As 2011 comes to a close, it may be remembered as the "year of the hack." This morning, we learned of an attack on Christmas day that compromised an information security firm, supposedly putting at risk information from the Department of Defense and allegedly exposing 90,000 credit card numbers. This is only the latest in a year that has had one profile attack after another. For a review of some of the year's high profile hacks, click here. In addition to hacking and data breaches, 2011 also saw a large scale outage from a well-known cloud services provider, disrupting businesses using the service.

If you think your business is not at risk, think again. Reflect on how central computers and IT have become even to "old fashioned" businesses. I can remember practicing law without a computer in my office. In those days, you relied on a dictaphone or even a legal pad to compose letters and write legal briefs, and, although our assistants had computer terminals for the mainframe, the good old IBM Selectric typewriter was there in case of a computer failure. Lawyers just a few years older than me can remember when there were no computers, and copies of letters were actually produced on carbon paper.

Law is not considered a particularly high tech profession, but those days are long gone. We are now completely dependent on our computers and computer networks. The vast majority of communications are by email. Court filings are either exclusively electronic in the federal courts or are gradually going that way in the state courts. Most law firms have dispensed with law libraries and now rely on computer services such as Lexis/Nexis and Westlaw.

If this is true for a somewhat stodgy profession such as the law, it is true for just about every business. Computers and the Internet have become to most of us in business what a hammer and saw are to a carpenter: Key tools that are necessary to get anything done. Even for those of us who remember doing things the old way, there is no going back. Steve Jobs and Bill Gates aimed to change the world, and they did.

Despite the importance of computer systems and IT to businesses, many businesses have not taken basic steps to secure their information, much less prevent against outside attack. Tough management that asks the right questions and implements the right policies and procedures will help minimize the risk. The IT security professionals that I have spoken to stress that the vast majority of incidents they see -- resulting in data loss, trade secret theft, or system failure -- could be prevented by better procedures.

If your company has outsourced, for example, to a cloud services provider, it needs to know what the services provider is expected to do in the event of an outage. If the cloud provider goes down, your business may go down with it. You need to understand the risks. Hint: Most form terms and conditions from providers limit any meaningful liability.

No matter what steps are taken, however, businesses will remain at risk for data loss and hacking. The costs associated with a data breach can be staggering. If you think your insurance will protect your business, you may be in for a nasty surprise. As the New York Times recently pointed out, insurers will try to avoid coverage for data loss and data breach under most conventional policies. As the article also points out, insurers are responding to the need by making new policies available that provide coverage.

If your business has not considered these issues thoroughly, what should you do? Start with the following:

1. Do a thorough review of your IT policies and procedures. If you use a cloud provider, understand what the contract provides and what the provider will do in the event of an outage. Consider engaging counsel and an IT security expert to help assist. This is not an area I am an expert in IT policies and procedures, but have followed this area closely. If you need help, contact me and I will put you in touch with one of our firm's experts or an outside expert.

2. Review your existing insurance coverage and consider purchasing insurance for added protection. This is not an area that you want to trust to a small time agent who mainly writes auto policies. There are many different products out there and they all cover different things. You need to consult with an expert in the field. If your business is at all complex, you may also want to involve coverage counsel in reviewing your company's situation. Again, if you need help, feel free to contact me.

3. If you have a breach or a data loss, you still may have coverage even if you have not purchased special insurance. Although insurers who write commercial general liability policies have tried to limit coverage for such losses, an experienced coverage lawyer may still be able to help. It depends on the type of loss, the policy, and the jurisdiction. In addition, some policies contain endorsements that may provide at least some level of coverage. Note: I am not suggesting that you simply take a chance and assume your existing coverage may be adequate. You should still review it. However, if you do have a loss, as always, do not believe your insurer's statement (or your agent's statement) that there is no coverage until you consult with an experienced coverage attorney. Again, if you need help, contact me and I will try to assist.

We live in a world that has become dependent on computers and the Internet. Although technology changes and opens new opportunities, human nature and human fallibility does not change. Anything that is made by human beings can fail and there will always be crooks and rogues among us looking to steal and disrupt. As always, the rest of us have to adapt and be vigilant.

In an earlier post, I discussed the growing efforts of insurers to exclude and endorse away coverage under commercial general liability (CGL) policies. Because CGL policies are often marketed as a first line of defense for businesses, policyholders need to make sure that they understand the limitations on their CGL coverage. An experienced agent or broker can often assist in plugging the gaps that often exist in CGL coverage, either by obtaining endosements that limit exclusions or through coverage designed to cover specific risks.

I want to make clear, however, that a policyholder should never accept at face value an insurer's determination that a claim is not covered under a CGL policy (or any other policy for that matter). Because CGL policies are written in general terms, because most courts construe ambiguities against insurers, and because most courts interpret exclusions narrowly, insurers are not always successful in their efforts to limit coverage.

For example, earlier this year, the Supreme Court of Georgia rejected an insurer's argument that negligent construction was not an "occurrence" under a CGL policy.  This decision was in the face of a number of prior decisions from the United States District Court for the Northern District of Georgia that had accepted the argument. Because the Supreme Court of Georgia has the last word in interpreting Georgia law, this contentious issue has now been decided in favor of Georgia policyholders. The law in other states varies.

Similarly, notwithstanding the breadth of the so-called "absolute pollution exclusion," it may be possible to obtain coverage under a CGL policy when a carrier denies a claim based on this exclusion. Carriers may have overplayed their hand in some instances in arguing that various substances are "pollutants." For example, the Georgia Court of Appeals declined to apply the pollution exclusion to a claim involving injuries caused by exposure to natural gas.

It goes without saying that every case is different and largely depends on its own facts. The law often differs from state to state. However, despite their efforts to restrict coverage, many carriers have been ordered to pay claims under CGL policies that they tried to deny. As stated, never accept at face value a carrier's determination that a claim is not covered.
I recently wrote an article published in the American Bar Association's "Construct!" newsletter. A copy of the article can be accessed here. Although the article deals with construction claims, much of what is said applies to any claim where an insurer reserves rights or where an insurer is defending a claim, but does not appear to be taking proactive steps to resolve it. Thanks to the ABA for permitting me to post a link to this article.
The commercial general liability ("CGL") policy has been a staple insurance product and a cornerstone of many companies' risk management programs for many years. Consistent with the name ("general" liability insurance), this coverage is often sold, sometimes in conjunction with "umbrella" policies, as covering "everything else." What is "everything else?" For a small to medium-sized business, this may be interpreted to mean "everything" not covered by worker's compensation, automobile, and perhaps employer's liability coverage.

The reality is that insurance company claims adjusters and coverage attorneys often interpret CGL policies so narrowly that it is difficult to determine what, if anything, would be covered. These narrow interpretations are buttressed by many exclusions that insurance companies add to CGL policies, either in the body of the policy or by endorsements that are stapled to the policy form. I recently reviewed a CGL policy issued by a major insurer that was endorsed with almost 20 exclusions.

Here is what happens in the real world: Insurers are forced to pay for losses under CGL policies that result in substantial losses. After a round of losses, the insurers endorse new or renewed policies to include "absolute" exclusions. Examples of this behavior include the absolute pollution exclusion adopted in the 1980s in response to environmental claims, and, more recently, fungus exclusions adopted in response to mold claims. Insurers are now trying to avoid losses related to electronically stored data and cyber liability (watch for posts on this burgeoning area in coming months).

After restricting coverage under CGL policies, insurance companies will often begin writing "special" coverage to cover the now-excluded losses, but at an additional premium, of course. For example, many insurers now sell environmental impairment liability coverage.

It never ceases to amaze me the lengths that insurance companies will go to in denying claims. With respect to CGL exclusions, one of the favorite exclusions that claims adjusters like to raise is loss "expected or intended" by the insured. It is not surprising that losses that are truly intentionally caused are not covered. However, many carrier representatives seem to believe that if a loss was conceivably foreseeable, it was "expected or intended."

Another favorite is the pollution exclusion. Claims adjusters are often very creative when it comes to arguing that accidents were caused by "pollutants." These arguments are buttressed by the definition of "pollutants," which are defined generally as "irritants" or "contaminants." Because just about any substance can, in the appropriate circumstances, be an "irritant" or "contaminant," the definition encourages claims adjusters to take aggressive positions in denying claims. Unfortunately, some courts have accepted these positions, while other courts have not.

If a carrier denies a claim based on exclusions, do not assume all is lost. Courts often do not uphold the interpretation advanced by the insurance company. Before you accept a denial, see a policyholder's coverage attorney.

Here are the immediate takeaways from this post:

  • Do not assume that your CGL policies covers "everything else."
  • Make sure that your agent or broker walks you through each of the exclusions. 
  • Be sure that your agent or broker goes over any additional coverage that you may need to plug any gaps.
  • Do not accept the insurance company's determination that a claim is not covered. See a coverage attorney.
Over the years, many of my clients have been manufacturers and distributors, many of them international companies. One of the most fundamental principles of risk management for these companies is to make sure they have a well structured insurance program. Having adequate insurance literally makes doing business in the U.S. -- notorious for its litigious nature -- possible.

International companies considering doing business in the U.S. are often told they need an accountant, and turn to an accountant to set up their business. In my view, using only an accountant is a fundamental mistake. In reality, a company doing business in the U.S. needs to engage three professionals: a business attorney, an insurance broker or agent, and an accountant. Ideally, these professionals should work together to limit the company's business risk. The same is true for new domestic companies.

This blog, however, is about insurance, so let's focus on that topic. Insurance companies make the promise of protection. Insurance companies often design and promote new products to deal with unique risks. Just this morning, I found announcements from insurers or brokers offering comprehensive pollution coverage and coverage for Foreign Corrupt Practices Act Liability. I also found an interesting piece about why privately held companies are considering (and need to consider) directors and officers liability coverage. Note: I provide links to these announcements only for informational purposes. I have not analyzed any of the products mentioned and do not endorse them. The reader must investigate any insurance product or service at its own risk.

Although it is a good thing that insurers and brokers are developing new products that can assist businesses in controlling risks, I must sound two words of caution. First, the reason that companies are coming out with these focused products is because they have tried to limit the coverage available under more traditional coverage, such as commercial general liability ("CGL") policies. I often see CGL policies that are so limited by exclusions and endorsements that calling them "general" liability policies borders on absurdity.

Second, even when these newly designed policies clearly provide coverage, that does not mean the claims department will acknowledge coverage. Here's a little secret about insurance companies: There is often little coordination between the underwriting department and the claims department. When underwriters design coverages for non-traditional risks and to bring in new premium dollars, it seems they do not tell the claims department. When the claims come in, as they inevitably will, the claims department may ignore the broader grant of coverage and deny the claim. I have seen this happen. If this happens, call an insurance coverage lawyer.

So there it is: Love and hate. I love insurance companies because they allow businesses to limit and control their risks in a litigious environment. I hate them for trying to endorse away their general coverage and when the claims department does not live up to the promises of the underwriters.