Uber-Complicated: Insurance Gaps for Rideshare Vehicles Can Create Uncertainty for Passengers and Drivers

Many of us have come to enjoy the convenience of summoning a ride via our smartphones with a rideshare service company such as Uber, Lyft, or Sidecar.  However, significant issues exist over whether rideshare vehicles have adequate insurance coverage to compensate people injured in accidents involving those vehicles.

If one is injured by a Greyhound bus, for example, there is little question that Greyhound likely would have adequate insurance to cover any injuries and likely would have sufficient resources to compensate the injured party even without insurance.

By contrast, if one is injured by a rideshare driver, there are several potential obstacles to securing adequate compensation.

First, the rideshare company may classify the driver as an independent contractor instead of an employee, meaning that the company will not accept responsibility for the driver’s actions.  Second, even if the rideshare company accepts responsibility, the company’s insurance may not provide coverage, as discussed below.  In that event, the injured party is left to rely on the driver’s insurance, which also may be inadequate and may even exclude coverage for rideshare-related accidents.

The independent contractor issue has been litigated in numerous states with different outcomes.  Uber currently is facing two class action lawsuits in California related to this issue: Ghazi v. Uber Technologies, Inc., et al., No. CGC-15-545532 (Superior Court of California, County of San Francisco) and O’Connor v. Uber Technologies, Inc., et al., No. CV-13-3826 (U.S. District Court for the Northern District of California).[1]

Even if rideshare companies accept responsibility for a driver’s conduct, the companies typically have provided only limited insurance for their drivers.  Specifically, rideshare companies typically have not provided coverage in the following two periods: (1) when the rideshare app is turned off, or (2) when the app is turned on but no passenger is in the vehicle.

But, a horrific accident involving an Uber vehicle helped to start changing this dynamic.  Uber was sued in 2014 in California after a driver struck and killed a child during period (2) above, when he had his app turned on but had not yet picked up a passenger.  The case is captioned Liu v. Uber Technologies Inc., et al., No. CGC-14-536979 (Superior Court of the State of California, County of San Francisco).

California and other states recently have started requiring rideshare companies to maintain some coverage for their drivers in period (2), but that coverage is limited.  The companies typically provide contingent liability coverage with $50,000 per person/$100,000 per accident bodily injury coverage, but this insurance typically pays only for losses not covered by the driver’s personal policy.

And, even when rideshare company coverage is in place, insurers have relied on certain insurance policy exclusions in an effort to avoid paying claims.  One insurer is currently making such arguments in the coverage dispute with Uber over the Liu settlement.  See Evanston Insurance Co. v. Uber Technologies, Inc., No. C15-03988 WHA (U.S. District Court for the Northern District of California).

If a rideshare company’s commercial insurance is inadequate to fully compensate an injured party, that person is left to rely on a driver’s personal insurance.  But the driver’s insurance may be of no help because personal auto policies often contain an exclusion (the “livery exclusion”) for accidents occurring during commercial use of the vehicle, such as when a driver is transporting a passenger for hire.

Recently, there has been some effort in the insurance industry to close the insurance gaps discussed above, particularly during period (2), when a rideshare driver is using a mobile app but has not yet picked up a passenger.

In March 2015, the National Association of Insurance Commissioners adopted a white paper on insurance coverage for rideshare companies titled “Transportation Network Company Insurance Principles for Legislators and Regulators.”  The paper recommends that rideshare companies provide full coverage for period (2) or that drivers purchase individual commercial coverage during that period.

Similar to California, legislatures in Colorado, Illinois, and Virginia have passed laws requiring rideshare companies to offer full insurance during period (2).

In addition, some insurance companies are offering products to rideshare drivers to protect them in the event that rideshare companies’ commercial insurance does not pay.  For example, Geico (in Maryland and Virginia) and Progressive (in Pennsylvania) are offering individual commercial insurance to rideshare drivers that has lower rates than most commercial insurance.  USAA (in Colorado and Texas) offers a commercial insurance policy to rideshare drivers for an extra $6 to $8 per month.  Erie Insurance (in Illinois and Indiana) has removed an exclusion from personal auto policies purchased with a “business use” designation such that rideshare drivers now may be covered.

Overall, many options are emerging to provide additional insurance coverage on rideshare vehicles for the benefit of passengers and other third parties at all stages of the transportation process – from the time a rideshare driver turns on the app through the transport of a passenger.  Passengers, drivers, and affected third parties should continue to monitor these developments to make sure they are adequately protected.

© 2016 Gilbert LLP

[1] One consequence of the driver being classified as an independent contractor is that rideshare companies do not have to provide worker’s compensation insurance for a driver’s on-the-job injuries.  The Ghazi case addresses whether Uber drivers actually are employees and thus Uber must provide worker’s compensation insurance.

Cyber Liability: The Risks of Doing Business in a Digital World

Major security and data breaches have become more prevalent in the past decade. News headlines are dominated by stories of major corporations having networks hacked and subjecting employees’ and customers’ personal, financial and health information to cyber threats. Perhaps one of the following from 2014 will sound familiar:

  • January: Snapchat had the names and phone numbers of 4.5 million users compromised

  • February: Kickstarter had personal information from 5.6 million donors compromised

  • May: eBay’s database of 145 million customers was compromised

  • September: iCloud had celebrity photostreams hacked

  • November: Sony Pictures had the highest profile hack of the year involving email accounts, video games and movie releases

While the news headlines make it easy to think this is an issue for large, Fortune 500 companies, the risk is equally widespread, but much less publicized, for small businesses.

While the data breaches at small businesses do not garner the same attention as the data breaches occurring at Sony or iCloud, the impact to the organization and the liability the organization incurs are largely the same.

Although there are many studies available giving analytics on the types of data breaches that occur, those most common to small businesses can be described in three general categories: unintentional/miscellaneous errors, insider misuse and theft/loss.

Unintentional and miscellaneous errors are any mistakes that compromise security, such as accidentally posting private data to a public site, sending information to the wrong recipients or failing to dispose of documents or assets securely. For example, have any of your employees ever accidentally sent an order (with account information) to the wrong email address?

Insider misuse is not a situation where an accidental error occurs. Rather, an employee or someone with access to the information intentionally accesses the data to use it for an unlawful purpose. For example, a disgruntled clerk in the billing department accesses customer information to obtain name, date of birth and bank account information in order to fraudulently establish a credit card in that customer’s name. Consider another scenario where a third party vendor, a benefits provider, for example, handles employee information. Once transmitted, the employer loses control over information security for that data. Savvy business owners will make sure their contracts with vendors make the vendor responsible for any data breach that occurs during the engagement and that it will indemnify the business for any actions arising from such a breach.

Data breaches also result from physical theft or loss of laptops, tablets, smart phones, USB drives or even printed documents. Consider a scenario where the Human Resources director is heading to a conference and her laptop is stolen at the airport. The laptop is not encrypted or passcode-protected, and the thief can access all the employee files the director keeps on her computer.

In the past decade, laws have been aimed at narrowing the information that can initially be collected by businesses and with whom it can be shared, as well as mitigating the breach after it occurs.

Federal regulations like the Health Insurance Portability and Accountability Act (HIPAA) limit the collection and use of protected health information, and also have requirements for entities suffering a data breach, including customer notification and damage mitigation provisions, such as mandatory credit monitoring and fraud protection for affected customers.

The Personal Information Protection Act requires government agencies, corporations, universities, retail stores or other entities that handle nonpublic personal information to notify each Illinois resident who may be affected by a breach of data security. 815 ILCS 530/1 et seq. Personal information is defined as an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:

  1. Social security number.

  2. Driver’s license number or State identification card number.

  3. Account number or credit card or debit card number, or an account number or credit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

The required notice to Illinois residents must include contact information for credit reporting agencies and the Federal Trade Commission, along with a statement that the individual can obtain information from those sources about fraud alerts and security freezes. 815 ILCS 530/10(a). If the data breached is data that the entity owns or licenses, the notice must be made without unreasonable delay. Id. If the data breached is data that the entity does not own or license, notice must be made immediately. 815 ILCS 530/10(b).

Failure to notify affected consumers is a violation of the Illinois Consumer Fraud and Deceptive Business Practices Act. 815 ILCS 530/20.

Technology is everywhere. Smart phones, tablets, laptops, the internet, online bill payments and the like have changed the way businesses operate. There is no denying that technology allows for efficient and effective commerce and communication. Unfortunately, the same technology that allows for faster and more efficient commerce and communication also subjects businesses to new forms of risk when it comes to data security.

There are risk management tools that all businesses should be aware of and using on a daily basis. Anti-virus software, passwords on all devices, frequent backup of data, and encryption for sensitive information transmitted electronically are just a few.

What if a business owner takes all the steps necessary to reduce the risk of a data breach and it still occurs? There is a way to reduce damages and to shorten the recovery and restoration timeframes.

Cyber Liability insurance can protect businesses, large and small, from data breaches that result from malicious hacking or other non-malicious digital risks. This specific line of insurance was designed to insure consumers of technology services or products for liability and property losses that may result when a business engages in various electronic activities, such as selling on the internet or collecting data within its internal electronic network.

Most notably, cyber and privacy policies cover a business’ liability for data breaches in which the customer’s personal information (such as social security or credit card numbers) is exposed or stolen by a hacker.

As you might imagine, the cost of a data breach can be enormous. Costs arising from a data breach can include: forensic investigation, legal advice, costs associated with the mandatory notification of third parties, credit monitoring, public relations, losses to third parties, and the fines and penalties resulting from identity theft.

While most businesses are familiar with their commercial insurance policies providing general liability (CGL) coverage to protect the business from injury or property damage, most standard commercial line policies do not cover many of the cyber risks mentioned above. Furthermore, cyber and privacy insurance is often confused with technology errors and omissions (tech E&O) insurance. However, tech E&O coverage is intended to protect providers of technology products and services such as computer software and hardware manufacturers, website designers, and firms that store corporate data on an off-site basis. Cyber risks are more costly. The size and scope of the services a business provides will play a role in coverage needs and pricing, as will the number of customers, the presence on the internet, and the type of data collected and stored. Cyber Liability policies might include one or more of the following types of coverage:

  • Liability for security or privacy breaches (including the loss of confidential information by allowing or failing to prevent unauthorized access to computer systems).

  • The costs associated with a privacy breach, such as consumer notification, customer support and costs of providing credit monitoring services to affected customers.

  • Costs of data loss or destruction (such as restoring, updating or replacing business assets stored electronically).

  • Business interruption and extra expense related to a security or privacy breach.

  • Liability associated with libel, slander, copyright infringement, product disparagement or reputational damage to others when the allegations involve a business website, social media or print media.

  • Expenses related to cyber extortion or cyber terrorism.

  • Coverage for expenses related to regulatory compliance for billing errors, physician self-referral proceedings and Emergency Medical Treatment and Active Labor Act proceedings.

While cyber liability insurance may not be right for all businesses, those that actively use technology to operate should consider the risks they would be exposed to if a data breach occurred. In addition, there are many different cyber policy exclusions and endorsements. Not all policies are created equal.

Responding to the Anthem Cyber Attack

Proskauer Rose LLP, Law Firm

Anthem Inc. (Anthem), the nation’s second-largest health insurer, revealed late on Wednesday, February 4 that it was the victim of a significant cyber attack. According to Anthem, the attack exposed personal information of approximately 80 million individuals, including those insured by related Anthem companies. Anthem has reported that the exposed information includes member names, member health ID and Social Security numbers, dates of birth, addresses, telephone numbers, email addresses and employment information. The investigation of the massive data breach is ongoing, and media outlets have reported that class action suits have already been filed against Anthem in California and Alabama, claiming that lax Anthem security measures contributed to this incident.

Employers, multiemployer health plans, and others responsible for employee health benefit programs should take note that the Health Insurance Portability and Accountability Act (HIPAA) and state data breach notification laws may hold them responsible for ensuring that certain notifications are made related to the incident. The nature of these obligations will depend on whether the benefits offered through Anthem are provided under an insurance policy, and so are considered to be “fully insured,” or whether the Anthem benefits are provided under a “self-insured” arrangement, where Anthem does not insure the benefits, but instead administers the benefits. The most significant legal obligations on the part of employers, multiemployer health plans, and others responsible for employee health benefit programs will apply to Anthem benefits that are self-insured.

Where notifications must be made, the notifications may be due to former and present employees and their dependents, government agencies, and the media.  Where HIPAA applies, the notifications will need to be made “without unreasonable delay” and in any event no later than 60 days after the employer or other responsible party becomes aware that the breach has affected its own health plan participants. Where state data breach laws apply, notifications generally must be made in the most expedient time possible and without unreasonable delay, subject to certain permitted delays. Some state laws impose outside timeframes as short as 30 days. Under the state laws, reporting obligations on the part of employers, multiemployer health plans, and others responsible for employee health benefit programs will generally turn on whether they, or Anthem, “own” the breached data. Since the state laws apply to breaches of data of their residents, regardless of the states in which the compromised entities and data owners are located, and since former employees and dependents could reside anywhere, a comprehensive state law analysis is required to determine the legal requirements arising from this data breach. Fortunately, depending on the circumstances, some (but not all) state data breach notification laws defer to HIPAA breach notification procedures, and do not require additional action where HIPAA applies and is followed.

As potentially affected parties wait for confirmation from Anthem as to whether any of their employees, former employees or their covered dependents has had their data compromised, we recommend that affected parties work with their legal counsel to determine what their responsibilities, if any, might be to respond to this incident. Among other things, for self-insured arrangements, HIPAA business associate agreements and other contracts with Anthem should be reviewed to assess how data breaches are addressed, whether data ownership has been addressed by contract, and whether indemnification provisions may apply. Consideration should also be given to promptly reaching out to Anthem to clarify the extent to which Anthem will be addressing notification responsibilities. Once parties are in a position to make required notifications, we also recommend that companies consult with legal counsel to review the notifications and the distribution plans for those notifications to assure that applicable legal requirements have been satisfied.



Data Analytics as a Risk Management Strategy


In our increasingly competitive business environment, companies everywhere are looking for the next new thing to give them a competitive edge. But perhaps the next new thing is applying new techniques and capabilities to existing concepts such as risk management. The exponential growth of data as well as recent technologies and techniques for managing and analyzing data create more opportunities.

Enterprise risk management can encompass so much more than merely making sure your business has purchased the right types and amounts of insurance. With the tools now available, businesses can quantify and model the risks they face to enable smarter mitigation strategies and better strategic decisions.

The discipline of risk management in general and the increasingly popular field of enterprise risk management have been around for years. But several recent trends and developments have increased the ability to execute on the concept of enterprise risk management.

First, the amount of data being produced everywhere has exploded and continues to accelerate. The typical executive today is swamped by data coming from all directions. Luckily, just as the raw amount of data has grown, the cost of the hardware to store data has decreased at an exponential rate. For example, in the last 10 years, retail hard-drive costs have dropped from about $1.20 per gigabyte (GB) in 2004 to about 4 cents per GB today. What’s more, the cost of hardware to store all that enterprise data is quickly becoming negligible.

But such huge amounts of data present a problem: Somebody has to manage and analyze it. All data is not equally important or relevant to the problems business executives need to solve or the risks they’re trying to manage. The explosion of data has created a greater amount of helpful and relevant data, but it can get lost in an even greater amount of useless, irrelevant, and distracting data. So an effective data management and analytics program is crucial to take advantage of the opportunities resident in the new flood of data.

One job of analytics is to sort the important from the unimportant and analyze and synthesize the data in new ways that create actionable information. Fortunately, the tools and techniques to manage large volumes of data have been progressing over the past several years. In particular, there has been a lot of buzz about big data. The field of big data has developed from a specific platform to manage large volumes of data into an entire ecosystem of related technologies. These tools are critical to the process of picking out the grains of useful intelligence from the vast quantities of distracting chaff that are characteristic of many big data sources.

Of course, all the recent technical developments and analytic techniques that make it possible to extract actionable information from a flood of data are all professionally exciting—if you’re an analyst. However, analytics for analytics’ sake does not help an organization. Often, analytics groups can remain isolated from the business itself. When such groups ultimately present what they have discovered, they may simply talk about the part most interesting to them—the analytics process—rather than focusing on the resulting information.

It is important to remember that actionable information is the ultimate goal of the entire exercise. The information must reach the decision makers in an understandable form when it is needed—the right information at the right place and at the right time. When designing information systems or even just presenting information to business executives, it is important for technical professionals to keep technical details to a minimum and focus on the actionable information. A feedback mechanism is critical. Users of the information must have a method to tell the creators of the information whether it was sufficient, correct, timely and understandable.

It’s been said that the three most important factors in real estate are location, location, and location. Similarly, the three most important factors in effective analytics are data, data, and data. Good data can sometimes make up for mediocre analytics, but even the best analytics will never produce anything useful from poor data.

Where should a business begin to leverage the new data and risk analytics? It has to start with the data itself. So start collecting and storing the data that’s available to you. Every business generates vast amounts every day. Collecting, managing, and analyzing internal data is necessary; but by looking outside the organization at social media, government data sources and third-party data vendors, a company can really begin to illuminate the environment in which it operates.

Managing data for analytics is a specialized field in its own right, and a topic for another day. But the business that can effectively leverage data and analytics to manage the risks it faces will be rewarded by seeing the future more clearly, making better decisions and ultimately being more successful than those companies that cannot.

Article authored by Phil Hatfield, modeling data services executive for ISO Insurance Programs and Analytic Services (IPAS), a Verisk Analytics (Nasdaq:VRSK) business.


Cyber and Technology Risk Insurance for the Construction Sector

Much Shelist law firm

The recent, well-publicized retail store data breach controversies have spawned a number of lawsuits and insurance claims. Not surprisingly, insurers have responded with attempts to fight claims for coverage for such losses. Insurance underwriters are carefully monitoring decisions being handed down by courts in these lawsuits. All of this activity has led to a new emphasis on cyber and technology risk and assessments, as well as on insurance-program strategies.

These developments have ramifications for the construction industry that include, and go well beyond, the data-breach context. Contractors, design professionals and owners may find that in addition to losses caused by data breaches, other types of losses occasioned by technology-related incidents may not be covered by their existing insurance programs.

Specifically, insureds may find themselves with substantial coverage gaps because:

  • data and technology exclusions have been added to general liability policies.

  • such losses typically involve economic losses (as opposed to property damages or personal-injury losses) that insurers argue are not covered by general liability policies.

  • data and technology losses may be the result of manufacturing glitches rather than professional negligence covered by professional liability policies.

Coverage for claims involving glitches, manufacturing errors and data breaches in technology-driven applications — such as Building Information Modeling (BIM), estimating and scheduling programs, and 3D printing — may be uncertain. A number of endorsements are currently available for data breach coverage, but insurers don’t necessarily have the construction industry in mind as they provide these initial products.

In addition, there is no such thing as a “standard” cyber liability policy, endorsement or exclusion. Insurers have their own forms with their own wording, and because seemingly minor differences in language may have a significant impact on coverage, such matters should be run past counsel.

Construction insurance brokers are telling us that insurers are in the process of determining how to respond to cyber and technology risk claims, what products to offer going forward, and how to underwrite and price these products. Keith W. Jurss, a senior vice president in Willis’s National Construction Practice, warns:

“As the construction industry continues to identify the unique “cyber” risks that it faces we are identifying gaps in the current suite of “cyber” insurance coverages that are available.  In addition, new exclusionary language related to cyber risk under CGL and other policies adds to the gap.  The insurance industry is slowly beginning to respond with endorsements that give back coverage or new policies designed to address the specific risks of the construction industry.

“As we identify cyber insurance underwriters willing to evaluate the risks specific to the construction industry, we are seeing the development of unique solutions in the market. There is, however, more work required and as construction clients continue to demand solutions the industry will be forced to respond.”

Consequently, this is a time to stay in close touch with qualified construction insurance brokers who understand the sector and have their hands on the pulse of the latest available cyber and technology risk products. As these products become available, clients may also want to consider what cyber and technology risk coverage to require on projects and whether to include these requirements in downstream contracts.



Illinois Guaranty Fund Gets Setoff From Statutory Dram Shop Limit Rather Than Jury Verdict

Heyl Royster Law firm

An eighteen-year-old boy was killed in a head-on collision with a vehicle driven by an intoxicated person. His parents received $26,550 from the drunk driver’s insurance carrier and $80,000 from their own insurance carrier. They subsequently filed a dram shop suit. While it was pending, the dram shop’s insurance carrier was declared insolvent, and the Illinois Guaranty Fund assumed the defense. The issue was whether the $106,550 should be set off from a potential jury verdict or from the statutory dram shop limit of $130,338.51. The Fifth District held the setoff should be applied against the jury verdict.

The Supreme Court reversed and held the setoff should be applied against the statutory limit. The Fund’s obligation cannot be expanded by a jury verdict. It can only be reduced by other insurance. Rogers v. Imeri, 2013 IL 115860.

© 2014 Heyl, Royster, Voelker & Allen, P.C.

New Ridesharing Legislation in California and Oregon Highlights Insurance Uncertainty in Emerging Industries

Proskauer Law firm

Managing a company’s exposure to new types of risks is often a complicated endeavor.  We’ve previously reported on the uncertainty that can arise when existing coverage models are applied to a new risk—such as losses arising from data breaches and other cyber-attacks.  Applying existing coverage models to emerging industries presents similar challenges.  These challenges were highlighted recently in the years-long dispute over insurance of ridesharing companies, like Lyft and Uber, which recently reached some degree of closure in California with the enactment of new insurance legislation for these companies.

Ridesharing companies have arisen in the past few years as an alternative to traditional forms of transportation, such as taxis.  These companies neither employ the drivers nor own the cars used for transportation; they essentially serve as an online “middleman” connecting passengers with freelance drivers for hire and expressly disavow that they provide any sort of “transportation services.”  This new business model—blurring the lines between traditional services and social media—presented many questions as to liability and, consequently, risk management.  These questions were brought to the fore earlier this year, when the family of a six-year-old girl killed by a ridesharing driver sued the ridesharing company.  The company disclaimed liability on the basis that it is not responsible for the acts of its drivers, especially when the drivers do not have ridesharing passengers or are not en route to pick one up.

Many ridesharing drivers have relied primarily on their personal automobile policies, eschewing business coverage altogether, reportedly at the recommendation of the ridesharing companies themselves.  While ridesharing companies have carried excess insurance policies to cover ridesharing accidents, the insurance industry took the position that these policies did not cover such accidents because there was no primary coverage.  In other words, because the only “primary” insurance policies were personal use automobile policies that did not cover commercial livery use, the excess insurance could not be triggered.

On September 17, 2014, California AB-2293 was enacted to address this uncertainty of coverage.  The statute was the result of discussions between legislators, ridesharing companies, insurers, and traditional taxi companies.  It requires ridesharing companies in the state to provide $100,000 in coverage for their drivers that takes effect the moment a driver connects to the ridesharing company’s dispatch software and increases to $1 million once the driver agrees to pick up a passenger.  It also states that a personal automobile insurer does not have the duty to defend or indemnify claims arising out of ridesharing, unless the policy expressly provides such coverage, and it requires ridesharing companies to disclose this fact to their drivers.

Whether other states will follow California’s lead remains to be seen.  Legislation addressing ridesharing has been introduced across the country, and as one Pennsylvania state legislator observed, “By far the biggest issue is insurance.”  In other states, regulators are addressing the possible insurance gap.  Just days after California’s new statute was enacted, Oregon’s State Insurance Division issued a consumer advisory, warning of the potential unavailability of insurance coverage under personal insurance policies for ridesharing and other services provided in the peer-to-peer marketplace.

As Oregon Insurance Commissioner Laura Cali observed in connection with ridesharing, “When a new industry emerges, it often creates unique insurance situations.”  New industries may exist under insurance uncertainty for years or decades before legislation, regulation, or litigation clarifies the issue.  It is therefore critical when expanding into a nascent industry to consider how the risks of that industry may be managed, under either new or existing types of insurance coverage.