Last month, the Northern District of Georgia issued a strongly pro-insurer decision holding that a policy insuring computer fraud did not provide coverage for $11.4 million in fraudulent debit card redemptions made over the telephone. In InComm Holdings, Inc. v. Great Am. Ins. Co., No. 1:15-cv-2671-WSD, 2017 WL 1021749 (N.D. Ga. Mar. 16, 2017), the court granted summary judgment for the insurer, Great American, concluding that the insured’s losses did not result “directly” from the “use” of a computer. Continue Reading
Note: This is the first in a series of posts that will discuss the use of RWI in Mergers & Acquisitions.
Essential to a buyer’s and seller’s evaluation of the purchase and sale of a company is the allocation of exposure between them for unknown risks and liabilities associated with the breach of representations and warranties in the purchase agreement, such as inventory reporting or products liability exposures. Less than two decades ago, very few considered purchasing Representations and Warranties Insurance (“RWI”), a product designed for the express purpose of providing insurance for the breach of a representation (“rep”) or warranty contained in the purchase or merger agreement. Recently, however, these policies have emerged as an important tool to allocate risk to an insurer. RWI has also been recognized as an enhancement to the value of the deal, as well as critical to closing deals that might not otherwise get done.
Claims-made issues are often complicated in employment practices liability insurance (EPLI) cases because of the nature of discrimination claims. As a prerequisite to filing suit, a claimant must first submit a charge to the EEOC or other administrative body for investigation. Because of this, a claimant may file an EEOC charge in one policy period but file the subsequent lawsuit in a later policy period. In most EPLI policies, the event triggering coverage is a claim for an employment wrongful act which is first made during the policy period. Since both the administrative charge and the lawsuit usually fall within the policy’s definition of a claim, a dispute may arise over when the claim was first made.
Most business insurance policies are issued with one-year policy terms, creating a natural opportunity for businesses, their counsel and risk managers to re-evaluate coverage each year at renewal time. Many companies fail to take advantage of this opportunity and simply renew their policies each year without considering whether their insurance needs – or the coverages available – may have changed. Here are four questions to ask when your policies come for renewal:
It may seem obvious that policyholder defendants should immediately notify their liability insurance carrier whenever they are faced with potentially covered litigation. Among other things, policyholders want the benefit of the insurer-paid defense their policy provides. But for a variety of reasons, this does not always happen, and in some cases policyholders find themselves funding their own defense for a period of time before their insurance carrier is aware of the litigation and has agreed to accept the defense. Frequently, this leads to dispute about whether such “pre-tender” defense costs are covered under the policy.
The Eleventh Circuit faced this situation in EmbroidMe.com, Inc. v. Travelers Property Casualty Company of America, and on January 9 held that under Florida law, Travelers was not required under Florida’s Claims Administration Statute (CAS) to reimburse its policyholder, Emboidme.com, for pre-tender defense costs incurred in an underlying copyright infringement suit.
The Washington Post reported last week that Russian hackers had penetrated the U.S. utility grid through Burlington Electric Department, a Vermont utility. Although the utility later clarified that the attacked computer was not connected to the grid and that the connection to Russia was not confirmed, hundreds of news sources picked up the story, demonstrating the widespread concern over cyber intrusions into our electric grid.
The United States electricity grid is critically important to our lives. The “grid” is vulnerable to not only weather-related power outages but also to cyber attacks. The most likely path for a hacker into a utility is through a utility’s control systems, which almost always are connected to the internet. The connection between the control systems in any piece of equipment or device and the internet is called the “Internet of Things.”
A shutdown in service by a utility by a cyber attack could produce dire economic consequences to both small and large businesses. It is therefore essential that businesses try to manage this business interruption risk, and because the risk is outside of a business’s control, insurance is the best (and possibly only) tool to use.
This is the first in a series of posts relating to what we will call the “minefields” of claims made insurance coverage. Fifty years ago, most insurers issued liability insurance policies on “occurrence” policy forms. As insurers expanded their coverage offerings for professional and executive risks in the 1960s and 1970s, they began to use “claims-made” policy forms. Today, while most commercial general liability or “CGL” policies are issued on occurrence forms, claims-made policies dominate the marketplace for professional liability, D&O, fiduciary and other specialty coverages.
Claims-made policies differ from occurrence-based policies primarily in the method of triggering or activating coverage under the policy. These policies create unique challenges for policyholders both in connection with the reporting of claims as well as with the purchase of a policy with the appropriate terms, conditions and exclusions for the risks that the insured faces.
To understand claims-made coverage, it is important to start with a comparison of occurrence policy forms with claims-made forms. Occurrence-based CGL policy forms insure bodily injury or property damage that takes place during the policy period regardless when the claim is made against the insured. The “trigger” of coverage is when the claimant is injured or when the property damage takes place.
The trigger of coverage analysis with an occurrence-based form is not always simple, however. For example, in an asbestos toxic-tort case, it is frequently difficult to pinpoint the date of the occurrence because there is a latency period between the original exposure to asbestos and the manifestation of injury. Courts have developed different rules to determine the trigger of coverage in this type of latent injury case: (1) the “exposure” trigger, which applies the policy in effect at the time of the exposure to the harm; (2) the “manifestation” trigger, which applies the policy that was in effect at the time the injury manifested itself; (3) the “injury-in-fact” trigger, which applies the policy or policies that were in effect at any time actual injury occurred; and (4) the “continuing injury” trigger, which applies all policies in effect from the initial exposure through the manifestation of the injury.
Claims-made policies operate very differently. A claims-made policy provides coverage if the claim is made against the insured during the policy period, regardless when the injury took place (although most policies require the injury to occur after a “retroactive date” stated in the policy). Most claims made policies also provide that the insured must report the claim to the insurer during the policy period or during an “extended reporting period.”
There are four key differences between occurrence-based policies and claims-made policies. First, with a claims-made policy, the threshold event is a claim against the insured during the policy period. In contrast, occurrence-based CGL coverage looks to whether injury or damage occurred during the policy period.
Second, with a claims-made policy, it is the concept of a “wrongful act” (typically defined as an “act, error or omission”) that gives rise to coverage. With occurrence-based CGL policies, on the other hand, it is the bodily injury or property damage that gives rise to coverage, not the wrongful act by the insured.
Third, reporting to the insurer is an affirmative element of coverage that the insured generally must prove under the terms of a claims-made policy. The insured must notify the insurance company of the claim during a specified time period (either during the policy period or during the extended reporting period) or lose coverage. Under occurrence-based policies, notice is not an element of coverage, but a policy condition.
Because reporting is an element of coverage, most courts interpreting claims-made policies strictly enforce notice requirements. If the insured fails to provide notice within the required period under a claims-made policy, the insurer can refuse to cover the loss without proving that the insurer was prejudiced by the delay. In most states, if an insured fails to provide timely notice under an occurrence-based CGL policy, the insurer must provide coverage unless the delay resulted in prejudice to the insurer.
In future posts in this series, we will discuss the key coverage issues that arise under claims-made policies, best practices in providing notice to insurers under claims-made policies, and recommendations to policyholders regarding the purchase of claims-made policies.
Insurers frequently rely on “prior knowledge” exclusions in an effort to avoid coverage under claims-made liability insurance policies. In OneBeacon Insurance Co. v. T. Wade Welch & Associates et al., the Fifth Circuit recently affirmed a $28 million judgment following a jury verdict against One Beacon Insurance Company, finding that the insurer had wrongfully declined to indemnify a law firm in a legal malpractice case based on a prior knowledge exclusion in its policy. The court held that the prior knowledge exclusion in the policy was overly broad and that “[a]s written . . . the exclusion renders the coverage illusory and is facially absurd.”
The Policies: OneBeacon issued a series of professional liability policies to T. Wade Welch & Associates (the “Welch Firm”) beginning in December 2006. In the application for the first policy, Wade Welch, the principal of the firm, represented that after inquiring of each lawyer in the firm, he was not aware of “any fact or circumstance, act, error, omission or personal injury which might be expected to be the basis of a claim or suit” against the firm.”
Each of the One Beacon policies contained a prior knowledge exclusion barring coverage for
any claim arising out of a wrongful act occurring prior to the policy period if, prior to the effective date of the first Lawyers’ Professional Liability Insurance Policy issued by [OneBeacon] to [the Welch Firm] and continuously renewed and maintained in effect to the inception of this policy period … you had a reasonable basis to believe that you had committed a wrongful act, violated a disciplinary rule, or engaged in professional misconduct; [or] you could foresee a claim would be made against you.
For an additional premium, the Welch Firm purchased a retroactive date for the policy of January 4, 1995. The retroactive date set the earliest possible date when a wrongful act or omission could occur and still be covered under the policy.
The Welch Firm renewed the 2006-2007 policy in subsequent years, making the same representations about its knowledge of potential claims.
The Malpractice Claim: The Welch Firm represented DISH Network Corp. in a lawsuit filed against it by Russia Media Group (“RMG”). During the course of discovery in the DISH lawsuit, the Welch Firm failed to timely serve discovery responses after the court had ordered DISH to respond. In February 2007, RMG moved for “death penalty” sanctions for DISH’s failure to respond to the discovery. In February 2008, the district court affirmed an order entered by the magistrate judge granting sanctions. Specifically, the court held that DISH could not oppose RMG’s three primary claims and barred DISH from challenging RMG’s damages.
The Coverage Dispute: Prior to Welch’s application for the renewal of the initial OneBeacon policy for a subsequent (2007-2008) year, the firm failed to respond to the discovery giving rise to the subsequent sanctions motion. Mr. Welch was not aware of this fact and noted in the policy application that the firm was not “aware of any fact, circumstance, or situation which might reasonably be expected to give rise to a claim.”
After the entry of the death penalty order, Wade Welch learned for the first time of the discovery dispute and the sanctions motion and order. He then notified OneBeacon of a potential malpractice claim. OneBeacon acknowledged the claim.
In June 2008 the Welch Firm informed OneBeacon that RMG had made a demand of $105,800,000 to DISH to settle the underlying lawsuit. In December 2010, DISH requested that OneBeacon make its policy limits available for a potential settlement with RMG and in June 2011 DISH offered to settle and release the Welch Firm in exchange for OneBeacon’s policy limits.
OneBeacon responded in August 2011 and declined DISH’s settlement offer. OneBeacon then rescinded the Welch Firm’s policy and filed suit seeking a declaration that the prior-knowledge exclusion in its exclusion barred coverage. The Welch firm counterclaimed, and DISH intervened. In the interim, DISH demanded arbitration against the Welch firm for malpractice.
The parties filed motions for summary judgment, including cross-motions regarding the policy’s prior-knowledge exclusion. The Welch Firm argued that the court should enforce the prior-knowledge exclusion only if a reasonable attorney with defense counsel’s subjective knowledge at the time of application could have reasonably expected his acts, errors and omissions could lead to a malpractice claim. The trial court agreed and rejected OneBeacon’s argument that the that the prior-knowledge exclusion should be read in isolation. The court found ruled that it must consider the context of the policy as a whole, because to do so would render the policy’s retroactive coverage illusory.
The case proceeded to trial and based on this standard, a Houston jury found that the prior knowledge exclusion did not bar coverage, because OneBeacon had not shown that a reasonable attorney, given defense counsel’s knowledge in December 2006 − the date of the first application for coverage − could have reasonably expected his actions to result in a malpractice claim. The jury awarded the Welch Firm $33 million, which the district judge reduced to $28 million.
On appeal, the Fifth Circuit upheld the trial court’s ruling on the prior-knowledge exclusion. The court found that the prior-knowledge exclusion must be read in conjunction with the required disclosures in policy application and that the exclusion applied only to a claim arising out of a wrongful act that the insured could reasonably foresee at the time of the application would result in a claim. The court of appeals clearly rejected OneBeacon’s arguments, holding:
The district court could not apply the literal policy language because of the extreme overbreadth of the wrongful act definition used in the exclusion: ‘any actual or alleged act, error, omission or breach of duty arising out of the rendering or the failure to render professional legal services.’ On its face this covers every single thing an attorney does or does not do, wrongful act or not. As written, then, the exclusion renders the coverage illusory and is facially absurd.”
Impact: Insurers issue claims-made policies on many different policy forms, and these policies often include endorsements that alter the terms of the core policy firm. In Welch, OneBeacon issued a policy where the prior-knowledge exclusion was so broad that it subsumed the coverage afforded by the main policy form. The insurer has control over the wording of its policy, and in this case it issued a policy with contradictory terms and then tried to enforce it in a way that made the coverage illusory. It paid a price for doing so.
Policyholders with claims-made coverages should take note of this decision. It is important to review your policy form at renewal and to focus on the key timing elements of claims-made forms – the retroactive date in the policy, the terms of the grant of the “claims-made” coverage, the reporting requirements in the policy, and the exclusions. The insured also should compare the representations it is asked to make in its application to the terms and exclusions in the policy to make sure that the coverage offered is consistent with the insured’s expectations.
Look for future posts here on the topic of claims-made policies.
Most companies have Directors & Officers Liability (“D&O) insurance. As the name of the policy suggests, these polices provide coverage for lawsuits against a company’s directors and officers for acts performed in the course of their duties. But policyholders are sometimes surprised to learn that D&O policies may provide coverage in a number of other situations.
First, some D&O basics. D&O policies generally include multiple insuring agreements, typically referred to as “Side A,” “Side B,” and “Side C” coverages. Side A coverage insures individual directors and officers against “non-indemnified losses” – that is, losses insured by these individuals that are not indemnified by the company for one reason or another, such as if the company is legally prohibited from providing indemnification or lacks the financial resources to do so. Without this coverage, the personal assets of the company’s officers and directors would be at risk, significantly disincentivizing their service.
Side B coverage, by contrast, protects the company itself, and covers the company’s losses incurred in advancing legal fees or indemnifying individual directors and officers for their losses incurred due to a claim relating to their service. Most companies offer their directors and officers such indemnification to the extent permitted by law.
Side C coverage, sometimes called “entity coverage,” is included in some D&O polices and also protects the company, providing coverage for certain types of claims against the company. For most public companies, this coverage is limited to claims based on state securities laws, but many policies issued to private companies offer much broader coverage for a variety of claims against the company arising from “wrongful acts” by the company or its directors or officers.
Each of these coverage grants provides coverage for “claims” as defined in the policy. But what is a claim? Not surprisingly, lawsuits filed against the company, officers or directors will constitute claims if they allege “wrongful acts” within the definition of the policy. Most policies, however, include other definitions of “claim,” which can include:
- A request to toll or waive the statute of limitations. Companies frequently receive such requests if a potential plaintiff is interested in resolving a dispute short of litigation, but is concerned about the statute of limitations running. A tolling agreement stops the running of the statute while the parties attempt to work out a resolution of the dispute. If your company receives such a request, your D&O policy may provide coverage.
- A subpoena or civil investigative demand (“CID”). Some, but not all, D&O policies include subpoenas or CIDs within the definition of “claim.” In addition, some courts have held that a subpoena or CID constitutes a “written demand for non-monetary relief,” which is one of the definitions of “claim” included in most policies.
- A governmental investigation of the company or one of its directors or officers. Policies that cover governmental investigations often require the investigating entity to identify an insured target in writing before coverage is triggered.
- A criminal proceeding against the company or one of its officers or directors, commenced by filing of charges.
- An arbitration, mediation or other alternative dispute resolution proceeding. Many companies require such alternative dispute resolution efforts in contracts with counterparties, either in lieu of, or as a prerequisite to, litigation.
As with any form of insurance, the specifics of the coverage available to your company depend on the terms of your policy. It is essential that companies understand what does and does not constitute a “claim” under the D&O coverage so that they can be sure to satisfy their’ policy’s notice requirements and avoid the risk of losing coverage altogether through failure to give timely notice.
Many an unhappy modern tale arises when a cyber-predator suggests to his victim that they transition their dealings from the virtual world to a meeting “IRL” – “in real life.” But the perils that arise when the internet meets the “real world” are not limited to vulnerable individuals: advances in technology, coupled with the ingenuity of malefactors, create the real risk that acts taking place wholly within cyberspace can have substantial impacts “in real life” – in the outside world – that go well beyond the loss of data or computer functionality. The best-known example is the STUXNET virus, which seized control of Iran’s nuclear centrifuges and caused them, in effect, to commit mechanical suicide. Nearly as well-publicized was the 2014 cyber-attack on a German steel mill, which prevented a blast furnace from properly shutting down, reportedly causing massive damage. Any commercial entity who relies on internet-connected systems to control the operation of physical assets (such as manufacturing companies or utilities), and any entity that manufactures or distributes internet-connected products, is potentially at risk.
The risks go beyond the threat of damage to one’s own property: malicious computer activity could cause damage to third-party property or, worse yet, bodily injury or death. Many readers will recall the 2015 event (staged by “white hat” hackers) showing that a motor vehicle could be remotely disabled while traveling on a highway. It is not hard to imagine that similar vulnerabilities could provide an entrée for hackers to precipitate catastrophic accidents. Imagine what would happen, for example, if hackers remotely caused cardiac pacemakers to speed up patients’ heart rates to dangerous levels (this was the mechanism used, fictionally, to dispatch a victim in a 2013 episode of the TV show “Elementary”). As the “internet of things” becomes more prevalent, the risk grows commensurately. And the consequences of even minor disruptions (for example, the remote manipulation of an Internet-connected refrigerator that causes food spoilage) can be substantial when aggregated across thousands of products (through class action lawsuits or otherwise).
Faced with these sorts of losses, businesses and individuals would justifiably look to their insurance for coverage. After all, what is insurance for if it is not to protect against unexpected risks of damage or injury? Unfortunately, but not surprisingly, insurance coverage for these risks – both first-party property insurance to cover loss to one’s own property, and third-party liability insurance to cover one’s legal obligations to others – remains unclear.
For example, when faced with a third-party claim seeking to impose liability for bodily injury or property damage, most policyholders would turn to their commercial general liability (CGL) insurance, the backbone of most corporate insurance programs. But the standard-form CGL policy was (as of 2004) rewritten to exclude “[d]amages arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.” (Some – but not all – CGL policies incorporate a subsequent refinement restoring coverage for bodily injury.) See generally Insurance Services Office, Endorsement CG 21 06 05 14 & Endorsement 21 07 05 14.
The clear intent of the exclusion was to preclude coverage for more typical “cyber risks,” such as loss of data or computer functionality. Even so, some courts in other contexts have taken an unreasonably broad view of the inherently-vague phrase “arising out of,” which could lead those courts to give the exclusion a scope that it was not intended to have, an interpretation that violates policyholders’ reasonable expectations and unjustifiably narrows what is supposed to be broad coverage. Such courts, for example, could conclude that the remote hacking of an automobile’s engine that causes an accident “arose out of” the “corruption” of “electronic data.”
Coverage for first-party losses is equally uncertain. While most commercial property programs presumptively cover “all risks of physical loss or damage,” a variety of exclusions may take away with the left hand what the right hand has just given. For example, one London Market property insurance form excludes all “loss, damage, destruction, distortion, erasure, corruption or alteration of ELECTRONIC DATA from any cause whatsoever,” or loss of use, cost or expense “of whatsoever nature resulting therefrom, regardless of any other cause or event contributing concurrently or in any other sequence to the loss,” unless fire or explosion ensues.
This might then lead a policyholder to ask “won’t cyber-insurance protect me?” Even there the answer is not clear. Most currently-available cyber insurance policies exclude coverage for third-party claims alleging bodily injury or property damage, ostensibly because these risks are already covered by commercial general liability (CGL) insurance (an assumption that might be unwarranted, as noted above). Some insurers are now marketing supplemental cyber “difference in conditions” coverage intended to fill the gap, but until these questions have been addressed in court, this coverage may be an expensive and unnecessary redundancy.
In some cases, this might not be a concern: insurers depend upon new and renewal business, and so face certain practical constraints in how aggressive they can be in rejecting legitimate policyholder claims. If the loss is large enough, however, an insurer may be strongly tempted to engage in so-called “retrospective underwriting,” an exercise in “Monday morning quarterbacking” in which its claims staff pores through the policy looking for some textual excuse – any excuse – to deny coverage for a risk that the insurer and its customer both intended to be covered, but that has now turned out to be unprofitable.
What then should policyholders do? As in most cases, “forewarned is forearmed”:
- At the risk of restating the obvious, policyholders should review their risk profile, to identify potential risks before they ripen into losses.
- Policyholders should review their existing coverages to determine whether there is an acceptable margin of protection for the risks that have been identified. This exercise should focus not only on what the policy says clearly, but should also consider how an insurer might be tempted to rewrite the terms of the deal retroactively by creatively arguing that policy language narrows or precludes coverage. (This analysis should also consider which states’ laws may apply in the event of a coverage fight, since the laws of the different states and their receptiveness or hostility to policyholder claims can vary considerably. For example, Virginia is notoriously pro-insurer, while Washington is decidedly pro-policyholder.)
- Armed with the results of these analyses, policyholders may wish to consult insurance markets to obtain more peace of mind – if it can be obtained at a reasonable price and on reasonable terms. In some cases, policyholders with sufficient market power may be able to negotiate endorsements confirming or restoring the coverage that they intend to have. In other cases, policyholders may be able to obtain this protection using additional “off the shelf” insurance products, albeit at extra cost.
In each of these endeavors, the assistance of experts – brokers, coverage counsel, cyber-risk analysts, and the like – may be useful or even necessary.
In short, cyber risks “in real life” are indeed real, and existing insurance products may offer incomplete (or even illusory) protection, but some advance thought and effort may mitigate those risks substantially.
 At the risk of a discursion into nuances of insurance coverage, a broad construction of the inherently-ambiguous phrase “arising out of” is appropriate when it appears in a policy term granting or extending coverage, because ambiguities should be construed against the insurer (as a professional risk-taker who wrote the language at issue) and in favor of the policyholder (who was presented with boilerplate language as a fait accompli, and who is relying on the insurance at a time, after the loss has taken place, when it cannot obtain substitute coverage at any price). Such a broad construction is inappropriate, however, when the phrase appears in an exclusion, since exclusions must be construed narrowly to effectuate an insurance policy’s dominant purpose (providing coverage for unexpected loss or damage).