Policyholder Diligence Ensures You’re InsuredPolicyholders take notice – a recent New York case highlights the importance of thoroughly analyzing and understanding all policy language to minimize project risk and ensure proper coverage. As an illustration, the Court of Appeals of New York recently held that a named additional insured was not covered under an insurance policy because the plain meaning of the language in the policy endorsement required a written contract between the policyholder and the additional insured.

In Gilbane Bldg. Co./TDX Construction Corp. v. St. Paul Fire & Mar. Ins. Co., the Dormitory Authority of the State of New York (DASNY) contracted with Samson Construction Company as general contractor for the construction of a new building. DASNY also contracted with a joint venture, formed by Gilbane Building Company and TDX Construction Corporation (the “JV”), to serve as construction manager on the project. The contract between DASNY and Samson required Samson to procure general liability insurance for the project and name the JV as an additional insured. Samson obtained this coverage from Liberty Insurance Underwriters.

Thereafter, DASNY sued Samson and the project architect. In turn, the architect filed a third-party complaint against the JV, which then provided notice to Liberty seeking defense and indemnification. Liberty denied coverage, and the JV initiated suit against Liberty, arguing that it qualified for coverage as a named additional insured. The New York Supreme Court denied Liberty’s motion for summary judgment and held that the JV was an additional insured under the applicable insurance policy. The Appellate Division reversed and the Court of Appeals affirmed.

The court reviewed the language of the additional insured provision which read, in relevant part, “an insured [is] any person or organization with whom you have agreed to add as an additional insured by written contract…” Here, the JV and Samson did not have a written contract with one another. Nonetheless, the JV argued that the written contract requirement conflicted with the plain meaning of the language in Liberty’s endorsement, “well-settled rules of policy interpretation,” and the parties’ reasonable expectations. The court disagreed, and found that the language was facially clear. It concluded that Liberty’s endorsement would only provide coverage to the JV if Samson and the JV entered into a written contract because “unambiguous provisions of an insurance contract must be given their plain and ordinary meaning.”

The court then explained how the outcome would differ if the provision did not include the word “with.” In that case, the endorsement would have provided coverage to “any person or organization whom [Samson had] agreed by [any] written contract to add…” Since Samson already contracted with DASNY to add the JV as an additional insured, coverage would have been effective as to the JV.

Regardless of the type of insurance policy at issue, it is critically important to thoroughly analyze the policy documents to ensure an accurate understanding of the language used. Individual policyholders often take policy language at face value, if they read the terms of the policy at all, and never question what coverage they have actually purchased. Similarly, when the policy at issue is part of a larger set of contract documents, companies often become complacent during the contract review process—especially when certain documents appear boilerplate or seem like only a minor formality to finalize a contract. Oftentimes, the perceived need for reviewing policy language is further dampened by the fact that the insurance policy comes into existence after the project contract is signed, such as the policy in this case.

As a result of complete oversight, the hurried nature of review, or the overwhelming volume of contract documents requiring review, policyholders can easily adopt a reading of policy language that might reflect reasonable expectations but does not necessarily adhere to the plain meaning of the language. Diligence must extend to the review of insurance policies because ignoring the actual language of the policy can result in significant risk exposure.  If you have any questions or concerns about your current insurance coverage or upcoming project needs, please contact Alex Thrasher and the team at Bradley to learn more about ways to ensure that you’re covered.

FFIEC Highlights Importance of Cyber InsuranceThe Federal Financial Institutions Examination Council (FFIEC) issued a joint statement in April emphasizing the need for companies in the financial sector to include cyber insurance in their risk management program. Although the FFIEC did not announce new regulatory requirements or expectations, the announcement is further evidence of what most businesses have already recognized: Cyber coverage is quickly becoming indispensable.

Among the points highlighted by the FFIEC:

  • Institutions face a variety of risks from cyber incidents, including risks resulting from fraud, data loss, and disruption of service.
  • Traditional insurance coverage may not cover cyber risk exposures.
  • Cyber insurance can be an effective tool for mitigating risk.
  • Insurance does not remove the need for an effective system of controls as the primary defense to cyber threats.
  • The cyber insurance marketplace is growing and evolving, requiring due diligence to determine what insurance products will meet an organization’s needs.

Although not specifically mentioned in the FFIEC statement, businesses should be aware that cyber coverage can be an important source of mitigating regulatory risk associated with data breaches – if the organization purchases a policy that provides regulatory coverage. Today, there are a number of insurers offering products that reimburse costs for investigating and responding to a regulatory investigation or enforcement proceeding, as well as provide coverage for administrative penalties. Given amplified scrutiny from regulators in the area of data security, the importance of such coverage continues to increase. With a rapidly changing market, institutions should carefully review policies to be sure that the scope and limitations of coverage match their exposure.

 

Republished with permission. This blog post was modified for the It Pays to Be Covered blog. The blog post originally appeared on Bradley’s Financial Services Perspectives blog on April 17, 2018.

webinarUpcoming Event - Policyholder Insurance Webinar Series: Is That Drone Insured?Bradley’s Policyholder Insurance group is pleased to present “Enterprise Risk Management: What In-House Counsel Need to Know” as part of our ongoing Litigation Lunch & Learn series.

This onsite event will discuss an overview of enterprise risk management presented by guest speaker Matthew Lusco of Regions Financial and Bradley attorneys Katherine J. Henry and Emily M. Ruzic.

When:  Wednesday, May 16, 2018
11:30AM – 12:00PM CDT (Lunch and Registrations)
12:00PM – 1:00PM CDT (Presentation)

Where:  Bradley Arant Boult Cummings LLP, 1819 5th Avenue North, Suite 200, Birmingham, AL 35203

What:  Enterprise risk management provides a framework for managing risks across all sectors of an organization. This entity-wide approach to risk management depends on cooperation between an organization’s risk management and legal departments. Join us as we discuss enterprise risk management with Matthew Lusco, Senior Executive Vice President and Chief Risk Officer of Regions Financial. This one-hour program will offer insight into effective enterprise-risk-management strategies with a focus on in-house counsel’s contribution to an organization’s enterprise risk management program.

To register for the event, please RSVP by May 9th, 2018.

We look forward to seeing you there!

Can You Hear Me Now? Tenth Circuit Rejects Coverage for Telephone Consumer Protection Act ClaimsA recent Tenth Circuit decision undercut policyholder arguments that Telephone Consumer Protection Act (TCPA) claims are insurable under a standard CGL policy. Policyholders should take note of this decision but should not assume that all TCPA claims are necessarily uncovered.

On February 21, the Tenth Circuit affirmed a finding of no coverage on appeal from the District of Colorado. In Ace American Insurance Company v. Dish Network, LLC, the Tenth Circuit held there was no duty to defend Dish in a lawsuit alleging various violations of state and federal laws relating to telemarketing phone calls. The court held that statutory damages and injunctive relief sought under the TCPA were uninsurable penalties instead of insurable “damages” under the relevant liabilities policies. The court also rejected Dish’s argument that the TCPA’s provisions governing actual monetary loss qualified as a remedial provision that could be insured under Colorado law. Finally, the court rejected Dish’s argument that the underlying claims for equitable relief could constitute insurable damages.

Policyholders should take note of this case for several reasons:

  1. Rising TCPA Claims. TCPA claims continue to gain popularity on court dockets across the country. Insurers will undoubtedly lean on this case as a basis for denial of coverage in similar cases. That said, TCPA policyholders should not simply assume that all hope is lost. For example, the Tenth Circuit’s decision relies heavily on aspects of Colorado law that may not be controlling in other jurisdictions.
  2. Claims for Equitable Relief May Still Trigger Duty To Defend. This case is a good reminder of the importance of a detailed analysis relating to the particular damage allegations in an underlying lawsuit when considering the duty to defend. The Tenth Circuit did not shut the door on the possibility of a duty to defend claim seeking equitable relief. Instead, the decision is limited to the particular allegations in the underlying complaint.
  3. TCPA Exclusions Becoming More Common. The court noted that several later policies contained specific exclusion endorsements for TCPA claims. Policyholders that may face TCPA allegations should consider whether their current liability policies contain such exclusions and, if so, whether additional coverage may be necessary to protect against such future allegations.
  4. Some Coverage Arguments Not Fully Addressed. Unfortunately, the Tenth Circuit did not reach some of the other interesting coverage questions that could have played a role. For example, I would have been interested to see the court’s analysis of whether “bodily injury” or “property damage” was alleged in the underlying litigation.

This case is not the death knell for coverage for TCPA defendants, but it may prove a hurdle even in jurisdictions beyond Colorado. Companies that face this risk should consider their current coverage portfolio, particularly with respect to any exclusions that may expressly or implicitly apply to TCPA claims. In the event of a claim, companies should analyze each case independently, including consideration of choice of law and the particular policy provisions and allegations at issue.

Increased FTC Enforcement Highlights Need for Cyber Regulatory CoverageRegulatory components to cyber insurance policies are becoming increasingly valuable as data-breach enforcement continues to surge. The Federal Trade Commission (FTC or Commission), the nation’s primary privacy and data security enforcer, has announced another record year of enforcement actions regarding consumer privacy. In 2017, the FTC brought nearly two hundred privacy and data security cases. Generally, getting hacked alone will not invite a lawsuit from the FTC, but failing to take corrective actions (resulting in a subsequent breach) could attract attention from regulators. To ensure enforcement, the Commission requires companies to take affirmative steps to remediate unlawful behavior. In addition, the FTC may impose civil, monetary penalties.

Recent FTC Enforcement Activities

Many well-known companies were targets of FTC investigations or enforcement actions in 2017, including Equifax, Lenovo, and VIZIO. Just last month, the FTC announced a settlement with electronic toymaker VTech, stemming from a data breach in 2015. VTech agreed to pay $650,000 to settle allegations that it violated the Children’s Online Privacy Protection Act, which generally requires websites and apps to obtain parental consent before collecting personal information from children under 13 years of age. The FTC alleged that VTech had collected personal information from children without providing the requisite notice or obtaining the parent’s consent. The Commission also claimed that VTech had failed to take reasonable steps to secure the data it had collected.

Coverage for Fines and Penalties

As the FTC continues to increase enforcement actions, regulatory components to cyber-insurance policies are becoming increasingly valuable. Cyber regulatory defense and penalties coverage is one of the rare types of insurance that may affirmatively cover fines and penalties.  For example, the AIG CyberEdge Security and Privacy Liability Insurance defines covered “Loss,” in part, as “civil fines or penalties imposed by a governmental agency and arising from a Regulatory Action, unless the civil fine or penalty is uninsurable under the law of the jurisdiction imposing such fine or penalty.” Other cyber policies provide coverage for “Penalties,” meaning “any civil fine or money penalty payable to a governmental entity that was imposed in a Regulatory Proceeding by the Federal Trade Commission . . . or any other federal, state, local or foreign governmental entity.” Like the AIG definition, these policies also caution that applicable state law may not allow for coverage, stating “the insurability of Penalties shall be in accordance with the law in the applicable venue that most favors coverage for such Penalties.” As with the insurability of punitive damages, there is no uniform view regarding whether fines and penalties can be insured, despite policy language expressly providing for such coverage. Insurers are likely to challenge coverage for fines and penalties that stem from intentional or willful conduct, claiming that loss is uninsurable based on public policy arguments.

Coverage for Defense and Investigative Costs

Cyber policies can also provide coverage for defense and investigative costs in connection with governmental investigations. Typically, the insurer will agree to pay attorneys’ fees, as well as other legal costs, excluding the insured’s internal costs, such as salary or overhead. Commonly, the insurer agrees to pay “Claims Expenses and Penalties in excess of the Retention, which the Insured shall become legally obligated to pay because of any Claim in the form of a Regulatory Proceeding.” Notably, FTC actions and investigations are included in traditional definitions of “Regulatory Proceeding.” Defense and investigation costs can add up quickly, making this portion of cyber coverage quite valuable.

Conclusion

Insurance for regulatory actions stemming from data breaches is readily available in the marketplace. While it remains unclear whether fines and penalties are insurable, as a matter of public policy, insurers are consistently providing coverage for defense and investigative costs in connection with cyber events. As the FTC continues to investigate data security and privacy issues, companies should continue to evaluate cyber-regulatory coverage as it can be a valuable part of business insurance portfolios.

Fore! Fourth Circuit Affirms No Coverage for Hole-in-One PaymentsAs proof that almost anything can be insured, hole-in-one insurance is available on the market. Coverage is granted for payments or awards (cars, cruises, golf trips, cash, etc…) given and can be obtained for the right premium whether you’re protecting against the risk of an “ace” by a professional or a hacker at a charity scramble event. Of course, there are also limitations defined by the terms, conditions, and exclusions in the policy.

During the 2015 Greenbrier Classic in West Virginia, an annual PGA Tour event, Justin Thomas and George McNeill aced the 18th hole. The hole was playing 137 yards that day. The fans went particularly wild, largely because they took home approximately $200,000 from a tournament contest offering a cash prize to any spectator that witnessed a hole-in-one in person.

Those spectators might not have celebrated had they known their prize money would ultimately end up uninsured. At the end of 2017, the Fourth Circuit held there was no coverage for the payments made by Old White Charities because the policy required a longer hole — at least 170 yards (see All Risks v. Old White Charities).

The Fourth Circuit enforced that policy limitation under West Virginia law. Like other jurisdictions across the country, West Virginia enforces the plain language of the policy. The court also rejected arguments based on a shorter limitation (150 yards, so it wouldn’t have mattered anyway) in the policy application and Old White’s argument that it had a reasonable expectation of coverage despite the 170-yard minimum in the policy. Old White’s claims of negligence and fraud during the underwriting process also failed. In sum, the court saw no evidence that provided an exception to the plain language rule.

Two obvious takeaways here:

  1. Many golfers never get the chance to see a hole-in-one in person, but there is nothing unusual about a court upholding a clear policy exclusion or limitation. Even policyholders that do not know the difference between a birdie and a bogey should heed this case as a reminder: The language in the policy matters, even when the result may be harsh. Absent a way around it (an ambiguity caused by other language, waiver, misrepresentation in the application process), an exclusion can produce a tough result inconsistent with the policyholder’s expectations.
  2. This case is also a reminder about the need to manage risk even after insurance is in place. The best risk management programs account for the limitations in the company’s insurance portfolio. For example, some comprehensive property insurance programs contain limitations (e.g., no flood coverage for properties on a coast) on the location of scheduled properties purchased after the policy is bound. Failure to consider that limitation when a new property is acquired can lead to a significant uninsured loss.

I hated to see this result for Old White Charities and a golf tournament that I love to watch, particularly when the same tournament had to be cancelled due to the tragic flooding in that part of West Virginia in 2016. Here’s hoping the 2017 tournament was the start of a new stretch of good fortune for the Greenbrier Classic.