Tag: Insurance Law

Federal Judge Sides with Business Owners in Losses Resulting from Pandemic

A federal judge in Kansas City ruled that policyholders whose businesses have been interrupted as a result of the coronavirus pandemic may proceed with their cause of action against their insurers.

U.S. District Court Judge Stephen Bough of the Western District of Missouri who is presiding over a case involving multiple business owners ruled Aug. 12, 2020, that policyholders claiming a loss due to the pandemic may move forward with their cases because they made a plausible argument that their property losses were a direct physical loss attributable to COVID-19.

The seven business plaintiffs in the Kansas City case, led by Studio 417 salon, argued that coronavirus is a widespread airborne virus that very well could have been present in its business establishment, even though it might be undetectable by the naked eye. The presence of this virus rendered their businesses unsafe and unusable, thereby forcing their shutdowns by various municipalities or states’ orders. That shutdown, they argued, triggered their insurance coverage due to the presence of the virus that led to a physical loss even it did not cause structural physical damage. Studio 417, Inc., et al. v. The Cincinnati Insurance Co., Case No. 20-cv-03127-SRB.

Judge Bough ruled that under the ordinary meaning of “physical loss,” the policyholder suffered a loss when the spread of coronavirus led to prohibition or restrictions on their businesses. He cited a previous case of U.S. District Court Judge Catherine Perry of St. Louis in Mehl v. Travelers that denied summary judgment to an insurance company when a policyholder alleged his house was uninhabitable because of an infestation of spiders. “Mehl supports the conclusion that ‘physical loss’ is not synonymous with physical damage,” Judge Bough wrote in his opinion, and further commented that “other courts have similarly recognized that even absent a physical alteration, a physical loss may occur when the property is uninhabitable or unusable for its intended purpose.”

© 2020 by Clifford Law Offices PC. All rights reserved.
ARTICLE BY Clifford Law
For more articles on insurance, visit the National Law Review Insurance Reinsurance & Surety section.

Riot-Related Damage and Income Losses are Covered under Most Business Owners’ Policies

Following the deaths of George Floyd, Breonna Taylor, Ahmaud Arbery, Tony McDade, and Rayshard Brooks, protests against systematic racism in general, and police brutality in particular, have swept the globe. These protests have largely been peaceful, but a small, fractious group of individuals has used the protests as cover to incite violence, damage property, and loot businesses. While it might be cold comfort to the affected business owners to hear that property damage is not the norm, most have insurance that protects their pecuniary interest.[1]

 First-party property insurance policies generally include riot and civil commotion as covered causes of loss, unless there is a specific exclusion in the policy. Although courts have acknowledged that defining a “riot” can be difficult because they can vary in size, courts have identified at least four elements:

  1. unlawful assembly of three or more people (or lawful assembly that due to its violence and tumult becomes unlawful);
  2. acts of violence;
  3. intent to mutually assist against lawful authority where “lawful authority” is not limited to official law enforcement, but extends to those whose rights are or may be injured and who seek to protect those rights; and
  4. some degree of public terror (i.e., any minor public disturbance does not rise to the level of “riot”).

Blackledge v. Omega Ins. Co., 740 So. 2d 295, 299 (Miss. 1999).

Civil commotion likewise is undefined in most property policies. As a starting point, the term necessarily means something other than “riot,” since each term in an insurance policy is presumed to have its own meaning. See, e.g., Portland Sch. Dist. No. 1J v. Great Am. Ins. Co., 241 Or. App. 161, 171 (2011). Thus, while “civil commotion” may be similar to a riot, courts have construed the term more broadly, finding that civil commotion entails “either a more serious disturbance or one that is a part of a broader series of disturbances.” Pan Am. World Airways, Inc. v. Aetna Cas. & Sur. Co., 368 F. Supp. 1098, 1138 (S.D.N.Y. 1973), aff’d, 505 F.2d 989 (2d Cir. 1974). In fact, most property policies contain no limitation on the breadth of commotion or the type of harm that it might pose to person or property.

In many policies, riot, civil commotion, vandalism, and malicious mischief are “specified causes of loss.” The practical effect of this designation is that numerous exclusions will contain exceptions for loss caused by these situations. For example, while damage to a business’s electronic data may be excluded, the exclusion may contain an exception for damage to electronic data resulting from specified causes of loss, such as riot or civil commotion. Similarly, even where the policy contains a pollution exclusion – purportedly excluding loss, damage, cost, or expense caused by or contributed to or made worse by the release of “pollutants,” which could include tear gas – that exclusion may not apply to loss or damage caused by riot, civil commotion, or vandalism.

If a policy covers riot or civil commotion, covered losses may include property damage to the building and its contents, and lost income while the building is under repair or subject to government orders affecting the business’s operations (e.g., curfews limiting hours of operation) where the order is the result of property damage elsewhere. Business insurance policies may also cover costs incurred in protecting insured property from future, imminent harm or continued damage. These costs might include hiring (or increasing) security personnel, boarding up windows and doors, securing inventory in place or moving inventory and operations off-site.

Prior to the riots in Minneapolis, Minnesota, the costliest U.S. civil disorder occurred after the acquittal of police officers involved with the arrest and beating of a black American, Rodney King, from April 29 through May 4, 1992, causing $775 million in insured losses.[2] More recently, there were approximately $24 million in insured losses following the death of Freddie Gray, a black American who died in police custody after suffering a spinal cord injury.[3] Insured losses are not yet available for the riots in Minneapolis, but the Property Claims Services (“PCS”) unit of Verisk Analytics designated the event as a catastrophe. On June 4, 2020, PCS included over 20 other states, making the civil unrest that started in Minnesota a multi-state catastrophic event.[4]

If your business has experienced or may experience a loss because of civil unrest or riots, you should begin keeping track of these losses – and costs incurred to avoid them – immediately. Save receipts and inventory damages. Contact your insurance company as soon as you experience a loss to report your claim and diligently log your interactions with your insurer and its representatives. If you feel your insurer wrongfully denied your claim or delayed payment, contact experienced insurance coverage counsel.

[1] The authors by no means intend to equate property damage and a lost life. Quite the opposite. One is recoverable (and insurable); the other is irreplaceable.

[2]  https://www.iii.org/fact-statistic/facts-statistics-civil-disorders (last viewed June 15, 2020).

[3] Id.

[4] Id. By June 4, 2020, at least 40 cities in 23 states had imposed curfews. National Guard were called in Washington, D.C. and at least 21 states.

Copyright © 2020, Hunton Andrews Kurth LLP. All Rights Reserved.
For more on property insurance amid protests, see the National Law Review Insurance, Reinsurance and Surety law page.

A Word About Business Interruption Claims From Vandalism, Riot and Civil Commotion

The death of George Floyd is a national tragedy that should never have happened.  The winds of change are in the air and we can only hope that peace, understanding, justice and fairness for all will prevail.  What happened to George Floyd and the cries to end racial injustice, however, have been overshadowed in the eyes of many by the vandalism, looting and rioting that followed.  That brings us to insurance.

There have been many articles discussing whether and how the business losses arising from the vandalism and looting will be covered under insurance policies.  Because these losses took place during the novel coronavirus pandemic, the insurance coverage issues have become more complex.  This is particularly true for business interruption claims.

There are three issues that I thought were worth highlighting.  The first concerns the confluence of the existing COVID-19 stay-home orders and the vandalism and looting.  The second is the necessary nexus between direct physical damage and civil orders under coverage for civil authority.  Finally, the effect of anti-concurrent cause clauses in property policies.

First, some of the business interruption claims now being brought by businesses that had to shut down because of the protests or because of the curfew orders have been complicated by overlapping civil authority stay-home orders because of the novel coronavirus.  Where a business was closed because of COVID-19 stay-home orders or was open only to provide curbside pickup or delivery services, how is its loss of income and extra expense calculated if the business had to close because of the civil unrest?  Analyzing this issue requires much more space than this blog post can provide.  It is a complicated issue that depends on exactly what coverage is provided and how loss of income is calculated under the relevant business interruption coverage grant.

Just as an example, under a common business income and extra expense coverage form, the amount of business income loss is determined based upon the net income of the business “before the direct physical loss or damage occurred,” the likely net income of the business “if no physical loss or damage has occurred . . . ” and “the operating expenses, including payroll expenses, necessary to resume operations with the same quality of service that existed just before the direct physical loss or damage.”  When applied to the recent vandalism and looting business interruption losses, the net income before the vandalism and looting may have been much less than in months or years past because of the COVID-19 stay-home orders.  If no vandalism and looting had occurred, the likely net income would have been the same as under the existing COVID-19 stay-home orders; that is to say, most likely diminished from prior periods.  Yet some are pushing for the COVID-19 effect not to be considered at all in the calculation of net income in the context of business interruption losses due to vandalism and looting.

Second, civil orders that prevented ingress and egress to and from businesses because of the threat of violence from possible protests likely will not be sufficient to trigger coverage under business interruption civil order provisions.  The common form requires a nexus between direct physical damage and the civil order.  For example, the action of civil authority must be “taken in response to dangerous physical conditions resulting from the damage or continuation of the Covered Cause of Loss that caused the damage. . . .”  If a local government shuts down a business district in advance of a protest and before there is any physical damage to property, that civil order should not trigger coverage under the business interruption coverage grant.  A civil order that shuts down a business district after vandalism because the area is dangerous likely would result in some coverage under the business interruption coverage grant depending on other policy factors.

Finally, some property policies limit coverage to covered causes of loss and preclude coverage if the loss was caused in part by a non-covered cause of loss.  For example,

We will not pay for loss or damage caused directly by any of the following. Such loss or damage is excluded regardless of any other cause of event that contributes concurrently or in any sequence to the loss.  These exclusions apply whether or not the loss event results in widespread damage or affects a substantial area.

If an insurance policy excludes a cause like looting, but covers vandalism, even if the loss was caused in part by looting, the anti-concurrent causation clause would preclude coverage.  So too, if part of the loss claimed was caused by the novel coronavirus and the policy has a virus exclusion, that would preclude the loss even if part of it was caused by vandalism.

As always, it is most important to read the complete policy because not all insurance policies are the same.  Nevertheless, there is no doubt that business interruption losses arising from the recent civil unrest have been complicated by existing governmental orders covering the novel coronavirus.  It will take patience by all parties and careful analysis to work through these claims.

© Copyright 2020 Squire Patton Boggs (US) LLP

For more on business interruption claims, see the National Law Review Insurance, Reinsurance and Surety law section.

Legislation Enabling Policyholders to Obtain Insurance Coverage for Coronavirus Claims is Constitutional Part 1

On top of its human toll, the coronavirus pandemic has had massive economic effects.  Stay-at-home orders, which remain in place in much of the United States, have resulted in massive layoffs, spiraling claims for unemployment compensation, and unprecedented federal aid.

Many businesses affected by the pandemic have turned to their insurers seeking “business interruption” coverage.  As its name suggests, this coverage typically reimburses the policyholder for costs incurred when the business is unable to open.  Insurers have denied policyholders’ pandemic-related claims, contending that they only have to cover business interruption that results from a “physical injury” and that the damage that results from infestation with the coronavirus or a governmental shutdown order does not constitute “physical injury.”  Insurers have also cited the exclusions in many of their policies that purport to bar coverage for virus-related injuries.

Legislative Responses to the Crisis

One response to the insurance industry’s position has been introduction of legislation voiding virus exclusions and/or defining physical injury to include coronavirus.  New Jersey, Massachusetts, Ohio, New York, Pennsylvania, and South Carolina are all considering such legislation.  The proposed bills generally provide that, notwithstanding any other law or policy language to the contrary, every insurance policy that insures against loss or damage to property which includes the loss of use and occupancy and business interruption shall be construed to include coverage for business interruption resulting from COVID-19.  The bills typically provide mechanisms for insurers to seek reimbursement from a state established and managed fund for losses paid related to COVID-19.

Insurance Industry Responses to the Proposed Legislation

Predictably, the insurance industry has objected to this legislation.  For example, in a recent interview, Evan Greenberg, CEO of Chubb, said in an interview on CNBC state governments can’t force insurance companies to cover incidents not included in the policy.  “You can’t just retroactively change a contract. That is plainly unconstitutional,” Greenberg told “Mad Money” host Jim Cramer.  See https://www.cnbc.com/2020/04/16/chubb-ceo-making-insurers-cover-pandemic-losses-is-unconstitutional.html.

Law firms that defend insurers have similarly argued that “This proposed legislation …., is unfair and is likely unconstitutional, as it appears to run afoul of the Contracts Clause of the Constitution.”   That Clause prohibits States from “pass[ing] any . . .  Law impairing the Obligation of Contracts . . . .”  U. S. Const., Art. I, Sec. 10.  The insurer lawyers contend that “the proposed legislation would substantially impair insurance policies, as [it] would operate to rewrite policies to cause them to cover a risk they do not currently cover.…”   While acknowledging that the Supreme Court has upheld state laws that impair contracts, so long as they are reasonably tailored to fulfill a legitimate interest, insurer counsel contend that such laws are still unconstitutional.  Counsel claim that the proposed laws do not fulfill a legitimate interest because they “arguably benefit[] only a narrow class of businesses; the public at-large is only an indirect beneficiary.”  Id.  And counsel assert that the proposed laws are not “appropriate and reasonable” because they “attempt[] to shift the responsibility of providing financial assistance to small businesses from the government to certain insurance companies. . . .” Id.

Why the Insurance Industry Is Wrong about the Contracts Clause

This analysis is simply mistaken.  The case law interpreting the Contracts Clause demonstrates that legislation designed to provide relief to policyholders is constitutional.

As discussed below, under the cases, courts have established a balancing test that weighs the extent to which the challenged legislation contravenes contractual expectations against the purpose of the legislation and the means used to achieve that purpose.  Under that test, the proposed legislation is constitutional.

Basic Principles

The range of state legislative actions that can affect contractual relationships is broad. For instance, a state statute may render a contract wholly illegal.  See Stone v. Mississippi, 101 U.S. 814, 819 (1879) (upholding state statute outlawing lottery against claim that it violated contract rights of lottery company).  Or a statute may directly change the term of a contract.  E.g., United States Trust Co. v. New Jersey, 431 U.S. 1, 3 (1977) (state law abrogated covenant in contract with holders of state bonds); Home Bldg. & Loan Ass’n v. Blaisdell, 290 U.S. 398, 416 (1934) (state law modified foreclosure provisions in mortgages).  Even a law that has nothing to do with either the express terms of the contract or its subject matter can affect the parties’ allocation of risk, such as a law that changes the statute of limitations for contract actions.  See J. Ely, Jr., Whatever Happened to the Contract Clause?, 4 Charleston L. Rev. 371, 377 & n.48 (2010) (discussing Contracts Clause cases involving statutes of limitations).

Yet, as the Supreme Court has made clear, “it is not every modification of a contractual promise that impairs the obligation of contract under federal law.”  City of El Paso v. Simmons, 379 U.S. 497, 506–07 (1965).  Even though the language of the Contracts Clause is  “facially absolute,” Energy Reserves Group v. Kansas Power & Light Co., 459 U.S. 400, 410 (1983), “the prohibition against impairing the obligation of contracts is not to be read literally,” Keystone Bituminous Coal Ass’n v. DeBenedictis, 480 U.S. at 502.  Rather, “[t]he States must possess broad power to adopt general regulatory measures without being concerned the private contracts will be impaired, or even destroyed, as a result.”  United States Trust Co. v. New Jersey, 431 U.S. at 22.  In other words, the ban on impairment of contracts “must be accommodated to the inherent police power of the State ‘to safeguard the vital interests of its people.’’’  Energy Reserves Group, 459 U.S. at 410, quoting Home Bldg. & Loan Ass’n v. Blaisdell, 290 U.S. at 434.

Though not specifically referenced in the Constitution, the “police power” gives state legislatures broad leeway to pass laws to protect the public health, safety, and welfare.  The classic case is Stone v. Mississippi, 101 U.S. 814 (1879).  There, a state statute outlawing lotteries was challenged by a company that had previously obtained a charter from the state to run a lottery.  Rejecting the challenge, the Court held that the state’s power to shield the public from the evils of gambling trumped the contract rights of the lottery company.  Id. at 819.  Over time, the definition of the police power expanded to include a wide variety of laws designed to protect the public.  See, e.g., Home Building & Loan Association v. Blaisdell, 290 U.S. 398, 444 (1934) (Great Depression “furnished a proper occasion for the exercise of the reserved power of the State to protect the vital interests of the community” by providing for mortgage relief for financially strapped homeowners); Manigault v. Springs, 199 U.S. 473, 480 (1905) (even if contract for sale of alcohol was permissible when made, state could later prohibit such sales without violating Contracts Clause).

As we’ll discuss in the next part of this post, since the New Deal, the Supreme Court has generally applied these principles to uphold state legislation against challenges brought under the Contracts Clause.  We’ll also discuss how these basic principles have been applied by lower courts in insurance coverage cases and why we think the proposed legislation passes muster under the Constitution.

© 2020 Gilbert LLP

ARTICLE BY Mark A. Packman of Gilbert LLP.
For more business policies & the coronavirus, see the National Law Review Insurance, Reinsurance, and Surety law section.

Department of Banking and Insurance Mandates Insurance Premium Refunds

On May 12, 2020, the New Jersey Department of Banking and Insurance issued Bulletin No. 20-22.  As a result of the COVID-19 pandemic and the resulting reduction in loss exposure for insurers, the Department has ordered insurers to make an initial premium refund or other adjustment for certain specified lines of insurance.  Premium refunds are required for the following types of insurance: (1) medical malpractice insurance; (2) commercial liability insurance; (3) commercial multiple-peril insurance; (4) workers compensation insurance; (5) commercial automobile insurance; (6) private passenger automobile insurance; and (7) any other line of coverage where the measures of risk have become substantially overstated as a result of the COVID-19 pandemic.

The premium refund may be provided as a premium credit, a reduction in premium, a return of premium, dividend, or other appropriate premium adjustment.  The premium refunds must be implemented “as quickly as practicable,” but in no event later than June 15, 2020.

Insurers may also provide additional premium relief to individual policyholders on a case-by-case basis for recent, current, and upcoming policy periods or any portion thereof.  Examples of reclassifications set forth in the Bulletin include, but are not limited to: (1) reclassifying a personal automobile exposure from “commute use” to “pleasure use”; (2) reclassifying a physician practice to part-time status; or (3) excluding payroll for employees who are being paid but not actively working.

Insurers are required to notify each affected policyholder no later than June 15, 2020 regarding the amount of the refund or adjustment.  In addition, insurers are required to provide an explanation of the basis for the adjustment, including a description of the policy period that was the basis of the premium refund and any changes to the classification or exposure basis of the affected policyholder.

While the across the board initial premium refunds referenced above will not require any action by individual policyholders, businesses and individuals should review their current and projected activities and reach out to their insurer to see if there is an opportunity for an additional “case-by-case” premium reduction.  For example, if a physician practice has reduced hours for its physicians so that all physicians are working part-time, this may provide the opportunity for a further reduction in medical malpractice premiums.

The text of the bulletin can be found here.

 

© 2020 Giordano, Halleran & Ciesla, P.C. All Rights Reserved
For more on COVID-19s effects on Insurance, see the Insurance Reinsurance and Surety section of the National Law Review

Wisconsin Supreme Court: “Retroactive Defense” Can Satisfy An Insurer’s Duty to Defend

The Wisconsin Supreme Court has issued numerous decisions over the past few years regarding an insurer’s duty to defend its insured under liability insurance. On February 13, 2020, the Court added Choinsky v. Germantown School District, Case No. 2018AP116, 2020 WI 13, where it clarified one of the four recognized procedures for insurance carriers to contest coverage while avoiding a breach of the duty to defend.  The four procedures are: (1) defend under a reservation of rights; (2) defend under a reservation of rights but seek a declaratory judgment on coverage; (3) enter into a nonwaiver agreement with the insured where the insurer preserves its right to contest coverage; and (4) file a motion to bifurcate and stay the liability determination until coverage is determined.  Choinsky addressed a wrinkle to option 4, where the insurer files the appropriate motions but the circuit court denies the stay.

In Choinsky, retirees of the Germantown School District brought a class action in 2013 after a District decision caused them to lose their long term care benefit.  The retirees alleged breach of contract, breach of implied contract, breach of the duty of good faith and fair dealing, and promissory estoppel.  The District tendered the defense to its insurer, which the insurer denied a week later.  Then, following option 4, the insurer promptly moved to intervene in the pending suit, to bifurcate the coverage and liability issues, and to stay a liability determination until coverage was decided.  Almost three months later, the circuit court granted the motion to intervene and bifurcate, but denied the motion to stay.  The insurer then agreed to retroactively defend from the date of tender until coverage was resolved.  As a result, the District had to defend itself on both coverage and liability for approximately five months and was later reimbursed only for its attorney fees on the liability defense.

After two motions by the insurer for summary judgment were denied, coverage was tried to a jury in April 2016.  The jury found that the District decision makers had acted negligently, and the circuit court accordingly determined that there was a duty to defend.  After the liability trial resulted in a jury verdict in favor of the District, the District moved again for attorney fees it incurred in proving coverage pursuant to Elliott v. Donahue, 169 Wis. 2d 310, 485 N.W.2d 403 (1992), and Newhouse v. Citizens Security Mutual Insurance Co., 176 Wis. 2d 824, 501 N.W.2d 1 (1993).  The circuit court denied that motion, reasoning that since the insurer had followed a judicially-sanctioned approach to the coverage determination, it could not be held liable for breach of contract.  The Court of Appeals affirmed.

The District argued to the Supreme Court that its insurer should be on the hook for the fees the District expended in proving coverage because the insurer initially refused to defend and cannot cure that choice by agreeing to defend six months later.  It further argued that there was a breach since the insurer didn’t start paying defense fees for almost one year after tender.  The Supreme Court held that the insurer had taken “timely” action when it responded to the tender within one week and when the insurer sought to intervene in the liability case.  The Court said that the time it took the circuit court to decide the motion for stay and then the denial of a stay caused the problem, and urged circuit courts to give these issues priority on their dockets.

The Court also concluded that any damage to the District for the insurer’s initial coverage denial was remedied by the insurer reimbursing for attorney fees retroactive to the date of tender, stating that in the situation presented “the insurer must defend its insured under a reservation of rights so that the insured does not have to pay to defend itself on liability and coverage at the same time.  Additionally, the insurer must reimburse its insured for reasonable attorney fees expended on a liability defense, retroactive to the date of tender.” 2020 WI 13, ¶ 19.

In his dissent, Justice Kelly criticized the majority: “I don’t agree, however, that an insurer can buy its way out of its breach of [the duty to defend] by reimbursing its insured for defense costs.” 2020 WI 13, ¶ 47.  He noted that the District did not receive a defense for over 5 months, and he called the retroactive payments a new concept that will incentivize insurers to refuse the duty defend between tender and resolution of coverage issues.  In doing so, the insurer “risks nothing doing so because, in the worst case, it simply pays for the defense it refused to provide.” 2020 WI 13, ¶ 56.

All coverage matters are fact-specific, and time will tell how prophetic Justice Kelly’s warning turns out to be.  The insurer in Choinsky acted in a timely fashion by responding within weeks of tender.  If an insurer takes a longer time to respond, a court might come to a different conclusion.  And while the Supreme Court again “encouraged” all circuit courts to decide motions to bifurcate and stay expeditiously, that is not always possible.  Some motions can, for one reason or another, take longer than in Choinsky and some types of claims really can’t be stayed. Environmental cases, for example, can be triggered by a “responsible party” letter from the Environmental Protection Agency or the Wisconsin Department of Natural Resources.  Johnson Controls, Inc. v. Employers Ins. of Wausau, 2003 WI 108, ¶ 92, 264 Wis. 2d 60, 665 N.W.2d 257.  It is difficult to imagine how an environmental investigation could be stayed while coverage is decided.

For now, under Choinsky it appears acceptable that an insured may be forced to defend itself on two fronts for five months– however there is no set rule and, as a result, could that mean that 10 or even 12 months is acceptable?  What if a dispute then arises over the reasonableness of fees and that dispute lasts a year and there is no payment for 24 months?  There is room to test the limits, but Choinsky suggests a safe harbor for insurers of at least a few months if insurers file “timely” bifurcation and stay motions.  Insureds should be aware of Choinsky and push to minimize the time they subject to simultaneously defending coverage and liability.

© 2020 Davis|Kuelthau, s.c. All Rights Reserved

Uber-Complicated: Insurance Gaps for Rideshare Vehicles Can Create Uncertainty for Passengers and Drivers

Many of us have come to enjoy the convenience of summoning a ride via our Smartphones with a rideshare service company such as Uber, Lyft, or Sidecar.  However, significant issues exist over whether rideshare vehicles have adequate insurance coverage to compensate people injured in accidents involving those vehicles.

If one is injured by a Greyhound bus, for example, there is little question that Greyhound likely would have adequate insurance to cover any injuries and likely would have sufficient resources to compensate the injured party even without insurance.

By contrast, if one is injured by a rideshare driver, there are several potential obstacles to securing adequate compensation.

First, the rideshare company may classify the driver as an independent contractor instead of an employee, meaning that the company will not accept responsibility for the driver’s actions.  Second, even if the rideshare company accepts responsibility, the company’s insurance may not provide coverage, as discussed below.  In that event, the injured party is left to rely on the driver’s insurance, which also may be inadequate and may even exclude coverage for rideshare-related accidents.

The independent contractor issue has been litigated in numerous states with different outcomes.  Uber currently is facing two class action lawsuits in California related to this issue: Ghazi v. Uber Technologies, Inc., et al., No. CGC-15-545532 (Superior Court of California, County of San Francisco) and O’Connor v. Uber Technologies, Inc., et al., No. CV-13-3826 (U.S. District Court for the Northern District of California).[1]

Even if rideshare companies accept responsibility for a driver’s conduct, the companies typically have provided only limited insurance for their drivers.  Specifically, rideshare companies typically have not provided coverage in the following two periods: (1) when the rideshare app is turned off, or (2) when the app is turned on but no passenger is in the vehicle.

But, a horrific accident involving an Uber vehicle helped to start changing this dynamic.  Uber was sued in 2014 in California after a driver struck and killed a child during period (2) above, when he had his app turned on but had not yet picked up a passenger.  The case is captioned Liu v. Uber Technologies Inc., et al., No. CGC-14-536979 (Superior Court of the State of California, County of San Francisco).

California and other states recently have started requiring rideshare companies to maintain some coverage for their drivers in period (2), but that coverage is limited.  The companies typically provide contingent liability coverage with $50,000 per person/$100,000 per accident bodily injury coverage, but this insurance typically pays only for losses not covered by the driver’s personal policy.

And, even when rideshare company coverage is in place, insurers have relied on certain insurance policy exclusions in an effort to avoid paying claims.  One insurer is currently making such arguments in the coverage dispute with Uber over the Liu settlement See Evanston Insurance Co. v. Uber Technologies, Inc., No. C15-03988 WHA (U.S. District Court for the Northern District of California).

If a rideshare company’s commercial insurance is inadequate to fully compensate an injured party, that person is left to rely on a driver’s personal insurance.  But the driver’s insurance may be of no help because personal auto policies often contain an exclusion (the “livery exclusion”) for accidents occurring during commercial use of the vehicle, such as when a driver is transporting a passenger for hire.

Recently, there has been some effort in the insurance industry to close the insurance gaps discussed above, particularly during period (2), when a rideshare driver is using a mobile app but has not yet picked up a passenger.

In March 2015, the National Association of Insurance Commissioners adopted a white paper on insurance coverage for rideshare companies titled “Transportation Network Company Insurance Principles for Legislators and Regulators.”  The paper recommends that rideshare companies provide full coverage for period (2) or that drivers purchase individual commercial coverage during that period.

Similar to California, legislatures in Colorado, Illinois, and Virginia have passed laws requiring rideshare companies to offer full insurance during period (2).

In addition, some insurance companies are offering products to rideshare drivers to protect them in the event that rideshare companies’ commercial insurance does not pay.  For example, Geico (in Maryland and Virginia) and Progressive (in Pennsylvania) are offering individual commercial insurance to rideshare drivers that has lower rates than most commercial insurance.  USAA (in Colorado and Texas) offers a commercial insurance policy to rideshare drivers for an extra $6 to $8 per month.  Erie Insurance (in Illinois and Indiana) has removed an exclusion from personal auto policies purchased with a “business use” designation such that rideshare drivers now may be covered.

Overall, many options are emerging to provide additional insurance coverage on rideshare vehicles for the benefit of passengers and other third parties at all stages of the transportation process – from the time a rideshare driver turns on the app through the transport of a passenger.  Passengers, drivers, and affected third parties should continue to monitor these developments to make sure they are adequately protected.

Article By Natalie A. Baughman of Gilbert LLP
© 2016 Gilbert LLP

[1] One consequence of the driver being classified as an independent contractor is that rideshare companies do not have to provide worker’s compensation insurance for a driver’s on-the-job injuries.  The Ghazi case addresses whether Uber drivers actually are employees and thus Uber must provide worker’s compensation insurance.

Cyber Liability: The Risks of Doing Business in a Digital World

Major security and data breaches have become more prevalent in the past decade. News headlines are dominated by stories of major corporations having networks hacked and subjecting employees’ and customers’ personal, financial and health information to cyber threats. Perhaps one of the following from 2014 will sound familiar:

  • January: Snapchat had the names and phone numbers of 4.5 million users compromised

  • February: Kickstarter had personal information from 5.6 million donors compromised

  • May: Ebay‘s database of 145 million customers was compromised.

  • September: iCloud had celebrity photostreams hacked

  • November: Sony Pictures had the highest profile hack of the year involving email accounts, video games and movie releases

While the news headlines make it is easy to think this is an issue for large, Fortune 500 companies, the risk is equally widespread, but much less publicized, for small businesses.

While the data breaches at small businesses do not garner the same attention as the data breaches occurring at Sony or iCloud, the impact to the organization and the liability the organization incurs are largely the same.

Although there are many studies available giving analytics on the types of data breaches that occur, those most common to small businesses can be described in three general categories: unintentional/miscellaneous errors, insider misuse and theft/loss.

Unintentional and miscellaneous errors are any mistake that compromises security by posting private data to a public site accidentally, sending information to the wrong recipients or failing to dispose of documents or assets securely. For example, have any of your employees ever accidentally sent an order (with account information) to the wrong email address?

Insider misuse is not a situation where an accidental error occurs. Rather, an employee or someone with access to the information intentionally accesses the data to use it for an unlawful purpose. For example, a disgruntled clerk in the billing department accesses customer information to obtain name, date of birth and bank account information in order to fraudulently establish a credit card in that customer’s name. Consider another scenario where a third party vendor, a benefits provider, for example, handles employee information. Once transmitted, the employer loses control over information security for that data. Savvy business owners will make sure their contracts with vendors make the vendor responsible for any data breach that occurs during the engagement and that it will indemnify the business for any actions arising from such a breach.

Data breaches also result from physical theft or loss of laptops, tablets, smart phones, USB drives or even printed documents. Consider a scenario where the Human Resource director is heading to a conference and her laptop is stolen at the airport. The laptop is not encrypted or pass coded and the thief can access all the employee files the director keeps on her computer.

In the past decade, laws have been aimed at narrowing the information that can initially be collected by businesses and with whom it can be shared, as well as mitigating the breach after it occurs.

Federal regulations like the Health Insurance Portability and Accountability Act (HIPAA) limit the collection and use of protected health information, and also has requirements for entities suffering a data breach, including customer notification and damage mitigation provisions, such as mandatory credit monitoring and fraud protection for affected customers.

The Personal Information Protect Act requires government agencies, corporations, universities, retail stores or other entities that handle nonpublic personal information to notify each Illinois resident who may be affected by a breach of data security. 815 ILCS 530/1 et seq. Personal information is defined as: an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:

  1. Social security number.

  2. Driver’s license number or State identification card number.

  3. Account number or credit card or debit card number, or an account number or credit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

The required notice to Illinois residents must include contact information for credit reporting agencies and the Federal Trade Commission, along with a statement that the individual can obtain information from those sources about fraud alerts and security freezes. 815 ILCS 530/10(a). If the data breached is data that the entity owns or licenses, the notice must be made without unreasonable delay. Id. If the data breached is data that the entity does not own or license, notice must be made immediately. 815 ILCS 530/10(b).

Failure to notify affected consumers is a violation of the Illinois Consumer Fraud and Deceptive Business Practices Act. 815 ILCS 530/20.

Technology is everywhere. Smart phones, tablets, laptops, the internet, online bill payments and the like have changed the way businesses operate. There is no denying that technology allows for efficient and effective commerce and communication. Unfortunately, the same technology that allows for faster and more efficient commerce and communication also subjects businesses to new forms of risk when it comes to data security.

There are risk management tools that all businesses should be aware of and using on a daily basis. Anti-virus software, passwords on all devices, frequent back up of data, encryption for sensitive information transmitted electronically are just a few.

What if a business owner takes all the steps necessary to reduce the risk of a data breach and it still occurs? There is a way to reduce damages and to shorten the recovery and restoration timeframes.

Cyber Liability insurance can protect businesses, large and small, from data breaches that result from malicious hacking or other non-malicious digital risks. This specific line of insurance was designed to insure consumers of technology services or products for liability and property losses that may result when a business engages in various electronic activities, such as selling on the internet or collecting data within its internal electronic network.

Most notably, cyber and privacy policies cover a business’ liability for data breaches in which the customer’s personal information (such as social security or credit card numbers) is exposed or stolen by a hacker.

As you might imagine, the cost of a data breach can be enormous. Costs arising from a data breach can include: forensic investigation, legal advice, costs associated with the mandatory notification of third parties, credit monitoring, public relations, losses to third parties, and the fines and penalties resulting from identity theft.

While most businesses are familiar with their commercial insurance policies providing general liability (CGL) coverage to protect the business from injury or property damage, most standard commercial line polices do not cover many of the cyber risks mentioned above. Furthermore, cyber and privacy insurance is often confused with technology errors and omissions (tech E&O) insurance. However, tech E&O coverage is intended to protect providers of technology products and services such as computer software and hardware manufacturers, website designers, and firms that store corporate data on an off-site basis. Cyber risks are more costly. The size and scope of the services a business provides will play a role in coverage needs and pricing, as will the number of customers, the presence on the internet, and the type of data collected and stored. Cyber Liability polices might include one or more of the following types of coverage:

  • Liability for security or privacy breaches (including the loss of confidential information by allowing or failing to prevent unauthorized access to computer systems).

  • The costs associated with a privacy breach, such as consumer notification, customer support and costs of providing credit monitoring services to affected customers.

  • Costs of data loss or destruction (such as restoring, updating or replacing business assets stored electronically).

  • Business interruption and extra expense related to a security or privacy breach.

  • Liability associated with libel, slander, copyright infringement, product disparagement or reputational damage to others when the allegations involve a business website, social media or print media.

  • Expenses related to cyber extortion or cyber terrorism.

Coverage for expenses related to regulatory compliance for billing errors, physician self-referral proceedings and Emergency Medical Treatment and Active Labor Act proceedings.

Article By Chrissie Peterson of Heyl, Royster, Voelker & Allen, P.C.
© 2015 Heyl, Royster, Voelker & Allen, P.C

While cyber liability insurance may not be right for all businesses, those that actively use technology to operate should consider the risks they would be exposed to if a data breach occurred. In addition, there are many different cyber policy exclusions and endorsements. Not all policies are created equal

While cyber liability insurance may not be right for all businesses, those that actively use technology to operate should consider the risks they would be exposed to if a data breach occurred. In addition, there are many different cyber policy exclusions and endorsements. Not all policies are created equal.

Responding to the Anthem Cyber Attack

Proskauer Rose LLP, Law Firm

Anthem Inc. (Anthem), the nation’s second-largest health insurer, revealed late on Wednesday, February 4 that it was the victim of a significant cyber attack. According to Anthem, the attack exposed personal information of approximately 80 million individuals, including those insured by related Anthem companies.Anthem has reported that the exposed information includes member names, member health ID and Social Security numbers, dates of birth, addresses, telephone numbers, email addresses and employment information. The investigation of the massive data breach is ongoing, and media outlets have reported that class action suits have already been filed against Anthem in California and Alabama, claiming that lax Anthem security measures contributed to this incident.

Employers, multiemployer health plans, and others responsible for employee health benefit programs should take note that theHealth Insurance Portability and Accountability Act (HIPAA) and state data breach notification laws may hold them responsible for ensuring that certain notifications are made related to the incident. The nature of these obligations will depend on whether the benefits offered through Anthem are provided under an insurance policy, and so are considered to be “fully insured,” or whether the Anthem benefits are provided under a “self-insured” arrangement, where Anthem does not insure the benefits, but instead administers the benefits. The most significant legal obligations on the part of employers, multiemployer health plans, and others responsible for employee health benefit programs will apply to Anthem benefits that are self-insured.

Where notifications must be made, the notifications may be due to former and present employees and their dependents, government agencies, and the media.  Where HIPAA applies, the notifications will need to be made “without unreasonable delay” and in any event no later than 60 days after the employer or other responsible party becomes aware that the breach has affected its own health plan participants. Where state data breach laws apply, notifications generally must be made in the most expedient time possible and without unreasonable delay, subject to certain permitted delays. Some state laws impose outside timeframes as short as 30 days. Under the state laws, reporting obligations on the part of employers, multiemployer health plans, and others responsible for employee health benefit programs will generally turn on whether they, or Anthem, “own” the breached data. Since the state laws apply to breaches of data of their residents, regardless of the states in which the compromised entities and data owners are located, and since former employees and dependents could reside anywhere, a comprehensive state law analysis is required to determine the legal requirements arising from this data breach. Fortunately, depending on the circumstances, some (but not all) state data breach notification laws defer to HIPAA breach notification procedures, and do not require additional action where HIPAA applies and is followed.

As potentially affected parties wait for confirmation from Anthem as to whether any of their employees, former employees or their covered dependents has had their data compromised, we recommend that affected parties work with their legal counsel to determine what their responsibilities, if any, might be to respond to this incident. Among other things, for self-insured arrangements, HIPAA business associate agreements and other contracts with Anthem should be reviewed to assess how data breaches are addressed, whether data ownership has been addressed by contract, and whether indemnification provisions may apply. Consideration should also be given to promptly reaching out to Anthem to clarify the extent to which Anthem will be addressing notification responsibilities. Once parties are in a position to make required notifications, we also recommend that companies consult with legal counsel to review the notifications and the distribution plans for those notifications to assure that applicable legal requirements have been satisfied.

ARTICLE BY

Roger A. Cohen
Paul M Hamburger
Kristen J. Mathews
Ellen H Moskowitz
Richard J Zall
OF
Proskauer Rose LLP

Data Analytics as a Risk Management Strategy

Risk-Management-Monitor-Com

In our increasingly competitive business environment, companies everywhere are looking for the next new thing to give them a competitive edge. But perhaps the next new thing is applying new techniques and capabilities to existing concepts such as risk management. The exponential growth of data as well as recent technologies and techniques for managing and analyzing data create more opportunities.

Computer Network Wires

Enterprise risk management can encompass so much more than merely making sure your business has purchased the right types and amounts of insurance. With the tools now available, businesses can quantify and model the risks they face to enable smarter mitigation strategies and better strategic decisions.

The discipline of risk management in general and the increasingly popular field of enterprise risk management have been around for years. But several recent trends and developments have increased the ability to execute on the concept of enterprise risk management.

First, the amount of data being produced everywhere has exploded and continues to accelerate. The typical executive today is swamped by data coming from all directions. Luckily, just as the raw amount of data has grown, the cost of the hardware to store data has decreased at an exponential rate. For example, in the last 10 years, retail hard-drive costs have dropped from about $1.20 per gigabyte (GB) in 2004 to about 4 cents per GB today. What’s more, the cost of hardware to store all that enterprise data is quickly becoming negligible.

But such huge amounts of data present a problem: Somebody has to manage and analyze it. All data is not equally important or relevant to the problems business executives need to solve or the risks they’re trying to manage. The explosion of data has created a greater amount of helpful and relevant data, but it can get lost in an even greater amount of useless, irrelevant, and distracting data. So an effective data management and analytics program is crucial to take advantage of the opportunities resident in the new flood of data.

One job of analytics is to sort the important from the unimportant and analyze and synthesize the data in new ways that create actionable information. Fortunately, the tools and techniques to manage large volumes of data have been progressing over the past several years. In particular, there has been a lot of buzz about big data. The field of big data has developed from a specific platform to manage large volumes of data into an entire ecosystem of related technologies. These tools are critical to the process of picking out the grains of useful intelligence from the vast quantities of distracting chaff that are characteristic of many big data sources.

Of course, all the recent technical developments and analytic techniques that make it possible to extract actionable information from a flood of data are all professionally exciting—if you’re an analyst. However, analytics for analytics’ sake does not help an organization. Often, analytics groups can remain isolated from the business itself. When such groups ultimately present what they have discovered, they may simply talk about the part most interesting to them—the analytics process—rather than focusing on the resulting information.

It is important to remember that actionable information is the ultimate goal of the entire exercise. The information must reach the decision makers in an understandable form when it is needed—the right information at the right place and at the right time. When designing information systems or even just presenting information to business executives, it is important for technical professionals to keep technical details to a minimum and focus on the actionable information. A feedback mechanism is critical. Users of the information must have a method to tell the creators of the information whether it was sufficient, correct, timely and understandable.

It’s been said that the three most important factors in real estate are location, location, and location. Similarly, the three most important factors in effective analytics are data, data, and data. Good data can sometimes make up for mediocre analytics, but even the best analytics will never produce anything useful from poor data.

Where should a business begin to leverage the new data and risk analytics? It has to start with the data itself. So start collecting and storing the data that’s available to you. Every business generates vast amounts every day. Collecting, managing, and analyzing internal data is necessary; but by looking outside the organization at social media, government data sources and third-party data vendors, a company can really begin to illuminate the environment in which it operates.

Managing data for analytics is a specialized field in its own right, and a topic for another day. But the business that can effectively leverage data and analytics to manage the risks it faces will be rewarded by seeing the future more clearly, making better decisions and ultimately being more successful than those companies that cannot.

Article authored by Phil Hatfield, modeling data services executive for ISO Insurance Programs and Analytic Services (IPAS), a Verisk Analytics (Nasdaq:VRSK) business.

ARTICLE BY

Risk Management Magazine
OF
Risk and Insurance Management Society, Inc. (RIMS)