Tag Archives: claims-made policies

5 Takeaways From First Cyber Case

On May 11, 2015, in a case that is being widely celebrated as one of the first coverage rulings involving a “cyber” insurance policy, a federal court ruled that Travelers has no duty to defend its insured in Travelers Property Casualty Company of America, et al. v. Federal Recovery Services, Inc., et al.

Although the Travelers case does not involve cyber-specific coverage issues, the case nonetheless carries some important takeaways for insureds, insurers and many other interested spectators.

Here is a brief summary of the ruling and five key takeaways:

The Facts

The insured, Federal Recovery, was in the business of providing processing, storage, transmission and other handling of electronic data for its customers, including Global Fitness. In particular, Federal Recovery agreed to process Global Fitness’s gym members’ payments under a servicing retail installment agreement.

Global Fitness sued Federal Recovery, alleging that Federal Recovery wrongfully refused to return member account data to Global Fitness, including member credit card and bank account information. Global Fitness asserted claims for tortious interference, promissory estoppel, conversion, breach of contract and breach of the implied covenant of good faith and fair dealing.

The Cyber Policy

The policy at issue was a “CyberFirst” policy issued by Travelers. The policy included a technology errors and omissions liability form, which stated that Travelers “will pay those sums that [Federal Recovery] must pay as ‘damages’ because of loss … caused by an ‘errors and omissions wrongful act’….” The key term “errors and omissions wrongful act” was defined to include “any error, omission or negligent act.” In addition to covering potential damages, the Travelers policy provided defense coverage, stating that Travelers “will have the right and duty to defend [Federal Recovery] against any claim or ‘suit’ seeking damages for loss to which the insurance provided under one or more of ‘your cyber liability forms’ applies.”

Federal Recovery tendered the defense of the underlying Global action to Travelers, which initiated litigation seeking a declaration that it wasn’t required to provide coverage. Travelers argued that it did “not have a duty to defend [Federal Recovery] against the original or amended complaints in the Global action because Global [Fitness] does not allege damages from an ‘error, omission or negligent act.’”

The Coverage Disputes: Scope of Coverage and Duty to Defend

Although Travelers involves underlying cyber-related facts and a “cyber” insurance policy, the coverage issues arising out of the facts and policy certainly are not cyber-specific. Travelers’ declaratory judgment action raises two coverage disputes concerning: (1) the scope of coverage afforded by the technology errors and omissions policy at issue, as shaped by its key “wrongful act” definition; and (2) the scope of an insurer’s duty to defend under Utah law. While arising in the context of “cyber”-related facts surrounding electronic account and payment data, and under a “cyber” insurance policy, the coverage disputes at issue in the Travelers case are precisely the types of disputes that we routinely see in the context of errors and omissions and other claims-made liability coverages.

(1) The Scope of Coverage

As to the scope of coverage, errors and omissions, D&O, professional liability and other claims-made policies, like the policy at issue in the Travelers case, typically cover “wrongful acts,” a term that typically in turn is defined as “any negligent act, error or omission,” or similar language. There are scores of cases addressing whether intentional and non-negligent acts fall within or outside the purview of a covered “wrongful act.”

Unfortunately, and in contrast to other decisions, the U.S. District Court for the District of Utah in the Travelers case took a narrow view of the key language, ruling that “[t]o trigger Travelers’ duty to defend, there must be allegations in the [underlying] action that sound in negligence.” The court further found that there were “no such allegations.”

In contrast, other courts have appropriately upheld coverage for various types of intentional and non-negligent conduct under errors and omissions and other claims-made policies. As one commentator has summarized: Claims-made policies typically afford coverage for claims by reason of any “negligent act, error or omission.” What if an insured is held liable for a non-negligent act? Most courts have held that the insured is still entitled to coverage. The strongest argument in favor of that conclusion is that (i) an “error” or “omission” encompasses more than negligent conduct, and (ii) if only negligent errors and negligent omissions were covered, the “error or omission” language would be rendered redundant.

To the extent some may wish to reference other cases addressing cyber-related fact patterns, those cases exist. For example, in 1995, the Supreme Judicial Court of Massachusetts in USM Corp. v. First State Ins. Co.10 upheld coverage under an errors and omissions policy for a breach of express warranty claim involving the insured’s failure to develop and deliver a turnkey computer system that would perform certain functional specifications. The errors and omissions policy at issue in the USM case, similar to the policy at issue in the Travelers case, covered claims against the insured “by reason of any negligent act, error or omission.” Also, the insurers in USM, like the insurers in Travelers, argued that the policy only covered the insured for negligent acts. The USM court rejected the insurers’ arguments, noting that courts have not limited coverage under errors and omissions policies to circumstances involving negligence:

Other courts have not limited liability under “errors and omissions” policies to circumstances involving negligence but have recognized certain non-negligent errors as being within the coverage afforded. Cases involving the words such as “negligent act, error or omission” (the crucial language of the policies before us) have not consistently determined that an error must be a negligent one if coverage is to be available.

***

Because some, but not all, judicial opinions have rejected the interpretation of errors and omissions policies for which the insurers contend, if it was the insurers’ intention, the crucial words of the policy should have been amended to eliminate the ambiguity and to make clear that coverage extended only to negligent errors. Potential policyholders could then have more accurately determined whether such coverage met their needs.
Because of the uncertainty about the scope of the word “error,” the insurers as authors of the policies must suffer the consequences of the ambiguity.

The New York Appellate Division’s decision in Volney Residence, Inc. v. Atlantic Mut. Ins. Co. is likewise instructive. In that case, the Appellate Division held that the insurer had a duty to defend a federal RICO action in which the insured defendants “were alleged intentionally to have committed acts of self-dealing and fraud.” Applying well-established rules of contract interpretation, the court ruled that there was a duty to defend:

The policy provision in question covers claims arising from “a negligent act, error or omission,” which term is defined as “any negligent act, error or omission or breach of duty of [the] directors or officers while acting in their capacity as such.” The definition is susceptible of more than one meaning and can be understood to cover any breach of duty of the directors or officers, not exclusively negligent breaches of duty. Ambiguities in an insurance policy are to be resolved against the insurer.

Other cases are to the same effect.

(2) Scope of the Duty to Defend

Turning to the separate issue of the duty to defend, it is well established that the duty to defend is very broad—broader than the duty to indemnify. The duty to defend is typically triggered if there is some potential for coverage, and, in many jurisdictions, it is appropriate to look outside the facts pled in the underlying complaint to determine whether there is a duty to defend. Again, unfortunately, the court in the Travelers case took a narrow view of the insurer’s duty to defend. Even assuming for the sake of argument that the policy covered only negligence, the underlying complaint alleged, among other things, that Federal Recovery “retained possession of member accounts data, including the billing data, which was the property of Global Fitness ….” Allegations surrounding improper retention of data, even if that retention ultimately was wrongful or not legally justifiable, clearly may arise out of negligence as opposed to intentional conduct.

Travelers Takeaways

Putting aside the ultimate merits of the court’s ruling, and whether this case addresses any coverage issues that are appropriately characterized as “cyber” issues, Travelers offers at least five key takeaways:

First, Travelers illustrates that decisions involving cyber insurance policies are coming and, considering all of the attention and buzz surrounding an otherwise seemingly mundane errors and omissions case, insureds and insurers alike are anxiously awaiting and anticipating the guidance those decisions may provide.

Second, Travelers underscores that the types of coverage disputes that we will see arise out of cyber-related facts and, under cyber insurance policies, often will involve, or at least will intertwine with, the types of disputes that routinely arise in connection with traditional insurance coverages, including errors and omissions coverage and general liability coverage. This is useful for insureds to appreciate toward the goal of being prepared for future potential coverage disputes under cyber policies.

Third, Travelers underscores the importance of securing a favorable choice of forum and choice of law in insurance coverage disputes. Until the governing law applicable to an insurance contract—cyber or otherwise—is established, the policy can be, in a figurative and yet a very real sense, a blank piece of paper.

Fourth, although its label as a first cyber case is debatable, Travelers at a minimum has spotlighted the approaching disputes under cyber liability policies, which should remind insureds of the need to be prepared for, in addition to the traditional types of coverage issues and disputes that can arise under those policies, the potential cyber-specific coverage issues and disputes that may arise, such as the scope of coverage for “cloud”- related exposures.

Fifth, Travelers illustrates the importance of obtaining the best possible policy cyber language at the initial coverage placement and renewal stage. Unlike some types of traditional insurance policies, cyber policies are extremely negotiable, and the insurer’s off-the-shelf language can often be significantly negotiated and improved—often for no increase in premium. It is important for the insured to understand its unique potential risk profile and exposure— and what to ask for from the insurer.

Often in coverage disputes, the issue of coverage comes down to a few words, the sequence of a few words or even the position of a comma or other punctuation. It is important to get the policy language right before a dispute. And while the Travelers case addresses coverage issues that are not cyber-specific, the fundamentals of successfully pursuing coverage under traditional insurance coverage are important to keep in mind as we enter a time and space in which coverage disputes based on underlying cyber-related factual scenarios, and under specialized cyber insurance coverages, are poised to become commonplace.

Financial Reporting Of Medical Malpractice Self-Insured Losses

Healthcare entities, or groups of physicians (through a captive), may self-insure losses to better control the costs of medical malpractice insurance, particularly when insurance premiums rise. Self-insured losses are typically estimated by an actuary, who will provide an unbiased estimate of the loss reserves and can also forecast losses for the next policy period for purposes of budgeting and assessing the feasibility of self-insuring, while an auditor will ensure full compliance with accounting and financial reporting standards. The following will provide background information and points to be discussed with the actuary and auditor.

Common Coverages

In a self-insured program, losses are retained by the program up to the self-insured retention amount, while losses greater than the retention amount are the responsibility of the excess or reinsurance policy. A claims-made policy provides coverage for claims that are reported within the policy period; claims reported after the policy expiration date are not covered. Most programs continually purchase claims-made policies for reportings in subsequent years. Occasionally, when a program changes excess carriers, it may purchase a tail policy for prior acts that have yet to be asserted. Physicians that purchase commercial claims-made coverage may also purchase a tail policy when leaving an organization or ceasing to practice.

When following guidance in the Financial Accounting Standards Board’s (FASB) Accounting Standards Codification (ASC), most of these same entities record the self-insured liability in their financial statements on an occurrence basis. An occurrence basis is determined by when the incident happens, or occurs, regardless of when it is reported. An occurrence year can also be viewed as the combination of claims-made losses and tail reportings for claims occurring during a year that are unreported. It is important to note that if the physicians are covered on an occurrence basis by an entity (hospital or captive), but the entity purchases claims-made coverage from a commercial carrier for its physicians, then the entity is liable for the tail reportings.

Unpaid Claim Liability And IBNR

The self-insured liability recorded in financial statements has two main components: 1) case reserves on known claims and 2) an incurred but not reported (IBNR) provision for unknown losses. The case reserves are determined based on the most current available information about the known claims while IBNR losses are usually estimated by an actuary. The IBNR losses account for case reserve development on known cases, pure late reportings, reopened cases, and pipeline claims (reported but not yet recorded in the system as a claim). Liability is simply losses that have occurred but are unpaid.

Actuarial Theory

Actuaries utilize models, centered on the theory of consistency and the assumption that the past is predictive of the future, in order to project losses of a program. This includes similarities in reserving strategy, payment philosophy, homogeneous risk management exposures (same types of procedures, same mix of specialties and maturities of physicians), and other program design characteristics. Any intentional change in a program by management should be reported to the actuary to avoid redundant or inadequate estimations.

Financial Reporting Discussion Points

Five key financial reporting items to discuss with both the actuary and the auditor are listed below.

  • Discounting
    Currently, guidance in the American Institute of Certified Public Accountants (AICPA) Audit and Accounting Guide Health Care Entities permits, but does not require, medical malpractice reserves to be recorded in the financial statements on a discounted basis. In order to discount a malpractice liability: 1) the amount of the liability must be fixed or reliably determinable; 2) the amount and timing of cash payments for the liability, based on the healthcare entity’s specific experience, must be fixed or reliably determinable; and 3) the expected insurance recoveries, if any, must also be discounted. If discounted reserves are presented, management must disclose the discount and be able to support the discount rate, which may include 1) the return on investments used to pay claims expected to be realized over the period the claims are expected to mature; 2) a risk-free rate; and 3) highly rated corporate bonds with maturities matching the average length of a malpractice payment, all of which may need to be periodically adjusted for future expectations.
  • Percentile
    Some healthcare entities record malpractice liabilities and fund for these losses with a contingency margin, such as at the 75th percentile, selected by management based on the nature and loss experience of the entity. ASC 954-450-25 provides that the liability recorded is independent of funding considerations. ASC 954-450-30 states that an entity should use all relevant information, including entity-specific data and industry experience, in estimating the liability.
  • Gross vs. net presentation
    FASB Accounting Standards Update (ASU) 2010-24, Healthcare Entities (Topic 954): Presentation of Insurance Claims and Related Insurance Recoveries, requires healthcare entities to report medical malpractice and similar liabilities on a gross basis, separately reporting any receivable relating to anticipated insurance recoveries. One of the outcomes of such gross presentation is to more clearly reflect the entity’s exposure to credit risk from the insurer, as the healthcare entity generally remains primarily liable for payment of claims until the insurer makes payments. ASU 2010-24 must be applied to all policies, including ground-up commercial policies, where the entity has a gross liability even though the net liability is $0.
  • Tail liability
    As addressed in ASC 720-20-25 and ASC 450-20-25, entities that maintain claims-made coverage must accrue for incurred but not reported claims and incidents as of the reporting date if the related loss is probable and reasonably estimable. Some believe the tail should be estimated based on an unlimited basis while others assume a limit based on the entities’ historical loss experience (also known as the “working layer”). Regardless of the limit assumed, the entity cannot assume that claims-made coverage will continue to be purchased in the future.
  • Conservatism in estimates
    Management should understand the amount of conservatism in the actuary’s estimate. Understanding the impact of large losses, where estimates fall within a range, and how actual loss experience is used compared to relying on industry information is important.

Working With The Actuary And Auditor

Management should set a goal to have frequent conversations and in-person meetings with both the actuary and the auditor. Although actuarial analysis and financial reporting can be complicated, it is critical for management to have a full understanding and the ability to effectively communicate its program and story. Finally, management should not be afraid to ask questions of both the actuary and auditor as this often leads to a better understanding for all parties and supports a collaborative working relationship between management, the actuary, and the auditor.

Authors

Richard Frese collaborated with Pat Kitchen in writing this article. Pat Kitchen is an assurance partner in the Chicago office of McGladrey LLP’s Great Lakes health care and not-for-profit practice. Pat leads McGladrey’s health care practice in Chicago and in its Great Lakes region. He has more than 24 years of experience serving a variety of health care organizations, including hospitals and health systems, specialty hospitals, academic medical centers and faculty practice plans, physician practices, and continuing care retirement communities. Pat assists clients with financial statement audits and reviews, compliance audits, accounting consultation, internal control reviews, acquisition-related due diligence, agreed-upon procedures and debt and equity financings.