McGuireWoods Insurance Recovery Blog

McGuireWoods Insurance Recovery Blog

Insights for Policyholders

Best Practices, Policy Interpretation

Avoiding the Minefields of Claims-Made Insurance Coverage

This is the first in a series of posts relating to what we will call the “minefields” of claims made insurance coverage.  Fifty years ago, most insurers issued liability insurance policies on “occurrence” policy forms.  As insurers expanded their coverage offerings for professional and executive risks in the 1960s and 1970s, they began to use “claims-made” policy forms.  Today, while most commercial general liability or “CGL” policies are issued on occurrence forms, claims-made policies dominate the marketplace for professional liability, D&O, fiduciary and other specialty coverages.

Claims-made policies differ from occurrence-based policies primarily in the method of triggering or activating coverage under the policy.  These policies create unique challenges for policyholders both in connection with the reporting of claims as well as with the purchase of a policy with the appropriate terms, conditions and exclusions for the risks that the insured faces.

To understand claims-made coverage, it is important to start with a comparison of occurrence policy forms with claims-made forms.  Occurrence-based CGL policy forms insure bodily injury or property damage that takes place during the policy period regardless when the claim is made against the insured.  The “trigger” of coverage is when the claimant is injured or when the property damage takes place.

The trigger of coverage analysis with an occurrence-based form is not always simple, however.  For example, in an asbestos toxic-tort case, it is frequently difficult to pinpoint the date of the occurrence because there is a latency period between the original exposure to asbestos and the manifestation of injury.  Courts have developed different rules to determine the trigger of coverage in this type of latent injury case:  (1) the “exposure” trigger, which applies the policy in effect at the time of the exposure to the harm; (2) the “manifestation” trigger, which applies the policy that was in effect at the time the injury manifested itself; (3) the “injury-in-fact” trigger, which applies the policy or policies that were in effect at any time actual injury occurred; and (4) the “continuing injury” trigger, which applies all policies in effect from the initial exposure through the manifestation of the injury.

Claims-made policies operate very differently.  A claims-made policy provides coverage if the claim is made against the insured during the policy period, regardless when the injury took place (although most policies require the injury to occur after a “retroactive date” stated in the policy).  Most claims made policies also provide that the insured must report the claim to the insurer during the policy period or during an “extended reporting period.”

There are four key differences between occurrence-based policies and claims-made policies.  First, with a claims-made policy, the threshold event is a claim against the insured during the policy period.  In contrast, occurrence-based CGL coverage looks to whether injury or damage occurred during the policy period.

Second, with a claims-made policy, it is the concept of a “wrongful act” (typically defined as an “act, error or omission”) that gives rise to coverage.  With occurrence-based CGL policies, on the other hand, it is the bodily injury or property damage that gives rise to coverage, not the wrongful act by the insured.

Third, reporting to the insurer is an affirmative element of coverage that the insured generally must prove under the terms of a claims-made policy.  The insured must notify the insurance company of the claim during a specified time period (either during the policy period or during the extended reporting period) or lose coverage.  Under occurrence-based policies, notice is not an element of coverage, but a policy condition.

Because reporting is an element of coverage, most courts interpreting claims-made policies strictly enforce notice requirements.  If the insured fails to provide notice within the required period under a claims-made policy, the insurer can refuse to cover the loss without proving that the insurer was prejudiced by the delay.  In most states, if an insured fails to provide timely notice under an occurrence-based CGL policy, the insurer must provide coverage unless the delay resulted in prejudice to the insurer.

In future posts in this series, we will discuss the key coverage issues that arise under claims-made policies, best practices in providing notice to insurers under claims-made policies, and recommendations to policyholders regarding the purchase of claims-made policies.


Policy Interpretation, Professional Liability Insurance

Fifth Circuit Narrowly Construes Prior Knowledge Exclusion in Claims-Made Policy and Affirms Bad Faith Verdict

Insurers frequently rely on “prior knowledge” exclusions in an effort to avoid coverage under claims-made liability insurance policies.  In OneBeacon Insurance Co. v. T. Wade Welch & Associates et al., the Fifth Circuit recently affirmed a $28 million judgment following a jury verdict against One Beacon Insurance Company, finding that the insurer had wrongfully declined to indemnify a law firm in a legal malpractice case based on a prior knowledge exclusion in its policy.  The court held that the prior knowledge exclusion in the policy was overly broad and that “[a]s written . . . the exclusion renders the coverage illusory and is facially absurd.”

The Policies:  OneBeacon issued a series of professional liability policies to T. Wade Welch & Associates (the “Welch Firm”) beginning in December 2006.  In the application for the first policy, Wade Welch, the principal of the firm, represented that after inquiring of each lawyer in the firm, he was not aware of “any fact or circumstance, act, error, omission or personal injury which might be expected to be the basis of a claim or suit” against the firm.”

Each of the One Beacon policies contained a prior knowledge exclusion barring coverage for

any claim arising out of a wrongful act occurring prior to the policy period if, prior to the effective date of the first Lawyers’ Professional Liability Insurance Policy issued by [OneBeacon] to [the Welch Firm] and continuously renewed and maintained in effect to the inception of this policy period … you had a reasonable basis to believe that you had committed a wrongful act, violated a disciplinary rule, or engaged in professional misconduct; [or] you could foresee a claim would be made against you.

For an additional premium, the Welch Firm purchased a retroactive date for the policy of January 4, 1995.  The retroactive date set the earliest possible date when a wrongful act or omission could occur and still be covered under the policy.

The Welch Firm renewed the 2006-2007 policy in subsequent years, making the same representations about its knowledge of potential claims.

The Malpractice Claim:  The Welch Firm represented DISH Network Corp. in a lawsuit filed against it by Russia Media Group (“RMG”).  During the course of discovery in the DISH lawsuit, the Welch Firm failed to timely serve discovery responses after the court had ordered DISH to respond.  In February 2007, RMG moved for “death penalty” sanctions for DISH’s failure to respond to the discovery.  In February 2008, the district court affirmed an order entered by the magistrate judge granting sanctions.  Specifically, the court held that DISH could not oppose RMG’s three primary claims and barred DISH from challenging RMG’s damages.

The Coverage Dispute:  Prior to Welch’s application for the renewal of the initial OneBeacon policy for a subsequent (2007-2008) year, the firm failed to respond to the discovery giving rise to the subsequent sanctions motion.  Mr. Welch was not aware of this fact and noted in the policy application that the firm was not “aware of any fact, circumstance, or situation which might reasonably be expected to give rise to a claim.”

After the entry of the death penalty order, Wade Welch learned for the first time of the discovery dispute and the sanctions motion and order.  He then notified OneBeacon of a potential malpractice claim.  OneBeacon acknowledged the claim.

In June 2008 the Welch Firm informed OneBeacon that RMG had made a demand of $105,800,000 to DISH to settle the underlying lawsuit. In December 2010, DISH requested that OneBeacon make its policy limits available for a potential settlement with RMG and in June 2011 DISH offered to settle and release the Welch Firm in exchange for OneBeacon’s policy limits.

OneBeacon responded in August 2011 and declined DISH’s settlement offer.  OneBeacon then rescinded the Welch Firm’s policy and filed suit seeking a declaration that the prior-knowledge exclusion in its exclusion barred coverage.  The Welch firm counterclaimed, and DISH intervened.  In the interim, DISH demanded arbitration against the Welch firm for malpractice.

The parties filed motions for summary judgment, including cross-motions regarding the policy’s prior-knowledge exclusion.  The Welch Firm argued that the court should enforce the prior-knowledge exclusion only if a reasonable attorney with defense counsel’s subjective knowledge at the time of application could have reasonably expected his acts, errors and omissions could lead to a malpractice claim.  The trial court agreed and rejected OneBeacon’s argument that the that the prior-knowledge exclusion should be read in isolation.  The court found ruled that it must consider the context of the policy as a whole, because to do so would render the policy’s retroactive coverage illusory.

The case proceeded to trial and based on this standard, a Houston jury found that the prior knowledge exclusion did not bar coverage, because OneBeacon had not shown that a reasonable attorney, given defense counsel’s knowledge in December 2006 − the date of the first application for coverage − could have reasonably expected his actions to result in a malpractice claim.  The jury awarded the Welch Firm $33 million, which the district judge reduced to $28 million.

On appeal, the Fifth Circuit upheld the trial court’s ruling on the prior-knowledge exclusion.  The court found that the prior-knowledge exclusion must be read in conjunction with the required disclosures in policy application and that the exclusion applied only to a claim arising out of a wrongful act that the insured could reasonably foresee at the time of the application would result in a claim.  The court of appeals clearly rejected OneBeacon’s arguments, holding:

The district court could not apply the literal policy language because of the extreme overbreadth of the wrongful act definition used in the exclusion: ‘any actual or alleged act, error, omission or breach of duty arising out of the rendering or the failure to render professional legal services.’  On its face this covers every single thing an attorney does or does not do, wrongful act or not. As written, then, the exclusion renders the coverage illusory and is facially absurd.”

Impact:  Insurers issue claims-made policies on many different policy forms, and these policies often include endorsements that alter the terms of the core policy firm.  In Welch, OneBeacon issued a policy where the prior-knowledge exclusion was so broad that it subsumed the coverage afforded by the main policy form.  The insurer has control over the wording of its policy, and in this case it issued a policy with contradictory terms and then tried to enforce it in a way that made the coverage illusory.  It paid a price for doing so.

Policyholders with claims-made coverages should take note of this decision.  It is important to review your policy form at renewal and to focus on the key timing elements of claims-made forms – the retroactive date in the policy, the terms of the grant of the “claims-made” coverage, the reporting requirements in the policy, and the exclusions.  The insured also should compare the representations it is asked to make in its application to the terms and exclusions in the policy to make sure that the coverage offered is consistent with the insured’s expectations.

Look for future posts here on the topic of claims-made policies.



D&O Insurance: Five Things Your Company’s Policy Might Cover Which Could Surprise You

Most companies have Directors & Officers Liability (“D&O) insurance.  As the name of the policy suggests, these polices provide coverage for lawsuits against a company’s directors and officers for acts performed in the course of their duties.  But policyholders are sometimes surprised to learn that D&O policies may provide coverage in a number of other situations.

First, some D&O basics.  D&O policies generally include multiple insuring agreements, typically referred to as “Side A,” “Side B,” and “Side C” coverages.  Side A coverage insures individual directors and officers against “non-indemnified losses” – that is, losses insured by these individuals that are not indemnified by the company for one reason or another, such as if the company is legally prohibited from providing indemnification or lacks the financial resources to do so.  Without this coverage, the personal assets of the company’s officers and directors would be at risk, significantly disincentivizing their service.

Side B coverage, by contrast, protects the company itself, and covers the company’s losses incurred in advancing legal fees or indemnifying individual directors and officers for their losses incurred due to a claim relating to their service.  Most companies offer their directors and officers such indemnification to the extent permitted by law.

Side C coverage, sometimes called “entity coverage,” is included in some D&O polices and also protects the company, providing coverage for certain types of claims against the company.  For most public companies, this coverage is limited to claims based on state securities laws, but many policies issued to private companies offer much broader coverage for a variety of claims against the company arising from “wrongful acts” by the company or its directors or officers.

Each of these coverage grants provides coverage for “claims” as defined in the policy.  But what is a claim?  Not surprisingly, lawsuits filed against the company, officers or directors will constitute claims if they allege “wrongful acts” within the definition of the policy.  Most policies, however, include other definitions of “claim,” which can include:

  • A request to toll or waive the statute of limitations.  Companies frequently receive such requests if a potential plaintiff is interested in resolving a dispute short of litigation, but is concerned about the statute of limitations running.  A tolling agreement stops the running of the statute while the parties attempt to work out a resolution of the dispute.  If your company receives such a request, your D&O policy may provide coverage.
  • A subpoena or civil investigative demand (“CID”).  Some, but not all, D&O policies include subpoenas or CIDs within the definition of “claim.”  In addition, some courts have held that a subpoena or CID constitutes a “written demand for non-monetary relief,” which is one of the definitions of “claim” included in most policies.
  • A governmental investigation of the company or one of its directors or officers.  Policies that cover governmental investigations often require the investigating entity to identify an insured target in writing before coverage is triggered.
  • A criminal proceeding against the company or one of its officers or directors, commenced by filing of charges.
  • An arbitration, mediation or other alternative dispute resolution proceeding.  Many companies require such alternative dispute resolution efforts in contracts with counterparties, either in lieu of, or as a prerequisite to, litigation.

As with any form of insurance, the specifics of the coverage available to your company depend on the terms of your policy.  It is essential that companies understand what does and does not constitute a “claim” under the D&O coverage so that they can be sure to satisfy their’ policy’s notice requirements and avoid the risk of losing coverage altogether through failure to give timely notice.


Best Practices, Cyber Insurance, General Liability, Policy Interpretation, Property Insurance

Cyber Risk “IRL”: Insurance Issues Arising from Cyber-Related Property Damage and Bodily Injury Claims

Many an unhappy modern tale arises when a cyber-predator suggests to his victim that they transition their dealings from the virtual world to a meeting “IRL” – “in real life.” But the perils that arise when the internet meets the “real world” are not limited to vulnerable individuals:  advances in technology, coupled with the ingenuity of malefactors, create the real risk that acts taking place wholly within cyberspace can have substantial impacts “in real life” – in the outside world – that go well beyond the loss of data or computer functionality.  The best-known example is the STUXNET virus, which seized control of Iran’s nuclear centrifuges and caused them, in effect, to commit mechanical suicide.  Nearly as well-publicized was the 2014 cyber-attack on a German steel mill, which prevented a blast furnace from properly shutting down, reportedly causing massive damage.  Any commercial entity who relies on internet-connected systems to control the operation of physical assets (such as manufacturing companies or utilities), and any entity that manufactures or distributes internet-connected products, is potentially at risk.

The risks go beyond the threat of damage to one’s own property: malicious computer activity could cause damage to third-party property or, worse yet, bodily injury or death. Many readers will recall the 2015 event (staged by “white hat” hackers) showing that a motor vehicle could be remotely disabled while traveling on a highway.  It is not hard to imagine that similar vulnerabilities could provide an entrée for hackers to precipitate catastrophic accidents.  Imagine what would happen, for example, if hackers remotely caused cardiac pacemakers to speed up patients’ heart rates to dangerous levels (this was the mechanism used, fictionally, to dispatch a victim in a 2013 episode of the TV show “Elementary”).  As the “internet of things” becomes more prevalent, the risk grows commensurately.  And the consequences of even minor disruptions (for example, the remote manipulation of an Internet-connected refrigerator that causes food spoilage) can be substantial when aggregated across thousands of products (through class action lawsuits or otherwise).

Faced with these sorts of losses, businesses and individuals would justifiably look to their insurance for coverage. After all, what is insurance for if it is not to protect against unexpected risks of damage or injury?  Unfortunately, but not surprisingly, insurance coverage for these risks – both first-party property insurance to cover loss to one’s own property, and third-party liability insurance to cover one’s legal obligations to others – remains unclear.

For example, when faced with a third-party claim seeking to impose liability for bodily injury or property damage, most policyholders would turn to their commercial general liability (CGL) insurance, the backbone of most corporate insurance programs. But the standard-form CGL policy was (as of 2004) rewritten to exclude “[d]amages arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.”  (Some – but not all – CGL policies incorporate a subsequent refinement restoring coverage for bodily injury.) See generally Insurance Services Office, Endorsement CG 21 06 05 14 & Endorsement 21 07 05 14.

The clear intent of the exclusion was to preclude coverage for more typical “cyber risks,” such as loss of data or computer functionality. Even so, some courts in other contexts have taken an unreasonably broad view of the inherently-vague phrase “arising out of,” which could lead those courts to give the exclusion a scope that it was not intended to have, an interpretation that violates policyholders’ reasonable expectations and unjustifiably narrows what is supposed to be broad coverage.[1]  Such courts, for example, could conclude that the remote hacking of an automobile’s engine that causes an accident “arose out of” the “corruption” of “electronic data.”

Coverage for first-party losses is equally uncertain. While most commercial property programs presumptively cover “all risks of physical loss or damage,” a variety of exclusions may take away with the left hand what the right hand has just given.  For example, one London Market property insurance form excludes all “loss, damage, destruction, distortion, erasure, corruption or alteration of ELECTRONIC DATA from any cause whatsoever,” or loss of use, cost or expense “of whatsoever nature resulting therefrom, regardless of any other cause or event contributing concurrently or in any other sequence to the loss,” unless fire or explosion ensues.

This might then lead a policyholder to ask “won’t cyber-insurance protect me?” Even there the answer is not clear. Most currently-available cyber insurance policies exclude coverage for third-party claims alleging bodily injury or property damage, ostensibly because these risks are already covered by commercial general liability (CGL) insurance (an assumption that might be unwarranted, as noted above).  Some insurers are now marketing supplemental cyber “difference in conditions” coverage intended to fill the gap, but until these questions have been addressed in court, this coverage may be an expensive and unnecessary redundancy.

In some cases, this might not be a concern: insurers depend upon new and renewal business, and so face certain practical constraints in how aggressive they can be in rejecting legitimate policyholder claims. If the loss is large enough, however, an insurer may be strongly tempted to engage in so-called “retrospective underwriting,” an exercise in “Monday morning quarterbacking” in which its claims staff pores through the policy looking for some textual excuse – any excuse – to deny coverage for a risk that the insurer and its customer both intended to be covered, but that has now turned out to be unprofitable.

What then should policyholders do? As in most cases, “forewarned is forearmed”:

  • At the risk of restating the obvious, policyholders should review their risk profile, to identify potential risks before they ripen into losses.
  • Policyholders should review their existing coverages to determine whether there is an acceptable margin of protection for the risks that have been identified. This exercise should focus not only on what the policy says clearly, but should also consider how an insurer might be tempted to rewrite the terms of the deal retroactively by creatively arguing that policy language narrows or precludes coverage. (This analysis should also consider which states’ laws may apply in the event of a coverage fight, since the laws of the different states and their receptiveness or hostility to policyholder claims can vary considerably. For example, Virginia is notoriously pro-insurer, while Washington is decidedly pro-policyholder.)
  • Armed with the results of these analyses, policyholders may wish to consult insurance markets to obtain more peace of mind – if it can be obtained at a reasonable price and on reasonable terms. In some cases, policyholders with sufficient market power may be able to negotiate endorsements confirming or restoring the coverage that they intend to have. In other cases, policyholders may be able to obtain this protection using additional “off the shelf” insurance products, albeit at extra cost.

In each of these endeavors, the assistance of experts – brokers, coverage counsel, cyber-risk analysts, and the like – may be useful or even necessary.

In short, cyber risks “in real life” are indeed real, and existing insurance products may offer incomplete (or even illusory) protection, but some advance thought and effort may mitigate those risks substantially.

[1] At the risk of a discursion into nuances of insurance coverage, a broad construction of the inherently-ambiguous phrase “arising out of” is appropriate when it appears in a policy term granting or extending coverage, because ambiguities should be construed against the insurer (as a professional risk-taker who wrote the language at issue) and in favor of the policyholder (who was presented with boilerplate language as a fait accompli, and who is relying on the insurance at a time, after the loss has taken place, when it cannot obtain substitute coverage at any price).  Such a broad construction is inappropriate, however, when the phrase appears in an exclusion, since exclusions must be construed narrowly to effectuate an insurance policy’s dominant purpose (providing coverage for unexpected loss or damage).

Best Practices

Best Practices for Getting Notice Right

All insurance policies have provisions requiring timely notification of a loss or claim to the insurance carrier. Commercial general liability policies, for example, provide that the policyholder “must see to it that we are notified as soon as practicable of an ‘occurrence’ or an offense which may result in a claim” and that “[i]f a claim is made or ‘suit’ is brought against any insured, you must  . . . [notify us as soon as practicable].”  Claims-made policies, which include most director’s & officer’s liability and professional policies, generally also require notification of a claim “as soon as practicable” but in any case within the policy period or within a specified period of time (60 days, for example) after the policy expires.

The consequences of not giving your carrier timely notice of a claim can be severe. In many cases, failure to timely notify an insurer will excuse the insurer’s obligations under the policy.  Even in jurisdictions that require insurers to provide prejudice before denying claims based on notice issues, policyholders can be forced to spend significant time and money litigating their claims, or see the settlement value of their claims diminish significantly, if the policy’s notice requirements are not met.

So, what do you need to do to get your notice right? Here are five best practices:

  1. Don’t rely on your broker. Many brokers will provide notification as a service to their clients, but it is best not to rely on a broker to give notice for you.  Many a policyholder has assumed that their broker would handle notice, only to discover later that coverage was compromised due to late, inaccurate, or incomplete notice.  Brokers can be helpful on notice issue, but it is up to the insured to get notice right, and the insured will bear the consequences if it is not.
  2. Do follow the notice requirements of the policy. First and foremost, this means your notice must be timely.  Do not wait until you have settled a lawsuit, repaired damaged property, or responded to a governmental investigation before notifying your insurance carrier.  In addition, pay attention to other notice requirements in the policy.  Send your notice to the address specified in the policy, not to your broker.  Provide any information that the policy requires be included.  Be careful, though, not to divulge attorney advice, as a policyholder’s communications with its insurance company generally will not be privileged.
  3. Don’t assume that late notice will be excused. Insurance law varies from state to state, and while many states require an insurer to demonstrate prejudice before denying a claim based on late notice or otherwise disfavor forfeiture of coverage, other states strictly enforce notice requirements.  The law of notice may also differ for claims-made coverage, where part of the insurance bargain with the carrier is that coverage exists only for “claims made and reported” within a specified period.
  4. Do consider reporting a notice of circumstances. Many claims-made policies permit an insured to provide the carrier with notice of “circumstances which may reasonably be expected to give rise to a claim,” even when a claim does not yet exist.  The advantage of proving a notice of circumstances, from the policyholder’s perspective, is that if the notice is accepted by the insurer, it will lock in coverage under the policy then in effect, leaving future policies fully available to cover future exposures.  Indeed, failing to provide notice of circumstances can lead to the claim not being covered at all under a future policy.
  5. Do consider reporting requirements to excess carriers. Excess policies present different notice considerations than primary policies.  Most excess policies do not require the carrier to defend claims, and the majority of losses will not involve excess insurance.  For this reason, notice to excess insurers must generally be given when a loss is reasonably likely to involve the excess policy.  However, excess policy notification provisions may vary significantly, with some requiring notice regardless of loss amount.  For this reason, it is essential to pay careful attention to policy language and to carefully evaluate the loss with the assistance of counsel when considering whether and when to notify an excess carrier.


Construction Insurance, General Liability, Policy Interpretation

New Jersey Supreme Court Follows National Trend, Holds That Subcontractors’ Faulty Workmanship Is Covered Under CGL Policy

On August 4, 2016, the Supreme Court of New Jersey issued a decidedly pro-policyholder ruling in Cypress Point Condominium Association, Inc. v. Adria Towers, L.L.C., holding that water damage caused by a subcontractor’s faulty workmanship was covered under the property developer’s Commercial General Liability policies.  Evanston Insurance Company and Crum & Forster Specialty Insurance Company issued the policies, which were modeled after the 1986 CGL form published by the Insurance Services Office.  The key holdings were that the subcontractor’s faulty workmanship was “property damage,” consequential water damage to the completed non-defective portions of the work was an “accident” or “occurrence,” and the damage fell within the “subcontractor exception” to the “your work” exclusion.

In Cypress Point, a condominium association sued its developer for damages arising from water damage both to individual units and to common areas of the condominium complex, which arose from faulty work performed by one of the developer’s subcontractors.  The association also brought a declaratory judgment claim against the developer’s insurers seeking coverage.

The trial court granted summary judgment for the insurers on the declaratory judgment action, ruling that the water damage did not constitute “property damage” as defined in the policy and that there had been no “occurrence.”  The Appellate Division reversed and found coverage, holding that “unintended and unexpected consequential damages to the common areas and residential units caused by the subcontractors’ defective work constitute ‘property damage’ and an ‘occurrence’ under the CGL policies.”  The insurers then appealed to the Supreme Court of New Jersey.

The New Jersey Supreme Court had not previously decided whether negligent work by a subcontractor could give rise to coverage under the 1986 ISO CGL form.  The court had previously held that the older, 1973 CGL form would not confer such coverage. See Weedo v. Stone-E-Brick, Inc., 81 N.J. 233 (1979).  The Cypress Point court distinguished Weedo because it dealt with a breach of contract claim in which the policyholder sought damage for the cost of replacing sub-standard materials the contractor installed, whereas Cypress Point involved a claim for negligence and a demand for consequential damages. The court further distinguished Weedo on the basis that it did not decide whether there had been an “occurrence” under the terms of the insuring agreement because the court found a “business risk” exclusion barred coverage. The court similarly distinguished a prior Appellate Division holding in Fireman’s Insurance Co. of Newark v. National Union Fire Ins. Co., 387 N.J. Super. 434 (App. Div. 2006).

The supreme court, affirming the court of appeals, determined that post-construction consequential damages, and the resulting loss of use, were covered “property damage” as defined in the policy.  The court then found that faulty workmanship by a subcontractor constituted an “accident,” and thus an “occurrence” under the policy.  Accident was not defined, so the court construed it according to plain meaning: “the term ‘accident’ in the policies at issue encompasses unintended and unexpected harm caused by negligent conduct.”

Finally, the court examined the “your work” exclusion, which eliminates coverage for property damage to “your work,” as defined in the policy.  Significantly, in the 1986 form at issue in Cypress Point (unlike the 1976 ISO form in Weedo), the “your work” exclusion contained the “subcontractor exception,” which does not bar coverage for work performed by a subcontractor. The court found that because the “property damage” was caused by the subcontractor’s work, the “your work” exclusion did not bar coverage.

This is a favorable decision for policyholders, and follows an strong national trend, as we have previously reported here, here and here.  Insurers have typically contended that CGL policies issued to a developer or general contractor provide coverage for damages only to other property, and not the property that is the subject of the construction project.  The New Jersey court followed the Florida Supreme Court’s decision in U.S. Fire Ins. Co. v. J.S.U.B., Inc., 979 So. 2d 871, 877-78 (Fla. 2007), in which that court found coverage for the defective work of a subcontractor under the 1986 CGL form. See also, French v. Assurance Co. of America, 448 F. 3d 693, 704 (4th Cir. 2004) (applying Maryland law and finding coverage for consequential damages but not the defective work itself); Lamar Homes, Inc. v. Mid-Continent Cas. Co., 242 S.W.3d 1, 16 (Tex. 2007) (holding that claim of faulty workmanship against a homebuilder was a claim for “property damage” caused by an “occurrence” under a CGL policy).

The case is Cypress Point Condominium Ass’n, Inc. v. Adria Towers, L.L.C., A-13/14 September Term 2015, 076348.  It is available at 2016 N.J. LEXIS 847.

Construction Insurance, General Liability, Policy Interpretation

Subcontractor’s Defective Work Covered Under CGL Policy, Iowa Supreme Court Holds

Last month, in a lengthy decision over the dissent of three justices, the Iowa Supreme Court joined the ranks of state high courts to conclude that defective work performed by a subcontractor is covered under the standard Commercial General Liability (CGL) policy held by almost all general contractors today.

The case arose from the construction of an apartment complex in Des Moines in the early 2000s. After the buyer, Westlake, closed on the purchase of the complex, numerous water intrusion problems manifested in the complex resulting in extensive damage throughout the complex to otherwise undamaged property.  Westlake sued the project’s general contractor and other defendants, who in turn asserted claims against the subcontractors who worked on the project.  Ultimately, the case settled with the general contractor’s primary carrier, Arch, contributing its policy limits, but the excess carrier, National Surety Corporation (NSC), refusing to contribute any part of its $20 million in limits.  As part of the settlement, the defendants assigned their rights under the NSC excess policy to Westlake, and NSC filed a declaratory judgment action seeking to disclaim coverage.

Westlake prevailed after a three-week jury trial, obtaining a $12.5 million judgment against NSC. NSC then appealed, arguing that the trial court erred as a matter of law when it concluded that a subcontractor’s faulty work constitutes an “accident” – and thus an “occurrence” – triggering coverage under the standard CGL policy.

Noting that this was a question of first impression in Iowa, the court focused on an exception to an exclusion in the policy – the exclusion precluding coverage for completed work performed by the insured, and the exception stating that the “your work” exclusion does not apply if “the damaged work or the work out of which the damage arises was performed . . . by a subcontractor.” The court reasoned that it would be illogical for the policy to contain an exception to an exclusion granting back coverage for property damage caused by the defective work of a subcontractor if such defective work were not covered by the grant of coverage in the policy.  Accordingly, and relying on the history of the modern CGL form as well as the decisions of other state supreme courts addressing the issue, the court concluded that “defective workmanship by an insured’s subcontractor may constitute an occurrence under a modern standard-form CGL policy containing a subcontractor exception to the ‘your work’ exclusion.”

The court’s decision is a boon to general contractors who must rely on subcontractors to complete many facets of complex construction projects but who cannot, even with careful management, prevent or detect all defective subcontractor work.

Duty to Defend, Duty to Indemnify, Policy Interpretation

Fourth Circuit Affirms Denial of Coverage for Accidental Gunshot Injury

On April 14, the Fourth Circuit held that an insurer owed no defense or indemnity coverage for an underlying personal injury suit against the policyholder’s employee, a security guard who accidentally shot a friend while socializing at the business off-hours. The court concluded that the firing of the gun was not within the scope of employment and clarified the dividing line between actions performed within the scope of employment and those actions which — even if arguably work-related — are not.

The underlying facts in QBE Ins. Corp. v. Cobb, No. 15-1880, were as follows: Robert Crooks worked as a sales and service representative for Jeco, Inc., and lived in an apartment in the same building housing Jeco’s business to provide “some level of security for the business off-hours.” While entertaining friends at the apartment off-hours, Crooks was “playing around” with a gun and accidentally shot his friend, Nicholas Cobb. Crooks sought coverage for Cobb’s resulting personal injury claims from Jeco’s commercial general liability (CGL) insurer, QBE Insurance Corp., contending that the accident occurred while he was “maintaining a presence” for Jeco as a night watchman. QBE denied coverage and sought a declaratory judgment that it had no duty to defend or indemnify Crooks.

The District of South Carolina granted QBE’s motion for summary judgment, concluding that Crooks was not acting within the scope of his employment or performing duties related to Jeco’s business when he was “playing with the gun” and shot Cobb. Thus, Crooks did not qualify as an “insured” under the CGL policy.

Under South Carolina law, “[a]n act is within the scope of a servant’s employment where reasonably necessary to accomplish the purpose of his employment and in furtherance of the master’s business,” even if the act is outside the scope of the servant’s authority. However, a servant’s act that is “done to effect some independent purpose of his own and not with reference to the service in which he is employed” is not within the scope of his employment. “If a servant steps aside from the master’s business for some purpose wholly disconnected with his employment, the relation of master and servant is temporarily suspended; this is so no matter how short the time, and the master is not liable for [the servant’s] acts during such time.”

The Fourth Circuit agreed that as a matter of law Crooks had “stepped away” from his duties as night watchman when he fired the gun and “was not within the scope of his employment or in performance of a duty related to employment.” In the court’s view, “[t]o conclude otherwise would stretch the insurance policy far beyond its intended coverage,” contrary to South Carolina law that counsels against adopting a “strained or violent interpretation not contemplated by the parties.”

Additional Insured Coverage, Bad Faith, Business Interruption, Crime Insurance, Cyber Insurance, Financial Institution Bonds

8th Circuit: Financial Institution Bond Provides Coverage for Fraudulent Wire Transfers

With policyholders facing increased losses from hacking and business email compromise, insurers are fighting hard to escape their obligations under financial institution bonds, crime policies and cyber insurance policies. In a case that bolsters policyholders seeking coverage for digital fraud, the U.S. Court of Appeals for the Eighth Circuit held that a bank’s financial institution bond provided coverage for losses arising from the fraudulent transfer of $485,000 by computer hackers to a foreign bank, even though the bank’s employees were negligent in securing the bank’s computer network.

In its May 20 decision, issued in State Bank of Bellingham v. BancInsure, Inc., No. 14-3432, — F.3d —, 2016 WL 2943161 (8th Cir. May 20, 2016) , the Eighth Circuit affirmed the District Court’s conclusion that the efficient and proximate cause of the loss was the criminal activity of the third-party hackers.

The Underlying Breach and Loss

In October 2011, an employee of the State Bank of Bellingham (the “Bank”) completed a wire transfer, which required several security steps, including the entry of the names and passwords of two Bank employees and the insertion of two physical tokens. At the end of the work day, the employee left the two tokens in the computer and left the computer running. Prior to the wire transfer, a Zeus Trojan horse virus had infected the Bank’s computer system. This virus then allowed a computer hacker to access the Bank’s network and transfer funds to accounts in Poland (the “Loss”).

The Bank held a financial institution bond issued by BancInsure providing coverage for losses such as those arising from dishonesty and computer systems fraud. The Bank submitted a claim and proof of loss to BancInsure seeking coverage for the Loss. BancInsure denied coverage, relying on exclusions for (a) employee-caused losses, (b) theft of confidential information, and (c) mechanical breakdown or deterioration of a computer system.

The Litigation and the District Court Decision

The Bank filed suit seeking damages for the insurer’s breach of contract. The U.S. District Court for the District of Minnesota granted the Bank’s motion for summary judgment, holding that the “computer systems fraud was the efficient and proximate cause of [Bank’s] loss,” and “neither the employees’ violations of policies and practices … the taking of confidential passwords, nor the failure to update the computer’s antivirus software was the efficient and proximate cause of [Bank’s] loss.”

The Eighth Circuit Decision

Minnesota law applied to the interpretation of the bond, and the Eighth Circuit addressed Minnesota’s concurrent causation doctrine, which provides the standard for causation in insurance contracts. Under this doctrine,

where an excluded peril “contributed to the loss,” an insured may recover if a covered peril is … “the efficient and proximate cause” of the loss. Conversely, it follows that if an excluded peril is the efficient and proximate cause of the loss, the coverage is excluded. An “efficient and proximate cause,” in other words, is an “overriding cause.”

BancInsure first argued that the concurrent-causation doctrine does not apply to financial institution bonds, “because a financial institution bond requires the insured initially show that its loss directly and immediately resulted from dishonest, criminal, or malicious conduct.” The court rejected this argument, observing that “no Minnesota case precludes application of the concurrent-causation doctrine to financial institution bonds.”

BancInsure also asserted that the parties had “contracted around the doctrine,” because the bond’s exclusions state that they apply to losses caused either directly or indirectly by the peril listed in the exclusion. The court also rejected this argument, holding that although parties can contract around the doctrine, Minnesota law requires such language to be “clear and specific.” The court held that the simple reference to “indirect” in the bond was not sufficient to avoid the concurrent causation doctrine.

Finally, BancInsure argued that the causation issue should have been left to the jury and that the court erred in finding that the criminal acts by the third party were the efficient and proximate cause of the Loss. In rejecting BancInsure’s argument, the Eighth Circuit relied on its decision in Friedberg v. Chubb & Son, Inc., 691 F3d 948 (8th Cir. 2012), in which the court addressed the concurrent causation doctrine in connection with a first-party claim. In Friedberg the insureds’ home suffered water damage. An investigation determined that defective construction had allowed water to enter the home. The court held that “although the water intrusion played an essential role in the damage to the house, once the house was plagued with faulty construction, it was a foreseeable and natural consequence that water would enter.” The court applied the concurrent causation doctrine and held that the policy did not provide coverage.

Based on the reasoning in Friedberg, the Eighth Circuit held that “the efficient and proximate cause of the loss in this situation was the illegal transfer of the money and not the employees’ violations of policies and procedures.” Specifically, the court held that “[u]nlike the water damage in Friedberg, an illegal wire transfer is not a ‘foreseeable and natural consequence’ of the Bank employees’ failure to follow proper computer security policies, procedures, and protocols.” That is, even if the employee’s actions are found to have played an essential role in a virus attacking the Bank’s system, “the intrusion and the ensuing loss … suffered remains the criminal activity of a third party.”


The Eighth Circuit’s ruling is a noteworthy win for policyholders. As criminals find more ways to attack computer systems and initiate transfers of funds, insurers face increased exposure to these types of claims, which often result from a combination of illegal activity and imperfect network security. Financial institution bonds and commercial crime policies commonly exclude “indirect loss,” and insurers frequently argue that despite criminal activity, the “direct” cause of the loss is the negligence of the policyholder’s employees.

The Eighth Circuit’s ruling in State Bank of Bellingham v. BancInsure, Inc., provides policyholders with a strong argument that employee negligence does not bar coverage for fraudulent wire transfers. The case also supports the argument that courts should not apply a unique causation standard to financial institution bonds but should instead apply basic principles of insurance law to interpret the language of the bond.

Crime Insurance, Cyber Insurance

Arizona Court Rules That Chubb Cyber Policy Does Not Cover Credit Card Theft Losses

As cyber attacks increase at an unprecedented pace, more and more businesses are purchasing cyber insurance to protect against that risk. The insurance industry now faces an avalanche of claims, and those claims now are moving to the litigation phase. In one of the first decisions interpreting a cyber insurance policy, an Arizona federal court on May 31 allowed Federal Insurance Company (“Chubb”) to escape liability under a cyber policy for losses arising from the theft of 60,000 credit card numbers from P. F. Chang’s China Bistro, Inc. See P.F. Chang’s China Bistro, Inc. v. Fed. Ins. Co., No. CV-15-01322-PHX-SMM, 2016 WL 3055111 (D. Ariz. May 31, 2016).

The Breach and Its Consequences

In 2014, a hacker infiltrated P.F. Chang’s China Bistro’s computer system and stole 60,000 credit card numbers from its customers. The hacker posted the stolen numbers on the internet. Chubb insured Chang’s under a “CyberSecurity by Chubb Policy,” and the restaurant immediately provided notice to Chubb of the breach.

Chang’s engaged third parties to investigate the event, notify card holders and provide legal and other advice, and to help it carry out its breach notification obligations. Unfortunately, P.F. Chang’s also had to defend class action lawsuits. Chubb provided coverage for these costs, which were approximately $1.7 million.

Chubb refused to provide coverage for the remainder of P.F. Chang’s loss, however. Credit card holders are protected from fraudulent charges arising from the theft of credit cards. The banks issuing the credit cards (the issuing banks) reimburse the card holders for the losses. In addition, the issuing banks are obligated to issue new credit cards.

Issuing banks have recourse, however. The issuing banks enter into contracts with MasterCard. P.F. Chang’s (and all merchants accepting credit cards) enters into contracts with acquiring or merchant banks to process charges, and the acquiring banks enter into contracts with MasterCard. A set of rules published by MasterCard governs the relationships among the issuing banks, MasterCard and the acquiring banks, and these rules are incorporated into MasterCard’s contracts with issuing banks and acquiring banks. In the event a retailer suffers a security breach resulting in unauthorized access to account data, these rules hold the retailer’s acquiring bank liable for the fraudulent charges incurred by the issuing banks. This is accomplished through an assessment from the payment card brand. The acquiring bank, in turn, has recourse against the retailer who experienced the breach.

Here, MasterCard issued a roughly $1.9 million assessment to the acquiring bank and processor of P.F. Chang’s credit card sales. The assessment included several components. About $1.7 million comprised fraudulent charges; about $200,000 involved notification and card replacement costs and administrative fees. Chang’s’ contract with the acquiring bank obligated the restaurant to pay the assessment. P.F. Chang’s demanded that Chubb reimburse the MasterCard assessment, and Chubb denied coverage.

The Coverage Litigation

P.F. Chang’s filed suit against Chubb. Chubb moved for summary judgment, arguing the claim fell outside the policy’s insuring agreement and that the losses were excluded. Although the court noted at the outset of the opinion that Chubb had marketed the policy as “a flexible insurance solution designed by cyber risk experts to address the full breadth of risks associated with doing business in today’s technology-dependent world” that “[c]overs direct loss, legal liability, and consequential loss resulting from cyber security breaches,” it nevertheless agreed with Chubb and granted its motion for summary judgment.

P.F. Chang’s argued the majority of the assessment by MasterCard (the fraudulent charges), for which Chang’s was contractually liable, fell within the policy’s grant of coverage for Privacy Injury, which the policy defined as an “injury sustained or allegedly sustained by a ‘Person’ because of actual or potential unauthorized access to such ‘Person’s’ ‘record’ . . . .” The court rejected the insured’s claim and held that the Privacy Injury coverage applied only when a person suffering the privacy injury made a claim against the insured, and because the acquiring bank had not suffered a privacy injury, the Privacy Injury coverage did not apply.

Relying on cases interpreting commercial general liability policies, the court also found that two contractual liability exclusions barred coverage for the entire claim. These included an exclusion for “any liability assumed by any ‘Insured’ under any contract or agreement and an exclusion for “any cost or expenses incurred to perform any obligation assumed by, on behalf of, or with the consent of any ‘insured.’” Because P.F. Chang’s had agreed to reimburse the acquiring bank for the assessments, the court concluded the exclusions applied.

In reaching this decision, the court rejected P.F. Chang’s argument that the exclusion should not apply because Chang’s would have been liable to the acquiring bank even in the absence of the indemnification agreement. The court also found unavailing the restaurant’s argument that its payment to the acquiring bank was the “functional equivalent” of compensating the victims of Privacy Injury, because P.F. Chang’s failed to offer evidence that it would have been liable for the MasterCard assessment absent the agreement with the bank.

The court finally rejected Chang’s argument that coverage existed under the reasonable expectations doctrine. Although P.F. Chang’s presented evidence that Chubb represented that its policy afforded coverage for direct loss, legal liability and consequential loss resulting from cyber security breaches, the court concluded that this evidence was insufficient to establish that Chang’s had a reasonable expectation of coverage for the payments it made to its bank.


P.F. Chang’s purchased an insurance policy to protect itself from liability arising from a breach of its computer systems, but in this case, the cyber insurance policy provided only a partial recovery for the insured. Contrary to basic principles of insurance law, the court narrowly construed the insuring agreement and broadly construed the exclusions to find that no coverage existed for the losses arising from the claim by the acquiring bank against Chang’s. While it is true that the acquiring bank’s own “records” were not stolen, the fraudulent charges arose from claims by customers whose card numbers were stolen. The acquiring bank was merely a conduit to pass along those losses. Therefore, the court should have found coverage.

This case demonstrates that carriers will advertise that their policies offer broad coverage, but when faced with a claim, insurers will fight hard to limit the coverage.

The ruling also sends a clear warning to retailers. A primary risk to a retailer following a cyber breach is an assessment from Visa or MasterCard passed on to it by an acquiring bank, and this court found that losses arising from these assessments are not covered losses, at least under this Chubb policy.

It is important for policyholders to evaluate the purchase of a cyber insurance policy carefully, and if you have purchased a cyber policy, you should consider carefully the coverage that is available under that policy. Property and general liability policies are standardized, but the market for cyber insurance is dynamic, and cyber policies vary significantly. One cyber policy may cover a loss and another may not.

Risk managers and business owners should consult with coverage counsel as they evaluate the purchase of a cyber policy. McGuireWoods can assist, and for more information, please see our Legal Alert, A Buyer’s Guide to Cyber Insurance.

We use cookies to enhance your experience of our website. By continuing to use this website, you agree to the use of these cookies. For more information and to learn how you can change your cookie settings, please see our policy.