One thing is for certain: cyberattacks have become the norm, not the exception. Not even the NSA is capable of completely warding off security breaches. Major banking and retail institutions, as well as the government, are not surprisingly the most likely targets because of the amount of sensitive and private data they control. Still, other companies outside these sectors must heed the warnings and not become the next cyber victim. Protecting against cyber vulnerability is not merely a domestic issue. Rather, multinational companies are prime targets, and are currently undergoing institutional changes to navigate the EU General Data Protection Regulation (GDPR) that goes into effect May 2018.
It’s that time of the year when Americans gather together, enjoy a feast, and fall asleep in front of the TV. But before the tryptophan kicks in, we also like to give thanks for the good things that have happened in the past year. Corporate policyholders can share in the tradition, as this year has produced a number of court decisions that favored insureds and protected their coverage expectations. Here are a few of the cases we are most thankful for:
This case out of the South Carolina Supreme Court gave generously to policyholders in a number of ways this year (giving us the opportunity to post in this blog again and again and again). The case involved defective construction claims against a developer. The developer’s insurer, Harleysville, provided a defense under a vague reservation of rights letter. After the underlying plaintiffs were awarded verdicts against the developer, Harleysville sued to avoid covering the judgments. The court ruled against Harleysville on four issues:
- Harleysville’s vague, general reservation of rights letter did not effectively reserve its rights to contest coverage under the terms and exclusions in the policy;
- Where the underlying verdicts did not apportion the damages between covered and uncovered losses, the insurer bore the burden of proving amounts allocable to uncovered losses. Where the insurer failed to meet that burden, it had to cover the entire verdict;
- Punitive damages awarded in the verdicts were found to be covered under Harleysville’s policy; and
- The owners’ association, which was asserting the dissolved developer’s coverage rights in the case, had standing to challenge the insurer’s reservation of rights letter.
Harleysville is a case that just keeps on giving.
The duty to provide a defense, or reimburse defense costs, is one of the most important features of liability insurance. You could say it’s the stuffing, where indemnity is the turkey. The Delaware Superior Court emphasized that obligation in Verizon to the tune of $48 million in defense costs that the insurer had refused to pay. This decision was important because it rejected the insurer’s attempt to define the vague term “securities claim” narrowly to avoid its obligation to pay defense costs. More broadly, the court upheld the pro-policyholder interpretative doctrine of contra proferentem, rejecting the insurer’s argument that the doctrine should not apply where the insured is a large, sophisticated corporation. Applying the doctrine, the court held that unless it can be shown that the insured had a hand in drafting the policy language, ambiguous terms should be interpreted against the insurer. A more detailed analysis of the decision by this firm can be found here.
Thanksgiving dinner is always better with more guests. Additional Insured endorsements in policies extend the invitation to more parties that may require a seat at the table of insurance protection. This is especially important in the construction context, where developers and general contractors rely on numerous subcontractors’ insurance policies to protect them from liability arising from those subcontractors’ work. These two decisions rejected insurers’ attempts to narrow the application of additional insured endorsements.
In All State Interior, previously highlighted here, a New York County trial court interpreted an endorsement broadly, granting additional insured status to companies that didn’t technically contract with the subcontractor, and who weren’t named in the endorsement. The court, in essence, incorporated the terms of the contract between All State and the subcontractor into the endorsement to trigger additional insured coverage for the project owner, site lessor, and construction manager as All State’s “partners, directors, officers, employees, agents and representatives.”
In McMillin, the insurer’s policy granted additional insured status to McMillin, the general contractor of a project, for “liability arising out of [the subcontractor’s] ongoing operations,” and excluded additional insured status for the insured’s completed operations. The insurer denied defense coverage on the basis that the subcontractor had finished working on the project. The California Court of Appeal disagreed, stating that the endorsement’s phrase “arising out of” is broader than “during,” and so the liability did not have to arise while the insured was still working on the project.
When it’s time for dessert, allocating the available pie to make sure everyone gets what they deserve can be tricky. This year, Missouri joined the ranks of “all sums” states that maximize coverage for policyholders with long-tail claims stretching over several years. The “all sums” method of allocation allows an insured to allocate all of its damages from long-tail losses to a single year of coverage. This ruling by the Missouri Court of Appeals was based on the plain language of the policies, which promise to indemnify the insured for all sums the insured is legally obligated to pay for occurrences during the policy period. The court also ruled that all triggered primary policies across a period of years need not be exhausted before excess policies in the period selected by the policyholder can be triggered. The court ruled that only the primary policy in one year needs to be exhausted before that year’s excess policies are triggered. For a more thorough analysis of this case, click here.
Rather than brave the stampedes of Black Friday, one can get good deals on holiday gifts on Cyber Monday. But to protect against cyber thieves, make sure your insurance coverage will protect you. In this case, the U.S. District Court for the Southern District of New York interpreted the computer fraud provision of a crime policy to do just that. Policyholder Medidata was the victim of fraud when someone tricked its employees into wiring money overseas, using spoofed emails that looked like they came from the company’s president. Medidata’s insurer denied its claim, stating that the computer fraud clause of the crime coverage required actual hacking into and manipulation of Medidata’s computer system. But the court sided with Medidata, ruling that the spoofing of emails violated the integrity of the insured’s computer system enough to trigger coverage, and actual entry by hackers was not required by the policy language or by precedent.
We at Pillsbury hope you all had a very Happy Thanksgiving!
As summer comes to a close, road repair crews across the country are identifying the street repairs and potholes that must be filled before the cold weather approaches. Now is also a good time for policyholders to identify some of the “potholes” that may accompany their claims-made insurance policies and get them filled before it is too late.
Every single industry or business in this day and age has either been the victim of a cyber attack or is concerned they will be next. A few examples from the last couple of months show how widespread the problem is. In June, a global ransomeware attack quickly spread across 64 countries, impacting organizations from law firms, banks and governments to food producers and hospitals. The attackers demanded $300 in Bitcoin—approximately $977,000 U.S. dollars in total—from each victim to unlock their data. At the annual DefCon computer security conference in late July, hackers took less than 90 minutes to hack voter-ballot machines and at least one hacker even broke into the system wirelessly, suggesting that U.S. computer-ballot boxes may be susceptible to attack.
The costs and penalties associated with a cyber attack or data breach should not be underestimated. For example, NPR recently calculated the average cost of a health care breach at more than $2.2 million, “not to mention the reputation damage.” And the FCC recently ordered AT&T to pay $25 million in connection with the exposure of more than 250,000 U.S. customers’ information.
Cyber insurance continues to be one of the hottest topics in the insurance industry. In the last several years it has evolved from a little-known specialty product to a standard purchase for some corporate risk departments. By now, most companies generally are aware that cyber attacks present substantial risks. Many unfortunately have first-hand experience as victims of an attack. But many companies still do not necessarily view cyber insurance as a “must-have” type of insurance, like general liability or property insurance. Some companies may believe their potential cyber exposure is minimal or simply think that cyber coverage is cost prohibitive. A recent D.C. Circuit decision is a sobering reminder that cyber insurance should at least be considered in connection with a company’s risk management plan, and is probably a “must-have” for companies that maintain records containing a substantial amount of personal information.
On May 12, 2017, a massive ransomware cyber-attack infected over 100,000 computers in more than 150 countries. This malware, a Trojan virus known as “WannaCry,” encrypts files, and then threatens to destroy them, unless the victim pays a ransom. Colleagues Jamie Bobotek and Peri Mahaley opined about this recent attack and stress the necessity to take the time now to review and confirm your cyber-privacy insurance in a Pillsbury client alert.
Cyber sages tell us the question is not whether your business will suffer a data breach, but when. To prepare for the inevitable, businesses want to know what is the next threat on the horizon. In the past few months, experts have offered many views on the top cyber trends for 2017, and plenty of advice about security measures companies should take in light of these predictions. But if some loss is a given, businesses also want to know if there will be insurance to cover that loss. We look at some of the forecasts and try to answer that question.
In its Fourth Annual Data Breach Industry Forecast, Experian Data Breach Resolution, a vendor of data breach response and protection services with a track record of handling high-profile incidents, issued and identified five top data breach trends for 2017. We’ll address the first two of those trends in this post.
The vaults of the world’s financial capital are getting stronger locks. On March 1, 2017, new “first-in-the-nation” cybersecurity regulations of the New York Department of Financial Services (DFS) went into effect to protect consumers and the financial system from cyber attacks. While the regulations apply to covered finance and insurance companies, their influence is likely to be felt beyond the companies targeted initially. For this reason, it’s important that all companies with cybersecurity risks understand how the new DFS regulations work, and the insurance coverage issues they may raise.
Out of the blue one morning, a destination hotel’s operator receives an email informing it that the hotel’s computer and electronic key systems have been infiltrated, leaving the hotel locked out of its own computer system and, even more distressing, preventing hotel guests from utilizing their key cards to gain entry to their rooms and other hotel amenities. The email demands payment in the amount of 2 Bitcoin (approximately $1,900) to restore computer and key card functionality, which will double if not paid by the end of the day. The email provides details to access a Bitcoin wallet to make the payment, and then ends by stating, “Have a nice day!”