
Ending Cost-Shifting to Workers’ Comp

An April 2016 study by the Workers Compensation Research Institute (WCRI) titled “Do Higher Fee Schedules Increase the Number of Workers’ Compensation Cases?” found that, in many states, workers’ compensation reimbursement rates were higher than group health reimbursement rates. The study stated that cost shifting is more common with soft tissue injuries, especially in states with higher workers’ compensation reimbursement rates. The study found that an estimated 20% increase in workers’ compensation payments for physician services provided during an office visit is associated with a 6% increase in the number of soft-tissue injuries being called “work-related.”

This study goes hand-in-hand with another study by the WCRI called, “Will The Affordable Care Act Shift Claims to Worker’s Compensation Payors” (September 2015), which said that if only 3% of group health soft tissue conditions were shifted to workers’ compensation in Pennsylvania, costs could increase nearly $100 million annually — in California, this cost shifting to workers’ compensation could increase costs more than $225 million.


Soft-tissue injuries, typically defined as musculoskeletal disorders (MSD), are usually muscle or nerve conditions that primarily affect the neck, back and shoulders and can include conditions such as cumulative trauma, neck and back sprains/strains or any damage to the muscles, ligaments and tendons. They are often difficult to diagnose and treat because there are very few reliable objective tests that demonstrate soft tissue injuries. The diagnosis is often based on the patient’s history and the doctor’s physical examination of the patient. Therefore, the diagnosis frequently depends on the individual’s subjective complaints of pain, as well as the individual’s compliance and genuine effort during the musculoskeletal and neurological phases of the exam. Historically, in workers’ compensation, both the patient’s subjective complaints and his or her effort during the physical exam are often unreliable. Inaccurate histories and poor effort on physical exams can, more often than not, lead to misdiagnoses and ineffective or inappropriate treatments, which increase the cost, shifting burden to the employer even more.

In many states, the burden to determine causation of a soft tissue injury and to determine if the medical necessity of treatment falls under workers’ compensation or group health resides solely with the treating physician. In fact, states like Florida place an extra burden on doctors because of an apportionment law that states that the individual is responsible for the non-work-related treatment. If there is a major discrepancy in reimbursement between workers’ compensation and commercial insurance, the treating physician is tempted to accept the patient’s history of the event and does not have an incentive to investigate history that may place the causation of the patient’s symptoms in doubt. If clear-cut evidence documenting a pre-existing condition is lacking or not reviewed, the physician’s decision can be affected by secondary gain, and the physician is more likely to state that the soft tissue injury is work-related.

In these economic times, the cost-shifting issue is hard to resist for physicians. That is coupled with the fact that soft tissue injuries are often hard to demonstrate radiographically or with objective testing. In addition, radiographic tests are unreliable at timing injuries. X-rays and MRIs can show chronic changes like osteophytes and severely collapsed discs that usually take years to develop, but if a patient states that all of the pain began after a work-related injury, the treating physician may be tempted to attribute causation to the work-related event despite conflicting (yet unclear) radiographic findings. If this trend continues and remains uncontrolled, employers’ workers’ compensation costs can skyrocket.

The key to this issue is only accepting claims that arise out of the course and the scope of treatment. The law in each jurisdiction has one simple common theme: The employee needs to be returned to baseline.

An electrodiagnostic functional assessment soft tissue management (EFA-STM) program can resolve the issues. It is a bookend solution that measures current and new employees before and after a work-related event is reported. It assists in determining if an injury arose over the course and scope of employment (AOECOE) and helps in providing better care for the work-related condition.

EFA-STM is non-discriminatory. It objectively determines pre-injury status and whether there is a change in condition after a reported occurrence. A baseline assessment is performed and the unread data is immediately stored in a secure database. When a work-related event is reported, a post-injury assessment is conducted and compared with the baseline test to determine whether there is a change in condition. Without a pre-injury exam for comparison, no radiographic test (including an MRI) can accurately time a soft-tissue injury and, thus, the ultimate opinion on causation of injury can be subject to bias.

In addition, it is commonly accepted that an MRI, for example, shows structural abnormalities that are common in asymptomatic patients. The EFA-STM program allows physicians to more accurately determine if structural changes on an MRI are causing nerve/muscle irritation and disturbance. Therefore, more accurate diagnoses are made and more appropriate treatments are recommended. Unnecessary, costly and invasive tests (e.g. discography) and treatments can be avoided.


The EFA-STM program is specifically designed to allow better treatment for the work-related condition and has proven invaluable to prevent cost shifting to workers’ compensation. The program provides objective information that enables doctors to more accurately establish causation and to avoid the potential temptation to shift the burden to a work comp carrier if a soft tissue injury is not work-related. Finally, the EFA-STM program minimizes false positive structural abnormalities that are commonly seen on an MRI and allows for more accurate diagnoses so that safer, more cost-effective treatments can be rendered.

10 Reasons Why Healthcare Varies

Imagine your recommended medical treatment came with this warning label: “Your results may vary. Your results are not guaranteed. Outcomes can include preventable complications, up to (and including) hospital-acquired infections, hospital readmission and premature death.”

Caveat emptor or, “buyer beware,” has never been truer than in today’s healthcare system.

The use of evidence-based medicine protocols delivers higher quality, lower prices and improved outcomes throughout the country for many different treatments. Scientific studies have proven the efficacy of following best-practice guidelines. Achievable results include reduced premature mortality, improved quality of life and better clinical outcomes, which means faster recovery.


By no means is this a blanket assertion that the practice of all medicine can be reduced to a checklist, a differential diagnosis and a universal treatment regimen. The seven billion human beings on this planet each have trillions of cells and billions of possible variations. In addition, there are many social determinants of health, including social, economic and physical environmental factors.

The fact is, no treatment regimen works 100% of the time on 100% of the people.

However, there are proven, evidence-based strategies that effectively deliver higher quality and better outcomes with scale (which means lower costs). Therefore, it is incumbent upon healthcare providers and purchasers to live up to their fiduciary responsibility to act in the best interest of the consumer and the insured employee.

So, what happens in the practice of medicine that results in so much variability in treatment?

Today’s medicine is part science and part art. Unfortunately, for too many years, perverse reimbursement incentives have clouded and conflicted an industry that requires incredibly nuanced judgment on conditions with many variables and possible outcomes.

Outcomes are largely determined by the skill and experience of a physician or team of physicians. Parity may exist in professional sports, but that is not the case in the practice of medicine.

As a result, the practice of medicine is significantly influenced by individual providers and their practice patterns, beliefs, biases, needs and preferences, what we call “10 Reasons Why Medical Quality, Price and Outcomes May Vary.”


Depending on your location, your level of engagement and your particular treatment, the quality, price and outcome are likely to be affected by the actual provider of services. The following list includes 10 reasons why the practice of medicine is driven by the attitude, behavior and skill of the provider:


The typical American healthcare consumer still believes he is a patient and acts accordingly to eliminate the illness, not always recognizing the role he plays in his outcomes. The irreversible change taking place is that individuals have to learn to become consumers of healthcare by becoming engaged and taking responsibility for both their life outside the medical system and the choices they make when accessing medical care. The risks are real.

Understanding the risk can empower recognition and awareness that acting like a consumer is in your best interest, and that might just save your life. For additional free assistance on avoiding wasteful, unnecessary or poor quality medical tests, treatments or procedures go to www.choosingwisely.org.

Why Healthcare Costs Soar (Part 4)

The first three articles in this series by David Toomey and me are here, here and here.

Over the last few years, the buzz in the healthcare industry has been about accountable care organizations (ACOs), and the next wave will be the promotion of “value-based contracting.” These are similar approaches, different words.

Generally, an ACO is formed around a physician group or a hospital linked to physicians. The basic concept is for the provider system to be accountable for patients, with the providers financially motivated to affect their patient population’s overall costs. Makes sense, right?

For the past 25 or so years, physicians have been linked to independent practice associations, medical groups and management services organizations. Many of these provider organizations have had financial incentives tied to performance. Data have been available to assess physician performance. So, what’s different now?

Today the Feds are re-emphasizing performance in their physician contracting under the new Medicare Access and CHIP Reauthorization Act (MACRA), which replaces the current reimbursement formula.

Beginning in 2019, the existing incentive programs now used for Medicare physicians will be replaced by a new performance-based model with four components. Those components are 1) quality, 2) resource use, 3) meaningful use of technology and 4) clinical practice improvement.

Based on the Medicare physicians’ results, the reimbursements can be decreased by as much as 4% (adjusting to 9% by 2022). The program will have upside incentive for achieving exceptional performance of as much as 12% in 2019.

As the largest purchaser, Medicare is striving to establish per-unit cost consistency in every market. Yet Medicare’s 2014 costs vary from $6,631 to $10,610 across markets. Why? Even if the cost per unit of service is standardized, extremely wide variation exists in how patients are treated for given conditions. When wide variation in care plans exists, some are right and some are wrong, as regular readers of Cracking Health Costs know. Some are better, and some are worse. Period.

It’ll be interesting to see if the four new performance measures under MACRA will have a better impact than what’s in place today.

Self-insured employers don’t need to wait four or five years to see the results. They can leverage their purchasing scale with the providers to drive out both inappropriate care and unit price variations. The time to start is now.

What Physicians Say on Workers’ Comp

At the 2015 Harbor Health MPN Medical Directors Meeting, a panel discussed current issues affecting workers’ compensation. The panel consisted of:

  • Dr. Tedd Blatt (moderator)
  • Dr. Craig Uejo
  • Dr. Don Dinwoodie
  • Dr. Minh Nguyen
  • Dr. Kayvon Yadidi

Question: What are the things physicians can do or should do to improve workers comp?

  • Physicians need to assist in training their peers. There is inadequate training of occupational medicine physicians on the nuances of the workers’ compensation system. This is something other stakeholders in the system could also assist with.
  • Physicians need to be considering psycho-social issues in the treatment of patients. These can have a significant impact on claim outcomes.
  • There is not enough training for physicians on how to properly write medical reports, especially in the workers’ compensation arena.
  • It is imperative that physicians are responsive to questions from the payers. Failure to respond in a timely way to questions causes delays in reimbursement and creates animosity.

Question: How should physicians be approaching the issues of opioids, and are payers willing to consider alternatives?

  • This is something that needs to be considered from the initial visit forward. These drugs can lead to long-term issues, and prescribing them cannot be taken lightly. Too many physicians just prescribe these to make the patient happy.
  • There are inadequate detox programs to wean people off these drugs. Patients tend to bounce from one pain clinic to the next, which just continues the cycle of using these drugs.
  • Payers are often hesitant to authorize detox programs or non-pharmaceutical pain management alternatives because they view these things as experimental.
  • Physicians will soon be required to utilize CURES, the California prescription drug monitoring program, prior to prescribing opioids. This is intended to identify people who are doctor-shopping to abuse the opioids.
  • If you don’t prescribe the opioids, the patient will find someone else who does. Until there is a consistent approach to how these drugs are prescribed, this will continue to be a problem.
  • This is the greatest physician-created public health crisis in the history of the U.S. These drugs are massively overprescribed and should only be used for a very short term for post-operative care. They should never be used for long-term treatment.

Question: What do you think about utilization review? Are there things that you feel should always be subject to utilization review?

  • All surgeries should be subject to mandatory utilization review. Too many physicians are conducting unnecessary surgeries, which cause harm to their patients.
  • Compound medications and medications not usually prescribed in workers’ comp should be subject to utilization review.
  • There needs to be a level of common sense in UR. It should not be used if the recommended treatment is part of the normal course of care for an injury. Payers also are sometimes paying more for the UR review than the actual service requested costs.
  • If you have quantified that a physician is producing better outcomes for injured workers, these physicians should be subject to less utilization review.
  • The UR process needs to be more selective and focus on the outliers, not routine care. The perception from providers is that UR is being grossly overused. Physicians view this as punitive.

Question: More physicians are becoming part of larger health systems. Is this a positive change?

  • This is a positive change because the physicians have a better support structure to assist in writing reports and navigating the nuances of the workers’ compensation system.

Question: Is the Affordable Care Act going to affect workers’ compensation?

  • We will see an increased focus on outcomes, and, if a physician does not deliver superior outcomes, then payers will not refer patients to them for treatment.
  • Many of the policies under the exchanges have high deductibles and, because of this, it is likely we will continue to see pressure to push treatment into the workers’ compensation space.

Question: What changes would you recommend on the claims administrator side?

  • There needs to be more focus on better internal communication within claims organizations. Physicians end up sending reports and responding to requests multiple times because the claims organization does not have good internal communication.
  • The fee structure is affecting the number of physicians willing to treat workers’ compensation patients. Many specialists have stopped treating workers’ compensation patients because they do not feel adequately compensated for the amount of work required.

5 Steps for Covering Data Breaches

Target’s $19 million settlement with MasterCard[1] underscores very significant sources of potential exposure that often follow a data breach that involves payment cards. Retailers and other organizations that accept those cards are likely to face, in addition to a slew of claims from consumers and investors, claims from financial institutions that seek to recover losses associated with issuing replacement credit and debit cards, among other losses. The financial institution card issuers typically allege, among other things, negligence, breach of data-protection statutes and non-compliance with Payment Card Industry Data Security Standards (PCI DSS). Likewise, as Target’s recent settlement illustrates, organizations can expect to face claims from the payment brands, such as MasterCard, VISA and Discover, seeking substantial fines, penalties and assessments for purported PCI DSS non-compliance.

These potential sources of liability can eclipse others. While consumer lawsuits often get dismissed for lack of Article III standing,[2] for example, or may settle for relatively modest amounts,[3] the Target financial institution litigation survived a motion to dismiss[4] and involved a relatively high settlement amount as compared with the consumer litigation settlement. So did TJX’s prior $24 million settlement with card issuers.[5] The current settlement involves only MasterCard,[6] moreover, and the Target financial institution litigation will proceed with any issuer of MasterCard-branded cards that declines to partake of the $19 million settlement offer. The amended class action in the Target cases alleges that the financial institutions’ losses “could eventually exceed $18 billion.”[7]

Organizations should be aware that these significant potential sources of data breach and payment brand liability may be covered by insurance, including commercial general liability insurance (CGL), which most companies have in place, and specialty cybersecurity/data privacy insurance.

Here are five steps for securing coverage for data breach and PCI DSS-related liability:

Step 1: Look to CGL Coverage

Coverage A: “Property Damage” Coverage

Payment card issuers typically seek damages because of the necessity to replace cards and, often, also specifically allege damages because of the loss of use of those payment cards, including lost interest, transaction fees and the like. By way of illustration, the amended class action complaint in the Target litigation alleges:

The financial institutions that issued the debit and credit cards involved in Target’s data breach have suffered substantial losses as a result of Target’s failure to adequately protect its sensitive payment data. This includes sums associated with notifying customers of the data breach, reissuing debit and credit cards, reimbursing customers for fraudulent transactions, monitoring customer accounts to prevent fraudulent charges, addressing customer confusion and complaints, changing or canceling accounts and facing the decrease or suspension of their customers’ use of affected cards during the busiest shopping season of the year.[8]

The litigation further alleges that “plaintiffs and the FI [financial institution] class also lost interest and transaction fees (including interchange fees) as a result of decreased, or ceased, card usage in the wake of the Target data breach.”[9]

These allegations fall squarely within the standard-form definition of covered “property” damage under CGL Coverage A. Under Coverage A, the insurer commits to “pay those sums that the insured becomes legally obligated to pay as damages because of … ‘property damage’… caused by an ‘occurrence’”[10] that “occurs during the policy period.”[11] The insurer also has “the right and duty to defend the insured against any … civil proceeding in which damages because of … ‘property damage’ … are alleged.”[12]

Importantly, the key term “property damage” is defined to include not just “physical injury to tangible property” but also “loss of use of tangible property that is not physically injured.” The key definition in the current standard-form CGL insurance policy states as follows:

“Property damage” means:

  1. Physical injury to tangible property, including all resulting loss of use of that property. All such loss of use shall be deemed to occur at the time of the physical injury that caused it; or
  2. Loss of use of tangible property that is not physically injured. All such loss of use shall be deemed to occur at the time of the “occurrence” that caused it.

For the purposes of this insurance, electronic data is not tangible property.

In this definition, “electronic data” means information, facts or programs stored as or on, created or used on or transmitted to or from computer software, including systems and applications software, hard or floppy disks, CD-ROMs, tapes, drives, cells, data processing devices or any other media that are used with electronically controlled equipment.[13]

Although the current definition states that “electronic data is not tangible property,” to the extent this standard-form language may be present in the specific policy at issue (coverage terms should not be assumed; rather the specific policy language at issue should always be carefully reviewed),[14] the limitation is largely, perhaps entirely, irrelevant in this context because card issuer complaints, like the amended class action complaint in the Target litigation, typically allege damages because of the need to replace physical, tangible payment cards.[15] The complaints further often expressly allege that the issuers have suffered damages because of a decrease or cessation in the card usage.

These types of allegations are squarely within the “property damage” coverage offered by CGL Coverage A, and courts have properly upheld coverage in privacy-related cases where allegations of loss of use of property are present.[16]

Coverage B: “Personal and Advertising Injury” Coverage

There is significant potential coverage for data breach-related liability, including card issuer litigation, under CGL Coverage B. Under Coverage B, the insurer commits to “pay those sums that the insured becomes legally obligated to pay as damages because of ‘personal and advertising injury,’”[17] which is “caused by an offense arising out of [the insured’s] business … during the policy period.”[18] Similar to Coverage A, the policy further states that the insurer “will have the right and duty to defend the insured against any … civil proceeding in which damages because of … ‘personal and advertising injury’ to which this insurance applies are alleged.”[19]

The key term “personal and advertising injury” is defined to include a list of specifically enumerated offenses, which include “oral or written publication, in any manner, of material that violates a person’s right of privacy.”[20]

Considering this key language, courts have upheld coverage under CGL Coverage B for claims arising out of data breaches and for a wide variety of other claims alleging violations of privacy rights.[21] It warrants mention that, although the trial court in the Sony PlayStation data breach litigation recently ruled against coverage, that decision, which turned on the court’s finding that, essentially, Coverage B is triggered only by purposeful actions by the insured (Sony) and not by the actions of the third parties who hacked into its network, is currently on appeal to the New York Appellate Division and may soon be reversed. Nowhere in the insuring agreement or its key definition does the CGL policy require any action by the insured. As the coverage’s name “Commercial General Liability” indicates, the coverage does not require intentional action by the insured, as argued by the insurers in the Sony case, but rather is triggered by the insured’s liability, i.e., the insurer commits to pay sums that the insured “becomes legally obligated to pay” that “arise out of” the covered “offenses.” The broad insuring language, moreover, extends to the insured’s liability for publication “in any manner,” i.e., via a hacking attack or otherwise. The cases cited by the insurer in the Sony case are factually inapposite and interpret entirely different policy language. Indeed, Sony’s insurer, Zurich, itself acknowledged in 2009 that CGL policies may provide coverage for data breaches via hacking, which by definition involves third-party actions.[22]

Organizations also should be aware that the Insurance Services Office (ISO), the insurance industry organization responsible for drafting standard-form CGL language, recently promulgated a series of data breach exclusionary endorsements.[23] ISO acknowledged that there currently is data breach coverage for hacking activities under CGL policies. In particular, ISO stated that the new exclusions may be a “reduction in personal and advertising injury coverage”—the implication being that there is coverage in the absence of the new exclusions.

At the time the ISO CGL and CLU policies were developed, certain hacking activities or data breaches were not prevalent and, therefore, coverages related to the access to or disclosure of personal or confidential information and associated with such events were not necessarily contemplated under the policy. As the exposures to data breaches increased over time, stand-alone policies started to become available in the marketplace to provide certain coverage with respect to data breach and access to or disclosure of confidential or personal information.

To the extent that any access or disclosure of confidential or personal information results in an oral or written publication that violates a person’s right of privacy, this revision may be considered a reduction in personal and advertising injury coverage.[24]

Other than the trial court’s decision in the Sony case, no decision has held that an insured must itself publish information to obtain CGL Coverage B coverage, and a number of decisions have appropriately upheld coverage for liability that the insured has resulting from third-party publications.[25]

The bottom line: There may be very significant coverage under CGL policies, including for data breaches that result in the disclosure of personally identifiable information and other claims alleging violation of a right to privacy, including claims brought by card issuers.

Step 2: Look to “Cyber” Coverage

Organizations are increasingly purchasing so-called “cyber” insurance, and a major component of the coverage offered under most “cyber” insurance policies is coverage for the spectrum of issues that an organization typically confronts in the wake of a data breach incident. This usually includes, not only defense and indemnity coverage in connection with consumer litigation and regulatory investigation, but also defense and indemnity coverage in connection with card issuer litigation. By way of example, one specimen policy insuring agreement states that the insurer will “pay … all loss” that the “insured is legally obligated to pay resulting from a claim alleging a security failure or a privacy event.” The key term “privacy event” includes “any failure to protect confidential information,” a term that is broadly defined to include “information from which an individual may be uniquely and reliably identified or contacted, including, without limitation, an individual’s name, address, telephone number, Social Security number, account relationships, account numbers, account balances, account histories and passwords.” “Loss” includes “compensatory damages, judgments, settlements, pre-judgment and post-judgment interest and defense costs.” Litigation brought by card issuers is squarely within the coverage afforded by the insuring agreement and its key definitions.

Importantly, a number of “cyber” insurance policies also expressly cover PCI DSS-related liability. By way of example, the specimen policy quoted above expressly defines covered “loss” to include “amounts payable in connection with a PCI-DSS Assessment,” which is defined as follows:

“PCI-DSS assessment” means any written demand received by an insured from a payment card association (e.g., MasterCard, Visa, American Express) or bank processing payment card transactions (i.e., an “acquiring bank”) for a monetary assessment (including a contractual fine or penalty) in connection with an insured’s non-compliance with PCI Data Security Standards that resulted in a security failure or privacy event.

This can be a very important coverage, given that, as the recent Target settlement illustrates, organizations face substantial liability arising out of the card brand and association claims for fines, penalties and assessments for purported non-compliance with PCI DSS. The payment card brands routinely claim that an organization was not PCI DSS-compliant and that the PCI forensic investigator assigned to investigate compliance routinely determines that the organization was not compliant at the time of a breach. As the payment industry has stated, “no compromised entity has yet been found to be in compliance with PCI DSS at the time of a breach.”[26]

The bottom line: “Cyber” insurance policies may provide broad, solid coverage for the costs and expenses that organizations may incur in connection with card-issuer litigation and payment brand claims alleging PCI non-compliance.

Step 3: Look to Other Potential Coverage

It is important not to overlook other types of insurance policies that may respond to cover various types of exposure flowing from a breach. For example, there may be coverage under directors’ and officers’ (D&O) policies, professional liability or errors and omissions (E&O) policies and commercial crime policies. After a data breach, companies are advised to provide prompt notice under all potentially implicated policies, except in particular circumstances that may justify refraining from doing so, and to carefully evaluate all potentially applicable coverages.

Step 4: Don’t Take “No” For an Answer

Unfortunately, even where there is a legitimate claim for coverage under the policy language and applicable law, an insurer may deny a claim. Indeed, insurers can be expected to argue, as Sony’s insurers argued, that data breaches are not covered under CGL insurance policies. Nevertheless, insureds that refuse to take “no” for an answer may be able to secure valuable coverage.

If, for example, an insurer reflexively raises the “electronic data” exclusion in response to a claim under CGL Coverage A, which purports to exclude, under the standard form, “[d]amages arising out of the loss of, loss of use of, damage to, corruption of, inability to access or inability to manipulate electronic data,”[27] insureds are encouraged to point out that the damages alleged by card issuers for replacing physical cards and for lost interest and transaction fees, etc., resulting from loss of use of those cards, are clearly outside the purview of the exclusion. Likewise, if an insurer raises the standard “Recording And Distribution Of Material Or Information In Violation Of Law” exclusion, insureds are encouraged to point out that the exclusion has been narrowly interpreted, does not address common-law claims and has been held inapplicable where the law at issue fashions relief for common law rights.[28]

Importantly, exclusions and other limitations to coverage are construed narrowly against the insurer and in favor of coverage under well-established rules of insurance policy interpretation,[29] and the burden is on the insurer to demonstrate an exclusion’s applicability.[30]

Step 5: Maximize Cover Across the Entire Insurance Portfolio

Various types of insurance policies may be triggered by a data breach, and the various triggered policies may carry different insurance limits, deductibles, retentions and other self-insurance features, together with various different and potentially conflicting provisions addressing, for example, other insurance, erosion of self-insurance and stacking of limits. For this reason, in addition to considering the scope of substantive coverage under an insured’s different policies, it is important to carefully consider the best strategy for pursuing coverage in a manner that will maximize the potentially available coverage across the insured’s entire insurance portfolio. By way of example, if there is potentially overlapping CGL and “cyber” insurance coverage, remember that defense costs often do not erode CGL policy limits, and structure the coverage strategy accordingly.

When facing a data breach, companies should carefully consider the insurance coverage that may be available. Insurance is a valuable asset. Before a breach, companies should take the opportunity to carefully evaluate and address their risk profile, potential exposure, risk tolerance, sufficiency of their existing insurance coverage and the role of specialized cyber coverage. In considering that coverage, please note that there are many specialty “cyber” products on the market. Although many, if not most, of these policies purport to cover many of the same basic risks, including data breaches and other types of “cyber” and data privacy-related risk, the policies vary dramatically. It is important to carefully review policies for appropriate coverage prior to purchase and, in the event of a claim, to carefully review the scope of all potentially available coverage.

This article was first published in Law360.

 

[1] Target Strikes $19M Deal With MasterCard Over Data Breach, Law360 (April 15, 2015). The settlement is contingent upon at least 90% of the eligible MasterCard issuers accepting their alternative recovery offers by May 20.

[2] See, e.g., No Data Misuse? No Standing For Data Breach Plaintiffs, Law360 (April 24, 2014).

[3] Target Will Pay Consumers $10M To End Data Breach MDL, Law360, New York (March 19, 2015).

[4] See, e.g., Target Loses Bid to KO Banks’ Data Breach Litigation, Law360 (April 15, 2015).

[5] TJX Reaches $24M Deal With MasterCard Issuers, Law360 (April 2, 2008).

[6] The company is reported to be in similar negotiations with Visa.

[7] In re: Target Corporation Customer Data Security Breach Litigation, MDL No. 14-2522 (PAM/JJK) (D. Minn.), at ¶ 87 (filed August 1, 2014).

[8] Id., ¶ 2 (emphasis added).

[9] Id., ¶ 86 (emphasis added).

[10] ISO Form CG 00 01 04 13 (2012), Section I, Coverage A, §1.a., §1.b.(1).

[11] Id., Section I, Coverage A, §1.b.(2).

[12] Id., Section I, Coverage A, §1.a.; Section V, §18.

[13] ISO Form CG 00 01 04 13 (2012), Section V, §17 (emphasis added).

[14] In the absence of such language, a number of courts have held that damaged or corrupted software or data is “tangible property” that can suffer “physical injury.” See, e.g., Retail Sys., Inc. v. CNA Ins. Co., 469 N.W.2d 735 (Minn. Ct. App. 1991); Centennial Ins. Co. v. Applied Health Care Sys., Inc., 710 F.2d 1288 (7th Cir. 1983) (California law); Computer Corner, Inc. v. Fireman’s Fund Ins. Co., No. CV97-10380 (2d Dist. Ct. N.M. May 24, 2000).

[15] See also Eyeblaster, Inc. v. Federal Ins. Co., 613 F.3d 797 (8th Cir. 2010).

[16] See, e.g., Travelers Prop. Cas. Co. of America v. DISH Network, LLC, 2014 WL 1217668 (C.D. Ill. Mar. 24, 2014); Columbia Cas. Co. v. HIAR Holding, L.L.C., 411 S.W.3d 258 (Mo. 2013).

[17] ISO Form CG 00 01 04 13 (2012), Section I, Coverage B, §1.a.

[18] Id., Section I, Coverage B, §1.b.

[19] Id., Section I, Coverage B, §1.a.; Section V, §18.

[20] Id., Section V, §14.e.

[21] See, e.g., Hartford Cas. Ins. Co. v. Corcino & Assocs., 2013 WL 5687527 (C.D. Cal. Oct. 7, 2013).

[22] Zurich, Data security: A growing liability threat (2009), available at http://www.zurichna.com/NR/rdonlyres/23D619DB-AC59-42FF-9589-C0D6B160BE11/0/DOCold2DataSecurity082609.pdf (emphasis added).

[23] These new exclusions became effective in most states in May 2014. One of the exclusionary endorsements, titled “Exclusion – Access Or Disclosure Of Confidential Or Personal Information,” adds the following exclusion to the standard form policy:

This insurance does not apply to:

Access Or Disclosure Of Confidential Or Personal Information

“Personal and advertising injury” arising out of any access to or disclosure of any person’s or organization’s confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of non public information.

CG 21 08 05 14 (2013). See also Coming To A CGL Policy Near You: Data Breach Exclusions, Law360 (April 23, 2014).

[24] ISO Commercial Lines Forms Filing CL-2013-0DBFR, at pp. 3, 7-8 (emphasis added).

[25] See, e.g., Hartford Cas. Ins. Co. v. Corcino & Assocs., 2013 WL 5687527 (C.D. Cal. Oct. 7, 2013).

[26] Visa: Post-breach criticism of PCI standard misplaced (March 20, 2009), available at http://www.computerworld.com.au/article/296278/visa_post-breach_criticism_pci_standard_misplaced/

[27] CG 00 01 04 13 (2012), Section I, Coverage A, §2.p.

[28] See, e.g., Hartford Cas. Ins. Co. v. Corcino & Assocs., 2013 WL 5687527 (C.D. Cal. Oct. 7, 2013). For example, in the Corcino case, the court upheld coverage for statutory damages arising out of a hospital data breach that compromised the confidential medical records of nearly 20,000 patients, notwithstanding an express exclusion for “personal and advertising Injury …. [a]rising out of the violation of a person’s right to privacy created by any state or federal act.” Corcino and numerous other decisions underscore that, notwithstanding a growing prevalence of exclusions purporting to limit coverage for data breach and other privacy-related claims, there may yet be valuable privacy and data breach coverage under “traditional” or “legacy” policies that should not be overlooked.

[29] See, e.g., 2 Couch on Insurance § 22:31 (“the rule is that, such terms are strictly construed against the insurer where they are of uncertain import or reasonably susceptible of a double construction, or negate coverage provided elsewhere in the policy”).

[30] See, e.g., 17A Couch on Insurance § 254:12 (“The insurer bears the burden of proving the applicability of policy exclusions and limitations or other types of affirmative defenses”).