Tag Archives: liability policies

Coverage Risks From the ‘Internet of Things’

The “Internet of Things” is here.

According to Cisco, sometime during 2008, the number of things connected to the Internet exceeded the number of people.  Cows, corn, cars, fish, medical devices, appliances, power meters — practically  any item imaginable has been or can be connected. Eventually, we will be able to, for instance,  “sync” an entire home so that its heating system is programmed to adjust to  weather patterns and inhabitants’ activities.

Businesses ranging from small start-ups to long-standing conglomerates  are now embedding adaptive “smart” technologies into even mundane products, including  window shades, light bulbs and door locks.

While Internet of Things (IOT) devices create obvious value, they also expand risk. In effect, we are creating an  “infrastructure for surveillance” that constantly generates critical, sometimes exceptionally  private, data transmitted for use on servers perhaps thousands of miles away.

If an IOT device malfunctions, or if data or software is compromised or lost, individuals and  businesses may suffer devastating losses. Dosages of critical medication might be missed, for instance, or needed medical treatments omitted. In fact, the risks posed by IOT have already attracted the attention of regulatory authorities. The U.S. Food and Drug Administration has surveyed the industry and decided to update its guidance on cybersecurity for IOT medical devices, and the Federal Trade Commission has held a symposium addressing IOT issues.

As use of these products continues to expand, such risks will be realized, and manufacturers will look to their insurers for defense and indemnity protection. Coverage for product liability is typically provided under liability policies, which can be written on an occurrence or claims-made basis. Liability of the manufacturer of a malfunctioning fire alarm that fails to alert homeowners of a fire should be covered under such policies, as should bodily injuries or property damage caused by other defective products, including products that are part of the IOT. Injuries from such products may result not only from a device’s failure to work but also from a network’s failure to provide communications as needed. These failures, as well as the more traditional product failures, should continue to be covered if insurance is to continue to serve its function and transfer financial risk.

Liability policies generally define the product risk to include all bodily injury and property damage occurring away from premises you own or rent and arising out of your product or your work except:

  1. products that are still in your physical possession; or
  2. work that has not yet been completed or abandoned.

The policies define “your products” to be any property (other than real property) manufactured,  sold, handled, distributed or disposed of by the insured and to include warranties or representations made at any time with respect to the fitness, quality durability, performance or use of your product; and the providing of or failure to provide warnings or instructions.

Liabilities for malfunctions of IOT products appear to fit squarely within this definition. There are, however, some complications that insurers might put forward were they interested in denying coverage, and policyholders will need to examine their insurance to avoid the uncertainty and cost of litigation.

Coverage for IOT risk is complicated by the fact that the devices add value and efficiency by communicating with each other and distant servers on which data is stored and algorithms run. Indeed, this interoperability is the critical and promoted feature of IOT products. To see how this can complicate the coverage question, let us take a concrete example.

Let us imagine a refrigerator — the eFridge — that communicates data concerning the products it holds. When combined with complementary devices — called eShelves — it is able to keep track of all food in the kitchen. The refrigerator also keeps track of its states, including its internal temperature, and transmits its state data and food stocked to a server maintained by smartKitchens at a distant location. On this server, the data is stored and analyzed by an algorithm designed by smartKitchens’ software engineers. The algorithm, based upon eFridge state data and data on stocked food, generates recommended recipes for the week so that all food is used before it spoils. The recommendations sent from the server to the eFridge appear on a screen on the refrigerator’s front door.

There are two Internet transport protocols, TCP and UDP. The latter is often used when broadcasting within a network is needed (as it is so that the eShelves can be configured) and can be cheaper to implement, but it is also less reliable because communicating devices receive no notice when UDP datagrams — the electronic containers of transmitted data — are lost or dropped. The eFridge is designed to use UDP, and the software engineers have developed their algorithm to deal with the problem of dropped datagrams as follows: Rather than generating a warning that there is incomplete information, the algorithm assumes that the refrigerator’s state is consistent with the average state maintained over the prior two weeks. This is done to avoid multiple appearances of “error” messages on the eFridge door/screen and to increase customer satisfaction.

Now imagine that one week the server fails to receive datagrams regarding the state of the refrigerator on Monday, during which for some unknown reason the temperature inside the refrigerator exceeded room temperature. Unfortunately, as of Monday, the refrigerator contained a pound of mussels, which as a result of the temperature change are spoiled. Data concerning this temperature increase were not received by the server, and therefore the algorithm, having been designed to assume that the temperature was maintained at its average, recommends a recipe for Wednesday of mussels provençale. The consumer sustains a very serious case of food poisoning and seeks compensation from smartKitchens, which demands coverage from its insurer. Is smartKitchens covered?

The event appears to be squarely within the sort of product liability coverage that product manufacturers and distributors expect. There is a product away from the insured’s premises that made a “defective” recommendation and caused bodily injury. As such, there should be coverage.

But an aggressive insurer could construct an argument to the contrary. It might contend that the injury was caused by the algorithm, not the refrigerator. Insurers might contend that the algorithm constitutes “work that has not been completed or abandoned,” because the engineers have the ability to change the algorithm to address the possibility of spoiled mussels, and that therefore the risk is not within the product’s coverage.

Such an argument should ultimately fail. The fact that smartKitchens’ software engineers can update the algorithm does not mean that they have “not completed or abandoned” it for purposes of the insurance policy. Moreover, liability policies generally provide that “work which requires further … correction … because of defect or deficiency, but which is otherwise complete, shall be deemed completed.” In fact, here, smartKitchens let the algorithm run as it was designed to, and it did so. Nonetheless, although the insured should eventually obtain the benefit of coverage, that could very well be only after protracted and expensive litigation, reducing the value of the insurance purchased.

There is another argument as well that the insurer might make. Since about 2003, liability policies have generally included an exclusion — exclusion p, on the Insurance Services Office Inc. form — barring coverage for damages arising out of the loss of, loss of use of, damage to, corruption of, inability to access or inability to manipulate electronic data.

As used in this exclusion, electronic data means information, facts or programs stored as or on, created or used on, or transmitted to or from computer software, including systems and applications software, hard or floppy disks, CD-ROM[s], tapes, drives, cells, data processing devices or any other media which are used with electronically controlled equipment.

An insurer might contend that the problem was created, not by the eFridge, but by the loss of electronic data, when the packets were dropped. The insurer might use this argument to contend that coverage is barred.

Again, the insured should prevail were the insurer to make such an argument. The algorithm functioned as it was designed. It did not fail to process data, but processed data exactly as intended. It was merely responding as designed to an unfortunate consequence of the decision to implement the UDP protocol.

But here, too, the insured is likely to find itself in an expensive coverage dispute, depriving the insured of the value of the insurance purchased.

As always, new technologies create new risks, and new risks create the possibility of coverage disputes. These disputes should be resolved in the insured’s favor, as it is the responsibility of an insurer to draft policy language to clearly and unequivocally exclude risks. This rule has special force where, as in our example, there is an expectation that liability for products would be covered. It should, in other words, be the responsibility of underwriters to understand the products they insure and clearly state if they do not desire to cover an attendant risk. Nonetheless, as the use of IOT devices continues and expands, the past has taught that we can expect to see risks expand and insurers attempt to restrict coverage.

Mandatory Skilled Nursing Hours Claims: Are You Covered?

As coverage counsel for policyholders, we see a variety of cases, claims, and complaints. In recent years we have observed a growing trend in health care litigation. Specifically, claims alleging violations of California Health and Safety Code Section 1276.5, which requires skilled nursing facilities (SNFs) to provide at least 3.2 nursing hours per day for each facility resident (3.2 Requirement). In the past, the 3.2 Requirement was mainly enforced by the California Department of Public Health, not private individuals. However, skilled nursing facility residents have the right to bring a private cause of action alleging violations of the 3.2 Requirement (3.2 Claims). The Lavender, et al. v. Skilled Healthcare Group, Inc., et al. matter,1 which resulted in a 2010 jury verdict of more than $670 million for plaintiff skilled nursing facility residents asserting, among other things, 3.2 Claims, demonstrates how disastrous such claims can be for skilled nursing facilities that litigate such claims through trial.

This private right of action was recently addressed by the California Court of Appeal in Shuts, et al. v. Covenant Holdco LLC, et al., where the plaintiff skilled nursing facility residents asserted 3.2 Claims under Health and Safety Code Section 1430(b).2 The Court in Shuts held that Section 1430(b) permits current or former skilled nursing facility residents to bring a lawsuit against the facility for violating any of their rights under the “Skilled Nursing and Intermediate Care Facility Patient's Bill of Rights.”3 The Patient's Bill of Rights includes the entitlement to live at a skilled nursing facility that employs an “adequate number of qualified personnel.”4 Thus, Section 1276.5's requirement that facilities maintain staffing ratios compliant with the 3.2 Requirement may be enforced by residents through Section 1430(b). Additionally, Section 1430(b) allows plaintiffs to recover monetary damages, up to a maximum of $500 per violation, as well as attorneys' fees and costs. By law, these damages may be multiplied by a factor of three if such violations caused a senior citizen or disabled person to suffer.5

Very recently, the California Court of Appeal held in Nevarrez v. San Marino Skilled Nursing and Wellness Centre that Section 1430(b) permits a maximum recovery of $500 total in a civil action for violation of the Patient's Bill of Rights.6 The Court opined that $500 is the maximum recovery available “regardless of how many rights are violated or whether such rights are violated repeatedly.”7 The trial court's award of $7,000 (based on a $500 award for each of the 14 violations alleged) was therefore reversed.8 This is an important ruling for skilled nursing facilities, and may significantly curtail litigation based on alleged violations of the Patient's Bill of Rights given the potential for very limited monetary recovery.

The Nevarrez decision is not yet final and may be reversed. Indeed, the Court of Appeal granted a petition for rehearing on the issue of the maximum recovery allowable under Section 1430(b). As a result, the decision in Nevarrez is now vacated pending rehearing.9 Thus, given the potentially significant exposure facilities still face opposing 3.2 Claims, insurance coverage is critical. Such coverage turns on the policy language at issue. Generally speaking, there are two types of liability policies: those that require physical harm and those that do not. The policies that do not require physical harm are more likely to result in coverage for 3.2 Claims, as patient-plaintiffs tend to disclaim any intent to “'seek damages for personal injuries, wrongful death or other resident-specific harm that may have been caused by inadequate staff.'”10 Such disclaimers are likely included to facilitate class certification in putative class actions; if there is any indication that individual claims of injury or death could predominate the lawsuit, the facility-defendants could possibly defeat class certification.

Despite policy language indicating coverage, insurers attempt to avoid their coverage obligations by asserting various arguments, including that 3.2 Claims amount to uncovered fines and penalties (liability policies commonly contain provisions excluding coverage for “fines and penalties”). Such arguments are unpersuasive. For example, nowhere in the statute through which patient-plaintiffs assert 3.2 Claims — Section 1430(b) — are fines or penalties mentioned. To the contrary, Section 1430(b) is entitled “Actions for injunction or civil damages.”11 Additionally, in the Shuts matter, the California Court of Appeal explained that “Section 1430, subdivision (b) authorizes statutory damages, attorney fees, and injunctive relief.”12 Further, the California Supreme Court has drawn a distinction between penalties that may be assessed by the State Department of Health Services (now the Department of Public Health) for violations, and the damages that may be recovered by a private party under the Long-Term Care, Health, Safety, and Security Act of 1973 (which includes Section 1430).13 Thus, the relief available to private party plaintiffs under Section 1430(b) constitutes covered damages, not uncovered fines or penalties.

Notwithstanding the title of Section 1430(b) — “Actions for injunction or civil damages” — and the California Supreme Court's distinction between penalties and damages, the Court of Appeal in Nevarrez referred to the amount recoverable under Section 1430(b) as a “penalty.”14 Because the Nevarrez court's reference to Section 1430(b)'s imposition of supposed “penalties” (as opposed to damages) was not an issue pending before the Court, its characterization of the relief available under Section 1430(b) is non-binding dicta.

Further, it is well established in California that insurance coverage is interpreted broadly so as to afford the greatest possible protection to the insured.15 Courts will not read words into a statute to facilitate a declination of coverage.16 Additionally, an insurer bears the burden of bringing itself within a policy's exclusionary clauses and exclusions are narrowly construed against insurers.17 Policy exclusions are strictly construed and an insurer cannot escape its basic duty to insure by means of an exclusionary clause that is unclear.18

Because Section 1430(b) is properly construed to provide for damages, not fines or penalties, and insurers must meet a high burden to avoid coverage based upon exclusionary policy language, a standard “fines or penalties” coverage limitation should not preclude coverage for 3.2 Claims.

Understanding insurance coverage issues can be key for skilled nursing facilities facing 3.2 Claims. Not only can insurance funds provide a defense against such claims, they may also assist in resolving those claims so as to avoid potentially devastating results at trial.

Miles Holden collaborated with Samantha Wolff in writing this article. Ms. Wolff is an attorney at Hanson Bridgett LLP. She represents both public and private sector clients in a variety of matters, including insurance coverage disputes and putative and certified class actions, through all phases of litigation in federal and state court.

1Lavender, et al. v. Skilled Healthcare Group, Inc., et al.; California Superior Court, Humboldt County; Case No. DR060264.

2Shuts, et al. v. Covenant Holdco LLC, et al. (2012) 208 Cal.App.4th 609.

3Health & Saf. Code, § 1430, subd. (b); Shuts, 208 Cal.App.4th at p. 614.

4Health & Saf. Code, § 1599.1, subd. (a); Cal. Code Regs., tit. 22, § 72527, subd. (a)(25).

5Civ. Code, § 3345.

6Nevarrez v. San Marino Skilled Nursing and Wellness Centre (June 5, 2013, B235372) __ Cal.App.4th __ [2013 Cal.App. LEXIS 444].)

7Nevarrez, supra, __ Cal.App.4th __ [2013 Cal.App. LEXIS 444, at p. *46].

8Id. at p. *47.

9Cal. Rules of Court, rule 8.268(d).

10See, e.g., Shuts, 208 Cal.App.4th at p. 615.

11Health & Saf. Code, § 1430 (emphasis added).

12Shuts, 208 Cal.App.4th at p. 614 (emphasis added).

13Kizer v. County of San Mateo (1991) 53 Cal.3d 139, 142-43.

14Nevarrez, supra, __ Cal.App.4th __ [2013 Cal.App. LEXIS 444, at pp. *45-47].

15See, e.g., MacKinnon v. Truck Ins. Exch. (2003) 31 Cal.4th 635, 648; see also State of Cal. v. Allstate Ins. Co. (2009) 45 Cal.4th 1008, 1018 (where insurance policy terms are ambiguous, they must be interpreted to protect the objectively reasonable expectations of the insured).

16Code Civ. Proc., § 1858; see also Silicon Valley Taxpayers' Assoc., Inc. v. Santa Clara County Open Space Authority (2008) 44 Cal.4th 431, 444-45 (statutes are to be given their plain meaning and courts are not permitted to read into the meaning of a statute if the language is clear and unambiguous); People v. Guzman (2005) 35 Cal.4th 577, 587-88 (courts may not add provisions to a statute by inserting words).

17N. Am. Bldg. Maint., Inc. v. Fireman's Fund Ins. Co. (2006) 137 Cal.App.4th 627, 642; Charles E. Thomas Co. v. Transamerica Ins. Grp. (1998) 62 Cal.App.4th 379, 382.

18E.M.M.I. Inc. v. Zurich Am. Ins. Co. (2004) 32 Cal.4th 465, 471.