Insurance coverage for cyberliability

Posted by Gene Killian on January 11, 2013

At the end of this month (January 26, to be exact), assuming that the Mayans remain incorrect, I’ll be doing a presentation to the New Jersey Institute for Continuing Legal Education on the topic of insurance coverage for cyberthreats.  Of course, I probably should be disqualified from making any comments whatsoever about trends in computer-related coverage, since I was a charter subscriber to the Mealey’s Y2K Litigation Reporter, the litigation world’s version of the Ford Edsel.

In any event, Willie Sutton is supposed to have remarked that he robbed banks because “that’s where the money is.”  (He denied making such a comment, but I’m not going to let the facts get in the way of a good story.)  Nowadays, the money is accessible without dynamite, drills or guns, to a new breed of criminal – so much so that the SEC now recommends that companies disclose the extent of their cybersecurity risks, including the availability of “relevant insurance coverage.”  (You can read the SEC guidance here.)  Liability associated with network security breaches is extreme.  According to one study of 137 events that took place between 2009 and 2011, the average total cost per incident was $3.7 million (including remedial costs and legal fees).     

I’ve previously blogged about Retail Ventures, Inc. v. National Union, 691 F.3d 821 (6th Cir. 2012), in which a chain of shoe stores had its wireless network hacked, and the Court found coverage under a computer fraud rider to a blanket (first-party) crime policy.  You can read that post here.

I’d now like to review briefly an interesting cyberliability case involving third-party coverage, Eyeblaster, Inc. v. Federal Ins. Co., 613 F.3d 797 (8th Cir. 2010).  (You can read the full Eyeblaster decision here.)  Facts: Eyeblaster is a marketing company that helps run advertising campaigns on the internet.  A computer user (Sefton) sued Eyeblaster, alleging that Eyeblaster injured his computer, software, and data after he visited an Eyeblaster website, through, among other things, the unauthorized installation of cookies on Sefton’s computer. Sefton contended that, after Eyeblaster did its thing, his computer slowed to a crawl and he had difficulty remediating the problem.

With respect to Eyeblaster’s general liability coverage, the issue was whether there had been damage to “tangible property,” so as to trigger property damage coverage.  The Court said yes,  writing as follows:  “Federal did not include a definition of ‘tangible property’ in its General Liability policy, except to exclude ‘software, data or other information that is in electronic form.’ The plain meaning of tangible property includes computers, and the Sefton complaint alleges repeatedly the ‘loss of use’ of his computer. We conclude that the allegations are within the scope of the General Liability policy.”

What we see here is that, at least under general liability policies, hardware tends to be viewed as more “tangible” than software, so that if there are allegations of any harm to hardware, there’s more likely to be coverage.

Along these lines, for those of you who may be dealing with cyberliability issues under standard liability policies, keep in mind that there are ISO exclusions that may apply.  The 2001 version of the exclusion reads: “For purposes of this insurance, electronic data is not tangible property.”  The 2004 version of the exclusion excludes ”[d]amages arising out of the loss of, loss of use of, damage to, corruption of, inability to access or inability to manipulate electronic data.”  Even if the 2004 exclusion had been in play in Eyeblaster, however, the Court likely would have found coverage.  The Eyeblaster Court focused on the idea that the hardware itself did not work, as opposed to electronic data (which may be an intangible concept) being corrupted.

As to the E&O coverage, Federal argued that there was no coverage for intentional acts, even if they result in unintentional damage.   The Court disagreed with that argument as well, writing:  “Sefton alleges that Eyeblaster installed tracking cookies, Flash technology, and JavaScript on his computer, all of which are intentional acts. However, Federal can point to no evidence that doing so is intentionally wrongful. As Eyeblaster points out in an affidavit filed with the district court, Federal's parent company utilizes JavaScript, Flash technology, and cookies on its own website. Federal cannot label such conduct as intentionally wrongful merely because it is included in the Sefton complaint; Federal has a duty to show that the use of such technology is outside its policy's coverage.”  (I always admire good lawyering; going to Chubb’s website and finding similar applications there was a nice touch.)

There are, of course, new insurance products coming onto the market specifically to deal with cyberliability issues, such as Marsh’s “Cloud Protect,” which is designed to protect small and midsized businesses against losses stemming from a cloud service provider’s failure.  When reviewing any of the new policies, pay specific attention to the definition of the terms “computer system” or “computer network,” to make sure that what you want to have covered, is in fact covered.

The "Eight Corners" Rule and the Duty to Defend

Posted by Gene Killian on July 13, 2012

One of the issues that frequently comes up in complicated third-party cases is:  How far outside the underlying complaint does the carrier have to go to determine whether coverage exists?  New Jersey is not an “eight corners” state (in which all the court considers is the four corners of the policy and the four corners of the complaint). The New Jersey Supreme Court has specifically held: “Insureds expect their coverage and defense benefits to be determined by the nature of the claim  against them, not by the fortuity of how the plaintiff, a third party, chooses to phrase the complaint against the insured. To allow the insurance company ‘to construct a formal fortress of the third party's pleadings and to retreat behind its walls, thereby successfully ignoring true but unpleaded facts within its knowledge that require it, under the insurance policy, to conduct the putative insured's defense’ would not be fair.’” SL Industries, Inc. v. American Motorists Insurance Co., 128 N.J. 188, 197 (1992) (citations omitted).  

Along these lines, some time ago, I wrote about the New Jersey Appellate Division’s decision in Adams-Stiefel Funeral Home v. Zurich American, which involved issues of coverage for companies that were essentially “innocent bystanders” in an illegal plot to harvest body parts from corpses.  In a companion case, the New Jersey Supremes have now affirmed the Appellate Division’s ruling of no coverage.  The case facts are a little unique (and ghoulish), but the decision raises some important questions about the scope of the duty to defend.  The Supreme Court decision is here.  

Memorial Properties and Mt. Hebron are the owner and manager (respectively) of a cemetery known as Liberty Grove Memorial Gardens.  They were implicated in a scheme in which a New Jersey dentist and a New Jersey “master embalmer” worked in conjunction with funeral homes and crematories to obtain access to human remains, and to sell body parts.  Memorial and Mount Hebron denied any involvement in the plot, and consistently maintained that, when they received bodies from funeral directors for cremation, the remains were already in sealed containers that were not opened by Memorial and Mt. Hebron prior to cremation. They also argued that the documentation accompanying the remains appeared proper.    

The families of the decedents alleged that, following the deaths of their relatives on various dates in 2003, 2004 and 2005, two persons not connected with Memorial Properties or Mt. Hebron extracted tissue, bones and organs from the remains without authorization, sometimes replacing harvested bone with polyvinyl chloride (PVC) piping so that the bodies would appear intact. The families contended that these persons falsified decedents' medical and funeral records to conceal the illegal tampering with the remains.  The families allege that they were unaware of the “harvesting” until law enforcement authorities told them about it in 2006.  They claimed, among other things (and understandably), damages relating to emotional distress.

Two insurance companies – Assurance and Maryland Casualty - denied coverage for the families’ claims. The policies involved are specially tailored to the funeral home industry, but they basically contain “occurrence”-based coverage.

The Assurance policy provided coverage for the year 2003 for claims arising from damage to human remains and bodily injury, including mental anguish.  Assurance took a “no pay” position, on the ground that the occurrences were outside of the policy period, since the families only learned of the harvesting scheme in 2006. 

In upholding the Assurance denial, the Supreme Court wrote in part:         “The decedent's surviving spouse seeks damages for ‘severe pain and suffering, severe emotional distress and harm, [and] financial or economic loss,’ including lost wages. Her alleged damages derive from her distress upon learning of the unauthorized harvesting of her husband's tissue, bones and organs, and not from a purported cause of action based on property damage to her decedent's remains. Accordingly, in the New Jersey case in which the harvesting took place in 2003, the ‘occurrence’ was the plaintiff-spouse's alleged emotional distress upon discovery of the harvesting scheme in a 2006 conversation with law enforcement, and her claim falls outside of the policy period set forth in the Assurance policy.”

In other words, the Supremes divorced damage to the body (the “property”) from the emotional damage suffered by the plaintiffs.  Since the plaintiffs’ emotional damage only took place after 2003 (hence outside the policy period), no coverage.  Burt how does this square with the principles of SL Industries?  Since the cause of action was in fact based upon damage to the decedent’s body (without that, there would have been no “emotional distress”), wouldn’t a reasonable policyholder expect coverage for this claim?

The other carrier, Maryland Casualty, denied coverage based upon an exclusion removing coverage for claims based upon such activities conducted "by any insured or anyone for whom the insured is legally responsible" including "disarticulation" of body parts from a deceased body, "distribution, sale, loaning, donating or giving away" parts of a deceased body, and “any criminal act.”  Based upon this exclusion, the Supremes wrote in part that the underlying plaintiffs had alleged “an active role by Memorial and Mt. Hebron in the harvesting scheme” which fell “squarely within the parameters of the exclusionary clause.”  

The problem with the ruling in favor of Maryland Casualty is that the policyholders presented evidence that they had not participated in the scheme, and that the bodies had been delivered to them in sealed containers with appropriate certifications.  The Supremes simply resolved that issue against the policyholder without apparently conducting the outside-the-eight-corners analysis required by SL Industries…which is disappointing, to say the least. 

Disability insurance in a war zone

Posted by Gene Killian on May 21, 2012

The New Jersey Law Journal reports that defense contractors' employees who worked in Iraq and Afghanistan are suing Prudential Insurance, alleging that it sold policies without disclosing that war-zone deaths and injuries were not covered.

The policies, sold to civilians at U.S. military bases overseas, were worthless as a result, the plaintiffs charge in Menkes v. Prudential, No. 12-2880, filed in federal court in Newark last week.

Long-term disability, supplemental term life and supplemental accidental death and dismemberment policies excluded claims "due to war, declared or undeclared, or any act of war." The putative class action seeks compensation for workers for defense contractors in Iraq or Afghanistan from Feb. 10, 2006, to the present who bought the policies that contained the war-zone exclusion. It also seeks compensation for a subclass of workers whose claims were denied based on the exclusion.

The plaintiffs are represented by Michael Galpern, of the Locks Law Firm in Cherry Hill.

The case will be interesting to follow.  In my experience, New Jersey federal courts tend to be defense-oriented, but this matter has a large sympathy factor involved.

Fidelity insurance and Ponzi schemes

Posted by Gene Killian on March 19, 2012

Spring is a time of rebirth and hope, especially for baseball fans.  No matter how badly your team played last year, when March rolls around, you’re tied for first!  That is, unless (like me) you’re a fan of the woeful New York Mets.  After just a few weeks of spring training, their third baseman already has a rib injury; their first baseman (who missed most of last year after spraining his ankle by tripping over his own feet) has come down with some sort of weird desert fever; and one of their key relief pitchers is out for at least six weeks with a torn meniscus.  Oh, I almost forgot, their All-Star shortstop now plays for someone else.  

Can it get any worse?  When it comes to the Mets, yes, of course it can! There’s the little matter of Bernie Madoff.  Mets ownership has now been ordered to return $83 million to Madoff’s victims. 

Leaving the Mets and my baseball misery to one side, the Madoff situation in general has given rise to some interesting insurance coverage questions.  Recently, in Jacobson Family Investments v. National Union, a New York state court judge rejected efforts by carriers to lump named insureds together for the purpose of showing that on the whole, they were “net winners” in the Madoff fraud and therefore not entitled to insurance recovery for their losses from the Ponzi scheme.  The case involved a fidelity-type bond or policy, in part covering damages caused by “outside investment advisors.”  

The plaintiff-policyholders were investment vehicles set up by the heirs to the founders of industrial equipment supplier MSC Industrial Direct Co. Inc. and affiliated with Jacobson Family Investments, Inc.  The carriers argued that, because the investment vehicles were all listed in the policy under the heading “Complete Named Insured,” they were in essence one policyholder, and their net wins and losses had to be aggregated.  Because the aggregate amount of all of the policyholders’ net account balances with Madoff actually made them a “net” equity winner (together, they had withdrawn $5.9 million more than they invested with Madoff), the argument was that there was no compensable loss for insurance purposes.  

Based upon the clear terms of the policy, the judge wasn’t buying it.  The Court stated that the named insured rider “does not provide that [the] entities’ net wins and losses should be aggregated…it is [simply] an informational declaration of all the entities and individuals who may draw from the bond.”  

The carriers also tried to rely upon the “Single Loss” provision of the policy, which states:  “Subject to the Aggregate Limit of Liability, the Underwriter’s liability for each Single Loss shall not exceed the applicable Single Loss Limit of Liability…If a Single Loss is covered under more than one Insuring Agreement or Coverage, the maximum payable shall not exceed the largest applicable Single Loss Limit of Liability.”  “Single Loss” was defined as “all covered loss” resulting from a fraud.  Therefore, the carriers again argued, all of the policyholders’ wins and losses had to be aggregated to determine whether there was a compensable “Single Loss.”  

Again, the Court wasn’t buying.  First, the Court held that the purpose of the “Single Loss” provision was simply “to limit [the primary carrier’s] liability, under the Bond, for separate acts of malfeasance,” not to require aggregation of wins and losses.  Second, the Court held that a “Single Loss” was defined as “all covered losses, not all covered net losses.”  The Court stated:  “Courts should be extremely reluctant to interpret an agreement as impliedly stating something which the parties have neglected to specifically include.”  

Finally, the carriers cited a “Joint Insured Provision” in an effort to support the argument that all of the named insureds’ wins and loses had to be aggregated together.  The “Joint Insured Provision” states, in part:  “If two or more Insureds are covered under this bond, the first named Insured shall act for all Insureds.  Payment by the Underwriter to the first named Insured of loss sustained by any Insured shall fully release the Underwriter on the account of such loss…The liability of the Underwriter for loss or losses sustained by all Insureds shall not exceed the amount for which the underwriter would have been liable had all such loss or losses been sustained by one Insured.”  

The Court shot that argument down as well, writing:  “It is clear from the cited language that the main purpose of this Provision was to create an organized procedure to make claims under the Bond.  There are over 160 entities or individuals covered under this Bond…and if each entity had a claim…the insurance company would be processing significant amounts of paperwork.  Assigning one of the Insureds the power to act for others covered under the Bond resolves this issue.”  

This decision shows that, even in cases involving so-called “sophisticated” policyholders, some Courts will still apply strict rules of construction against carriers.  Interestingly, at no point did the Court say that the policy was ambiguous.  Rather, the Court essentially said that the carriers were attempting to engraft terms upon the policy that did not actually exist.  This is known in our business as “post-loss underwriting.”  

The excellent policyholder attorney Robin Cohen and her great team at Kasowitz Benson handled this case for the policyholders. 

Employment practices liability insurance

Posted by Gene Killian on September 29, 2011

Lots of times, businesspeople who buy insurance make (reasonable) assumptions.  For example:  “If I have employment practices liability insurance, I must be covered for claims arising out of employment practices…right?” 

Mmmmm…not so fast.  Most EPLI policies contain a hidden gap that’s wide enough to drive an eighteen-wheeler through. 

EPLI coverage came on the market a few years back when employers started to try to make claims for workplace harassment suits under Part Two of their workers’ compensation policies (the “employers’ liability” coverage).  Of course, what the claims department views as “no pay,” the marketing department views as an opportunity.  (Remember environmental impairment liability insurance?) 

Basically. EPLI is supposed to provide protection from employment law claims made by employees, former employees, or potential employees.  This includes claims of discrimination, wrongful termination of employment, and sexual harassment.  The policy provides coverage to the business, its directors and officers. 

EPLI is less standardized than other forms of coverage, which makes it scary as a matter of principle.  Sometimes it’s bundled in a business owner’s policy, or as a part of other liability insurance. 

Now, let’s consider how some employment claims actually work.   In certain circumstances (federal Title VII claims), the employee has to file a charge with the EEOC first.  The EEOC investigates the matter and tries to resolve it.  In some circumstances, though, the EEOC will file suit on behalf of the employee.  Obviously, when the EEOC files such a suit, it does so on behalf of the employee.  (The basic process can be found at the EEOC website here.) 

All of which brings us to the recent federal case of Cracker Barrel v. Cincinnati Insurance Company, a federal case from the great state of Tennessee.  (I’m writing about a Tennessee case because we have plenty of “strict constructionist” judges here in New Jersey, too.)  Between December 1999 and March 2001, ten Cracker Barrel employees filed charges with the State of Illinois and with the EEOC, alleging sexual or racial discrimination.  In 2004, the EEOC brought suit against Cracker Barrel on behalf of the charging parties (the employees).  Cracker Barrel duly filed an insurance claim under its EPLI policy.  

The policy covered “a civil, administrative or arbitration proceeding commenced by the service of a complaint or charge, which is brought by any past, present or prospective employee.” 

The carrier’s claims department and its lawyers took the position that the underlying lawsuit had been brought solely by the EEOC, which was not an employee of Cracker Barrel, and that, therefore, the EEOC lawsuit was not even arguably covered under the definition.  (Maybe I’m jaded  by 26 years of representing policyholders, but to me, that argument didn’t even get past the “red face” test.  Shows what I know.) In response, Cracker Barrel argued that the policy language meant that the underlying complaint or charge must be brought by an employee, not the proceeding; in other words, the proceeding must merely be commenced by a complaint or charge brought by an employee. 

Remarkably (given the generally accepted principle that the policyholder gets the benefit of the doubt when it comes to policy language), the Court bought the carrier’s argument.  The Court wrote:  “The EEOC Lawsuit was not ‘commenced by the service of’ a charge, according to the plain meaning of that language, even though it may have arisen because previous administrative charges brought potentially illegal activity to the EEOC’s attention…The complaint that  commenced the EEOC Lawsuit was not brought  by an employee, and, therefore, even under [Cracker Barrel’s] interpretation of the definition, the lawsuit is not a ‘claim’ under the policies.” 

The judge who wrote the opinion, Senior Judge John T. Nixon of the Middle District of Tennessee, recently awarded $1 million to an employee of Whirlpool for alleged race and sex discrimination.  I have to wonder whether he takes a dim view of management generally, and feels that management needs to be punished for discrimination, without access to insurance.  (Sometimes we forget that judges are people too, and bring their own worldview to the bench, just as jurors bring their life experience to the deliberation room.  In other words, settle whenever you can.) 

In any event, the Cracker Barrel decision seems to miss a major point: the purpose of the policy was to provide protection (in exchange for substantial premiums) against discrimination claims.  If the EEOC brings suit on behalf of an employee, it is the functional equivalent of the employee bringing suit himself.  Judge Nixon elevated form over substance.  You can almost hear the claim department twittering (small “T”).   

Takeaway:  if you have EPLI coverage, go over it with your broker to see what is and isn't covered.  If claims brought by administrative agencies are not covered, see whether you can plug that gap (and how much it would cost to do so).  More importantly, make sure your organization is engaged in good management practices, to minimize the chances of such claims ever happening.     

 

 

 

 

Reformation of Insurance Policies Due To "Mutual Mistake"

Posted by Gene Killian on September 01, 2011

Back in the 1980s, when we were all fighting over the meaning of the “sudden and accidental” pollution exclusion, it became fashionable for coverage lawyers to quote “Alice in Wonderland.”  If memory serves, there was even a battle of law review articles (sponsored by the insurance industry on one side and corporate policyholders on the other) in which the dueling parties tried to out-Lewis-Carroll one another.  

The most favored quotation was the following exchange: 

“When I use a word,” Humpty Dumpty said in a rather scornful tone, “it means just what I choose it to mean – neither more nor less.”  

“The question is,” said Alice, “whether you can make words mean so many different things.”  

“The question is,” said Humpty Dumpty, “which is to be master - - that’s all.”  

I thought of that quote for the first time in a long time when I read the recent Third Circuit decision in Illinois National Insurance Co. v. Wyndham Worldwide Operations, Inc. 

First, the facts: Illinois National sold aircraft fleet management insurance coverage to an aircraft maintenance company called Jet Aviation for successive one-year periods from 2004 through 2008.  The policies provided coverage for Jet Aviation and some of Jet Aviation’s clients, so long as Jet Aviation managed the particular client’s aircraft and aircraft usage.  Wyndham was one of Jet Aviation’s clients (and a named insured under the policy).

In the 2008 renewal, the requirement that Jet Aviation manage the client’s aircraft was deleted and replaced by language stating that the aircraft simply had to be operated or used by a named insured  - not necessarily by Jet Aviation.

You can guess what’s coming next.  Plane crash, five dead, plane rented by Wyndham (a named insured under the policy) - but not managed by Jet Aviation.  Naturally, Humpty Dumpty – er, Illinois National – denied the resulting claim, on the ground that “a word means just what I choose it to mean – neither more nor less.”  Specifically, Illinois National contended that the reason for the wording change was “to make it more clear that entities affiliated with Jet Aviation were covered,” and not to delete the requirement that Jet Aviation manage the aircraft.

The trial court, able to read English, disagreed, holding that there could be no reformation of the contract based on “mutual mistake,” since Wyndham had not even been involved in the contract negotiations. 

Unfortunately, in a 2-1 decision, the appeals court reversed, and bought the Humpty Dumpty argument, writing:  “Jet Aviation and Illinois National agree that their intent, at the time the contract was drafted, was to limit coverage for non-owned aircraft to aircraft used by or at the direction of Jet Aviation.” 

Who cares what Jet Aviation (out to protect its policy limits and not wanting a premium increase) or Illinois National (out to protect its profits) “agreed”? To operate its business, Wyndham – a named insured - was relying on the coverage that Illinois National sold.  If it had known that the coverage was worthless in some circumstances, it might have gone out and bought other, supplemental coverage.  At least Wyndham should have had that opportunity.  But unless and until courts make insurance companies answer to a higher standard (and also make them behave like the fiduciaries they’re supposed to be), insurance companies will continue to make spurious arguments and get away with it.

On the positive side (such as it is), Justice Nygaard (also able to read English) dissented rather vociferously, writing that there “is simply no support in state law for the conclusion that the insurer’s failure to read the plain language of its own policy before issuing it to the insured justifies [disregarding the plain meaning of a contract].”  Sounds like he was inviting a petition for en banc review.

As for the logic of the majority decision, I guess the best thing to do is to quote from the Mock Turtle:  “Well, I never heard it before, but it sounds uncommon nonsense.”     

Insurance coverage for SEC investigations

Posted by Gene Killian on May 24, 2011

The SEC has been getting more and more aggressive with investigations into alleged securities fraud, as well as with filing civil securities fraud actions.  In fact, we just got an SEC securities fraud action dismissed against one of our clients a couple of weeks ago...but it was an expensive fight.  Over at Property Casualty 360, they've posted an excellent article on insurance coverage for SEC investigations.  If you're with a public company, or if you advise public companies, it's worth a read. 

Spider-Man and Event Cancellation Insurance

Posted by Gene Killian on March 10, 2011

This weekend, my family is taking me to see “Spider-Man:  Turn off the Dark” to celebrate the 12th anniversary of my 39th birthday.  (The show is still in interminable previews.)  Given how things have gone so far for Spidey, I’m hoping that one of the actors doesn’t land on my head.  Anyway, over at Property Casualty 360, there’s an interesting piece about event cancellation insurance and how it might work with respect to the many well-publicized problems that have plagued the show.  The article quotes Roger A. Sandau of Doodson Insurance Brokerage, LLC, which specializes in large events internationally, as saying that contingency insurance—also known as non-appearance or event cancellation insurance—was designed for shows where there is a central talent that is part of the performance. In the case of Spider-Man, the delays caused by injuries to key performers “is the type of risk for which this insurance is designed.”

Sandau added, “If the show is shut down for violations of regulations or the law, that is not insurable. Cancellation insurance is not designed to respond.”