Why You Need More Than Just a Certificate of Insurance

It is common practice for entities such as owners, contractors and design professionals to contractually require another party to provide insurance. The most common method of providing information related to this requirement is through a certificate of insurance. A certificate is usually issued on a form copyrighted by an organization named ACORD (Association for Cooperative Operations Research and Development). Other forms can be used, but because the ACORD form is the most commonly used form today, this discussion will focus on the terms of that form of certificate.

Many individuals place too much significance on the certificate and are surprised to learn of its limitations. Here are the top five reasons to not rely on a certificate:

1. Information Only. The most important thing to remember is that a certificate is provided for information purposes only and is not part of the insurance policy. If you look carefully at the most recent ACORD form (Form 25, Certificate of Liability Insurance), you will see that it contains a disclaimer: “This certificate is issued as a matter of information only and confers no rights upon the certificate holder. This certificate does not affirmatively or negatively amend, extend or alter the coverage afforded by the policies below.” Practically, this means that even though a certificate states that certain insurance coverage exists, this does not mean that it does. Of course, brokers and agents have obligations to fill out certificates with accurate information, but if the information is incorrect, you likely won’t be able to rely on a certificate alone for coverage.

2. Additional Insured. Just because the certificate states that you are an additional insured doesn’t mean that you are. The only way that a party can be added as an additional insured is by endorsement. Therefore, even if the certificate states that you are an additional insured, you will not be afforded such a status unless the insurance carrier actually endorses the policy. A good business practice is to not rely on the certificate as evidence that you are an additional insured; request an actual copy of the additional-insured endorsement along with the certificate. This will also allow you to verify whether the endorsement matches the contract requirements.

3. Notice of Cancellation. Don’t be surprised if you are not provided with notice of a cancellation or nonrenewal. In 2009, ACORD changed its form language to state: “Should any of the above described policies be cancelled before the expiration date thereof, notice will be delivered in accordance with the policy provisions.” This statement reaffirms the general rule that an insurance carrier is under no obligation to provide notice unless the terms and conditions of the policy provide for the notice. In addition, notice is usually provided only to “named insureds” and not additional insureds. A good business practice is to specifically include notice requirements in the contract between you and the other party or consider requesting that the policy be endorsed to provide cancellation notices.

4. Not Matching Contractual Requirements. Many entities receive a certificate and assume that any contractual insurance requirements between the parties have been met. When a broker or agent completes a certificate, however, he or she may not compare the terms of the insurance policy with the contractual insurance requirements between the parties. Be sure to review the certificate against the contractual requirements and request additional evidence or explanation if needed.

5. Snapshot in Time. A certificate is limited to providing information about a policy at a given time. Because it is just a snapshot in time, the certificate will not reflect future changes in the policy, such as added exclusions or reduced coverages. Therefore, it is imperative that the insurance requirements be clearly articulated in the contract between you and the other party to protect your interests. Don’t rely on the certificate as proof that insurance coverage will continue and not change.

In sum, a certificate still provides a good starting point for obtaining information about another party’s insurance information and should be used. A certificate is especially important in identifying insurance carriers and policy numbers in the event of a claim. But be aware of its limitations and adjust your business practices accordingly. Remember to always review a certificate for any errors or information that conflicts with the contractual requirements.

Did the Ore Sup Ct Abolish Common Law Indemnity for Defense Costs?

"Frequent-fliers" in the world of construction-defect litigation know that defense costs are often the biggest exposure, particularly for subcontractors.  That is why securing a paid-for defense from an insurance carrier is such a hot topic on this blog (and elsewhere).  And whether there is insurance to cover defense costs or not, defendants in complex disputes (including insurers) often threaten to sue other co-defendants to recover part of their defense costs, which can drive settlement discussions.  So any development in the law relating to defense cost recovery has an impact on policyholders - and that's why I'm writing about this new case, which on its face has nothing to do with insurance.

On March 19, 2015 the Oregon Supreme Court issued a somewhat surprising decision in Eclectic Investment v. Patterson & Jackson County et al., in which the court appears to have changed some fundamental assumptions about whether one defendant can recover defense costs from another defendant.  In Eclectic a landowner sued a contractor that had done excavating work for him and the county that inspected and permitted the excavation, after the excavated hillside eroded and damaged commercial buildings on owner's property.  A jury found that the landowner was more than 50% at fault, meaning that under Oregon's comparative fault law neither the county nor the contractor had to pay any damages (both the county and the contractor were found to be slightly at fault).  The county had asserted a common-law indemnity claim against the contractor, and after the trial pursued that claim to recover its defense costs.

Common-law indemnity is an equitable theory used when there is no contractual relationship between the parties or the contract does not contain an indemnity provision.  Under one formulation of the legal standard for the claim, Defendant A will owe Defendant B indemnity if Defendant A's negligence was "active" or "primary" while Defendant B's negligence was "passive" or "secondary."  Another way of phrasing the test is whether in fairness, Defendant A "should" pay for Defendant B's costs in the suit.

The issue before the Oregon Supreme Court in Eclectic Investment was how to determine if the county was entitled to indemnity, since neither the county nor the contractor were liable for damages, and each was found to have played a minor role in the incident.  The court recounted the rather vague legal tests that Oregon courts had developed over the years to determine whether in equity one party owes another indemnity (see above).  The court observed, however, that Oregon law changed after common-law indemnity was adopted, replacing the older "joint liability" regime with the current comparative-fault regime in which each defendant is assessed only its percentage share of any damages by the jury using a questionnaire.  Therefore, according to the court, the rationale for common-law indemnity has disappeared, because under the new scheme one party will never be made to pay damages that were in fact attributable to the "active" fault of another party.

The problem, of course, is that the defense costs incurred by the defendants are not part of the jury's consideration.  (In reality, those costs can only be determined once the litigation is done.)  But the court made it clear, in a final footnote, that where the comparative fault rules apply, common-law indemnity cannot be used as the theory on which to recover even defense costs.  The court stated that it would countenance recovery of defense costs on some other theory, citing cases from other states that allowed such claims under a quasi-contract theory - but that such claims could only lie where the indemnitee incurred defense costs only because of the indemnitor's negligence.  Applying that concept to the facts of the case, the court stated that because plaintiff had sued the county and the contractor, it was clear that the county's involvement in the litigation was not solely because of the contractor's negligence, so the county would have been out of luck in recovering defense costs under an alternative theory.

The court's decision will change some of the leverage points in multi-defendant litigation where not all players have contractual indemnity claims.  It also emphasizes the importance of having Oregon courts enforce insurance contracts providing a paid-for defense.   If defendants cannot rely on common-law indemnity to recover defense costs when they are dragged into lawsuits in which they play a minor part, it is critical that insurers understand and heed their contractual obligation to cover those defense costs.

Washington Policyholders, Check Your Cyber Policy as Data BreachNotification Law Moves Forward

Washington has moved a step closer to bringing its data-breach notification law in line with the laws of many states (including Oregon) that require notification in the majority of scenarios, closing what some viewed as loopholes in the law and mandating notification within 45 days, rather than the prior "as soon as possible" requirement.  (Oregon law still lacks a specific presumptive deadline).  In particular, the new Washington bill removes the exemption for lost or stolen data that is "encrypted," in recognition of the fact that "encryption" can fail if the technology used was old or if the encryption key was also stolen.  The Washington bill has passed the House and it set for hearings in the Senate later this week, and is expected to pass.

What does this mean from an insurance standpoint?  Cyber insurance policies typically provide "first-party" coverage for the costs of data breach notification, but often contain very low sub-limits on that coverage.  In a state like Washington with a weak data breach notification law a business could in theory get away with a low sub-limit because only in a rare set circumstances would broad-based notification be required.  That will no longer be the case and so those sub-limits, and any other restrictions placed on notification coverage, need to be re-examined.  And of course if your business lacks cyber coverage entirely, it is time to explore your options.  The most recent data on the cost of data breaches indicates that the cost of notification is the fourth-biggest category of impact from a data breach (after lost reputation; lost time/productivity; cost of new technology).  By comparison the cost of regulatory fines and lawsuits was tenth in the ranking of impacts on businesses experiencing a breach.   The conventional wisdom is that a business should expect to spend at least $188 per record  on notification and similar first-party response-related costs.  With the number of records routinely stored by businesses, particularly those in the online retail or cloud computing sector, it is easy to see why low sub-limits could be a huge problem if a breach occurs.  So check your policies, and call your insurance advisers, to get ahead of these changes in the law in Washington.

ps.  Speaking of Washington, not 48 hours after news broke this week of a major data breach at Premera in Washington a class action was filed. But the cause of action -- breach of contract -- may cause coverage problems. The liability portions of cyber policies often exclude breach of contract actions. One more reason to check those policies.

Update April 22: The bill has passed and is now awaiting signature by the Governor.

Cyber Coverage No Longer a Novelty But Many Concerns Remain

That is the message that I took away from last week's annual conference of the ABA's Insurance Coverage Litigation Committee in Tucson, Arizona.  Gone was the "gee whiz" discussion of the technology and its risks, and most presenters avoided the scare tactics all too commonly used in the industry to drum up sales.  (Not that there isn't reason to be scared - but the horror stories are so widely reported it hardly seems necessary to dwell on them at a conference of insurance coverage pros).

One particularly useful panel  took a deep dive into problematic policy language and the limitations of the products currently offered.  This is critically important because although cyber coverage is no longer new, the language of the policies is not yet standardized.  A few of the many things to look out for are:

- long "waiting periods" for business interruption coverage.  Business interruption coverage is "time loss" cover in that the loss amount is calculated (generally speaking) as average sales per hour multiplied by the number of hours of downtime due the covered event.  However, some chunk of time (the "waiting period") is routinely excluded as a kind of deductible.  Some cyber insurers default to a 24 hour waiting period (an eternity for an many businesses and particularly online retailers) putting the burden on the policyholder to ask for a more reasonable period.  According to the panel (and my own experience has shown this to be true) carriers will agree to 12 hours or less - sometimes 8 hours.  If your business relies on closing sales around the clock, cutting down the waiting period could mean hundreds of thousands of dollars more in business interruption coverage.

-  liability coverage limited to liability for the insured's own wrongful acts. Because so much electronic data is now routinely hosted, handled or safeguarded in some manner by vendors, any kind of strict limitation with regard to who made the "oops" may result in no coverage, even though the insured may be held liable as the owner of the data. The panel discussed several recent data breach incidents in which the error that allowed confidential data to be stolen was committed by one entity, but liability was imposed on another entity (e.g. the Target hack, where intruders gained access through a "phishing" scam on Target's HVAC contractor).  Companies need to pay careful attention to the language of their policies and candidly assess their risks associated with vendors and consultants, particularly in the retail and healthcare sectors.

- coverage for fines and penalties.  The number of regulatory bodies (state and federal) that are being given authority to issues fines and penalties for data breach violations is growing at a fast clip.  Some policies strictly exclude coverage for any kind of fine or penalty, while some do not.  Policyholders should examine their current coverage and evaluate whether their current and future coverage needs are being met, depending on the regulatory environment in which they operate.

The upside of the fact that cyber coverage is still issued largely on a "manuscript" basis (that is, without relying on industry-wide forms) is that insurers are sometimes willing to negotiate on policy language even for relatively small accounts, and oftentimes mid-period if circumstances have changed.  Careful attention to  evolving risks from "cyber" events combined with close examination of your policy language  can lead to productive conversations with your broker and carrier and needn't wait until renewal.

* Update: This morning Apple is experiencing a major outage in its iTunes store, among other services.  Some are estimating that the six-hour outage has cost Apple $7 million - now that's a serious cyber-business interruption loss (if covered).

WA Fed Court: "Spin, Massage, Speculation and Sophistry" Do Not Create Duty to Defend

In Wargacki v. Western National Assurance Co. Judge Leighton of the Western District of Washington held that a homeowner's carrier had no duty to defend a civil suit where the insured shot his pregnant girlfriend, and then shot himself - despite the allegation in the complaint that the boyfriend acted "either negligently, intentionally or recklessly" and that the shooting was "at least negligent."

The court held that the allegation that the shooting was negligent and thus not barred by the intentional acts exclusion was not plausible, and characterized the girlfriend's estate's argument as "spin, massage, speculation or sophistry."  Although this decision appears rooted in common sense, it appears to be inconsistent with Washington law on the burden of proof in the duty-to-defend situation.  The court took the plaintiff to task for failing to allege any facts that would have supported the shooting being negligent, rather than intentional.  But that was not the plaintiff's burden.  Under Washington law, as under the law in most states, the duty to defend is based only on what is pled in the complaint.  If the complaint itself is compliant with court rules on factual pleading, it is simply not up to the judge in a coverage case to fault the plaintiff for not pleading more.  If the complaint could allow the presentation of evidence to support a covered loss (such as proof that the shooting was negligent), then there should be a duty to defend.

That is not to say that the decision was necessarily incorrect.  The plaintiff's complaint alleged not only negligence but also in the same claim the tort of outrage, which (according to the judge) requires intent.  If the decision had relied on that pleading, then the decision might be easier to reconcile with Washington law.  However, the decision only cites that fact as further evidence that there was no duty to defend.

This decision highlights the importance of careful analysis of coverage issues before embarking on any kind of litigation and when crafting an opening pleading, but also the importance of the burden of proof in coverage disputes.  It is not "sophistry" or "spin" to plead in the alternative where the facts are reasonably in dispute and as a result different legal theories may be implicated.  Forensic science and life experience teach us that our gut-level beliefs about such things as motive and causation are often incorrect.  Courts should recognize that and approach duty-to-defend questions accordingly.

Ore. Appeals Court Important Holding on Construction Indemnity Agreements

Just as the ball began to fall in New York to herald the New Year Oregon's Court of Appeals issued an important ruling on contractual indemnity agreements in construction contracts.  The decision isn't directly on insurance coverage, but is important because of the overlap between additional insured issues, contractual indemnity, and Oregon's "anti-indemnity" statute (ORS 30.140).  The progress of the case, Sunset Presbyterian Church v. Andersen Construction, has been closely watched because the trial court issued a written decision, one of the few on this subject.

Here is a bit of background: a  new addition to the church suffered from many problems, involving the work of several subcontractors (including one called "B&B"), as well as the general contractor, Andersen.  Andersen's form subcontract included a broad indemnity provision requiring all subcontractors to defend Andersen if suit was brought on the project.  Therefore, Andersen tendered the suit to its subcontractors.  B&B refused the tender.  Andersen settled with the owner, and assigned to the owner its claims against B&B for breach of the duty to defend.  The owner moved for summary judgment on the duty to defend, and prevailed.  However, the trial court awarded the church (as Andersen's assignee) no damages, because the church could not prove how much time Andersen's lawyers had spent dealing with the claims involving B&B's alleged negligence, as opposed to its own negligence or the negligence of other subcontractors.  The trial court relied on Oregon's anti-indemnity statute (ORS 30.140) -- which only applies to construction contracts -- as the basis for putting the burden on the church /Andersen to allocate the defense costs.  (I analyzed the trial court's ruling in more detail in an article for the June 2013 newsletter of the OSB Construction Law Section, available here,)

The church appealed, arguing that the statute did not require that kind of allocation for various reasons, including that the standard applied in the insurance "duty to defend" context should apply to the duty to defend in a contractual indemnity provision.  As a matter of insurance law, an insurer has a duty to defend all claims -- even claims that are not potentially covered -- if any one claim in a suit triggers the duty to defend.  The insurer may not allocate its defense costs based on covered versus uncovered claims.  The Court of Appeals rejected that argument as to ORS 30.140 (and all of the church's other arguments) based on the court's analysis of the legislative history.  However, the Court of Appeals did not reach many of the practical issues presented by the case, finding them moot because of the church's failure to even try to meet the burden of proof articulated by the trial court.  (See the Construction Law Section newsletter article mentioned above for an explanation of those issues).  The case was sent back to the trial court for additional proceedings including (potentially) an award to B&B of its attorney fees, since the Court of Appeals reversed the trial court as to who was the prevailing party.

The general take away is this: if a general contractor (or the GC's insurer) wants to recover its defense costs from a subcontractor that refuses to pick up the defense, it must require its law firm to write time descriptions in such a way that a court can later determine how much time was spent on the negligence of each subcontractor.  Of interest to readers of this blog, that requirement will likely lead to all kinds of issues between GC's and their insurers about management of the defense, and also may complicate additional insured claims on subcontractors, involving coverage counsel for the subcontractors.  Happy New Year!

Oregon Trial Court Adopts "All-Sums" In Environmental Coverage Case

A great win last month for the Zidell real-estate group (owner of much land in the South Waterfront area of Portland, including a historic ship-repair yard) in the longest-running environmental contamination case in Oregon history: a Multnomah County judge held that Zidell's carriers must pay for environmental remediation based on the "all sums" approach.  (Click here for Zidell's reply brief in support of its motion for summary judgment, and here for the court's order granting Zidell's motion).

The case centers around costs that Zidell paid many, many years ago to clean up contamination portions of the Willamette River in downtown Portland upriver from the Portland Harbor Superfund Site.  The dispute, which is between Zidell (or really its "ZRZ Realty" entity) and numerous carriers including various Lloyd's syndicates, is back in the trial court after its umpteenth trip into the appeals courts.  Recently, the court was asked to decide (among other things) whether the insurance carriers could limit their indemnity obligations based on the so-called "time on the risk" approach, where each carrier only pays in proportion to the number of years that it issued policies to the insured, meaning that if the insured settled with other carriers, or was uninsured for any years, there could be large portions of the costs that are not reimbursed.  The alternative is the "all sums" approach, in which the carrier is liable to pay for all of the property damage if there was property damage during any of its policy years, up the limit of its policies.

The Oregon Environmental Cleanup Assistance Act (OECAA) specifically wrote the "all sums" approach into law for certain policies, and, separately, there is Oregon case law endorsing the "all sums" approach.  Zidell's carriers, however, argued that the OECAA's provisions could not apply to them, and that the "all sums" approach is unfair.  The arguments on both sides are complex and detailed.  Fortunately, the Multnomah County Circuit Court saw the light and rejected the carrier-side arguments, holding that the indemnity obligations will be resolved based on "all sums."  This appears to be the first of hopefully many trial-court decisions adopting the "all-sums" approach in connection with indemnification for environmental liabilities in Oregon.  As the date for issuance of the ROD in the Portland Harbor comes nearer (although several years away), decisions like this one (which will hopefully be affirmed on appeal) will help shape the resolution of hundreds of coverage disputes over paying the billion-plus tab to clean up the downstream portions of the Willamette.