventually settled on confidential terms.

Coverage for Artist Illness

Tour events are also canceled due to artist illness. Often, an insurer’s response to a claim based on artist illness depends on the nature of the illness and what the artist said in underwriting materials submitted to the insurers.  It is not uncommon for coverage disputes to center around the accuracy of medical reports submitted by artists to insurers. For instance, Linkin Park canceled parts of a tour in 2008 due to their then-frontman’s back issues. Nickelback was forced to cancel part of their 2015 No Fixed Address tour due to polyps discovered on their lead singer’s throat  In both instances, the bands’ tour insurance claims were denied based on alleged inaccurate medical reporting in the underwriting materials submitted to the insurers. And in both cases, the bands were forced to resort to litigation based upon alleged failures to disclose existing medical issues.

Sometimes, an artist’s tour is postponed or canceled but the artist and insurers do not agree on the cause. Not surprisingly, this can lead to coverage disputes.  For example, Kanye West’s cancelation of his 2016 Saint Pablo tour resulted in two lawsuits, with West claiming he suffered a “debilitating medical condition” and his insurers insinuating the cancelation was due to drug use and mental health issues (both of which were excluded under the policy). The last of the suits ultimately settled in February 2018, but not before myriad news outlets reported on the parties’ allegations, including leaked details about West’s medical history.

Strategies to Mitigate or Avoid Coverage Threats 

These examples only scratch the surface of the many reasons a tour may be postponed or canceled, and the ways in which this can complicate insurance recovery.  Different strategies should be applied depending on individual challenges, but all involve careful scrutiny of the governing policy language.  The best time for such scrutiny is during negotiation of the policy itself, when experienced counsel can advise on coverage gaps or language that might cause trouble for touring artists.

Also key is carefully shaping the public narrative for any tour postponement or cancelation. This is particularly true in the context of postponements or cancelations where the cause may be disputed.  Effective counsel can assist in rapidly coordinating the actions of doctors, the media, and the artist to ensure a consistent message and head off potential pretextual coverage denials from insurers.

As the Ramones sang, “high risk insurance, the time is right.”

© 2019 Gilbert LLP
This post was written by Benjamin W. Massarsky and Kellyn Goler of Gilbert LLP.

Intentional Accidents: California Supreme Court Announces that General Commercial Liability Policies Apply to Negligent Hiring, Training, and Supervising Claims for Failing to Prevent Intentional Torts

In a recent decision, the U.S. Court of Appeals for the Ninth Circuit observed that under California law, there was an unresolved question as to whether a commercial general liability (“CGL”) insurance policy covers an employer-insured for negligently failing to prevent an employee’s intentional misconduct. In essence, it was unclear whether such an incident constituted an “occurrence” that only covers “accidents,” as an intentional act cannot, by definition, be an accident. Through a certified question from the U.S. Ninth Circuit Court of Appeals, the California Supreme Court answered that such insurance policies indeed cover negligent hiring, training, and supervision claims because the crux of inquiry is the insured’s negligence—not the employee’s intent.

In Liberty Surplus Insurance Corporation, et al. v. Ledesma and Meyer Construction Company, Inc., No. 14-56120 (9th Cir. Oct. 19, 2018), the insured construction company was sued because its employee sexually abused a minor. Ledesma and Meyer Construction Company, Inc. (“L&M”) had been retained by a school district to oversee the construction of a middle school. During the course of construction, an employee sexually abused a 13-year-old student. The student sued L&M alleging claims of negligent hiring, training, and supervision of the employee that committed the intentional tort.

L&M’s CGL carrier filed a declaratory judgment action in federal district court, alleging that the claim against L&M was not covered by the insurance policy because it was premised on an intentional act. The district court granted summary judgment in favor of the plaintiff insurer. It reasoned that, because the policy covered “bodily injury” that was “caused by an occurrence,” and because an “occurrence” is defined as an “accident,” the claims for negligent hiring, training, and supervision were too attenuated from the intentional injury-causing conduct to trigger coverage.

On appeal, the Ninth Circuit certified the question of coverage to the California Supreme Court. The Supreme Court rephrased the question as follows: “When a third party sues an employer for the negligent hiring, training, and supervision of an employee who intentionally inured that third party, does that suit allege an ‘occurrence’ under the employer’s commercial general liability policy?” The Supreme Court answered in the affirmative, reasoning that, “[b]ecause the term ‘accident’ includes negligence, a policy which defines ‘occurrence’ as an ‘accident’ provides ‘coverage for liability resulting from the insured’s negligent acts.’” (internal citations omitted). On the basis of this answer, the Ninth Circuit reversed the district court’s decision and remanded for further proceedings.

This decision solidifies what amounts to an expansion of insurance coverage in the Ninth Circuit over an employer-insured’s employee’s intentional acts, where the claims are premised on the employer-insured’s negligent hiring and supervision of the employee. Underwriters should take note and consider appropriate exclusions and/or pricing of premiums of insured risks in California and elsewhere in the Ninth Circuit.

 

©2011-2018 Carlton Fields Jorden Burt, P.A.

As Electric Scooters Barrel Their Way into the Sharing Economy, Manufacturers and Their Insurers Should Prepare for an Influx of New Claims

Electric scooters and the shared economy

If you have spent any time in Los Angeles or New York City recently, you may have noticed adults riding two-wheeled electric scooters − the type we are more accustomed to seeing kids ride. These scooters are the latest transportation tools in the ever-evolving sharing economy.

The sharing economy, a term used to describe the growth of an economy based on sharing goods and services, just witnessed the newest heavyweight enter the ring – motorized electric scooter companies. All you have to do is download an app on your smartphone, enter your credit card information, find an electric scooter using the app, and scan a barcode. Typically, rental scooters cost $1 to start and 15 cents a minute thereafter. When you reach your destination, simply leave the scooter in a public space and tap your screen to end the ride.

The scooters can reach speeds of up to 15 miles per hour, and there are almost no regulations in place to ensure their safe use. Additionally, it is not always clear whether the scooters should be driven on sidewalks, in bike lanes, or on roadways. In fact, some cities do not require riders to wear helmets. Finally, few riders are clear on whether they are subject to traffic laws (they are in most, if not all, cities).

Recently, scooter-sharing companies have drawn the ire of plaintiffs’ lawyers across the country. Both riders and pedestrians injured on or by scooters are making waves in courthouses and the media, calling for increased regulation or, in some cases, prohibition of the scooters altogether. Complaints have been filed against scooter-sharing companies based on allegations of gross negligence, aiding and abetting assault, and creating a public nuisance. These companies are not alone, however, in facing potential liability for injured riders and pedestrians. Scooter manufacturers also have been named for any number of alleged defects with the scooters.

Scooter and parts defects

Scooter manufacturers may soon face a number of product defect claims. While not an exhaustive list, these claims could include the following:

  • Failed brakes – At 15 miles per hour, functioning brakes are essential to riders and pedestrians. And, the 15 mile-per-hour maximum speed does not account for scooters going downhill. The scooters can reach even higher speeds and, consequently, create a higher risk of serious injury or death.

  • Stuck throttles – Likewise, riders and pedestrians face an increased risk of injury when throttles get stuck, making the rider unable to slow down.

  • Exploding batteries

  • Flat tires

  • Inoperative lights

  • Broken tubes – If the tubes that transmit power within the vehicle suddenly break, riders risk being thrown off.

  • Defective handlebars

  • Failure to warn of hidden dangers associated with the use of this unique electric vehicle.

The potential of such claims should be enough to capture the attention of astute product liability insurers.

Why electric scooters?

An array of products are used as part of the sharing economy – cars, houses, bicycles, cameras, kitchenware, musical instruments, boats, construction equipment, outdoor gear, and more. So why should insurance companies pay particularly close attention to scooters?

The answer is because the popularity of electric scooters is growing at an unprecedented pace. Adoption rates in metro areas across the United States are accelerating faster than other players in the ride-sharing economy (i.e., cars). In addition to the incredible adoption rates, public support is high among people from anywhere on the socioeconomic spectrum, with the greatest support from low-income groups, presumably because scooters require much fewer infrastructure investments. And, scooter-sharing companies are not going away. On the contrary, major scooter-sharing companies such as Bird and Lime have begun expanding internationally. So, what should risk advisors expect with regard to claims and lawsuits?

What to expect

The leading electric scooter company, Bird Rides, Inc.’s robust liability waiver has so far limited the number of cases plaintiffs’ lawyers are willing to take. The waiver provides that all riders, in exchange for the use of “Bird Services, [v]ehicles, and other equipment… [,] agree[ ] to fully release, indemnify, and hold harmless Bird…from liability for all ‘Claims’ arising out of or in any way related to … use of the Bird Services, [v]ehicles, or related equipment…[,] except for [c]laims based on … gross negligence or willful misconduct.” Nonetheless, the class-action lawsuit filed in Los Angeles County Superior Court on October 19, 2018 – case number 18-STCV-01416 – has garnered enough attention from the public and media that an influx of claims should be expected.

The Los Angeles County lawsuit names, in addition to Bird, leading competitor Lime (formerly LimeBike), and manufacturers Xiaomi USA, Inc. and Segway, Inc. The plaintiffs’ claims include Strict Products Liability, Negligence, Negligence Per Se, Gross Negligence, Breach of Implied Warranty of Fitness for a Particular and/or Intended Purpose, and Breach of Implied Warranty of Merchantability. The blanket of negligence theories cast against the manufacturers is broad. They allege manufacturing defects, design defects, and a charge of inadequate user warnings. It is to be determined how much protection, if any, manufacturers will receive under Bird’s liability waiver. It is very likely, though, that the plaintiffs will be allowed to pursue lawsuits under a theory of, at least, gross negligence.

Another big question is whether and how many of these suits will get to a jury. The comprehensive waiver in Bird’s user agreement includes an administrative dispute resolution process, followed by a binding arbitration provision in the event the parties are unable to settle a claim. It also includes a class action waiver. However, the opt-out provision in the same section of the agreement provides: “You have the right to opt-out and not be bound by the arbitration and class action waiver provisions … by sending written notice of your decision to opt-out to the [Bird] address…. The notice must be sent within 30 days of the effective date or your first use of the Service, whichever is later….”

Whether claims are brought in court or moved into arbitration, a rigorous defense is called for on behalf of the manufacturers. Because scooters are often left at the scene of an incident wherein injuries were suffered, there may be no physical evidence of a defect in the scooter and/or parts. Even if there were some malfunction, mechanical or otherwise, plaintiffs must prove that any injuries were the direct and proximate result of the scooter, rather than user error. These factual hurdles also have served to limit the number of lawsuits brought thus far.

There is an array of issues, legal and factual, that must be scrutinized upon receiving notice of a claim or suit. And, it is not simply the electric scooter companies that need to brace for an influx of claims – scooter and parts manufacturers are being sued right along with them.

© 2018 Wilson Elser

ARTICLE BY

Michael P. Manfredi
Wilson Elser Moskowitz Edelman & Dicker LLP

Five Things You Should Know About Employment Practices Liability Insurance

If you listen closely on a quiet weekday afternoon, you can hear the steady thumping of stamps on inkpads at the Equal Employment Opportunity Commission’s (EEOC) offices on West Madison Street in Chicago. And it’s no different throughout the country — employee claims of discrimination, harassment, and retaliation are high paced and showing no signs of slowing down.

This high rate of claims means your company needs to be savvy about a number of key strategies that can help you minimize risk. One of these strategies may include purchasing employment practices liability insurance (EPLI). Here, we answer some core questions about EPLI:

1. What is EPLI, and how does it differ from related insurance policies?

EPLI policies allow employers to protect themselves against the exposure and costs associated with claims and litigation arising out of the employment relationship. These policies generally cover claims made by current and former employees, applicants who were never hired, or third-parties claiming the employer has engaged in wrongful conduct.

Discrimination, harassment, retaliation, wrongful discharge, and invasion of privacy are the typical claims covered by EPLI. On the other hand, claims that an employer violated the Fair Labor Standards Act (e.g., failure to pay overtime, misclassification as an independent contractor) are typically not covered by EPLI policies, nor are claims under ERISA, COBRA, or the National Labor Relations Act, although it may be possible to purchase limited coverage for defense costs.

Not surprisingly, EPLI is but one item on a buffet of insurance offerings to employers; alongside it are directors and officers (D&O), commercial general liability (CGL), and errors and omissions (E&O) policies, each serving a distinct purpose. D&O insurance covers acts committed by a company’s directors and officers only; it is of no help when an employee’s supervisor is accused of sexually harassing an employee. Likewise, E&O policies are concerned with true errors and omissions allegedly committed in the course of doing what your company does for a living, and are not implicated by allegations of discriminatory discharge, which is seldom an accident. CGL policies often expressly exclude wrongful employment practices. In other words, EPLI may overlap with other types of coverage, but it largely exerts its own force in confronting an array of everyday claims.

2. Should my company purchase EPLI?

Maybe — it’s a business decision that requires you to take into account several factors, such as the cost of the EPLI premiums and the extent of the deductible (or self-insured retention, to be explained below), your company’s location and number of employees (and how these correlate with the likelihood of a claim being filed against your business), history of claims and losses, and whether you have written, preventative employment policies in place.

According to the 2017 Hiscox Guide to Employee Lawsuits, U.S. companies have a 10.5% chance of being on the receiving end of an employment-related charge, and the chances for Illinois companies are 35% higher than the national average. On average, small-to-medium size companies facing such claims battle for 318 days before resolution and leave the arena with a $160,000 bruise.

As with every type of insurance, the perceived value of the coverage depends upon the company’s level of comfort with the self-insured retention (SIR) or deductible. The SIR is the amount the company must pay out of pocket at the beginning stages of a claim; the insurer is not required to pay a penny until after the SIR has been met by actual payment of defense costs and/or losses by the insured. A deductible, on the other hand, is subtracted by the insurer from its total policy payment, which then must be paid by the company.

As expected, the policy premium will seesaw with SIR levels. Policies with a high SIR amount (or deductible) typically will have lower premiums than the same policy with a low SIR or deductible. These policies are better suited for companies that view EPLI as a type of catastrophic coverage. On the flip side, if your cash flow would make it difficult to absorb a high SIR, then a higher premium with a lower SIR amount may make economic sense.

The number of individuals employed by your company should also factor into your decision-making. Although most federal anti-discrimination statutes apply only to businesses with 15 or more employees, smaller companies are subject to state anti-discrimination laws, which may govern employers with only one employee (depending on the nature of the claim). Nevertheless, it is not unreasonable for a small company in certain industries to forego EPLI, while maintaining strong training and preventative strategies, until it grows closer to 15 employees.

Given the numerous factors that must be taken into account, employers should consult with their attorneys and business advisors to reach a sound decision about whether and what type of EPLI to purchase.

3. What should I do when negotiating the purchase of an EPLI policy?

It is better to negotiate a good EPLI policy up front, than to sign up for standard terms, stuff the policy packet in your desk drawer, and later bemoan its shortcomings when an issue pops up.

A good first step is to talk to your attorney about her previous experiences with various insurance companies; lawyers repeatedly deal with EPLI carriers and it’s best to make decisions based upon known trends than to shop just based on price.

You should determine whether the policy imposes on the insurer a “duty to defend” or a “duty to reimburse.” A duty to defend requires the insurer to defend the claim or lawsuit, cover legal fees and costs, and pay for liability (all up to the policy limits). Insurers with a duty to defend retain high levels of control over the defense of claims, the selection of counsel, and litigation and settlement strategies. The duty to defend extends to all claims, even frivolous ones, or issues reasonably related to the underlying claim.

An insurer subject to a “duty to reimburse,” on the other hand, must reimburse covered costs and losses and is typically not required to defend matters reasonably related to the underlying claim. However, the company retains higher levels of control in selecting counsel and executing its defense strategies.

You may want to consider negotiating a “mutual selection of counsel” endorsement to the policy, which will provide you with greater flexibility in retaining your own counsel, even where the insurer has a duty to defend with the corresponding high levels of control. This will prove helpful when you want your preferred counsel to handle a case, and do not want to relinquish your fate to unknown lawyers selected by the insurance company. Be aware, however, that even if you are able to obtain a selection of counsel provision, you may be required to share in the cost of attorneys’ fees to the extent your preferred counsel charges rates higher than the default panel rates typically paid by insurers. This should be another point of discussion during your negotiations.

4. Even if my company has an EPLI policy, does it always make sense to report a claim?

Unlike auto insurance policies, reporting a claim does not typically impact the cost of maintaining or renewing your EPLI policy. Therefore, it is usually wise to report claims as you become aware of them. However, there may be circumstances where it does not make sense to do so. For example, if your policy comes with an SIR (self-insured retention) of $25,000, and you believe you can settle the matter for $10,000, reporting the claim may achieve nothing but a headache. But even that logic comes with risks; if you are wrong in your estimates and the settlement numbers start to creep up, you risk losing coverage altogether due to untimely notice to the insurer. When in doubt, err on the side of reporting, and consult your attorney to help reach a sound decision.

It is also wise to “park” a potential claim. “Parking” a claim means notifying your carrier that you have been made aware of facts or circumstances that might give rise to a future claim (but for which no current claim exists). If a claim based upon those facts or circumstances later materializes outside of the policy period, because you “parked” your claim, it will be treated as though it arose and was reported during the relevant period.

Staying silent when you know something is brewing may backfire, as insurers are not interested in selling fire insurance to someone who already smells smoke. Providing timely and transparent notice via “parking” also demonstrates to the insurer that your company is prudent, which fosters confidence in the relationship and promotes a sense that you are serious about risk management.

5. What are some common mistakes companies make regarding EPLI policies?

Because most companies prefer to focus on running their business than worrying about the minutiae of an insurance policy, it is easy to overlook potentially critical missteps. Many companies, for example, have never heard of EPLI or don’t even know if they have it. Others automatically renew policies they’ve never read, rather than negotiate more favorable terms. Sometimes, a company is unaware of relevant policy periods, or neglects to promptly ascertain whether an event or awareness of an event constitutes a claim or otherwise triggers reporting requirements. Finally, because there are so many types of insurance policies out there, it is not uncommon for companies to think their existing policies will address employment practices claims, only to later discover that they’re hung out to dry.

© 2018 Much Shelist, P.C.

ARTICLE BY

Laura A. Elkayam
Neil B. Posner
Much Shelist, P.C.

Transferring Cybersecurity Risk: Considerations When Obtaining Cyber Insurance

While procuring cyber insurance is an increasingly important business decision, choosing cyber insurance is not a simple process of merely identifying the amount of coverage desired and then paying for the corresponding premium.  Instead, as set forth below, it presents a matrix of considerations to be explored to ensure receipt of appropriate coverage when needed.

The Importance of Cyber Insurance

In the face of continued and more destructive cyber threats and the advent of more demanding statutory and regulatory requirements, it is critical for a company not only to mitigate risk through comprehensive cybersecurity management but also to transfer that risk by obtaining tailored cyber insurance.  Indeed, more rigorous regulations, along with their attendant financial penalties for noncompliance (such as the EU’s General Data Protection Regulation (“GDPR”), which became effective May 25, 2018, or the NY Department of Financial Services (“NYDFS”) cybersecurity regulation, which was instituted in 2017) are likely to become the norm, not the exception.  Violation of these more recent rules and requirements (and potential expenses and related fines) also do not apply only when data is lost through an actual breach, but also when data is destroyed or cannot be accessed (ransomware) and when data is improperly collected.  Moreover, cyber risks and costs are indiscriminate and affect all industries.

To offset these serious risks, cyber insurance usually is necessary.  Third-party cyber liability claims are not covered under most general liability policies including the Insurance Service Organization’s industry standard GL form.  Director & Officer liability policies usually exclude cyber liability claims.  Property policies, including the ISO “All Risk” form, typically exclude first party cyber claims.  Limited first party cyber coverage may be available through crime policies, and some Information Technology Industry Errors & Omissions policies afford third party cyber coverage.  In most cases, however, only a cyber policy can assure a company of the desired coverage.  A company has a much better chance for coverage and a prompt resolution of its claim under a cyber policy without the need to resort to litigation.

While cyber insurance has been available since the late 1990’s, it is rapidly expanding because of the continued need for a holistic approach to cybersecurity protection.  Indeed, insurance companies expect a surge of business as companies rush to purchase cyber insurance following the arrival of tougher regulations like the GDPR.

Cyber security and liability risks also often involve highly-technical, rapidly evolving information technology issues.  A prospective insured should inquire regarding the cyber experience of its broker, particularly if it is not using a large multi-line producer who has access to an IT consultant or cyber specialist.  Some brokers specialize in cyber insurance, and an insured should consider using a broker who possesses cyber experience.  While “bare bones” cyber coverage is available from authorized or “admitted” insurers, more comprehensive niche cyber coverage often is available only in the surplus lines or “non-admitted” market and can be brokered only by surplus lines producers.

The selection of an insurer is even more important.  In addition to issues of Best’s Financial Quality and Size Ratings, many insurers offer low cost, bares bones thirdparty coverage, while other insurers offer broader, albeit more expensive, coverage, and better claim service.

Cost-wise, premiums will be lower for those companies with comprehensive cyber-risk management plans in place with demonstrated levels of security and internal controls, i.e., better security equals lower risk, which equals more competitive pricing.  A company therefore is further incentivized to ensure it has adequate procedures in place to prevent, detect, investigate, and report data breaches.

The Level of Coverage Needed: Initial Considerations

One of the most important steps in the process of obtaining cyber insurance is to determine what type of coverage a company needs based on reasonably anticipated cyber risks inherent to a company’s business and position in the marketplace.  There are multiple considerations a company should undertake in assessing the kind and amount of coverage needed.

What type of company are you?

A company should consider:

>> its industry and the type of services it offers;

>> the type of data it handles (e.g., financial information, health information, credit information);

>> the makeup of its customers (e.g., whether they include EU citizens); and

>> what regulations it must follow.

Depending upon the kind of data it collects and handles, the company will be subject to a different array of regulations, which should inform the company regarding the type of cyber insurance coverage to be sought.  If a company is a financial institution, it must comply with the privacy rules of the Gramm Leach Bliley Act.  If the company handles personal health information, it will be subject to the privacy requirements of the Health Insurance Portability and Accountability Act, HIPAA.  If the company handles the data of EU citizens, it will be subject to the privacy restrictions (and severe potential penalties) of the GDPR.

First-Party and Third-Party Costs

The company also should think about the kinds of costs it may incur to manage a cyber incident/breach and whether cyber insurance coverage to defer or recoup all of those costs is necessary or prudent.  Such first-party costs can include:

>> forensic investigation costs to determine the source of the cyber incident/ breach and the extent of harm caused

>> remediation costs to rectify any network problem or software deficiencies

>> notification costs to customers whose data was compromised

>> data restoration costs of data stolen, lost, or altered

>> business interruption costs to help restore business functions and to maintain business capabilities while responding to a cyber incident

>> legal costs to evaluate regulatory obligations and assess any liability

>> public relation costs to help maintain and/or restore confidence in the company

Considering these first-party costs, however, is not as straightforward as it may seem.  For instance, assuming a company wants a policy to cover notification costs to advise its customers of a data breach, a company still needs to determine the type of notification it envisions.  Does it merely want to comply with statutory notification requirements or might it want to take a more aggressive approach to notification for customer relation purposes?  And how is the company going to notify its customers?  Email?  Regular mail?  First Class mail?  Similarly, when assessing remediation costs, the company also needs to determine if it wants to provide credit monitoring to its customers and have those costs covered under a cyber policy.  A company must think through these issues to help ensure the right cyber insurance coverage is obtained.

Furthermore, a company may also incur third-party costs as a result of a cyber-event, such as defending against a litigation or regulatory action.  Contemplating cyber coverage for these types of third-party costs also compels additional considerations regarding the extent of coverage desired.  For example, legal fees in defending a claim often can approach or even exceed the ultimate cost of settling the claim.  A company should decide if it wants its litigation costs to erode the policy’s limit of liability, sometimes referred to as being “cost-inclusive,” or whether defense costs should be in addition to the limit of liability.  With regard to a regulatory inquiry, while payment of fines and penalties is unlawful in some jurisdictions and is often excluded from coverage, the company must determine if it wants coverage to include investigatory costs in responding to the governmental inquiry.  Some policies cover up to half of the investigatory costs of responding to a governmental inquiry or subpoena, usually subject to a sublimit on liability.

Do the Provisions of the Policy Ensure the Desired Coverage?

Once a company identifies the coverage it hopes to purchase, it then is essential to carefully consider the specific provisions of a cyber policy to ensure receipt of the level of coverage sought for the cyber risk possibilities reasonably envisioned.  Among the questions when analyzing the policy’s provisions are:

>> When is coverage triggered?

>— Is the policy written on an “occurrence” basis, i.e., the breach must occur during the policy period to be covered, or is it written on a claimsmade basis, i.e., the claim must be made and reported during the policy period in order for coverage to be available?

>— If the policy is written on a claims-made basis, does the breach nevertheless have to occur during the policy period, does it merely have to be discovered in the policy period, or both?

— Is intentional conduct required (by a third-party or malicious company insider) or can coverage be triggered by the negligence of an employee?

>— Is the conduct of a malicious insider to the company covered or must the cyber incident be caused by an outside third-party?

>— Must data have been disseminated outside the company (a breach) or will the policy also cover situations where data is destroyed or cannot be accessed (e.g., ransomware)?

>> What kind of information is covered?

>— How is “personal information” defined?

>— Is “confidential corporate information” covered?

>> Does the policy require minimum security requirements be maintained to protect the company’s computer network and data?

>> What devices are covered?

>— Are only the company’s servers and computers covered?

>— How are mobile devices (laptops, mobile phone, thumb drives) treated?

>— If the company allows employees to use personal devices or work remotely (BYOD – Bring Your Own Device policies), are cyber incidents originating on an employee’s personal device covered?

>> Are cyber breaches or incidents caused by vendors assisting the company (e.g., HVAC, data processors, cloud providers) covered?

>— Would coverage only extend to breaches caused by a vendor on the company’s network?

>— Would coverage extend to a breach of a vendor’s network housing the company’s data?

>> What are the policy provisions regarding notice and defense of a claim?

>— How quickly does the policy require a claim to be reported to the carrier?

>— Whose knowledge of a breach is imputed to the company for the purpose of determining whether a claim has been reported late and whether an exclusion applies?

>— Does the definition of “claim” include responding to a subpoena?

— Is the defense obligation of the policy a “duty to defend” where the insurer controls the defense and settlement of a claim or does the policy have a duty to advance defense costs, which permits the policyholder to control the defense and settlement of the claim at the cost of the insurer?

>— If the policy has a duty to advance costs, are there limitations on who the company can retain as outside counsel or as a forensic expert?

>— Are regulatory investigations covered?

>— Does the policy cover investigatory costs in responding to a governmental inquiry?

>— Are fines covered?  If so, is the company domiciled in a jurisdiction where indemnification against fines and penalties is not against public policy?

>— How is regulator defined?  Does it cover EU regulators?

To be sure, disputes between policyholders and insurance carriers are inevitable, and insurers will attempt to strictly construe policies against coverage.  Courts are just beginning to interpret cyber insurance policy provisions, sometimes coming out on opposite sides of the same issue depending upon the jurisdiction.

For instance, courts have disagreed whether cyber insurance policies cover losses resulting from social engineering, i.e., when a company employee is falsely manipulated to wire out company funds based on what is believed to be a legitimate email authorizing the transfer but what is actually an email initiated by a fraudster.  Insurers may assert that a loss caused by social engineering (also known as business email compromise) is not a direct loss under the computer fraud provisions of a cyber insurance policy.  Carriers attempt to distinguish between fraudulently causing a transfer (via social engineering) and causing a fraudulent transfer (via hacking into a company’s computer network to wire out funds).

Insurers also have sought to disclaim coverage by invoking exclusions for a company’s failure to maintain agreed-upon levels of cybersecurity to protect the company’s network and data.  Courts have been asked to construe cyber policy provisions to determine whether the insured satisfied the policy’s security requirements.  Considering that industry cybersecurity measures are constantly updated, a company should attempt to avoid a situation where a court’s interpretation of policy language and evaluation of a company’s cybersecurity efforts will determine whether it can recoup losses from a cyber event.

Conclusion

As criminals find new and more inventive ways to attack computer systems or fraudulently cause the theft of company funds, a company faces the increased risk of loss, which can result from a combination of illegal activity, imperfect network security, and employee negligence.  As such, a company should undertake a complete strategy to combat cybersecurity-related threats, which includes procuring appropriate insurance coverage to manage reasonably anticipated cyber risks.  Carriers may attempt to dispute claims, so a company must give special attention to cyber policy language to avoid the possibility of coverage being denied.  To help negotiate policy provisions to avoid ambiguities and potential grounds for disputes, a company should explore using an insurance professional to help negotiate a policy with the desired coverage, including identifying additional policy endorsements that may be available to cover certain specific cyber threats.  When procuring cyber insurance, considering the questions and issues outlined above may make the difference between receiving expected cyber coverage and not.

 

© Copyright 2018 Sills Cummis & Gross P.C.
This post was written by Joseph B. Shumofsky and Thomas S. Novak from Sills Cummis & Gross P.C.

Will Your Company’s Insurance Cover Losses Due to Phishing and Social Engineering Fraud?

Six Tips for Evaluating and Seeking Coverage for Business Email Compromises

If your company fell victim to a business email compromise – a scam that frequently involves hackers fraudulently impersonating a corporate officer, vendor, business partner, or others, getting companies to wire money to the hackers – would your insurance cover your loss?  There is reason to be concerned about this sort of attack, as the FBI has explained that the “scam continues to grow and evolve, targeting small, medium, and large business and personal transactions. Between December 2016 and May 2018, there was a 136% increase in identified global exposed losses” in actual and attempted losses in U.S. dollars.  The good news for policyholders is that courts across the country have been ruling that crime insurance policies should provide coverage for this sort of loss, at least where it is not specifically excluded.

How do business email compromises work?

In early versions of business email compromises, the hackers send emails that appear to be from company executives, discussing corporate acquisitions, or other financial transactions, and are received by company employees in the finance department.  See, e.g.Medidata Sols., Inc. v. Federal Ins. Co., 268 F. Supp. 3d 471 (S.D.N.Y. 2017), aff’d, — F. App’x — (2d Cir. 2018).  The employee is told that the transaction is highly confidential, and that the employee should work closely with an attorney or other financial advisor to help close the deal.  The employee then is told to wire money to cover the costs of the transaction, very often to a foreign country.  Having been defrauded, the employee logs in to an online banking site, and approves a wire transfer.

In other versions of a business email compromise, hackers get access to email accounts of one party, sometimes via a brute force attack where an attacker breaks into a system by guessing a password, or via a phishing attackwhere a user is fooled into typing a username and password into a fraudulent site.  Then, the hacker sends out emails from the compromised account, pretending to be a vendor, and asking for payment to be sent to a different bank account.  See, e.g.Am. Tooling Center, Inc. v. Travelers Cas. & Sur. Co. of Am., — F.3d — (6th Cir. 2018).  Again, having been defrauded, the employee has money wired to the fraudster, instead of to the vendor.

Will insurance cover losses due to business email compromises?

The answer to whether insurance carriers will cover these losses – without court intervention – is “it depends.”  Recent decisions have ordered insurance carriers to provide coverage.  And the insurance industry has been scrambling to write new endorsements for their insurance policies that the insurance companies say provide coverage for business email compromises.

A common place for seeking coverage for these losses is under crime insurance policies.  Many crime insurance policies include coverage for “computer fraud,” “funds transfer fraud,” or even “computer and funds transfer fraud.”  Exemplar “computer fraud” coverage applies to “direct loss” of money resulting from the fraudulent entry, change, or deletion of computer data, or when a computer is used to cause money to be transferred fraudulently.  Exemplar “funds transfer fraud” coverage applies to “direct loss” of money caused by a message that was received initially by the policyholder, which purports to have been sent by an employee, but was sent fraudulently by someone else, that directs a financial institution to transfer money.  A reasonable policyholder, which fell victim to a fraudulent scheme via a computer, or transferred funds because of a fraudulent scheme, likely would think that computer and funds transfer fraud coverages would apply to the losses.

What have courts said?

Two recent decisions from federal courts of appeal have resulted in coverage under crime policies for business email compromise losses.

The first is the July 6, 2018 opinion issued in Medidata Solutions, Inc. v. Federal Insurance Co., No. 17-2492 (2d Cir.).  The Medidata trial court ruled that a crime insurance policy provides coverage for a fraudulent scheme and wire transfer.  The Court of Appeals for the Second Circuit affirmed the trial court’s decision.  In Medidata, the policyholder’s employees received emails that purported and appeared to be from high level company personnel but were, in fact, sent by fraudsters.  Based on those emails, and messages from purported outside counsel, Medidata wired nearly $5 million to the fraudsters.  It sought coverage under a crime policy that it bought from Chubb that had computer fraud, funds transfer fraud, and other coverages.  The trial court ruled that computer fraud and funds transfer fraud coverages both applied.  It rejected the arguments that the loss was not “direct” because there were steps in between the original fraudulent message and the wiring of funds.

On appeal, the Second Circuit ruled that Medidata’s loss was “direct” under the insurance policy language.  “Federal Insurance further argue[d],” as carriers have done in many business email compromise cases, “that Medidata did not sustain a ‘direct loss’ as a result of the spoofing attack, within the meaning of the policy.”  Slip op. at 3.  The Court of Appeals held that because “[t]he spoofed emails directed Medidata employees to transfer funds in accordance with an acquisition, and the employees made the transfer that same day,” the loss wasdirect.  Id.  The court rejected the insurance carrier’s argument that the loss was not direct because “the Medidata employees themselves had to take action to effectuate the transfer”; the employees’ actions were not “sufficient to sever the causal relationship between the spoofing attack and the losses incurred.”  Slip op. at 3.  The Court of Appeals did not address the trial court’s ruling that funds transfer fraud coverage applied, “[h]aving concluded the Medidata’s losses were covered under the computer fraud provision.”  Id.

Shortly after Medidata was issued, the Sixth Circuit decided on July 13, 2018 that computer fraud coverage applies to losses resulting from a business email compromise in American Tooling Center, Inc. v. Travelers Casualty & Surety Co., No. 17-2014 (6th Cir.).  There, the policyholder (ATC) wired money to fraudsters, instead of a vendor, because of a business email compromise.  The Sixth Circuit reversed the district court, ruling that the losses are “direct,” covered by crime insurance.

In a decision that will be published, the Court of Appeals held there was “‘direct loss’ [that] was ‘directly caused’ by the computer fraud,” even though the policyholder had engaged in “multiple internal actions” and “signed into the banking portal and manually entered the fraudulent banking information emailed by the impersonator” after receiving the initial fraudulent emails.  Id.

Holding that coverage applied, the Sixth Circuit distinguished the Eleventh Circuit’s decision regarding computer fraud coverage in Interactive Communications v. Great American, No. 17-11712, ___ F. App’x ___, 2018 WL 2149769 (11th Cir. May 10, 2018).  Id. at 9-10.  After the policyholder in American Tooling had “received the fraudulent email at step one,” it “conducted a series of internal actions, all induced by the fraudulent email, which led to the transfer of the money to the impersonator at step two.”  The loss occurred at step two; as such, “the computer fraud ‘directly caused’ [the policyholder’s] ‘direct loss.’”  Id. at 10.  By contrast, the Sixth Circuit explained, the policyholder in Interactive Communications only suffered losses at step four in a significantly more complicated chain of events.  See id. at 9-10.

These decisions are great news for policyholders pursuing coverage under crime policies for losses resulting from business email compromises.  And, in light of this new authority, policyholders would be well-advised to examine denial letters carefully, giving due consideration to whether these decisions could be used to argue in favor of coverage.

What options are available to policyholders going forward?

Cynical viewers of insurance history might view the state of coverage as similar to what the industry has done in the past.  That is, initially, cover new claims under “old” policies.  Then, after claims get expensive, hire coverage counsel to tell courts why the carriers must not have meant to cover these new claims (whether the drafting history reflects such an intent or not).  Next, get insurance regulators to approve exclusions purportedly tailored explicitly to the risk, and, at the same time, sell new policy endorsements (often for additional premium) that provide lower limits of coverage for the risk.

That’s what is happening in connection with insurance for business email compromises.  At least one insurance group that drafts crime insurance policies has asked for a definition of computer and funds transfer fraud to be changed, and a new social engineering fraud endorsement to be approved for sale.  Insurers have rolled out these endorsements with limits of coverage that often are capped at low amounts, and might also have high retentions.  These endorsements frequently are available for crime policies and, sometimes, are available for cyberinsurance policies as well.

So what are some options for policyholders trying to structure an insurance program for these risks?  These questions should provide helpful tips:

1. What does the insurance policy include? Policyholders would be well-advised to see whether the insurance program includes social engineering fraud endorsements or coverage parts.

2. What are the applicable limits? Policyholders would be well-advised to check the policy limits that would apply to those coverages.  Binder letters might not disclose a sublimit, and the policyholder might not realize the limit of coverage is lower than the full policy limit until it is too late.

3. Are coverages available under more than one policy? At the time of policy renewal, policyholders would be well-advised to consider asking whether social engineering fraud coverage can be added to a crime program and a cyberinsurance program.

4. Will excess coverage apply, and, if so, when? Policyholders would be well-advised to explore whether excess policies will provide this coverage, and, if so, will “drop down” to attach at the level of any sublimit, to avoid donut holes in the coverage.

5. Will other policy provisions provide coverage, beyond narrow endorsements? If the policyholder faces a claim, policyholders would be well-advised to determine whether other coverages might apply to the losses, notwithstanding a social engineering fraud endorsement.

6. What happens if the insurance carrier says, “no,” or that sublimits apply? If the insurance carrier denies coverage, or tries to apply a sublimit, policyholders would be well-advised to be mindful of the interpretation that two Courts of Appeals have used for computer fraud coverage in similar contexts.

 

© 2018 BARNES & THORNBURG LLP
This post was written by Scott N. Godes of Barnes & Thornburg LLP.