It has been reported that thirty-one percent of organizations have experienced cyber-attacks. Moreover, cybercrime costs continue to accelerate with organizations spending nearly twenty-three percent more in 2017 than in 2016. On a corporate level, the average cost per breach is now at $11.7 million. While these statistics instill fear in some, they create opportunity for others. Insurers recognized an opportunity early on, and cyber insurance products quickly came to the rescue. Many of these cyber insurance policies, by design, covered very little. But they sell like hotcakes.
Corporate policyholders are more educated now than they were in the early cyber insurance days, but insurers still sell deficient cyber insurance products, and routinely deny cyber insurance claims that should be paid.
Please join Mark E. Miller, founding partner of Miller Friel, PLLC, as he addresses these and other concerns in his recent PLI
Coverage under current cyber insurance policies;
How cyber insurance policies can be improved through negotiation;
Common bases for denials of cyber insurance claims; and
Best practices for handling corporate cyber insurance claims.
For additional information, please see Cyber Insurance – What Educated Policyholders Need to Know Now Presentation Materials.
New York has taken a two-prong approach to dealing with sexual abuse claims. First, the state legislature enacted the NY Child Victims Act. Second, New York publicly called out insurers telling them that providing Insurance Coverage for Child Victims Act Claims should be one of their highest priorities. See Insurers Should Prepare to Promptly Handle Wave of Child Sex Abuse Claims.
The state Department of Financial Services, in a guidance, told insurers they should be prepared to promptly approve coverage for those claims, when applicable, or face state action.
Based on our experience, many insurers are not treating policyholders fairly, and they are not promptly handling these kinds of claims. This was the subject of a recent PLI CLE Seminar where we addressed in detail some of the insurance implications we are seeing for Child Victims Act Claims. For additional information, please see PLI Seminar Course Materials.
What is the Child Victims Act?
Influenced by horrific, widely publicized incidents of sexual abuse, such as the ongoing Catholic Church scandal, and Larry Nassar’s widespread abuse of gymnasts, many states are revisiting how sexual abuse claims are handled in court. New York’s recently enacted Child Victims Act is a prime example.
The Child Victims Act revives claims for childhood sexual abuse or molestation that might otherwise be barred by statutes of limitation. Among other things, the Act creates a one-year window for claimants to file claims against their alleged abusers. That window for claims recently opened on August 14, 2019 and closes on August 14, 2020. Virtually any organization that works with children may be subject to liability.
In New York, a considerable number of Child Victims Act lawsuits were filed when the window opened for claims on August 14, 2019.
By 5:00 a.m. on the first day that lawsuits could be filed, roughly 200 lawsuits were filed;
On the first day, over 400 lawsuits were filed;
In the first two days, over 500 lawsuits were filed.
Plaintiffs’ lawyers contend that what we have seen to date is only a small portion of the lawsuits they intend to file.
New York is just one of many jurisdictions passing similar Child Victims Act laws. Child USA reports that the vast majority of states have either passed or introduced laws extending the statute of limitations for child victims.
Insurance Coverage for Sexual Abuse Claims
Insurance coverage for sexual abuse claims is part of the solution. See Securing Insurance Coverage for Child Victims Act Claims. Although insurance typically covers revived sexual abuse claims under the NY Child Victims Act and similar laws, insurance carriers don’t always see it this way. See Archdiocese of N.Y. v. Ins. Co. of N. Am., (N.Y. Sup. Ct. July 1, 2019); Rockefeller Univ. v. Aetna Cas. & Sur., (N.Y. Sup. Ct. Aug. 6, 2019).
Where plaintiffs seek financial compensation, insurance is always part of the solution. But, as we have seen with many of our clients facing sexual abuse or harassment claims, many insurance carriers are circling the wagons to protect their own financial interests, rather than protecting their policyholders. Below is a list of some of the issues policyholders should consider:
1. Policies Providing Coverage
Two types of policies most commonly provide coverage: (1) Directors and Officers/ Employment Practices (D&O/EPLI) Policies and (2) General Liability (GL) Policies.
General Liability policies are the first kind of policy most policyholders think of when considering coverage. These “occurrence-based” policies cover allegations of bodily injury taking place during the policy period. Accordingly, numerous policies may be triggered by a claim and respond to a loss.
D&O/EPLI policies, by contrast, are just as important. Many D&O or management liability policies expressly cover sexual harassment. See Village of Piermont v. Am. Alt. Ins. Corp., 151 F. Supp. 3d 438, 441 (S.D.N.Y. 2015) (sexual assault covered under D&O policy). Allegations against institutions for actions of their employees often fall squarely within D&O/EPLI coverage. Unlike GL Policies, however, the triggered policy is the one in place when the claim is made, as opposed to the ones in place when the alleged bodily injury occurred.
2. Providing Notice
Providing notice for these kinds of claims can be one of the most complicated and important things that a policyholder does. Some of the issues with notice include:
Does providing notice under one policy preclude coverage under another?
How do prior claims and prior notice provisions impact notice?
What exactly does each policy require for notice?
What is the legal consequence of providing improper notice?
Should the policyholder request authority to incur defense costs?
Should the policyholder seek consent to hire defense counsel?
Where must notice be sent, and how?
What does the law say about notice provided in a manner different from what is provided for under the policy?
What additional requests must be included with notice, and how do those requests vary from policy to policy?
Under which policies should notice be provided?
How important is it to search for additional policy information, and how should that search be conducted?
Providing notice properly requires time, thought, and legal analysis. In practice, many policyholders delegate this process to insurance brokers. Given the complexity of the issues, astute policyholders may want coverage counsel involvement at this stage of a claim.
3. Responding to Insurer Information Requests
Once notice is provided, policyholders should expect an onslaught of requests for information.
Managing insurance companies’ requests for information is no easy task, but two important ground rules need to be considered. First, insurance companies will request information that is designed to create defenses to coverage. Ironically, the same information requested by the insurers may harm the policyholders’ defense of the underlying claims. Second, information requests are inapplicable to defense of a claim. Defense obligations are typically controlled by what is known as the eight-corners rule. An insurer is permitted to review the four corners of the underlying complaint, and compare the allegations therein to the four corners of the policy. Based on this limited information, the insurer is required to either provide a defense (pay for defense counsel) or disclaim coverage.
Accordingly, policyholders should demand that the insurance carrier provide a coverage determination before engaging in requests for information designed to harm both coverage and defense of the claim.
4. Alleged Coverage Defenses to Sexual Abuse Claims
Insurers routinely raise a number of different reasons for not paying sexual abuse or harassment claims. An analysis of these so-called defenses, addressed from the perspective of a leading insurance company, is found in Munich Re’s 2010 study “Coverage and Liability Issues in Sexual Misconduct Claims.”
Three prominent insurance company arguments to defeat coverage include (1) sexual abuse exclusions, (2) no “occurrence”, and (3) policy not triggered.
Sexual Abuse Exclusions
Sexual abuse exclusions are not standard form, and do not appear uniformly in all policies by year. They may be found in some policies starting in the 1990s, but even then, they oftentimes come and go for an individual policyholder. More favorable versions expressly provide for a defense. Like all exclusions, they are construed narrowly and any ambiguities are construed in favor of coverage.
Just because a sexual abuse exclusion is present does not mean that coverage is precluded. The default rule is that the exclusion is severable, meaning that it may apply to an individual who is alleged to have perpetrated the abuse, but it does not apply to the organization that hired that individual. Moreover, allegations of negligence, false imprisonment, etc., should not trigger the exclusion. See Village of Piermont v. Am. Alt. Ins. Corp., 151 F. Supp. 3d 438, 451 (S.D.N.Y. 2015) (exclusion invalid as to false imprisonment claims).
Finally, and most obviously, policies that do not contain exclusions provide coverage. For example, there may be sexual abuse exclusions in policies starting in the late 1990s and thereafter, but that does not impact coverage for allegations of bodily injury taking place prior to that time. Similarly, a current D&O policy may contain such an exclusion, but the EPLI or Employment Practices Liability coverage section found in that same policy likely would not contain such an exclusion, because EPLI policies are designed to cover and do cover sexual harassment claims.
Occurrence — Neither Expected nor Intended from the Standpoint of the Policyholder
In a typical GL policy, “occurrence” may be defined as “an accident, including continuous or repeated exposure to substantially the same general harmful conditions. . . . which is neither expected nor intended from the standpoint of the insured.” Although the definition varies over time, it raises two important issues with respect to sexual abuse or harassment claims. The first is the number of occurrences. The second is coverage for expected or intentional versus negligent conduct.
Determining the number of occurrences can be a touchstone issue in these kinds of cases. Multiple occurrences means multiple policies are triggered (giving rise to increased limits), but it can also trigger multiple deductibles. Unfortunately, legal tests seldom provide a bright line answer. For example, New York applies the “unfortunate event” test. Roman Catholic Diocese of Brooklyn v. Nat’l Union Fire Ins. Co. of Pittsburgh, Pa., 991 N.E.2d 666, 672 (N.Y. 2013). The unfortunate event test requires consideration of “whether there is a close temporal and spatial relationship between the incidents giving rise to injury or loss, and whether the incidents can be viewed as part of the same causal continuum, without intervening agents or factors.” Id. Unfortunately, the test does not lend itself to one absolute and indisputable outcome in the context of a school that is sued for the negligent hiring of a perpetrator who allegedly abused multiple victims.
The “neither expected nor intended” part of the “occurrence” definition clearly favors policyholders. Here, many insurance carriers paint with a broad brush, claiming that everything is intentional, and thus, not covered. These arguments, at most, apply only to perpetrators. The neither expected nor intended argument does not apply to organizations facing negligence-based claims.
When I was a young insurance coverage lawyer in the early 1990s, many coverage lawyers immersed themselves in the intricacies of trigger law. Now, virtually everyone who can read an insurance policy agrees that all GL policies in place during the time of bodily injury are triggered. Long gone are creative insurance company arguments attempting to limit the triggering of GL policies to one and only one policy period. That fight is over and the insurers came out on the wrong end of history.
Now, there are two accepted variations of the rule that all policies in place during the time of bodily injury are triggered: the All Sums approach, and the Pro Rata approach.
Under the All Sums approach, the policyholder can collect its total liability under any one triggered policy, up to policy limits. Matter of Viking Pump, Inc., 27 N.Y.3d 244, 255-56 (N.Y. 2016); Keyspan Gas E. Corp. v. Munich Reins. Am., Inc., 31 N.Y.3d 51, 58 (N.Y. 2018). Conversely, under the Pro Rata approach, each insurance carrier is allocated a “pro rata” share of the total loss covered under the various policies for the portion of the loss occurring during its policy period. Keyspan Gas, 31 N.Y.3d at 58. New York has not adopted a strict “all sums” or “pro rata” allocation rule. Viking Pump, 27 N.Y.3d at 257; Keyspan Gas, 31 N.Y.3d at 58.
5. Settling Insurance Claims — Best Practices
We have found that settlement of insurance claims for sexual abuse and harassment should be conducted in two phases: first defense, and second indemnity.
Before settlement with an underlying claimant can be addressed, policyholders need to secure coverage for defense of the claims asserted against them. The first step here is to create a coverage chart (time on the X axis, and dollars on the Y axis) indicating the policies available for various years of alleged injury. Then, create an overlay of when the allegations in the complaint took place to understand which policies are triggered.
From a legal standpoint, any triggered GL carrier is obligated to provide a defense for the entire action. Although one might think that this concept is a powerful thing, which it is, it does not always facilitate settlement because insurers are often more concerned about how much the other carriers will pay than how much they will pay themselves. Getting things going requires a proactive approach, getting all of the insurers in one room, and hammering out a defense funding agreement.
Once a defense funding agreement has been reached, insurers should be approached for contribution, or indemnification for settlement with the underlying claimants. If the insurance carriers refuse to cooperate, litigation may be the best option. We have been repeatedly told by mediators that early mediation with insurers does not work unless a complaint has been filed. In our experience, litigation is the best way to get an insurance carrier to move.
The volume of child abuse cases filed is challenging the courts and discussions appear to be underway to structure an Alternate Dispute Resolution (ADR) process. Insurers will participate in that ADR process, but policyholders need to be prepared with respect to legal issues raised by the insurers, and they should not be afraid to use litigation against their insurance carriers as a tool to promote justice.
Finally, the law relating to settlement of claims with or without insurance carrier consent is difficult to navigate. The general rule is that a policyholder should not settle a case without consent from the insurer. There are exceptions to this rule, such as when an insurer has denied coverage for the claim. And, there are proven ways to obtain consent if a carrier is recalcitrant. If insurance coverage is important, a claim should not be settled without first contacting coverage counsel.
We recently obtained a favorable court ruling on behalf of our client, Tecumseh Products Company LLC, on an insurance coverage issue that has vexed corporate policyholders for decades — whether primary insurance policies contain aggregate limits for long-tail environmental insurance claims. See Bedivere Insurance Co., et al. v. Tecumseh Products Company LLC, et al., (Michigan State Court, 2019) (decision).
1. The Aggregate Limits Issue for Environmental Claims
Tecumseh’s situation was not atypical. For years, even before litigation started in 2017, Tecumseh’s primary insurers and excess insurers conceded that their policies were at risk, but refused to pay a single dollar because of disagreement regarding whether or not the primary policies contained aggregate limits. If the primary policies did not contain aggregate limits, those policies are on the hook to pay their full per occurrence limits for each occurrence, meaning that there are multiple limits (rather than one limit) for each former manufacturing site. However, if those same primary policies contain aggregate limits, then payouts would be reduced dramatically, and in some situations could be zero because of prior payments on other claims.
2. The Primary/Excess Carrier Dilemma
Unsurprisingly, the primary insurance policy carriers have argued for years that their policies contain aggregate limits, and that they were already exhausted, or nearly exhausted from the payment of prior claims; whereas the excess insurers have taken the opposite view that the underlying policies do not contain aggregates, are not exhausted, and thus their policies have not yet been triggered. It’s been a classic case of the chicken and egg, with each set of insurers pointing the finger at the other, refusing to pay because of this aggregate stalemate, and both sets of insurers content to see their insured fronting the full costs of investigating and remediating the underlying environmental sites, as well as fully covering the cost of litigation by third party landowners and government agencies.
3. The Insurers’ Best Argument — Ignore Policy Language, We Know Better
In its litigation against its historical general liability insurers related to policies going back to the 1950s and involving a number of former manufacturing sites in Michigan and Wisconsin, Tecumseh purchased primary liability policies from Travelers Indemnity Company, Maryland Casualty Company (now part of Zurich) and Michigan Mutual Insurance Company (now part of Amerisure), as well as excess liability policies from Continental Insurance Company, London Market Companies, and other excess insurers. The primary policies were clear on their face that there were no aggregate limits, so that the full per occurrence limit was available for each individual site. These policies stated that aggregate limits equal to the per occurrence limits of each policy would apply if and only if the policies were “rated” (i.e., the calculation of premiums) based on remuneration (i.e., payroll data for certain periods of time). However, the policies did not even mention remuneration, let alone provide detailed payroll data for Tecumseh employees. Rather, the policies contained detailed annual sales information for Tecumseh, which the underwriters for the primary policies used to rate or adjust the premiums then due and owing.
4. As It Should — Policy Language Controls
Despite the clear language in these policies, the primary insurers, as they have done in just about every other long-tail pollution or asbestos case over the past four decades, argued that the court should disregard the clear language of the policies and instead should consider and rely upon evidence outside of the four corners of the policies, such as an underwriters manual, testimony by a former Travelers executive paid by Travelers to provide so-called “fact testimony,” and vague and generalized notions of “underwriting industry practices” in the 1950s-1970s. The Michigan trial court correctly rejected these arguments, holding that “[b]ased on the express terms of Primary Policies, no aggregate limits apply to property damage coverage in this case, [because] none of the policies contain any language indicating that the underwriters used or were authorized to use remuneration figures in the premium calculation.” The court added the following: “The Primary Policies in this matter contain plain and unambiguous language governing resolution of this motion as a matter of law. The Court further finds that it would construe any ambiguous language, if there were any, in favor of Tecumseh.”
The court’s decision in Bedivere Insurance Co., et al. v. Tecumseh Products Company LLC, et al., (Michigan State Court, 2019) is important for corporate policyholders facing long-tail liability claims. These include any claim where more than one occurrence policy has been implicated, including pollution, asbestos, silicosis, opioid, sexual abuse, and any other kind of claim where bodily injury or property damage has been alleged to have occurred over multiple policy periods.
This decision should become one of the seminal pro-corporate policyholder rulings on the aggregate limits issue, and we strongly encourage companies facing long-tail property damage and bodily injury claims to contact us if they have any questions.
Schools, religious organizations, and similar institutions (think childcare providers, summer camps, and any other businesses or nonprofits that provide services to children historically) now have less than a month to brace against an oncoming flood of claims under New York’s Child Victims Act. Although insurance typically covers revived claims under the NY Child Victims Act and similar laws, policyholders need a comprehensive approach to securing coverage. This post identifies some of the key issues that policyholders should consider to secure coverage.
The Child Victims Act revives claims for childhood sexual abuse or molestation that might otherwise be barred by statutes of limitation. N.Y. C.P.L.R. 214-g (McKinney 2019). Specifically, the Act creates a one-year window for claimants to file claims against their alleged abusers. Id. The statute went into effect on February 14, 2019 and created a mandatory six-month waiting period in which claimants may not file (presumably, to give defendants time to prepare their defense). Id. That six-month moratorium lifts on Wednesday, August 14, 2019—or in a little less than a month. See id. Claimants will then have a full year to file any such revived claims, or until August 14, 2020. See id.
The clock is thus ticking and time is almost up. To this end, here is a brief list of suggested steps to help prepare for the coming wave of claims:
1. Search for, Locate, and Compile Relevant Insurance Policies
Most schools and similar organizations facing legacy claims have General Liability (“GL”) policies going back many years, if not decades. These GL policies provide coverage for bodily injury taking place within the policy period. These policies can provide two tremendous benefits to organizations facing claims under the Child Victims Act: defense coverage and indemnity coverage. GL policies typically have a “duty to defend,” requiring the insurance company to defend against any potentially covered claims asserting bodily injury against the insured. Also known as “litigation coverage,” this duty to defend can provide vital coverage for insureds, as lawsuits may drag on for several years and cost thousands of dollars in
GL policies also provide indemnity coverage, meaning that if the claimant goes to trial and wins a verdict against the insured, the insurance company will have a legal obligation to pay for the judgment. Likewise, this indemnity coverage also covers settlements with claimants seeking damages for bodily injury. This is important because many cases will not go to trial.
The applicable GL policies are those in place when the alleged bodily injury occurred. Individuals filing revived claims under the Child Victims Act may now be fully grown adults alleging sexual abuse or molestation taking place many years ago, in the 1960s, 1970s, 1980s, and/or 1990s (or even earlier). These policies may have been issued long before the widespread use of computers or the existence of the Internet, so insureds may have to comb through paper files and other hardcopy sources. Even if the actual policies themselves have been lost, insureds should search for letters, certificates of insurance, or other documents that refer to legacy GL policies. Using secondary sources such as these, insureds may be able to prove that they had coverage, even if the actual policies have been lost.
2. Review Additional Types of Coverage
Depending on the institution, other kinds of entities facing revived claims under the Act may also have Directors & Officers (“D&O”), Employment Practices (“EPL”) and/or Errors & Omissions (“E&O”) policies. D&O policies cover claims made during the policy period against a company’s directors and officers, typically for a “Wrongful Act.” Private company D&O policies also provide entity coverage for the alleged “wrongful acts” of the business itself. EPL coverage may also be implicated for claims alleging wrongful retention, and EPL coverage for institutions is typically quite broad. By contrast, E&O insurance — also known as Professional Liability insurance — covers claims for professional errors and omissions. For institutions specializing in education, these additional kinds of policies may also provide coverage.
3. Provide Notice
After finding their legacy policies (or secondary evidence thereof), insureds should provide notice to their insurance companies. Many insurance policies contain a Notice of Claim or similar provision requiring the insured to provide written notice of any “claim” (often defined to include both an actual lawsuit and a written demand for monetary damages) “as soon as practicable.” In addition, some policies also require notice of an “occurrence” likely to give rise to a later claim. Although the law with respect to notice is often complex, and depending on applicable law, late notice may not be problematic, the best practice is for policyholders to provide notice under applicable insurance policies.
Schools, religious organizations, and other institutions providing services to children may have already received letters or emails from claimants alleging sexual abuse or molestation. These communications may qualify as “claims” within the meaning of their policies, so insureds should report them to their insurers as well as any actual lawsuits filed on or after August 14. If the claimants provide details of their alleged abuse (including the years in which it occurred), insureds can also anticipate which policies will likely be impacted.
4. Anticipate Likely Insurer Defenses
Depending on the size of the exposure, the insurers will likely try to find ways to limit and/or deny coverage. For GL policies, insurers may argue that there has not been an “occurrence,” meaning an accident, because the alleged conduct was intentional. This so-called defense has no merit for institutions, as no institution intends to harm children, and claims against institutions are almost always negligence-based (such as failure to take action, failure to warn, negligent supervision, etc.).
Some GL policies may also have exclusions for sexual abuse or molestation, but these exclusions were developed and used only in recent years. The key issue here is for policyholders to find and pursue coverage under older policies which do not contain any such exclusion. Alternatively, even if a policy contains an exclusion, depending on the specific language, it may not apply.
Depending on the policy period, the insurer(s) may also try and disclaim coverage by claiming that another insurer is on the hook for the claimant’s alleged injuries. This is more of a delay tactic than a basis for denial, but it can be frustrating to policyholders when an insurer is bound to defend and indemnify, and the only thing holding it back is its idea that some other insurer should share in
To this end, it’s helpful to understand how allocation works regarding coverage for so-called “long-tail” claims taking place over several policy periods. Courts tend to apply one of two approaches to determine how to apportion liability across multiple policy periods: the “all sums” approach and proration. Keyspan Gas E. Corp. v. Munich Reins. Am., Inc., 31 N.Y.3d 51, 58 (N.Y. 2018). The “all sums” approach allows the insured to collect its total liability under any policy in effect during the periods of the alleged harm or injury, up to the policy limits. Id.
The “all sums” allocation approach is akin to “joint and several liability” and thus places the burden on the selected insurer to seek contribution from the insurers that issued the other policies. In re Viking Pump, Inc., 27 N.Y.3d 244, 255 (N.Y. 2016).
By contrast, under pro rata allocation, each insurer’s liability is limited to the sums incurred by the insured during the policy period, meaning that each insurance policy is allocated a “pro rata” share of the total loss for the portion of the loss occurring during its policy period. Keyspan Gas, 31 N.Y.3d at 58. In other words, pro rata shares are often calculated based on each insurer’s “time on the risk”—a fractional amount corresponding to the duration of the coverage provided by each insurer in relation to the total loss. Id. New York has not adopted a strict all sums or pro rata allocation rule. Instead, the particular language of the relevant insurance policy will govern the method of allocation. Id.; Viking Pump, 27 N.Y.3d at 257. For example, the Court of Appeals of New York has held that “all sums” allocation is appropriate for policies containing non-cumulation and prior insurance provisions. Viking Pump, 27 N.Y.3d at 264.
Regardless of the defenses that the insurers raise, insureds should review their coverage response(s) carefully and refuse to simply take “no” for an answer. With these kinds of claims, coverage denials are common, but rarely valid. Hiring a coverage attorney is oftentimes the only way policyholders can achieve justice.
In closing, a storm is coming on August 14. Businesses and nonprofits are likely to face revived claims under New York’s Child Victims Act. Insurance carriers have been preparing for some time to limit liability at the expense of their policyholders, and most have a game plan to do so. Although insurance implications can be multifaceted, policyholders should not be dissuaded from pursuing coverage. If done correctly, coverage can be secured. Policyholders must act now to batten down their insurance hatches and line up coverage.
Over the years, we have seen some crazy defenses raised by insurers attempting to limit their exposure for corporate insurance claims. Most are laughable when raised, but that does not stop insurers from pushing them.
Several examples illustrate this point. In the 1990s, the insurers came up with the idea that general liability policies do not cover injunctive relief such as environmental cleanup orders. Why? Because, according to the law of England, in place long before anyone on this planet was born, there was a difference between courts at law and courts at equity. No matter how crazy this idea now sounds, insurance companies litigated this issue for decades. Later, with the proliferation of claims-made coverages (the norm for D&O and E&O policies), insurers came up with an even crazier idea – that long since established “duty to defend” standards did not apply anymore. Why? Because the insurers claimed that their duty to pay for defense of a lawsuit was fundamentally different from their duty to defend and pay for an underlying lawsuit. As crazy as this sounds, insurers have been pushing this idea, and more litigation to address this issue is likely to follow.
We raise these examples to illustrate a fundamental observation about high-end insurance company lawyers. They are always thinking up new ways to deny coverage. They push the envelope by continually offering their clients (insurance companies) potential solutions to minimize loss.
We also raise these examples to illustrate how many in the insurance business respond to these crazy defenses. Rather than go on common sense, we see a lot of folks, lawyers included, giving credit to these crazy defenses, rather than calling them out for what they are – complete nonsense.
Recently, we came across a shocking new defense. We call this one the “it’s not over defense.” This defense comes up in the all-too-common scenario where a corporate policyholder is subjected to a series of pending claims. Let’s say there are twenty lawsuits for which coverage is sought. One of those lawsuits is going to trial, and the judge is pushing for settlement. The parties go to mediation and reach what they think is an acceptable resolution. But when the insurer is asked to contribute, the insurer says, “We can’t, because we don’t know what our overall exposure is, given that 19 lawsuits remain.”
Please watch the video to learn more, or Contact us if you have any questions.
Below is a transcript of today’s video:
The Craziest Insurance Defense Ever
The craziest insurance defense ever. Now I think about … we see all kinds of insurance defenses, these are defenses insurance companies throw up to paying corporate insurance claims. Some of them are just laughable, others are “wow I can’t believe somebody was able to think that one up”. But the bottom line is you’ve got a bunch of lawyers sitting around in their office trying to make points with the insurance companies, trying to find new ways to deny claims. It’s an industry. A lot of money is being paid by these insurance companies to have these lawyers think up new ways to not pay claims.
The craziest insurance defense ever and we’ve seen it come up repeatedly in recent claims and that defense is, “well we can’t settle that claim because you’ve still got other claims out there”. Look if you’re a corporation and sometimes these claims, they come in waves, somebody sues you for a TCPA violation and then 20 different people sue you. So, you have 20 different claims. Somebody sues you for a securities claim and then you have four different securities claims in different jurisdictions, all of these with the plaintiff’s lawyers competing on who’s going to be the big dog and get the most money.
So, they come in waves. It’s seldom that you see one claim and that one claim is the only claim you have. But let’s think about what the insurance company’s saying. They’re saying, “Well you have five claims, you can’t settle these three because you still have two left.” Now it’s not in the insurance policy. There’s no defense for that. It’s not anywhere else that we can see, but it’s something they’re asserting. And the basis for asserting it is, well we just don’t want to do it because we’re afraid that these other claims might cost more money and we want to do a deal with you to pay you less than policy limits. So, it’s not really a defense. It’s more a posturing for settlement.
But the problem is what we’re seeing nowadays is insurance companies are going to mediations and they’re saying, “We’re not paying anything, till we know what the universe of the claims is.” And that’s simply wrong and that’s simply something that’s inconsistent with the policy language. The insurance company has a duty to defend and they also have a duty to settle. They can’t sit back and say, “We’re doing nothing.” And if they do, they’re in a position of bad faith.
Miller Friel attorney Bernard Bell recently presented a continuing legal education program entitled Insurance Coverage Basics for the In-House Attorney. This course is designed to help in-house attorneys deal with risk management and insurance coverage issues.
Whether confronting unexpected losses, learning of a dispute, receiving a subpoena, investigative demand or service of a complaint, insurance often comes into the picture. This course describes the difference between first-party and third-party insurance, explains basic features of each type of insurance, covers basic insurance policy components and terms, identifies specialty insurance that should be considered, and offers practice pointers for in-house counsel, including steps you can take to preserve possible coverage.
We have received numerous requests from businesses seeking to understand insurance coverage for phishing scams. Many of these businesses have become the victim of phishing attacks and are pursuing claims for coverage.
Scam I: Phishing
Computer email scams are increasing at an alarming rate. The FBI reports that companies have been swindled out of billions of dollars due to email scams over the past few years. To counteract this, the FBI recently issued public service warnings to businesses about criminals using bogus email accounts to pose as CEOs to trick financial controllers into wiring funds to the fraudsters’ bank accounts. See FBI’s Public Service Announcements, www.fbi.gov. Last year, Equifax, one of the three major credit reporting agencies in the US, announced a data breach affecting 143 million customers, based on hackers accessing Social Security numbers, birthdates, addresses, and driver’s license numbers.
Most companies have experienced these types of scams first-hand. The reason for this is that phishing scams have become more and more sophisticated over time. We all know to look out for that email from a Nigerian prince asking us to hold $10 million for him. We also know not to respond to a bank asking us to “click here” to verify user names and passcodes. With organizations, the scams have become much more sophisticated. Cyber criminals hack into an organization’s internal computer system so that they can send what look like bona fide emails from a CEO or CFO requesting the payment of invoices to a “new” bank, which coincidentally is located in China. Employees who get one of these emails from their management naturally respond asking for confirmation. Those emails are then intercepted by the cyber-criminal, and the cyber-criminal responds saying that all is ok.
Scam II: Insurance Company Response
Insurance companies are responding to these scams by offering specialized policies, for additional premiums of course, specifically addressing these risks or adding coverage to their standard Fidelity/Crime or Cyber Liability policies, typically under the moniker of “Deception Fraud” or “Social Engineering” insuring agreements. As with most things in the world of insurance, the devil is in the details, but some of the insurance coverage bought specifically to cover phishing scams is worthless.
Here’s how many insurance companies are deceiving their corporate policyholders. “Deception Fraud” and “Social Engineering Fraud” are so broadly defined in the policies that they cover nearly every possible computer scam. For example, in the currently available Private Choice Premier Policy, Crime Coverage Part offered by The Hartford Insurance Company, “Deception Fraud” is defined as “the intentional misleading of a person to induce the Insured to part with Money or Securities by someone, other than an identified Employee, pretending to be an Employee, owner of the Insured, . . . a Vendor, a Customer, a Custodian, or a Messenger.” Incredibly broad, which is exactly what companies want to protect them against risks, right? Not so fast. This coverage may come with a very small sub-limit of $50,000-$100,000, whereas other coverages under these same policies may have limits of between $1-$5 million.
What’s even worse (and here comes the true deception) is the fact that insurers often take the position that losses falling under “Deception Fraud” or “Social Engineering Fraud” cannot also be covered under other higher-limit insuring agreements, such as “Computer Fraud” or “Funds Transfer Fraud” (which are typical coverages in Fidelity/Crime policies). Insurers argue that, despite higher limits under other coverage grants, the loss nonetheless must be recognized as a “Deception Fraud” or “Social Engineering Loss” only, subject to a small limit of insurance. In other words, heads insurers win, tails policyholders lose. Given this widely adopted position of insurers, policyholders were better off rejecting these new highly promoted enhancements to coverage and relying upon coverage they previously had.
Insurance Coverage for Phishing
There’s nothing more disappointing and frustrating than to spend thousands, if not hundreds of thousands, of dollars buying insurance policies to protect against the risk of fraud, only to have an insurance company argue that it sold a nearly worthless policy. Corporate policyholders should review their current and prospective policies to spot this and other clever limitations, and demand appropriate changes. If a company has already become a victim of phishing, however, it is not too late to challenge an insurance company regarding this kind of position, which creates an unnecessary and unwarranted gap in coverage, and to retain coverage counsel to assess all options.
The starting point for any organization seeking to understand cyber insurance claims and coverage is to understand potential cyber-related losses. It is only through this analysis that corporate policyholders can understand what cyber insurance should cover. For illustration purposes, we examined four prominent cyber-related incidents and the fallout associated with each incident.
1. Cyber-Related Losses
In 2013 and 2014, roughly 1 billion Yahoo user accounts were breached. This resulted in a series of governmental investigations and numerous lawsuits alleging, among other things, gross negligence and breach of various data protection laws. Yahoo was also forced to renegotiate its sale to Verizon at a $350 million loss.
In 2013, 40 million debit and credit card numbers were stolen at various Target stores across the country. This resulted in a plethora of consumer lawsuits, bank lawsuits, state AG claims, and a series of credit card company claims seeking reimbursement for losses they suffered as a result of Target’s breach. Target faced roughly $240 million in reported losses for fraudulent charges, with overall expenses exceeding $290 million. Target also suffered massive financial losses in the 4th quarter of 2013.
In 2015, Anthem suffered a customer database breach impacting 69 to 80 million customers. This resulted in more than 50 class action lawsuits, a series of state AG claims and a number of prominent governmental investigations. Reported losses were in the billions of dollars. A significant portion of Anthem’s loss was the cost of notifications to customers as required by law.
In 2011, cyber criminals targeted Sony’s PlayStation network, resulting in the loss of personal and credit card information. 102 million people were impacted, and the gaming system was temporarily interrupted. This resulted in the filing of roughly 65 class action lawsuits, with reported losses of $171 million.
2. What Cyber Insurance Should Cover
This sampling of incidents illustrates, in a very basic way, some of the main areas that cyber insurance should cover. These include:
Coverage for the costs of defending and settling governmental investigations, including the recovery of regulatory fines and penalties imposed;
Class action and consumer lawsuit defense and settlement coverage;
Coverage for credit card reimbursements;
Coverage for notification expenditures;
Coverage for remediation costs and forensic investigations;
Coverage for losses caused by the interruption of business, lost business, and related financial losses.
3. How Insurance Carriers Have Responded to Cyber Claims
The insurance industry’s response to each of these kinds of losses is, for the most part, to vigorously fight against coverage. The number of cases working their way through the courts on cyber insurance denials is astounding, as are the reasons for denials.
For example, with governmental investigations, insurers routinely contend that no coverage is afforded unless the policyholder has been sued. Then, even if the policyholder is sued by the government, insurers argue that damages associated with governmental settlements are not covered because of alleged policyholder wrongdoing. Similarly, for credit card reimbursement exposures, insurers argue that contractual liability exclusions preclude coverage, even though case law holds to the contrary. And, for business related losses, insurers routinely contend that no coverage is provided because insurers did not anticipate covering these kinds of losses. In many instances, insurers are taking these positions, irrespective of case law finding coverage, and irrespective of policy language affording coverage.
There is a solution, but it requires a thorough understanding of case law, policy language, and the law pertaining to how insurance provisions are construed.
A good insurance broker is critical to securing the best possible cyber insurance coverage. Insurance brokers have an understanding of what insurers are selling. This is valuable, because there are no standards for cyber coverage. Different insurers approach the same problem from different angles. Insurance brokers, however, typically do not opine on what the policies cover, as this is a legal function, and brokers do not practice law.
For this reason, sophisticated corporations often seek an independent legal review of their cyber-insurance programs.
Seeing opportunity, law firms have also jumped into this hot new area, with newly minted cyber-experts available to review corporate insurance policies. These lawyers can talk circles around most anyone when it comes to cyber-buzz words, but, when it comes to insurance coverage, they have little judgment or experience, and their counsel, quite frankly, is not that helpful. Others have a great deal of experience, but their experience comes from representing insurance companies.
There are many insurance company lawyers who represent insurers but also sell their “cyber-review” services to policyholders. Their marketing materials claim that no one knows better than they do what the policies cover, as they drafted them in the first instance. Ethically, these firms see no legal conflicts in doing this, as long as things don’t get too contentious. Even if they are correct on the conflicts issue, insurance company lawyers have the wrong mindset for this kind of work. Insurance company lawyers are trained from day one not to see coverage. They place emphasis on irrelevant things, like what insurers like to do, rather than policy language, which is the determining factor for coverage.
In today’s blog post, Mark Miller addresses another issue pertaining to the role of insurance broker claims advocates, namely a misperception that some brokers have about the best way to maximize insurance claim value. Here, Mark addresses a recent visit with a prominent insurance broker seeking referrals from Miller Friel. During that visit, the brokers proudly touted marketing materials about everything they had to offer. One of the ways this broker thought they were creating value was by preventing lawyers from providing advice regarding the scope of insurance coverage. This prompted us to think about some of the most successful insurance recoveries we have had for corporate clients and how best to use insurance brokers in the process.
Does a Divided Approach Make Sense?
On one hand, what the broker is saying makes some sense. This broker was really touting its ability to help policyholders settle claims as insurance broker claims advocates. Helping policyholders settle insurance claims is an important function of brokers. Brokers know the right people at the insurance companies, and in many instances, they help settle claims. It only makes sense to leverage contacts.
On the other hand, what this broker is saying is completely foolish. Brokers know a lot of things. They know what insurance companies have paid on claims in the past. Brokers know how insurance companies handle claims. And, oftentimes, brokers know what insurance companies might be willing to pay. But, all of this has nothing to do with what is covered under the insurance policies. Insurance policy coverage is purely a legal issue that has nothing to do with insurance company custom and practice, or what an insurance company is happy to pay to settle a claim. Insurance coverage is controlled by the law, and despite what insurance brokers do, most don’t practice law all that well.
The Role of Insurance Broker Claims Advocates and Lawyers
So, what is an insurance broker claims advocate and what is their role? Lawyers use the word advocate quite seriously, recognizing their obligation to zealously advocate. Insurance brokers use the word more as a marketing phrase, to illustrate that they are helpful in the process of settling claims. What insurance broker claims advocates do is more akin to a lobbyist than an advocate. Insurance broker claims advocates work with insurance companies to see if they can find common ground on a claim. They leverage their contacts to get meetings with insurers. Like a lobbyist, they provide access and contacts. They don’t, however, advocate for coverage in the way that insurance coverage lawyers are bound to do for their clients.
In working with insurance brokers to settle some of the largest insurance claims in the country, we have found that there is a better way. Brokers and lawyers are a team, not advocates against one another. Each has a different but equally important function. Lawyers determine what is covered based on the law and develop strategies to pressure the insurance carrier to pay. This may include submission of legal analysis to the insurer to help them reverse their position on coverage, or it may include other dispute resolution mechanisms. Brokers keep communications open with the insurer, and search for common ground. Together, the whole is much greater than the sum of its parts.