Uber-Complicated: Insurance Gaps for Rideshare Vehicles Can Create Uncertainty for Passengers and Drivers

Many of us have come to enjoy the convenience of summoning a ride via our smartphones with a rideshare service company such as Uber, Lyft, or Sidecar.  However, significant issues exist over whether rideshare vehicles have adequate insurance coverage to compensate people injured in accidents involving those vehicles.

If one is injured by a Greyhound bus, for example, there is little question that Greyhound likely would have adequate insurance to cover any injuries and likely would have sufficient resources to compensate the injured party even without insurance.

By contrast, if one is injured by a rideshare driver, there are several potential obstacles to securing adequate compensation.

First, the rideshare company may classify the driver as an independent contractor instead of an employee, meaning that the company will not accept responsibility for the driver’s actions.  Second, even if the rideshare company accepts responsibility, the company’s insurance may not provide coverage, as discussed below.  In that event, the injured party is left to rely on the driver’s insurance, which also may be inadequate and may even exclude coverage for rideshare-related accidents.

The independent contractor issue has been litigated in numerous states with different outcomes.  Uber currently is facing two class action lawsuits in California related to this issue: Ghazi v. Uber Technologies, Inc., et al., No. CGC-15-545532 (Superior Court of California, County of San Francisco) and O’Connor v. Uber Technologies, Inc., et al., No. CV-13-3826 (U.S. District Court for the Northern District of California).[1]

Even if rideshare companies accept responsibility for a driver’s conduct, the companies typically have provided only limited insurance for their drivers.  Specifically, rideshare companies typically have not provided coverage in the following two periods: (1) when the rideshare app is turned off, or (2) when the app is turned on but no passenger is in the vehicle.

But, a horrific accident involving an Uber vehicle helped to start changing this dynamic.  Uber was sued in 2014 in California after a driver struck and killed a child during period (2) above, when he had his app turned on but had not yet picked up a passenger.  The case is captioned Liu v. Uber Technologies Inc., et al., No. CGC-14-536979 (Superior Court of the State of California, County of San Francisco).

California and other states recently have started requiring rideshare companies to maintain some coverage for their drivers in period (2), but that coverage is limited.  The companies typically provide contingent liability coverage with $50,000 per person/$100,000 per accident bodily injury coverage, but this insurance typically pays only for losses not covered by the driver’s personal policy.

And, even when rideshare company coverage is in place, insurers have relied on certain insurance policy exclusions in an effort to avoid paying claims.  One insurer is currently making such arguments in the coverage dispute with Uber over the Liu settlement.  See Evanston Insurance Co. v. Uber Technologies, Inc., No. C15-03988 WHA (U.S. District Court for the Northern District of California).

If a rideshare company’s commercial insurance is inadequate to fully compensate an injured party, that person is left to rely on a driver’s personal insurance.  But the driver’s insurance may be of no help because personal auto policies often contain an exclusion (the “livery exclusion”) for accidents occurring during commercial use of the vehicle, such as when a driver is transporting a passenger for hire.

Recently, there has been some effort in the insurance industry to close the insurance gaps discussed above, particularly during period (2), when a rideshare driver is using a mobile app but has not yet picked up a passenger.

In March 2015, the National Association of Insurance Commissioners adopted a white paper on insurance coverage for rideshare companies titled “Transportation Network Company Insurance Principles for Legislators and Regulators.”  The paper recommends that rideshare companies provide full coverage for period (2) or that drivers purchase individual commercial coverage during that period.

Similar to California, legislatures in Colorado, Illinois, and Virginia have passed laws requiring rideshare companies to offer full insurance during period (2).

In addition, some insurance companies are offering products to rideshare drivers to protect them in the event that rideshare companies’ commercial insurance does not pay.  For example, Geico (in Maryland and Virginia) and Progressive (in Pennsylvania) are offering individual commercial insurance to rideshare drivers that has lower rates than most commercial insurance.  USAA (in Colorado and Texas) offers a commercial insurance policy to rideshare drivers for an extra $6 to $8 per month.  Erie Insurance (in Illinois and Indiana) has removed an exclusion from personal auto policies purchased with a “business use” designation such that rideshare drivers now may be covered.

Overall, many options are emerging to provide additional insurance coverage on rideshare vehicles for the benefit of passengers and other third parties at all stages of the transportation process – from the time a rideshare driver turns on the app through the transport of a passenger.  Passengers, drivers, and affected third parties should continue to monitor these developments to make sure they are adequately protected.

© 2016 Gilbert LLP

[1] One consequence of the driver being classified as an independent contractor is that rideshare companies do not have to provide worker’s compensation insurance for a driver’s on-the-job injuries.  The Ghazi case addresses whether Uber drivers actually are employees and thus Uber must provide worker’s compensation insurance.

Drones: Insurance Coverage Issues

With new regulations for unmanned aerial vehicles (UAVs, or drones) and a seemingly never-ending expansion of use cases and attendant sources of liability, drone operators and those concerned about damage caused by drones need to carefully consider the role of insurance. As in other contexts, insurance—if carefully tailored and negotiated—can be an effective risk-transfer tool.

Insurance that potentially covers loss related to drones is in flux, but generally falls into three categories:

1. Specialty Aircraft Insurance: While specialty products related to aircraft, including unmanned aircraft, have been on the market for a number of years, use of those products historically has been limited to individuals, companies and enterprises whose core business relates to aircraft. This type of insurance is not always tailored to drones with cameras, which raise additional potential liability (e.g., invasion of privacy).

2. Commercial General Liability (CGL) Insurance: Most other insureds rely on a commercial general liability (CGL) policy to provide protection. But earlier this year, the Insurance Services Office (ISO), which proposes and makes changes to the standard CGL form used by most insurers, revised the provisions that might apply to drone-related liability. Some of these revisions purport to exclude coverage for liability related to drones that, for example, might arise from subcontractors’ or independent contractors’ operations for which the insured might be vicariously liable. Other changes to the CGL policy form require detailed attention to specific drones and projects or to whether violations of privacy might occur. The ISO changes warrant careful consideration, both when considering the purchase of insurance, as well as during contract negotiations where risk transfer is a significant issue.

3. Homeowners’ Insurance: Finally, for non-commercial insureds hoping to rely on their homeowners’ insurance policies, many insurers are seeking to include exclusions for drone-related liability in their new policies. Spend the time to learn whether or not your policy provides adequate coverage.

Purchasing insurance for drone-related liability is only the first step. Claims related to damage caused by drones are on the rise and will only continue to rise in the future. When faced with insurance claims, expect insurers to examine closely whether the insured complied with all applicable regulations, industry standards with respect to training, policies or procedures outlined in the application for insurance, and others.

In short, insurance can be an effective risk-transfer tool for commercial drone operators or those concerned about drone-related liability. The recent changes in policy terms and a rapidly-changing marketplace for insurance require diligence and specialized knowledge of how the offered insurance policy fits the insured’s potential liability.

© MICHAEL BEST & FRIEDRICH LLP

Cyber Liability: The Risks of Doing Business in a Digital World

Major security and data breaches have become more prevalent in the past decade. News headlines are dominated by stories of major corporations having networks hacked and subjecting employees’ and customers’ personal, financial and health information to cyber threats. Perhaps one of the following from 2014 will sound familiar:

  • January: Snapchat had the names and phone numbers of 4.5 million users compromised

  • February: Kickstarter had personal information from 5.6 million donors compromised

  • May: eBay’s database of 145 million customers was compromised

  • September: iCloud had celebrity photostreams hacked

  • November: Sony Pictures had the highest profile hack of the year involving email accounts, video games and movie releases

While the news headlines make it easy to think this is an issue for large, Fortune 500 companies, the risk is equally widespread, but much less publicized, for small businesses.

While the data breaches at small businesses do not garner the same attention as the data breaches occurring at Sony or iCloud, the impact to the organization and the liability the organization incurs are largely the same.

Although there are many studies available giving analytics on the types of data breaches that occur, those most common to small businesses can be described in three general categories: unintentional/miscellaneous errors, insider misuse and theft/loss.

Unintentional and miscellaneous errors are any mistakes that compromise security by accidentally posting private data to a public site, sending information to the wrong recipients or failing to dispose of documents or assets securely. For example, have any of your employees ever accidentally sent an order (with account information) to the wrong email address?

Insider misuse is not a situation where an accidental error occurs. Rather, an employee or someone with access to the information intentionally accesses the data to use it for an unlawful purpose. For example, a disgruntled clerk in the billing department accesses customer information to obtain name, date of birth and bank account information in order to fraudulently establish a credit card in that customer’s name. Consider another scenario where a third party vendor, a benefits provider, for example, handles employee information. Once transmitted, the employer loses control over information security for that data. Savvy business owners will make sure their contracts with vendors make the vendor responsible for any data breach that occurs during the engagement and that it will indemnify the business for any actions arising from such a breach.

Data breaches also result from physical theft or loss of laptops, tablets, smart phones, USB drives or even printed documents. Consider a scenario where the Human Resource director is heading to a conference and her laptop is stolen at the airport. The laptop is not encrypted or pass coded and the thief can access all the employee files the director keeps on her computer.

In the past decade, laws have been aimed at narrowing the information that can initially be collected by businesses and with whom it can be shared, as well as mitigating the breach after it occurs.

Federal regulations like the Health Insurance Portability and Accountability Act (HIPAA) limit the collection and use of protected health information, and also have requirements for entities suffering a data breach, including customer notification and damage mitigation provisions, such as mandatory credit monitoring and fraud protection for affected customers.

The Personal Information Protection Act requires government agencies, corporations, universities, retail stores or other entities that handle nonpublic personal information to notify each Illinois resident who may be affected by a breach of data security. 815 ILCS 530/1 et seq. Personal information is defined as: an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:

  1. Social security number.

  2. Driver’s license number or State identification card number.

  3. Account number or credit card or debit card number, or an account number or credit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

The required notice to Illinois residents must include contact information for credit reporting agencies and the Federal Trade Commission, along with a statement that the individual can obtain information from those sources about fraud alerts and security freezes. 815 ILCS 530/10(a). If the data breached is data that the entity owns or licenses, the notice must be made without unreasonable delay. Id. If the data breached is data that the entity does not own or license, notice must be made immediately. 815 ILCS 530/10(b).

Failure to notify affected consumers is a violation of the Illinois Consumer Fraud and Deceptive Business Practices Act. 815 ILCS 530/20.

Technology is everywhere. Smart phones, tablets, laptops, the internet, online bill payments and the like have changed the way businesses operate. There is no denying that technology allows for efficient and effective commerce and communication. Unfortunately, the same technology that allows for faster and more efficient commerce and communication also subjects businesses to new forms of risk when it comes to data security.

There are risk management tools that all businesses should be aware of and using on a daily basis. Anti-virus software, passwords on all devices, frequent backups of data and encryption for sensitive information transmitted electronically are just a few.

What if a business owner takes all the steps necessary to reduce the risk of a data breach and it still occurs? There is a way to reduce damages and to shorten the recovery and restoration timeframes.

Cyber Liability insurance can protect businesses, large and small, from data breaches that result from malicious hacking or other non-malicious digital risks. This specific line of insurance was designed to insure consumers of technology services or products for liability and property losses that may result when a business engages in various electronic activities, such as selling on the internet or collecting data within its internal electronic network.

Most notably, cyber and privacy policies cover a business’ liability for data breaches in which the customer’s personal information (such as social security or credit card numbers) is exposed or stolen by a hacker.

As you might imagine, the cost of a data breach can be enormous. Costs arising from a data breach can include: forensic investigation, legal advice, costs associated with the mandatory notification of third parties, credit monitoring, public relations, losses to third parties, and the fines and penalties resulting from identity theft.

While most businesses are familiar with their commercial insurance policies providing general liability (CGL) coverage to protect the business from injury or property damage, most standard commercial line policies do not cover many of the cyber risks mentioned above. Furthermore, cyber and privacy insurance is often confused with technology errors and omissions (tech E&O) insurance. However, tech E&O coverage is intended to protect providers of technology products and services such as computer software and hardware manufacturers, website designers, and firms that store corporate data on an off-site basis. Cyber risks are more costly. The size and scope of the services a business provides will play a role in coverage needs and pricing, as will the number of customers, the presence on the internet, and the type of data collected and stored. Cyber Liability policies might include one or more of the following types of coverage:

  • Liability for security or privacy breaches (including the loss of confidential information by allowing or failing to prevent unauthorized access to computer systems).

  • The costs associated with a privacy breach, such as consumer notification, customer support and costs of providing credit monitoring services to affected customers.

  • Costs of data loss or destruction (such as restoring, updating or replacing business assets stored electronically).

  • Business interruption and extra expense related to a security or privacy breach.

  • Liability associated with libel, slander, copyright infringement, product disparagement or reputational damage to others when the allegations involve a business website, social media or print media.

  • Expenses related to cyber extortion or cyber terrorism.

  • Coverage for expenses related to regulatory compliance for billing errors, physician self-referral proceedings and Emergency Medical Treatment and Active Labor Act proceedings.

While cyber liability insurance may not be right for all businesses, those that actively use technology to operate should consider the risks they would be exposed to if a data breach occurred. In addition, there are many different cyber policy exclusions and endorsements. Not all policies are created equal.

Is ‘Loss of Value’ Insurance Worth The Price For Student-Athletes, Universities?

Disability insurance policies are frequently secured by college football players, especially those who expect to be selected in the early rounds of the NFL draft. These policies are typically secured by the player in one of two forms. One option allows players to secure coverage to protect against “total permanent disability”. Such coverage would only pay the athlete in the event of a catastrophic, career-ending injury. Alternative policies can protect the athlete against the potential “loss of value” tied to the player’s projected draft position. This type of insurance coverage provides a player protection in the event his projected draft position drops because of injury. Typically, the policy would make up the difference between the projected bonus money and the actual contract amount secured by the player. Unfortunately, ‘loss of value’ insurance policies may not be as easy to collect on as initially thought.

High-profile players, including 2015 NFL Draft’s No. 1 pick Jameis Winston, have secured the insurance expecting that if an injury causes their draft stock to fall, thus resulting in a lesser contract, they can collect on the policy to recoup some of the lost earnings. Jameis Winston’s premium for “loss of value” insurance was reportedly paid out of the Florida State University’s Student Assistance Fund (SAF). The SAF allows schools to “assist student-athletes in meeting financial needs that arise in conjunction with participation in intercollegiate athletics, enrollment in an academic curriculum or that recognize academic achievement.”

In addition to schools using the NCAA authorized Student Assistance Fund to pay insurance premiums for star athletes, the NCAA issued a waiver after the start of the 2014 football season creating a new avenue for college football players to secure loss of value insurance. While student-athletes had previously been able to secure the loss of value insurance only with their own funds or the use of SAF, purchasing the insurance became easier in October, when the NCAA began granting waivers to student-athletes, allowing them to purchase the insurance by borrowing against their future earnings to secure a loan from an established, accredited commercial lending institution, for the purpose of purchasing loss-of-value insurance. However, despite the increasing popularity of the loss of value insurance, no collegiate student-athlete has been able to collect on a policy, according to ESPN’s Darren Rovell. Former University of Southern California wide receiver Marqise Lee is currently experiencing the challenges of trying to collect on his policy.

Lee, once projected as a first round pick, purchased loss of value insurance in August 2013. He paid a $94,600 premium for $9.6 million in coverage. Lee believed that the coverage protected him if his draft position dropped and he signed a rookie contract worth significantly less than the projected $9.6 million amount. Lee injured his left knee just two games into the 2013 season. As a result of the injury, Lee’s draft position dropped to the 39th overall pick in the 2014 NFL draft. Ultimately, he signed a contract with the Jacksonville Jaguars for $5.17 million. Lee filed an insurance claim and attempted to collect on the policy, but was unable to do so, as the insurance company raised a defense that Lee had misled it with regard to pertinent medical information. In March 2015, Lee, along with a former USC teammate facing a similar issue, sued the insurance company over its failure to honor the policy.

Lee’s lawsuit highlights the potential challenges of collecting on loss of value policies. While the securing of insurance policies for student-athletes has indeed become a tool for universities to help star players remain in school and temporarily forgo the NFL, the possible issues related to collection are apparent. The University of Oregon utilized its SAF to purchase policies for its players, including cornerback Ifo Ekpre-Olomu. Ekpre-Olomu, once projected as a first round pick, likely will attempt to collect on his policy after an ACL injury in December 2014 caused him to fall to the seventh round of the 2015 Draft. The cornerback’s policy, which cost the University of Oregon $40,000, calls for a $3 million payout since Ekpre-Olomu’s late-round selection was well after the coverage threshold of the first picks of the third round of the 2015 Draft.

All athletes that utilize the NCAA waiver to purchase insurance or universities that allocate SAF to purchase loss of value insurance will need to monitor Lee’s lawsuit and Ekpre-Olomu’s attempt to collect on his policy. If student-athletes continue to face difficulties collecting on their policies, both student-athletes and their universities will need to reconsider whether such policies are worth the cost.

Authored by Michael B. Ackerstein and Gregg E. Clifton of Jackson Lewis P.C.

Jackson Lewis P.C. © 2015

Auto Insurers Again Seek Dismissal of In re Auto Body Shop Antitrust Litigation

In early March, the auto insurer defendants in the In re Auto Body Shop Antitrust Litigation renewed their motions seeking the dismissal of plaintiffs’ action, this time directed at plaintiffs’ Second Amended Complaint. The insurer defendants urged the Court to dismiss the action with prejudice, maintaining that, despite three attempts, the plaintiff auto body shops have still failed to include sufficient facts to make their claim of conspiracy plausible.

The action, commenced well over a year ago as A&E Auto Body v. 21st Century Centennial Insurance Co. and subsequently transformed into a multidistrict litigation proceeding (In re Auto Body Shop Antitrust Litigation, MDL 2557) after similar cases were filed in a multitude of states, centers upon a claim that many of the leading auto insurers in the country conspired to reduce rates for the repair of damaged vehicles and to steer insureds away from auto repair shops that refused to accept lower reimbursement rates for their services. The cases were consolidated before Judge Gregory Presnell (M.D. Fla.) in late 2014, and in early 2015 Judge Presnell dismissed plaintiffs’ First Amended Complaint, finding that the plaintiffs had failed to plead an antitrust conspiracy with the degree of specificity required under Bell Atlantic v. Twombly, 550 U.S. 544 (2007).

In February, plaintiffs filed their Second Amended Complaint, seeking to cure the deficiencies in the complaint identified in Judge Presnell’s prior rulings. In March, the defendants filed several new motions to dismiss the action. One group of defendants (including State Farm, Allstate, Progressive and 21st Century) maintained that the plaintiffs’ allegations still failed to include sufficient factual support to plead an actionable antitrust conspiracy, which they described as the “crucial question” in the case. Claiming that the plaintiffs’ allegations demonstrated nothing more than “parallel conduct” towards the plaintiffs, not agreement, these defendants renewed their request to have the action dismissed as to them. Another group of defendants (which includes Hartford, Nationwide and Zurich American) went a step further, arguing that the plaintiffs had failed to allege any material facts specifically about them, despite Judge Presnell’s express instruction in his prior dismissal order in January (without prejudice, on that occasion) that plaintiffs provide detailed allegations about each defendant’s involvement in the alleged conspiracy. Finally, one defendant (Old Republic) filed a separate motion seeking not only dismissal, but sanctions as well, based on the claim that the plaintiffs had been put on notice by the Court that particularized allegations as to each defendant’s alleged conduct were required, and that plaintiffs’ failure to include any additional factual support for their claims against Old Republic was sanctionable conduct.

In late March, the plaintiffs filed an “omnibus” response to all of the defendants’ motions, arguing that dismissal of the case at this juncture was not warranted. Asserting that “the Second Amended Complaint complies in every respect with the Court’s [January] Order,” the plaintiffs urged the Court to permit them to proceed into discovery. Specifically, the plaintiffs maintained that the parallel conduct alleged in the Second Amended Complaint constitutes “circumstantial evidence of conspiracy” and that the Supreme Court has never expressly held how many “plus factors” supporting a claim of conspiracy are required to satisfy a plaintiff’s pleading obligations. Plaintiffs contended, therefore, that they are not required to “set out specific facts establishing the time, place or persons involved in the conspiracy” nor are they required to allege an “express agreement.” Instead, they maintained, their allegations of parallel conduct, coupled with their allegations about the defendants’ collective market share, motive to conspire and opportunity to do so are more than sufficient to meet their pleading obligations.

In early April, the auto insurers filed reply briefs responding to the plaintiffs’ contentions. Perhaps most significantly, those defendants that had argued that the Second Amended Complaint still failed to contain any significant allegations about their specific conduct noted that the plaintiffs’ response had failed to refute that assertion in any meaningful way (“Rather than simply admit that they failed to allege anything against the moving defendants under the Sherman Act…plaintiffs point to allegations against the other defendants….” emphasis in original).

The entire set of motions is now before Judge Presnell for consideration, with the defendants urging the Court to take a “three strikes, you’re out” approach to the plaintiffs’ case. Whether Judge Presnell will adopt defendants’ baseball analogy and dismiss the case, with prejudice, as to all or some of the defendants remains to be seen. What is certain is that this matter will continue to be a significant focus of attention for the entire auto insurance industry over the coming months. Stay tuned.

Authored by James M. Burns of Dickinson Wright PLLC

© Copyright 2015 Dickinson Wright PLLC

Can Business Owners Get Insurance to Cover Losses from Riots, Vandalism and Civil Unrest?

The recent civil unrest in Baltimore, just like the mayhem that took place in Ferguson, Missouri, last year, is a stark reminder that we live in troubled times. While the events that lead to such occurrences are varied, and the societal issues that influence them can be widely debated, one thing is clear – the damage and destruction left in their wake is devastating. Shops burn, glass storefronts are shattered, inventory is stolen and valuable property is otherwise vandalized. Luckily for business owners both directly and indirectly affected by these unfortunate events, they can and should turn to their business property insurers to cover what, in many instances, can be staggering losses.

First steps for obtaining coverage for losses from riots, vandalism and civil unrest

For any impacted business owner, the first step is to locate and review his or her business property insurance policy. Once the policy has been located, provide notice of any losses promptly. If the policy is written on a defined risk or peril basis, generally the covered risks or perils will include riots, vandalism, civil commotion, looting and malicious mischief. If the policy is written on a broader and more inclusive all-risk or all-peril basis, any risk or peril causing a loss will be a covered event unless otherwise excluded.[1] Provided that the events surrounding the period of civil unrest are covered perils, the policy should provide basic protection for direct physical damage or loss to covered property, as well as resulting business interruption loss and associated extra expense.

Look to coverage extensions that could apply and provide further coverage

In many instances, a business property policy will also contain a host of coverage extensions that can also be extremely valuable sources for recovery. The following is just a brief overview of some of these additional or supplemental coverages potentially available to impacted business owners.

  • Civil Authority Coverage: Coverage under this extension is provided for a business interruption loss due to an order of civil authority that prevents access to an insured location. Thus, if a curfew is imposed or the public is otherwise prevented by authorities from accessing a business area, resulting business interruption and extra expense coverage may be available. Importantly, coverage is not dependent on the policyholder actually sustaining damage to his or her own property. However, coverage under more restrictive policies will be conditioned on the order of civil authority being issued as a direct result of property damage within the vicinity of the insured location. Less restrictive policies will not contain such a condition and will allow for business interruption coverage whenever business is impacted by an order of civil authority regardless of the existence of property damage.
  • Ingress/Egress Coverage: Pursuant to this supplement, business interruption and extra expense coverage is provided when direct physical damage physically prevents ingress to or egress from an insured location. For example, if customers are physically unable to obtain access to a business because of surrounding physical damage – such as downed power lines – business interruption coverage may be available. As with civil authority coverage, actual physical damage to the policyholder’s own property may not be a prerequisite to coverage.
  • Attraction Property Coverage: Yet another example of a business interruption coverage source available even if there is no direct physical damage to an insured location is attraction property coverage. Under this extension, business interruption coverage may be available if locations neither owned nor operated by the policyholder, but which attract business to the policyholder, sustain physical damage. Examples of such attraction properties may include convention centers, sports venues, theme parks, restaurants, theaters and casinos.
  • Accounts Receivable Coverage: In the event that a policyholder sustains physical loss or damage to his or her accounts receivable records – resulting from an event such as a fire – coverage under this grant will generally be available for any shortfall in the collection of the impacted receivables.
  • Protection and Preservation of Property Coverage: In addition to providing coverage for the costs incurred for actions to temporarily protect or preserve insured property in the event of actual or threatened physical loss or damage, this coverage extension may also apply to fire department charges incurred for responding to a fire at an insured location and the costs incurred for restoring and recharging fire protection systems.

Takeaways for obtaining coverage

As stated above, when confronted with a loss, policyholders should be extremely diligent in providing notice to their carriers as soon as possible. Policyholders must also be mindful that their policies likely contain other time sensitive conditions. For example, a policy may contain a requirement that the policyholder provide a sworn proof of loss within 30 days following the loss. The policy may also provide that the policyholder only has a set amount of time in which to bring suit against the carrier for failure to pay a loss. Failure to abide by these conditions may provide the insurer with technical bases to avoid their coverage obligations.

Above all else, policyholders must not forget that the coverage that they purchase is an asset that can and should be called upon to respond in the event of a loss. A detailed review and understanding of that policy asset is necessary to fully maximize the coverage for which valuable premium was paid.

[1] Terrorism can be an excluded peril under some property policies. While the riots our country has recently witnessed would not ordinarily be thought of as terrorist events, policy definitions can be extremely broad. Fortunately, many policies will specifically exclude riots and related activities from their definition of terrorism.

Authored by: Adam K. Hollander of Barnes & Thornburg LLP

© 2015 BARNES & THORNBURG LLP

Are Helmets Required in Pennsylvania and New Jersey?

As most riders know, wearing a helmet is mandatory in New Jersey. Not so in Pennsylvania, where anyone who is 21 years of age or older and either has been licensed to operate a motorcycle for not less than two full calendar years OR has completed a motorcycle safety course approved by PennDOT or the Motorcycle Safety Foundation can ride without one. Beyond the arguments for or against mandatory helmet laws is the reality of the dangers associated with riding without one. A few years ago, the Philadelphia Inquirer published an article on the Pennsylvania law that permits riders to forgo a helmet and State Representative Dan Frankel’s effort to reinstate a mandatory helmet law.

According to the National Highway Traffic Safety Institute, in New Jersey in 2007 there were 85 motorcycle-related fatalities, and 82% of those riders were wearing helmets. The National Highway Safety Institute estimated that 42 people’s lives were saved by wearing helmets and that 6 fatalities would have been prevented with 100% use of helmets. In 2008, there were 82 fatalities, with 87% wearing helmets; NHTSA estimates that another 42 lives were saved because of helmets and that 4 fatalities would have been prevented with 100% use of helmets.

In Pennsylvania in 2007 there were 225 motorcycle-related fatalities; 46% were wearing helmets, and another 61 people’s lives were saved by wearing helmets. In 2008, there were 239 fatalities, with 49% wearing helmets, and another 70 lives were saved because of helmets. The NHTSA also estimated that 45 lives in 2007 and 45 lives in 2008 would have been saved if the riders had been wearing helmets.

Across the US there were over 5000 fatalities in both 2007 and 2008 from motorcycle accidents with only 58% wearing helmets. NHTSA estimated that in those two years there were 3615 lives saved by the use of a helmet and another 1627 lives would have been saved if they were wearing helmets. More recently, in 2012, NHTSA estimates helmets saved the lives of 1,699 motorcyclists and that an additional 781 lives could have been saved if all motorcyclists had worn helmets. In states without universal helmet laws, 62% of the motorcyclists killed in 2012 were not wearing helmets compared to 9% in the states with universal helmet laws. Think about that for a minute.

In addition, NHTSA sponsored a study in 1996 to assess the effect of wearing a helmet upon the ability of motorcycle riders to: (1) visually detect the presence of vehicles in adjacent lanes before changing lanes and (2) to detect traffic sounds when operating at normal speed. The results indicate that wearing helmets does not restrict the ability to hear auditory signals or the likelihood of seeing a vehicle in an adjacent lane prior to changing lanes.

I have no reason to doubt these figures. A few years ago while traveling to Court in rush hour traffic on I 95 towards Philadelphia I saw a rider go flying over his handle bars onto the roadway. It was shocking to say the least. I thought he was unconscious. I pulled over to the side of the road and watched as he got up. Another motorist and I assisted the rider to the side of the road. He had a full face helmet and a motorcycle leather jacket and blue jeans. He was disoriented and almost lost consciousness a few times. His knees were scraped through his jeans and bleeding. His jacket showed the signs of a serious incident. His helmet showed damage that would have caused a serious injury to a rider without one. Despite his protective gear, I was sure that he had suffered serious injuries. I am happy to report that he called me the next day to tell me that but for his bruised/scraped knees, he was fine. It is clear to me that his helmet and jacket had adequately protected him from more serious harm. As a rider I routinely see other riders in Pennsylvania riding without helmets. In both states it is common to see riders in shorts, sneakers and T shirts. I rode for many years in jeans and a T shirt but always with a helmet. It is great to ride on a warm summer day without the bulk of protective clothing. It’s also dangerous. At many of the rallies I attend I am often engaged by visitors about their right to ride without a helmet. It’s a debate worth having. What is often overlooked are the true consequences of that action. As indicated above, helmets save lives. That’s indisputable.

What is missing from those statistics are the consequences of sustaining an injury as a result of not wearing a helmet and surviving. NHTSA estimates on a national level we would have saved 2.7 billion dollars in 2007 and 2.9 billion dollars in 2008 if there was 100% helmet use. This of course fails to consider the impact to the rider and their families. Many head injuries are quite serious and have long term consequences, job loss, medical bills and other financial strains. Many of the more serious head injuries lead to long term disability and regular care. We see this regularly when representing injured riders. As many of us in the motorcycle community know, motorcycle insurance provides in most cases no medical benefit and in others, very little coverage. Riders without insurance who suffer serious head injuries become dependent on Federal programs such as SSI and Medicaid. Even people with insurance don’t have enough coverage for a lifetime of care.

I urge anyone reading this to reconsider riding without a helmet. I’m sure the families of those who lost loved ones or who are now watching someone suffer because they were not wearing a helmet would join in my request. Every motorcycle rider understands that there is some danger associated with riding but that doesn’t mean that you should not be prudent and take precautions to minimize your risk.

COPYRIGHT © 2015, STARK & STARK     Authored By:  Joel R. Rosenberg

Will Cyberinsurance Cover Target's $19 Million Mastercard Settlement?

Barnes & Thornburg LLP Law Firm

Another credit card in the mail?

If you’re reading this post, you’ve probably received a new credit or debit card in the mail, attached by rubber cement to a cover letter explaining that your card number could have been compromised – so you ended up with replacement cards. You might even have received new cards more than once over the past five years. Perhaps you even received a new card with an explanation that after the data breach at Target Corporation, your “issuing bank” – the bank that issued you the credit or debit card – decided to send you a new card. And maybe you signed your card, called to activate it, replaced your old card, and didn’t give a second thought to it. After all, consumers generally are not financially responsible for fraudulent charges and likely did not pay to get the shiny new piece of plastic in the mail.

What are card brand liabilities?

The payment card brands, however, view such incidents differently than do individual consumers. The payment card brands frequently pursue retailers, either directly or by means of a payment processor. They allegedly do so on behalf of the issuing banks and the losses that the issuing banks allegedly suffered as a result of the data breach.[1] The brands allege that the retailers are responsible for the fraudulent charges that were incurred and the amounts spent to replace payment cards. As Target explained in its 2014 Form 10-K:

“In the event of a data breach where payment card data is or may have been stolen, the payment card networks’ contracts purport to give them the ability to make claims for reimbursement of incremental counterfeit fraud losses and non-ordinary course operating expenses (such as card reissuance costs) that the payment card networks believe they or their issuing banks have incurred as a result of the event.”[2]

Those amounts can run into the millions of dollars (Card Brand Liabilities). Card Brand Liabilities also may include amounts for alleged failures to maintain certain levels of computer security required by contract (so-called PCI-DSS compliance).[1] The amounts owed for alleged fraudulent charges and replacement of compromised credit cards often dwarf the amounts of fines for alleged PCI non-compliance.[2] Some incidents that involved more than 1 million allegedly exposed card numbers have resulted in Card Brand Liabilities in the millions of dollars.[3]

Target’s card brand liabilities…and pending settlement of them with MasterCard

Target disclosed that three out of the four payment card brands made written demands for Card Brand Liabilities, and that it expected the fourth brand to do so as well.[4] The total amount of Target’s potential Card Brand Liabilities is unclear, but Target did disclose that it had incurred $252 million of data breach-related expenses, an amount that accounts for Card Brand Liabilities.[5]

On April 15, 2015, Target announced that it had reached a settlement of its Card Brand Liabilities with MasterCard for up to $19 million.[6] Interestingly, Target explained that the settlement is contingent upon the issuing banks, which allegedly reimbursed the fraudulent charges and issued the new cards, agreeing to accept payment via the MasterCard settlement and the issuing banks dropping claims against Target.[7] This requirement is fascinating, as issuing banks have filed a putative class action against Target directly, alleging that they suffered losses as a result of Target’s data breach.[8] It may be that the MasterCard settlement resolves at least part of the claims at issue in the issuing bank litigation.

Will Target’s cyberinsurance cover its card brand liability settlement?

Now for the question you’ve been waiting for: will Target’s insurance policies cover its $19 million settlement with MasterCard? Probably.

Without commenting on the correctness of the position, consider that one underwriter has written that Card Brand Liabilities are contract-based indemnities and may be excluded from cyberinsurance coverage, with emphasis added:[9]

Many policy forms in the marketplace directly exclude contractual indemnities and liability, including that which stems from merchant service agreements. Some policy forms initially grant coverage for breach of contract claims, but then add exclusions concerning key components of this coverage. In addition, some policy forms exclude breach of contract claims with some very narrow carvebacks to the exclusionary wording that may not help the insured much in the event of a payment card breach.

Although most privacy/security insurance policies grant the insured coverage for situations in which they need to incur the first-party costs to notify individuals and extend insureds credit monitoring services, not all will directly respond to the breach of, or the indemnities contained in, a merchant services agreement.

Without commenting on the merits of it, consider an opposing view that Card Brand Liabilities could be treated as common law claims for purposes of insurance coverage, not liabilities created by contract, and the payment card brands are demanding amounts as agents for the issuing banks. Target may not have to address whether its Card Brand Liabilities were created by merchant services agreement contracts or are common law liabilities, because Target reportedly has $50 million in coverage for this exact type of loss:

“To limit our exposure to losses relating to data breach and other claims, we maintain $100 million of network-security insurance coverage, above a $10 million deductible and with a $50 million sublimit for settlements with the payment card networks.”[10] 

How would your insurance cover card brand liabilities? Even if you have cyberinsurance, does the policy address card brand liabilities? Does your insurance carrier’s claim handler view the losses as liabilities under a merchant services agreement contract? Or as common law liabilities? If it’s the former, are there exclusions for liabilities allegedly assumed in a merchant services agreement contract? Or sublimits on the total policy limit (making just a fraction of coverage available)?

Consider using the Target announcement as a perfect opportunity to review your insurance – including your cyberinsurance – policies closely to figure out whether you would have full coverage for these losses. The last thing that you want to face is the prospect of your insurer denying coverage for millions of dollars in losses after you were told that buying cyberinsurance would be a panacea for all things cyberrisk.


[1] See, e.g., First Bank of Del., Inc. v. Fid. & Deposit Co. of Md., 2013 WL 5858794, at *2 (Del. Super. Oct. 30, 2013), rearg. denied, 2013 WL 6407603 (Del. Super. Dec. 4, 2013).

[2] Genesco, Inc. v. Visa U.S.A., Inc., 296 F.R.D. 559, 564 (M.D. Tenn. 2014) (over $13 million in liabilities overall, but only $10,000 in “fines for failing to ensure Genesco’s PCI DSS compliance”), opinion amended and superseded on other grounds, 2014 WL 935329 (M.D. Tenn. Mar. 10, 2014).

[3] See, e.g., Retail Ventures, Inc. v. Nat’l Union Fire Ins. Co. of Pittsburgh, PA, 691 F.3d 821, 824-25 (6th Cir. 2012) (retailer suffered more than $4 million in Card Brand Liabilities after credit card-based data incident); First Bank of Del., 2013 WL 5858794, at *2 (bank and debit card processor paid $1.4 million in compensatory damages due to Card Brand Liabilities after data incident of retailer with whom company did business); Genesco, Inc. v. Visa U.S.A., Inc., 296 F.R.D. 559, 564 (M.D. Tenn. Jan. 14, 2014) ($13.3 million in Card Brand Liabilities after a credit card-based data incident).

[4] Target, Form 10-K, Target Corporation SEC Filings (Mar. 14, 2014), available here.

[5] Target, Form 10-K, Target Corporation SEC Filings (Mar. 14, 2014), available here.

[6] Target, Target Announces Settlement Agreement with MasterCard; Estimated Costs Already Reflected in Previously Reported Results (Apr. 15, 2015), available here.

[7] Id.

[8] See In re Target Corp. Customer Data Security Breach Litigation (Financial Institution Cases), MDL No. 14-2522 (PAM/JJK), slip op. (D. Minn. Dec. 2, 2014). A copy of the decision is available via Google Scholar.

[9] Matt Donovan, Banking on Credit: Merchants bear the brunt of data breach risks in the hospitality industry, PropertyCasualty 360º (Dec. 1, 2013), available at http://www.propertycasualty360.com/2013/12/01/banking-on-credit?t=commercial (emphasis added).

[10] Target, Form 10-Q, Target Corporation SEC Filings (Nov. 26, 2014), available here.

[1] MasterCard’s Security Rules and Procedures could be read to suggest that MasterCard is acting as an agent for issuing banks and demands against retailers are made on behalf of the issuing banks in whole or in part. MasterCard, Security Rules and Procedures – Merchant Edition, § 10.2.5.3 (Feb. 5, 2015) available at http://www.mastercard.com/us/merchant/pdf/SPME-Entire_Manual_public.pdf.

[2] Target, Form 10-K, Target Corporation SEC Filings (Mar. 14, 2014), available here.


Insurers See Worldwide Drop in Customer Satisfaction

Risk Management Magazine / Risk Management Monitor, a publication of RIMS

Non-life insurers in most of the world saw improved underwriting ratios last year, thanks to a significant drop in claims expenses and rising premium volume aided by growth in emerging markets. According to Capgemini’s 2015 World Insurance Report, however, insurers were not nearly as successful with their customers.

Globally, positive customer experiences decreased significantly in 2014, indicating that steps taken by insurers are not matching rising customer expectations, the consultancy reported. The fall was pervasive worldwide, but North America witnessed the largest drop of 8.3 percentage points, followed by Latin America with 5.3 points.

According to the report, “The agent channel delivered positive experience levels that were almost double those of digital channels, suggesting that digital channels are dragging down global customer experience levels. Customer expectations of digital channels such as mobile and social media are rising rapidly along with their usage and importance. However, more than 40% of customers cited positive experiences through the agency channel, while less than 30% of customers had positive experiences through digital channels such as mobile and social media.”

Claims servicing is also problematic in terms of customer experience, seeing the lowest percentage of happy customers.

Among all customers, Gen Y currently presents the biggest decrease in satisfaction. The drop in positive experience levels was much steeper for this age group than any other, and this trend is seen across all regions, especially in the developed markets. In North America, the drop in experience levels for Gen Y customers was approximately 10 percentage points steeper than other age segments, while in developed Asia-Pacific the difference was around five percentage points, Capgemini reported.

Check out more of the study’s key findings in the infographic below:

Insurers See Worldwide Drop in Customer Satisfaction
