Category Archives: Guest Bloggers

START SPREADIN’ THE NEWS…NEW YORK’S HIGHEST COURT SAYS PRO RATA ALLOCATION IS LEAVING TODAY

new_york_1

Guest Blogger: John G. Koch, Weisbrod Matteis & Copley PLLC

In a much anticipated decision, New York’s highest court handed policyholders a significant victory in In re Viking Pump, Inc. & Warren Pumps, LLC, Insurance Appeals, No. 59 (N.Y. May 3, 2016).  In the context of long-tail bodily injuries or property damage spanning multiple policy periods, the Court declared that policy language is the King of New York and trumps all else when determining whether the “all sums” or “pro rata” allocation approach applies to a liability insurer’s indemnity obligation.  Specifically, the Court held that the “all sums” approach applies to an insurer’s indemnity obligation where the policy contains language inconsistent with a pro rata approach. In this case, the Court reasoned that a “non-cumulation” or “anti-stacking” clause is inconsistent with allocating an insurer’s liability on a pro rata basis.  Although Viking Pump dealt only with the duty to indemnify, its ruling applies to the broader duty to defend and bolsters existing case law recognizing that the duty to defend language in most general liability policies cannot be reconciled with a pro rata allocation approach.

To put the Viking Pump decision in context, insurers usually prefer a pro rata approach, meaning they can only be liable for their share of a loss based on the time period their policies were in force compared to the overall period that the long term injury or property damage occurred.  This rests on the legal fiction that a single indivisible loss taking place over many years can be treated as one occurrence in each successive policy period, which is an expedient method for dividing the indivisible loss among multiple successive policies based upon each policy’s time on the risk, as opposed to the extent of actual injury or damage that took place during any specific period.  Id.  As the Court stated, the foundation of this approach is that no insurer will have to pay for any injury or damage that occurs outside of its policy period.  Viking Pump, slip op. at 11-12.

Insurers usually prefer the pro rata approach because their risk is typically reduced and the risk of lost policies, insurer insolvencies or other gaps in coverage may fall upon the policyholder.  In contrast, under the “all sums” approach, each successive insurance policy triggered by a long term injury or damage is, essentially, jointly and severally liable for the entire loss up until the policy’s limits are exhausted.  Under this approach, the insured may target one or many insurers for the entire loss, leaving it to the insurers to seek contribution from one another.

Prior to Viking Pump, insurers often brandished Consolidated Edison Co. of New York v. Allstate Insurance Co., 98 N.Y.2d 208 (2002), to assert that New York is a “pro rata” state.  But in Viking Pump, the Court of Appeals distinguished and limited the reach of Consolidated Edison by pointing out that it never formed a blanket rule for pro rata allocation and that the policies in Consolidated Edison did not contain non-cumulation or similar clauses.  Viking Pump, slip op. at 11-12.

The Viking Pump Court held that non-cumulation clauses are antithetical to the concept of a pro rata allocation.  Non-cumulation clauses essentially provide that where a single loss triggers successive policies, any amount paid by a prior policy will reduce the limits of the policy containing the non-cumulation clause.  The original purpose of the clause was to prevent policyholders from double dipping when the industry made the switch from accident based policies to occurrence based policies.  Non-cumulation clauses are inconsistent with a pro rata allocation because they “plainly contemplate that multiple successive insurance policies can indemnify the insured for the same loss or occurrence,” whereas the entire premise underlying pro rata allocation is that an insurer cannot be liable for the same loss to the extent the loss occurs in another insurer’s policy period – hence the legal fiction that a separate occurrence takes place in each successive policy period.  Id. at 18 (emphasis added).  The two provisions are logically inconsistent.  Thus, adopting the pro rata approach would render the non-cumulation clause superfluous in violation of New York’s principles of policy interpretation. For this reason, the Court determined that the “all sums” approach applies to policies containing a non-cumulation clause.

In addition to the pro rata versus all sums allocation issue, the Court determined that the proper method for allocating between primary and excess layers of insurance under the “all sums” method is vertical exhaustion – meaning that a single primary policy may be required to respond to the long term loss up to its policy limits, at which time the excess coverage above that policy is pierced on an all sums basis.  The Court rejected the argument that horizontal exhaustion should apply, where all primary coverage would have to be exhausted before any excess coverage must respond to a loss, noting that the excess coverage was tied to the exhaustion of only the underlying policy, not prior or subsequent policies.  Thus, the Court ruled that vertical exhaustion is the appropriate method.

Although Viking Pump specifically addressed the effect of non-cumulation clauses, it undoubtedly stands for the propositions that: (1) no blanket rule controls how an  insurer’s indemnity obligation must be allocated, and (2), where language or a clause in an insurance policy is inconsistent with the pro rata approach, pro rata allocation does not apply.

The latter point is especially important when considering the issue of whether the duty to defend is subject to pro rata allocation.  Most general liability policies provide that the insurer has a duty to defend “any suit” in which at least one potentially covered claim is alleged.  New York courts have interpreted this language as requiring the defense of the entire lawsuit so long as at least one claim is at least in part potentially covered.  A pro rata allocation is inconsistent with the language obligating insurers to “defend” “any suit” if at least one potentially covered claim is alleged.  Thus, the reasoning in Viking Pump suggests that the “all sums” approach is the appropriate method respecting the duty to defend and is consistent with the duty to defend language found in most liability policies.

To learn more, contact John G. Koch

Every Dawg Has Its Day – A Report From Philly I-Day 2016

cyber securityGuest Blogger: Emily Breslin Markos, Weisbrod Matteis & Copley PLLC

On Thursday, April 28th, I had the pleasure of attending Philly I-Day, an annual event where insurance professionals gather to network, share ideas and get informed about industry trends.  The attendees had the opportunity to hear from Tom Finan, who previously served as the Senior Cybersecurity Strategist and Counsel with the Department of Homeland Security.  While in this role, he established and led the agency’s Cyber Incident Data and Analysis Working Group (CIDAWG), which I previously blogged about.  I appreciated hearing him speak about the important work that the CIDAWG has done to secure businesses against cyber-attacks.  Mr. Finan shared that the National Protection and Programs Directorate (NPPD) recently held a workshop to focus on the execution of the repository for reporting cyber incidents, as described in my previous blog post.

I was surprised to learn that Mr. Finan invented the acronym CIDAWG for the working group, and intentionally made it, well, awesome.  He boasted that it is the best acronym in the federal government to date, and I tend to agree, at least until we all start calling the President “P-Dawg.”   To learn more about the CIDAWG’s continuing cyber-security efforts, please visit:  www.dhs.gov/cybersecurity-insurance.

While at the event, I also had the opportunity to attend a Presentation given by our own Lee Epstein, with Kevin M. McPoyle of KMRD Partners, on effective communications between brokers and policyholders.  In our work representing policyholders, we have seen our clients rely on brokers as an incredible source of expertise, guidance, and comfort when it comes to our client’s coverage needs.  Unfortunately, we have also had the firsthand experience of having communications between the policyholder and broker unearthed in coverage litigation, and sometimes used against the policyholder.

For example, when a broker gives the unequivocal opinion that a certain claim is not covered, that can come back to haunt the policyholder.  The insurer may rely on that statement as evidence of no coverage, and a court may find the broker’s statement compelling.  In light of that, Lee and Kevin discussed how can brokers strike a balance between providing helpful and definitive advice to their clients, while aware that their statements can carry a great deal of weight if the claim is ever litigated.

Two main themes emerged from the discussion.  First, the broker’s role is to offer business advice, not legal advice, and couching communications in business terms can avoid many problems if the claim ever goes to litigation.  Second, when there is a question as to the scope of coverage, setting forth advice in terms of what the insurer’s position may be provides sound advice to the policyholder, but also protects the policyholder in the event of litigation.  It was an eye-opening Presentation, and fodder for continuing discussion.

To learn more, contact Emily Breslin Markos

Caveat Emptor in the Brave New World of Cyber Insurance Coverage

databreach

Guest Blogger:  Martin Bienstock, Weisbrod Matteis & Copley PLLC

There are two types of entities in the world, goes the adage: those who have learned that their data was breached; and those who just don’t know it yet.  The cost of these data breaches is no laughing matter, however; according to a recent study sponsored by IBM, the average data breach costs a company more than $200 for each record lost.[1]  (In the health-care sector, the cost are even greater, approaching $400 per-record lost record.[2])  The more records that are lost, the greater the per-record expense, so that a large data breach may give rise to exorbitant costs.[3]

Thoughtful executives can mitigate these costs through effective utilization of insurance coverage.  Insurance companies aggressively are marketing new cyber-insurance policies that provide first-party and third-party coverage in the event of a data breach.  Often, the new policies are accompanied by an exclusion in the entity’s Commercial General Liability Policy for losses arising from a data breach.

Entities entering the market for cyber coverage therefore must be vigilant to ensure that, at the end of the day, their efforts not yield less coverage than previously had been available.

Cyber Insurance Policies Are Often Conditioned Upon Maintaining a Particular Level of IT Security.

The new cyber policies typically require an applicant to complete a comprehensive assessment of its cyber security measures, affirming, for example, that it has in place “up-to-date, active firewall technology,” and “updated anti-virus software active on all computers and networks.”[4]   Coverage may be conditioned on the accuracy of these representations.[5]   In the event of a breach, if it turns out that the IT security information represented in the application form was inaccurate, coverage might not be available.

Thus, in one recent case,[6] an insurer sought to deny coverage because, among other things, the insured health-care provider had not maintained the level of IT security described in its application.  The insurer argued that the policy therefore was void.[7]  Under cyber-liability policies, then, an insured might be excluded from coverage in the event that it was negligent in implementing cyber-security measures – hardly the result that the insured had in mind when it purchased the policy.

Traditional CGL Policies Offer Some Protection for Data Breaches Even When the Insured Failed to Maintain Adequate IT Security.

When a data breach arises from an entity’s failure to maintain security, third-party coverage likely would be available under a standard Commercial General Liability Policy.  The standard CGL Policy provides coverage for “advertising injury.”  It defines such advertising injury to include injury caused by “oral or written publication, including publication by electronic means,” which “disclosed information about a person’s private life.”

This definition of “advertising injury” is ill-suited for costs arising from a data breach since it depends upon “publication.”  In the event of a data breach, many of the costs are unrelated to the actual publication of private data; the costs arise from the mere possibility of publication, not its actuality.  Conditioning data-breach coverage upon an irrelevant “publication” standard makes little sense.

Two recent cases highlight the limitation of relying on the “publication” standard to provide protection against data-breach claims.  In one case, electronic data concerning 50,000 employees fell out of a transport van and never was recovered.  The Connecticut Supreme Court held that the data had not been “published,” since there no factual support for the conclusion that the data, which was not in a readily usable format, ever was accessed by anyone.[8]  In contrast, in another recent case, the Fourth Circuit Court of Appeals affirmed a district court decision that damages resulting from a data-breach did constitute “advertising injury” because the information had been made available on the internet, and therefore was “published.”[9]

Cyber-data and Cyber-security policies can be better designed than the CGL “advertising injury” coverage, so that coverage is not dependent on publication.  But as some insureds have learned to their dismay, cyber-liability policies may be drafted to shift the costs of negligence back to the insured, and to make coverage unavailable for the very data breaches for which the insured purchased the insurance in the first place.

Caveat Emptor

Cyber-risk insurance therefore may serve a useful purpose by providing coverage that is targeted specifically towards data breaches, and that covers damages that go beyond the scope of the traditional CGL Policy. Buyers must beware however that the extra financial and administrative burden they assume in buying such policies not leave them worse-off than before.

For more information, please contact Marty at mbienstock@wmclaw.com or 202.751.2002.

 

[1] IBM 2015 Cost of Data Breach Study United States, conducted by Ponemon Institute LLC (May 2015) at 1.

[2] Id. at 7.

[3] Id. at 7.

[4] A sample cyber-risk policy issued by Travelers Group and containing these representations (last accessed on the date of publication) is available here .

[5] Id., Cyber-Risk Policy at III.M. (p. 22).

[6] Columbia Cas. Co. v. Cottage Health Sys., 15-cv-3432 (2015 C.D. Cal.).

[7] Id., Dkt No. 22.

[8] Recall Total Info. Mgmt., Inc. v. Fed. Ins., 317 Conn. 46, 115 A.3d 458 (2015).  The Connecticut Supreme Court adopted the reasoning of the appellate court in Recall Total Information Management, Inc. v. Federal Ins. Co., 147 Conn.App. 450, 465, 83 A.3d 664 (2014).

[9] Travelers Indem. Co. of Am. v. Portal Healthcare Sols., L.L.C No. 14-1944, 2016 WL 1399517, at *2 (4th Cir. Apr. 11, 2016).

“UBER” Liabilities: Legislatures Respond To Emerging RideShare Liabilities With New Insurance Laws

Guest Blogger, Annie Kernicky, Esq.

The growing popularity of rideshare services like Uber and Lyft is resulting in new and emerging liabilities. Just last week in Michigan, for example, an Uber driver, in between shooting six people, allegedly picked up passengers for Uber. Passengers flock to rideshares for their touch-and-go convenience and low cost, and courts and legislatures are trying to keep up.

Situations such as the Michigan shooting will not only spur an increase rise in litigation connected to rideshare services (see previous blog post), but are also prompting new laws across the county to ensure that minimum insurance and adequate coverage exist during, and even before, a passenger’s trip in a rideshare vehicle.uBER 3

California, for example, recently enacted a new law designed to clarify what insurance coverage is required during the various phases that a rideshare driver goes through during a day of driving – i.e. Period 1, the time when the Uber app is on, but the driver hasn’t yet been matched to a driver; and Periods 2 and 3, which includes when the driver is matched with a rider, when the driver picks up the rider, and the entire drive until the rider is dropped off at the destination.

Like others of its kind across the country, the new California law sets insurance coverage requirements for all Transportation Network (TNCs) and driver partners while they are logged into the Uber platform and waiting for a trip request, i.e. Period 1.  The law requires either the TNC, Uber’s affiliate Rasier-CA LLC, or the rideshare driver partner to maintain primary third-party liability insurance that provides coverage in the amounts of $50,000 per individual with a total of $100,000 per accident along with up to $30,000 for property damage during Period 1.  Prior to the law, California’s minimum insurance requirement was $15,000. The new law also means that standard and optional coverages a driver may have purchased on their own personal auto policy no longer apply while the driver is logged into the app (in California only).

Outside of California, other states are enacting similar insurance-related laws, especially during Period 1 when other insurance may not be applicable because a passenger has not yet been picked up. At the beginning of February, in Florida, the Senate Judiciary Committee voted in favor of the law, which would set minimum insurance coverage requirements for when drivers are using their personal vehicles and are logged into the companies’ apps, but not in the act of transporting a paying passenger.  Among others, the Florida bill would require a TNC driver or company to maintain primary automobile insurance issued by specified insurers with certain coverages in specified amounts during the different periods, and also require a TNC driver to carry proof of insurance coverage at all times during the use of a personal vehicle for rideshare services.

Certainly the trend is to require rideshare drivers (or companies) to have higher insurance minimums when a driver has the company app on, even with no passengers in the vehicle.  These measures not only help protect public safety, but also ensure that there is adequate coverage and responsibility if an accident or potential liability does occur while a driver is using a rideshare app.

Sharing is Caring: A Proposed National Data Repository for “Cyber Incidents” to Benefit Policyholders

Guest Blogger: Emily Breslin Markos, Esq., Weisbrod Matteis & Copley PLLC

It has become commonplace for the news to be peppered with accounts of data breaches affecting a wide range of entities, from large retailers, to motion picture studios, to the federal government.  Unfortunately, the increasing frequency of the events has not yet led to an insurance industry standard for affordable, robust and effective coverage for cyber incidents. cyber security

To address the gap in insurance coverage, as well as the broad spectrum of harms arising from cyber incidents, the Department of Homeland Security (DHS) has established the Cyber Incident Data and Analysis Working Group (CIDAWG).  The CIDAWG recently published the first of a series of white papers on the possibility of establishing a national data repository where cyber incidents can be reported and collected in a uniform and central way.

Such a data repository would increase information sharing among the “Federal government, enterprise risk owners, and insurers” with the goal of enhancing risk mitigation strategies and “also improve and expand upon existing cybersecurity insurance offerings.”  One of the obstacles to establishing insurance coverage for cyber incidents is a lack of data needed to inform “actuarial calculations and related underwriting considerations by insurers.”  The repository would seek to close that information gap.  As it stands, certain industry groups have methods to share information about cyber incidents within the industry group, but there is no centralized way to share the wealth of information that companies have about hacking activity, but are understandably reticent to share.

The CIDAWG’s first white paper concludes that there is value to policyholders if the repository is structured the right way. Its next white paper will address what cyber incident “data points” should be included for evaluation.

Interestingly, though perhaps not surprisingly, the white paper notes that “[t]here are currently no plans for DHS or other Federal departments or agencies to build or manage such a repository. A resulting repository could potentially be managed by a private organization.”

If this idea continues to gain traction, it will be a positive development for policyholders as a productive step in allowing insurers to provide informed and effective cyber incident insurance protection.

Emily Breslin Markos is an associate at Weisbrod Matteis & Copley PLLC, where she focuses her practice on commercial litigation and insurance coverage counseling and litigation for policyholders. She received a B.A. from Brywn Mawr College in 2004 and graduated magna cum laude from Rutgers University School of Law – Camden in 2010. She can be reached at emarkos@wmclaw.com or 267.262.5589.

%d bloggers like this: