Last week, two of my partners and I gave a presentation to the Japan-American Society of Georgia on Finding Buried Treasure in your Insurance Resources, a subject covered previously on this blog. The presentation included discussions of the difference between "occurrence" and "claims made" policies, and why decades old occurrence policies may still potentially provide coverage for "long tail" environmental and asbestos claims. We also discussed the potential value of the defense obligation under many liability policies, an obligation that may save insureds hundreds of thousands of dollars or more. The presentation also covered how modern commercial general liability (CGL) policies are not so general any more, due to the ever increasing number of exclusions added by carriers. Therefore, particularly in this age of "a la carte" coverage, it is more important than ever to have an experienced insurance agent who takes the time to understand your business and its risks and to procure the necessary coverage. We also discussed common sense steps policyholders can take to maximize their insurance resources.
The presentation included a very lively discussion, which, unfortunately, cannot be reproduced here. However, you can access the slides here.
As a policyholder's insurance coverage lawyer, I often battle with claims adjusters and claims counsel for insurance companies. At the same time, as a general proposition (as opposed to particular cases), I do not view the insurance industry as the enemy. Quite to the contrary, a well structured insurance program is a cornerstone -- often the cornerstone -- of a business's risk management program.
That said, I do approach the insurance industry with a healthy dose of caution. There is one certainty about insurance companies: They are always willing to take the premium with a smile. When it comes to handling claims fairly, the results are mixed. Insurance companies often try to limit their exposure at both the micro level and the macro level.
At the micro level, carriers will often deny particular claims or try to limit their exposure. In my view, insurance company claims adjusters often take unjustified positions because they know that few insureds really understand their policies and fewer still understand how policies are supposed to be interpreted. The rule here is simple: If an insurance company issues a strong reservation of rights or an outright denial, seek advice from an experienced coverage attorney. Do not simply accept the determination of your insurance company, or of your own insurance agent, that there is no coverage.
The approach of carriers at the macro level in trying to limit their risks is also not understood by most businesses. Quite simply, again and again, insurance companies have been forced to pay a certain category of clams under commercial general liability (CGL) policies, the most common type of policy issued to businesses. Time and time again, carriers then issue industry-wide endorsements to new policies to try to eliminate exposure for that type of risk. For example, when faced with paying environmental claims in the 1970s and 1980s, carriers responded by adopting the "absolute pollution exclusion" in new policies. When faced with mold claims in the 1990s, carriers responded with fungus exclusions. Apparently perceiving a risk from claims based on silica exposure, the carriers adopted silica exclusions. These are only a few examples.
CGL policies were formerly known as "comprehensive general liability" policies. Now the name has been subtly changed to "commercial general liability" policies, implying a limitation on coverage. As reported previously on this blog, I have seen some CGL policies that are so heavily endorsed with exclusions that it is difficult to determine what risks they intend to cover.
After attempting to choke off coverage under CGL policies, underwriters respond with new policy forms (sometimes by endorsement) offering coverage for specific risks at an additional premium. For example, environmental impairment liability coverage and coverage for on-site clean up costs are now available -- for an additional premium, of course. Carriers now feel, apparently, that they have the expertise to underwrite environmental risks.
How does this rather lengthy exposition fit into the title of this post? Quite simply, it is my belief that we are at the vanguard of an explosion of cyber-related claims. These claims will include first party claims, such as data loss or damage to IT infrastructure by malware and hackers. These claims will also include third party claims, including clams for data breaches involving customer information, which could include claims for compromising confidential information or trade secrets, claims for release of personally identifiable information (such as credit card information) and the like. The cost of responding to a single data breach can be truly staggering.
For more information, I recommend reading this quite comprehensive article from Computerworld. Although one might quibble with particular statements in the article, it does a very good job of laying out the risks, how businesses are currently responding to (or ignoring) the risks, and the issues associated with current insurance products (especially high cost).
One of the key points in the Computerworld article is that legal and risk management departments often do not interact with the IT department in identifying risks and considering whether they should be insured. This observation is consistent with an article that I wrote last year in TechJournalSouth regarding the need for a comprehensive management approach for cyber-related risks. Only a full understanding of cyber risks across the enterprise will allow management to respond appropriately.
Companies should carefully consider their cyber-related risks across management and reporting lines. Companies should involve third party security and IT experts as necessary. Businesses should consult with experienced insurance brokers who fully understand the current insurance options and that are willing to spend the time necessary to help a business evaluate its risks. Although it is not always necessary, involving coverage counsel in the effort should also be considered.
From an insurance claims perspective, businesses should be aware that carriers will, rightly or wrongly, try to deny coverage for most cyber-related claims under CGL policies. My experience also suggests that, even when a business has purchased insurance for cyber-related risks, insurance company claims adjusters and attorneys may balk at recognizing the coverage obligation. Businesses faced with such a scenario need to involve coverage counsel and to push back.
The commercial general liability ("CGL") policy has been a staple insurance product and a cornerstone of many companies' risk management programs for many years. Consistent with the name ("general" liability insurance), this coverage is often sold, sometimes in conjunction with "umbrella" policies, as covering "everything else." What is "everything else?" For a small to medium-sized business, this may be interpreted to mean "everything" not covered by worker's compensation, automobile, and perhaps employer's liability coverage.
The reality is that insurance company claims adjusters and coverage attorneys often interpret CGL policies so narrowly that it is difficult to determine what, if anything, would be covered. These narrow interpretations are buttressed by many exclusions that insurance companies add to CGL policies, either in the body of the policy or by endorsements that are stapled to the policy form. I recently reviewed a CGL policy issued by a major insurer that was endorsed with almost 20 exclusions.
Here is what happens in the real world: Insurers are forced to pay for losses under CGL policies that result in substantial losses. After a round of losses, the insurers endorse new or renewed policies to include "absolute" exclusions. Examples of this behavior include the absolute pollution exclusion adopted in the 1980s in response to environmental claims, and, more recently, fungus exclusions adopted in response to mold claims. Insurers are now trying to avoid losses related to electronically stored data and cyber liability (watch for posts on this burgeoning area in coming months).
After restricting coverage under CGL policies, insurance companies will often begin writing "special" coverage to cover the now-excluded losses, but at an additional premium, of course. For example, many insurers now sell environmental impairment liability coverage.
It never ceases to amaze me the lengths that insurance companies will go to in denying claims. With respect to CGL exclusions, one of the favorite exclusions that claims adjusters like to raise is loss "expected or intended" by the insured. It is not surprising that losses that are truly intentionally caused are not covered. However, many carrier representatives seem to believe that if a loss was conceivably foreseeable, it was "expected or intended."
Another favorite is the pollution exclusion. Claims adjusters are often very creative when it comes to arguing that accidents were caused by "pollutants." These arguments are buttressed by the definition of "pollutants," which are defined generally as "irritants" or "contaminants." Because just about any substance can, in the appropriate circumstances, be an "irritant" or "contaminant," the definition encourages claims adjusters to take aggressive positions in denying claims. Unfortunately, some courts have accepted these positions, while other courts have not.
If a carrier denies a claim based on exclusions, do not assume all is lost. Courts often do not uphold the interpretation advanced by the insurance company. Before you accept a denial, see a policyholder's coverage attorney.
Here are the immediate takeaways from this post: