Tag Archives: property damage

Space, Aviation Risks and Higher Education

What do you do when a group of precocious students decide to build a satellite and launch it into space? Or, when they decide to build an unmanned aviation vehicle (UAV)—more commonly known as a drone—and fly it over a busy urban market? Or, when they design and launch a few rockets October Sky-style from a training field on campus before heading to a NASA competition for a chance at $50,000 in prize money?

As a risk manager, considering the answer to these questions may cause a heart palpitation or two as you think about the potential effects of these educational opportunities on the educational institution. Not only does the institution face increased liability and property damage risks, but there is also the potential for increased risk to reputation and even regulatory compliance considerations.

Insurance was likely the last thing the students at St. Thomas More Catholic School in Arlington, VA, were thinking about when they began construction on a shoebox-sized satellite called Cubesat. According to a Washington Post article, the purpose of Cubesat, which was released from the International Space Station on Feb. 15, 2016, is to beam photos from 200 miles above the Earth back to computers in their school library. You can view pictures from the satellite here.


Insurance was also, probably, the last thing students from the University of Wisconsin-Whitewater were thinking about in October 2015 when they launched their drone to capture aerial images of the new Whitewater City Market. According to the University of Wisconsin News, the purpose of the project was to respond to the market organizer’s request to geographically depict the organic growth of the Whitewater City Market. A video of the aerial images has been posted to YouTube and can be viewed here.

To the 54 college teams selected by NASA for the 2015-2016 NASA Launch Challenge, insurance was likely pretty low on the list of considerations as the teams worked to design, construct, test, launch and successfully recover a high-powered reusable rocket and its payloads. The purpose of the challenge is to encourage participation in STEM fields and to examine innovative solutions to potential issues that may arise during space travel. There is also $50,000 in prize money for the top three teams that complete the challenge. For 2015-16, the competing rockets will be launched on April 16, 2016.

So, what are the risks associated with these types of activities, and how can insurance assist the college in transferring some of these risks?

According to a white paper recently published by Allianz, a large commercial insurer, these types of aviation/space risks can be bifurcated into two areas: (1) ground or pre-launch risks and (2) in-orbit or post-launch risks.

Ground risks include:

  • Hazard or catastrophic risk to facilities because of fire. This type of risk can be significantly increased if someone is using flammable chemicals, such as nitrogen or any of the components present in rocket fuel. Keeping these materials on campus can create additional risk for the institution, which may not be contemplated in current insurance programs.
  • Transportation risk increases the risk of property and liability losses. Moving rocket components, including flammable materials, increases the potential for losses to (1) the components themselves and (2) a third party that may be injured as a result of an incident on the road.
  • Liability loss because of launch failure may result in damage to property near the launch site or even injury to a third party, faculty member or student. Failure to take adequate safety precautions during design/construction—working with chemicals, power tools and other materials—may result in increased potential for injury to students and faculty participating in the project.

Post-launch risks:

  • Loss of the object because of malfunction, damage or equipment failure, items that represent a significant investment of time, resources, and materials. Such a loss may result in the inability to participate in a competition, a loss of grant money or additional time spent rebuilding or reworking the project.
  • Liability loss due to in-air collision, falling objects or interference with another aerial object (such as a satellite signal or an airplane’s operating equipment)—these types of incidents may result in significant bodily injury or damage to third-party property.

Typical insurance policies maintained by most institutions may not provide adequate coverage for space/aviation risks:

Property policy—Provides coverage for loss or damage to property, equipment and materials of the university. Coverage is generally broad but may exclude: (1) hazardous materials, (2) property in transit or off premise, (3) property not owned by the university and (4) pollution because of the release of a hazardous substance or chemical.

General liability policy—Provides coverage for the injury or property damage of a third party because of the negligence of the institution or those operating on behalf of the institution. Coverage responds to a wide range of standard risks, but there may be exclusions for: (1) aviation risks, (2) loss caused by the acts of a third party, such as a student or contractor, (3) third-party liability related to a discharge of pollutants/chemicals, (4) loss of institutional reputation or cost of a crisis management team, (5) coverage for regulatory fines and penalties for failure to obtain proper permits, etc. and (6) the liability to a third party because of the failure of a vessel to perform as expected or because of a design flaw.

Automobile liability policy—Provides coverage for liability and property damage associated with the operation of a motor vehicle. Coverage responds to a wide range of standard risks, but there may be exclusions for: (1) pollution because of the discharge of a chemical substance transported on or in the vehicle, (2) liability for use of third-party transportation, such as a rental vehicle or bus charter or the use of a personal vehicle by a faculty member or student and (3) property damage to institutional property being transported on or in the vehicle.

There are additional types of coverage that may be needed, including:

Pollution coverage—Including premises pollution (to provide coverage for the institution’s own facilities) and pollution liability coverage (to provide coverage for third-party exposure to pollutants).

Aviation/space coverage—Specialized policies can provide coverage for losses to an aerial vessel or its equipment and, also, for the most common types of liability loss (collision, crash or interference). Note: Special endorsements may be required for drones.

Inland marine rider/policy—Provides coverage for scheduled equipment and property that may not otherwise be covered by the institution’s standard property coverage. This can include coverage for property that is being transported in a vehicle.

Crisis management coverage—Provides coverage for loss or damage to the institution’s reputation; this may include coverage for the costs to engage a crisis mitigation team and public relations experts or the cost to take other steps to preserve and restore the reputation of the institution.


Professional liability—Provides coverage to professionals because of the failure of the design/construction or for the failure of the device to perform as intended. This coverage may include coverage for damages not related to injury or to property damage—including the financial loss and the costs for rework and redesign.

Not all insurance policies are created equal—individual coverage and policies may respond differently. Please consult with an expert if you have questions about coverage for these types of institutional activities.

Has an International Cyber War Begun?

Cyber attacks were once on the periphery of American business consciousness. That mindset changed over the past two years. A series of devastating events, including the 2014 cyber attack against Sony, catapulted cyber liability concerns from an IT department issue to a major priority for boardrooms across America. As U.S. government officials concluded that North Korea was behind the attack, many C-suite executives suddenly found themselves asking questions. Is this the start of a cyber war? Could we be the next victim? If we are, how will it affect our operations and our bottom line? Do our insurance policies cover any of these costs?


Today, many insurance buyers look to their cyber insurance policies to fill coverage gaps that often exist in other policies. For example, a property policy may respond to physical damage from a named peril, but it will likely exclude loss for non-tangible assets as a result of a cyber attack. Similarly, a commercial general liability policy will likely provide liability coverage for causing bodily injury because of negligence but exclude coverage for liability because of a failure to secure sensitive data from hackers.

Many policyholders may be unaware that some, though not all, of these cyber policies contain specific terrorism and war exclusions. As a result, gaps in cyber insurance coverage can exist in cases like the Sony breach, where government agencies, like the FBI, conclude that a foreign government or terrorist organization is responsible for the attack.

Is a Cyber Attack “Terrorism” or “War”?

Immediately following the Sony attack, President Obama referred to it by saying, “I don’t think it was an act of war . . . but cyber vandalism.” Then, on April 1, 2015, President Obama signed the Executive Order on Cybersecurity with the goal of protecting the private sector against hackers and thereby bolstering national security. The order seeks to identify and punish individuals behind attacks, but it could also lead some to categorize an apparent hacking event or act of cyber terrorism as an “act of war.”

Changes in government definitions trickle down into coverage disputes because many policies that exclude or include “war,” “terrorism” or “cyber terrorism” either fail to define those terms or define them by referring to standard government definitions.

Government Definitions of Terrorism, Cyber Terrorism and War

THE TERRORISM RISK INSURANCE ACT (TRIA)

“Act of terrorism” is defined as any act certified by the secretary of the Treasury in concurrence with the secretary of State and the attorney general of the U.S. to be:

» an act of terrorism

» a violent act or an act that is dangerous to human life, property or infrastructure

» an act resulting in damage within the United States or outside (on a U.S.-flagged vessel, aircraft or U.S. mission)

» an act committed by an individual or individuals acting on behalf of any foreign person or foreign interest, as part of an effort to coerce the civilian population, U.S. policy or the U.S. government.

The secretary of the Treasury may not delegate his certification authority, and his decision to certify an act or not is not subject to judicial review.

DEPARTMENT OF DEFENSE (DOD)

The DOD defines “terrorism” as “the unlawful use of violence or threat of violence, often motivated by religious, political or other ideological beliefs, to instill fear and coerce governments or societies in pursuit of goals that are usually political.” The term “act of war” is understood to mean “a use of force [that may] invoke a state’s inherent right to lawful self-defense.”

DEPARTMENT OF JUSTICE (DOJ)/FEDERAL BUREAU OF INVESTIGATION (FBI)

The FBI defines “cyber terrorism” as “the premeditated, politically motivated attack against information, computer systems, computer programs and data [that] results in violence against non-combatant targets by subnational groups or clandestine agents.”

DEPARTMENT OF HOMELAND SECURITY (DHS)

The National Infrastructure Protection Center (NIPC), (formally a branch of DHS), defines “cyber terrorism” as “a criminal act perpetrated through computers resulting in violence, death and/or destruction and creating terror for the purpose of coercing a government to change its policies.”

Cyber Terrorism and the ‘Act of War’ Exclusion

Cyber policies are relatively new and manuscript products; as such, the wording varies significantly. Many policies contain a standard exclusion for “war, invasion, acts of foreign enemies, hostilities (whether war is declared or not), civil war, rebellion, revolution, insurrection, military or usurped power, confiscation, nationalization, requisition, or destruction of, or damage to, property by or under the order of any government, public or local authority…” An attack by the Taliban, for example, would probably fit within the exclusion as an act sponsored by a “public or local authority.”

Traditionally, war exclusions were relatively narrow; they required an actual war or, at the very least, “warlike operations”; “for there to be a ‘war,’ a sovereign or quasi-sovereign must engage in hostilities.” Pan Am. World Airways, Inc. v. Aetna Cas. & Sur. Co., 505 F.2d 989, 1005 (2d Cir. 1974) (finding that a Jordanian terrorist group that hijacked a plane was not a de facto government for the purposes of applying the war exception).

However, the events of Sept. 11, 2001, changed the way certain events and groups were perceived and classified, ultimately leading many to label the 2014 cyber attack on Sony an “act of war.”


Litigation surrounding the Sept. 11 attacks led directly to an expanded view of the war exclusion. For one thing, the Second Circuit Court of Appeals ruled that the attacks were an “act of war.” In In re Sept. 11 Litig., 931 F. Supp. 2d 496, 512 (S.D.N.Y. 2013), an owner of a building near the site of the World Trade Center attacks sought to recover cleanup and abatement expenses for removing pulverized dust that infiltrated into the owner’s building after the collapse of the Twin Towers. He sued under the Comprehensive Environmental Response, Compensation, and Liability Act [CERCLA], which allows strict liability claims in pollution cases, but the court applied CERCLA’s “act of war” exception to strict liability.

In concluding that the attacks were an act of war, the court commented that “Al Qaeda’s leadership declared war on the United States, and organized a sophisticated, coordinated, and well-financed set of attacks intended to bring down the leading commercial and political institutions of the United States,” id. at 509, and that “as we learned in the twentieth century, and as has been true throughout history, war can take on a formal structure of armies in contrasting uniforms confronting each other on battlefields, and war can persist for years, fought by irregular, insurgent forces and capable of causing extraordinary damage,” id. at 511.

This expansion of the legal definition of “act of war” to include acts by “irregular, insurgent forces and capable of causing extraordinary damage” could lead to attacks by hacktivist groups or foreign intelligence services being considered acts of war and therefore excluded from cyber policies.

Cyber Insurance and TRIA

The Terrorism Risk Insurance Act (TRIA) is a government program designed to provide a backstop for reinsurers in the event of large terrorism-related losses (more than $100 million). There is debate over whether TRIA applies to cyber policies at all. TRIA applies to commercial property and casualty insurance coverage, but some cyber policies are written as another line of coverage, such as professional liability, which is not included in TRIA.

Even assuming that TRIA would apply to cyber insurance, for TRIA coverage to be in effect, (1) there must be losses, resulting from property damage, exceeding $100 million; and (2) they must be caused by a certified terrorism event:

(1) Property Damage: For TRIA to apply, physical property damage must occur, and what constitutes “physical damage” in the context of a cyber attack remains an open question. What we do know is that TRIA will probably not cover business interruption or reductions in business income absent some physical loss or property damage. Many cyber attacks do not involve any physical damage, which would exclude TRIA coverage.

(2) A Certified Terrorism Event: For TRIA to apply to any event, the event would need to be certified as an act of terrorism. This onerous and political certification process requires the secretary of the Treasury, secretary of State and attorney general to agree that an incident was an “act of terrorism.” Many political and economic issues factor into certifying a terrorism event, which can lead to counterintuitive results. For instance, as of the date of this publication, the April 2013 Boston Marathon bombing has not been certified as a terrorist act.

Conclusion

To ensure coverage for cyber terrorism and cyber warfare, buyers of cyber insurance will need to seek out a cyber risk insurance policy that explicitly includes this coverage in the broadest terms possible. As more insurance carriers enter the cyber insurance market, one must be wary that policy terms will vary from one policy form to the next, and some will have coverage terms superior to others.

Don’t Do It Yourself on Property Claims

It’s okay to get help!

Recently, we hired a business development professional. In learning our business model and marketing strategy, he asked, “Who is your biggest competitor?” We said: our customers — the “do-it-yourselfers.” This struck him as odd, but it is the absolute truth.

We are in the business of preparing property claims that usually involve physical damage and business interruption. This is a very specialized practice that is part accounting, part insurance and part art. However, the companies we approach often feel they are in the best position to handle this process and do not need outside assistance.

Why is that?

When a claim is reported, the insurance company will assign an adjuster to the claim — either an inside adjuster or an independent adjuster — sometimes both. The adjuster is hired by and paid for by the insurance company to make sure the claim fits within terms and conditions of the insurance contract. The adjuster will rely on specialists of his own — usually forensic accountants and forensic engineers. The specialists allow the adjuster to focus on his job of interpreting the coverage, reporting back to the insurance company and negotiating settlement on behalf of the insurance company. The specialists are there to verify the details of the claim that is presented to them by the policyholder. The insurance adjuster alone cannot and does not take on all of the responsibilities. The adjusters are the experts at this process — it is their business and they do it every day — but they still get specialized help.

So if the insurer handles claims this way, why would the insured not get expert help?

Think of the “do-it-yourselfer” project at home. Let’s say you’re pretty handy around the house, so you look at that bathroom that needs remodeling and decide, “I’ll do it myself this weekend.” Technically, you CAN do it yourself — you can take your crowbar and sawzall and do the demolition; you can handle laying the tile; and, with a little research, you could figure out the plumbing. The first weekend you go out to buy the extra tools you need and some supplies, and you get to work. Maybe the demo will go easily, but if you’ve ever tackled a home project, you know nothing is as easy as it seems, and it always takes more time than expected.

If you make it through the demo, you spend the rest of the weekend figuring out your strategy for the new bathroom. Because you have a day job, each evening that next week you try to make progress, but by the end of the week you are bleary-eyed from the stress of this unfamiliar work and the late nights of trial and error. The next weekend, you cannot get back to the work, because you have family activities. When the vanity arrives, you realize it does not quite fit the way it should. Next, you realize you need more tools. Your weekend project turns into months of disarray. If you stay the course, months later you’ll have a functional bathroom, but there are usually a few steps that you decide you’ll have to get to eventually. At this point, you’re getting busier at work, and you just don’t have the bandwidth to get back to the myriad of subsequent bathroom issues, so you consider bringing in an expert to bail you out.

Preparing a claim is very similar if you do it yourself. In addition to saving you time and stress and keeping the results from being compromised, your claim preparation expert has the tools of the trade, the skills and the experience to achieve an accurate and timely recovery. In contrast to the home improvement example, though, your claim preparer’s fees should be covered, in part or in full, by your property policy. So, if you’re not saving time or money by doing it yourself, and an expert will get you a better result, why would you not engage a professional claim preparer?

That question seems like a no-brainer, yet so many still take the DIY approach to property claims.

To sum up, it is okay to ask for help. The policyholder is not expected to be able to “do it yourself.” That is why you have professional fees coverage. The insurance company assigns its experts to adjust and audit your claims, and they’ll be better-equipped to meet their objectives than you will if you take the DIY approach. They are the insurer’s experts, so it is advisable for you to bring in your experts to represent your interests.

Here are a few suggestions of what to look for in a firm to prepare your claims.

  1. A loss accounting specialist, because insurance accounting is a unique trade. Typically, the firm will identify itself as forensic accountants.
  2. Experience with the types of property claims you have, in your industry or similar ones, and with at least 10 years in the field.
  3. Independence. This will ensure the firm is on your side with no conflicts of interest. Avoid allowing your insurer’s accountants to calculate your losses. The same holds for any other party that may have a conflict.
  4. A firm that qualifies for professional fees coverage. The fees should be based on an hourly rating scale, not on contingencies. Property policies will have specific exclusions, such as public adjusters and broker affiliated services.
  5. A firm that is respected by insurers, adjusters and brokers. Your accountants should not threaten your relationships to achieve the result.

If you see the benefit of engaging a team to prepare your property and business interruption claims, do your due diligence ahead of a loss. Interview any qualifying candidates and make your choice. The firm should be involved in your claim from the very beginning.

If you take this advice, your claims will go much more smoothly, and the claim will be free of leaks and loose tiles.

5 Steps for Covering Data Breaches

Target’s $19 million settlement with MasterCard[1] underscores very significant sources of potential exposure that often follow a data breach that involves payment cards. Retailers and other organizations that accept those cards are likely to face—in addition to a slew of claims from consumers and investors—claims from financial institutions that seek to recover losses associated with issuing replacement credit and debit cards, among other losses. The financial institution card issuers typically allege, among other things, negligence, breach of data-protection statutes and non-compliance with Payment Card Industry Data Security Standards (PCI DSS). Likewise, as Target’s recent settlement illustrates, organizations can expect to face claims from the payment brands, such as MasterCard, VISA and Discover, seeking substantial fines, penalties and assessments for purported PCI DSS non-compliance.

These potential sources of liability can eclipse others. While consumer lawsuits often get dismissed for lack of Article III standing,[2] for example, or may settle for relatively modest amounts,[3] the Target financial institution litigation survived a motion to dismiss[4] and involved a relatively high settlement amount as compared with the consumer litigation settlement. So did TJX’s prior $24 million settlement with card issuers.[5] The current settlement involves only MasterCard,[6] moreover, and the Target financial institution litigation will proceed with any issuer of MasterCard-branded cards that declines to partake of the $19 million settlement offer. The amended class action in the Target cases alleges that the financial institutions’ losses “could eventually exceed $18 billion.”[7]

Organizations should be aware that these significant potential sources of data breach and payment brand liability may be covered by insurance, including commercial general liability insurance (CGL), which most companies have in place, and specialty cybersecurity/data privacy insurance.

Here are five steps for securing coverage for data breach and PCI DSS-related liability:

Step 1: Look to CGL Coverage

Coverage A: “Property Damage” Coverage

Payment card issuers typically seek damages because of the necessity to replace cards and, often, also specifically allege damages because of the loss of use of those payment cards, including lost interest, transaction fees and the like. By way of illustration, the amended class action complaint in the Target litigation alleges:

The financial institutions that issued the debit and credit cards involved in Target’s data breach have suffered substantial losses as a result of Target’s failure to adequately protect its sensitive payment data. This includes sums associated with notifying customers of the data breach, reissuing debit and credit cards, reimbursing customers for fraudulent transactions, monitoring customer accounts to prevent fraudulent charges, addressing customer confusion and complaints, changing or canceling accounts and facing the decrease or suspension of their customers’ use of affected cards during the busiest shopping season of the year.[8]

The litigation further alleges that “plaintiffs and the FI [financial institution] class also lost interest and transaction fees (including interchange fees) as a result of decreased, or ceased, card usage in the wake of the Target data breach.”[9]

These allegations fall squarely within the standard-form definition of covered “property” damage under CGL Coverage A. Under Coverage A, the insurer commits to “pay those sums that the insured becomes legally obligated to pay as damages because of … ‘property damage’… caused by an ‘occurrence’”[10] that “occurs during the policy period.”[11] The insurer also has “the right and duty to defend the insured against any … civil proceeding in which damages because of … ‘property damage’ … are alleged.”[12]

Importantly, the key term “property damage” is defined to include not just “physical injury to tangible property” but also “loss of use of tangible property that is not physically injured.” The key definition in the current standard-form CGL insurance policy states as follows:

“Property damage” means:

  • Physical injury to tangible property, including all resulting loss of use of that property. All such loss of use shall be deemed to occur at the time of the physical injury that caused it; or
  • Loss of use of tangible property that is not physically injured. All such loss of use shall be deemed to occur at the time of the “occurrence” that caused it.

For the purposes of this insurance, electronic data is not tangible property.

In this definition, “electronic data” means information, facts or programs stored as or on, created or used on or transmitted to or from computer software, including systems and applications software, hard or floppy disks, CD-ROMs, tapes, drives, cells, data processing devices or any other media that are used with electronically controlled equipment.[13]

Although the current definition states that “electronic data is not tangible property,” to the extent this standard-form language may be present in the specific policy at issue (coverage terms should not be assumed; rather the specific policy language at issue should always be carefully reviewed),[14] the limitation is largely, perhaps entirely, irrelevant in this context because card issuer complaints, like the amended class action complaint in the Target litigation, typically allege damages because of the need to replace physical, tangible payment cards.[15] The complaints further often expressly allege that the issuers have suffered damages because of a decrease or cessation in the card usage.

These types of allegations are squarely within the “property damage” coverage offered by CGL Coverage A, and courts have properly upheld coverage in privacy-related cases where allegations of loss of use of property are present.[16]

Coverage B: “Personal and Advertising Injury” Coverage

There is significant potential coverage for data breach-related liability, including card issuer litigation, under CGL Coverage B. Under Coverage B, the insurer commits to “pay those sums that the insured becomes legally obligated to pay as damages because of ‘personal and advertising injury,’”[17] which is “caused by an offense arising out of [the insured’s] business … during the policy period.”[18] Similar to Coverage A, the policy further states that the insurer “will have the right and duty to defend the insured against any … civil proceeding in which damages because of … ‘personal and advertising injury’ to which this insurance applies are alleged.”[19]

The key term “personal and advertising injury” is defined to include a list of specifically enumerated offenses, which include “oral or written publication, in any manner, of material that violates a person’s right of privacy.”[20]

Considering this key language, courts have upheld coverage under CGL Coverage B for claims arising out of data breaches and for a wide variety of other claims alleging violations of privacy rights.[21] It warrants mention that, although the trial court in the Sony PlayStation data breach litigation recently ruled against coverage, that decision (which turned on the court’s finding that, essentially, Coverage B is triggered only by purposeful actions by the insured, Sony, and not by the actions of the third parties who hacked into its network) is currently on appeal to the New York Appellate Division and may soon be reversed. Nowhere in the insuring agreement or its key definition does the CGL policy require any action by the insured. As the coverage’s name “Commercial General Liability” indicates, the coverage does not require intentional action by the insured, as argued by the insurers in the Sony case, but rather is triggered by the insured’s liability, i.e., the insurer commits to pay sums that the insured “becomes legally obligated to pay” that “arise out of” the covered “offenses.” The broad insuring language, moreover, extends to the insured’s liability for publication “in any manner,” i.e., via a hacking attack or otherwise. The cases cited by the insurer in the Sony case are factually inapposite and interpret entirely different policy language. Indeed, Sony’s insurer, Zurich, itself acknowledged in 2009 that CGL policies may provide coverage for data breaches via hacking, which by definition involves third-party actions.[22]

Organizations also should be aware that the Insurance Services Office (ISO), the insurance industry organization responsible for drafting standard-form CGL language, recently promulgated a series of data breach exclusionary endorsements.[23] ISO acknowledged that there currently is data breach coverage for hacking activities under CGL policies. In particular, ISO stated that the new exclusions may be a “reduction in personal and advertising injury coverage”—the implication being that there is coverage in the absence of the new exclusions.

At the time the ISO CGL and CLU policies were developed, certain hacking activities or data breaches were not prevalent and, therefore, coverages related to the access to or disclosure of personal or confidential information and associated with such events were not necessarily contemplated under the policy. As the exposures to data breaches increased over time, stand-alone policies started to become available in the marketplace to provide certain coverage with respect to data breach and access to or disclosure of confidential or personal information.

To the extent that any access or disclosure of confidential or personal information results in an oral or written publication that violates a person’s right of privacy, this revision may be considered a reduction in personal and advertising injury coverage.[24]

Other than the trial court’s decision in the Sony case, no decision has held that an insured must itself publish information to obtain CGL Coverage B coverage, and a number of decisions have appropriately upheld coverage for liability that the insured has resulting from third-party publications.[25]

The bottom line: There may be very significant coverage under CGL policies, including for data breaches that result in the disclosure of personally identifiable information and other claims alleging violation of a right to privacy, including claims brought by card issuers.

Step 2: Look to “Cyber” Coverage

Organizations are increasingly purchasing so-called “cyber” insurance, and a major component of the coverage offered under most “cyber” insurance policies is coverage for the spectrum of issues that an organization typically confronts in the wake of a data breach incident. This usually includes not only defense and indemnity coverage in connection with consumer litigation and regulatory investigation, but also defense and indemnity coverage in connection with card issuer litigation. By way of example, one specimen policy insuring agreement states that the insurer will “pay … all loss” that the “insured is legally obligated to pay resulting from a claim alleging a security failure or a privacy event.” The key term “privacy event” includes “any failure to protect confidential information,” a term that is broadly defined to include “information from which an individual may be uniquely and reliably identified or contacted, including, without limitation, an individual’s name, address, telephone number, Social Security number, account relationships, account numbers, account balances, account histories and passwords.” “Loss” includes “compensatory damages, judgments, settlements, pre-judgment and post-judgment interest and defense costs.” Litigation brought by card issuers is squarely within the coverage afforded by the insuring agreement and its key definitions.

Importantly, a number of “cyber” insurance policies also expressly cover PCI DSS-related liability. By way of example, the specimen policy quoted above expressly defines covered “loss” to include “amounts payable in connection with a PCI-DSS Assessment,” which is defined as follows:

“PCI-DSS assessment” means any written demand received by an insured from a payment card association (e.g., MasterCard, Visa, American Express) or bank processing payment card transactions (i.e., an “acquiring bank”) for a monetary assessment (including a contractual fine or penalty) in connection with an insured’s non-compliance with PCI Data Security Standards that resulted in a security failure or privacy event.

This can be a very important coverage, given that, as the recent Target settlement illustrates, organizations face substantial liability arising out of the card brand and association claims for fines, penalties and assessments for purported non-compliance with PCI DSS. The payment card brands routinely claim that an organization was not PCI DSS-compliant, and the PCI forensic investigator assigned to investigate compliance routinely determines that the organization was not compliant at the time of a breach. As the payment industry has stated, “no compromised entity has yet been found to be in compliance with PCI DSS at the time of a breach.”[26]

The bottom line: “Cyber” insurance policies may provide broad, solid coverage for the costs and expenses that organizations may incur in connection with card-issuer litigation and payment brand claims alleging PCI non-compliance.

Step 3: Look to Other Potential Coverage

It is important not to overlook other types of insurance policies that may respond to cover various types of exposure flowing from a breach. For example, there may be coverage under directors’ and officers’ (D&O) policies, professional liability or errors and omissions (E&O) policies and commercial crime policies. After a data breach, companies are advised to provide prompt notice under all potentially implicated policies, except in particular circumstances that may justify refraining from doing so, and to carefully evaluate all potentially applicable coverages.

Step 4: Don’t Take “No” For an Answer

Unfortunately, even where there is a legitimate claim for coverage under the policy language and applicable law, an insurer may deny a claim. Indeed, insurers can be expected to argue, as Sony’s insurers argued, that data breaches are not covered under CGL insurance policies. Nevertheless, insureds that refuse to take “no” for an answer may be able to secure valuable coverage.

If, for example, an insurer reflexively raises the “electronic data” exclusion in response to a claim under CGL Coverage A, which purports to exclude, under the standard form, “[d]amages arising out of the loss of, loss of use of, damage to, corruption of, inability to access or inability to manipulate electronic data,”[27] insureds are encouraged to point out that the damages alleged by card issuers for replacing physical cards and for lost interest and transaction fees, etc., resulting from loss of use of those cards, are clearly outside the purview of the exclusion. Likewise, if an insurer raises the standard “Recording And Distribution Of Material Or Information In Violation Of Law” exclusion, insureds are encouraged to point out that the exclusion has been narrowly interpreted, does not address common-law claims and has been held inapplicable where the law at issue fashions relief for common law rights.[28]

Importantly, exclusions and other limitations to coverage are construed narrowly against the insurer and in favor of coverage under well-established rules of insurance policy interpretation,[29] and the burden is on the insurer to demonstrate an exclusion’s applicability.[30]

Step 5: Maximize Cover Across the Entire Insurance Portfolio

Various types of insurance policies may be triggered by a data breach, and the various triggered policies may carry different insurance limits, deductibles, retentions and other self-insurance features, together with various different and potentially conflicting provisions addressing, for example, other insurance, erosion of self-insurance and stacking of limits. For this reason, in addition to considering the scope of substantive coverage under an insured’s different policies, it is important to carefully consider the best strategy for pursuing coverage in a manner that will maximize the potentially available coverage across the insured’s entire insurance portfolio. By way of example, if there is potentially overlapping CGL and “cyber” insurance coverage, remember that defense costs often do not erode CGL policy limits, and structure the coverage strategy accordingly.

When facing a data breach, companies should carefully consider the insurance coverage that may be available. Insurance is a valuable asset. Before a breach, companies should take the opportunity to carefully evaluate and address their risk profile, potential exposure, risk tolerance, sufficiency of their existing insurance coverage and the role of specialized cyber coverage. In considering that coverage, please note that there are many specialty “cyber” products on the market. Although many, if not most, of these policies purport to cover many of the same basic risks, including data breaches and other types of “cyber” and data privacy-related risk, the policies vary dramatically. It is important to carefully review policies for appropriate coverage prior to purchase and, in the event of a claim, to carefully review the scope of all potentially available coverage.

This article was first published in Law360.

 

[1] Target Strikes $19M Deal With MasterCard Over Data Breach, Law360 (April 15, 2015). The settlement is contingent upon at least 90% of the eligible MasterCard issuers accepting their alternative recovery offers by May 20.

[2] See, e.g., No Data Misuse? No Standing For Data Breach Plaintiffs, Law360 (April 24, 2014).

[3] Target Will Pay Consumers $10M To End Data Breach MDL, Law360, New York (March 19, 2015).

[4] See, e.g., Target Loses Bid to KO Banks’ Data Breach Litigation, Law360 (April 15, 2015).

[5] TJX Reaches $24M Deal With MasterCard Issuers, Law360 (April 2, 2008).

[6] The company is reported to be in similar negotiations with Visa.

[7] In re: Target Corporation Customer Data Security Breach Litigation, MDL No. 14-2522 (PAM/JJK) (D. Minn), at ¶ 87 (filed August 1, 2014).

[8] Id., ¶ 2 (emphasis added).

[9] Id., ¶ 86 (emphasis added).

[10] ISO Form CG 00 01 04 13 (2012), Section I, Coverage A, §1.a., §1.b.(1).

[11] Id., Section I, Coverage A, §1.b.(2).

[12] Id., Section I, Coverage A, §1.a.; Section V, §18.

[13] ISO Form CG 00 01 04 13 (2012), Section V, §17 (emphasis added).

[14] In the absence of such language, a number of courts have held that damaged or corrupted software or data is “tangible property” that can suffer “physical injury.” See, e.g., Retail Sys., Inc. v. CNA Ins. Co., 469 N.W.2d 735 (Minn. Ct. App. 1991); Centennial Ins. Co. v. Applied Health Care Sys., Inc., 710 F.2d 1288 (7th Cir. 1983) (California law); Computer Corner, Inc. v. Fireman’s Fund Ins. Co., No. CV97-10380 (2d Dist. Ct. N.M. May 24, 2000).

[15] See also Eyeblaster, Inc. v. Federal Ins. Co., 613 F.3d 797 (8th Cir. 2010).

[16] See, e.g., Travelers Prop. Cas. Co. of America v. DISH Network, LLC, 2014 WL 1217668 (C.D. Ill. Mar. 24, 2014); Columbia Cas. Co. v. HIAR Holding, L.L.C., 411 S.W.3d 258 (Mo. 2013).

[17] ISO Form CG 00 01 04 13 (2012), Section I, Coverage B, §1.a.

[18] Id., Section I, Coverage B, §1.b.

[19] Id., Section I, Coverage B, §1.a.; Section V, §18.

[20] Id., Section V, §14.e.

[21] See, e.g., Hartford Cas. Ins. Co. v. Corcino & Assocs., 2013 WL 5687527 (C.D. Cal. Oct. 7, 2013).

[22] Zurich, Data security: A growing liability threat (2009), available at http://www.zurichna.com/NR/rdonlyres/23D619DB-AC59-42FF-9589-C0D6B160BE11/0/DOCold2DataSecurity082609.pdf (emphasis added).

[23] These new exclusions became effective in most states in May 2014. One of the exclusionary endorsements, titled “Exclusion – Access Or Disclosure Of Confidential Or Personal Information,” adds the following exclusion to the standard form policy:

This insurance does not apply to:

Access Or Disclosure Of Confidential Or Personal Information

“Personal and advertising injury” arising out of any access to or disclosure of any person’s or organization’s confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of non public information.

CG 21 08 05 14 (2013). See also Coming To A CGL Policy Near You: Data Breach Exclusions, Law360 (April 23, 2014).

[24] ISO Commercial Lines Forms Filing CL-2013-0DBFR, at pp. 3, 7-8 (emphasis added).

[25] See, e.g., Hartford Cas. Ins. Co. v. Corcino & Assocs., 2013 WL 5687527 (C.D. Cal. Oct. 7, 2013).

[26] Visa: Post-breach criticism of PCI standard misplaced (March 20, 2009), available at http://www.computerworld.com.au/article/296278/visa_post-breach_criticism_pci_standard_misplaced/

[27] CG 00 01 04 13 (2012), Section I, Coverage A, §2.p.

[28] See, e.g., Hartford Cas. Ins. Co. v. Corcino & Assocs., 2013 WL 5687527 (C.D. Cal. Oct. 7, 2013). For example, in the Corcino case, the court upheld coverage for statutory damages arising out of a hospital data breach that compromised the confidential medical records of nearly 20,000 patients, notwithstanding an express exclusion for “personal and advertising Injury …. [a]rising out of the violation of a person’s right to privacy created by any state or federal act.” Corcino and numerous other decisions underscore that, notwithstanding a growing prevalence of exclusions purporting to limit coverage for data breach and other privacy-related claims, there may yet be valuable privacy and data breach coverage under “traditional” or “legacy” policies that should not be overlooked.

[29] See, e.g., 2 Couch on Insurance § 22:31 (“the rule is that, such terms are strictly construed against the insurer where they are of uncertain import or reasonably susceptible of a double construction, or negate coverage provided elsewhere in the policy”).

[30] See, e.g., 17A Couch on Insurance § 254:12 (“The insurer bears the burden of proving the applicability of policy exclusions and limitations or other types of affirmative defenses”).

7 Common Issues on Property Claims

When a property claim occurs, with or without business interruption, it is very common to assume that it will be straightforward. Just submit your invoices, and your insurer sends you a check. You may think, “We can do it ourselves,” or, “We have it under control.” If this has been your approach, you need to read on.

There are many potential issues when preparing a property claim that are commonly overlooked or misunderstood. The challenge is even greater if there is a business interruption component to your claim.

From experience, my partners and I have identified the most common property claim issues that can slow down the claim process and have an adverse effect on recovery.

  1. Repair vs. Replacement

Repair vs. replacement comes up in almost every significant property claim. The issue arises when it becomes a battle of opinions and assumptions. We all know the humor on opinions and assumptions — but your property damage claim is no laughing matter, so let’s explore what can happen.

If you have a replacement policy, you have the option to repair or replace. If it makes more sense to replace with a new and improved item, then you should do what’s best for your business. However, if repairs are possible and at a lower cost, the adjuster will undoubtedly dispute the claim, and you’ll be debating a matter of opinion. When the adjuster’s experts recommend repairs that you know are not guaranteed to work, especially long-term, you face a challenge. As a business, you cannot afford to risk a failed repair, so you elect to go with new equipment with a warranty. The repair option will now be a theoretical scenario that your insurer can leverage to adjust your claim payment. Regardless of the adjuster’s position, you did what was best for your business, but there’s a way to neutralize this potential adjustment.

  • First, the worst thing you can do is proceed on a plan without sharing your logic with the adjuster. Include the adjuster in the initial assessment and decision-making process. While you have the right to do what is best for your business, the adjuster’s involvement and buy-in early on will make her part of the decision and can help to avoid an issue down the road.
  • Next, get several (at least three) independent quotes to repair or replace the equipment — these quotes should include the time, expense and predicted reliability of the repair. If you only get a quote from the original manufacturer, there could be a perception that it has an ulterior motive. Armed with data, you will have an easier time justifying your decision. For example, the repair option may be cheaper, but if it takes longer to complete, it will add to your business interruption claim and ultimately cost more.
  • Finally, perform a realistic analysis of various failed-repair scenarios and the potential impact on timing and costs. Discuss your findings with the adjuster to ensure any subsequent repairs and resulting business interruption would be covered as part of this claim and not a separate occurrence. After all, everything is technically repairable — it is just a matter of determining the most practical solution given all the circumstances.

  2. Betterments

Losses often present opportunities to make useful changes and improvements to operations. Adjusters anticipate this and will be prepared with reasons to limit recovery by labeling certain repairs, reconfigurations, and replacements as betterments. Most of the time, newer is better, and that is why you pay for a replacement policy. However, just because something is better does not mean you should not get full replacement value.

Let’s say you are replacing a piece of production equipment that was damaged as part of your loss. In searching for a replacement, you find that the as-was capacity replacement for your equipment is no longer available and that the alternative equipment has a 10% greater production capacity than the damaged property. In this case, the adjuster may argue for a credit for the increased capacity. Though the new equipment is clearly a benefit to your business, because the exact model that is being replaced is no longer available, you don’t have an equivalent alternative. If required to justify and validate your decision, simply compare the cost/time differential between your decision and a custom order built to spec. In cases like this, you should not be penalized for the betterment.

There are valid adjustments for betterments, but it’s important to understand the difference between a betterment and your rights to a replacement of like kind and quality.

  3. Property Damage vs. Extra Expense

From a policyholder perspective, the types of expenses related to the claim do not really matter because they are necessary to get back in business. The insurance company, however, needs to see expenses segregated into their proper insurance claim buckets. To ensure a smooth claim process, knowing how best to account for expenses is critical to the outcome of your claim. Let’s say you have payroll expenses for cleanup and remediation. If you consider that property and extra expense are subject to different limits and deductibles, it makes good sense to claim them according to your coverage limits. As a rule of thumb, look at the property bucket first for expenses related to cleanup and repair of the property because the extra-expense bucket will offset business interruption, thus allowing you to operate as normally as possible during the indemnity period.

As an example, assume you have production labor working overtime to keep production going and to clean up and repair damage from the loss. This time should be separated into normal labor, property damage cleanup and repair, and extra expense. To complicate things further, both normal rates and overtime rates need to be factored into each calculation. Finally, you have to keep detailed records that document the who, what, when and where of the work being done.

Remember, when appropriate, it’s best to claim expenses as property damage, provided the costs can be documented. It is a more tangible approach and will avoid conflicting with the business interruption calculations for extra expense and inefficiencies, which are based on assumptions and subject to debate.

  4. Actual Cash Value

Immediately after a loss, you are entitled to recover the documented actual cash value (ACV) of your damaged property. You may claim ACV as the amount you are due before exploring replacement options. This is a good tactic if you want to get the cash flowing early in the process while the replacement values are being determined and decisions on replacement are made. However, accurately determining ACV can be challenging.

Typically, the starting point is the asset ledger that shows a depreciated value of the asset. However, this number is usually used for tax purposes and may not represent the actual value of the asset. Other options to value the asset include pricing based on what a willing buyer would pay or replacement less physical depreciation based on the actual life of the asset. These methods vary state by state. Do your research to value the asset appropriately under the circumstances and know that there is not one right answer.

Additionally, some policies allow you to recover full replacement value for assets even if you do not replace them. The policies usually require that you spend the money on a capital project that was not approved at the time of the loss. The capital improvement does not necessarily have to replace capability of the lost assets. If this is of interest, check with your broker about adding this option to your program.

  5. Period of Indemnity Impact

In general, the period of indemnity is the length of time it takes (or should take) to make property repairs. Once repairs are complete or should have been complete, the period of indemnity terminates. While you can, and should, attempt to settle portions of the property claim as you go, any agreements related to the property side of your claim can have a costly impact on the indemnity period for the time-element portion of the claim. It is critically important to address property issues in tandem with time element, to avoid unnecessary recovery issues.

This can be a little confusing. As an example, let’s assume you have a total loss to a piece of equipment, and the replacement cost is known. It would be reasonable to settle for the replacement cost of that equipment. However, the adjuster assumes an aggressive timeline to order and install the equipment, not considering how installation might affect continuing production. When this happens, make sure the timeline and assumptions for installation are clear and acceptable before settling on the cost to replace the equipment. Otherwise, you might get what you want on the property settlement and then lose on the time element.

If you have a separate team working on the property and time-element claims, collaboration is essential to avoid assumption-based adjustments. This becomes especially important when repairs are theoretical, as this will be the basis for the time-element recovery. Always remember to consider all assumptions needed for time-element claims as part of any property settlement.

  6. Residual Value Adjustment

If you have a significant property claim, you may need to purchase equipment or supplies on a temporary basis. The validity of these purchases is not in question, but their use once permanent repairs are made is. For items such as these, the adjuster may look to take a residual value credit. Essentially, the adjuster agrees that you needed that item, but when the permanent repairs are made (and paid for), you will no longer need it. This may be true, but this does not always mean you should not get full value for the item.

For example, you have an electrical loss that will keep you out of business for an extended period. You purchase a generator to provide basic power to areas of your business. When repairs are complete and power is restored, you no longer need the generator but still have the unit. Because you still have it, the adjuster takes a residual value credit. Is that fair?

The first question you need to ask is whether you want to keep the generator. If there is some value to you, a fair credit can be negotiated with the insurance company. If you do not want to keep the item or do not feel the credit is reasonable, you can have the insurance company take possession — after all, the insurer paid for it. If the insurance company thinks it can get value from the generator by taking possession and selling it, the company will probably take you up on this. More often than not, this is not cost-effective, and you can minimize or eliminate the residual value credit.

  7. Documentation

If you have never been through a significant property claim, you might not appreciate the level of detail that is required to document your claim. The general perception is that you gather some invoices and quotes on a sample basis, and that should be enough. Unfortunately, the requirements for an insurance claim are more detailed than most capital projects and audits. Quotes and estimates need to be extremely detailed, and proof of payment needs to be documented almost entirely — if you cannot properly document a claim, it will likely not be paid. It may not be acceptable to the insurance company to use a dollar threshold for charges because the company will insist on auditing 100% of the charges.

To demonstrate the level of scrutiny that claims come under, I refer to an experience I had on one of the largest claims I worked on. The property portion of the claim was close to $200 million. Months of work and tons (literally) of paper were presented to support this claim. During a meeting between the accountants and engineers, one of the engineers made copies for everyone of one invoice presented for payment. He adamantly pointed out that the invoice had been duplicated in our claim submission. It was for one $5 roll of duct tape.

The point is that handling and organizing all the documentation required to support your claim can be daunting. To avoid mistakes, it is advisable to assign a dedicated person or team to locate, scan, print and manage all the support documentation. Bringing in an expert forensic accountant is always a good option to consider, especially for larger, complicated claims or just to relieve your team from these tedious and burdensome tasks. Forensic accountants that specialize in claim preparation may be covered in your policy to work on your behalf. Though you will still have some work to do, your claim will go more smoothly, with fewer pitfalls.

Now you know why property claims are not as easy and straightforward as you might expect. After decades of preparing claims for policyholders, we can attest that what you don’t know comes at a cost in both time and money. We hope the information above can help you prepare for at least some of the issues you might encounter should you have a future property damage claim.