Struck by CrowdStrike Outage? Your Business Loss Could Be Covered

Over the last week, organizations around the globe have struggled to bring operations back online following a botched software update from cybersecurity company CrowdStrike. As the dust settles, affected organizations should consider whether they are insured against losses or claims arising from the outage. The Wall Street Journal has already reported that insurers are bracing for claims arising from the outage and that according to one cyber insurance broker “[t]he insurance world was expecting to cover situations like this.” A cyber analytics firm has estimated that insured losses following the outage could reach $1.5 billion.

Your cyber insurance policy may cover losses resulting from the CrowdStrike outage. These policies often include “business interruption” or “contingent business interruption” insurance that protects against disruptions from a covered loss. Business interruption insurance covers losses from disruptions to your own operations. This insurance may cover losses if the outage affected your own computer systems. Contingent business interruption insurance, on the other hand, covers your losses when another entity’s operations are disrupted. This coverage could apply if the outage affected a supplier or cloud service provider that your organization relies on.

Cyber policies often vary in the precise risks they cover. Evaluating potential coverage requires comparing your losses to the policy’s coverage. Cyber policies also include limitations and exclusions on coverage. For example, many cyber policies contain a “waiting period” that requires affected systems to be disrupted for a certain period before the policy provides coverage. These waiting periods can be as short as one hour or as long as several days.

Other commercial insurance policies could also provide coverage depending on the loss or claim and the policy endorsements and exclusions. For example, your organization may have procured liability insurance that protects against third-party claims or litigation. This insurance could protect you from claims made by customers or other businesses related to the outage.

If your operations have been impacted by the CrowdStrike outage, there are a few steps you can take now to maximize your potential insurance recovery.

First, read your policies to determine the available coverage. As you review your policies, pay careful attention to policy limits, endorsements, and exclusions. A policy endorsement may significantly expand policy coverage, even though it is located long after the relevant policy section. Keep in mind that courts generally interpret coverage provisions in a policy generously in favor of an insured and interpret exclusions or limitations narrowly against an insurance company.

Second, track your losses. The outage likely cost your organization lost profits or extra expenses. Common business interruption losses may also include overtime expenses to remedy the outage, expenses to hire third-party consultants or technicians, and penalties arising from the outage’s disruption to your operations. Whatever the nature of your loss, tracking and documenting your loss now will help you secure a full insurance recovery later.

Third, carefully review and comply with your policy’s notice requirements. If you have experienced a loss or a claim, you should immediately notify your insurer. Even if you are only aware of a potential claim, your policy may require you to provide notice to your insurer of the events that could ultimately lead to a claim or loss. Some notice requirements in cyber policies can be quite short. After providing notice, you may receive a coverage response or “reservation of rights” from your insurer. Be cautious in taking any unfavorable response at face value. Particularly in cases of widespread loss, an insurer’s initial coverage evaluation may not accurately reflect the available coverage.

If you are unsure of your policy’s notice obligations or available coverage, or if you suspect your insurer is not affording your organization the coverage that you purchased, coverage counsel can assist your organization in securing coverage. Above all, don’t hesitate to secure the coverage to which you are entitled.

Listen to this post

Medical Staff Leaders: 10 Things Your Lawyers Want You to Know

Whether you are new to medical staff leadership or have served in the past and have been called to serve again, there are times when you will need to consult a lawyer who specializes in medical staff matters. While there is nothing simple about medical staff affairs, there are some basic guidelines and protections that your lawyers would like you to know that will make your term easier and make you more effective.

Understand that hospitals and medical staffs are highly regulated organizations with a myriad of laws and standards that must be followed. As a medical staff leader, advisor or medical staff professional, you are leading and advising the professionals responsible for practitioner competence and conduct within the organization. Medical staff law has evolved from the lawyer in the office who would return your call in a week, or fax you a letter, to a specialty area where your lawyer is your partner and there to assist in all aspects of medical staff affairs.

We hope you will benefit from and find the following 10 recommendations make your term or role more informed and manageable.

10. Keep Your Governance Documents Up to Date and Reflective of Actual Practice.

We don’t suggest you must read every page of your governance documents, but you should be sure you know where to look and how to use them. Governance documents include the medical staff bylaws, credentialing manual, hearing plan, rules and regulations, policies and other documents approved by the medical staff and designed to set and guide medical staff processes. Too often we have found the documents will conflict or are missing critical passages. Your medical staff bylaws or medical staff governance committee can be one of the strongest committees in the organization. This is the committee that will annually review the documents and make sure they are internally consistent, reflect actual practice and are relevant to your organization’s practice and clinical services. Remember the medical staff bylaws set the overall guiding principles for the medical staff organization. All other governance documents flow from the foundation of the medical staff bylaws and must be consistent with their principles and mission. Undoubtedly, there will be some inconsistencies but look at those inconsistencies as opportunities to reexamine the principles and consider what is best for your organization. All governance documents should be reviewed in the context of the laws and regulations that require these documents. State and federal laws and regulations set out the basic requirements for the contents of the documents, as do many of the accreditation standards. It is far better to review and revise your governance documents regularly, rather than learn they are deficient during an unannounced survey or regulatory proceeding.

9. Use Your Committees Effectively.

There are two types of committees: those with authority to act and those that are advisory. The committees with authority are generally the Medical Executive Committee (“MEC”) and clinical department committees. All other committees are advisory to the MEC. Advisory committees can develop and recommend policies, rules and clinical practices. Authoritative committees approve policies and rules, take disciplinary action and make recommendations to the MEC. The MEC is the final medical staff authority that submits recommendations for final approval to the governing body. Knowing which committees to use and when is key to leadership success.

8. Know the Scope of Your Authority.

As a leader, you are an agent of the medical staff and the spokesperson for the committee/ department you chair. There are times when you will need to act without the benefit of input from your committee/department. Medical staff bylaws will generally identify the circumstances under which you can act alone and when your action(s) will need to be ratified by the committee. As the chair, you are acting on behalf of the committee/ department between meetings. Do what is needed when needed, within the scope of your authority, but report your actions to the committee/department on a regular basis and be sure your actions are properly recorded in the appropriate minutes. If summary or urgent action is needed, do not hesitate to call a special meeting. You are better off to have the protection of a committee action than to be acting alone or without ratification.

7. Know the Peer Review Protections of HCQIA, Your State and Organization.

Many, if not most, of your actions and the actions of your committees will be covered by federal, state and organizational protections. The Healthcare Quality Improvement Act (“HCQIA”) provides protection from liability for members of a professional review body/ medical staff, who take a professional review action (a) in the reasonable belief the action was in furtherance of quality health care, (b) after a reasonable effort to obtain the facts, (c) after adequate notice and hearing and (d) in the reasonable belief that the action was warranted by the facts. In addition to this federal protection, many states have laws that similarly protect peer review participants, and often, your organization will have an indemnification policy or provision that further protects you and your committee members from damages. Remind your committee participants and members on a regular basis of these protections and that they were specifically designed to encourage peer review by allowing free discussions aimed at improving patient care.

6. Know Your Reporting Obligations.

The National Practitioner Data Bank (“NPDB”) defines the circumstances under which a physician or dentist must be reported. Those include (a) when a professional review action adversely affects their clinical privileges for 30 days or longer or (b) when a physician surrenders clinical privileges while under investigation or in exchange for not conducting an investigation. The failure to report when required to do so can result in the loss of immunities under HCQIA for up to three years, along with a monetary fine. There are many nuances to reporting to the NPDB and we recommend you consult a medical staff attorney who can assist with identifying when to report and what to say. Additionally, each state may have reporting requirements for professional review actions to the state licensing board that exceed the NPDB’s requirements. The state licensing board may also have defined penalties for failure to report. In one state, the knowing failure of a physician leader to report a practitioner to the state licensing board can be considered unprofessional conduct, which can subject the physician leader to state board action.

5. Understand Confidentiality and Peer Review Privilege Protections.

A best practice at the beginning of each meeting is to remind committee members of the importance of maintaining confidentiality. State peer review privileges and protections are often dependent on maintaining confidentiality of the records and proceedings. The failure to maintain confidentiality can act as a waiver of the privilege and permit the introduction of confidential peer review documents and testimony in litigation in the future. Peer review privileges and protections are designed to promote candor in the peer review process. This permits free discussion and identification of opportunities to improve patient care. Without confidentiality and the corresponding privileges and protections, committee members would be reluctant to analyze and frankly discuss areas for improvement in a peer’s clinical care. Obtain information about your state’s peer review privilege and protections and fully understand the circumstances that may cause a waiver, which would permit confidential peer review information to be discussed in open court and stifle important, free-flowing discussion of quality of care at peer review meetings.

4. Know Your Options.

Every professional competence or conduct situation you face will be different. A sound guideline to generally follow is selecting the least restrictive action that will protect patients. Keep in mind that the goal of all peer review is education and remediation. For example, if a practitioner is having complications with robotic surgery, evaluate whether the complications are the result of technical skill, which can be remediated with more practice, or if the complications are the result of poor clinical judgment, which reaches into all areas of performance. In the first case, proctoring, monitoring or an additional educational course may correct the problem. But with the second, the cause of poor judgment is more challenging and may require a further workup, including a fitness for duty evaluation, retrospective review of cases, or an external expert review. Work with your committee and medical staff lawyer to identify all the facts and options to address the problem that has been brought to your attention. In some cases, it may be appropriate to have the issue addressed by the individual’s department or interdisciplinary peer review committee, but in others, the nature of the problem may require the immediate attention of the MEC. In some cases, a discrete referral to your organization’s well-being committee may be appropriate. Regardless, each matter must be carefully and thoughtfully analyzed in light of all the available facts. Then, with all appropriate actions on the table, an informed determination may be made.

3. Act When Indicated but Don’t Shortcut the Process.

. The law and your medical staff bylaws provide for the ability to take emergency action against a practitioner’s privileges when there is a concern of imminent threat to patients or others. What constitutes an “imminent” threat or danger is often the source of hours of discussion and analysis by medical staff lawyers throughout the country. Your legal team is invaluable in working through the facts of a given matter and determining whether a decision for summary suspension is legally sound. If there is a circumstance where emergency intervention via summary suspension is necessary to avoid patient harm after an initial evaluation of the matter, do not hesitate! Take the action to summarily suspend and remove an errant practitioner from the bedside. Afterward, there is time to re-examine the basis for the action and analyze whether continued suspension is necessary to protect patients or others. At that time, it is important to call on your MEC and legal team for their analysis and determination of whether the summary suspension should be upheld.

There are also times when summary suspension will be considered prospectively to address a chronic problem that is rising to an acute stage. The practitioner whose disruptive, bullying and retaliatory conduct has been tolerated may have reached a level where the cumulative effect creates the potential for patient harm because staff, for example, are afraid to call the physician at night about a patient’s health condition, seek clarification of an order, or question whether a procedure is being done on the right side or on the correct patient. Following the medical staff bylaws investigation process will allow for a careful analysis of the reported conduct, which will provide a solid framework for later defense, should it be necessary. That process will almost always involve a committee evaluation of the facts, interview of the practitioner, and a determination of the appropriate next steps. Each of these steps, if followed, will support the action when later scrutinized by a court or jury.

2. Do What is Right for the Patients.

Always put the patients first. There may be procedural missteps during a disciplinary process as the healthcare organization balances the need to protect patients with providing a practitioner due process. However, if the peer review being conducted is based in the foundation of improving patient care and patient safety, courts will generally consider the health care organization’s goals before making a determination that would go against the organization and potentially place patients in harm’s way.

1. Utilize Internal or External Counsel to Navigate Medical Staff Law so You Can Focus on Improving Patient Care.

I (Erin) was asked recently what possible motivation there would be for a physician to enter leadership in a medical staff organization if their role consisted solely of consulting with a medical staff lawyer. In response, I reminded this physician that medical staff leadership and medical staff lawyers work together on challenging matters and daily operations with the lawyer recommending limitations and guardrails and advising on how to avoid legal missteps and pitfalls. This advice from the lawyer enables the leader to focus on monitoring the business of the organization and improving patient care.

Final Take-Aways

Our medical staff organizations need people who are willing to serve as leaders during challenging times when caregivers are stretched thin, suffering burnout and subjected to daily difficulties that can be demoralizing. Strong leaders who are reassured of their legal protections can perform their leadership responsibilities without fear of reprisal when following the advice of their legal counsel. We encourage you to reach out and make your lawyer an integral part of your team so that they can understand your organization and business and provide you the best available advice that will reassure you and other leaders in the organization of the legal protections and immunities.

© Polsinelli PC, Polsinelli LLP in California

Hurricanes and Act of God Defenses

Maritime contracts for services generally include clauses for performance, demurrage, deviation, termination, and suspension. Performance may be affected by an Act of God or Force Majeure clause and event. A typical Force Majeure clause reads as follows:

Except for the duty to make payments hereunder when due, and the indemnification provisions under this Agreement, neither Company nor Contractor shall be responsible to the other for any delay, damage or failure caused by or occasioned by a Force Majeure Event as used in this Agreement. “Force Majeure Event” includes: acts of God, action of the elements, warlike action, insurrection, revolution or civil strife, piracy, civil war or hostile action, strikes, differences with workers, acts of public enemies, federal or state laws, rules and regulations of any governmental authorities having jurisdiction in the premises or of any other group, organization or informal association (whether or not formally recognized as a government); inability to procure material, equipment or necessary labor in the open market acute and unusual labor or material or equipment shortages, or any other causes (except financial) beyond the control of either Party. Delays due to the above causes, or any of them, shall not be deemed to be a breach of or failure to perform under this Agreement.

A. Act of God

Act of God or Force Majeure is a defense to many contractual obligations, including performance, deviation, and demurrage. It may also be the basis to suspend or terminate a maritime agreement for cause. It is defined as an abnormal natural event that is overwhelming and cannot be forestalled nor controlled. Skandia Ins. Co., Ltd. V. Star Shipping, AS, 173 F.Supp. 2d 1228 (S.D. Ala. 2001) (Hurricane Georges cargo claim). It is also a defense to certain tort claims like collisions and allisions occurring during a storm. Petition of U.S., Heide Shipping & Trading v. S.S. Joseph Lykes, 425 F.2d 991 (5th Cir. 1970) (vessel break-away in Hurricane Betsy).

When plead, a party must demonstrate that it was prudent in predicting and attempting to avoid the impact of the overwhelming and unexpected natural event and took reasonable precautions under the circumstances. A failure to perform or third party tort damages are not subject to an Act of God defense if the failure results from human agency, neglect or an unseaworthy condition. Compania DeVapores Ins. Co., SA v. Mo-Pac R.R. Co., 232 F.2d 657 (5th Cir. 1985) (cargo claim for failure to take reasonable steps to guard against wind storm).

Following Hurricane Katrina, the U.S. District Court for the Eastern District of Louisiana held that a category 4 or 5 hurricane was an Act of God sufficient to bar a tort claim by a marina owner against the owner of a vessel that broke away from her berth, drifted and hit another vessel. The defense of Act of God applied because, 1) the accident was due exclusively to abnormal natural events without human interest, and (2) there was no intervening negligent behavior by the vessel owner. J.W. Stone Oil Dist., LLC v. Bollinger Shipyard, 2007 WL 2710809 (E.D. La. 2007). Judge Lemmon held in Stone Oil that hurricanes are considered as a matter of law to be an Act of God and defensible unless there is an intervening and contributing act of individual negligence. This obligation includes taking reasonable precautions based upon all available information.

In Simmons v. Lexington Ins. Co., 2010 WL 1254638 (E.D. La. 2010), aff’d., 401 Fed. Appx. 903 (5th Cir. 2010), J),  the courts similarly considered whether reasonable precautions had been taken by a marina to protect a sailboat during Hurricane Katrina under both Louisiana and maritime law. The Court reviewed other Katrina cases, including Conagra Trade Group, Inc. v. AEP Memco, LLC, 2009 WL 2023174 (E.D. La. 2009), and Coex Coffee Int’l., Inc. v. Dupuy Storage & Forwarding, LLC, 2008 WL 1884041 (E.D. La. 2008). (Katrina’s unprecedented flooding and devastation was an Act of God defense.) In Conagra, supra, Judge Fallon was asked to review a contract of affreightment for a cargo of wheat aboard a barge that sunk. Memco was found not negligent in delivering its barge of cargo to an affected berth several days before the weather forecast accurately predicted the landfall of Katrina.

In re S.S. Winged Arrow, 425 F.2d 991 (5th Cir. 1970), affirmed that where a vessel had been sufficiently moored based upon the anticipated path of Hurricane Betsy, the Act of God defense applied to relieve its owner of  tort damages resulting from its breakaway. From a review of the case law involving severe weather events, it is apparent that Act of God defenses will be granted as a defense to both third party tort claims and also contractual claims for failure to perform where reasonable decisions and precautionsunder the circumstances have been made.

B. Performance Clauses

Clauses for demurrage, detention or laytime usually involve delays in the loading or unloading of cargo or the delivery of goods and materials. Laytime is the period of time allowed for loading and unloading. Demurrage and detention are sums paid to compensate for time lost related to the delivery of equipment or cargo. Demurrage begins to run after the passage of laytime or the agreed time of delivery and performance. Damages are awarded for failure to perform. Deviation is an obligation to maintain a proper course in ordinary trade and to timely arrive at the agreed destination. All deviation clauses are subject to certain liberties. Any deviation may affect insurance and hire.

Typically a contract for maritime services can be terminated for cause or for convenience. Similarly, parties may negotiate terms to suspend performance, which would suspend payment of hire and performance of services. A suspension clause is typically an off-hire clause where the contract terms remain but no hire is paid. Usually a vessel owner will be compensated and reimbursed for certain additional expenses if a contract is terminated for convenience. An Act of God clause excuses delays in performance, but in most cases serves to either suspend performance or terminate the contract for cause as between the parties.

Similar defenses are also statutorily allowed under COGSA. Under the COGSA “perils of the sea” defense, a carrier and vessel are not liable for cargo damage proximately caused by an Act of God where the carrier is not independently negligent and its vessel seaworthy when confronted with an unexpected and abnormal event of nature. 46 USC 1304(2) (c) & (d) ; J.Gerber & Co. v S/S SABINE HOWALDT 437 F.2d. 580 (2nd Cir. 1971); Taisho Marine & Fire Ins. Co. v. Sea-Land ENDURANCE 815 F. 2d. (9th Cir. 1270).

C. Conclusion

The purpose of an Act of God clause in a contract or asserted as a defense to a maritime tort is to relieve a defendant from liability for performance and damages where there was an extreme natural event. Whether a particular storm or natural event is considered an ACT OF GOD is a question of fact. The factors to be considered in accessing an ACT OF GOD/FORCE MAJEURE include the intensity of the natural event and whether the conditions would normally be expected. In order to avail oneself of the ACT OF GOD defense a defendant must show a causal connection between the loss and the peril as well as defendant’s freedom from fault.

This post was written by Grady S. Hurley of Jones Walker LLP © 2017

For more legal analysis go to The National Law Review