Insurance Policy Renewals

Can You Hear Me Now? Tenth Circuit Rejects Coverage for Telephone Consumer Protection Act Claims

A recent Tenth Circuit decision undercut policyholder arguments that Telephone Consumer Protection Act (TCPA) claims are insurable under a standard CGL policy. Policyholders should take note of this decision but should not assume that all TCPA claims are necessarily uncovered.

On February 21, the Tenth Circuit affirmed a finding of no coverage on appeal from the District of Colorado. In Ace American Insurance Company v. Dish Network, LLC, the Tenth Circuit held there was no duty to defend Dish in a lawsuit alleging various violations of state and federal laws relating to telemarketing phone calls. The court held that statutory damages and injunctive relief sought under the TCPA were uninsurable penalties instead of insurable “damages” under the relevant liability policies. The court also rejected Dish’s argument that the TCPA’s provisions governing actual monetary loss qualified as a remedial provision that could be insured under Colorado law. Finally, the court rejected Dish’s argument that the underlying claims for equitable relief could constitute insurable damages.

Policyholders should take note of this case for several reasons:

  1. Rising TCPA Claims. TCPA claims continue to gain popularity on court dockets across the country. Insurers will undoubtedly lean on this case as a basis for denial of coverage in similar cases. That said, TCPA policyholders should not simply assume that all hope is lost. For example, the Tenth Circuit’s decision relies heavily on aspects of Colorado law that may not be controlling in other jurisdictions.
  2. Claims for Equitable Relief May Still Trigger Duty To Defend. This case is a good reminder of the importance of a detailed analysis relating to the particular damage allegations in an underlying lawsuit when considering the duty to defend. The Tenth Circuit did not shut the door on the possibility of a duty to defend a claim seeking equitable relief. Instead, the decision is limited to the particular allegations in the underlying complaint.
  3. TCPA Exclusions Becoming More Common. The court noted that several later policies contained specific exclusion endorsements for TCPA claims. Policyholders that may face TCPA allegations should consider whether their current liability policies contain such exclusions and, if so, whether additional coverage may be necessary to protect against such future allegations.
  4. Some Coverage Arguments Not Fully Addressed. Unfortunately, the Tenth Circuit did not reach some of the other interesting coverage questions that could have played a role. For example, I would have been interested to see the court’s analysis of whether “bodily injury” or “property damage” was alleged in the underlying litigation.

This case is not the death knell for coverage for TCPA defendants, but it may prove a hurdle even in jurisdictions beyond Colorado. Companies that face this risk should consider their current coverage portfolio, particularly with respect to any exclusions that may expressly or implicitly apply to TCPA claims. In the event of a claim, companies should analyze each case independently, including consideration of choice of law and the particular policy provisions and allegations at issue.

2018 Allianz Risk Barometer Highlights Business Interruption and Cyber as Two Most Important Risks of New Year

Allianz’s yearly survey of nearly 2,000 risk experts from 80 countries highlights business interruption and cyber incidents as the top two major threats for companies through 2018 and beyond. Forty-two percent of responses identified business interruption (BI) as the most important global risk because it can substantially impact revenues. So it is no surprise that BI has been highlighted as the most important risk for six years in a row. New for 2018, however, is that cyber incidents are the most feared BI trigger in the new year.

In addition to cyber incidents’ potential to trigger BI, risk experts identified cyber incidents generally as the second most important risk of 2018 (42 percent of responses). In particular, risk experts highlighted attacks on common internet infrastructure (with the potential to harm multiple companies at one time) as an increasing risk. These large‑scale attacks, such as the October 2016 Mirai Botnet attack on Dyn that brought down Twitter, SoundCloud, Spotify, Reddit and a host of other sites for hours, can substantially disrupt online operations and be used to extort multiple companies.

The Allianz report highlights what most policyholders already know: Cyber risk, whether in the form of business interruption, data‑breach liability, extortion, or otherwise, continues to expand at an almost breathtaking pace.

Every organization should survey the threat landscape to measure cyber exposure in six key risk areas:

  1. Business email compromise (BEC) scams
  2. Ransomware
  3. Distributed denial of service (DDoS)
  4. Data breach
  5. Theft of intellectual property
  6. Destruction or damage to computer systems

Surveying the cyber risk landscape is only the first step. For most organizations, the next step — cyber risk mitigation — includes purchasing cyber insurance. Due to the evolving nature of cyber insurance, and insurers’ differing tolerances for undertaking cyber risk, organizations must carefully assess proposed cyber insurance policies. Coverage grants vary and can include coverage for computer fraud and theft, cyber business interruption, cyber remediation, liability (including defense costs) resulting from a cyber event, regulatory costs, and PCI penalties.

  • Computer fraud and theft coverage pays for losses sustained as a result of unauthorized access to electronic systems or data.
  • Cyber business interruption coverage pays for losses resulting from a cyber event that prevents normal business operations, such as a DDoS attack that restricts web traffic or a ransomware event that shuts down servers, preventing potential customers from accessing the affected services.
  • Remediation coverage pays for response costs following a cyber event (investigation, public relations, customer notification, and credit monitoring).
  • Liability coverage pays defense and indemnity costs resulting from network security events (unauthorized access to systems causing injury to third parties), privacy events (exposure of confidential information), and media liability (advertising injury and copyright or trademark infringement).
  • Regulatory coverage pays defense and investigation costs for regulatory investigations and claims resulting from cyber events (or failure to properly handle a cyber event).
  • PCI coverage pays for liability to credit card issuers arising out of unauthorized disclosure of credit information (and, as noted above, generally requires proof of compliance with PCI standards).

For more information on mitigating your organization’s cyber risks through cyber insurance, our previous article, published by MISTI Infosec Insider, provides a more detailed overview of the factors to consider when managing a cyber‑insurance program.

RIMS 2017: Risk Revolution is less than two weeks away… are you going? Bradley’s Policyholder Insurance Coverage team is!

When: April 23-26, 2017

Where: Philadelphia, PA

What: Visit us at Booth 2734 (map of exhibit floor) to meet some of Bradley’s coverage attorneys and learn about key issues facing policyholders in today’s complicated insurance landscape. We look forward to seeing you at RIMS 2017.

For more information about the event, visit the RIMS 2017 website.