Ponzi Coverage: A Unique Twist from ConnecticutKostin v. Pacific Indemnity is a recent federal decision from Connecticut denying insurance coverage that should be of particular interest to those impacted by a Ponzi scheme. In a coverage dispute arising out of the Madoff scandal, the court rejected the policyholder’s argument that Madoff’s misuse of funds constituted “wrongful entry” into her bank account and denied coverage for her clawback liability to the bankruptcy trustee.

The case is particularly interesting because it involves homeowners’ insurance, not the commercial crime or liability (D&O and E&O) policies often considered in coverage cases relating to Ponzi schemes. The insured, Susan Kostin, sought recovery under her family’s “Masterpiece” homeowner’s primary and excess liability policies. Kostin and her family lost millions from an account established to manage family assets, including principal and expected profits. The coverage dispute related specifically to a $3.75 million withdrawal clawed back by the bankruptcy trustee, plus $799,000 in attorneys’ fees and litigation costs spent on fighting to keep that money.

The court invoked several standard rules of policy construction, ultimately leading to its decision against coverage. The central question was whether the claims against Kostin included claims for “personal injury,” defined by the policies to include a legal obligation resulting from “wrongful entry or eviction.” This is a standard definition of “personal injury” seen in many different types of liability coverage. Here, Kostin saw a window of opportunity and made a creative argument: Madoff’s Ponzi entries into the account ledger were wrongful, so there should be “wrongful entry” coverage for Kostin’s liability to the trustee.

In the end, the court based its coverage denial on its distinction between two types of “wrongful entry”: unauthorized intrusions versus fraudulent accounting ledger entries. While “unauthorized intrusions” into accounts might be covered, the court held “fraudulent accounting” entries would not be covered. In creating that distinction, the court focused on the fact that “wrongful entry” is coupled with the term “eviction” in the policy’s definition of “personal injury.” Kostin never alleged that Madoff was operating the account without authorization, so the court found no “wrongful entry.”

The decision was appealed to the Second Circuit. That result on appeal could be important and significant to other Ponzi victims seeking coverage under the personal liability provisions offered by some homeowners’ insurance policies.

Two takeaways here: First, do not assume that coverage is unavailable for clawback liability for Ponzi schemes, even if homeowners’ coverage is the only available policy. Second, keep in mind that the underlying allegations almost always drive the threshold liability coverage decision, particularly as to the duty to defend. For Kostin, the result might have been different if the alleged basis for her liability had instead been Madoff’s use of personal financial information to gain unauthorized access to her bank account. That type of allegation might qualify as “wrongful entry” under the trial court’s analysis.

FFIEC Highlights Importance of Cyber InsuranceThe Federal Financial Institutions Examination Council (FFIEC) issued a joint statement in April emphasizing the need for companies in the financial sector to include cyber insurance in their risk management program. Although the FFIEC did not announce new regulatory requirements or expectations, the announcement is further evidence of what most businesses have already recognized: Cyber coverage is quickly becoming indispensable.

Among the points highlighted by the FFIEC:

  • Institutions face a variety of risks from cyber incidents, including risks resulting from fraud, data loss, and disruption of service.
  • Traditional insurance coverage may not cover cyber risk exposures.
  • Cyber insurance can be an effective tool for mitigating risk.
  • Insurance does not remove the need for an effective system of controls as the primary defense to cyber threats.
  • The cyber insurance marketplace is growing and evolving, requiring due diligence to determine what insurance products will meet an organization’s needs.

Although not specifically mentioned in the FFIEC statement, businesses should be aware that cyber coverage can be an important source of mitigating regulatory risk associated with data breaches – if the organization purchases a policy that provides regulatory coverage. Today, there are a number of insurers offering products that reimburse costs for investigating and responding to a regulatory investigation or enforcement proceeding, as well as provide coverage for administrative penalties. Given amplified scrutiny from regulators in the area of data security, the importance of such coverage continues to increase. With a rapidly changing market, institutions should carefully review policies to be sure that the scope and limitations of coverage match their exposure.

 

Republished with permission. This blog post was modified for the It Pays to Be Covered blog. The blog post originally appeared on Bradley’s Financial Services Perspectives blog on April 17, 2018.

webinarUpcoming Event - Policyholder Insurance Webinar Series: Is That Drone Insured?Bradley’s Policyholder Insurance group is pleased to present “Enterprise Risk Management: What In-House Counsel Need to Know” as part of our ongoing Litigation Lunch & Learn series.

This onsite event will discuss an overview of enterprise risk management presented by guest speaker Matthew Lusco of Regions Financial and Bradley attorneys Katherine J. Henry and Emily M. Ruzic.

When:  Wednesday, May 16, 2018
11:30AM – 12:00PM CDT (Lunch and Registrations)
12:00PM – 1:00PM CDT (Presentation)

Where:  Bradley Arant Boult Cummings LLP, 1819 5th Avenue North, Suite 200, Birmingham, AL 35203

What:  Enterprise risk management provides a framework for managing risks across all sectors of an organization. This entity-wide approach to risk management depends on cooperation between an organization’s risk management and legal departments. Join us as we discuss enterprise risk management with Matthew Lusco, Senior Executive Vice President and Chief Risk Officer of Regions Financial. This one-hour program will offer insight into effective enterprise-risk-management strategies with a focus on in-house counsel’s contribution to an organization’s enterprise risk management program.

To register for the event, please RSVP by May 9th, 2018.

We look forward to seeing you there!

With the potential addition of autonomous cars and trucks to commercial fleets, commercial insureds should reassess coverage under their commercial auto, products liability, and cyber insurance policies. Automation, particularly the move toward fully autonomous vehicles, raises new coverage questions with new risk exposures for insureds and new opportunities for insurers.

This post is the first in a series examining potential coverage issues under different lines of coverage. We begin here with commercial auto insurance policies. Future posts will examine products liability and cyber insurance policies.

ISO Commercial Auto Form

Many commercial insureds’ auto policies incorporate the Business Auto Coverage Form (CA 00 01 10 13) (“Commercial Auto Form”) promulgated by the Insurance Services Office, Inc. (ISO).  The Commercial Auto Form provides coverage for “bodily injury” and “property damage” caused by an “accident” and “resulting from the ownership, maintenance or use of a covered ‘auto.’”  Although numerous cases have interpreted the scope of this coverage in cases involving vehicles other than cars and trucks, such as in accidents involving mopeds, 4x4s, riding lawnmowers, and other vehicles, courts have not yet determined whether this coverage extends to accidents involving autonomous vehicles.

Autonomous Vehicle Classifications

In a sense, today’s cars and trucks all offer some autonomous features. Some features, such as cruise control or self-parking, can operate independently once engaged by a driver. Only highly automated and fully automated vehicles can operate without driver control, however.

In its current operating guidance for autonomous vehicles — Automated Driving Systems 2.0:  A VISION FOR SAFETY, released in September 2017 (Voluntary Guidance) — the U.S. Department of Transportation’s National Highway Traffic Safety Administration (NHTSA) categorized autonomous vehicles using the International Society of Automotive Engineers’ (SAE) classification of autonomous vehicles levels between Level 0 and Level 5:

SAE Automation Levels
Source: NHTSA, Automated Driving Systems 2.0: A Vision for Safety.

NHTSA’s Voluntary Guidance describe vehicles that incorporate SAE automation Levels 3 through 5 as “Automated Driving Systems” (ADSs). Level 3 Conditional Automation ADSs require drivers to monitor and take control when necessary. Level 4 High Automation vehicles can be driven by a human, but are self-driving and do not require a driver. Level 5 Full Automation vehicles can perform all driving functions under all conditions. Level 5 vehicles include those vehicles with driver controls, as well as vehicles without driver controls, for example vehicles that lack a steering wheel or pedals. Level 5 vehicles without driver controls could incorporate seating spaces designed for conversation or work spaces with tables – but not controls that permit human occupants to assume any driving function. Let’s call these Level 5 vehicles “Personal Mobility Units” or “Level 52” (Level 5 Squared) vehicles.

Are Personal Mobility Units Considered “Autos” under the Business Auto Coverage Form?

ISO’s Commercial Auto Coverage Form identifies “autos” by numerical symbols 1-9, and 19.  Each insurance policy’s declarations page will identify the insured “autos” using those symbols.

Symbol 1 includes “Any ‘auto’” while symbols 2-9 narrow the definition of “auto” to exclude certain categories. ISO also offers the Covered Auto Designation Symbol endorsement (CA 99 54 10 13), which allows insurers to designate Symbol 10 “autos” to meet their insureds’ specific needs.

Is a Level 52 vehicle a Symbol 1 auto (“Any ‘auto’”)?  That depends on the definition of “auto.”  The Commercial Auto Form defines an auto as “a land motor vehicle” or “any other land vehicle” governed by state insurance law:

“Auto” means:

  1. A land motor vehicle, “trailer” or semitrailer designed for travel on public roads; or
  2. Any other land vehicle that is subject to a compulsory or financial responsibility law or other motor vehicle insurance law where it is licensed or principally garaged.

But “auto” does not include “mobile equipment.” CA 00 01 10 13, Section V –Definitions B (page 10 of 12).

Turning to part 1 of the “auto” definition, is a Personal Mobility Unit a “land motor vehicle?”

Of course, no court has considered this question. Those courts that have construed this definition in other contexts have considered whether the vehicle included customarily required features, whether the vehicle “resembled” a vehicle designed for use on public roads, and whether the vehicle was required to be registered by state law.

So, a construction vehicle known as a “Georgia Buggy” was not an “auto” because it: (1) did not resemble an auto; (2) was operated from a platform using “hand controls affixed to bicycle­-like handlebars;” (3) lacked key components, such as a steering wheel, a windshield, a separated driving compartment, lights, turn signals, and mirrors; and (4) was not required to be registered by the state. Harlan v. United Fire and Casualty Company, 208 F. Supp. 3d 1168, 1172‑73 (D. Kan. 2016), appeal dismissed, No. 16-3310, 2017 WL 4863142 (10th Cir. Jan. 13, 2017).

A photograph submitted during the litigation surely shows that the buggy was not an auto:

Georgia Buggy Exhibit
Georgia Buggy Exhibit

Of course, a Level 52 vehicle might not “resemble an auto,” would not have any type of hand controls, and would lack some (but not all) key components, such as a steering wheel.

A crop sprayer that collided with a motorcycle was considered an “auto” under the same policy language because it was subject to compulsory insurance and financial responsibility laws, had four wheels, was self-propelled, had headlights, taillights, turn signal, and “other components similar to road‑ready vehicles.” Berkley Regional Specialty Ins. Co. v. Dowling Spray Service, 864 N.W.2d 505, 508 (S.D. 2015). Under this reasoning, a Personal Mobility Unit is an “auto.”

Turning to part 2 of the “auto” definition, is a Personal Mobility Unit “subject to a compulsory or financial responsibility law or other motor vehicle insurance law? Is it licensed? Is it “principally garaged” in any state?

All ADSs are self-propelled and, like other self-propelled vehicles, will be subject to compulsory insurance or financial laws in most states (with certain exceptions). For example, in Delaware, motor vehicles include all “self-propelled” vehicles except farm tractors, elective personal assistive mobility devices (electric two-wheeled vehicles for one person, limited to 15 miles per hour or less), and off‑highway vehicles. Del. Code Ann. tit. 21, § 101. In Michigan, industrial equipment, electric personal assistive mobility devices, electric patrol vehicles, electric carriages, and commercial quadricycles are not “motor vehicles.” Mich. Comp. Laws § 257.33. In California, self‑propelled wheelchairs, motorized tricycles, and motorized quadricycles are not motor vehicles if operated by a person who, by reason of physical disability, is otherwise unable to move about as a pedestrian. Cal. Veh. Code § 415. Under these and other regulatory regimes, all ADSs should be subject to existing compulsory insurance or financial laws in most states (pending any change in regulatory regimes to accommodate ADSs).

No state excludes autonomous vehicles from registration. An auto is generally licensed in the state where it is registered. At the time of registration, the state will issue the appropriate number of license plates, which the owner or registrant is then required to display. See, e.g., Cal. Veh. Code § 6700. A tractor-trailer that displayed Nebraska insurance plates was indisputably licensed in Nebraska, despite being registered in multiple locations under the International Registration Plan.  See Berg. v. Liberty Mut. Ins. Co., 319 F.Supp.2d 933, 938 (N.D. Iowa 2004). Thus, the proper question is not whether an ADS is licensed, but rather whether it is required to be registered, and if so, it will likely be licensed as well.

What about the location of a Personal Mobility Unit? A vehicle is generally “principally garaged” in the physical location where it is kept most of the time. A vehicle that is kept in a single location for four months was “principally garaged” in that location even though the owner did not intend to reside there permanently. Chalef v. Ryerson, 277 N.J. Super. 22, 28, 648 A.2d 1139, 1142 (App. Div. 1994). A vehicle was not “principally garaged” in Michigan because it was not kept in Michigan “most of the time.” Frasca v. United States, 702 F. Supp. 715, 718 (C.D. Ill. 1989). But a rental truck leased for a three-day period was “principally garaged” in Virginia, not Maryland where it was licensed and registered, because the leasee kept the truck at its Virginia facility during the lease period. Hall v. Travelers Cas. Ins. Co. of Am., No. 1:16-CV-00173 (GBL), 2016 WL 5420571, at *5 (E.D. Va. Sept. 27, 2016). If the manufacturer owns the autonomous vehicle and leases it to different individuals in different states, where will that vehicle be principally garaged, and will it be subject to a compulsory or financial responsibility law or other motor vehicle insurance law in that state?

Finally, “auto” excludes “mobile equipment.” “Mobile equipment” encompasses an array of land vehicles, from bulldozers to power cranes to air compressors to any vehicle “maintained primarily for purposes other than the transportation of persons or cargo.” By definition, any autonomous vehicle, including a Personal Mobility Unit, is used to transport people and cargo and therefore will not constitute “mobile equipment.” In addition, the Commercial Auto Coverage Form excludes from the definition of “mobile equipment” those “land vehicles that are subject to a compulsory or financial responsibility law or other motor vehicle insurance law where it is licensed or principally garaged.” Those land vehicles are “autos.” As discussed above, autonomous vehicles, including Level 52 vehicles, will likely satisfy this exception to the definition of “mobile equipment” and will be considered “autos.”

Does Teleoperation Affect Coverage?

As of April 2018, California mandates a remote operator for autonomous vehicles testing on public roads without drivers. Cal. Code Reg. § 227.38. Remote operators must: (1) have the appropriate driver’s license for the type of autonomous vehicle; (2) not be seated in the driver’s seat of the vehicle; (3) engage and monitor the autonomous vehicle; and (4) be able to communicate with occupants in the vehicle by a communication link. The remote operator may also have the ability to “perform the dynamic driving task for the vehicle or cause the vehicle to achieve a minimal risk condition.”  Cal. Code. Reg. § 227.02(n).

At least one company will offer that remote control to assist with the testing and development of autonomous vehicles. Phantom Auto states that it provides a remote driver seated in a control room who can operate the vehicle remotely (described as “teleoperation”). Phantom Auto describes its services as “a teleoperation-as-a-service safety solution for all autonomous vehicles that includes an API [application program interface] for real time assistance and guidance, an in-vehicle low latency communication device, and a remote operator service.”  Phantom Auto enables a remote human operator to operate an autonomous vehicle when it encounters a scenario that it cannot handle on its own, allowing for optimally safe testing and deployment of autonomous vehicles.

The ISO Commercial Auto Form covers accidents “resulting from the ownership, maintenance or use of a covered ‘auto.’” Will insurers contend that an error in teleoperation does not “result from” the “ownership, maintenance or use of a covered ‘auto’” but instead “results from” remote operator negligence? Will they argue that other insurance policies should respond instead of a commercial auto policy?

We don’t yet know the answers to these questions, but insureds testing autonomous vehicles can determine the proper allocation of liability for remote operator error and tailor their policy language to address any liability. If teleoperation survives beyond the testing phase, all insureds using this service will need to assess the parties’ risk allocation and coverage options.

What about Exclusions?

As with the commercial liability policy, ISO’s Commercial Auto Form excludes coverage for “Expected or Intended Injury,” which it defines as “‘Bodily injury’ or ‘property damage’ expected or intended from the standpoint of the ‘insured.’” If the insured cannot operate the vehicle, can any circumstance arise that could arguably trigger this exclusion? At least from an operational standpoint, an insured could not expect or intend injury if the insured cannot operate the Personal Mobility Unit. Will insurers seize on allegedly defective maintenance rather than negligent operation to trigger this exclusion? Will they remove the exclusion as no longer applicable in an autonomous vehicle world? Only time will tell, but insureds and insurers alike should consider the impact of this exclusion.

What about Premium?

In February 2015, NHTSA reported that 94% of auto accidents are caused by human error.    Pundits predict that the frequency and severity of accidents will dramatically decline as autonomous vehicles become more prevalent (despite a messy intervening period when human drivers and partial and fully autonomous vehicles share the road). As frequency and severity falls, so does risk, thus potentially impacting premium. The complexity of autonomous vehicles may impact premium in the other direction, as early model autonomous vehicles will likely be extremely expensive to repair and replace. Insurers are no doubt (or should be) assessing autonomous vehicle’s potential impact on auto premium.

Where Next? Products Liability Insurance? Cyber Insurance?

Even as auto accident frequency and severity declines with increased automation, and premium eventually drops as repair costs normalize, commercial auto insurers may need to turn to other lines of coverage, such as products liability and cyber coverage, for revenue streams, and insureds may need to turn to these same policies for coverage for autonomous vehicles. We will discuss those policies in subsequent posts with a focus on Level 52 vehicles.

Can You Hear Me Now? Tenth Circuit Rejects Coverage for Telephone Consumer Protection Act ClaimsA recent Tenth Circuit decision undercut policyholder arguments that Telephone Consumer Protection Act (TCPA) claims are insurable under a standard CGL policy. Policyholders should take note of this decision but should not assume that all TCPA claims are necessarily uncovered.

On February 21, the Tenth Circuit affirmed a finding of no coverage on appeal from the District of Colorado. In Ace American Insurance Company v. Dish Network, LLC, the Tenth Circuit held there was no duty to defend Dish in a lawsuit alleging various violations of state and federal laws relating to telemarketing phone calls. The court held that statutory damages and injunctive relief sought under the TCPA were uninsurable penalties instead of insurable “damages” under the relevant liabilities policies. The court also rejected Dish’s argument that the TCPA’s provisions governing actual monetary loss qualified as a remedial provision that could be insured under Colorado law. Finally, the court rejected Dish’s argument that the underlying claims for equitable relief could constitute insurable damages.

Policyholders should take note of this case for several reasons:

  1. Rising TCPA Claims. TCPA claims continue to gain popularity on court dockets across the country. Insurers will undoubtedly lean on this case as a basis for denial of coverage in similar cases. That said, TCPA policyholders should not simply assume that all hope is lost. For example, the Tenth Circuit’s decision relies heavily on aspects of Colorado law that may not be controlling in other jurisdictions.
  2. Claims for Equitable Relief May Still Trigger Duty To Defend. This case is a good reminder of the importance of a detailed analysis relating to the particular damage allegations in an underlying lawsuit when considering the duty to defend. The Tenth Circuit did not shut the door on the possibility of a duty to defend claim seeking equitable relief. Instead, the decision is limited to the particular allegations in the underlying complaint.
  3. TCPA Exclusions Becoming More Common. The court noted that several later policies contained specific exclusion endorsements for TCPA claims. Policyholders that may face TCPA allegations should consider whether their current liability policies contain such exclusions and, if so, whether additional coverage may be necessary to protect against such future allegations.
  4. Some Coverage Arguments Not Fully Addressed. Unfortunately, the Tenth Circuit did not reach some of the other interesting coverage questions that could have played a role. For example, I would have been interested to see the court’s analysis of whether “bodily injury” or “property damage” was alleged in the underlying litigation.

This case is not the death knell for coverage for TCPA defendants, but it may prove a hurdle even in jurisdictions beyond Colorado. Companies that face this risk should consider their current coverage portfolio, particularly with respect to any exclusions that may expressly or implicitly apply to TCPA claims. In the event of a claim, companies should analyze each case independently, including consideration of choice of law and the particular policy provisions and allegations at issue.

Increased FTC Enforcement Highlights Need for Cyber Regulatory CoverageRegulatory components to cyber insurance policies are becoming increasingly valuable as data-breach enforcement continues to surge. The Federal Trade Commission (FTC or Commission), the nation’s primary privacy and data security enforcer, has announced another record year of enforcement actions regarding consumer privacy. In 2017, the FTC brought nearly two hundred privacy and data security cases. Generally, getting hacked alone will not invite a lawsuit from the FTC, but failing to take corrective actions (resulting in a subsequent breach) could attract attention from regulators. To ensure enforcement, the Commission requires companies to take affirmative steps to remediate unlawful behavior. In addition, the FTC may impose civil, monetary penalties.

Recent FTC Enforcement Activities

Many well-known companies were targets of FTC investigations or enforcement actions in 2017, including Equifax, Lenovo, and VIZIO. Just last month, the FTC announced a settlement with electronic toymaker VTech, stemming from a data breach in 2015. VTech agreed to pay $650,000 to settle allegations that it violated the Children’s Online Privacy Protection Act, which generally requires websites and apps to obtain parental consent before collecting personal information from children under 13 years of age. The FTC alleged that VTech had collected personal information from children without providing the requisite notice or obtaining the parent’s consent. The Commission also claimed that VTech had failed to take reasonable steps to secure the data it had collected.

Coverage for Fines and Penalties

As the FTC continues to increase enforcement actions, regulatory components to cyber-insurance policies are becoming increasingly valuable. Cyber regulatory defense and penalties coverage is one of the rare types of insurance that may affirmatively cover fines and penalties.  For example, the AIG CyberEdge Security and Privacy Liability Insurance defines covered “Loss,” in part, as “civil fines or penalties imposed by a governmental agency and arising from a Regulatory Action, unless the civil fine or penalty is uninsurable under the law of the jurisdiction imposing such fine or penalty.” Other cyber policies provide coverage for “Penalties,” meaning “any civil fine or money penalty payable to a governmental entity that was imposed in a Regulatory Proceeding by the Federal Trade Commission . . . or any other federal, state, local or foreign governmental entity.” Like the AIG definition, these policies also caution that applicable state law may not allow for coverage, stating “the insurability of Penalties shall be in accordance with the law in the applicable venue that most favors coverage for such Penalties.” As with the insurability of punitive damages, there is no uniform view regarding whether fines and penalties can be insured, despite policy language expressly providing for such coverage. Insurers are likely to challenge coverage for fines and penalties that stem from intentional or willful conduct, claiming that loss is uninsurable based on public policy arguments.

Coverage for Defense and Investigative Costs

Cyber policies can also provide coverage for defense and investigative costs in connection with governmental investigations. Typically, the insurer will agree to pay attorneys’ fees, as well as other legal costs, excluding the insured’s internal costs, such as salary or overhead. Commonly, the insurer agrees to pay “Claims Expenses and Penalties in excess of the Retention, which the Insured shall become legally obligated to pay because of any Claim in the form of a Regulatory Proceeding.” Notably, FTC actions and investigations are included in traditional definitions of “Regulatory Proceeding.” Defense and investigation costs can add up quickly, making this portion of cyber coverage quite valuable.

Conclusion

Insurance for regulatory actions stemming from data breaches is readily available in the marketplace. While it remains unclear whether fines and penalties are insurable, as a matter of public policy, insurers are consistently providing coverage for defense and investigative costs in connection with cyber events. As the FTC continues to investigate data security and privacy issues, companies should continue to evaluate cyber-regulatory coverage as it can be a valuable part of business insurance portfolios.

2018 Allianz Risk Barometer Highlights Business Interruption and Cyber as Two Most Important Risks of New YearAllianz’s yearly survey of nearly 2,000 risk experts from 80 countries highlights business interruption and cyber incidents as the top two major threats for companies through 2018 and beyond. Forty-two percent of responses identified business interruption (BI) as the most important global risk because it can substantially impact revenues. So it is no surprise that BI has been highlighted as the most important risk for six years in a row. New for 2018, however, is that cyber incidents are the most feared BI trigger in the new year.

In addition to cyber incidents’ potential to trigger BI, risk experts identified cyber incidents generally as the second most important risk of 2018 (42 percent of responses). In particular, risk experts highlighted attacks on common internet infrastructure (with the potential to harm multiple companies at one time) as an increasing risk. These large‑scale attacks, such as the October 2016 Mirai Botnet attack on Dyn that brought down Twitter, SoundCloud, Spotify, Reddit and a host of other sites for hours, can substantially disrupt online operations and be used to extort multiple companies.

The Allianz report highlights what most policyholders already know: Cyber risk, whether in the form of business interruption, data‑breach liability, extortion, or otherwise, continues to expand at an almost breathtaking pace.

Every organization should survey the threat landscape to measure cyber exposure in six key risk areas:

  1. Business email compromise (BEC) scams
  2. Ransomware
  3. Distributed denial of service (DDoS)
  4. Data breach
  5. Theft of intellectual property
  6. Destruction or damage to computer systems

Surveying the cyber risk landscape is only the first step. For most organizations, the next step — cyber risk mitigation — includes purchasing cyber insurance. Due to the evolving nature of cyber insurance, and insurers’ differing tolerances for undertaking cyber risk, organizations must carefully assess proposed cyber insurance policies. Coverage grants vary and can include coverage for computer fraud and theft, cyber business interruption, cyber remediation, liability (including defense costs) resulting from a cyber event, regulatory costs, and PCI penalties.

  • Computer fraud and theft coverage pays for losses sustained as a result of unauthorized access to electronic systems or data.
  • Cyber business interruption coverage pays for losses resulting from a cyber event that prevents normal business operations, such as a DDoS attack that restricts web traffic or a ransomware event that shuts down servers, preventing potential customers from accessing the affected services.
  • Remediation coverage pays for response costs following a cyber event (investigation, public relations, customer notification, and credit monitoring).
  • Liability coverage pays defense and indemnity costs resulting from network security events (unauthorized access to systems causing injury to third parties), privacy events (exposure of confidential information), and media liability (advertising injury and copyright or trademark infringement).
  • Regulatory coverage pays defense and investigation costs for regulatory investigations and claims resulting from cyber events (or failure to properly handle a cyber event).
  • PCI coverage pays for liability to credit card issuers arising out of unauthorized disclosure of credit information (and, as noted above, generally requires proof of compliance with PCI standards).

For more information on mitigating your organization’s cyber risks through cyber insurance, our previous article, published by MISTI Infosec Insider, provides a more detailed overview of the factors to consider when managing a cyber‑insurance program.

Bradley Attorneys Highlight Cyber Insurance Risks to Consider When Acquiring a CompanyIn a recent article published by Mergers & Acquisitions, Bradley’s Policyholder Practice Group Leader Katherine Henry and policyholder coverage attorney Brendan Hogan explain some of the risks companies need to consider when considering potential merger and acquisition targets.

This article covers how companies can mitigate M&A risk by:

  • Reviewing key cyber risk management procedures the target company should have in place
  • Assessing the target company’s insurance assets and potential liability
  • Understanding specific cyber insurance coverage grants (data breach, fraud and theft, business interruption, and remediation) and the risks they help mitigate

Read the full article by visiting the Merger & Acquisitions website.

Fore! Fourth Circuit Affirms No Coverage for Hole-in-One PaymentsAs proof that almost anything can be insured, hole-in-one insurance is available on the market. Coverage is granted for payments or awards (cars, cruises, golf trips, cash, etc…) given and can be obtained for the right premium whether you’re protecting against the risk of an “ace” by a professional or a hacker at a charity scramble event. Of course, there are also limitations defined by the terms, conditions, and exclusions in the policy.

During the 2015 Greenbrier Classic in West Virginia, an annual PGA Tour event, Justin Thomas and George McNeill aced the 18th hole. The hole was playing 137 yards that day. The fans went particularly wild, largely because they took home approximately $200,000 from a tournament contest offering a cash prize to any spectator that witnessed a hole-in-one in person.

Those spectators might not have celebrated had they known their prize money would ultimately end up uninsured. At the end of 2017, the Fourth Circuit held there was no coverage for the payments made by Old White Charities because the policy required a longer hole — at least 170 yards (see All Risks v. Old White Charities).

The Fourth Circuit enforced that policy limitation under West Virginia law. Like other jurisdictions across the country, West Virginia enforces the plain language of the policy. The court also rejected arguments based on a shorter limitation (150 yards, so it wouldn’t have mattered anyway) in the policy application and Old White’s argument that it had a reasonable expectation of coverage despite the 170-yard minimum in the policy. Old White’s claims of negligence and fraud during the underwriting process also failed. In sum, the court saw no evidence that provided an exception to the plain language rule.

Two obvious takeaways here:

  1. Many golfers never get the chance to see a hole-in-one in person, but there is nothing unusual about a court upholding a clear policy exclusion or limitation. Even policyholders that do not know the difference between a birdie and a bogey should heed this case as a reminder: The language in the policy matters, even when the result may be harsh. Absent a way around it (an ambiguity caused by other language, waiver, misrepresentation in the application process), an exclusion can produce a tough result inconsistent with the policyholder’s expectations.
  2. This case is also a reminder about the need to manage risk even after insurance is in place. The best risk management programs account for the limitations in the company’s insurance portfolio. For example, some comprehensive property insurance programs contain limitations (e.g., no flood coverage for properties on a coast) on the location of scheduled properties purchased after the policy is bound. Failure to consider that limitation when a new property is acquired can lead to a significant uninsured loss.

I hated to see this result for Old White Charities and a golf tournament that I love to watch, particularly when the same tournament had to be cancelled due to the tragic flooding in that part of West Virginia in 2016. Here’s hoping the 2017 tournament was the start of a new stretch of good fortune for the Greenbrier Classic.

Insurance Purchasers Beware: Florida Court Finds No Duty to Defend Data Breach Claim Under CGL Personal & Advertising Injury CoverageOn November 17, 2017, a U.S. district court in Florida narrowly construed personal and advertising injury coverage for data-breach claims under a commercial general liability policy. In Innovak International, Inc., v. The Hanover Insurance Company, the court held that The Hanover Insurance Company (the insurer) has no duty to defend Innovak International, Inc. (the insured), against a putative class action arising from a data breach that compromised users’ personal private information (“PPI”).

The court narrowly construed the policy’s definition of “personal and advertising injury” that included “[o]ral or written publication in any manner of material that violates a person’s right of privacy.” Despite the absence of a requirement that the insured publish that material, the court held that the policy only extended coverage to publication by the insured.

The court held that “[t]he act that violates the claimants’ right of privacy is the publication of their PPI, and the Underlying Claimants have not alleged that Innovak directly or indirectly committed that act.” The court rejected Innovak’s arguments that the phrase “in any manner” includes both “direct publication of PPI and negligent failure to prevent third parties from obtaining the PPI.” Following a New York state court decision (Zurich American Insurance v. Sony Corporation of America), the Florida court construed the phrase “in any manner” to refer to the medium rather that the sender of the information.

The court also rejected Innovak’s argument that the putative class action complaint alleged that Innovak indirectly published the PPI. The court held that the complaint clearly alleged that Innovak failed to protect the users’ PPI by failing to implement sufficient data security measures – which is not an allegation of publication at all. The court distinguished a California case, Hartford Casualty Insurance Co. v. Corcino & Associates, et al., because that complaint alleged that the insured posted private information on a public website, and the court did not address the same legal issues.

Finally, the court made short shrift of Innovak’s argument that Hanover waived its defense by omitting it from its denial letter, because the particular defense was included within the letter.

This case serves as a reminder that organizations should not assume that their commercial general liability policies will cover losses from data breaches – even if the organization purchases a data breach enhancement, as Innovak did. The policy’s Data Breach Form provided only data breach services and paid only data breach expenses and expressly excluded “fees, costs, settlements, judgments or liability of any kind” arising out of a data breach. The lack of coverage under the Data Breach Form left Innovak with only the personal and advertising injury coverage, which, in this instance, did not extend to the putative class action against Innovak.

As often mentioned on this blog, prudent insureds should purchase dedicated cyber insurance coverage if at all possible. Smaller organizations may rely on coverage enhancements to their existing insurance programs but should recognize the risk of this strategy. Under either a traditional or specialized cyber insurance program, all insureds should scrutinize policy language to understand the scope of coverage and –more importantly – the limitations of that coverage for data breach and other cyber-related exposures.