Insurance Policy Types

As the risks associated with cyber liability continue to evolve, so do the insurance products that are theoretically meant to protect against those risks. As the insurance industry attempts to keep pace, the applications that insurers are using to capture the data they believe is necessary to underwrite these risks are also evolving and vary to a large degree. Regardless of whether an application is long or short or seeks information in generalities or in detail, all prospective policyholders must take care in completing these applications, enlisting the help of a data security professional (whether within the organization or a consultant) and possibly of a good broker that specializes in this area. Indeed, a failure to provide accurate information could cause an insurer to resist providing coverage for a claim, or attempt to rescind the policy, on the purported grounds that there was a material misrepresentation in the policy application.

This article first provides an overview of the key categories of information that most cyber-liability insurance applications seek, followed by some of the key principles of which a policyholder should be aware in the event an insurer attempts to deny a claim or rescind a policy based on alleged misrepresentations or omissions in the policy application. 

Your company receives a demand letter and you realize that the claim stems from a vendor’s product or service. What do you do next? The first step for most companies will be to review the operative contract for any indemnification provisions. Next on the list will be to review any certificates of insurance issued by the vendor. All too often, however, companies at this phase learn that they were never actually added as additional insureds to their vendors’ policies or that their vendor’s coverage is inadequate.

A merger, acquisition, or other corporate transaction can raise a number of issues for the insurance coverage of the parties involved.  The transaction may affect the parties’ current coverage and their rights under their historic policies.  The parties will want to specify clearly the intended interplay of other aspects of the deal, such as indemnities, with available insurance.  And the parties may wish to consider purchasing various types of insurance for aspects of the deal itself.

It is becoming increasingly important for tech companies considering a merger, acquisition, or other corporate transaction to understand the use of Representation & Warranty Insurance (“R&W Insurance”). R&W Insurance is a type of insurance policy purchased in connection with corporate transactions; it covers the indemnification for certain breaches of the representations and warranties in the transaction agreements. It is designed to provide additional flexibility in addressing these obligations by, for example, reducing or eliminating the need for an escrow by the Seller. 

I have several times discussed the need for cyber insurance that will actually cover reasonable claims; a need that still seems to exist. The case of Hub Parking Technology USA v. Illinois National Insurance Company (https://www.law360.com/articles/1170778/parking-tech-co-says-aig-must-defend-it-in-privacy-row) that was brought in Pennsylvania District Court in June of this year illustrates this problem. Hub bought security and privacy insurance that was intended to cover security breaches and disclosure of personal data in violation of privacy rules. Hub was then sued in underlying litigation for printing parking receipts at the Cleveland Airport that showed eight digits of credit card numbers instead of the standard last four digits permitted under various state statutes and case law. When Hub submitted the claim to its cyber insurer, the cyber insurer rejected the claim based on its conclusion that there had been no loss of privacy or security information, as well as on several exclusions, such as those for contractually assumed liability and intentional acts. Although the insurer may have had a legitimate complaint that there really was no damage from this alleged violation (and the plaintiffs had not alleged that anyone suffered actual damage or identity theft arising from the parking receipts at issue; they rather relied on an FTC study showing that similar incidents have caused actual damage, so that the potential for damage existed), that should not have prevented the insurer from providing at least a defense.  

A policyholder is usually thrilled when its insurer agrees to provide a defense of a claim. However, all too often, an insurer’s position on how that defense is to be provided surprises the policyholder. Sometimes, the policyholder learns for the first time that it does not have the right to select defense counsel. Other times, it learns that it is allowed to select defense counsel but must do so from a list of pre-approved panel counsel. In yet other circumstances, the policyholder is permitted to select its own defense counsel but may be limited to the rates approved by the insurance company (which are sometimes far below what the policyholder’s preferred counsel is charging).  

Directors & Officers liability insurance—commonly known simply as D&O insurance—is meant to protect corporate directors and officers from, among other things, claims alleging breaches of duty and management failings that adversely affect the value of the company’s stock. And any event in which directors or officers are deemed to have had an oversight function could ultimately result in a claim that floats up to the director- or officer-level if the company’s stock suffers. 

In the wake of numerous high-profile electronic data breaches, companies are justifiably concerned about beefing up their cybersecurity programs and ensuring that they have adequate insurance coverage in the event of an electronic data breach. While the unauthorized disclosure of sensitive electronic data, whether through cyberattacks, insider malfeasance, inadvertence, or otherwise, is, of course, a substantial risk that must be addressed in any cyber insurance program, businesses should also understand and insure against their potential exposure in the event of an old-fashioned breach of sensitive information by way of paper or other non-computerized records.

These types of ink-and-paper data breaches happen more often than one might expect, given the media attention paid to electronic data heists. The healthcare industry, for example, is especially plagued by non-electronic data breaches, despite widespread adoption of electronic health records. According to a recent study by the American Journal of Managed Care, paper and films were the most frequent storage media at issue in data breaches that occurred in hospitals during the study period, whereas network servers were the least common. Statistics from the Office of Civil Rights Annual Report to Congress on Breaches of Unsecured Protected Health Information, published by HHS in 2012, revealed that paper records were involved in 23 percent of major breaches of protected health information (those affecting 500 or more individuals) and 61 percent of smaller breaches. See also Prevent Breaches: Don’t Forget Paper. This problem has not gone away in the intervening years: 11 major breaches of protected health information reported to date in 2019 involve paper or film records.

Can an intentional attack carried out through social media trigger liability coverage? A recent Pennsylvania case found potential coverage under a homeowner’s policy for a case of cyber bullying that ended in the suicide of the victim. The court found that the intentional actions of the insured’s son constituted an accident, and therefore an occurrence, because the claim in part alleged negligence and because the actions of the victim were not necessarily expected from the standpoint of the insured. This specific situation is, of course, unlikely to arise in the context of a business concerned about social media risks, but the underlying reasoning may be useful in assessing potential coverage for other intentional acts carried out over social media or other communications technology.

In my previous blogs, I pointed out that security breaches are like death and taxes (i.e., unavoidable), and that insureds simply need a product that will pay for any losses from the inevitable security breaches. I also pointed out that insurance companies could help by certifying security products that were good enough to guarantee a payment under the companies’ policies if there were a breach. The recent Mondelez case points out why insureds often wonder whether carriers really intend to pay claims. There, the maker of Oreo cookies bought a policy which covered intrusions into the company’s computer code. After the advent of the NotPetya ransomware, the carrier refused claims valued in the millions based on the war exclusion.