Listen to this post

Sometimes defining the simplest phrases proves anything but simple. So learned the insurer in a property loss and bad faith case brought by its insured and decided earlier this year by the Pennsylvania Superior Court (Watchword Worldwide v. Erie Ins. Co., 308 A.2d 728 (Pa. Superior Ct. 2024)).

Watchword Worldwide engaged in the business of producing and selling Biblical videos.  Its sales process involved a customer’s use of a mobile application and an application programming interface (API) that verified the sale and delivered the purchased video. Watchword’s videos and its API were housed on a server owned by GoDaddy; Watchword leased an account on GoDaddy’s server under a license, but the server was owned by GoDaddy.

In 2017, Watchword learned that an unknown hacker had deleted its videos and API from the GoDaddy server. It asserted a claim against its property and liability insurer, seeking recovery under the policy’s electronic data coverage. The policy provided coverage for loss or damage to electronic data, “which is owned by you, licensed or leased to you, originates and resides in your computers, and is used in the e-commerce activity of your business.” The insurer, Erie, denied the claim, in part on the basis that Watchword’s data at the time of its loss resided on GoDaddy’s server, not Watchword’s.

Watchword then filed suit for breach of contract and bad faith against Erie. The jury returned a verdict in Watchword’s favor, and Erie appealed. The appeals court reversed the jury’s verdict, on the ground that Watchword had not adequately shown that its loss exceeded the policy’s deductible but ruled against the insurer on the “your computers” issue.

In a question of first impression – not only in Pennsylvania but apparently the country – the court ruled that “your computer” could reasonably both include or exclude computers the insured had a right to use but did not own. The court noted that policy did not define the term “your computer” and that no case law existed interpreting it and so applied the common understanding that “your computer” could reasonably apply to computers that the insured did not own but had a right to use. Because both definitions were reasonable, the term was ambiguous and therefore had to be construed in the insured’s favor. In this case, the term “your computer” was not defined, which allowed the court to apply its own common-sense definition that expanded coverage. Had the policy contained its own, more restrictive definition, the analysis could have come out very differently. The takeaway for policyholders here is that simple phrases in an insurance policy may not be so simple after all. It makes sense to check your electronic data coverage, particularly if your data is being preserved on or passing through servers or other computer facilities that you don’t technically own.

Listen to this post

Most policyholders are aware of the danger of losses from fraudulent instructions and invoices accomplished through what is known as “social engineering” or related methods. Often this is carried out by an email claiming to be from a vendor or company executive that provides instructions for payment to a fraudulent account. In some cases, the fraud can go on for months before it is detected, leading to losses of hundreds of thousands of dollars. 

Unfortunately, policyholders are sometimes unpleasantly surprised when their cyber insurance excludes or places limits on coverage for this type of fraud. Unlike many other kinds of insurance, cyber has not become standardized in the years since its inception. Instead, the cyber insurance market offers policyholders a menu of coverage options from which the organization must purchase specific insuring agreements that match its risk profile. This “à la carte” approach means that policyholders must pay close attention to the insuring agreements in their policies, as well as key conditions on this coverage. They must also recognize missing coverages because not all cyber policies offer social engineering or other theft-of-property coverages.

Confusing terminology compounds the problem: If given options to purchase coverage for (a) “computer fraud,” (b) “funds transfer fraud,” or (c) “fraudulent instruction,” would you know which one insures against an invoice your company received from a spoofed vendor email? As these terms are commonly used in the insurance market, the answer is most likely (c), but depends on the specific policy language. 

Where coverage does exist, it is frequently subject to sublimits that are much lower than the overall policy limits. Policyholders should consider whether, for example, a sublimit of $100,000 is sufficient for the expected risk of a fraud event or if higher limits are needed.

An important condition typically imposed by insurers requires policyholders to maintain and utilize procedures for verifying a transaction, such as using two-factor or “out-of-band” authentication before transferring funds. The organization should determine the specific procedures mandated by the policy or represented to the insurer during the application process, and confirm those requirements are being followed. Ideally, this will not only avoid forfeiting coverage, but may prevent the loss in the first instance. 

What about the reverse scenario when your customer is deceived by an email purporting to be from your organization? The customer may balk at paying the same invoice twice, or may argue that your company was at fault, particularly if the deception was aided by a breach of your own data. Some insurers will refuse to cover this type of event, reasoning that a third party, not the insured, has been defrauded. Other insurers expressly offer this coverage or make it available by endorsement. Coverage is usually available — but only if the insured understands its risks and obtains knowledgeable counsel from its coverage attorneys and brokers.

Listen to this post

As the Atlantic hurricane season reaches its peak in September, bringing with it rainfall and flooding, a recent New Jersey court held a sewer overflow resulting from rainfall was not caused, directly or indirectly, by a flood and therefore did not trigger a flood exclusion. This decision, and the insured’s submission of evidence to prove causation, serves as a roadmap for policyholders challenging an insurer’s overbroad application of an exclusion. In G.E.M.S. Partners LLC v. AmGUARD Ins. Co., — F.Supp. 3d —, No. CV 22-1664, 2024 WL 3568932 (D.N.J. July 29, 2024)), the New Jersey district court denied an insurer’s motion for summary judgment, holding that property damage caused by rainfall associated with a hurricane did not trigger the policy’s flood exclusion.

The insured, G.E.M.S. Partners LLC (the Insured), purchased a commercial property policy from AmGUARD Insurance Companyy (AmGUARD). In September 2021, Hurricane Ida brought heavy rainfall that overwhelmed the local infrastructure and sewer system causing water to leak from plumbing fixtures. The Insured sought coverage under a Water Back-Up and Sump Overflow Endorsement covering “damage . . . caused by . . . [w]ater . . . which backs up through or overflows or is otherwise discharged from a sewer[.]” AmGUARD denied the insured’s claim for property damage citing a flood exclusion:

THIS IS NOT FLOOD INSURANCE. We will not pay for loss or damage from water or other materials that back up or overflow from any sewer, drain or sump that itself is caused, directly or indirectly, in whole or in part, by any flood. Flood means the overflow of surface water, waves, tides, tidal waves, streams, or other bodies of water, or their spray, all whether driven by wind or not.

AmGUARD’s motion for summary judgment required the court to decide  whether overflow from the sewer system constituted a “flood” triggering the exclusion. A plumber who inspected the buildings after the storm described the water loss as a “back up” of “sewer . . . water.” In the absence of any controlling New Jersey state law cases, the G.E.M.S. court predicted “the New Jersey Supreme Court would hold that for purposes of the Flood Exclusion here, ‘flood’ means ‘the overflow of . . . a bod[y] of water,’” which is distinct from overflow from a sewer system.

In reaching this conclusion, the court first considered dictionary definitions of “flood,” which focused on the overflow of a body of water. The court then noted that “flood” was generally understood in insurance policies (citing authorities) as “overflow of a body of water” and cited New Jersey contract principles applicable to insurance policies that require policy interpretation “to keep in step with the broader consensus view as to the meaning of a given insurance contract term.”

Next, the court applied these definitions of flood to the flood exclusion itself and noted that the exclusion equated “flood” with “an overflow,” which “implies a boundary – water pushes ‘over’ it, and then ‘flow[s]’ beyond it.” The court concluded: “This is why it is natural to say that a pond or stream overflows – each is a body of water. And that is why it is less natural to say that falling rain overflows.” The court also noted that the phrase “surface water, waves, tides, tidal waves, [and] streams” referred to “bodies of water” while the definition of flood was “the overflow of . . . bodies of water.” Finally, the G.E.M.S. court considered prior New Jersey case law interpreting the phrase “surface water” as a “permanent body of water that sits on the land – like a lake or river.”

In denying AmGUARD’s motion for summary judgment, the G.E.M.S. court concluded the New Jersey Supreme Court would hold that “surface water” means overflow from an “on-the-surface body of water” and not a rain event that “backs up through or overflows or is otherwise discharged from a sewer.” The G.E.M.S decision highlights the importance of framing causation at the outset of a claim to establish coverage, as well as the importance of working with experienced coverage counsel who can assist in interpreting policy language to articulate a covered – and not excluded – cause of loss.