Cyber Insurance for Cyber Risks
I have maintained a healthy interest in cybercrimes, cyber risks and related liability exposures, for at least two reasons central to the topics of this blog. The first is that, other than credit card companies, probably no one holds more protected personal information than the entities involved with ERISA plans, from health insurers to mutual fund companies to plan sponsors to record keepers. The second is that, from an insurance coverage perspective, developments in this area echo – more than vaguely even if less than resoundingly – the impact on insureds and on the insurance industry of the expansion of environmental liabilities approximately thirty years ago. Then, as now, you had the sudden creation of new potential liabilities – in that case, environmental exposures – that were not foreseen and taken into account by insurers in setting premiums, followed, in short order, by two developments: first, litigation over whether the exposures should be covered under previously issued policies that were not necessarily underwritten in a manner that would account for those risks and then, second, by the industry altering forms and policy language (such as the wording of pollution exclusions and the increased use of the claims made form) in reaction to those events.
You can see the beginnings of exactly those same events now, with regard to the rise of liability for cyber-crimes and related computer security breaches, as insureds, insurers and their coverage lawyers debate the extent to which standard general liability policy language captures or instead excludes those risks, while at the same time the industry develops products and policy language to respond to those exposures. A colleague and I presented this exact theory, as a lens for understanding the insurance coverage issues raised by cyber liabilities, in a major presentation last year, which is captured in this PowerPoint presentation.
I thought of this today, as I read this article pressing the idea that courts will be expanding the liabilities imposed on corporations for data and similar breaches. If the author is right, both the amount of insurance coverage litigation over coverage for cyber liabilities and the creation of new policy language by the insurance industry to deal with the issue will expand hand in hand with that development, in the same way both moved in tandem with the increase in environmental liabilities thirty years ago.
Back to the Future: Insurance Coverage Law from Asbestos to Cyber Risks
This is a very fun – if you can use that word for insurance disputes – discussion of the United Kingdom’s Supreme Court determining what trigger applies under insurance policies issued to insureds sued for asbestos related injuries. Its partly fun because it replays a highly contentious and, for all involved, expensive chapter in American legal history, namely the decade or so long battle in the United States courts to decide which insurance policies were triggered by – and thus had to cover – injuries caused by asbestos exposure. The courts here struggled for many years to decide which of many possible triggers apply, including: a continuous or multiple trigger which found coverage under all policies in effect from the time the worker was exposed to asbestos through the incubation period in the worker to the time the worker’s illness actually came to exist; an exposure trigger, making policies in effect when the worker was exposed to asbestos applicable; a manifestation trigger, under which policies in effect when the asbestos related disease manifested itself apply; and an injury-in- fact trigger, under which the policies apply that were in effect when a worker, previously exposed to asbestos years before, actually suffered injury from the exposure. Because of the diverse American legal system, with its numerous federal circuits and 50 state court systems, no one, single rule was ever settled upon as universally applicable. It appears in the UK, though, they are settling on one single rule, at least according to the article.
Some of you, particularly those of you who have heard me speak over the years, are familiar with my view that modern American insurance law, for all intents and purposes, springs out of the trigger of coverage and other disputes from the early 1980s concerning coverage for asbestos related losses, and in particular out of the D.C. federal court’s adoption of the multiple trigger standard for applying general liability policies to asbestos losses; in part, these events became the touchstone for coverage disputes to come because of the ease with which court decisions on these issues could, by analogy, be extended to other types of long tail exposures, such as environmental losses and other types of toxic torts, in which - as with asbestos - the event that would eventually cause injury (whether to person or property) happens years before either injury occurs or is learned of. In my view, before then, insurance law had changed little (speaking broadly) for generations. After the explosion in coverage litigation over asbestos, close textual analysis of key terms in insuring agreements, policy definitions and exclusions became crucially important and widespread, far more than it was before these watershed events; indeed, some of the methodology applied by courts at that time and the decisions they made in interpreting policy terms still reverberate in coverage decisions today. Many issues and developments in the insurance industry and the law of insurance coverage can be traced back to these events, from the expansion in use of the claims made policy form to the existence of significant, always on-call insurance coverage practice groups representing policyholders.
A few months ago, I spoke on the subject of cyberinsurance before a large insurance industry group, and the organizing principle of my talk was the idea that the evolution of coverage forms and coverage litigation involving insurance for cyber exposures was mimicking, and would continue to mimic, the industry’s past experience with both asbestos and – in terms both of temporal proximity and legal analysis – its close cousin, environmental exposures. The reality is that, while past performance may not guarantee future results, the development of new insurance coverage exposures as well as of policy forms to deal with them always harken back at this point to the legal and industry developments of 30 years ago that arose out of asbestos and environmental exposures, but almost never, interestingly enough, to legal and industry developments that predate that.
Depends on What You Mean By "Related"
Well, here’s a story on an unpublished Ninth Circuit decision on the impact on the duty to defend of related claims provisions in claims made insurance policies. Although policies vary in the language and structure they use to accomplish it, these provisions essentially declare a claim made during a policy period to be linked to earlier events or an earlier claim if they all arise from related events, with there being no coverage if the earlier related events occurred before the policy period of the policy under which coverage is being sought. The operation of these provisions is of crucial importance for the operation of claims made insurance policies and for insurance programs built on them, in that a claims made policy is built around the idea that the policy will only provide coverage for claims - such as lawsuits - actually first made against the insured during the effective period of that policy, and that the policy won’t provide any coverage if the loss for which coverage is sought relates to a claim that began before the commencement of that policy period. Claims made policies are priced on only covering claims actually first arising during the policy period - and not on covering those that started before the policy period or were not made until after it ended. By precluding coverage when a particular claim actually stems from events or another claim that predated the policy, the related acts language is the mechanism for effectuating this intent. I will warn you up-front that this is a very simplistic introduction to a fairly complicated subject, but it captures the idea.
The article discusses an example of a court refusing to apply such language in that way, by instead finding events that predated the policy to not be related to the claim made during the policy period and for which coverage is sought. The article, however, overstates the case by making it sound as though there is some sort of blanket prohibition against this approach to limiting coverage under claims made insurance policies, and that courts simply won’t find a claim during a policy period to not be covered when it is related to events that occurred before the policy period. That is, however, overstating the case. This issue is inevitably highly fact specific, and courts look closely at the factual interrelationship of the events at issue to decide this, rather than simply rejecting outright the assertion of such a linkage or denying the legitimacy of policy terms voiding coverage in the presence of such a linkage. While it is fair to say that, to some extent, such linkage is in the eye of the beholder and thus the denial of coverage on this ground is never simply an easy, mechanistic activity, it is simultaneously unfair to present it - as the article at least intimates - as a policy defense that is not accepted by the courts or ever applicable.
Deconstructing the Language of Insurance Policies
I have been thinking a lot recently about the development and history of particular aspects of insurance policy language, and how they reflect the continuing efforts of drafters to take language that can often be imprecise and refine it to more accurately reinforce what the insurer actually intends to take on as a covered risk. Over time, many policy forms are revised as insurers find that limited knowledge about a particular type of risk at the time a policy provision is first crafted or changes in the development of the law in a particular area after the initial drafting mean that the original language chosen by the policy drafters did not accurately enough capture the extent to which an insurer meant to include, or instead exclude, a particular exposure from coverage. Historically, for those old enough to remember it, my favorite example was the exclusion written by many carriers before asbestos litigation broke out in waves, that precluded coverage of claims for asbestosis. Personally, I have little doubt that those who drafted that policy language thought they were saying by that language that the policies do not cover any bodily injury/tort liabilities arising from the mining, sale, use, etc. of asbestos and asbestos based products, and that based on what the authors knew of the subject at that time, they thought they were writing such a broad limitation on coverage. As time moves on though, it becomes clear that many suits arising out of asbestos involve other physical ailments, and not just the particular disease of asbestosis. End result? Courts find that the exclusion does not apply to the other types of injuries, since they fall outside the express wording of the exclusions, which were only written as applying to asbestosis, even though the authors undoubtedly understood the word asbestosis to mean something much more than just the specific disease that would bear that name. Indeed, what possible logic could there be behind intentionally excluding just the tens of thousands of claims for asbestosis, and not the tens of thousands of claims arising from other, similar diseases that stem from asbestos exposure and inhalation?
The history of pollution exclusions in liability policies is much the same, and another classic example. It has only taken some forty years for policy language to catch up to the extent of exposure created by environmental liabilities, and the industry has spent an untold fortune covering such claims and defending against claims for coverage of such claims in the interim. That this occurred is completely understandable, as the extent of exposure for pollution losses expanded exponentially only after much of the (then) standard policy language governing this issue was written.
Of course, a sane person might ask why I am spending so much time thinking about this these days, and there are a number of answers to that question, some even halfway legitimate or rational. But the reason is primarily that very interesting articles on the historical development of particular pieces of policy language or structure keep crossing my desk, and they keep reinforcing these points.
Here are two of them. First, the D & O diarist, Kevin LaCroix, has as well written a history of the development and adoption of the breach of contract exclusion that has become standard in many forms of policies as I have seen anywhere. As he explains, insurers always understood that the insuring agreement in their policies covered tort liability, and did not expand coverage to contractual liability; in essence, insurers and insureds alike understood that policies did not cover an insured’s failure to comply with its contractual undertakings, without any need for particular or express policy language detailing that point. However, as Kevin captures in his piece, over time this understanding started to fade into the ether, and insurers found it necessary to add a specific exclusion to policies expressly stating what had, in the past, simply been understood by all concerned, without any need for an express exclusion to that effect.
The second is this historical overview of the development and expansion of claims made policies. In this instance, as the author explains, claims made policies were developed for a particular type of exposure, but because of the usefulness of that structure with regard to such issues as setting premiums and other practicalities of the insurance business, it expanded into other forms of coverage, becoming, eventually, the industry’s “go to” form of coverage.
All of these examples bring one back to the same point, which is that the seemingly dry, contractual recitations in insurance policies are actually only the current manifestation (pun intended, for any insurance coverage lawyers reading this) of what is actually a living, breathing, ever evolving form of literature.
If it walks like a duck, looks like a duck, and quacks like a duck, is it a claim?
When is a demand, or a threat, or another communication from a potential claimant a claim? The answer matters, particularly in corporate insurance programs built upon claims made policies. Normally, courts either apply the specific definition of the term claim contained in the policy at issue or else, in the case of a policy that does not contain such a definition, a general common law rule that the term claim means a demand for something as of right.
Not too long ago, I litigated a case in which an insured received a demand from an aggrieved party, but that demand did not qualify as a claim as defined in the claims made policy in effect at that time; as a result, it did not trigger coverage under that policy because claims made policies are generally only triggered by claims, as defined either by the policy or common law, that are made while they are in force.
The next year, when that demand evolved into the filing of a lawsuit, a different carrier insured the company, under a policy with a different definition of the term claim. The demand made the year before qualified as a claim under the definition of that term in the policy in force that year. The policy in force that year did not cover the lawsuit as a result, because for purposes of that policy, the claim was made before the policy took effect and claims made policies do not cover claims made before they take effect.
Both insurers correctly denied coverage, based on the definition of the term claim in their policies, and the insured, despite having purchased policies that were in effect both when the demand was made and when a subsequent lawsuit arising out of the same events was filed, lacked coverage for the lawsuit. In that particular instance, the insured eventually had to sue, and recover from, its own insurance broker, for having set up a program that would allow such a gap in coverage.
The United States District Court for the Northern District of West Virginia just released a memorandum opinion deftly applying these rules to claims made policies that contained a detailed definition of the term claim. The court, correctly, broke down the specific textual requirements of the definition of claim in the policies, such as the requirement that it be in writing and seek damages, and applied them to the notice that the insured received during the policy period about the events at issue, concluding that certain communications during the policy period did not constitute a claim that would trigger coverage because they did not satisfy those requirements. The case is Cornett Management Company v. Lexington Insurance Company, Fireman's Fund Insurance Company, Brady Risk Management, Inc. and Hartan Brokerage, Inc., a copy of which is available here: Download file