About The Northwest Policyholder

A Miller Nash Graham & Dunn blog, created and edited by Seth H. Row, an insurance lawyer exclusively representing the interests of businesses and individuals in disputes with insurance companies in Oregon, Washington, and across the Northwest. Please see the disclaimer below.
Showing posts with label first-party. Show all posts

Tuesday, March 17, 2015

Washington Policyholders, Check Your Cyber Policy as Data Breach Notification Law Moves Forward

Washington has moved a step closer to bringing its data-breach notification law in line with the laws of many states (including Oregon) that require notification in the majority of scenarios, closing what some viewed as loopholes in the law and mandating notification within 45 days, rather than the prior "as soon as possible" requirement.  (Oregon law still lacks a specific presumptive deadline).  In particular, the new Washington bill removes the exemption for lost or stolen data that is "encrypted," in recognition of the fact that "encryption" can fail if the technology used was old or if the encryption key was also stolen.  The Washington bill has passed the House and is set for hearings in the Senate later this week, and is expected to pass.

What does this mean from an insurance standpoint?  Cyber insurance policies typically provide "first-party" coverage for the costs of data breach notification, but often contain very low sub-limits on that coverage.  In a state like Washington with a weak data breach notification law a business could in theory get away with a low sub-limit because only in a rare set of circumstances would broad-based notification be required.  That will no longer be the case and so those sub-limits, and any other restrictions placed on notification coverage, need to be re-examined.  And of course if your business lacks cyber coverage entirely, it is time to explore your options.  The most recent data on the cost of data breaches indicates that the cost of notification is the fourth-biggest category of impact from a data breach (after lost reputation; lost time/productivity; cost of new technology).  By comparison the cost of regulatory fines and lawsuits was tenth in the ranking of impacts on businesses experiencing a breach.  The conventional wisdom is that a business should expect to spend at least $188 per record on notification and similar first-party response-related costs.  With the number of records routinely stored by businesses, particularly those in the online retail or cloud computing sector, it is easy to see why low sub-limits could be a huge problem if a breach occurs.  So check your policies, and call your insurance advisers, to get ahead of these changes in the law in Washington.

ps.  Speaking of Washington, not 48 hours after news broke this week of a major data breach at Premera in Washington a class action was filed. But the cause of action -- breach of contract -- may cause coverage problems. The liability portions of cyber policies often exclude breach of contract actions. One more reason to check those policies.

Update April 22: The bill has passed and is now awaiting signature by the Governor.

Wednesday, March 11, 2015

Cyber Coverage No Longer a Novelty But Many Concerns Remain

That is the message that I took away from last week's annual conference of the ABA's Insurance Coverage Litigation Committee in Tucson, Arizona.  Gone was the "gee whiz" discussion of the technology and its risks, and most presenters avoided the scare tactics all too commonly used in the industry to drum up sales.  (Not that there isn't reason to be scared - but the horror stories are so widely reported it hardly seems necessary to dwell on them at a conference of insurance coverage pros).

One particularly useful panel  took a deep dive into problematic policy language and the limitations of the products currently offered.  This is critically important because although cyber coverage is no longer new, the language of the policies is not yet standardized.  A few of the many things to look out for are:

- long "waiting periods" for business interruption coverage.  Business interruption coverage is "time loss" cover in that the loss amount is calculated (generally speaking) as average sales per hour multiplied by the number of hours of downtime due to the covered event.  However, some chunk of time (the "waiting period") is routinely excluded as a kind of deductible.  Some cyber insurers default to a 24 hour waiting period (an eternity for many businesses and particularly online retailers) putting the burden on the policyholder to ask for a more reasonable period.  According to the panel (and my own experience has shown this to be true) carriers will agree to 12 hours or less - sometimes 8 hours.  If your business relies on closing sales around the clock, cutting down the waiting period could mean hundreds of thousands of dollars more in business interruption coverage.

-  liability coverage limited to liability for the insured's own wrongful acts. Because so much electronic data is now routinely hosted, handled or safeguarded in some manner by vendors, any kind of strict limitation with regard to who made the "oops" may result in no coverage, even though the insured may be held liable as the owner of the data. The panel discussed several recent data breach incidents in which the error that allowed confidential data to be stolen was committed by one entity, but liability was imposed on another entity (e.g. the Target hack, where intruders gained access through a "phishing" scam on Target's HVAC contractor).  Companies need to pay careful attention to the language of their policies and candidly assess their risks associated with vendors and consultants, particularly in the retail and healthcare sectors.

- coverage for fines and penalties.  The number of regulatory bodies (state and federal) that are being given authority to issue fines and penalties for data breach violations is growing at a fast clip.  Some policies strictly exclude coverage for any kind of fine or penalty, while some do not.  Policyholders should examine their current coverage and evaluate whether their current and future coverage needs are being met, depending on the regulatory environment in which they operate.

The upside of the fact that cyber coverage is still issued largely on a "manuscript" basis (that is, without relying on industry-wide forms) is that insurers are sometimes willing to negotiate on policy language even for relatively small accounts, and oftentimes mid-period if circumstances have changed.  Careful attention to  evolving risks from "cyber" events combined with close examination of your policy language  can lead to productive conversations with your broker and carrier and needn't wait until renewal.

* Update: This morning Apple is experiencing a major outage in its iTunes store, among other services.  Some are estimating that the six-hour outage has cost Apple $7 million - now that's a serious cyber-business interruption loss (if covered).

Friday, July 18, 2014

Court of Appeals: Insured Cannot Place Extra-contractual Conditions on Compliance with Policy

When an insurance policy requires the insured to provide information to the insurer, may the insured demand that the insurer enter into a confidentiality agreement, even when the request from the insurer is reasonable?  Heck no, says the Oregon Court of Appeals in a new decision, Safeco v. Masood.  According to the decision, the policyholder suffered a fire loss and then, to add insult to injury, had personal items stolen from the home while the fire was being investigated.  Masood tendered the loss to his first-party carrier.  The carrier demanded all kinds of information from Masood about the missing items.  Although Masood did not contest the information request itself, he sought to have the insurer sign a confidentiality agreement restricting its use of the information.  The carrier refused.

The insured contended that the terms of the policy requiring the insured to provide information did not preclude a separate confidentiality agreement, and that the carrier's duty of good faith and fair dealing (inherent in every contract, under Oregon law) required the insurer to enter into a confidentiality agreement where the insured had a good reason for it.

The Court of Appeals pointed out a few important facts: the policy stated that the insured "must" provide the information requested by the carrier; the insured did not contend that the scope of the insurer's request for information was unreasonably broad (although it certainly appeared to be); and the insurer was already required by law and other legal principles not to disclose or misuse the insured's information.  The Court of Appeals held, therefore, that what the insured was demanding was not only entirely outside of the terms of the policy but also beyond the carrier's duty of good faith and fair dealing.

The court appears to have taken some care to limit its holding to this set of facts, and it seems unlikely that this case will have much impact, if any, on the approach taken by Oregon courts in the majority of cases, because most cases in which the duty of good faith and fair dealing is invoked involve much closer questions of the insurer's duties.

Friday, October 4, 2013

Oregon Supreme Court Sets Limits on What Constitutes "Proof of Loss" For Attorney Fee Purposes

Today the Oregon Supreme Court held that a policyholder is not entitled to attorney fees under Oregon's fee-recovery statute for insurance coverage disputes (ORS 742.061) until the insured has given the insurance company information that at least suggests that coverage is requested under the policy.  The case is Zimmerman v. Allstate.  The facts, briefly: Zimmerman was injured in an accident with a motorist who it turns out was underinsured (UIM), but she didn't seek UIM coverage from Allstate from the outset of her claim, because she didn't know the extent of her injuries and didn't know what the policy limits of the other motorist were.  So at the outset she only made a claim for personal injury (PIP) benefits under her Allstate policy.  Later, after retaining a lawyer, discovering that her injuries exceeded her PIP benefit, and discovering that the other motorist only had the minimum in coverage, she made a demand for UIM benefits.  Allstate paid, and she then sought her attorney fees all the way back to the time that she submitted her first claim.

Oregon's attorney fee statute allows recovery of attorney fees if the carrier does not settle the claim within six months of "proof of loss."  (For UIM claims, a carrier may avoid fee exposure by doing other things as well, but that is specific to UIM claims).  The Oregon courts have interpreted the phrase "proof of loss" very broadly, to encompass virtually any kind of notice provided by the insured about the loss.  However, in this case the Court did not award fees all the way back to the initial notice, because auto coverage comes in two parts (reduced to its essence): PIP coverage, and UIM coverage.  The Court reasoned that because the triggers of coverage for the two forms of benefit are so different, and the initial notice provided by Zimmerman did not contain information directed at the UIM trigger of coverage, attorney fees would only apply based on the timing of the notice from Zimmerman that UIM coverage was being sought.

The Court went to great lengths to emphasize that the general law applicable to "proof of loss" was not changed by the decision, which was driven by the type of coverage involved.  It is, however, a reminder that policyholder counsel should inform carriers as soon as possible of every type of coverage claim that may potentially be implicated by a loss.

Monday, June 10, 2013

New York investigates insurance companies’ cyber security

I was very interested to read this morning that Governor Cuomo of New York will investigate insurance companies’ cyber security.  According to the article the focus of the investigation will be what safeguards insurers have in place to protect customers' sensitive personal and financial information.  Hopefully this inquiry will take into account commercial-lines policyholders' data as well.  Recent experience has made me skeptical about how well insurers do just about anything related to information management.  I recently had an insurer claim that it would have to review reams of paper files to find information on a group of claims that are currently being adjusted.  Investigation revealed that in fact the carrier has multiple electronic data repositories, but many of them do not talk to each other, and that much coordination relies on information kept in the heads of certain supervisors!

Insurers demand a great deal of sensitive information about commercial policyholders in the underwriting process, from social security numbers and driving records of employees, to information on security systems.  I will be very interested to see what New York turns up about the cyber security measures, or lack thereof, at the nation's larger insurers.


Thursday, June 6, 2013

Washington and Now Idaho Limit Attorney-Client Privilege in Bad Faith Cases

My former colleagues at Bullivant Houser Bailey have done a nice job of summarizing two recent decisions, one from Washington and one from Idaho, limiting the application of the attorney-client privilege where outside coverage counsel participates in a fact investigation for coverage purposes.  Both decisions (Idaho's Stewart Title v. Credit Suisse in federal court, Washington's Cedell v. Farmers in state court) made it clear that an insurance company cannot seek to shield a coverage determination made in bad faith behind the privilege by using outside counsel, whether it's a first-party or a third-party coverage issue.  In both cases the insured sought discovery of counsel's work product to support a bad-faith claim.  It is hard enough to prove bad faith in either state; it's nice to see judges recognizing a common carrier tactic for what it is: an effort to make it nearly impossible.




Wednesday, June 5, 2013

Understanding Coinsurance Problems In Builder's Risk Policies

Coinsurance is a difficult subject to understand, but it can have many implications for coverage in the context of ongoing-operations and first-party coverage, particularly in the Builder's Risk arena.  We have litigated under many of these policies and find coinsurance to be one of the knottier problems.  One of our excellent summer clerks helped me address these issues last year in an article for the OSB's Construction Law newsletter, available here.