Directors & Officers liability insurance—commonly known simply as D&O insurance—is meant to protect corporate directors and officers from, among other things, claims alleging breaches of duty and management failings that adversely affect the value of the company’s stock. And any event in which directors or officers are deemed to have had an oversight function could ultimately result in a claim that floats up to the director- or officer-level if the company’s stock suffers.  Continue Reading D&O Coverage for Tech Risks – Don’t Let the “Invasion of Privacy” and “Professional Services” Exclusions Take You by Surprise

In the wake of numerous high-profile electronic data breaches, companies are justifiably concerned about beefing up their cybersecurity programs and ensuring that they have adequate insurance coverage in the event of an electronic data breach. While the unauthorized disclosure of sensitive electronic data, whether through cyberattacks, insider malfeasance, inadvertence, or otherwise, is, of course, a substantial risk that must be addressed in any cyber insurance program, businesses should also understand and insure against their potential exposure in the event of an old-fashioned breach of sensitive information by way of paper or other non-computerized records.

These types of ink-and-paper data breaches happen more often than one might expect, given the media attention paid to electronic data heists. The healthcare industry, for example, is especially plagued by non-electronic data breaches, despite wide-spread adoption of electronic health records. According to a recent study by the American Journal of Managed Care, paper and films were the most frequent storage media at issue in data breaches that occurred in hospitals during the study period, whereas network servers were the least common. Statistics from the Office of Civil Rights Annual Report to Congress on Breaches of Unsecured Protected Health Information, published by HHS in 2012, revealed that paper records were involved in 23 percent of major breaches of protected health information (those affecting 500 or more individuals) and 61 percent of smaller breaches. See also Prevent Breaches: Don’t Forget Paper. This problem has not gone away in the intervening years: 11 major breaches of protected health information reported to date in 2019 involve paper or film records.  Continue Reading Lookout for Luddites: Don’t Overlook the Risk of a Non-Electronic Data Breach When Evaluating Your Cyber Insurance Program

The consequences of a data breach can be far-reaching. While the initial issues in the wake of a breach often involve investigation into the cause of the breach and sending notification to those affected (both of which are covered by most cyber insurance policies), coverage for certain types of third-party claims stemming from cyber breaches may be available under Commercial General Liability (“CGL”) insurance policies.

CGL insurance policies provide coverage for claims of “Bodily Injury,” “Property Damage,” and “Personal and Advertising Injury.” Bodily Injury and Property Damage claims are covered under Coverage A of CGL policies, while Personal and Advertising Injury claims are covered under Coverage B. This blog post briefly summarizes the major issues policyholders encounter when seeking coverage for Personal and Advertising Injury (Coverage B) under CGL policies that arise out of a cyber incident.  Continue Reading Are Cyber Claims Covered Under Coverage B of CGL Policies?

Can an intentional attack carried out through social media trigger liability coverage? A recent Pennsylvania case found potential coverage under a homeowner’s policy for a case of cyber bullying that ended in the suicide of the victim. The court found that the intentional actions of the insured’s son constituted an accident, and therefore an occurrence, because the claim in part alleged negligence and because the actions of the victim were not necessarily expected from the standpoint of the insured. This specific situation is, of course, unlikely to arise in the context of a businesses concerned about social media risks, but the underlying reasoning may be useful in assessing potential coverage for other intentional acts carried out over social media or other communications technology. Continue Reading Can There Be a Duty to Defend Intentional Acts on Social Media?

In my previous blogs, I pointed out that security breaches are like death and taxes (i.e., unavoidable), and that insureds simply need a product that will pay for any losses from the inevitable security breaches. I also pointed out that insurance companies could help by certifying security products that were good enough to guarantee a payment under the companies’ policies if there were a breach. The recent Mondelez case points out why insureds often wonder whether carriers really intend to pay claims. There, the maker of Oreo cookies bought a policy which covered intrusions into the company’s computer code. After the advent of the Notpeya ransomware, the carrier refused claims valued in the millions based on the war exclusion. Continue Reading Insurers Band Together To Certify Security Products

Biometric Privacy Lawsuits

In early 2019, the Illinois Supreme Court opened the floodgates for advancing private causes of action under the state’s 2008 Biometric Information Privacy Act (“BIPA”), 740 ILCS 14 et seq. In Rosenbach v. Six Flags, the Court found that no proof of actual injury or damage beyond technical infringement was necessary to state a claim under the BIPA. Now, Illinois courts are seeing a wave of BIPA class action lawsuits, even though the Six Flags case merely concluded that a biometric plaintiff had standing to sue and did not resolve the legal requirements necessary to prove a negligent or intentional violation of BIPA. Continue Reading Biometrics Liability on the Rise: Are you Covered?

The entire insurance industry is suddenly abuzz about the rarely discussed “war exclusion.” A standard provision in most policies that excludes claims caused by a hostile or warlike action in time of peace or war, usually by a military or a government/sovereign power, is all the rage. Why? The billions of dollars of damages caused by the NotPetya virus and insurers attempts to avoid paying them. Continue Reading Collateral Damage: War Exclusions and Cyber Coverage

Should you stress if the insurance company issuing the policy that is supposed to be protecting your business—whether in a certificate of insurance you received from a third party or within your own insurance portfolio—is “non-admitted”?  As discussed below, there is no need to sweat.

An “admitted” insurance company is one that has been approved by a state’s department of insurance.  This generally means that the insurance company must file policy forms, underwriting guidelines, and rates with the state for approval.  Admitted insurers also pay into state guaranty funds, which are designed to step in if the insurer becomes insolvent.  Non-admitted insurers, also called surplus lines insurance, are not subject to those same regulations. Continue Reading How Risky is the Insurance from a Non-Admitted Insurer?

The European Union’s sweeping Global Data Protection Regulation (GDPR), which took effect on May 25, 2018, dramatically expanded the compliance obligations of companies collecting or using European Union citizens’ personal information. It also substantially increased regulatory exposure for companies due to its strict requirements and draconian penalties for non-compliance, including potential fines of greater than 20 million Euros or 4% of a company’s annual worldwide revenue. GDPR Art. 83, § 5. See Perkins Coie’s GDPR Resources for an overview of the regulation, and Will Your Cyber Policy Provide Coverage for GDPR Violations? for a discussion of insurance coverage issues arising from the regulation. Yet the new regulatory landscape facing companies that collect, use, or manage consumers’ personal information has expanded far beyond the GDPR, and many United States jurisdictions have enacted or are in the process of enacting regulations governing the collection, storage, and use of consumer information. As a result, any company that handles consumer personal information must have a thorough understanding of these regulations and must make sure that its insurance program aligns with its regulatory exposure in order to effectively manage the risks arising out of burgeoning cybersecurity and privacy regulations. Continue Reading Beyond GDPR: Insurance Coverage for Emerging Cybersecurity and Privacy Regulatory Exposure

Companies engaged with digital assets, particularly those companies without a track record, are finding it to be a struggle to procure broad directors & officers (“D&O”) liability coverage.  Specifically, insurance underwriters are spooked by the regulatory uncertainty surrounding digital assets, particularly Initial Coin Offerings (“ICOs”), which have emerged as an alternative to traditional equity offerings, e.g., the sale of stock in a venture.  The reality, however, is that many companies engaged with “coins” or “tokens” or other digital assets also raise capital through traditional securities offerings, and they need protection for those activities.  But many underwriters are not willing to sell coverage for those traditional activities, merely because the company also is engaged in the digital asset space.  Continue Reading Companies Engaged with Digital Assets Should Push For D&O Coverage That Protects Traditional Securities Activities