Last week, two of my partners and I gave a presentation to the Japan-American Society of Georgia on Finding Buried Treasure in your Insurance Resources, a subject covered previously on this blog. The presentation included discussions of the difference between "occurrence" and "claims made" policies, and why decades old occurrence policies may still potentially provide coverage for "long tail" environmental and asbestos claims. We also discussed the potential value of the defense obligation under many liability policies, an obligation that may save insureds hundreds of thousands of dollars or more. The presentation also covered how modern commercial general liability (CGL) policies are not so general any more, due to the ever increasing number of exclusions added by carriers. Therefore, particularly in this age of "a la carte" coverage, it is more important than ever to have an experienced insurance agent who takes the time to understand your business and its risks and to procure the necessary coverage. We also discussed common sense steps policyholders can take to maximize their insurance resources.
The presentation included a very lively discussion, which, unfortunately, cannot be reproduced here. However, you can access the slides here.
There may be a few products that are less transparent and more shrouded in mystery than business insurance, but not many. As a coverage attorney, I am usually asked to look at a coverage issue after the fact in the context of whether a claim is covered. Occasionally, I am asked to assist with evaluating coverage while it is being purchased. Based on these experiences, I can only say: “Buyer beware.”
When you go to Best Buy to buy a new TV, you can compare the various models for size, features, and picture quality. When you make a decision and pay your money, you can be quite confident that the TV you take home will perform in the same manner as the demonstration unit in the store.
Buying insurance is much different. First, you buy insurance through an agent. Most businesses, particularly small businesses, seem to do little research or evaluation of the agent. Usually, the reference seems to be from a brother-in-law or similar source who knows “someone” in the insurance business. Just because someone is licensed to sell insurance does not mean they have the necessary experience, competence and professionalism to do a good job.
In fact, many agents do not seem to have a clue about what they are doing. They may spend a little time with a business owner to develop some level of understanding, but seldom seem to take a deep dive into the risks faced by the business. Often, they will sell based on price rather than the breadth of coverage or the quality of the insurer. I have seen a couple of very unfortunate recent instances where agents have placed coverage with large holes in coverage, and without informing the insured.
Many growing businesses may also stay with an agent long after their business has outgrown the sophistication of the agent to analyze and deal with its risks. There is a corresponding tendency simply to renew an existing program year after year, without thorough consideration of whether it meets current needs.
Even with a good agent, the process is often shrouded in mystery. Policies are typically not delivered until months after they are purchased. When they are delivered, the policies will contain exclusions and endorsements. As I have noted previously in this blog, some commercial general liability policies are so heavily endorsed with exclusions that it is difficult to know what they cover.
Because of the mysterious way in which policies are purchased and delivered, it brings to mind Forrest Gump’s mother’s famous comment that “life is like a box of chocolates. You never know what you are going to get.” Unfortunately, many business policyholders do not know what they purchased until they have a major claim.
It does not have to be that way. Here are a few common sense suggestions that may help:
1. Research the background of your agent. What is the agent’s educational background? Does the agent’s educational background include training in risk management and insurance? Although many may not realize it, universities offer degrees in risk management and insurance. Does the agent service other businesses of a similar size and risk profile (or larger) as your company?
2. Is the agent willing to spend time truly learning about your company and its risks? Does it offer risk management services? Basically, what you are trying to determine is whether you are dealing with an “order taker” or a professional who is truly interested in helping protect your company.
3. Before buying, insist that the agent walk you through the basic policy terms, including all endorsements that limit coverage. The quote from the carrier should be based on a particular policy form and schedule of endorsements, which should be available to the agent in specimen form. Although an agent cannot predict how an insurer will handle specific claims (many insurers will try to avoid coverage obligations even when the basis for doing so is weak), this process should help identify potential holes in the program before you buy. If so, the agent may be able to offer specialty products to cover the risk. Note: An agent that takes the time to do this may also be able to offer assistance in dealing with a carrier if the carrier takes an aggressive or unwarranted stance regarding coverage in the event of a claim.
4. In some instances, you may want to involve a policyholder’s coverage attorney in the review process, particularly if your company has an unusual business, faces large risks, or if it has had insurers deny or try to deny claims in the past.
As a policyholder's insurance coverage lawyer, I often battle with claims adjusters and claims counsel for insurance companies. At the same time, as a general proposition (as opposed to particular cases), I do not view the insurance industry as the enemy. Quite to the contrary, a well structured insurance program is a cornerstone -- often the cornerstone -- of a business's risk management program.
That said, I do approach the insurance industry with a healthy dose of caution. There is one certainty about insurance companies: They are always willing to take the premium with a smile. When it comes to handling claims fairly, the results are mixed. Insurance companies often try to limit their exposure at both the micro level and the macro level.
At the micro level, carriers will often deny particular claims or try to limit their exposure. In my view, insurance company claims adjusters often take unjustified positions because they know that few insureds really understand their policies and fewer still understand how policies are supposed to be interpreted. The rule here is simple: If an insurance company issues a strong reservation of rights or an outright denial, seek advice from an experienced coverage attorney. Do not simply accept the determination of your insurance company, or of your own insurance agent, that there is no coverage.
The approach of carriers at the macro level in trying to limit their risks is also not understood by most businesses. Quite simply, again and again, insurance companies have been forced to pay a certain category of clams under commercial general liability (CGL) policies, the most common type of policy issued to businesses. Time and time again, carriers then issue industry-wide endorsements to new policies to try to eliminate exposure for that type of risk. For example, when faced with paying environmental claims in the 1970s and 1980s, carriers responded by adopting the "absolute pollution exclusion" in new policies. When faced with mold claims in the 1990s, carriers responded with fungus exclusions. Apparently perceiving a risk from claims based on silica exposure, the carriers adopted silica exclusions. These are only a few examples.
CGL policies were formerly known as "comprehensive general liability" policies. Now the name has been subtly changed to "commercial general liability" policies, implying a limitation on coverage. As reported previously on this blog, I have seen some CGL policies that are so heavily endorsed with exclusions that it is difficult to determine what risks they intend to cover.
After attempting to choke off coverage under CGL policies, underwriters respond with new policy forms (sometimes by endorsement) offering coverage for specific risks at an additional premium. For example, environmental impairment liability coverage and coverage for on-site clean up costs are now available -- for an additional premium, of course. Carriers now feel, apparently, that they have the expertise to underwrite environmental risks.
How does this rather lengthy exposition fit into the title of this post? Quite simply, it is my belief that we are at the vanguard of an explosion of cyber-related claims. These claims will include first party claims, such as data loss or damage to IT infrastructure by malware and hackers. These claims will also include third party claims, including clams for data breaches involving customer information, which could include claims for compromising confidential information or trade secrets, claims for release of personally identifiable information (such as credit card information) and the like. The cost of responding to a single data breach can be truly staggering.
For more information, I recommend reading this quite comprehensive article from Computerworld. Although one might quibble with particular statements in the article, it does a very good job of laying out the risks, how businesses are currently responding to (or ignoring) the risks, and the issues associated with current insurance products (especially high cost).
One of the key points in the Computerworld article is that legal and risk management departments often do not interact with the IT department in identifying risks and considering whether they should be insured. This observation is consistent with an article that I wrote last year in TechJournalSouth regarding the need for a comprehensive management approach for cyber-related risks. Only a full understanding of cyber risks across the enterprise will allow management to respond appropriately.
Companies should carefully consider their cyber-related risks across management and reporting lines. Companies should involve third party security and IT experts as necessary. Businesses should consult with experienced insurance brokers who fully understand the current insurance options and that are willing to spend the time necessary to help a business evaluate its risks. Although it is not always necessary, involving coverage counsel in the effort should also be considered.
From an insurance claims perspective, businesses should be aware that carriers will, rightly or wrongly, try to deny coverage for most cyber-related claims under CGL policies. My experience also suggests that, even when a business has purchased insurance for cyber-related risks, insurance company claims adjusters and attorneys may balk at recognizing the coverage obligation. Businesses faced with such a scenario need to involve coverage counsel and to push back.
As 2011 comes to a close, it may be remembered as the "year of the hack." This morning, we learned of an attack on Christmas day that compromised an information security firm, supposedly putting at risk information from the Department of Defense and allegedly exposing 90,000 credit card numbers. This is only the latest in a year that has had one profile attack after another. For a review of some of the year's high profile hacks, click here. In addition to hacking and data breaches, 2011 also saw a large scale outage from a well-known cloud services provider, disrupting businesses using the service.
If you think your business is not at risk, think again. Reflect on how central computers and IT have become even to "old fashioned" businesses. I can remember practicing law without a computer in my office. In those days, you relied on a dictaphone or even a legal pad to compose letters and write legal briefs, and, although our assistants had computer terminals for the mainframe, the good old IBM Selectric typewriter was there in case of a computer failure. Lawyers just a few years older than me can remember when there were no computers, and copies of letters were actually produced on carbon paper.
Law is not considered a particularly high tech profession, but those days are long gone. We are now completely dependent on our computers and computer networks. The vast majority of communications are by email. Court filings are either exclusively electronic in the federal courts or are gradually going that way in the state courts. Most law firms have dispensed with law libraries and now rely on computer services such as Lexis/Nexis and Westlaw.
If this is true for a somewhat stodgy profession such as the law, it is true for just about every business. Computers and the Internet have become to most of us in business what a hammer and saw are to a carpenter: Key tools that are necessary to get anything done. Even for those of us who remember doing things the old way, there is no going back. Steve Jobs and Bill Gates aimed to change the world, and they did.
Despite the importance of computer systems and IT to businesses, many businesses have not taken basic steps to secure their information, much less prevent against outside attack. Tough management that asks the right questions and implements the right policies and procedures will help minimize the risk. The IT security professionals that I have spoken to stress that the vast majority of incidents they see -- resulting in data loss, trade secret theft, or system failure -- could be prevented by better procedures.
If your company has outsourced, for example, to a cloud services provider, it needs to know what the services provider is expected to do in the event of an outage. If the cloud provider goes down, your business may go down with it. You need to understand the risks. Hint: Most form terms and conditions from providers limit any meaningful liability.
No matter what steps are taken, however, businesses will remain at risk for data loss and hacking. The costs associated with a data breach can be staggering. If you think your insurance will protect your business, you may be in for a nasty surprise. As the New York Times recently pointed out, insurers will try to avoid coverage for data loss and data breach under most conventional policies. As the article also points out, insurers are responding to the need by making new policies available that provide coverage.
If your business has not considered these issues thoroughly, what should you do? Start with the following:
1. Do a thorough review of your IT policies and procedures. If you use a cloud provider, understand what the contract provides and what the provider will do in the event of an outage. Consider engaging counsel and an IT security expert to help assist. This is not an area I am an expert in IT policies and procedures, but have followed this area closely. If you need help, contact me and I will put you in touch with one of our firm's experts or an outside expert.
2. Review your existing insurance coverage and consider purchasing insurance for added protection. This is not an area that you want to trust to a small time agent who mainly writes auto policies. There are many different products out there and they all cover different things. You need to consult with an expert in the field. If your business is at all complex, you may also want to involve coverage counsel in reviewing your company's situation. Again, if you need help, feel free to contact me.
3. If you have a breach or a data loss, you still may have coverage even if you have not purchased special insurance. Although insurers who write commercial general liability policies have tried to limit coverage for such losses, an experienced coverage lawyer may still be able to help. It depends on the type of loss, the policy, and the jurisdiction. In addition, some policies contain endorsements that may provide at least some level of coverage. Note: I am not suggesting that you simply take a chance and assume your existing coverage may be adequate. You should still review it. However, if you do have a loss, as always, do not believe your insurer's statement (or your agent's statement) that there is no coverage until you consult with an experienced coverage attorney. Again, if you need help, contact me and I will try to assist.
We live in a world that has become dependent on computers and the Internet. Although technology changes and opens new opportunities, human nature and human fallibility does not change. Anything that is made by human beings can fail and there will always be crooks and rogues among us looking to steal and disrupt. As always, the rest of us have to adapt and be vigilant.
Many companies are sitting on buried treasure and are not even aware of it. Where is the buried treasure? It's in their insurance policies. Many older insurance policies may provide coverage for liabilities resulting from long-tail exposures, such as environmental claims and asbestos claims. Older policies may lack exclusions, such as the "absolute" pollution exclusion, that are prevalent in more recent policies. These older policies can sometimes provide literally millions of dollars to pay defense costs and to respond to claims for bodily injury or property damage.
Buried treasure may also be found in claims files. A company may have put a carrier on notice of a claim which the carrier denied. Several years later, the company may have come out of pocket hundreds of thousands or even millions of dollars to defend and settle the claim. The carrier may have erroneously denied the claim, or it may have taken an aggressive position not clearly supported by the law. Sometimes, the law may have changed in a way that no longer supports the denial. In such instances, it may be possible to recover some or all of the defense and settlement costs.
For more information on finding buried treasure in your insurance policies, check out this article that I wrote with my law partner, Jim Leonard, that appeared in the Corporate Counselor. If your company has long tail liabilities or regularly faces claims, it is worth the time to consult with coverage counsel. Even if you have a single significant claim that has been denied, you should consider having coverage counsel review the denial.
My article on American Empire Surplus Lines v. Hathaway Development Co. appeared as the lead article in this month's Georgia Bar Journal.
Hathaway is a very important case decided by the Supreme Court of Georgia which holds that negligent construction is an "occurrence" under a commercial general liability (CGL) insurance policy. Hathway effectively overrules a line of cases decided in the federal courts in Georgia, applying Georgia law, that held to the contrary. Hathaway provides substantial rights for Georgia insureds facing construction defect claims. The law of other states varies, but the trend in the decisions appears to be in the direction of the result in Hathaway.
The article, reprinted from the Georgia Bar Journal, can be accessed here.
In an earlier post, I discussed the growing efforts of insurers to exclude and endorse away coverage under commercial general liability (CGL) policies. Because CGL policies are often marketed as a first line of defense for businesses, policyholders need to make sure that they understand the limitations on their CGL coverage. An experienced agent or broker can often assist in plugging the gaps that often exist in CGL coverage, either by obtaining endosements that limit exclusions or through coverage designed to cover specific risks.
I want to make clear, however, that a policyholder should never accept at face value an insurer's determination that a claim is not covered under a CGL policy (or any other policy for that matter). Because CGL policies are written in general terms, because most courts construe ambiguities against insurers, and because most courts interpret exclusions narrowly, insurers are not always successful in their efforts to limit coverage.
For example, earlier this year, the Supreme Court of Georgia rejected an insurer's argument that negligent construction was not an "occurrence" under a CGL policy. This decision was in the face of a number of prior decisions from the United States District Court for the Northern District of Georgia that had accepted the argument. Because the Supreme Court of Georgia has the last word in interpreting Georgia law, this contentious issue has now been decided in favor of Georgia policyholders. The law in other states varies.
Similarly, notwithstanding the breadth of the so-called "absolute pollution exclusion," it may be possible to obtain coverage under a CGL policy when a carrier denies a claim based on this exclusion. Carriers may have overplayed their hand in some instances in arguing that various substances are "pollutants." For example, the Georgia Court of Appeals declined to apply the pollution exclusion to a claim involving injuries caused by exposure to natural gas.
It goes without saying that every case is different and largely depends on its own facts. The law often differs from state to state. However, despite their efforts to restrict coverage, many carriers have been ordered to pay claims under CGL policies that they tried to deny. As stated, never accept at face value a carrier's determination that a claim is not covered.
I recently wrote an article published in the American Bar Association's "Construct!" newsletter. A copy of the article can be accessed here. Although the article deals with construction claims, much of what is said applies to any claim where an insurer reserves rights or where an insurer is defending a claim, but does not appear to be taking proactive steps to resolve it. Thanks to the ABA for permitting me to post a link to this article.
The commercial general liability ("CGL") policy has been a staple insurance product and a cornerstone of many companies' risk management programs for many years. Consistent with the name ("general" liability insurance), this coverage is often sold, sometimes in conjunction with "umbrella" policies, as covering "everything else." What is "everything else?" For a small to medium-sized business, this may be interpreted to mean "everything" not covered by worker's compensation, automobile, and perhaps employer's liability coverage.
The reality is that insurance company claims adjusters and coverage attorneys often interpret CGL policies so narrowly that it is difficult to determine what, if anything, would be covered. These narrow interpretations are buttressed by many exclusions that insurance companies add to CGL policies, either in the body of the policy or by endorsements that are stapled to the policy form. I recently reviewed a CGL policy issued by a major insurer that was endorsed with almost 20 exclusions.
Here is what happens in the real world: Insurers are forced to pay for losses under CGL policies that result in substantial losses. After a round of losses, the insurers endorse new or renewed policies to include "absolute" exclusions. Examples of this behavior include the absolute pollution exclusion adopted in the 1980s in response to environmental claims, and, more recently, fungus exclusions adopted in response to mold claims. Insurers are now trying to avoid losses related to electronically stored data and cyber liability (watch for posts on this burgeoning area in coming months).
After restricting coverage under CGL policies, insurance companies will often begin writing "special" coverage to cover the now-excluded losses, but at an additional premium, of course. For example, many insurers now sell environmental impairment liability coverage.
It never ceases to amaze me the lengths that insurance companies will go to in denying claims. With respect to CGL exclusions, one of the favorite exclusions that claims adjusters like to raise is loss "expected or intended" by the insured. It is not surprising that losses that are truly intentionally caused are not covered. However, many carrier representatives seem to believe that if a loss was conceivably foreseeable, it was "expected or intended."
Another favorite is the pollution exclusion. Claims adjusters are often very creative when it comes to arguing that accidents were caused by "pollutants." These arguments are buttressed by the definition of "pollutants," which are defined generally as "irritants" or "contaminants." Because just about any substance can, in the appropriate circumstances, be an "irritant" or "contaminant," the definition encourages claims adjusters to take aggressive positions in denying claims. Unfortunately, some courts have accepted these positions, while other courts have not.
If a carrier denies a claim based on exclusions, do not assume all is lost. Courts often do not uphold the interpretation advanced by the insurance company. Before you accept a denial, see a policyholder's coverage attorney.
Here are the immediate takeaways from this post:
Over the years, many of my clients have been manufacturers and distributors, many of them international companies. One of the most fundamental principles of risk management for these companies is to make sure they have a well structured insurance program. Having adequate insurance literally makes doing business in the U.S. -- notorious for its litigious nature -- possible.
International companies considering doing business in the U.S. are often told they need an accountant, and turn to an accountant to set up their business. In my view, using only an accountant is a fundamental mistake. In reality, a company doing business in the U.S. needs to engage three professionals: a business attorney, an insurance broker or agent, and an accountant. Ideally, these professionals should work together to limit the company's business risk. The same is true for new domestic companies.
This blog, however, is about insurance, so let's focus on that topic. Insurance companies make the promise of protection. Insurance companies often design and promote new products to deal with unique risks. Just this morning, I found announcements from insurers or brokers offering comprehensive pollution coverage and coverage for Foreign Corrupt Practices Act Liability. I also found an interesting piece about why privately held companies are considering (and need to consider) directors and officers liability coverage. Note: I provide links to these announcements only for informational purposes. I have not analyzed any of the products mentioned and do not endorse them. The reader must investigate any insurance product or service at its own risk.
Although it is a good thing that insurers and brokers are developing new products that can assist businesses in controlling risks, I must sound two words of caution. First, the reason that companies are coming out with these focused products is because they have tried to limit the coverage available under more traditional coverage, such as commercial general liability ("CGL") policies. I often see CGL policies that are so limited by exclusions and endorsements that calling them "general" liability policies borders on absurdity.
Second, even when these newly designed policies clearly provide coverage, that does not mean the claims department will acknowledge coverage. Here's a little secret about insurance companies: There is often little coordination between the underwriting department and the claims department. When underwriters design coverages for non-traditional risks and to bring in new premium dollars, it seems they do not tell the claims department. When the claims come in, as they inevitably will, the claims department may ignore the broader grant of coverage and deny the claim. I have seen this happen. If this happens, call an insurance coverage lawyer.
So there it is: Love and hate. I love insurance companies because they allow businesses to limit and control their risks in a litigious environment. I hate them for trying to endorse away their general coverage and when the claims department does not live up to the promises of the underwriters.
John L. Watkins
John Watkins is a Partner with Thompson Hine LLP in Atlanta, Georgia, who represents business policyholders in claims and disputes with their insurance companies.