Insurance Policy Types

The European Union’s sweeping Global Data Protection Regulation (GDPR), which took effect on May 25, 2018, dramatically expanded the compliance obligations of companies collecting or using European Union citizens’ personal information. It also substantially increased regulatory exposure for companies due to its strict requirements and draconian penalties for non-compliance, including potential fines of greater than 20 million Euros or 4% of a company’s annual worldwide revenue. GDPR Art. 83, § 5. See Perkins Coie’s GDPR Resources for an overview of the regulation, and Will Your Cyber Policy Provide Coverage for GDPR Violations? for a discussion of insurance coverage issues arising from the regulation. Yet the new regulatory landscape facing companies that collect, use, or manage consumers’ personal information has expanded far beyond the GDPR, and many United States jurisdictions have enacted or are in the process of enacting regulations governing the collection, storage, and use of consumer information. As a result, any company that handles consumer personal information must have a thorough understanding of these regulations and must make sure that its insurance program aligns with its regulatory exposure in order to effectively manage the risks arising out of burgeoning cybersecurity and privacy regulations.
Continue Reading

Companies engaged with digital assets, particularly those companies without a track record, are finding it to be a struggle to procure broad directors & officers (“D&O”) liability coverage.  Specifically, insurance underwriters are spooked by the regulatory uncertainty surrounding digital assets, particularly Initial Coin Offerings (“ICOs”), which have emerged as an alternative to traditional equity offerings, e.g., the sale of stock in a venture.  The reality, however, is that many companies engaged with “coins” or “tokens” or other digital assets also raise capital through traditional securities offerings, and they need protection for those activities.  But many underwriters are not willing to sell coverage for those traditional activities, merely because the company also is engaged in the digital asset space. 
Continue Reading

Many businesses rely upon social media to raise awareness and enhance visibility of a new product or new line of business.  Social media platforms such as Facebook are often used to generate buzz around an opening or a launch before it takes place.  Anticipatory use of social media, however, can complicate insurance coverage if the right policies are not already in place.  The Idaho Supreme Court recently upheld the denial of coverage to a business that had published a preview of a new logo prior to opening.  Scout, LLC v. Truck Ins. Exch., 434 P.3d 197 (2019).  The court held that a Facebook post by the insured pub showing a close facsimile of the anticipated logo constituted a “prior publication,” triggering an exclusion under the pub’s subsequently purchased commercial general liability policy.  Although some other courts have reached different conclusions in relatively similar circumstances, the case stands as a cautionary tale for new businesses.
Continue Reading

Title III of the Americans with Disabilities Act (ADA) provides that

No individual shall be discriminated against on the basis of disability in the full and equal enjoyment of the goods, services, facilities, privileges, advantages or accommodations of any place of public accommodation by any person who owns, leases (or leases to), or operates a place of public accommodation.

42 U.S.C. Section 12182(a). What about a website? Is that a “place of public accommodation”? The answer to that question could make a big difference in determining whether your business faces legal risks and whether you can protect against those risks with insurance. A recent decision out of the Ninth Circuit highlights the split in United States jurisdictions about whether a website is subject to the prohibitions against discrimination found in the ADA. 
Continue Reading

Despite the increase in data breaches and cyberattacks involving large corporations, efforts to hold directors and officers personally liable for these events have largely been unsuccessful. However, recent developments in two high-profile data breach cases suggest that the relative safety directors and officers have previously experienced from cybersecurity-related suits may be coming to an end. On January 4, 2019, the Superior Court of California approved a $29 million settlement in consolidated derivative litigation brought against directors and officers of Yahoo, Inc. arising out of two data breaches compromising sensitive information of over one billion Yahoo users. See In re Yahoo! Inc. Shareholder Litig., Case No. 17-CV-307054, (Cal. Supp. Ct Jan. 4, 2019). This settlement, which includes a court-approved plaintiff’s counsel’s fee of $8.6 million, represents the first significant recovery in a data-breach related derivative lawsuit targeting directors and officers for breach of fiduciary duty.
Continue Reading

Selecting an appropriate cyber insurance policy can seem daunting. There are a number of different cyber events that have the possibility to impact businesses differently based on a number of factors, including the company’s network design and cyber security readiness. The market for cyber insurance policies does not have a widely-accepted form that is predominantly used by carriers, brokers, or policyholders, resulting in approximately 70 carriers drafting their own cyber insurance policies, many of which are negotiable. Lastly, the risks and technology at issue evolve quickly, adding uncertainty and the potential for a “new” event that may not be covered appropriately by your company’s current policies.
Continue Reading

The recent series of significant hacks to Marriott, Target, Anthem, Home Depot, and other businesses make it clear that there is now another inevitable event to add to death and taxes, namely intrusions to businesses’ on-line databases of their customers’ personal information. These intrusions include outside vigilante hackers who are simply trying to sell their services and then try to incite the government or private plaintiffs to assert damage claims against the targeted businesses from the exploited vulnerabilities. To counteract the inevitability of such intrusions, cyber-security providers and insurance companies are now considering offering a new product that would combine guarding against unwanted intrusions with guaranteed coverage for the cost of the inevitable hack. The product would basically warrant that there will be no damaging access or release of on-line data, and would provide a specified but limited payment to compensate for any damages should an intrusion and/or release of data nonetheless occur.
Continue Reading

On November 9, 2018, the Ninth Circuit certified an important coverage question to the Washington Supreme Court about whether a certificate of insurance (COI) purporting to add T-Mobile as an additional insured on another company’s insurance policy binds the insurance company listed on the certificate. T-Mobile USA Inc. v. Selective Insurance Company of America, 908 F.3d 581 (9th Cir. 2018).

The case should serve as a reminder that businesses may not be able to rely on, and should not rely on, a certificate of insurance alone when they sign agreements with third parties who are supposed to add them as additional insureds.
Continue Reading

Welcome to The Perkins Coie Tech Risk Report, a source for updates on, and analysis and interpretation of, insurance issues relevant to emerging technologies. We will address coverage issues related to cyber coverage, privacy, digital assets like cryptocurrency, Blockchain and other emerging technologies. The blog is written for start-ups and other companies dealing with emerging

In an all too common scenario, someone in your organization’s finance department receives an email that purports to be from a supplier informing your organization of the supplier’s supposedly changed bank account and a request for you to make all future payments to the new account. Even after some likely back and forth via phone and/or email with the “supplier,” your employee ultimately changes the payment information in your systems, and future invoices are paid to the new pay-to account. Everything seems fine for a while, and then the problems begin.

Eventually, your company receives an email from the supplier asking why it hasn’t received payment of its recent invoices. When the supplier insists that it has not received payment, in spite of your company’s assurances that all invoices have been paid, your IT department investigates. The IT team figures out that the emails with the new payment information and the phone calls were fraudulent—they were not from your supplier but from a bad actor. It is, of course, too late to recover the fraudulently obtained payments, and in the interest of keeping the supplier, your company pays again.
Continue Reading