Will Cyberinsurance Cover Target’s $19 Million Mastercard Settlement?

Barnes & Thornburg LLP Law Firm

Another credit card in the mail?

If you’re reading this post, you’ve probably received a new credit or debit card in the mail, attached by rubber cement to a cover letter explaining that your card number could have been compromised – so you ended up with replacement cards. You might even have received new cards more than once over the past five years. Perhaps you even received a new card with an explanation that after the data breach at Target Corporation, your “issuing bank” – the bank that issued you the credit or debit card – decided to send you a new card. And maybe you signed your card, called to activate it, replaced your old card, and didn’t give a second thought to it. After all, consumers generally are not financially responsible for fraudulent charges and likely did not pay to get the shiny new piece of plastic in the mail.

What are card brand liabilities?

The payment card brands, however, view such incidents differently than do individual consumers. The payment card brands frequently pursue retailers, either directly or by means of a payment processor. They allegedly do so on behalf of the issuing banks and the losses that the issuing banks allegedly suffered as a result of the data breach.[1] The brands allege that the retailers are responsible for the fraudulent charges that were incurred and the amounts spent to replace payment cards. As Target explained in its 2014 Form 10-K:

“In the event of a data breach where payment card data is or may have been stolen, the payment card networks’ contracts purport to give them the ability to make claims for reimbursement of incremental counterfeit fraud losses and non-ordinary course operating expenses (such as card reissuance costs) that the payment card networks believe they or their issuing banks have incurred as a result of the event.”[2]

Those amounts can run into the millions of dollars (Card Brand Liabilities). Card Brand Liabilities also may include amounts for alleged failures to maintain certain levels of computer security required by contract (so-called PCI-DSS compliance).[1] The amounts owed for alleged fraudulent charges and replacement of compromised credit cards often dwarfs the amounts of fines for alleged PCI non-compliance.[2] Some incidents that involved more than 1 million allegedly exposed card numbers have resulted in Card Brand Liabilities in the millions of dollars.[3]

Target’s card brand liabilities…and pending settlement of them with MasterCard

Target disclosed that three out of the four payment card brands made written demands for Card Brand Liabilities, and that it expected the fourth brand to do so as well.[4] The total amount of Target’s potential Card Brand Liabilities is unclear, but Target did disclose that it had incurred $252 million of data breach-related expenses, an amount that accounts for Card Brand Liabilities.[5]

On April 15, 2015, Target announced that it had reached a settlement of its Card Brand Liabilities with MasterCard for up to $19 million.[6] Interestingly, Target explained that the settlement is contingent upon the issuing banks, which allegedly reimbursed the fraudulent charges and issued the new cards, agreeing to accept payment via the MasterCard settlement and the issuing banks dropping claims against Target.[7] This requirement is fascinating, as issuing banks have filed a putative class action against Target directly, alleging that they suffered losses as a result of Target’s data breach.[8] It may be that the MasterCard settlement resolves at least part of the claims at issue in the issuing bank litigation.

Will Target’s cyberinsurance cover its card brand liability settlement?

Now for the question you’ve been waiting for: will Target’s insurance policies cover its $19 million settlement with MasterCard? Probably.

Without commenting on the correctness of the position, consider that one underwriter has written that Card Brand Liabilities are contract-based indemnities and may be excluded from cyberinsurance coverage, with emphasis added:[9]

Many policy forms in the marketplace directly exclude contractual indemnities and liability, including that which stems from merchant service agreements. Some policy forms initially grant coverage for breach of contract claims, but then add exclusions concerning key components of this coverage. In addition, some policy forms exclude breach of contract claims with some very narrow carvebacks to the exclusionary wording that may not help the insured much in the event of a payment card breach.

Although most privacy/security insurance policies grant the insured coverage for situations in which they need to incur the first-party costs to notify individuals and extend insureds credit monitoring services, not all will directly respond to the breach of, or the indemnities contained in, a merchant services agreement.

Without commenting on the merits of it, consider an opposing view that Card Brand Liabilities could be treated as common law claims for purposes of insurance coverage, not liabilities created by contract, and the payment card brands are demanding amounts as agents for the issuing banks. Target may not have to address whether its Card Brand Liabilities were created by merchant services agreement contracts or are common law liabilities, because Target reportedly has $50 million in coverage for this exact type of loss:

“To limit our exposure to losses relating to data breach and other claims, we maintain $100 million of network-security insurance coverage, above a $10 million deductible and with a $50 million sublimit for settlements with the payment card networks.”[10] 

How would your insurance cover card brand liabilities? Even if you have cyberinsurance, does the policy address card brand liabilities? Does your insurance carrier’s claim handler view the losses as liabilities under a merchant services agreement contract? Or as common law liabilities? If it’s the former, are there exclusions for liabilities allegedly assumed in a merchant services agreement contract? Or sublimits on the total policy limit (making just a fraction of coverage available)?

Consider using the Target announcement as a perfect opportunity to review your insurance – including your cyberinsurance – policies closely to figure out whether you would have full coverage for these losses. The last thing that you want to face is the prospect of your insurer denying coverage for millions of dollars in losses after you were told that buying cyberinsurance would be a panacea for all things cyberrisk.


[1] See, e.g.First Bank of Del., Inc. v. Fid. & Deposit Co. of Md., 2013 WL 5858794, at *2 (Del. Super. Oct. 30, 2013), rearg. denied, 2013 WL 6407603 (Del. Super. Dec. 4, 2013).

[2] Genesco, Inc. v. Visa U.S.A., Inc., 296 F.R.D. 559, 564 (M.D. Tenn. 2014) (over $13 million in liabilities overall, but only $10,000 in “fines for failing to ensure Genesco’s PCI DSS compliance”), opinion amended and superceded on other grounds, 2014 WL 935329 (M.D. Tenn. Mar. 10, 2014).

[3] See, e.g.Retail Ventures, Inc. v. Nat’l Union Fire Ins. Co. of Pittsburgh, PA, 691 F.3d 821, 824-25 (6th Cir. 2012) (retailer suffered more than $4 million in Card Brand Liabilities after credit card-based data incident); First Bank of Del., 2013 WL 5858794, at *2 (bank and debit card processor paid $1.4 million in compensatory damages due to Card Brand Liabilities after data incident of retailer with whom company did business); Genesco, Inc. v. Visa U.S.A., Inc., 296 F.R.D. 559, 564 (M.D. Tenn. Jan. 14, 2014) ($13.3 million in Card Brand Liabilities after a credit card-based data incident).

[4] Target, Form 10-K, Target Corporation SEC Filings (Mar. 14, 2014), available here.

[5] Target, Form 10-K, Target Corporation SEC Filings (Mar. 14, 2014), available here.

[6] Target, Target Announces Settlement Agreement with MasterCard; Estimated Costs Already Reflected in Previously Reported Results (Apr. 15, 2015), available here.

[7] Id.

[8] See In re Target Corp. Customer Data Security Breach Litigation (Financial Institution Cases), MDL No. 14-2522 (PAM/JJK), slip op. (D. Minn. Dec. 2, 2014). A copy of the decision is available via Google Scholar.

[9] Matt Donovan, Banking on Credit: Merchants bear the brunt of data breach risks in the hospitality industry, PropertyCasualty 360º (Dec. 1, 2013), available at http://www.propertycasualty360.com/2013/12/01/banking-on-credit?t=commercial (emphasis added).

[10] Target, , Form 10-Q, Target Corporation SEC Filings (Nov. 26, 2014), available here.

[1] MasterCard’s Security Rules and Procedures could be read to suggest that MasterCard is acting as an agent for issuing banks and demands against retailers are made on behalf of the issuing banks in whole or in part. MasterCard, Security Rules and Procedures – Merchant Edition, § 10.2.5.3 (Feb. 5, 2015) available at http://www.mastercard.com/us/merchant/pdf/SPME-Entire_Manual_public.pdf.

[2]Target, Form 10-K, Target Corporation SEC Filings (Mar. 14, 2014), available here.

ARTICLE BY

Insurers See Worldwide Drop in Customer Satisfaction

Risk Management Magazine / Risk Managment Montitor a publication of RIMS

Non-life insurers in most of the world saw improved underwriting ratios last year, thanks to a significant drop in claims expenses and rising premium volume aided by growth in emerging markets. According to Capgemini’s 2015 World Insurance Report, however, insurers were not nearly as successful with their customers.

Globally, positive customer experiences decreased significantly in 2014, indicating that steps taken by insurers are not matching rising customer expectations, the consultancy reported. The fall was pervasive worldwide, but North America witnessed the largest drop of 8.3 percentage points, followed by Latin America with 5.3 points.

According to the report, “The agent channel delivered positive experience levels that were almost double those of digital channels, suggesting that digital channels are dragging down global customer experience levels. Customer expectations of digital channels such as mobile and social media are rising rapidly along with their usage and importance. However, more than 40% of customers cited positive experiences through the agency channel, while less than 30% of customers had positive experiences through digital channels such as mobile and social media.”

Claims servicing is also problematic in terms of customer experience, seeing the lowest percentage of happy customers.

Among all customers, Gen Y currently presents the biggest decrease in satisfaction. The drop in positive experience levels was much steeper for this age group than any other, and this trend is seen across all regions, especially in the developed markets. In North America, the drop in experience levels for Gen Y customers was approximately 10 percentage points steeper than other age segments, while in developed Asia-Pacific the difference was around five percentage points, Capgemini reported.

Check out more of the study’s key findings in the infographic below:

Insurers See Worldwide Drop in Customer Satisfaction

ARTICLE BY

Congress Begins With Renewed Efforts to Repeal Insurer’s Antitrust Exemption

Dickinson Wright Logo

Early into the 114th Congress, multiple bills have already been introduced that would repeal the insurance industry’s limited antitrust exemption granted by the McCarran-Ferguson Act (15 USC 1011 et seq.).

On January 6, Representative John Conyers (D-Mich.) introduced the “Health Insurance Industry Antitrust Enforcement Act of 2015,” (H.R. 99). The legislation would amend the McCarran-Ferguson Act, which currently provides the insurance industry with an exemption from the federal antitrust laws for conduct that is “the business of insurance,” is “subject to state regulation,” and does not constitute “an act of boycott, coercion or intimidation,” (15 USC 1013), by removing the exemption for health insurers and medical malpractice insurers. Notably, the bill would not eliminate the exemption with respect to other lines of insurance, and is similar to McCarran repeal bills that Representative Conyers has introduced in prior sessions of Congress. Representative Conyers has previously stated that his bill would “end the mistake Congress made in 1945 when it added an antitrust exemption for insurance companies.”

Subsequently, on January 22, Representative Paul Gosar (R-Ariz.), who was a practicing dentist for many years, introduced similar McCarran repeal legislation, entitled the “Competitive Health Insurance Reform Act of 2015” (H.R. 494). Representative Gosar’s bill would only eliminate the exemption as to health insurers. In introducing his legislation, Representative Gosar stated that “Since the passage of Obamacare, the health insurance market has expanded into one of the least transparent and most anti-competitive industries in the United States,” and that there is “no reason in law, policy or logic for the insurance industry to have a special exemption” from the antitrust laws.

Both H.R. 99 and H.R. 494 have been referred to the House Judiciary Committee for further action. Whether these bills will gain traction this Congress remains to be seen, but the fact that the bill has supporters on both sides of the aisle certainly increases the chances that the legislation will, at a minimum, be considered by the House Judiciary Committee (which failed to take up similar legislation in the 113th Congress).

ARTICLE BY

OF

The Evolving Treatment of Fifield v. Premier Dealer Services, Inc.

Epstein Becker & Green, P.C.

In Fifield v. Premier Dealer Services, Inc., an Illinois Appellate Court determined that, absent other consideration, at-will employment must continue for two years in order to constitute consideration for the enforcement of competition restrictions.  Clients continue to ask how Fifield has been applied by subsequent courts.  So far, the results have been mixed.  This month, the United States District Court for the Northern District of Illinois rejected Fifield’s bright line test in the case of Bankers Life and Casualty Co. v. Miller, 2015 U.S. Dist. LEXIS 14337 (N.D. Ill. Feb. 6, 2015).  In doing so, Judge Shah explained that in light of the Illinois Supreme Court’s recent decision emphasizing the need to consider the totality of the circumstances in evaluating competition restrictions, the Illinois Supreme Court “would not adopt a bright-line rule requiring continued employment for at least two years in all cases.”  Bankers Life, at *11-12.  Previously, Judge Castillo too rejected Fifield’s bright-line test in Montel Aetnastak, Inc. v. Miessen, 998 F. Supp. 2d 694 (N.D. Ill. 2014).  However, Judge Holderman reached a different result inInstant Technology, LLC v. Defazio, 2014 U.S. Dist. LEXIS 61232 (N.D. Ill. May 2, 2014) and determined that competition restrictions were not enforceable against employees who had worked for 10, 19, and 21 months and received only that employment as consideration for the restrictions.  Instant Technology is currently on appeal.   So far, however, the score in the United States District Court for the Northern District of Illinois is 2-1 against Fifield’s bright-line test.

ARTICLE BY

Three Lessons for Mitigating Network Security Risks in 2015: Bring Your Own Device

Risk-Management-Monitor-Com

Not too long ago, organizations fell into one of two camps when it came to personal mobile devices in the workplace – these devices were either connected to their networks or they weren’t.

But times have changed. Mobile devices have become so ubiquitous that every business has to acknowledge that employees will connect their personal devices to the corporate network, whether there’s a bring-your-own-device (BYOD) policy in place or not. So really, those two camps we mentioned earlier have evolved – the devices are a given, and now, it’s just a question of whether or not you choose to regulate them.

This decision has significant implications for network security. If you aren’t regulating the use of these devices, you could be putting the integrity of your entire network at risk. As data protection specialist Vinod Banerjee told CNBC, “You have employees doing more on a mobile device and doing it ad hoc here and there and perhaps therefore not thinking about some of the risks that are apparent.” What’s worse, this has the potential to happen on a wide scale – Gartner predicted that, by 2018, more than half of all mobile users will turn first to their phone or tablet to complete online tasks. The potential for substantial remote access vulnerabilities is high.

So what can risk practitioners within IT departments do to regain control over company-related information stored on employees’ personal devices? Here are three steps to improve network security:

1. Focus on the Increasing Number of Endpoints, Not New Types

Employees are expected to have returned from holiday time off with all sorts of new gadgets they received as gifts, from fitness trackers to smart cameras and other connected devices.

Although these personal connected devices do pose some network security risk if they’re used in the workplace, securing different network-enabled mobile endpoints is really nothing special for an IT security professional. It doesn’t matter if it’s a smartphone, a tablet or a smart toilet that connects to the network – in the end, all of these devices are computers and enterprises will treat them as such.

The real problem for IT departments involves the number of new network-enabled endpoints. With each additional endpoint comes more network traffic and, subsequently, more risk. Together, a high number of endpoints has the potential to create more severe remote access vulnerabilities within corporate networks.

To mitigate the risk that accompanies these endpoints, IT departments will rely on centralized authentication and authorization functions to ensure user access control and network policy adherence. Appropriate filtering of all the traffic, data and information that is sent into the network by users is also very important. Just as drivers create environmental waste every time they get behind the wheel, network users constantly send waste – in this case, private web and data traffic, as well as malicious software – into the network through their personal devices. Enterprises need to prepare their networks for this onslaught.

2. Raise the Base Level of Security

Another way that new endpoints could chip away at a network security infrastructure is if risk practitioners fall into a trap where they focus so much on securing new endpoints, such as phones and tablets, that they lose focus on securing devices like laptops and desktops that have been in use for much longer.

It’s not difficult to see how this could happen – information security professionals know that attackers constantly change their modus operandi as they look for security vulnerabilities, often through new, potentially unprotected devices. So, in response, IT departments pour more resources into protecting these devices. In a worst-case scenario, enterprises could find themselves lacking the resources to both pivot and mitigate new vulnerabilities, while still adequately protecting remote endpoints that have been attached to the corporate network for years.

To offset this concern, IT departments need to maintain a heightened level of security across the entire network. It’s not enough to address devices ad hoc. It’s about raising the floor of network security, to protect all devices – regardless of their shape or operating system.

3. Link IT and HR When Deprovisioning Users

Another area of concern around mobile devices involves ex-employees. Employee termination procedures now need to account for BYOD and remote access, in order to prevent former employees from accessing the corporate network after their last day on the job. This is particularly important because IT staff have minimal visibility over ex-employees who could be abusing their remote access capabilities.

As IT departments know, generally the best approach to network security is to adopt policies that are centrally managed and strictly enforced. In this case, by connecting the human resources database with the user deprovisioning process, a company ensures all access to corporate systems is denied from devices, across-the-board, as soon as the employee is marked “terminated” in the HR database. This eliminates any likelihood of remote access vulnerabilities.

Similarly, there also needs to be a process for removing all company data from an ex-employee’s personal mobile device. By implementing a mobile device management or container solution, which creates a distinct work environment on the device, you’ll have an easy-to-administer method of deleting all traces of corporate data whenever an employee leaves the company. This approach is doubly effective, as it also neatly handles situations when a device is lost or stolen.

New Risks, New Resolutions

As the network security landscape continues to shift, the BYOD and remote access policies and processes of yesterday will no longer be sufficient for IT departments to manage the personal devices of employees. The New Year brings with it new challenges, and risk practitioners need new approaches to keep their networks safe and secure.

OF

Data Analytics as a Risk Management Strategy

Risk-Management-Monitor-Com

In our increasingly competitive business environment, companies everywhere are looking for the next new thing to give them a competitive edge. But perhaps the next new thing is applying new techniques and capabilities to existing concepts such as risk management. The exponential growth of data as well as recent technologies and techniques for managing and analyzing data create more opportunities.

Computer Network Wires

Enterprise risk management can encompass so much more than merely making sure your business has purchased the right types and amounts of insurance. With the tools now available, businesses can quantify and model the risks they face to enable smarter mitigation strategies and better strategic decisions.

The discipline of risk management in general and the increasingly popular field of enterprise risk management have been around for years. But several recent trends and developments have increased the ability to execute on the concept of enterprise risk management.

First, the amount of data being produced everywhere has exploded and continues to accelerate. The typical executive today is swamped by data coming from all directions. Luckily, just as the raw amount of data has grown, the cost of the hardware to store data has decreased at an exponential rate. For example, in the last 10 years, retail hard-drive costs have dropped from about $1.20 per gigabyte (GB) in 2004 to about 4 cents per GB today. What’s more, the cost of hardware to store all that enterprise data is quickly becoming negligible.

But such huge amounts of data present a problem: Somebody has to manage and analyze it. All data is not equally important or relevant to the problems business executives need to solve or the risks they’re trying to manage. The explosion of data has created a greater amount of helpful and relevant data, but it can get lost in an even greater amount of useless, irrelevant, and distracting data. So an effective data management and analytics program is crucial to take advantage of the opportunities resident in the new flood of data.

One job of analytics is to sort the important from the unimportant and analyze and synthesize the data in new ways that create actionable information. Fortunately, the tools and techniques to manage large volumes of data have been progressing over the past several years. In particular, there has been a lot of buzz about big data. The field of big data has developed from a specific platform to manage large volumes of data into an entire ecosystem of related technologies. These tools are critical to the process of picking out the grains of useful intelligence from the vast quantities of distracting chaff that are characteristic of many big data sources.

Of course, all the recent technical developments and analytic techniques that make it possible to extract actionable information from a flood of data are all professionally exciting—if you’re an analyst. However, analytics for analytics’ sake does not help an organization. Often, analytics groups can remain isolated from the business itself. When such groups ultimately present what they have discovered, they may simply talk about the part most interesting to them—the analytics process—rather than focusing on the resulting information.

It is important to remember that actionable information is the ultimate goal of the entire exercise. The information must reach the decision makers in an understandable form when it is needed—the right information at the right place and at the right time. When designing information systems or even just presenting information to business executives, it is important for technical professionals to keep technical details to a minimum and focus on the actionable information. A feedback mechanism is critical. Users of the information must have a method to tell the creators of the information whether it was sufficient, correct, timely and understandable.

It’s been said that the three most important factors in real estate are location, location, and location. Similarly, the three most important factors in effective analytics are data, data, and data. Good data can sometimes make up for mediocre analytics, but even the best analytics will never produce anything useful from poor data.

Where should a business begin to leverage the new data and risk analytics? It has to start with the data itself. So start collecting and storing the data that’s available to you. Every business generates vast amounts every day. Collecting, managing, and analyzing internal data is necessary; but by looking outside the organization at social media, government data sources and third-party data vendors, a company can really begin to illuminate the environment in which it operates.

Managing data for analytics is a specialized field in its own right, and a topic for another day. But the business that can effectively leverage data and analytics to manage the risks it faces will be rewarded by seeing the future more clearly, making better decisions and ultimately being more successful than those companies that cannot.

Article authored by Phil Hatfield, modeling data services executive for ISO Insurance Programs and Analytic Services (IPAS), a Verisk Analytics (Nasdaq:VRSK) business.

OF

Cyber and Technology Risk Insurance for the Construction Sector

Much Shelist law firm logo

The recent, well-publicized retail store data breach controversies have spawned a number of lawsuits and insurance claims. Not surprisingly, insurers have responded with attempts to fight claims for coverage for such losses. Insurance underwriters are carefully monitoring decisions being handed down by courts in these lawsuits. All of this activity has led to a new emphasis on cyber and technology risk and assessments, as well as on insurance-program strategies.

These developments have ramifications for the construction industry that include, and go well beyond, the data-breach context. Contractors, design professionals and owners may find that in addition to losses caused by data breaches, other types of losses occasioned by technology-related incidents may not be covered by their existing insurance programs.

Specifically, insureds may find themselves with substantial coverage gaps because:

  • data and technology exclusions have been added to general liability policies.

  • such losses typically involve economic losses (as opposed to property damages or personal-injury losses) that insurers argue are not covered by general liability policies.

  • data and technology losses may be the result of manufacturing glitches rather than professional negligence covered by professional liability policies.

Coverage for claims involving glitches, manufacturing errors and data breaches in technology-driven applications — such as Building Information Modeling (BIM), estimating and scheduling programs, and 3D printing — may be uncertain. A number of endorsements are currently available for data breach coverage, but insurers don’t necessarily have the construction industry in mind as they provide these initial products.

In addition, there is no such thing as a “standard” cyber liability policy, endorsement or exclusion. Insurers have their own forms with their own wording, and as seemingly minor differences in language may have a significant impact in coverage, such matters should be run past counsel.

Construction insurance brokers are telling us that insurers are in the process of determining how to respond to cyber and technology risk claims, what products to offer going forward, and how to underwrite and price these products. Keith W. Jurss, a senior vice president in Willis’s National Construction Practice warns:

“As the construction industry continues to identify the unique “cyber” risks that it faces we are identifying gaps in the current suite of “cyber” insurance coverages that are available.  In addition, new exclusionary language related to cyber risk under CGL and other policies adds to the gap.  The insurance industry is slowly beginning to respond with endorsements that give back coverage or new policies designed to address the specific risks of the construction industry.

“As we identify cyber insurance underwriters willing to evaluate the risks specific to the construction industry, we are seeing the development of unique solutions in the market. There is, however, more work required and as construction clients continue to demand solutions the industry will be forced to respond.”

Consequently, this is a time to stay in close touch with qualified construction insurance brokers who understand the sector and have their hands on the pulse of the latest available cyber and technology risk products. As these products become available, clients may also want to consider what cyber and technology risk coverage to require on projects and whether to include these requirements in downstream contracts.

ARTICLE BY

OF

Employment Related Lawsuits Are on the Rise. Are You Covered?

Gilbert LLP Law FirmOn September 25, 2014, the Equal Employment Opportunity Commission (“EEOC”) filed the first two suits in its history challenging transgender discrimination under the 1964 Civil Rights Act.  As discrimination litigation evolves, it is important to know whether your insurance coverage is evolving with it.

Coverage for employee-related lawsuits has always been important, but the increase in suits brought by the EEOC over the last several years (and the last several decades) has made employment practices liability (“EPL”) insurance of particular importance to protecting your company.  Last year, the EEOC recovered a record-setting $372.1 million.

Now, the scope of EEOC suits is increasing as a result of the EEOC’s ongoing efforts to implement its Strategic Enforcement Plan (“SEP”), adopted in December of 2012.  As part of its SEP, the EEOC makes “coverage of lesbian, gay, bisexual and transgender individuals under Title VII’s sex discrimination provisions, as they may apply” a “top commission enforcement priority.”

Comprehensive general liability (“CGL”) policies, are a type of commercial third-party liability insurance.  Most businesses in the United States purchase CGL policies in order to protect against the risk of suits by third parties.  If a patron sues you for a slip and fall in your mom-and-pop shop, your CGL policy probably covers the suit.  Likewise, if you distribute across the entire country a product that allegedly causes bodily harm to thousands of people, your CGL policy probably covers the suits.

As broad as CGL coverage is, however, it is only one piece to a balanced insurance portfolio.  CGL policies typically exclude coverage for suits brought by employees of the company.  EPL polices step in to fill one part of the gap in coverage.  Other parts of the gap are filled by workman’s compensation policies and directors and officers liability policies.

A typical EPL policy may list a number of categories of protected classes covered by insurance, and then add coverage for “other protected classes.”  A policy may also protect against claims for “Discrimination,” and define that discrimination broadly to mean “any actual or alleged violation of any employment discrimination law.”  However, some polices offer more limited coverage.  For example, some carriers may restrict coverage to only sexual harassment.

Just as you protect your company from fire by installing sprinklers in your warehouses and doing regular safety inspections, it is imperative that you keep your employment practices up to date.  Educate your employees on proper workplace behavior, and try to think about ways to get ahead of the curve to minimize your liability for alleged workplace discriminations.

Just as discrimination litigation is evolving, other areas of litigation continue to evolve and create new risks for your company.  In addition, coverage law continues to evolve across the United States, on a state-by-state basis.  As coverage law evolves, it has a direct effect on the value of your insurance portfolio.

ARTICLE BY

OF

Illinois Guaranty Fund Gets Setoff From Statutory Dram Shop Limit Rather Than Jury Verdict

Heyl Royster Law firm

Eighteen-year-old boy was killed in a head-on collision with a vehicle driven by an intoxicated person. His parents received $26,550 from the drunk driver’s insurance carrier and $80,000 from their own insurance carrier. They subsequently filed a dram shop suit. While it was pending, the dram shop’s insurance carrier was declared insolvent, and the Illinois Guaranty Fund assumed the defense. The issue was whether the $106,550 should be set off from a potential jury verdict or from the statutory dram shop limit of $130,338.51. The Fifth District held the setoff should be applied against the jury verdict.

The Supreme Court reversed and held the setoff should be applied against the statutory limit. The Fund’s obligation cannot be expanded by a jury verdict. It can only be reduced by other insurance. Rogers v. Imeri, 2013 IL 115860.

© 2014 Heyl, Royster, Voelker & Allen, P.C
OF

Not By "Any Manner" Of Means: Securing Cyber-Crime Coverage After Zurich v. Sony

Gilbert LLP Law Firm

Much has been written about the New York Supreme Court’s landmark ruling in Zurich American Insurance Co. v. Sony Corp., Index. No. 651982/2011 (N.Y. Supr. Ct. Feb. 21, 2014), in which a New York trial court denied coverage to Sony Corporation for liabilities stemming from a 2011 cyber-attack on its PlayStation Network. The court held that while a wide-scale data breach represents a “publication” of private information, the PlayStation Network breach did not fall within the ambit of Sony’s commercial general liability (“CGL”) policy because the policy covered only publications by the insured itself—not by third-party hackers. The court rejected Sony’s argument that the phrase “in any manner,” which qualified the word “publication” in Sony’s policy, sufficed to broaden coverage to encompass third-party acts. Instead, the court determined that the “in any manner” language referred merely to the medium by which information was published (e.g., print, internet, etc.), not the party that did the publishing.

Most of the commentary surrounding Sony has focused on the court’s interpretation of the phrase “in any manner.” But that aspect of the court’s ruling was relatively unremarkable: other courts have similarly limited the phrase, most notably the Eleventh Circuit Court of Appeals inCreative Hospitality Ventures, Inc. v. United States Liability Insurance Co., 444 Fed. App’x 370 (11th Cir. 2011) (holding that the issuance of a receipt to a customer containing more than the last five digits of the customer’s credit card number does not represent a publication). Lost in theSony debate is the fact that Sony may be able to prevail on appeal even if the appellate court refuses to adopt a broad reading of the “in any manner” language. Indeed, Sony can make a compelling case that the term “publication,” when read in context with the policy as a whole, is intended to encompass both first-party and third-party acts.

In focusing narrowly on the language of the advertising injury coverage grant, the Sony court overlooked a “cardinal principal” of insurance law: namely, that an insurance policy “should be read to give effect to all its provisions and to render them consistent with each other.”Mastrobuono v. Shearson Lehman Hutton, Inc., 514 U.S. 52, 63 (1995). Had the court taken a more holistic approach, it might have noticed that language in other parts of the policy evidenced the insurers’ intent to cover third-party publications. If Sony’s policy resembled the standard Insurance Services Office, Inc. (“ISO”) CGL policy, its exclusions section was surely riddled with clauses restricting coverage for certain types of injury “caused by or at the direction of the insured.” Only six of the exclusions in the ISO policy are not so qualified, including the absolute pollution exclusion and the exclusion for publications that occur prior to the policy period. It makes sense that insurers would wish to broadly exclude such categories of injury, just as it makes sense that exclusions for intentionally injurious acts would be written narrowly to apply only to the insured’s own actions. These carefully worded exclusions—when read together and in context with the policy as a whole—evidence a conscious decision by Sony’s insurers to exclude some injuries only if caused by the insured, while excluding other types of injury regardless of who, if anyone, is at fault. This, in turn, suggests that the insurers contemplated coverage for third-party acts unless such acts are expressly excluded.

Nowhere is this better illustrated that in the ISO policy’s exclusion for intellectual property infringement. This exclusion purports to broadly bar coverage for injury “arising out of the infringement of copyright, patent, trademark, trade secret or other intellectual property rights.” However, this broad exclusion is qualified by the caveat that it “does not apply to infringement,in your ‘advertisement’, [sic] of copyright, trade dress or slogan.” Thus, the exclusion bars coverage in the first instance for all intellectual property infringements irrespective of the identity of the perpetrator, then adds back coverage for certain acts of the insured. This evidences the insurer’s understanding that unless otherwise excluded, the policy affords coverage for advertising injury regardless of who caused it.

At minimum, the fact that the ISO policy exclusions vary with respect to whether they exclude all acts or only first-party acts should be sufficient to raise an ambiguity, thus triggering “the common-law rule of contract interpretation that a court should construe ambiguous language against the interest of the party that drafted it.” Mastrobuono, 514 U.S. at 62. Even if the policy does not unambiguously afford coverage for third-party publications, it is at the very least “susceptible to more than one reasonable interpretation.” Discovision Assocs. v. Fuji Photo Film Co., Ltd., 71 A.D.3d 448, 489 (N.Y. App. Div. 2010) (internal quotation marks and citation omitted). Pointing to ambiguity in the policy as a whole would provide policyholders such as Sony with a more plausible and straightforward avenue to securing coverage for third-party publications than does narrowly parsing the phrase “in any manner.”

The question of whether third-party publications are covered under the typical CGL policy is of crucial importance to policyholders seeking insurance recovery for cyber-crime injuries. Importantly, victory on this point by Sony or another hacking victim would transform Sony into a policyholder-friendly decision, because the Sony court answered the other difficult question presented in the case—whether a data breach represents a “publication”—in favor of coverage. If the appellate court is willing to look past the narrow language of the advertising injury coverage grant and focus on Sony’s policy as a whole, Sony will have a good chance of prevailing on appeal and, in doing so, will set a strong precedent in favor of cyber-crime coverage for hacking victims.

ARTICLE BY