In my previous blogs, I pointed out that security breaches are like death and taxes (i.e., unavoidable), and that insureds simply need a product that will pay for any losses from the inevitable security breaches. I also pointed out that insurance companies could help by certifying security products that were good enough to guarantee a payment under the companies’ policies if there were a breach. The recent Mondelez case points out why insureds often wonder whether carriers really intend to pay claims. There, the maker of Oreo cookies bought a policy which covered intrusions into the company’s computer code. After the advent of the Notpeya ransomware, the carrier refused claims valued in the millions based on the war exclusion. Continue Reading Insurers Band Together To Certify Security Products

Biometric Privacy Lawsuits

In early 2019, the Illinois Supreme Court opened the floodgates for advancing private causes of action under the state’s 2008 Biometric Information Privacy Act (“BIPA”), 740 ILCS 14 et seq. In Rosenbach v. Six Flags, the Court found that no proof of actual injury or damage beyond technical infringement was necessary to state a claim under the BIPA. Now, Illinois courts are seeing a wave of BIPA class action lawsuits, even though the Six Flags case merely concluded that a biometric plaintiff had standing to sue and did not resolve the legal requirements necessary to prove a negligent or intentional violation of BIPA. Continue Reading Biometrics Liability on the Rise: Are you Covered?

The entire insurance industry is suddenly abuzz about the rarely discussed “war exclusion.” A standard provision in most policies that excludes claims caused by a hostile or warlike action in time of peace or war, usually by a military or a government/sovereign power, is all the rage. Why? The billions of dollars of damages caused by the NotPetya virus and insurers attempts to avoid paying them. Continue Reading Collateral Damage: War Exclusions and Cyber Coverage

Should you stress if the insurance company issuing the policy that is supposed to be protecting your business—whether in a certificate of insurance you received from a third party or within your own insurance portfolio—is “non-admitted”?  As discussed below, there is no need to sweat.

An “admitted” insurance company is one that has been approved by a state’s department of insurance.  This generally means that the insurance company must file policy forms, underwriting guidelines, and rates with the state for approval.  Admitted insurers also pay into state guaranty funds, which are designed to step in if the insurer becomes insolvent.  Non-admitted insurers, also called surplus lines insurance, are not subject to those same regulations. Continue Reading How Risky is the Insurance from a Non-Admitted Insurer?

The European Union’s sweeping Global Data Protection Regulation (GDPR), which took effect on May 25, 2018, dramatically expanded the compliance obligations of companies collecting or using European Union citizens’ personal information. It also substantially increased regulatory exposure for companies due to its strict requirements and draconian penalties for non-compliance, including potential fines of greater than 20 million Euros or 4% of a company’s annual worldwide revenue. GDPR Art. 83, § 5. See Perkins Coie’s GDPR Resources for an overview of the regulation, and Will Your Cyber Policy Provide Coverage for GDPR Violations? for a discussion of insurance coverage issues arising from the regulation. Yet the new regulatory landscape facing companies that collect, use, or manage consumers’ personal information has expanded far beyond the GDPR, and many United States jurisdictions have enacted or are in the process of enacting regulations governing the collection, storage, and use of consumer information. As a result, any company that handles consumer personal information must have a thorough understanding of these regulations and must make sure that its insurance program aligns with its regulatory exposure in order to effectively manage the risks arising out of burgeoning cybersecurity and privacy regulations. Continue Reading Beyond GDPR: Insurance Coverage for Emerging Cybersecurity and Privacy Regulatory Exposure

Companies engaged with digital assets, particularly those companies without a track record, are finding it to be a struggle to procure broad directors & officers (“D&O”) liability coverage.  Specifically, insurance underwriters are spooked by the regulatory uncertainty surrounding digital assets, particularly Initial Coin Offerings (“ICOs”), which have emerged as an alternative to traditional equity offerings, e.g., the sale of stock in a venture.  The reality, however, is that many companies engaged with “coins” or “tokens” or other digital assets also raise capital through traditional securities offerings, and they need protection for those activities.  But many underwriters are not willing to sell coverage for those traditional activities, merely because the company also is engaged in the digital asset space.  Continue Reading Companies Engaged with Digital Assets Should Push For D&O Coverage That Protects Traditional Securities Activities

Many businesses rely upon social media to raise awareness and enhance visibility of a new product or new line of business.  Social media platforms such as Facebook are often used to generate buzz around an opening or a launch before it takes place.  Anticipatory use of social media, however, can complicate insurance coverage if the right policies are not already in place.  The Idaho Supreme Court recently upheld the denial of coverage to a business that had published a preview of a new logo prior to opening.  Scout, LLC v. Truck Ins. Exch., 434 P.3d 197 (2019).  The court held that a Facebook post by the insured pub showing a close facsimile of the anticipated logo constituted a “prior publication,” triggering an exclusion under the pub’s subsequently purchased commercial general liability policy.  Although some other courts have reached different conclusions in relatively similar circumstances, the case stands as a cautionary tale for new businesses. Continue Reading Social Media and New Businesses: Can Anticipatory Use of Social Media Threaten Insurance Coverage?

In my last posting on this blog, I opined that cyber incursions and the resulting lawsuits, defense costs, and damages payments are as inevitable as death and taxes. Thus, most companies are now trying to purchase some type of cyber insurance to cover these risks. The next question is whether your insurance will really cover a particular risk you face. My last article discussed a single product that would provide security and guarantee coverage for any breach up to a specified limit.

Today I want to discuss other defensive measures that a company might take against the inevitable, and how that might make coverage in the event of a breach more likely under a standard cyber insurance policy. Our last posting by Ms. Del Prete discussed the standard exclusions and conditions in the most common cyber policies. Those policy provisions require, e.g., that the insured follow industry standard security practices and take reasonable precautions against data breaches before coverage will attach for an incursion.  Subject to the purchase of an extended retroactive date, they also exclude breaches that occurred long before the beginning of the policy or which were facilitated by an incursion that occurred prior to the beginning of the policy.  Continue Reading Meeting the Terms of the Exceptions in Your Cyber Policy

Often called the “wild west,” the cyber insurance marketplace offers a wide variety of policy forms that vary drastically in the scope of coverage provided.  This is further compounded by the relatively small amount of case law analyzing cyber policies and the quickly-evolving cyber risks that companies face.  Insurers are quick to deny coverage based on the many exclusions in cyber policies, often leaving policyholders with the option of either spending money to fight their insurer in court or accepting the carrier’s denial.  If your company is insured by a cyber policy (or, for that matter, any type of an insurance policy), you should carefully review the policy, understand its exclusions, and, where possible, take steps to implement practices and procedures to ensure that your company’s activities do not fall within the enumerated exclusions.  Cyber insurers are often willing to modify exclusions in cyber policies to carve back certain coverages, but only when asked to do so.  Analyzing the policy and negotiating with the carrier on the front end, before a claim occurs, can save your company both time and money on the back end if a claim arises.  Continue Reading Common Exclusions Invoked by Cyber Carriers to Deny Coverage

Title III of the Americans with Disabilities Act (ADA) provides that

No individual shall be discriminated against on the basis of disability in the full and equal enjoyment of the goods, services, facilities, privileges, advantages or accommodations of any place of public accommodation by any person who owns, leases (or leases to), or operates a place of public accommodation.

42 U.S.C. Section 12182(a). What about a website? Is that a “place of public accommodation”? The answer to that question could make a big difference in determining whether your business faces legal risks and whether you can protect against those risks with insurance. A recent decision out of the Ninth Circuit highlights the split in United States jurisdictions about whether a website is subject to the prohibitions against discrimination found in the ADA.  Continue Reading Protecting your Website with an EPL Insurance Policy