Caveat Emptor in the Brave New World of Cyber Insurance Coverage


Guest Blogger:  Martin Bienstock, Weisbrod Matteis & Copley PLLC

There are two types of entities in the world, goes the adage: those who have learned that their data was breached; and those who just don’t know it yet.  The cost of these data breaches is no laughing matter, however; according to a recent study sponsored by IBM, the average data breach costs a company more than $200 for each record lost.[1]  (In the health-care sector, the costs are even greater, approaching $400 per lost record.[2])  The more records that are lost, the greater the per-record expense, so that a large data breach may give rise to exorbitant costs.[3]

Thoughtful executives can mitigate these costs through effective utilization of insurance coverage.  Insurance companies aggressively are marketing new cyber-insurance policies that provide first-party and third-party coverage in the event of a data breach.  Often, the new policies are accompanied by an exclusion in the entity’s Commercial General Liability Policy for losses arising from a data breach.

Entities entering the market for cyber coverage therefore must be vigilant to ensure that, at the end of the day, their efforts not yield less coverage than previously had been available.

Cyber Insurance Policies Are Often Conditioned Upon Maintaining a Particular Level of IT Security.

The new cyber policies typically require an applicant to complete a comprehensive assessment of its cyber security measures, affirming, for example, that it has in place “up-to-date, active firewall technology,” and “updated anti-virus software active on all computers and networks.”[4]   Coverage may be conditioned on the accuracy of these representations.[5]   In the event of a breach, if it turns out that the IT security information represented in the application form was inaccurate, coverage might not be available.

Thus, in one recent case,[6] an insurer sought to deny coverage because, among other things, the insured health-care provider had not maintained the level of IT security described in its application.  The insurer argued that the policy therefore was void.[7]  Under cyber-liability policies, then, an insured might be excluded from coverage in the event that it was negligent in implementing cyber-security measures – hardly the result that the insured had in mind when it purchased the policy.

Traditional CGL Policies Offer Some Protection for Data Breaches Even When the Insured Failed to Maintain Adequate IT Security.

When a data breach arises from an entity’s failure to maintain security, third-party coverage likely would be available under a standard Commercial General Liability Policy.  The standard CGL Policy provides coverage for “advertising injury.”  It defines such advertising injury to include injury caused by “oral or written publication, including publication by electronic means,” which “disclosed information about a person’s private life.”

This definition of “advertising injury” is ill-suited for costs arising from a data breach since it depends upon “publication.”  In the event of a data breach, many of the costs are unrelated to the actual publication of private data; the costs arise from the mere possibility of publication, not its actuality.  Conditioning data-breach coverage upon an irrelevant “publication” standard makes little sense.

Two recent cases highlight the limitation of relying on the “publication” standard to provide protection against data-breach claims.  In one case, electronic data concerning 50,000 employees fell out of a transport van and never was recovered.  The Connecticut Supreme Court held that the data had not been “published,” since there was no factual support for the conclusion that the data, which was not in a readily usable format, ever was accessed by anyone.[8]  In contrast, in another recent case, the Fourth Circuit Court of Appeals affirmed a district court decision that damages resulting from a data breach did constitute “advertising injury” because the information had been made available on the internet, and therefore was “published.”[9]

Cyber-data and Cyber-security policies can be better designed than the CGL “advertising injury” coverage, so that coverage is not dependent on publication.  But as some insureds have learned to their dismay, cyber-liability policies may be drafted to shift the costs of negligence back to the insured, and to make coverage unavailable for the very data breaches for which the insured purchased the insurance in the first place.

Caveat Emptor

Cyber-risk insurance therefore may serve a useful purpose by providing coverage that is targeted specifically towards data breaches, and that covers damages that go beyond the scope of the traditional CGL Policy. Buyers must beware, however, that the extra financial and administrative burden they assume in buying such policies not leave them worse off than before.

For more information, please contact Marty at mbienstock@wmclaw.com or 202.751.2002.

 

[1] IBM 2015 Cost of Data Breach Study United States, conducted by Ponemon Institute LLC (May 2015) at 1.

[2] Id. at 7.

[3] Id. at 7.

[4] A sample cyber-risk policy issued by Travelers Group and containing these representations (last accessed on the date of publication) is available here.

[5] Id., Cyber-Risk Policy at III.M. (p. 22).

[6] Columbia Cas. Co. v. Cottage Health Sys., 15-cv-3432 (2015 C.D. Cal.).

[7] Id., Dkt No. 22.

[8] Recall Total Info. Mgmt., Inc. v. Fed. Ins., 317 Conn. 46, 115 A.3d 458 (2015).  The Connecticut Supreme Court adopted the reasoning of the appellate court in Recall Total Information Management, Inc. v. Federal Ins. Co., 147 Conn.App. 450, 465, 83 A.3d 664 (2014).

[9] Travelers Indem. Co. of Am. v. Portal Healthcare Sols., L.L.C., No. 14-1944, 2016 WL 1399517, at *2 (4th Cir. Apr. 11, 2016).

Insuring Success: The Transfer of Insurance Assets in Corporate Mergers and Acquisitions

Corporate America is in a constant state of flux. Mergers, acquisitions and spin-offs continue unabated. As a consequence, virtually every major insurance coverage case involves an examination of the corporate policyholder’s history and its rights to insurance for liabilities caused by predecessors and after-acquired entities.

While great care is devoted to documenting and perfecting these sophisticated corporate transactions, all too often, not enough attention is paid to the transfer of insurance assets.  For example, to the extent that insurance assets are addressed, transferring documents often deal only with the disposition of currently in force insurance policies and are silent with respect to historic insurance policies.  As we now know, however, long tail liabilities arising out of asbestos, environmental and other exposures often trigger coverage under insurance policies dating back decades.

Equally troublesome is the virtually universal inclusion of so-called “anti-assignment” clauses in insurance policies that purport to require the insurer’s consent before rights under an insurance policy are transferred.  A typical “anti-assignment” clause provides as follows: “Assignment of the interest under this policy shall not bind the company until its consent is endorsed thereon.”  Insurers argue that these clauses are designed to prevent policyholders from saddling insurers with risks they never anticipated nor underwrote.

Courts throughout the country have been grappling with these and other issues.  Although holdings vary from jurisdiction to jurisdiction, some general legal principles have emerged:

  • After a merger, the insurance assets of the predecessor entity typically transfer, along with any liabilities, to the successor entity.
  • The transfer of insurance assets pursuant to other corporate transactions, such as asset purchase agreements, is largely dependent on the wording of the agreement.
  • “Anti-assignment” clauses typically do not bar the transfer of insurance assets and rights after a merger or for losses that occur before the transfer.
  • A successor entity is generally not entitled to insurance coverage under its own insurance policies for liabilities of after-acquired subsidiaries that are based on events that occurred prior to the transfer.

All of this suggests that great care should be devoted to the treatment of insurance assets in any corporate transaction.

Questions? Contact Lee Epstein at Weisbrod Matteis & Copley PLLC.

Three’s a Crowd: Adventures in the Tripartite Relationship

An insurance company’s duty to defend its policyholder is at least as important as its duty to indemnify — if not more so. Indeed, it has been estimated that 55 cents out of every claim dollar is paid for defense.

The not insignificant expense associated with defending claims has caused insurers to seek greater control over the defense of claims asserted against policyholders. With increasing frequency, insurers are insisting on the use of panel defense counsel, the adherence to strict billing guidelines and the pre-approval of even the most basic costs. The resulting tensions have led defense counsel to seek guidance from their bar associations and policyholders to seek relief from the courts. Those tensions are exacerbated even further when conflicts of interest between insurers and policyholders arise.

This article discusses the nuances of the tripartite relationship involving insurers, policyholders and defense counsel and examines the current state of the law governing that relationship.

I. The Policyholder Is Always The Client

Even when an insurer is defending an action without reservation, the policyholder remains the client of the defense counsel retained and paid by the insurer. In certain jurisdictions, however, the insurer is also considered the client when a tripartite relationship is formed. Notwithstanding whether the insurer is also considered the client, insurers will invariably insist that they are entitled to control that defense, especially when they are defending without reservation.

According to insurers, the right to control will include the right to select defense counsel, approve all tactical decisions and settle any claim within policy limits. At times, however, the policyholder and insurer may have divergent views on how to defend a case or the policyholder may have business reasons for not wanting to settle a case within policy limits. In those situations, the Model Rules of Professional Conduct for attorneys provide necessary guidance for defense counsel and their clients.

Rule 1.2(a) of the Model Rules dictates that the lawyer must consult with and abide by a client’s decisions concerning the representation. Moreover, Model Rule 5.4(c) provides that a lawyer “shall not permit a person who recommends, employs or pays a lawyer to render legal services for another to direct or regulate the lawyer’s professional judgment in rendering . . . legal services.” Thus, irrespective of whether the insurer is also deemed the client, defense counsel must consult with the policyholder, and not permit the insurer to interfere with counsel’s judgment in defending the interests of the policyholder.

II. An Insurer May Not Insist On Unfettered Compliance With Its Billing Guidelines   

In an effort to reduce litigation costs, insurers are increasingly insisting that defense counsel comply with stringent billing guidelines. Those guidelines typically impose strict reporting requirements and require defense counsel to seek prior insurer approval of any significant costs to be incurred. The insurer’s interest in reducing costs will, in many instances, diverge from the policyholder’s interests in obtaining the best possible defense.
When compliance with insurer-imposed billing guidelines will compromise the defense, defense counsel must protect the policyholder’s interests. In those circumstances, defense counsel must first consult with both the insurer and the policyholder. If the insurer is unwilling to modify or withdraw the limitation a billing guideline places on the defense, and the policyholder is unwilling to accept that limitation, Rule 1.7(b) requires that defense counsel withdraw from representation of both the policyholder and the insurer. Rule 1.7(b) provides, in pertinent part, that “[a] lawyer shall not represent a client if the representation of that client will be materially limited by the lawyer’s responsibilities to another client or to a third person . . . .”

A specific cost-reduction mechanism employed by insurers, which has come under fire recently, is the use of third-party auditors to review defense counsel bills. Such “legal bill audits” typically involve an examination of hourly rates charged, time spent and defense counsel’s work product to determine the reasonableness of the amounts charged. In the usual case, defense counsel may share this type of information with the insurer because such sharing is either required by the insurance policy or it is permissible in those jurisdictions in which the insurer is also considered the client of defense counsel. When the disclosure would affect a material interest of the policyholder, however, defense counsel may not share such information with the insurer, absent informed consent from the policyholder. For example, defense counsel are usually prohibited from disclosing information to the insurer that could adversely affect the policyholder’s coverage under the insurance policy at issue. An apt example was provided by the Pennsylvania Bar Association:

Generally, an attorney representing an insured need only inform the Insurer of the information necessary to evaluate a claim. For example, assume an attorney represents an Insured in a premise liability slip and fall. During the course of the representation, the attorney discovers that the subject property is a rental property, not a residential property as set forth in the policy.
Although this information may radically affect coverage, the attorney is prohibited from releasing this information to the Insurer or any other third parties. In the foregoing hypothetical, the attorney would simply inform the Insurer of the nature of the injuries claimed by plaintiff and the circumstances surrounding the incident. The insurer would have all of the information necessary to evaluate the value and basis for the claim and the Insured’s confidentiality would be protected.

Pa. Bar Assoc. Comm. On Legal Ethics and Prof. Resp. Informal Op., No. 97-119, 1997 WL 816708 at *2 (Oct. 7, 1997).

Moreover, the majority of jurisdictions have concluded that defense counsel may not disclose confidential information to a third-party auditor, absent the policyholder’s informed consent. Unlike the case with insurers, disclosure of such information to third-party auditors, with whom defense counsel have no employment or contractual relationship, may result in a waiver of any applicable privilege. In order to secure informed consent from the policyholder, defense counsel must discuss the nature of the disclosures sought by the third-party auditor as well as the consequences of disclosure (i.e., potential waiver of privilege) and non-disclosure (i.e., insurer may view non-disclosure as a breach of the duty to cooperate under the insurance policy).

III. When Conflicts Arise, The Insurer Must Relinquish Control Over The Defense 

When a conflict of interest between the insurer and policyholder arises, an insurer must typically relinquish any right to control the defense, including the right to select defense counsel. “It is settled law that where conflicts of interest between an insurer and policyholder arise, such that a question as to the loyalty of the insurer’s counsel to that policyholder is raised, the policyholder is entitled to select its counsel, whose reasonable fee is to be paid by the insurer.” St. Peter’s Church v. American Nat. Fire Ins. Co., No. 00-2806, 2002 WL 59333 at *10 (E.D. Pa. Jan 14, 2002).

A classic example of a conflict necessitating the retention of independent counsel may arise where the insurer reserves the right to deny coverage for certain of the underlying claims, but not others. In that situation, an insurer “would be tempted to construct a defense which would place any damage award outside policy coverage.” Public Serv. Mut. Ins. Co. v. Goldfarb, 442 N.Y.S.2d 422, 427 (N.Y. 1981).

Another prime example of a conflict sufficient to cause an insurer to relinquish the control over the defense is where the insurer lacks the economic motive for mounting a vigorous defense. This situation may arise where the underlying claimant prays for damages that are well in excess of the insurer’s policy limits. See, e.g., Emons Indus., Inc. v. Liberty Mut. Ins. Co., 749 F. Supp. 1289, 1297 (S.D.N.Y. 1990).

IV. Conclusion

The tripartite relationship between the insurer, policyholder and defense counsel provides fertile ground for confusion and abuse. Even when an insurer defends a matter without reservation, the policyholder remains the client and can properly object to any limitations placed on the defense by the insurer. If defense counsel reasonably believes that an insurer-imposed limitation will materially impair the defense, defense counsel must withdraw from representing both the insurer and the policyholder.

When a conflict of interest between the insurer and policyholder arises, the insurer must relinquish control over the defense and the policyholder is entitled to select defense counsel. Such a conflict may arise where an insurer reserves the right to deny coverage for only certain of the underlying claims, or where the insurer does not have an economic incentive to defend vigorously, or where the insurer could construct a defense placing any damage award outside of coverage.

Questions? Contact Lee Epstein at Weisbrod Matteis & Copley PLLC.