McGuireWoods Insurance Recovery Blog

McGuireWoods Insurance Recovery Blog

Insights for Policyholders

Uncategorized

D&O Insurance: Five Things Your Company’s Policy Might Cover Which Could Surprise You

Most companies have Directors & Officers Liability (“D&O) insurance.  As the name of the policy suggests, these polices provide coverage for lawsuits against a company’s directors and officers for acts performed in the course of their duties.  But policyholders are sometimes surprised to learn that D&O policies may provide coverage in a number of other situations.

First, some D&O basics.  D&O policies generally include multiple insuring agreements, typically referred to as “Side A,” “Side B,” and “Side C” coverages.  Side A coverage insures individual directors and officers against “non-indemnified losses” – that is, losses insured by these individuals that are not indemnified by the company for one reason or another, such as if the company is legally prohibited from providing indemnification or lacks the financial resources to do so.  Without this coverage, the personal assets of the company’s officers and directors would be at risk, significantly disincentivizing their service.

Side B coverage, by contrast, protects the company itself, and covers the company’s losses incurred in advancing legal fees or indemnifying individual directors and officers for their losses incurred due to a claim relating to their service.  Most companies offer their directors and officers such indemnification to the extent permitted by law.

Side C coverage, sometimes called “entity coverage,” is included in some D&O polices and also protects the company, providing coverage for certain types of claims against the company.  For most public companies, this coverage is limited to claims based on state securities laws, but many policies issued to private companies offer much broader coverage for a variety of claims against the company arising from “wrongful acts” by the company or its directors or officers.

Each of these coverage grants provides coverage for “claims” as defined in the policy.  But what is a claim?  Not surprisingly, lawsuits filed against the company, officers or directors will constitute claims if they allege “wrongful acts” within the definition of the policy.  Most policies, however, include other definitions of “claim,” which can include:

  • A request to toll or waive the statute of limitations.  Companies frequently receive such requests if a potential plaintiff is interested in resolving a dispute short of litigation, but is concerned about the statute of limitations running.  A tolling agreement stops the running of the statute while the parties attempt to work out a resolution of the dispute.  If your company receives such a request, your D&O policy may provide coverage.
  • A subpoena or civil investigative demand (“CID”).  Some, but not all, D&O policies include subpoenas or CIDs within the definition of “claim.”  In addition, some courts have held that a subpoena or CID constitutes a “written demand for non-monetary relief,” which is one of the definitions of “claim” included in most policies.
  • A governmental investigation of the company or one of its directors or officers.  Policies that cover governmental investigations often require the investigating entity to identify an insured target in writing before coverage is triggered.
  • A criminal proceeding against the company or one of its officers or directors, commenced by filing of charges.
  • An arbitration, mediation or other alternative dispute resolution proceeding.  Many companies require such alternative dispute resolution efforts in contracts with counterparties, either in lieu of, or as a prerequisite to, litigation.

As with any form of insurance, the specifics of the coverage available to your company depend on the terms of your policy.  It is essential that companies understand what does and does not constitute a “claim” under the D&O coverage so that they can be sure to satisfy their’ policy’s notice requirements and avoid the risk of losing coverage altogether through failure to give timely notice.

 

Best Practices, Cyber Insurance, General Liability, Policy Interpretation, Property Insurance

Cyber Risk “IRL”: Insurance Issues Arising from Cyber-Related Property Damage and Bodily Injury Claims

Many an unhappy modern tale arises when a cyber-predator suggests to his victim that they transition their dealings from the virtual world to a meeting “IRL” – “in real life.” But the perils that arise when the internet meets the “real world” are not limited to vulnerable individuals:  advances in technology, coupled with the ingenuity of malefactors, create the real risk that acts taking place wholly within cyberspace can have substantial impacts “in real life” – in the outside world – that go well beyond the loss of data or computer functionality.  The best-known example is the STUXNET virus, which seized control of Iran’s nuclear centrifuges and caused them, in effect, to commit mechanical suicide.  Nearly as well-publicized was the 2014 cyber-attack on a German steel mill, which prevented a blast furnace from properly shutting down, reportedly causing massive damage.  Any commercial entity who relies on internet-connected systems to control the operation of physical assets (such as manufacturing companies or utilities), and any entity that manufactures or distributes internet-connected products, is potentially at risk.

The risks go beyond the threat of damage to one’s own property: malicious computer activity could cause damage to third-party property or, worse yet, bodily injury or death. Many readers will recall the 2015 event (staged by “white hat” hackers) showing that a motor vehicle could be remotely disabled while traveling on a highway.  It is not hard to imagine that similar vulnerabilities could provide an entrée for hackers to precipitate catastrophic accidents.  Imagine what would happen, for example, if hackers remotely caused cardiac pacemakers to speed up patients’ heart rates to dangerous levels (this was the mechanism used, fictionally, to dispatch a victim in a 2013 episode of the TV show “Elementary”).  As the “internet of things” becomes more prevalent, the risk grows commensurately.  And the consequences of even minor disruptions (for example, the remote manipulation of an Internet-connected refrigerator that causes food spoilage) can be substantial when aggregated across thousands of products (through class action lawsuits or otherwise).

Faced with these sorts of losses, businesses and individuals would justifiably look to their insurance for coverage. After all, what is insurance for if it is not to protect against unexpected risks of damage or injury?  Unfortunately, but not surprisingly, insurance coverage for these risks – both first-party property insurance to cover loss to one’s own property, and third-party liability insurance to cover one’s legal obligations to others – remains unclear.

For example, when faced with a third-party claim seeking to impose liability for bodily injury or property damage, most policyholders would turn to their commercial general liability (CGL) insurance, the backbone of most corporate insurance programs. But the standard-form CGL policy was (as of 2004) rewritten to exclude “[d]amages arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.”  (Some – but not all – CGL policies incorporate a subsequent refinement restoring coverage for bodily injury.) See generally Insurance Services Office, Endorsement CG 21 06 05 14 & Endorsement 21 07 05 14.

The clear intent of the exclusion was to preclude coverage for more typical “cyber risks,” such as loss of data or computer functionality. Even so, some courts in other contexts have taken an unreasonably broad view of the inherently-vague phrase “arising out of,” which could lead those courts to give the exclusion a scope that it was not intended to have, an interpretation that violates policyholders’ reasonable expectations and unjustifiably narrows what is supposed to be broad coverage.[1]  Such courts, for example, could conclude that the remote hacking of an automobile’s engine that causes an accident “arose out of” the “corruption” of “electronic data.”

Coverage for first-party losses is equally uncertain. While most commercial property programs presumptively cover “all risks of physical loss or damage,” a variety of exclusions may take away with the left hand what the right hand has just given.  For example, one London Market property insurance form excludes all “loss, damage, destruction, distortion, erasure, corruption or alteration of ELECTRONIC DATA from any cause whatsoever,” or loss of use, cost or expense “of whatsoever nature resulting therefrom, regardless of any other cause or event contributing concurrently or in any other sequence to the loss,” unless fire or explosion ensues.

This might then lead a policyholder to ask “won’t cyber-insurance protect me?” Even there the answer is not clear. Most currently-available cyber insurance policies exclude coverage for third-party claims alleging bodily injury or property damage, ostensibly because these risks are already covered by commercial general liability (CGL) insurance (an assumption that might be unwarranted, as noted above).  Some insurers are now marketing supplemental cyber “difference in conditions” coverage intended to fill the gap, but until these questions have been addressed in court, this coverage may be an expensive and unnecessary redundancy.

In some cases, this might not be a concern: insurers depend upon new and renewal business, and so face certain practical constraints in how aggressive they can be in rejecting legitimate policyholder claims. If the loss is large enough, however, an insurer may be strongly tempted to engage in so-called “retrospective underwriting,” an exercise in “Monday morning quarterbacking” in which its claims staff pores through the policy looking for some textual excuse – any excuse – to deny coverage for a risk that the insurer and its customer both intended to be covered, but that has now turned out to be unprofitable.

What then should policyholders do? As in most cases, “forewarned is forearmed”:

  • At the risk of restating the obvious, policyholders should review their risk profile, to identify potential risks before they ripen into losses.
  • Policyholders should review their existing coverages to determine whether there is an acceptable margin of protection for the risks that have been identified. This exercise should focus not only on what the policy says clearly, but should also consider how an insurer might be tempted to rewrite the terms of the deal retroactively by creatively arguing that policy language narrows or precludes coverage. (This analysis should also consider which states’ laws may apply in the event of a coverage fight, since the laws of the different states and their receptiveness or hostility to policyholder claims can vary considerably. For example, Virginia is notoriously pro-insurer, while Washington is decidedly pro-policyholder.)
  • Armed with the results of these analyses, policyholders may wish to consult insurance markets to obtain more peace of mind – if it can be obtained at a reasonable price and on reasonable terms. In some cases, policyholders with sufficient market power may be able to negotiate endorsements confirming or restoring the coverage that they intend to have. In other cases, policyholders may be able to obtain this protection using additional “off the shelf” insurance products, albeit at extra cost.

In each of these endeavors, the assistance of experts – brokers, coverage counsel, cyber-risk analysts, and the like – may be useful or even necessary.

In short, cyber risks “in real life” are indeed real, and existing insurance products may offer incomplete (or even illusory) protection, but some advance thought and effort may mitigate those risks substantially.

[1] At the risk of a discursion into nuances of insurance coverage, a broad construction of the inherently-ambiguous phrase “arising out of” is appropriate when it appears in a policy term granting or extending coverage, because ambiguities should be construed against the insurer (as a professional risk-taker who wrote the language at issue) and in favor of the policyholder (who was presented with boilerplate language as a fait accompli, and who is relying on the insurance at a time, after the loss has taken place, when it cannot obtain substitute coverage at any price).  Such a broad construction is inappropriate, however, when the phrase appears in an exclusion, since exclusions must be construed narrowly to effectuate an insurance policy’s dominant purpose (providing coverage for unexpected loss or damage).

Best Practices

Best Practices for Getting Notice Right

All insurance policies have provisions requiring timely notification of a loss or claim to the insurance carrier. Commercial general liability policies, for example, provide that the policyholder “must see to it that we are notified as soon as practicable of an ‘occurrence’ or an offense which may result in a claim” and that “[i]f a claim is made or ‘suit’ is brought against any insured, you must  . . . [notify us as soon as practicable].”  Claims-made policies, which include most director’s & officer’s liability and professional policies, generally also require notification of a claim “as soon as practicable” but in any case within the policy period or within a specified period of time (60 days, for example) after the policy expires.

The consequences of not giving your carrier timely notice of a claim can be severe. In many cases, failure to timely notify an insurer will excuse the insurer’s obligations under the policy.  Even in jurisdictions that require insurers to provide prejudice before denying claims based on notice issues, policyholders can be forced to spend significant time and money litigating their claims, or see the settlement value of their claims diminish significantly, if the policy’s notice requirements are not met.

So, what do you need to do to get your notice right? Here are five best practices:

  1. Don’t rely on your broker. Many brokers will provide notification as a service to their clients, but it is best not to rely on a broker to give notice for you.  Many a policyholder has assumed that their broker would handle notice, only to discover later that coverage was compromised due to late, inaccurate, or incomplete notice.  Brokers can be helpful on notice issue, but it is up to the insured to get notice right, and the insured will bear the consequences if it is not.
  2. Do follow the notice requirements of the policy. First and foremost, this means your notice must be timely.  Do not wait until you have settled a lawsuit, repaired damaged property, or responded to a governmental investigation before notifying your insurance carrier.  In addition, pay attention to other notice requirements in the policy.  Send your notice to the address specified in the policy, not to your broker.  Provide any information that the policy requires be included.  Be careful, though, not to divulge attorney advice, as a policyholder’s communications with its insurance company generally will not be privileged.
  3. Don’t assume that late notice will be excused. Insurance law varies from state to state, and while many states require an insurer to demonstrate prejudice before denying a claim based on late notice or otherwise disfavor forfeiture of coverage, other states strictly enforce notice requirements.  The law of notice may also differ for claims-made coverage, where part of the insurance bargain with the carrier is that coverage exists only for “claims made and reported” within a specified period.
  4. Do consider reporting a notice of circumstances. Many claims-made policies permit an insured to provide the carrier with notice of “circumstances which may reasonably be expected to give rise to a claim,” even when a claim does not yet exist.  The advantage of proving a notice of circumstances, from the policyholder’s perspective, is that if the notice is accepted by the insurer, it will lock in coverage under the policy then in effect, leaving future policies fully available to cover future exposures.  Indeed, failing to provide notice of circumstances can lead to the claim not being covered at all under a future policy.
  5. Do consider reporting requirements to excess carriers. Excess policies present different notice considerations than primary policies.  Most excess policies do not require the carrier to defend claims, and the majority of losses will not involve excess insurance.  For this reason, notice to excess insurers must generally be given when a loss is reasonably likely to involve the excess policy.  However, excess policy notification provisions may vary significantly, with some requiring notice regardless of loss amount.  For this reason, it is essential to pay careful attention to policy language and to carefully evaluate the loss with the assistance of counsel when considering whether and when to notify an excess carrier.

 

Construction Insurance, General Liability, Policy Interpretation

New Jersey Supreme Court Follows National Trend, Holds That Subcontractors’ Faulty Workmanship Is Covered Under CGL Policy

On August 4, 2016, the Supreme Court of New Jersey issued a decidedly pro-policyholder ruling in Cypress Point Condominium Association, Inc. v. Adria Towers, L.L.C., holding that water damage caused by a subcontractor’s faulty workmanship was covered under the property developer’s Commercial General Liability policies.  Evanston Insurance Company and Crum & Forster Specialty Insurance Company issued the policies, which were modeled after the 1986 CGL form published by the Insurance Services Office.  The key holdings were that the subcontractor’s faulty workmanship was “property damage,” consequential water damage to the completed non-defective portions of the work was an “accident” or “occurrence,” and the damage fell within the “subcontractor exception” to the “your work” exclusion.

In Cypress Point, a condominium association sued its developer for damages arising from water damage both to individual units and to common areas of the condominium complex, which arose from faulty work performed by one of the developer’s subcontractors.  The association also brought a declaratory judgment claim against the developer’s insurers seeking coverage.

The trial court granted summary judgment for the insurers on the declaratory judgment action, ruling that the water damage did not constitute “property damage” as defined in the policy and that there had been no “occurrence.”  The Appellate Division reversed and found coverage, holding that “unintended and unexpected consequential damages to the common areas and residential units caused by the subcontractors’ defective work constitute ‘property damage’ and an ‘occurrence’ under the CGL policies.”  The insurers then appealed to the Supreme Court of New Jersey.

The New Jersey Supreme Court had not previously decided whether negligent work by a subcontractor could give rise to coverage under the 1986 ISO CGL form.  The court had previously held that the older, 1973 CGL form would not confer such coverage. See Weedo v. Stone-E-Brick, Inc., 81 N.J. 233 (1979).  The Cypress Point court distinguished Weedo because it dealt with a breach of contract claim in which the policyholder sought damage for the cost of replacing sub-standard materials the contractor installed, whereas Cypress Point involved a claim for negligence and a demand for consequential damages. The court further distinguished Weedo on the basis that it did not decide whether there had been an “occurrence” under the terms of the insuring agreement because the court found a “business risk” exclusion barred coverage. The court similarly distinguished a prior Appellate Division holding in Fireman’s Insurance Co. of Newark v. National Union Fire Ins. Co., 387 N.J. Super. 434 (App. Div. 2006).

The supreme court, affirming the court of appeals, determined that post-construction consequential damages, and the resulting loss of use, were covered “property damage” as defined in the policy.  The court then found that faulty workmanship by a subcontractor constituted an “accident,” and thus an “occurrence” under the policy.  Accident was not defined, so the court construed it according to plain meaning: “the term ‘accident’ in the policies at issue encompasses unintended and unexpected harm caused by negligent conduct.”

Finally, the court examined the “your work” exclusion, which eliminates coverage for property damage to “your work,” as defined in the policy.  Significantly, in the 1986 form at issue in Cypress Point (unlike the 1976 ISO form in Weedo), the “your work” exclusion contained the “subcontractor exception,” which does not bar coverage for work performed by a subcontractor. The court found that because the “property damage” was caused by the subcontractor’s work, the “your work” exclusion did not bar coverage.

This is a favorable decision for policyholders, and follows an strong national trend, as we have previously reported here, here and here.  Insurers have typically contended that CGL policies issued to a developer or general contractor provide coverage for damages only to other property, and not the property that is the subject of the construction project.  The New Jersey court followed the Florida Supreme Court’s decision in U.S. Fire Ins. Co. v. J.S.U.B., Inc., 979 So. 2d 871, 877-78 (Fla. 2007), in which that court found coverage for the defective work of a subcontractor under the 1986 CGL form. See also, French v. Assurance Co. of America, 448 F. 3d 693, 704 (4th Cir. 2004) (applying Maryland law and finding coverage for consequential damages but not the defective work itself); Lamar Homes, Inc. v. Mid-Continent Cas. Co., 242 S.W.3d 1, 16 (Tex. 2007) (holding that claim of faulty workmanship against a homebuilder was a claim for “property damage” caused by an “occurrence” under a CGL policy).

The case is Cypress Point Condominium Ass’n, Inc. v. Adria Towers, L.L.C., A-13/14 September Term 2015, 076348.  It is available at 2016 N.J. LEXIS 847.

Construction Insurance, General Liability, Policy Interpretation

Subcontractor’s Defective Work Covered Under CGL Policy, Iowa Supreme Court Holds

Last month, in a lengthy decision over the dissent of three justices, the Iowa Supreme Court joined the ranks of state high courts to conclude that defective work performed by a subcontractor is covered under the standard Commercial General Liability (CGL) policy held by almost all general contractors today.

The case arose from the construction of an apartment complex in Des Moines in the early 2000s. After the buyer, Westlake, closed on the purchase of the complex, numerous water intrusion problems manifested in the complex resulting in extensive damage throughout the complex to otherwise undamaged property.  Westlake sued the project’s general contractor and other defendants, who in turn asserted claims against the subcontractors who worked on the project.  Ultimately, the case settled with the general contractor’s primary carrier, Arch, contributing its policy limits, but the excess carrier, National Surety Corporation (NSC), refusing to contribute any part of its $20 million in limits.  As part of the settlement, the defendants assigned their rights under the NSC excess policy to Westlake, and NSC filed a declaratory judgment action seeking to disclaim coverage.

Westlake prevailed after a three-week jury trial, obtaining a $12.5 million judgment against NSC. NSC then appealed, arguing that the trial court erred as a matter of law when it concluded that a subcontractor’s faulty work constitutes an “accident” – and thus an “occurrence” – triggering coverage under the standard CGL policy.

Noting that this was a question of first impression in Iowa, the court focused on an exception to an exclusion in the policy – the exclusion precluding coverage for completed work performed by the insured, and the exception stating that the “your work” exclusion does not apply if “the damaged work or the work out of which the damage arises was performed . . . by a subcontractor.” The court reasoned that it would be illogical for the policy to contain an exception to an exclusion granting back coverage for property damage caused by the defective work of a subcontractor if such defective work were not covered by the grant of coverage in the policy.  Accordingly, and relying on the history of the modern CGL form as well as the decisions of other state supreme courts addressing the issue, the court concluded that “defective workmanship by an insured’s subcontractor may constitute an occurrence under a modern standard-form CGL policy containing a subcontractor exception to the ‘your work’ exclusion.”

The court’s decision is a boon to general contractors who must rely on subcontractors to complete many facets of complex construction projects but who cannot, even with careful management, prevent or detect all defective subcontractor work.

Duty to Defend, Duty to Indemnify, Policy Interpretation

Fourth Circuit Affirms Denial of Coverage for Accidental Gunshot Injury

On April 14, the Fourth Circuit held that an insurer owed no defense or indemnity coverage for an underlying personal injury suit against the policyholder’s employee, a security guard who accidentally shot a friend while socializing at the business off-hours. The court concluded that the firing of the gun was not within the scope of employment and clarified the dividing line between actions performed within the scope of employment and those actions which — even if arguably work-related — are not.

The underlying facts in QBE Ins. Corp. v. Cobb, No. 15-1880, were as follows: Robert Crooks worked as a sales and service representative for Jeco, Inc., and lived in an apartment in the same building housing Jeco’s business to provide “some level of security for the business off-hours.” While entertaining friends at the apartment off-hours, Crooks was “playing around” with a gun and accidentally shot his friend, Nicholas Cobb. Crooks sought coverage for Cobb’s resulting personal injury claims from Jeco’s commercial general liability (CGL) insurer, QBE Insurance Corp., contending that the accident occurred while he was “maintaining a presence” for Jeco as a night watchman. QBE denied coverage and sought a declaratory judgment that it had no duty to defend or indemnify Crooks.

The District of South Carolina granted QBE’s motion for summary judgment, concluding that Crooks was not acting within the scope of his employment or performing duties related to Jeco’s business when he was “playing with the gun” and shot Cobb. Thus, Crooks did not qualify as an “insured” under the CGL policy.

Under South Carolina law, “[a]n act is within the scope of a servant’s employment where reasonably necessary to accomplish the purpose of his employment and in furtherance of the master’s business,” even if the act is outside the scope of the servant’s authority. However, a servant’s act that is “done to effect some independent purpose of his own and not with reference to the service in which he is employed” is not within the scope of his employment. “If a servant steps aside from the master’s business for some purpose wholly disconnected with his employment, the relation of master and servant is temporarily suspended; this is so no matter how short the time, and the master is not liable for [the servant’s] acts during such time.”

The Fourth Circuit agreed that as a matter of law Crooks had “stepped away” from his duties as night watchman when he fired the gun and “was not within the scope of his employment or in performance of a duty related to employment.” In the court’s view, “[t]o conclude otherwise would stretch the insurance policy far beyond its intended coverage,” contrary to South Carolina law that counsels against adopting a “strained or violent interpretation not contemplated by the parties.”

Additional Insured Coverage, Bad Faith, Business Interruption, Crime Insurance, Cyber Insurance, Financial Institution Bonds

8th Circuit: Financial Institution Bond Provides Coverage for Fraudulent Wire Transfers

With policyholders facing increased losses from hacking and business email compromise, insurers are fighting hard to escape their obligations under financial institution bonds, crime policies and cyber insurance policies. In a case that bolsters policyholders seeking coverage for digital fraud, the U.S. Court of Appeals for the Eighth Circuit held that a bank’s financial institution bond provided coverage for losses arising from the fraudulent transfer of $485,000 by computer hackers to a foreign bank, even though the bank’s employees were negligent in securing the bank’s computer network.

In its May 20 decision, issued in State Bank of Bellingham v. BancInsure, Inc., No. 14-3432, — F.3d —, 2016 WL 2943161 (8th Cir. May 20, 2016) , the Eighth Circuit affirmed the District Court’s conclusion that the efficient and proximate cause of the loss was the criminal activity of the third-party hackers.

The Underlying Breach and Loss

In October 2011, an employee of the State Bank of Bellingham (the “Bank”) completed a wire transfer, which required several security steps, including the entry of the names and passwords of two Bank employees and the insertion of two physical tokens. At the end of the work day, the employee left the two tokens in the computer and left the computer running. Prior to the wire transfer, a Zeus Trojan horse virus had infected the Bank’s computer system. This virus then allowed a computer hacker to access the Bank’s network and transfer funds to accounts in Poland (the “Loss”).

The Bank held a financial institution bond issued by BancInsure providing coverage for losses such as those arising from dishonesty and computer systems fraud. The Bank submitted a claim and proof of loss to BancInsure seeking coverage for the Loss. BancInsure denied coverage, relying on exclusions for (a) employee-caused losses, (b) theft of confidential information, and (c) mechanical breakdown or deterioration of a computer system.

The Litigation and the District Court Decision

The Bank filed suit seeking damages for the insurer’s breach of contract. The U.S. District Court for the District of Minnesota granted the Bank’s motion for summary judgment, holding that the “computer systems fraud was the efficient and proximate cause of [Bank’s] loss,” and “neither the employees’ violations of policies and practices … the taking of confidential passwords, nor the failure to update the computer’s antivirus software was the efficient and proximate cause of [Bank’s] loss.”

The Eighth Circuit Decision

Minnesota law applied to the interpretation of the bond, and the Eighth Circuit addressed Minnesota’s concurrent causation doctrine, which provides the standard for causation in insurance contracts. Under this doctrine,

where an excluded peril “contributed to the loss,” an insured may recover if a covered peril is … “the efficient and proximate cause” of the loss. Conversely, it follows that if an excluded peril is the efficient and proximate cause of the loss, the coverage is excluded. An “efficient and proximate cause,” in other words, is an “overriding cause.”

BancInsure first argued that the concurrent-causation doctrine does not apply to financial institution bonds, “because a financial institution bond requires the insured initially show that its loss directly and immediately resulted from dishonest, criminal, or malicious conduct.” The court rejected this argument, observing that “no Minnesota case precludes application of the concurrent-causation doctrine to financial institution bonds.”

BancInsure also asserted that the parties had “contracted around the doctrine,” because the bond’s exclusions state that they apply to losses caused either directly or indirectly by the peril listed in the exclusion. The court also rejected this argument, holding that although parties can contract around the doctrine, Minnesota law requires such language to be “clear and specific.” The court held that the simple reference to “indirect” in the bond was not sufficient to avoid the concurrent causation doctrine.

Finally, BancInsure argued that the causation issue should have been left to the jury and that the court erred in finding that the criminal acts by the third party were the efficient and proximate cause of the Loss. In rejecting BancInsure’s argument, the Eighth Circuit relied on its decision in Friedberg v. Chubb & Son, Inc., 691 F3d 948 (8th Cir. 2012), in which the court addressed the concurrent causation doctrine in connection with a first-party claim. In Friedberg the insureds’ home suffered water damage. An investigation determined that defective construction had allowed water to enter the home. The court held that “although the water intrusion played an essential role in the damage to the house, once the house was plagued with faulty construction, it was a foreseeable and natural consequence that water would enter.” The court applied the concurrent causation doctrine and held that the policy did not provide coverage.

Based on the reasoning in Friedberg, the Eighth Circuit held that “the efficient and proximate cause of the loss in this situation was the illegal transfer of the money and not the employees’ violations of policies and procedures.” Specifically, the court held that “[u]nlike the water damage in Friedberg, an illegal wire transfer is not a ‘foreseeable and natural consequence’ of the Bank employees’ failure to follow proper computer security policies, procedures, and protocols.” That is, even if the employee’s actions are found to have played an essential role in a virus attacking the Bank’s system, “the intrusion and the ensuing loss … suffered remains the criminal activity of a third party.”

Impact

The Eighth Circuit’s ruling is a noteworthy win for policyholders. As criminals find more ways to attack computer systems and initiate transfers of funds, insurers face increased exposure to these types of claims, which often result from a combination of illegal activity and imperfect network security. Financial institution bonds and commercial crime policies commonly exclude “indirect loss,” and insurers frequently argue that despite criminal activity, the “direct” cause of the loss is the negligence of the policyholder’s employees.

The Eighth Circuit’s ruling in State Bank of Bellingham v. BancInsure, Inc., provides policyholders with a strong argument that employee negligence does not bar coverage for fraudulent wire transfers. The case also supports the argument that courts should not apply a unique causation standard to financial institution bonds but should instead apply basic principles of insurance law to interpret the language of the bond.

Crime Insurance, Cyber Insurance

Arizona Court Rules That Chubb Cyber Policy Does Not Cover Credit Card Theft Losses

As cyber attacks increase at an unprecedented pace, more and more businesses are purchasing cyber insurance to protect against that risk. The insurance industry now faces an avalanche of claims, and those claims now are moving to the litigation phase. In one of the first decisions interpreting a cyber insurance policy, an Arizona federal court on May 31 allowed Federal Insurance Company (“Chubb”) to escape liability under a cyber policy for losses arising from the theft of 60,000 credit card numbers from P. F. Chang’s China Bistro, Inc. See P.F. Chang’s China Bistro, Inc. v. Fed. Ins. Co., No. CV-15-01322-PHX-SMM, 2016 WL 3055111 (D. Ariz. May 31, 2016).

The Breach and Its Consequences

In 2014, a hacker infiltrated P.F. Chang’s China Bistro’s computer system and stole 60,000 credit card numbers from its customers. The hacker posted the stolen numbers on the internet. Chubb insured Chang’s under a “CyberSecurity by Chubb Policy,” and the restaurant immediately provided notice to Chubb of the breach.

Chang’s engaged third parties to investigate the event, notify card holders and provide legal and other advice, and to help it carry out its breach notification obligations. Unfortunately, P.F. Chang’s also had to defend class action lawsuits. Chubb provided coverage for these costs, which were approximately $1.7 million.

Chubb refused to provide coverage for the remainder of P.F. Chang’s loss, however. Credit card holders are protected from fraudulent charges arising from the theft of credit cards. The banks issuing the credit cards (the issuing banks) reimburse the card holders for the losses. In addition, the issuing banks are obligated to issue new credit cards.

Issuing banks have recourse, however. The issuing banks enter into contracts with MasterCard. P.F. Chang’s (and all merchants accepting credit cards) enters into contracts with acquiring or merchant banks to process charges, and the acquiring banks enter into contracts with MasterCard. A set of rules published by MasterCard governs the relationships among the issuing banks, MasterCard and the acquiring banks, and these rules are incorporated into MasterCard’s contracts with issuing banks and acquiring banks. In the event a retailer suffers a security breach resulting in unauthorized access to account data, these rules hold the retailer’s acquiring bank liable for the fraudulent charges incurred by the issuing banks. This is accomplished through an assessment from the payment card brand. The acquiring bank, in turn, has recourse against the retailer who experienced the breach.

Here, MasterCard issued a roughly $1.9 million assessment to the acquiring bank and processor of P.F. Chang’s credit card sales. The assessment included several components. About $1.7 million comprised fraudulent charges; about $200,000 involved notification and card replacement costs and administrative fees. Chang’s’ contract with the acquiring bank obligated the restaurant to pay the assessment. P.F. Chang’s demanded that Chubb reimburse the MasterCard assessment, and Chubb denied coverage.

The Coverage Litigation

P.F. Chang’s filed suit against Chubb. Chubb moved for summary judgment, arguing the claim fell outside the policy’s insuring agreement and that the losses were excluded. Although the court noted at the outset of the opinion that Chubb had marketed the policy as “a flexible insurance solution designed by cyber risk experts to address the full breadth of risks associated with doing business in today’s technology-dependent world” that “[c]overs direct loss, legal liability, and consequential loss resulting from cyber security breaches,” it nevertheless agreed with Chubb and granted its motion for summary judgment.

P.F. Chang’s argued the majority of the assessment by MasterCard (the fraudulent charges), for which Chang’s was contractually liable, fell within the policy’s grant of coverage for Privacy Injury, which the policy defined as an “injury sustained or allegedly sustained by a ‘Person’ because of actual or potential unauthorized access to such ‘Person’s’ ‘record’ . . . .” The court rejected the insured’s claim and held that the Privacy Injury coverage applied only when a person suffering the privacy injury made a claim against the insured, and because the acquiring bank had not suffered a privacy injury, the Privacy Injury coverage did not apply.

Relying on cases interpreting commercial general liability policies, the court also found that two contractual liability exclusions barred coverage for the entire claim. These included an exclusion for “any liability assumed by any ‘Insured’ under any contract or agreement and an exclusion for “any cost or expenses incurred to perform any obligation assumed by, on behalf of, or with the consent of any ‘insured.’” Because P.F. Chang’s had agreed to reimburse the acquiring bank for the assessments, the court concluded the exclusions applied.

In reaching this decision, the court rejected P.F. Chang’s argument that the exclusion should not apply because Chang’s would have been liable to the acquiring bank even in the absence of the indemnification agreement. The court also found unavailing the restaurant’s argument that its payment to the acquiring bank was the “functional equivalent” of compensating the victims of Privacy Injury, because P.F. Chang’s failed to offer evidence that it would have been liable for the MasterCard assessment absent the agreement with the bank.

The court finally rejected Chang’s argument that coverage existed under the reasonable expectations doctrine. Although P.F. Chang’s presented evidence that Chubb represented that its policy afforded coverage for direct loss, legal liability and consequential loss resulting from cyber security breaches, the court concluded that this evidence was insufficient to establish that Chang’s had a reasonable expectation of coverage for the payments it made to its bank.

Impact

P.F. Chang’s purchased an insurance policy to protect itself from liability arising from a breach of its computer systems, but in this case, the cyber insurance policy provided only a partial recovery for the insured. Contrary to basic principles of insurance law, the court narrowly construed the insuring agreement and broadly construed the exclusions to find that no coverage existed for the losses arising from the claim by the acquiring bank against Chang’s. While it is true that the acquiring bank’s own “records” were not stolen, the fraudulent charges arose from claims by customers whose card numbers were stolen. The acquiring bank was merely a conduit to pass along those losses. Therefore, the court should have found coverage.

This case demonstrates that carriers will advertise that their policies offer broad coverage, but when faced with a claim, insurers will fight hard to limit the coverage.

The ruling also sends a clear warning to retailers. A primary risk to a retailer following a cyber breach is an assessment from Visa or MasterCard passed on to it by an acquiring bank, and this court found that losses arising from these assessments are not covered losses, at least under this Chubb policy.

It is important for policyholders to evaluate the purchase of a cyber insurance policy carefully, and if you have purchased a cyber policy, you should consider carefully the coverage that is available under that policy. Property and general liability policies are standardized, but the market for cyber insurance is dynamic, and cyber policies vary significantly. One cyber policy may cover a loss and another may not.

Risk managers and business owners should consult with coverage counsel as they evaluate the purchase of a cyber policy. McGuireWoods can assist, and for more information, please see our Legal Alert, A Buyer’s Guide to Cyber Insurance.

Allocation, Asbestos, Exhaustion, Long-Tail Claims, Policy Interpretation

Big Win for Policyholders in NY: “All Sums” Allocation, Vertical Exhaustion Apply

On May 3, 2016, the New York Court of Appeals issued a much-anticipated and significant decision on allocation and exhaustion issues in the context of long-tail liability insurance.  The case was styled Viking Pump, Inc. v. TIG Ins. Co., and the New York court ruled on two certified questions of New York law submitted by the Delaware Supreme Court.  The court ruled that in the context of insurance policies containing so-called “non-cumulation” clauses, an “all sums” allocation method applies to the allocation of a policyholder’s claims.  The court also ruled that a vertical, as opposed to horizontal, approach to the exhaustion of underlying policies was proper.  Both issues came out in favor of policyholders.

The case involves long-tail coverage for asbestos claims.  Liberty Mutual wrote coverage for Houdaille Industries over a number of years, consisting of both a primary layer and an umbrella policy.  There was also an extensive program of excess coverage in place, written by other carriers, totaling over $400 million.  The appellants here, Viking Pump, Inc., and Warren Pumps, LLC, bought their pump businesses from Houdaille in the 1980s.  They have both been previously adjudicated as entitled to coverage under policies issues to Houdaille.

Viking and Warren have both been subject to extensive liability for asbestos personal injury claims.  The present dispute arises between the excess insurers and Viking and Warren because the Liberty Mutual coverage is at or nearing exhaustion.

The litigation has been ongoing in Delaware state courts for some time, and those courts concluded that it was governed by New York law.  The Delaware Supreme Court determined that resolution of two important issues depended on unsettled questions of NY law and sent certified questions to the New York Court of Appeals, which that court accepted.

The first issue was how a court applying New York law should allocate an asbestos personal injury loss where the exposure spanned multiple policy years.  The insurers argued that the loss must be allocated across the policies in effect during each year of exposure on a pro rata basis, with each insurer paying its proportionate share of the loss − thus requiring the policyholder to recover from each insurer separately.  This is referred to as the “pro rata” approach.  The petitioners argued that they were entitled to recover the entire amount of each loss against any policy that was in force during the period.  This latter method is referred to as the “all sums” approach.

The New York court reiterated its adherence to traditional contract principles: that the parties are free to make their bargain, and the court will enforce it, construing the policies in such a way as to afford a fair meaning to all the language and in a manner that “leaves no provision without force and effect.”

The court distinguished its prior decision in Consolidated Edison Co. v. Allstate Ins. Co., 98 N.Y.2d 208 (2002), noting that while it had addressed the allocation issue in that case and held that a pro rata allocation should apply, that decision was specific to the contract at issue and not a general rule.  The court wrote: “[W]e did not reach our conclusion in Consolidated Edison by adopting a blanket rule, based on policy concerns, that pro rata allocation was always the appropriate method of dividing indemnity among successive insurance policies. Rather, we relied on our general principles of contract interpretation, and made clear that the contract language controls the question of allocation.”

Importantly, the Liberty Mutual policies issued to Houdaille contain non-cumulation clauses, and the various excess policies all either follow form or contain substantially similar non-cumulation clauses.  The court analyzed the effect of the non-cumulation clauses in the policies on the allocation issue, concluding that where the policy contains a non-cumulation clause, the all sums approach must be followed because the pro rata method is inconsistent with the non-cumulation clause.  The court noted that at least two states, New Jersey and Illinois, which have adopted the pro rata approach to allocation, have also expressly held that the non-cumulation clauses cannot be reconciled with the pro rata approach and are to be disregarded.

The court observed that the purpose of a non-cumulation clause is to prevent an insured from stacking limits across multiple policies, which necessarily assumes that each policy can respond for the full amount of the loss.  Since the court was determined to give effect to all the language in the policy, it was unwilling to accept the pro rata approach, which it reasoned would have rendered the non-cumulation clauses as surplusage.

On the exhaustion issue, the court considered whether the insureds are required to “horizontally exhaust” all of the first layer and umbrellas policies before accessing the excess policies, or whether a particular excess policy can be accessed by “vertically exhausting” the underlying policies for that particular year alone.  The court held that because each excess policy attaches when the underlying cover in the same policy year is exhausted, vertical exhaustion is the correct approach under the policies at issue.

The court specifically rejected the argument raised by the carriers that vertical exhaustion was prohibited by the “other insurance” clauses in the excess policies.  The carriers asserted that because the injury spanned multiple policy years, the underlying policies issued in other coverage years had to respond before the excess policies.  The court held that “other insurance clauses are not implicated in situations involving successive – as opposed to concurrent – insurance policies.”

The New York court’s decision in Viking Pump adds yet another win to the policyholder column on whether “all sums” or pro rata allocation applies.  It is a significant victory for policyholders in general, and asbestos defendants in particular.

The opinion can be found here.

McGuireWoods’ insurance recovery team represents policyholders in insurance disputes across the country. For more information on how we assist policyholders in protecting their rights and maximizing recoveries, click here.

Cyber Insurance, General Liability

Fourth Circuit Affirms Insurance Coverage for Cyber Claim Under CGL Policy

In a decision issued April 11, the Fourth Circuit added to a small but growing body of case law across the country finding coverage for cyber claims under traditional general liability insurance policies. In Travelers Indemnity Co. v. Portal Healthcare Solutions, LLC, No. 14-1944, − F. App’x − 2016 WL 1399517 (4th Cir. April 11, 2016), the court affirmed a federal district court’s ruling that Travelers Indemnity Company of America (“Travelers”) must defend its insured, Portal Healthcare Solutions, LLC (“Portal”), in a putative class-action lawsuit alleging that Portal published the plaintiffs’ private medical records on the Internet.

The underlying lawsuit against Portal was filed by plaintiffs Dara Halliday and Teresa Green in New York state court. The plaintiffs alleged that Portal had allowed their private medical records to remain on an unsecured server for several months, making them publicly available on the Internet for anyone to see. Portal was insured under two insurance policies issued by Travelers – one spanning the period from January 2012 to January 2013, and another spanning from January 2013 to January 2014. The policies covered Portal for damages caused by “electronic publication of material that … gives unreasonable publicity to a person’s private life” or the “electronic publication of material that … discloses information about a person’s private life.”

Travelers filed a lawsuit against Portal in the Eastern District of Virginia, seeking a declaration that it was not obligated to defend Portal against the underlying New York putative class-action claims. Travelers argued that the complaint failed to allege a covered publication by Portal for two reasons: First, Travelers argued that “publication” under the policy required intentional publication, rather than mere inadvertent disclosure. Second, Travelers contended that there was no “publication” because the underlying complaint did not allege that anyone, other than the plaintiffs, actually viewed the medical records online. The district court rejected these arguments, finding that exposing confidential medical records to online searching is “publication” giving “unreasonable publicity” to, or “disclos[ing]” information about, a person’s private life, and holding that Travelers was duty bound under the policies to defend Portal against the class-action complaint.

The Fourth Circuit affirmed in an unpublished, per curiam opinion. The court emphasized that the district court had correctly applied the “eight corners rule” – which looks to the terms of the policy and the allegations in the complaint – to determine whether Travelers had a duty to defend. Turning to the “publication” issue, the court noted its agreement with the district court’s conclusion that the class-action complaint “at least potentially or arguably” alleged a “publication” of private medical information by Portal that constituted conduct covered under the applicable policies and affirmed the district court’s ruling that Travelers was required to defend Portal against the New York class-action complaint.

Some may argue that the decision in Portal is “too little, too late.” It can arguably be seen as “too little,” in that there remains a divergence in the case law that encourages strategic insurer claim denial (particularly in jurisdictions that lack a robust policyholder remedy for insurer bad faith). For example, insurers continue to rely on the ill-reasoned trial court decision in Zurich American Insurance Company v. Sony Corp. of America, where the New York trial court held that there was no coverage unless the “publication” was made by the policyholder, rather than hackers. The fact that the decision is unreported further limits its potential precedential impact. The decision may also arguably be seen as “too late,” in that the insurance industry has promulgated endorsements that are intended to minimize or eliminate the potential for cyber-breach coverage under general liability policies.

Nevertheless, the Fourth Circuit’s decision in Portal is noteworthy for at least two reasons. First, the court’s broad reading of the policy term “publication” will benefit policyholders seeking coverage for data breach claims involving inadvertent disclosure of information. Second, the decision underscores the importance of considering the possibility of coverage for cyber events under traditional policies – such as commercial general liability, directors and officers, and errors and omissions policies – despite efforts by the insurance industry to exclude cyber claims from traditional policies and force insureds to purchase dedicated cyber coverage.