1. Assess the policies you have and reassess the policies you should buy in the future.
2020 has brought a host of unwelcome events: pandemics, fires, floods, cyberattacks, financial failures, etc. An insurance program tailored to the risks and business opportunities of your specific company can provide for recovery during dark times, and specialized insurance products can help you safely expand your business. It is time to consider how tailored your current program is, and how you can better align insurance assets to your business in the future.
2. Use indemnities and additional insured status to expand your insurance assets.
Everyday business for many companies involves the use of terms and conditions; sales or services orders; and leases that address indemnification, minimum insurance requirements, and additional insured status. A well-thought-out use of additional insured status can allow you to leverage the insurance assets and insurance premiums of counterparties.
3. Ensure that you get the full benefits of your liability and property insurances.
Insurance policies provide many coverages, policy limits, and extensions that may not be readily apparent, and all of which may provide substantial financial assistance in the event of a loss. In addition, specialized forms of insurance, additional riders, or policy wording upgrades can better tailor policies to your specific business attributes. Use the renewal season to explore your options.
4. Avoid “conventional wisdom” about what is or is not covered.
With insurance, words matter! In fact, the wording determines the outcome. Do not accept statements about what others think a policy does or should cover. For example, claims for intentional wrongdoing and punitive damages often are covered by liability policies. Likewise, losses from your supply chain may be covered under your property policies. Non-payments of debts and breaches of contractual promises are covered under various forms of policies. Let the words lead you to coverage.
5. Give notice once you know of a loss or claim.
Typically, notice should be given soon after a loss, claim, or lawsuit, but remember that a delay in giving notice will not necessarily result in the loss of coverage. Consider the potentially applicable insurance assets that may apply and give notice.
6. Insist your insurers fully investigate claims.
Insurers have a duty to investigate claims thoroughly and must look for facts that support coverage.
7. Watch what you say.
Communications with an insurer or an insurance broker regarding a lawsuit against you or a loss are not necessarily privileged.
8. Don’t take “no” for an answer.
A reservation of rights is almost always the start of the insurance claim process, and a denial should not dissuade you from pursuing your rights. Even if coverage is not obvious at first, it may be there, if you look in the right places.
9. Document, document, document your claim.
Whether it is a first-party loss or a liability suit against you, write to your insurer and document your submission of information and materials. Require your insurer to respond in writing and to explain its position. A well-documented chain of correspondence narrows disputes, helps to limit shifting of insurer positions, or helps to make such shifting very apparent if your claim proceeds to formal enforcement measures.
10. Insist that your insurers honor their duties.
In the liability context insurers frequently owe broad duties to defend with independent, conflict-free counsel, even if uncovered claims dominate the lawsuit against you. In property insurance contexts, insurers have duties to help you on an expedited emergency basis to protect your interests immediately after a loss. It is important to hold insurers to their duties to protect you immediately upon assertion of liability or after a loss—delay only benefits insurers.
The “WannaCry” and “NotPetya” computer viruses that infected computer systems around the world in 2017 sounded a wakeup call. They demonstrated the power of a cyber event to disrupt the core operations of numerous companies and other organizations. Now some fear that another unpleasant surprise related to the 2017 virus attacks may be on the horizon—this time from the insurance industry. A recent lawsuit alleges that an insurer denied coverage for losses arising out of the “NotPetya” virus based on an exclusion for “hostile and warlike actions.” A version of this war exclusion appears in virtually all insurance policies, including cyberinsurance policies, which are supposed to address cyber events like “WannaCry” and “Not Petya.”
The lawsuit is Mondelez International, Inv. v. Zurich American Insurance Company. Filed late last year in Illinois state court, the policyholder, a snack food and beverage maker, alleges that it suffered a nightmare cyber scenario. Two separate intrusions of the “NotPetya” virus at different locations “rendered permanently dysfunctional approximately 1700 of [the policyholder’s] servers and 24,000 laptops.” According to the complaint, the virus caused property damage, commercial supply disruptions, unfulfilled customer orders, reduced margins, and other covered losses aggregating well in excess of $100,000,000. Continue reading “Recent Lawsuit Highlights Need for Careful Review of Cyberinsurance Policies”
Businesses are increasingly purchasing dedicated cyber insurance policies to address their cyber and data security exposures. To date, however, many of the judicial decisions addressing insurance for cyber exposures have done so under other, more traditional, types of insurance policies such as commercial general liability (“CGL”) and commercial property policies. Some of these rulings have disappointed policyholders by concluding that such non-cyber insurance policies do not cover cyber exposures. But a recent decision by the United States Court of Appeals for the Fifth Circuit demonstrates that certain non-cyber policies potentially afford coverage for cyber exposures. In Spec’s Family Partners, Ltd. v Hanover Insurance Co., No. 17-20263, 2018 U.S. App. LEXIS 17246 (5th Cir. June 25, 2018), the court of appeals found that a contractual liability exclusion in a management liability policy did not excuse the insurer of its duty to defend its policyholder, a private company, against a claim arising out of a payment card data breach. Continue reading “Seeking Insurance Coverage for Data Breach Claims? A Recent Case Confirms that Certain D&O Policies Potentially Provide Coverage”
“Phishing” is a scheme in which criminals use spoofed e-mails, copycat websites, or other deceptive communications to trick unwitting companies or individuals into sharing valuable personal information or into wiring money to sham bank accounts. As these schemes become unfortunately more common and sophisticated, companies are increasingly turning to their insurance policies to cover their monetary losses. However, many businesses that have purchased crime insurance to cover this type of “computer fraud” may not realize that e-mail-based thefts are not always covered. Businesses may reasonably assume that coverage exists under a crime insurance policy covering computer fraud because the loss is computer related, but insurance companies will likely insist on proof of a direct causal relationship between the computer fraud and the loss of funds before providing coverage.
The American Tooling case is the most recent pronouncement from the courts on “computer fraud” coverage. On July 13, the United States Court of Appeals for the Sixth Circuit ruled in favor of the policyholder and reversed the Michigan district court’s grant of summary judgment to Travelers Casualty and Surety Company of America. Am. Tooling Ctr., Inc. v. Travelers Cas. & Sur. Co. of Am., No. 17-2014, 2018 WL 3404708, — F.3d. — (6th Cir. July 13, 2018). Continue reading “American Tooling and Medidata: The Latest Rulings on Coverage for Phishing Scams”
On June 28, 2018, California passed a historic privacy bill (AB 375) that mirrors some of the privacy obligations that recently came into effect in Europe under the General Data Protection Regulation (“GDPR”). The new California Consumer Privacy Act of 2018 (the “Act”) will go into effect on January 1, 2020. The new law requires greater transparency in information practices and gives individuals powerful new rights with respect to their personal information. Complying will be a challenge for many American businesses, in particular those that have not had to grapple with GDPR. Continue reading “California Corner: California Passes Historic Privacy Law: What to Consider Now to Reduce Future Financial Exposure”
The General Data Protection Regulation (“GDPR”) goes effective tomorrow. Companies are considering the consequences and attempting to determine whether they are compliant or how to get there, whatever “compliant” ultimately will be determined to mean as time progresses under GDPR. In considering the consequences of failure to comply, companies are, or should, also be thinking about whether they can transfer risk, including to insurance, and whether their current insurance policies will do the trick. Many companies now have cyber insurance, but cannot presume that their current cyber policy will protect against GDPR exposures. So, as we welcome in GDPR, the internal corporate conversation should include discussion of whether existing cyber policies are enough, or what needs to be done to fortify insurance protection against unknown future GDPR financial exposures.
As cybersecurity incidents continue to mount and as the issue of data security becomes increasingly important and a source of potential liability, companies should consider whether their standard commercial general liability (“CGL”) policies provide adequate coverage. The case law, although limited, suggests that policyholders might face an uphill battle in obtaining coverage.
In Innovak International, Inc. v. The Hanover Insurance Company, No. 8:16-cv-2453-MSS-JSS, — F. Supp. 3d —, 2017 WL 5632718 (M.D. Fla. Nov. 17, 2017), the Court found that the insurer was not required to provide a defense to the policyholder because the underlying complaint did not allege that the policyholder published the private data. Innovak develops and markets accounting and payroll software and maintains a database accessible via Internet portals. The complaint alleged that as a result of Innovak’s negligence, hackers were able to access class members’ personal information, including social security numbers, addresses, dates of birth, telephone numbers, employment information, and spousal information. The complaint included claims for negligence, breach of implied contract, gross negligence, unjust enrichment, and fraudulent suppression. The claimants alleged that they suffered psychic injuries including stress, nuisance, loss of sleep, worry, and the annoyance of dealing with the data breach. Continue reading “CGL Coverage for Cyber Data Breaches: Court Finds No Coverage unless the Policyholder Itself Publishes the Private Information”
In Part I of this two-part series, I identified first-party and third-party insurance claims that could result from a cyber event or attack on the Smart Grid. In this part, I examine how insurance policy language governs resolution of these claims and how to minimize gaps in coverage.
Examine Your Insurance Policies
Traditionally, third-party losses are covered by a company’s commercial general liability (“CGL”) policy. To qualify for coverage under a CGL policy, the policyholder typically must be confronted with a claim for “bodily injury” to another person or “physical injury to tangible property” (collectively known as “Coverage A”), or with a claim for “personal and advertising injury” (injury arising out of certain enumerated offenses such as malicious prosecution or invasion of privacy) (“Coverage B”). Various disputes have arisen as to whether cyber-related losses fit within these coverages. Continue reading “Be Smart about Insurance for the Smart Grid: Coverage for Losses from Cyber Events—Part II”
At the beginning of 2017, many publications predicted that ransomware would be one of the most significant cyber threats of the year. The year is not even half over and that prediction appears to be coming true.
On Friday, May 12, 2017, tens of thousands of organizations and companies across the world fell victim to a virulent form of ransomware known as “WannaCry.” The global event has been recognized as one of the largest cyberattacks ever. Continue reading “Ransomware and Cyberinsurance”