Many businesses rely upon social media to raise awareness and enhance visibility of a new product or new line of business. Social media platforms such as Facebook are often used to generate buzz around an opening or a launch before it takes place. Anticipatory use of social media, however, can complicate insurance coverage if the right policies are not already in place. The Idaho Supreme Court recently upheld the denial of coverage to a business that had published a preview of a new logo prior to opening. Scout, LLC v. Truck Ins. Exch., 434 P.3d 197 (2019). The court held that a Facebook post by the insured pub showing a close facsimile of the anticipated logo constituted a “prior publication,” triggering an exclusion under the pub’s subsequently purchased commercial general liability policy. Although some other courts have reached different conclusions in relatively similar circumstances, the case stands as a cautionary tale for new businesses. Continue Reading Social Media and New Businesses: Can Anticipatory Use of Social Media Threaten Insurance Coverage?
In my last posting on this blog, I opined that cyber incursions and the resulting lawsuits, defense costs, and damages payments are as inevitable as death and taxes. Thus, most companies are now trying to purchase some type of cyber insurance to cover these risks. The next question is whether your insurance will really cover a particular risk you face. My last article discussed a single product that would provide security and guarantee coverage for any breach up to a specified limit.
Today I want to discuss other defensive measures that a company might take against the inevitable, and how that might make coverage in the event of a breach more likely under a standard cyber insurance policy. Our last posting by Ms. Del Prete discussed the standard exclusions and conditions in the most common cyber policies. Those policy provisions require, e.g., that the insured follow industry standard security practices and take reasonable precautions against data breaches before coverage will attach for an incursion. Subject to the purchase of an extended retroactive date, they also exclude breaches that occurred long before the beginning of the policy or which were facilitated by an incursion that occurred prior to the beginning of the policy. Continue Reading Meeting the Terms of the Exceptions in Your Cyber Policy
Often called the “wild west,” the cyber insurance marketplace offers a wide variety of policy forms that vary drastically in the scope of coverage provided. This is further compounded by the relatively small amount of case law analyzing cyber policies and the quickly-evolving cyber risks that companies face. Insurers are quick to deny coverage based on the many exclusions in cyber policies, often leaving policyholders with the option of either spending money to fight their insurer in court or accepting the carrier’s denial. If your company is insured by a cyber policy (or, for that matter, any type of an insurance policy), you should carefully review the policy, understand its exclusions, and, where possible, take steps to implement practices and procedures to ensure that your company’s activities do not fall within the enumerated exclusions. Cyber insurers are often willing to modify exclusions in cyber policies to carve back certain coverages, but only when asked to do so. Analyzing the policy and negotiating with the carrier on the front end, before a claim occurs, can save your company both time and money on the back end if a claim arises. Continue Reading Common Exclusions Invoked by Cyber Carriers to Deny Coverage
Title III of the Americans with Disabilities Act (ADA) provides that
No individual shall be discriminated against on the basis of disability in the full and equal enjoyment of the goods, services, facilities, privileges, advantages or accommodations of any place of public accommodation by any person who owns, leases (or leases to), or operates a place of public accommodation.
42 U.S.C. Section 12182(a). What about a website? Is that a “place of public accommodation”? The answer to that question could make a big difference in determining whether your business faces legal risks and whether you can protect against those risks with insurance. A recent decision out of the Ninth Circuit highlights the split in United States jurisdictions about whether a website is subject to the prohibitions against discrimination found in the ADA. Continue Reading Protecting your Website with an EPL Insurance Policy
Despite the increase in data breaches and cyberattacks involving large corporations, efforts to hold directors and officers personally liable for these events have largely been unsuccessful. However, recent developments in two high-profile data breach cases suggest that the relative safety directors and officers have previously experienced from cybersecurity-related suits may be coming to an end. On January 4, 2019, the Superior Court of California approved a $29 million settlement in consolidated derivative litigation brought against directors and officers of Yahoo, Inc. arising out of two data breaches compromising sensitive information of over one billion Yahoo users. See In re Yahoo! Inc. Shareholder Litig., Case No. 17-CV-307054, (Cal. Supp. Ct Jan. 4, 2019). This settlement, which includes a court-approved plaintiff’s counsel’s fee of $8.6 million, represents the first significant recovery in a data-breach related derivative lawsuit targeting directors and officers for breach of fiduciary duty. Continue Reading Recent Developments in Yahoo and Equifax Data Breach Litigation Suggest Increased Risk of Personal Liability for Directors and Officers for Cybersecurity Incidents
Selecting an appropriate cyber insurance policy can seem daunting. There are a number of different cyber events that have the possibility to impact businesses differently based on a number of factors, including the company’s network design and cyber security readiness. The market for cyber insurance policies does not have a widely-accepted form that is predominantly used by carriers, brokers, or policyholders, resulting in approximately 70 carriers drafting their own cyber insurance policies, many of which are negotiable. Lastly, the risks and technology at issue evolve quickly, adding uncertainty and the potential for a “new” event that may not be covered appropriately by your company’s current policies. Continue Reading Evaluating Your Company’s Coverage for Ransomware Attacks Under Its Cyber Insurance Policy
For approximately the past decade, cryptocurrencies were used by those who wanted to transact business anonymously and without oversight or restrictions imposed by any governmental authority. More recently, the concept of cryptocurrencies has been used to raise capital outside of traditional financial structures. Indeed, the rise of raising money through the issuance of “virtual tokens” using “Initial Coin Offerings” (“ICOs”) has caused a sharp rise in the prevalence and market value of cryptocurrencies.
Those involved with cryptocurrencies believe that their virtues include stronger security against theft, easier transactions, and insulation from government-induced currency fluctuations, among other things. But the inescapable reality is that hackers, technical errors, and fraud happen. In addition, regulators have been taking notice and have been attempting to flex their authority, although the manner in which any given regulation applies to cryptocurrencies is far from certain. One thing that is certain, is that the cryptocurrency “industry” poses unique and evolving risk. Given this, the insurance industry is also engaged in attempting address the needs of this emerging market, although underwriters can be expected to rigorously assess the risks posed, and insurance procurement can be a challenge for some. Continue Reading The New Money: Cryptocurrencies and the Role of Insurance
Social engineering and electronic impersonation scams have increased in recent years, as have cases involving resulting claims for insurance coverage. Claims typically involve the impersonation of a company executive, employee, or client and a fraudulent electronic communication directing an employee of the policyholder to transfer funds to another account. As outlined in our update of November 8, 2017, courts differ significantly as to whether or not this situation triggers coverage under a standard crime policy or fidelity bond. For example, some courts have held that the scheme does not produce a loss “resulting directly” from the “use of a computer” as required for certain “computer fraud” coverage. E.g., Apache Corp. v. Great Am. Ins. Co., 662 Fed. Appx. 252, 258 (5th Cir. 2016); Incomm Holdings, Inc. v. Great Am. Ins. Co., No. 1:15-cv-2671-WSD, 2017 WL 1021749, at *8-*10 (N.D. Ga. Mar. 16, 2017). Other courts have reached the opposite conclusion and found coverage. E.g., Medidata Solutions, Inc. v. Fed. Ins. Co., 268 F. Supp. 3d 471, 477-78 (S.D.N.Y. 2017), aff’d 729 Fed. Appx. 117 (2d Cir. 2018); Principle Solutions Grp., LLC v. Ironshore Indem., Inc., No. 1:15-CV-4130-RWS, 2016 WL 4618761, at *2, *5 (N.D. Ga. Aug. 30, 2016).
The recent series of significant hacks to Marriott, Target, Anthem, Home Depot, and other businesses make it clear that there is now another inevitable event to add to death and taxes, namely intrusions to businesses’ on-line databases of their customers’ personal information. These intrusions include outside vigilante hackers who are simply trying to sell their services and then try to incite the government or private plaintiffs to assert damage claims against the targeted businesses from the exploited vulnerabilities. To counteract the inevitability of such intrusions, cyber-security providers and insurance companies are now considering offering a new product that would combine guarding against unwanted intrusions with guaranteed coverage for the cost of the inevitable hack. The product would basically warrant that there will be no damaging access or release of on-line data, and would provide a specified but limited payment to compensate for any damages should an intrusion and/or release of data nonetheless occur. Continue Reading Developments in Cyber-Coverage Options
The European Union’s Global Data Protection Regulation (GDPR) took effect on May 25, 2018, and drastically expanded the compliance obligations of companies involved in the collection, use, and management of any European Union citizens’ data. The GDPR imposes a strict regulatory scheme with steep penalties for non-compliance, with maximum fines set at the greater of 20 million Euros or 4% of a company’s annual worldwide revenue. GDPR Art. 83, § 5. Please refer to Perkins Coie’s GDPR Resources for a more comprehensive overview. Continue Reading Will your cyber policy provide coverage for GDPR violations?