Hurricane Harvey has devastated Houston and the Gulf Coast. Hurricane Irma was not as bad as initially feared, but still did substantial damage in Florida and Georgia. Tens of thousands have had their homes and businesses damaged or destroyed and their lives turned upside down. Many are uninsured. Others will learn that their losses are partially covered or not covered at all. We pray for the victims.
My prior post provided a summary of issues regarding insurance coverage for cyber liabilities. My article, Danger in the Wires: Insurance Coverage for Cyber Risks, appears as the lead article in the January 2016 edition of Pratt's Privacy and Cybersecurity Law Review. This article provides a much more detailed treatment. A copy can be accessed through this link to my firm's website. I hope it is useful to you.
We live in a world where hack attacks and cyber breaches are common. In addition to the well-publicized Target and Sony breaches, the federal government just admitted it experienced a breach involving over 20 million individuals, and that included highly sensitive security clearance forms.
The risk is not limited, however, to large companies or the government. Almost every business relies on electronically-stored information in one way or another. But if your company experienced a data breach and was sued, your insurance would cover it, wouldn't it?
The short answer is "maybe, but maybe not." Commercial General Liability ("CGL") policies provide the most common liability coverage for businesses. Most CGL policies are written on forms drafted by the Insurance Services Office ("ISO"), an organization that prepares insurance policy forms for the insurance industry.
The CGL policy used to be called "comprehensive general liability" coverage, but that nomenclature changed in the 1980s. Today, CGL policies are neither that comprehensive nor that general. I have written about the ever-shrinking CGL policy on prior occasions.
In the realm of data breach risks, policyholders have had some luck--but hardly universal luck--in finding coverage under CGL policies. For example, some insureds have been able to recover under "Coverage B" for "personal and advertising injury," which is often defined to include the "offense" of “oral or written publication, in any manner, of material that violates a person’s right of privacy.” The results, however, have been far from uniform. The insurance companies tend to fight these claims hard, and sometimes they win.
More importantly, since 2001, ISO has repeatedly either modified the CGL coverage form or prepared endorsements for CGL policies designed to restrict or eliminate claims for data breaches. An endorsement is simply an amendment to a policy that can either expand or restrict coverage. When a policy contains such restrictive provisions, it becomes even harder to recover.
Unfortunately, my experience is that many businesses have no idea what their policies contain. They do not know, for example, whether their CGL policy, which they may have been faithfully renewing for many years, has been changed to limit coverage for cyber-related risks.
It is not all bad news. If an insured knows about the restrictions, it may be possible for a savvy agent or broker to eliminate restrictive endorsements. Many carriers now also offer stand-alone cyber coverage. ISO has also now promulgated forms for add-on cyber coverage.
This is still, however, an evolving area of insurance. The new policy forms differ greatly. It is difficult to compare offerings. There has also not been much experience with how carriers will, as a practical matter, handle claims. There are indications, however, that some carriers will take aggressive coverage positions even for these specially-designed products.
For now, policyholders will want to assess their risks, and review their coverage. They may want to consider discussing additional coverage options with a broker, and, if necessary, a coverage attorney.
After spending nearly three years at Barnes & Thornburg's Atlanta office, I have begun a new chapter of my career and have joined the Atlanta office of Thompson Hine LLP as a partner. This is a very exciting and important change for me for two primary reasons.
First, the Atlanta office of Thompson Hine is managed by Russ Rogers. Russ is an old and dear friend who began his career in Atlanta working for me as an associate at Long Aldridge & Norman in the 1990s. Russ was the best lawyer I ever worked with, and we had a great deal of success as he rose through the ranks and made partner. Even after Russ made partner, we continued to work together when possible. After we both concluded several years ago that our careers were better served by joining other firms, we continued to collaborate. Russ and I had always hoped that we could end up practicing under the same roof again, and the stars finally aligned to make that possible.
Second, although a large part of my practice involves advising business clients (many of which are international companies) on sales contracts, non-disclosure agreements, insurance, risk management and other matters, I continue to concentrate on complex commercial litigation. I began my career as a litigator, and litigation, arbitration, mediation, and dispute resolution are mainstays in my practice. Thompson Hine's Atlanta office has over 15 lawyers who focus on litigation at many different experience levels. For the past several years, I have lacked support from senior associates and junior partners on litigation matters. It is important for clients (and for me) to have reliable back-up. Thompson Hine provides that.
This change should in no way be viewed as a knock on Barnes & Thornburg. It is a great firm, and it has been a great place to work. I have many friends at BT and hope to be able to work with them in the future. It simply boils down to a judgment that, at this point in my career, and given the mix of attorneys at the respective Atlanta offices, Thompson Hine is a better fit for me.
In terms of what I will be doing, the focus should be largely the same: Representing domestic and international companies in business matters, and also focusing on commercial litigation, arbitration, mediation and dispute resolution. My litigation practice will continue to involve disputes involving insurance coverage, trade secrets, municipalities, financial institutions, contracts, corporations, LLCs, shareholders, and other matters.
I do look forward to working with younger attorneys, and serving as a resource for them, while they serve as a resource for my clients and me. Over the years, many younger lawyers I have worked with have matured into really fine attorneys. Playing just a small part in their success is very rewarding. I really look forward to returning to being a teacher and mentor, which is exactly what I should be doing at this stage of my career.
My friend and partner from BT, Roy Hadley, is also joining Thompson Hine. Roy works with some of my clients, and I work with some of his. Roy will be a strong addition to Thompson Hine's corporate and technology teams, and will ensure that my business clients also have support and back-up.
In addition to Russ, I know many of the attorneys in the Thompson Hine office, and all of the people at the firm have been very supportive and welcoming. It already feels like home.
Many disputes with insurance companies involve litigation. Last week, LexisNexis, the large legal publisher, published a white paper I wrote on strategic considerations in business litigation. Although it is not written specifically for insurance litigation, the principles apply to all business litigation.
A copy can be accessed through this link.
Last week, two of my partners and I gave a presentation to the Japan-American Society of Georgia on Finding Buried Treasure in your Insurance Resources, a subject covered previously on this blog. The presentation included discussions of the difference between "occurrence" and "claims made" policies, and why decades old occurrence policies may still potentially provide coverage for "long tail" environmental and asbestos claims. We also discussed the potential value of the defense obligation under many liability policies, an obligation that may save insureds hundreds of thousands of dollars or more. The presentation also covered how modern commercial general liability (CGL) policies are not so general any more, due to the ever increasing number of exclusions added by carriers. Therefore, particularly in this age of "a la carte" coverage, it is more important than ever to have an experienced insurance agent who takes the time to understand your business and its risks and to procure the necessary coverage. We also discussed common sense steps policyholders can take to maximize their insurance resources.
The presentation included a very lively discussion, which, unfortunately, cannot be reproduced here. However, you can access the slides here.
There may be a few products that are less transparent and more shrouded in mystery than business insurance, but not many. As a coverage attorney, I am usually asked to look at a coverage issue after the fact in the context of whether a claim is covered. Occasionally, I am asked to assist with evaluating coverage while it is being purchased. Based on these experiences, I can only say: “Buyer beware.”
When you go to Best Buy to buy a new TV, you can compare the various models for size, features, and picture quality. When you make a decision and pay your money, you can be quite confident that the TV you take home will perform in the same manner as the demonstration unit in the store.
Buying insurance is much different. First, you buy insurance through an agent. Most businesses, particularly small businesses, seem to do little research or evaluation of the agent. Usually, the reference seems to be from a brother-in-law or similar source who knows “someone” in the insurance business. Just because someone is licensed to sell insurance does not mean they have the necessary experience, competence and professionalism to do a good job.
In fact, many agents do not seem to have a clue about what they are doing. They may spend a little time with a business owner to develop some level of understanding, but seldom seem to take a deep dive into the risks faced by the business. Often, they will sell based on price rather than the breadth of coverage or the quality of the insurer. I have seen a couple of very unfortunate recent instances where agents have placed coverage with large holes in coverage, and without informing the insured.
Many growing businesses may also stay with an agent long after their business has outgrown the sophistication of the agent to analyze and deal with its risks. There is a corresponding tendency simply to renew an existing program year after year, without thorough consideration of whether it meets current needs.
Even with a good agent, the process is often shrouded in mystery. Policies are typically not delivered until months after they are purchased. When they are delivered, the policies will contain exclusions and endorsements. As I have noted previously in this blog, some commercial general liability policies are so heavily endorsed with exclusions that it is difficult to know what they cover.
Because of the mysterious way in which policies are purchased and delivered, it brings to mind Forrest Gump’s mother’s famous comment that “life is like a box of chocolates. You never know what you are going to get.” Unfortunately, many business policyholders do not know what they purchased until they have a major claim.
It does not have to be that way. Here are a few common sense suggestions that may help:
1. Research the background of your agent. What is the agent’s educational background? Does the agent’s educational background include training in risk management and insurance? Although many may not realize it, universities offer degrees in risk management and insurance. Does the agent service other businesses of a similar size and risk profile (or larger) as your company?
2. Is the agent willing to spend time truly learning about your company and its risks? Does it offer risk management services? Basically, what you are trying to determine is whether you are dealing with an “order taker” or a professional who is truly interested in helping protect your company.
3. Before buying, insist that the agent walk you through the basic policy terms, including all endorsements that limit coverage. The quote from the carrier should be based on a particular policy form and schedule of endorsements, which should be available to the agent in specimen form. Although an agent cannot predict how an insurer will handle specific claims (many insurers will try to avoid coverage obligations even when the basis for doing so is weak), this process should help identify potential holes in the program before you buy. If so, the agent may be able to offer specialty products to cover the risk. Note: An agent that takes the time to do this may also be able to offer assistance in dealing with a carrier if the carrier takes an aggressive or unwarranted stance regarding coverage in the event of a claim.
4. In some instances, you may want to involve a policyholder’s coverage attorney in the review process, particularly if your company has an unusual business, faces large risks, or if it has had insurers deny or try to deny claims in the past.
As a policyholder's insurance coverage lawyer, I often battle with claims adjusters and claims counsel for insurance companies. At the same time, as a general proposition (as opposed to particular cases), I do not view the insurance industry as the enemy. Quite to the contrary, a well structured insurance program is a cornerstone -- often the cornerstone -- of a business's risk management program.
That said, I do approach the insurance industry with a healthy dose of caution. There is one certainty about insurance companies: They are always willing to take the premium with a smile. When it comes to handling claims fairly, the results are mixed. Insurance companies often try to limit their exposure at both the micro level and the macro level.
At the micro level, carriers will often deny particular claims or try to limit their exposure. In my view, insurance company claims adjusters often take unjustified positions because they know that few insureds really understand their policies and fewer still understand how policies are supposed to be interpreted. The rule here is simple: If an insurance company issues a strong reservation of rights or an outright denial, seek advice from an experienced coverage attorney. Do not simply accept the determination of your insurance company, or of your own insurance agent, that there is no coverage.
The approach of carriers at the macro level in trying to limit their risks is also not understood by most businesses. Quite simply, again and again, insurance companies have been forced to pay a certain category of claims under commercial general liability (CGL) policies, the most common type of policy issued to businesses. Time and time again, carriers then issue industry-wide endorsements to new policies to try to eliminate exposure for that type of risk. For example, when faced with paying environmental claims in the 1970s and 1980s, carriers responded by adopting the "absolute pollution exclusion" in new policies. When faced with mold claims in the 1990s, carriers responded with fungus exclusions. Apparently perceiving a risk from claims based on silica exposure, the carriers adopted silica exclusions. These are only a few examples.
CGL policies were formerly known as "comprehensive general liability" policies. Now the name has been subtly changed to "commercial general liability" policies, implying a limitation on coverage. As reported previously on this blog, I have seen some CGL policies that are so heavily endorsed with exclusions that it is difficult to determine what risks they intend to cover.
After attempting to choke off coverage under CGL policies, underwriters respond with new policy forms (sometimes by endorsement) offering coverage for specific risks at an additional premium. For example, environmental impairment liability coverage and coverage for on-site clean up costs are now available -- for an additional premium, of course. Carriers now feel, apparently, that they have the expertise to underwrite environmental risks.
How does this rather lengthy exposition fit into the title of this post? Quite simply, it is my belief that we are at the vanguard of an explosion of cyber-related claims. These claims will include first party claims, such as data loss or damage to IT infrastructure by malware and hackers. These claims will also include third party claims, including claims for data breaches involving customer information, which could include claims for compromising confidential information or trade secrets, claims for release of personally identifiable information (such as credit card information) and the like. The cost of responding to a single data breach can be truly staggering.
For more information, I recommend reading this quite comprehensive article from Computerworld. Although one might quibble with particular statements in the article, it does a very good job of laying out the risks, how businesses are currently responding to (or ignoring) the risks, and the issues associated with current insurance products (especially high cost).
One of the key points in the Computerworld article is that legal and risk management departments often do not interact with the IT department in identifying risks and considering whether they should be insured. This observation is consistent with an article that I wrote last year in TechJournalSouth regarding the need for a comprehensive management approach for cyber-related risks. Only a full understanding of cyber risks across the enterprise will allow management to respond appropriately.
Companies should carefully consider their cyber-related risks across management and reporting lines. Companies should involve third party security and IT experts as necessary. Businesses should consult with experienced insurance brokers who fully understand the current insurance options and that are willing to spend the time necessary to help a business evaluate its risks. Although it is not always necessary, involving coverage counsel in the effort should also be considered.
From an insurance claims perspective, businesses should be aware that carriers will, rightly or wrongly, try to deny coverage for most cyber-related claims under CGL policies. My experience also suggests that, even when a business has purchased insurance for cyber-related risks, insurance company claims adjusters and attorneys may balk at recognizing the coverage obligation. Businesses faced with such a scenario need to involve coverage counsel and to push back.
As 2011 comes to a close, it may be remembered as the "year of the hack." This morning, we learned of an attack on Christmas day that compromised an information security firm, supposedly putting at risk information from the Department of Defense and allegedly exposing 90,000 credit card numbers. This is only the latest in a year that has had one high profile attack after another. For a review of some of the year's high profile hacks, click here. In addition to hacking and data breaches, 2011 also saw a large scale outage from a well-known cloud services provider, disrupting businesses using the service.
If you think your business is not at risk, think again. Reflect on how central computers and IT have become even to "old fashioned" businesses. I can remember practicing law without a computer in my office. In those days, you relied on a dictaphone or even a legal pad to compose letters and write legal briefs, and, although our assistants had computer terminals for the mainframe, the good old IBM Selectric typewriter was there in case of a computer failure. Lawyers just a few years older than me can remember when there were no computers, and copies of letters were actually produced on carbon paper.
Law is not considered a particularly high tech profession, but those days are long gone. We are now completely dependent on our computers and computer networks. The vast majority of communications are by email. Court filings are either exclusively electronic in the federal courts or are gradually going that way in the state courts. Most law firms have dispensed with law libraries and now rely on computer services such as Lexis/Nexis and Westlaw.
If this is true for a somewhat stodgy profession such as the law, it is true for just about every business. Computers and the Internet have become to most of us in business what a hammer and saw are to a carpenter: Key tools that are necessary to get anything done. Even for those of us who remember doing things the old way, there is no going back. Steve Jobs and Bill Gates aimed to change the world, and they did.
Despite the importance of computer systems and IT to businesses, many businesses have not taken basic steps to secure their information, much less protect against outside attack. Tough management that asks the right questions and implements the right policies and procedures will help minimize the risk. The IT security professionals that I have spoken to stress that the vast majority of incidents they see -- resulting in data loss, trade secret theft, or system failure -- could be prevented by better procedures.
If your company has outsourced, for example, to a cloud services provider, it needs to know what the services provider is expected to do in the event of an outage. If the cloud provider goes down, your business may go down with it. You need to understand the risks. Hint: Most form terms and conditions from providers limit any meaningful liability.
No matter what steps are taken, however, businesses will remain at risk for data loss and hacking. The costs associated with a data breach can be staggering. If you think your insurance will protect your business, you may be in for a nasty surprise. As the New York Times recently pointed out, insurers will try to avoid coverage for data loss and data breach under most conventional policies. As the article also points out, insurers are responding to the need by making new policies available that provide coverage.
If your business has not considered these issues thoroughly, what should you do? Start with the following:
1. Do a thorough review of your IT policies and procedures. If you use a cloud provider, understand what the contract provides and what the provider will do in the event of an outage. Consider engaging counsel and an IT security expert to assist. I am not an expert in IT policies and procedures, but I have followed this area closely. If you need help, contact me and I will put you in touch with one of our firm's experts or an outside expert.
2. Review your existing insurance coverage and consider purchasing insurance for added protection. This is not an area that you want to trust to a small time agent who mainly writes auto policies. There are many different products out there and they all cover different things. You need to consult with an expert in the field. If your business is at all complex, you may also want to involve coverage counsel in reviewing your company's situation. Again, if you need help, feel free to contact me.
3. If you have a breach or a data loss, you still may have coverage even if you have not purchased special insurance. Although insurers who write commercial general liability policies have tried to limit coverage for such losses, an experienced coverage lawyer may still be able to help. It depends on the type of loss, the policy, and the jurisdiction. In addition, some policies contain endorsements that may provide at least some level of coverage. Note: I am not suggesting that you simply take a chance and assume your existing coverage may be adequate. You should still review it. However, if you do have a loss, as always, do not believe your insurer's statement (or your agent's statement) that there is no coverage until you consult with an experienced coverage attorney. Again, if you need help, contact me and I will try to assist.
We live in a world that has become dependent on computers and the Internet. Although technology changes and opens new opportunities, human nature and human fallibility do not change. Anything that is made by human beings can fail and there will always be crooks and rogues among us looking to steal and disrupt. As always, the rest of us have to adapt and be vigilant.
John L. Watkins
John Watkins is a Partner with Thompson Hine LLP in Atlanta, Georgia, who represents business policyholders in claims and disputes with their insurance companies.