Cyber Insurance for Cyber Risks
I have maintained a healthy interest in cybercrimes, cyber risks and related liability exposures, for at least two reasons central to the topics of this blog. The first is that, other than credit card companies, probably no one holds more protected personal information than the entities involved with ERISA plans, from health insurers to mutual fund companies to plan sponsors to record keepers. The second is that, from an insurance coverage perspective, developments in this area echo – more than vaguely even if less than resoundingly – the impact on insureds and on the insurance industry of the expansion of environmental liabilities approximately thirty years ago. Then, as now, you had the sudden creation of new potential liabilities – in that case, environmental exposures – that were not foreseen and taken into account by insurers in setting premiums, followed, in short order, by two developments: first, litigation over whether the exposures should be covered under previously issued policies that were not necessarily underwritten in a manner that would account for those risks and then, second, by the industry altering forms and policy language (such as the wording of pollution exclusions and the increased use of the claims made form) in reaction to those events.
You can see the beginnings of exactly those same events now, with regard to the rise of liability for cyber-crimes and related computer security breaches, as insureds, insurers and their coverage lawyers debate the extent to which standard general liability policy language captures or instead excludes those risks, while at the same time the industry develops products and policy language to respond to those exposures. A colleague and I presented this exact theory, as a lens for understanding the insurance coverage issues raised by cyber liabilities, in a major presentation last year, which is captured in this PowerPoint presentation.
I thought of this today, as I read this article pressing the idea that courts will be expanding the liabilities imposed on corporations for data and similar breaches. If the author is right, both the amount of insurance coverage litigation over coverage for cyber liabilities and the creation of new policy language by the insurance industry to deal with the issue will expand hand in hand with that development, in the same way both moved in tandem with the increase in environmental liabilities thirty years ago.
A Good Reason to Read Your Insurance Policy
Wow. This is a fascinating insurance coverage story - I know, people who don’t practice in that area will email me in droves to tell me there is no such thing, but still - that illustrates some important points. It is the story of the corporate officer of a juvenile facility that was involved, apparently without his knowledge, in bribing a judge to feed kids to the facility, and who has now been found to have no coverage, including of his defense costs, for the claims against him that resulted. There are two teaching moments in this story. The first is an insurance law point: despite his lack of involvement in the events at issue, he lost coverage because the policy contained exclusions that barred coverage for claims arising from the criminal acts of any insured, and it is well established that exclusions that apply when “any insured” commits the excluded act preclude coverage for all insureds, even those who played no role in the acts that triggered the exclusion. In contrast, policies often include exclusionary language that is much narrower and prevents exclusions from applying to insureds who were not actually involved in the excluded conduct, such as language stating that the exclusion only applies to “an insured” or “the insured” who commits the excluded act (rather than to “any insured”) or language stating that the exclusion does not apply to an insured who did not “in fact” participate in the conduct that triggered the exclusion. The insured in the story has learned the hard way that an exclusion that applies when “any insured” commits an excluded act deprives uninvolved insureds of coverage as well.
This leads to the second teaching moment provided by the story, and which echoes something I have often said in posts: insurance coverage cannot just be purchased and ignored until the time, if ever, a claim arises. It is important in advance to understand the scope of what is being purchased and what is excluded. The “any insured” problem posed in this case could have been avoided had the insured and its broker sought out a policy that uses narrower exclusionary language to avoid the exclusions applying to innocent insureds. I suspect without knowing that for a few dollars more, the company could have found a policy along those lines. It’s a day late and a dollar short to figure this out after the fact.
Niche Insurance and Government Investigations
I had two different, perhaps more substantive things in line to talk about today, but I think I am going to push them back to later in the week, to instead pass along a highly entertaining article (at least to people who really like the ins and outs and oddities of the insurance industry) that showed up on my doorstep in yesterday’s New York Times. I have talked before about a number of themes in insurance coverage, including niche coverages and the difficulty for individuals of funding their own defense against complicated lawsuits; both of these themes came together right here, in this recent post about directors and officers coverage and in particular concerning a niche product targeted solely at protecting former directors and officers.
This story here out of the New York Times is perhaps one of the more remarkable tales of niche insurance coverage, and tells the tale of a specialty insurance agency that exists solely to sell insurance to CIA, FBI and similar government employees that covers them against lawsuits and government investigations arising from their work. I have to admit, I have always wondered about this a little bit, as congressional investigations and government prosecutions of a variety of federal law enforcement and similar employees have piled up over the years, a curiosity that may have begun all the way back when I used to see Robert McFarlane, implicated in the Iran Contra affair, in the hallways of the office building where I had one of my first post-collegiate jobs. The article explains that the policy covers tens of thousands of government employees, is relatively inexpensive and provides “up to $200,000 in legal fees for administrative matters like investigations by Congress or an inspector general, or cases involving demotion or dismissal [plus] [a]n additional $100,000 is available for legal fees in criminal investigations, and the policy pays up to $1 million in damages in a civil suit.”
An insurance/business note that you should not overlook in the article is that the product really drives home the impact of risk sharing across a broad insured population. The coverage, which provides a fair amount of dollars of protection (although, as the article points out, probably nowhere near enough to cover the legal costs generated in the highest profile cases), costs each insured only a few hundred dollars, a pretty big gap between premium and the potential payout. However, when you note that the policy is purchased by tens of thousands of employees but only a tiny handful ever end up needing the specialized coverage it provides, you can see how the numbers work out to allow the insurer to provide such coverage at such a low and manageable cost for the insureds.
Insureds, Prior Knowledge and Insurance Coverage
One of the more ambiguous and gray areas in insurance coverage law is the question of when an insured is or should be aware that a claim is on its way. The law recognizes that this can certainly occur at some point before the insured actually is handed suit papers by a process server, but the law is certainly not crystal clear as to when that is. This is a question of particular importance for insureds because various contractual policy terms in a policy and various common law principles read into the insurance relationship can all preclude coverage if that date is deemed to be before the effective date of the insurance in force when the insured actually is served with the suit papers. For instance, many policies contain terms precluding coverage if the insured knew or should have known of the potential claim before a policy took effect and, for that matter as well, failure to disclose an expected claim in applying for a policy can result in the policy being voided for misrepresentation in many jurisdictions.
Of interest on this topic is this article here at Law.com concerning whether attorneys, covered under professional liability policies, are on notice in this manner whenever an unhappy client complains about a case or, if not whenever the client complains, how much complaining is necessary for the insured to be aware that a claim is likely and to lose coverage as a result if and when that client does file suit. A new declaratory judgment action filed in New Jersey seeks to answer that particular question. Of particular interest to me, however, is the fact context in which the complaining arose. It concerned a client unhappy with the terms of a settlement negotiated by the insured attorney. It’s a cliche of mediation, uttered by every mediator trying to push two unhappy parties to reach agreement on a resolution, that “a good settlement is one where both sides are unhappy.” Well, if that’s the case, then does the complaining after the fact mean that the lawyers involved are always thereafter on notice of a potential claim that they have to report to their malpractice insurers? It would be kind of silly to have a legal rule holding that the usual griping that often accompanies settlement has to be reported to the lawyers’ insurers to protect their rights to coverage in those one out of a million times that the complaining eventually morphs into a malpractice suit. Admittedly, this is something of a deliberately far fetched example, but it does point out the practical considerations that have to be factored into the question of how far in advance of the filing of suit the insured’s obligations can attach. Too far in advance, and the legal rule creates an unworkable, burdensome scenario for all involved, including insurers who would have to process multiple and unnecessary notices concerning many events that will never lead to suit; not far enough in advance and insurers lose the protections those policy terms and common law doctrines were intended to provide.
The First Circuit on Professional Liability Insurance
What SCOTUSBLOG does for the Supreme Court - maintaining a steady and running review of goings on at the high court - Appellate Law and Practice does for the First Circuit, only with a little more humor and quirkiness than SCOTUSBLOG employs. A regular check of Appellate Law and Practice ensures that you don’t miss anything at all, let alone anything of importance to your own practice areas, that takes place at the First Circuit.
I mention this today because Appellate Law and Practice has the story of a decision out of the First Circuit last week concluding that, as is in fact the rule, business decisions and activities that are not unique to the type of professional services conducted by an insured are not within the scope of that insured’s professional liability coverage. To quote Appellate Law and Practice,
In short, under what the First thinks is Massachusetts law, professional “Errors and Omissions” insurance (in this case for an insurance broker) doesn’t cover business decisions, which, in this case was a breach of an exclusivity agreement that resulted in an arbitration award. Or, in the words of the First, “A promise by an agent to represent one insurer exclusively for certain lines of insurance is not itself a professional service, nor does a diversion of business in breach of such a contract comprise the performance of professional service. The closest cases interpreting Massachusetts insurance law hold that overcharging clients in fees, even though for work done in a professional capacity, is not itself a professional service covered by malpractice or E&O policies.”
The First Circuit is right about this issue, and between rulings out of that circuit and from the state courts, Massachusetts is becoming a jurisdiction in which this rule is clear and can be expected to be enforced. Not all jurisdictions are like that about this issue, and it can sometimes be hard to convince a court that this is the rule, because it is a limitation on coverage that is generally not expressly laid out in professional liability policies and is instead something that logically flows from the language and structure of the policy. This is not the case in the First Circuit or Massachusetts, however, where the courts clearly get this point.
Insurance Coverage for Pension Plan Fiduciaries
There is an interesting interrelationship between the two primary subjects of this blog, ERISA litigation and insurance coverage, and one that I had not really thought much about until Rick Shoff, who works with Mike Pratico over at CapTrust Financial Advisors, raised it in a conversation recently. As I have mentioned in the past, Mike and his colleagues at CapTrust serve as fiduciary advisors to retirement plans and their sponsors, and he and Rick commented to me about the issue of errors and omissions insurance and the necessary amount of coverage for fiduciary advisors.
Two points came out of our conversation that I thought I would pass along. First, what is the appropriate amount of coverage for a fiduciary advisor under its E&O insurance? What should the relationship be between the limits selected and the amount of assets in the plans that the advisor works with? Obviously, the limits can’t match the asset amounts, as any good advisor is likely advising on plans with assets far higher than the amount the advisor could purchase in E&O insurance, at least not without paying every penny the advisor earns over to the insurance company as premiums (and even then, I doubt limits that high could be obtained). It also would not be necessary, since an advisor’s potential exposure to a lawsuit undoubtedly would never equal the total amount of the assets in a particular plan, but instead would equal only some portion of it that was supposedly affected by an error by the advisor. My own take is that the proper policy limit is somewhere around the amount that would make a plaintiff in a hypothetical claim consider settlement within the policy limits, without trying to obtain an excess verdict that the advisor itself would have to pay.
The second issue that popped up is the range of actors out there who are involved in providing advice to retirement plans, participants and the like. It may well be that not all such companies and consultants, even if they have professional liability or general liability insurance coverage, are actually covered for claims arising out of their role in providing such advice. Many policies, unless they are specifically underwritten to cover a professional engaged in ERISA related activities, contain exclusions for ERISA related claims that would preclude coverage of claims involving ERISA governed plans. As a result, a plan sponsor cannot assume that all advisors to a plan actually have coverage for claims arising out of their activities, and the sponsor must instead actually examine their advisors’ insurance coverage to know whether or not this is the case.
Legal Malpractice and Professional Liability Policies
If an attorney gets duped into executing a check and distributing its proceeds as part of an elaborate fraudulent check scheme - an act which will then of course inevitably get him sued - is he covered for that act under his professional liability coverage? A Massachusetts Superior Court judge has astutely, and on the correct reasoning, found that the answer is no. As I have discussed in other posts, Massachusetts law is clear that professional liability coverages are subject to what is in effect an extracontractual limitation on coverage, namely a requirement that the loss arise out of the unique specialty of the type of professional covered by the policy, and not out of routine practices that, one, did not require that specialized expertise and, two, could have occurred in any type of business. Judges and courts sometimes get fooled by this, and don’t recognize that this limitation exists because it is not expressly stated in the insuring agreement of professional liability policies. However, rationally, that restriction is clearly inherent in the simple statement in professional liability insuring agreements that claims arising out of the insured’s professional services are what is covered; the absence of this restriction would transform a professional services policy into an extraordinarily broad general liability policy covering practically anything and everything that happens in a professional services business.
The trial judge in this case didn’t get that wrong, granting summary judgment to the insurer, and finding, in part, that:
Massachusetts courts have interpreted a professional act to be 'one arising out of a vocation, calling, occupation, or employment involving specialized knowledge, labor, or skill, and the labor or skill involved is predominately mental or intellectual, rather than physical or manual. ...' ... When deciding whether an act is 'professional' in nature, the court has 'look[ed] not to the title or character of the party performing the act, but to the act itself.' ... Therefore, tasks a professional performs are not covered by professional liability insurance if they are '"ordinary" activities "achievable by those lacking the relevant professional training and expertise."' ...
Although there is no appellate decision dealing with the precise factual situation involved with this case, there are decisions to assist the court in understanding the nature of professional legal services and its boundaries. . .
With the guidance of these cases, this court finds that Wolsky's actions that amounted to the receipt, endorsement, and deposit of a check, and the distribution of funds did not require a lawyer's specialized knowledge, labor, or skill, i.e., they were not professional services. ... Wolsky was merely an essential pawn in an elaborate fraudulent check scheme, a role which did not call upon his professional skills but rather required Wolsky's blind trust to act as a facilitator to convert a check to cash.
The case is Fleet National Bank v. Wolsky v. American Guaranty & Liability Insurance Company (Civil Action No. 04-CV-5075), and you can find more on it, including a source to order the entire opinion, here.
Professional Liability Coverage for Medical Billing Errors
There is an interesting story out of Massachusetts concerning a $1.9 million settlement entered into by a physician related to allegedly fraudulent medical billing; the article is at http://www.masslawyersweekly.com/ (subscription required for the full article). In fairness and to be accurate, note that the physician denies the charges and has stated that the real problem was confusion on the part of federal officials over how certain unique services should actually be coded. I have no idea who is right, but what interests me is whether there is coverage for it under the doctor's professional liability policy. Massachusetts has well developed case law, in both the state and federal courts, concerning the limits of professional liability coverage. The case law establishes that such coverage encompasses only claims that require the expertise of the covered professional, and not those that, although part of that professional's business operations, would be common to both the professional's practice and any other business. You can review an article I published on this issue here.
In this, Massachusetts law is consistent with that of most jurisdictions. Where Massachusetts case law departs somewhat from other jurisdictions is in the specificity of its case law; both the state and federal courts have written extensively on this issue, including cases to the effect that billing and similar "back room" operations are not part of professional services for purposes of professional liability coverage (or for that matter, for purposes of professional liability exclusions).
What is interesting about this settlement, however, is the question of whether that would be different in this instance. Pure overbilling, or intentional fraud (I do not know what was the actual cause of the alleged overbilling in this case, and the physician's position is that this was not the case in this matter) presumably would fall within the province of prior decisions precluding coverage under professional liability insuring agreements for such "back office" operations. But it would seem to me the case may be different if the overbilling allegations stemmed, as the physician asserts, from judgment calls over how to code the procedure for billing purposes, because in that instance the physician's professional judgment may have been involved. A case can be made under the jurisprudence of this circuit that professional liability coverage should extend to the billing problems if they actually stem from decisions on coding that required the provider's expertise and professional judgment.
Again, I do not know what actually occurred in this case. Interesting grist for the mill, however, concerning a particular, and oft litigated, insurance coverage issue.