Can You Hear Me Now? Tenth Circuit Rejects Coverage for Telephone Consumer Protection Act ClaimsA recent Tenth Circuit decision undercut policyholder arguments that Telephone Consumer Protection Act (TCPA) claims are insurable under a standard CGL policy. Policyholders should take note of this decision but should not assume that all TCPA claims are necessarily uncovered.

On February 21, the Tenth Circuit affirmed a finding of no coverage on appeal from the District of Colorado. In Ace American Insurance Company v. Dish Network, LLC, the Tenth Circuit held there was no duty to defend Dish in a lawsuit alleging various violations of state and federal laws relating to telemarketing phone calls. The court held that statutory damages and injunctive relief sought under the TCPA were uninsurable penalties instead of insurable “damages” under the relevant liabilities policies. The court also rejected Dish’s argument that the TCPA’s provisions governing actual monetary loss qualified as a remedial provision that could be insured under Colorado law. Finally, the court rejected Dish’s argument that the underlying claims for equitable relief could constitute insurable damages.

Policyholders should take note of this case for several reasons:

  1. Rising TCPA Claims. TCPA claims continue to gain popularity on court dockets across the country. Insurers will undoubtedly lean on this case as a basis for denial of coverage in similar cases. That said, TCPA policyholders should not simply assume that all hope is lost. For example, the Tenth Circuit’s decision relies heavily on aspects of Colorado law that may not be controlling in other jurisdictions.
  2. Claims for Equitable Relief May Still Trigger Duty To Defend. This case is a good reminder of the importance of a detailed analysis relating to the particular damage allegations in an underlying lawsuit when considering the duty to defend. The Tenth Circuit did not shut the door on the possibility of a duty to defend claim seeking equitable relief. Instead, the decision is limited to the particular allegations in the underlying complaint.
  3. TCPA Exclusions Becoming More Common. The court noted that several later policies contained specific exclusion endorsements for TCPA claims. Policyholders that may face TCPA allegations should consider whether their current liability policies contain such exclusions and, if so, whether additional coverage may be necessary to protect against such future allegations.
  4. Some Coverage Arguments Not Fully Addressed. Unfortunately, the Tenth Circuit did not reach some of the other interesting coverage questions that could have played a role. For example, I would have been interested to see the court’s analysis of whether “bodily injury” or “property damage” was alleged in the underlying litigation.

This case is not the death knell for coverage for TCPA defendants, but it may prove a hurdle even in jurisdictions beyond Colorado. Companies that face this risk should consider their current coverage portfolio, particularly with respect to any exclusions that may expressly or implicitly apply to TCPA claims. In the event of a claim, companies should analyze each case independently, including consideration of choice of law and the particular policy provisions and allegations at issue.

Increased FTC Enforcement Highlights Need for Cyber Regulatory CoverageRegulatory components to cyber insurance policies are becoming increasingly valuable as data-breach enforcement continues to surge. The Federal Trade Commission (FTC or Commission), the nation’s primary privacy and data security enforcer, has announced another record year of enforcement actions regarding consumer privacy. In 2017, the FTC brought nearly two hundred privacy and data security cases. Generally, getting hacked alone will not invite a lawsuit from the FTC, but failing to take corrective actions (resulting in a subsequent breach) could attract attention from regulators. To ensure enforcement, the Commission requires companies to take affirmative steps to remediate unlawful behavior. In addition, the FTC may impose civil, monetary penalties.

Recent FTC Enforcement Activities

Many well-known companies were targets of FTC investigations or enforcement actions in 2017, including Equifax, Lenovo, and VIZIO. Just last month, the FTC announced a settlement with electronic toymaker VTech, stemming from a data breach in 2015. VTech agreed to pay $650,000 to settle allegations that it violated the Children’s Online Privacy Protection Act, which generally requires websites and apps to obtain parental consent before collecting personal information from children under 13 years of age. The FTC alleged that VTech had collected personal information from children without providing the requisite notice or obtaining the parent’s consent. The Commission also claimed that VTech had failed to take reasonable steps to secure the data it had collected.

Coverage for Fines and Penalties

As the FTC continues to increase enforcement actions, regulatory components to cyber-insurance policies are becoming increasingly valuable. Cyber regulatory defense and penalties coverage is one of the rare types of insurance that may affirmatively cover fines and penalties.  For example, the AIG CyberEdge Security and Privacy Liability Insurance defines covered “Loss,” in part, as “civil fines or penalties imposed by a governmental agency and arising from a Regulatory Action, unless the civil fine or penalty is uninsurable under the law of the jurisdiction imposing such fine or penalty.” Other cyber policies provide coverage for “Penalties,” meaning “any civil fine or money penalty payable to a governmental entity that was imposed in a Regulatory Proceeding by the Federal Trade Commission . . . or any other federal, state, local or foreign governmental entity.” Like the AIG definition, these policies also caution that applicable state law may not allow for coverage, stating “the insurability of Penalties shall be in accordance with the law in the applicable venue that most favors coverage for such Penalties.” As with the insurability of punitive damages, there is no uniform view regarding whether fines and penalties can be insured, despite policy language expressly providing for such coverage. Insurers are likely to challenge coverage for fines and penalties that stem from intentional or willful conduct, claiming that loss is uninsurable based on public policy arguments.

Coverage for Defense and Investigative Costs

Cyber policies can also provide coverage for defense and investigative costs in connection with governmental investigations. Typically, the insurer will agree to pay attorneys’ fees, as well as other legal costs, excluding the insured’s internal costs, such as salary or overhead. Commonly, the insurer agrees to pay “Claims Expenses and Penalties in excess of the Retention, which the Insured shall become legally obligated to pay because of any Claim in the form of a Regulatory Proceeding.” Notably, FTC actions and investigations are included in traditional definitions of “Regulatory Proceeding.” Defense and investigation costs can add up quickly, making this portion of cyber coverage quite valuable.


Insurance for regulatory actions stemming from data breaches is readily available in the marketplace. While it remains unclear whether fines and penalties are insurable, as a matter of public policy, insurers are consistently providing coverage for defense and investigative costs in connection with cyber events. As the FTC continues to investigate data security and privacy issues, companies should continue to evaluate cyber-regulatory coverage as it can be a valuable part of business insurance portfolios.

2018 Allianz Risk Barometer Highlights Business Interruption and Cyber as Two Most Important Risks of New YearAllianz’s yearly survey of nearly 2,000 risk experts from 80 countries highlights business interruption and cyber incidents as the top two major threats for companies through 2018 and beyond. Forty-two percent of responses identified business interruption (BI) as the most important global risk because it can substantially impact revenues. So it is no surprise that BI has been highlighted as the most important risk for six years in a row. New for 2018, however, is that cyber incidents are the most feared BI trigger in the new year.

In addition to cyber incidents’ potential to trigger BI, risk experts identified cyber incidents generally as the second most important risk of 2018 (42 percent of responses). In particular, risk experts highlighted attacks on common internet infrastructure (with the potential to harm multiple companies at one time) as an increasing risk. These large‑scale attacks, such as the October 2016 Mirai Botnet attack on Dyn that brought down Twitter, SoundCloud, Spotify, Reddit and a host of other sites for hours, can substantially disrupt online operations and be used to extort multiple companies.

The Allianz report highlights what most policyholders already know: Cyber risk, whether in the form of business interruption, data‑breach liability, extortion, or otherwise, continues to expand at an almost breathtaking pace.

Every organization should survey the threat landscape to measure cyber exposure in six key risk areas:

  1. Business email compromise (BEC) scams
  2. Ransomware
  3. Distributed denial of service (DDoS)
  4. Data breach
  5. Theft of intellectual property
  6. Destruction or damage to computer systems

Surveying the cyber risk landscape is only the first step. For most organizations, the next step — cyber risk mitigation — includes purchasing cyber insurance. Due to the evolving nature of cyber insurance, and insurers’ differing tolerances for undertaking cyber risk, organizations must carefully assess proposed cyber insurance policies. Coverage grants vary and can include coverage for computer fraud and theft, cyber business interruption, cyber remediation, liability (including defense costs) resulting from a cyber event, regulatory costs, and PCI penalties.

  • Computer fraud and theft coverage pays for losses sustained as a result of unauthorized access to electronic systems or data.
  • Cyber business interruption coverage pays for losses resulting from a cyber event that prevents normal business operations, such as a DDoS attack that restricts web traffic or a ransomware event that shuts down servers, preventing potential customers from accessing the affected services.
  • Remediation coverage pays for response costs following a cyber event (investigation, public relations, customer notification, and credit monitoring).
  • Liability coverage pays defense and indemnity costs resulting from network security events (unauthorized access to systems causing injury to third parties), privacy events (exposure of confidential information), and media liability (advertising injury and copyright or trademark infringement).
  • Regulatory coverage pays defense and investigation costs for regulatory investigations and claims resulting from cyber events (or failure to properly handle a cyber event).
  • PCI coverage pays for liability to credit card issuers arising out of unauthorized disclosure of credit information (and, as noted above, generally requires proof of compliance with PCI standards).

For more information on mitigating your organization’s cyber risks through cyber insurance, our previous article, published by MISTI Infosec Insider, provides a more detailed overview of the factors to consider when managing a cyber‑insurance program.

Bradley Attorneys Highlight Cyber Insurance Risks to Consider When Acquiring a CompanyIn a recent article published by Mergers & Acquisitions, Bradley’s Policyholder Practice Group Leader Katherine Henry and policyholder coverage attorney Brendan Hogan explain some of the risks companies need to consider when considering potential merger and acquisition targets.

This article covers how companies can mitigate M&A risk by:

  • Reviewing key cyber risk management procedures the target company should have in place
  • Assessing the target company’s insurance assets and potential liability
  • Understanding specific cyber insurance coverage grants (data breach, fraud and theft, business interruption, and remediation) and the risks they help mitigate

Read the full article by visiting the Merger & Acquisitions website.

Fore! Fourth Circuit Affirms No Coverage for Hole-in-One PaymentsAs proof that almost anything can be insured, hole-in-one insurance is available on the market. Coverage is granted for payments or awards (cars, cruises, golf trips, cash, etc…) given and can be obtained for the right premium whether you’re protecting against the risk of an “ace” by a professional or a hacker at a charity scramble event. Of course, there are also limitations defined by the terms, conditions, and exclusions in the policy.

During the 2015 Greenbrier Classic in West Virginia, an annual PGA Tour event, Justin Thomas and George McNeill aced the 18th hole. The hole was playing 137 yards that day. The fans went particularly wild, largely because they took home approximately $200,000 from a tournament contest offering a cash prize to any spectator that witnessed a hole-in-one in person.

Those spectators might not have celebrated had they known their prize money would ultimately end up uninsured. At the end of 2017, the Fourth Circuit held there was no coverage for the payments made by Old White Charities because the policy required a longer hole — at least 170 yards (see All Risks v. Old White Charities).

The Fourth Circuit enforced that policy limitation under West Virginia law. Like other jurisdictions across the country, West Virginia enforces the plain language of the policy. The court also rejected arguments based on a shorter limitation (150 yards, so it wouldn’t have mattered anyway) in the policy application and Old White’s argument that it had a reasonable expectation of coverage despite the 170-yard minimum in the policy. Old White’s claims of negligence and fraud during the underwriting process also failed. In sum, the court saw no evidence that provided an exception to the plain language rule.

Two obvious takeaways here:

  1. Many golfers never get the chance to see a hole-in-one in person, but there is nothing unusual about a court upholding a clear policy exclusion or limitation. Even policyholders that do not know the difference between a birdie and a bogey should heed this case as a reminder: The language in the policy matters, even when the result may be harsh. Absent a way around it (an ambiguity caused by other language, waiver, misrepresentation in the application process), an exclusion can produce a tough result inconsistent with the policyholder’s expectations.
  2. This case is also a reminder about the need to manage risk even after insurance is in place. The best risk management programs account for the limitations in the company’s insurance portfolio. For example, some comprehensive property insurance programs contain limitations (e.g., no flood coverage for properties on a coast) on the location of scheduled properties purchased after the policy is bound. Failure to consider that limitation when a new property is acquired can lead to a significant uninsured loss.

I hated to see this result for Old White Charities and a golf tournament that I love to watch, particularly when the same tournament had to be cancelled due to the tragic flooding in that part of West Virginia in 2016. Here’s hoping the 2017 tournament was the start of a new stretch of good fortune for the Greenbrier Classic.

Insurance Purchasers Beware: Florida Court Finds No Duty to Defend Data Breach Claim Under CGL Personal & Advertising Injury CoverageOn November 17, 2017, a U.S. district court in Florida narrowly construed personal and advertising injury coverage for data-breach claims under a commercial general liability policy. In Innovak International, Inc., v. The Hanover Insurance Company, the court held that The Hanover Insurance Company (the insurer) has no duty to defend Innovak International, Inc. (the insured), against a putative class action arising from a data breach that compromised users’ personal private information (“PPI”).

The court narrowly construed the policy’s definition of “personal and advertising injury” that included “[o]ral or written publication in any manner of material that violates a person’s right of privacy.” Despite the absence of a requirement that the insured publish that material, the court held that the policy only extended coverage to publication by the insured.

The court held that “[t]he act that violates the claimants’ right of privacy is the publication of their PPI, and the Underlying Claimants have not alleged that Innovak directly or indirectly committed that act.” The court rejected Innovak’s arguments that the phrase “in any manner” includes both “direct publication of PPI and negligent failure to prevent third parties from obtaining the PPI.” Following a New York state court decision (Zurich American Insurance v. Sony Corporation of America), the Florida court construed the phrase “in any manner” to refer to the medium rather that the sender of the information.

The court also rejected Innovak’s argument that the putative class action complaint alleged that Innovak indirectly published the PPI. The court held that the complaint clearly alleged that Innovak failed to protect the users’ PPI by failing to implement sufficient data security measures – which is not an allegation of publication at all. The court distinguished a California case, Hartford Casualty Insurance Co. v. Corcino & Associates, et al., because that complaint alleged that the insured posted private information on a public website, and the court did not address the same legal issues.

Finally, the court made short shrift of Innovak’s argument that Hanover waived its defense by omitting it from its denial letter, because the particular defense was included within the letter.

This case serves as a reminder that organizations should not assume that their commercial general liability policies will cover losses from data breaches – even if the organization purchases a data breach enhancement, as Innovak did. The policy’s Data Breach Form provided only data breach services and paid only data breach expenses and expressly excluded “fees, costs, settlements, judgments or liability of any kind” arising out of a data breach. The lack of coverage under the Data Breach Form left Innovak with only the personal and advertising injury coverage, which, in this instance, did not extend to the putative class action against Innovak.

As often mentioned on this blog, prudent insureds should purchase dedicated cyber insurance coverage if at all possible. Smaller organizations may rely on coverage enhancements to their existing insurance programs but should recognize the risk of this strategy. Under either a traditional or specialized cyber insurance program, all insureds should scrutinize policy language to understand the scope of coverage and –more importantly – the limitations of that coverage for data breach and other cyber-related exposures.

webinarUpcoming Event - Policyholder Insurance Webinar Series: Is That Drone Insured?Bradley’s Policyholder Insurance Group is pleased to present “Is That Drone Insured?” as part of our ongoing Policyholder Insurance Webinar Series.

This webinar will discuss an overview of available drone insurance terms and conditions, recommended contract terms, and an insurance market assessment, including market capacity and pricing presented by Bradley attorneys Katherine J. Henry and Brendan W. Hogan with guest speaker Chris Proudlove of Global Aerospace.

When: Tuesday, December 12, 2017, 11:30AM – 12:30PM CST

Where: Webinar Registration

What: Businesses are hiring third-party drone operators to provide various services, including aerial photography and mapping, with many more uses developing daily. Some businesses are bypassing third-party operators and purchasing drones for their own use. Given the rapid pace of development of this technology, risks posed by drone operations may not be adequately insured by the third-party drone operator or may be uninsured by your company’s existing insurance portfolio, and governing contracts may not include adequate insurance requirements to protect your company.

We look forward to seeing you there!

$16 Billion Debt Cancellation Gives Breathing Space for National Flood Insurance ProgramThe Senate’s vote Tuesday to forgive $16 billion in debt owed by the National Flood Insurance Program gives a much-needed boost for NFIP as it faces large payouts from recent hurricanes. Packaged with other disaster aid appropriations, the bill now goes to President Trump, who is expected to sign.

NFIP has struggled to stay solvent in the face of multibillion-dollar flood insurance losses in recent years, including $16.3 billion from Hurricane Katrina and $8.6 billion from Superstorm Sandy. Prior to Hurricane Harvey, the program was already nearly $25 billion in debt to the U.S. Treasury, with a $30 billion dollar borrowing limit. Passage of H.R. 2266 allows the program to continue paying claims in the near term, but does not implement any long-term reforms to NFIP. Nor does it extend the life of the program, which is set to expire before the end of the year absent congressional re-authorization. But Tuesday’s 82-17 vote in the Senate suggests that there is strong bipartisan support to maintain the coverage provided by the program, with or without a long-term fix.

Trigger for Hurricane and Named Storm DeductiblesRecent damage from Hurricanes Harvey, Irma, and Maria have focused attention on special “named storm” and “hurricane” deductible endorsements found in most property insurance policies issued for coastal areas. Such endorsements typically convert the insured’s deductible from a fixed amount to a percentage of the property value, such as 1, 2, 5, or 10 percent, for damage caused by certain categories of storms. These percentages are usually taken from the insured value of the property, not merely the amount of damage, so when triggered the endorsement can result in a substantial increase in the out-of-pocket cost for the policyholder.

Several names are used for these endorsements. “Hurricane” deductibles generally apply when a storm has been designated a hurricane by the National Weather Service. “Named Storm” deductibles are broader and include declared tropical storms. “Windstorm” deductibles are the broadest of all and may apply to damage caused by almost any high wind weather event.

Circumstances triggering the deductible can vary significantly depending on the policy and state in which the insured property is located, so the individual policy language and state regulation must be reviewed to determine when the deductible applies. ISO Commercial Property Endorsement CP 03 25 (“Named Storm Percentage Deductible”), for example, provides that a “Named Storm” begins at the time the National Weather Service issues a watch or warning for the area in which the insured premises is located, and ends 72 hours after the termination of the last watch or warning issued for that area.

In some states, regulations have altered the circumstances for triggering the deductible by mandating the scope and duration of a “hurricane.” For example, Florida defines a “hurricane” for residential property insurance purposes as beginning at the time the National Weather Service issues a hurricane watch or warning for any part of Florida and ending 72 hours after the termination of the last hurricane watch or hurricane warning anywhere in the state. Because of the broad scope of this definition, policyholders in some areas may pay a “hurricane deductible” even though the insured property was never subjected to hurricane-force winds.

Where the insurer contends that a percentage deductible applies on account of a hurricane or tropical storm, policyholders should carefully review the policy language and insurance regulations in their state, as well as the actual conditions that caused property damage, to determine if there is an argument against the increased deductible.

The Professional Services Exclusion: You May Not Have the Coverage You ThinkCould you be providing “professional services” that might lead to liability excluded by your commercial general liability policy? The answer may be different than you think.

A recent unpublished Eleventh Circuit opinion provides a reminder that it is important to review your CGL policy and understand whether you are covered. The facts upon which the court relied in Witkin Design Group, Inc. v. Travelers Property Casualty Co. of America appear simple enough. An intersection traffic accident resulted in the death of a young boy. The resulting lawsuit included a negligence claim against the landscape architect who designed and constructed the intersection. The landscape company called on its CGL insurer to defend and indemnify it from the claim. You can imagine the company doing so with the thought that a liability claim had been brought and its general liability policy would provide coverage for that claim.

Like most CGL policies, however, this CGL policy contained a professional services exclusion that excluded coverage for claims “arising out of the rendering of or failure to render any ‘professional service’.” Professional services were defined by the policy as “any service requiring specialized skill or training.” The CGL policy said that professional services included:

a. Preparation, approval, provision of or failure to prepare, approve, or provide any map, shop drawing, opinion, report, survey, field order, change order, design, drawing, specification, recommendation, warning, permit application, payment request, manual or inspection;

b. Supervision, inspection, quality control, architectural, engineering or surveying activity or service, job site safety, construction contracting, construction administration, construction management, computer consulting or design, software development or programming service, or a selection of a contractor or subcontractor; or

c. Monitoring, testing, or sampling service necessary to perform any of the services included in a. or b. above.

But, these are merely non-exhaustive examples. The Eleventh Circuit was clear: “the professional service exclusion applies to any service requiring specialized skill or training.” Because the claim for which the landscape company sought coverage arose out of its design and construction of the intersection, which required specialized skill or training, the court found the professional liability exclusion applied, resulting in no coverage under the CGL policy.

The Eleventh Circuit’s opinion is not ground-breaking. Whether an insured’s conduct constitutes excluded “professional services” is a frequently litigated coverage question, which turns on policy language, the insured’s specific conduct, and applicable state law’s definition of professional services. Other recent examples of cases in which courts have found no coverage because of professional services exclusions include a claim against a home inspector alleging failure to discover insect and water damage; a claim against a real estate broker who failed to disclose an adverse property condition; a claim against a property manager for failing to properly supervise construction; and a claim against an insurance company for misrepresenting insurance policies.

Simply because a professional services claim is excluded by the CGL policy, however, does not always mean that the insured is left holding the bag without insurance coverage. Many companies purchase professional liability policies, which are errors and omissions policies intended to provide coverage for claims arising from the specific professional services in which the insured is engaged. It is critical to understand, however, that these policies may define “professional services” differently than the insured’s CGL policy, and care should be taken to ensure that your professional liability policy covers what your CGL policy may exclude.

So, while the Eleventh Circuit’s recent decision is not ground-breaking, it does provide a useful reminder to think about whether you have the liability coverage that you think you have.  We suggest that you consider the following questions, and discuss them with your broker or attorney if necessary:

  • Does my CGL policy have a “professional services” exclusion?
  • Am I engaged in conduct that could expose me to liability claims and that could be construed as a “professional service” as defined and excluded by the policy?
  • Do I need to purchase a professional liability policy to protect from those claims, and does that professional liability policy cover what the CGL policy excludes?

It is better to know the answers to these questions now, rather than find out after a claim has been filed that you don’t have the coverage you thought. After all, It Pays to be Covered.™