This entry is part 3 of 10 in the series IRONSHORE

Tech E&O, Network Security, Internet Media, and MPL Insurance Policy

 First Insuring Agreement: #I.A

Individual Officer or Director Insurance

I have already explained in Part One, the first several words.  Now I turn to the real unadulterated cyber content of the first Insuring Agreement.  Remember, this is very sketchy.  Only a few phrases will be quoted here; only a few definitions will be spelled out, and some sections will be skipped entirely or almost completely. The main focus is on the “Insuring Agreements,” the Definitions, and the ExclusionsSubtitles and Definitions will be in bold since that is how they are in the text.
This section pertains to the first Insuring Agreement. It is a liability section, as opposed to a first-party section. Roughly speaking, it insures against Losses resulting from covered Claims against covered individual persons (see Part I) for wrongful acts (WA) falling in either of two categories, Privacy Wrongful Act (PWA) or a Network Security Wrongful Act (NSWA).
“WA” is a frequently used term combined with one or more other phrases to focus on a type of category within which there can be a WA.  In I.A there are two categories already mentioned.
WA involves the idea of negligence, but that is not all it includes. WA means “any actual or alleged act, unintentional error, omission, neglect, or breach of duty by. . . the coming two WA types: Insured or a Service Provider that results in a Privacy Incident. 
The idea of a Privacy Incident seems obvious enough, for now as is the idea of a non-owned company providing typical cyber services to the Insured.  [Remember: each of these definitions has other definitions built into them. Notice that it appears that at least some intentional acts are included within the definitions of WA.]  The idea of privacy pertains to data regarding matters people and/or companies don’t want to be disclosed or made public, and a Privacy Incident is an event like that resulting from a PWA.  (More details about the concept of Privacy Incident will be set forth in Part IV.)
The idea of NSW is well known in parts, but it is more complex. Under this definition the following are included, and the insuring agreement covers losses directly caused by WA’s in one or more of the following:
  • thefts, corruption, or deletion of Electronic Data from the Company’s Computer System, unless it comes from the outside and that is not the company’s fault [e.g., hacking?];
  • Unauthorized Accessed or Unauthorized Use of the Company’s Computer System;
  • denial of Authorized Use, unless unintended breakdown;
  • Company’s Computer System in some sort of attack on another system;
  • transmission of Malicious Code to another system.  Further insured injuries may result [There has been some controversy about whether CGL policies cover injuries to the software since it, is in part a physical object, i.e., something tangible that may suffer physical loss and loss of use.

Exclusions exceed 50 in number, counting the sub-parts, and 25 if the sub-parts are not counted.  Most of them are, to some degree or other, analogous to exclusions found in so-called “real world” policies.

Significantly there may or may not be a duty to defend, provide a defense, pay for a defense, pay on behalf of defense for an Insured.  Although the language is not completely clear, it seems likely that the duty to defend hinges, more or less, on the so-called “Eight Corners” Rule.  Then there is a duty to defend, the insurer “runs” the defense show and pays for it along the way. That is not always true in D & 0 policies, and it does not appear to be true in this policy on all occasions.  In any case, for this and other reasons,  the reader of this policy must be careful about several distinguishable phrases, “will pay,” “will indemnity,” and “will pay in behalf of.”  The last one is particularly tricky when it actually says “will pay on behalf of Insured all Loss . . . that the Insured is legally obligated to pay.”  This language may not provide the same coverage across the board.  Why else would there be different phrases?

With regard to the duty to defend, there is a particularly puzzling phraseology. Here it is: more or less:  “The Insurer will pay on behalf of. . . all Loss. . . which the. . .becomes legally obligated as damages.”  (The omissions are to leave room for different conceptions of who or what is an insured.  And the word Loss includes Damages.)  One problem in this coverage is that many insureds are not legally obligated to defend themselves; and, of two defendants, one may not only be not legally required to defend itself but it may not be legally required to defend its codefendant(s).

This problem is one of appearance only.  There is a separate section in which the duty to defend liability cases is set forth.  This fact may be confusing even to the more experienced reader.  The reason is that the duty to defend it is usually set forth in the insuring agreement section of a policy. Here the opposite is true.  That duty  gets its own section,  The insurer’s duty to defend in this policy may be weaker than in many so-called real “world policies.”  Most policies of the so-called “real world” require a liability insurer to defend its insured if the plaintiff’s pleading states–or, probably in many jurisdictions, sketches a covered claim; it does not require that the claim actually be covered.  The plaintiff (and possible victim) can be wrong about what is asserted in the pleading or even lying, and they’re still a duty to defend. The liability sections of this policy don’t appear to say that.  It at least appears that the claim must actually be covered.  I don’t see how that can be true, but if I have understood the language, that is what is says.

Of course, with so many newly defined words, there will be controversy over what is meant.  However, there is at least one that is often in dispute here in the real world.  The policy often says that it covers “direct” losses, meaning that the loss must be “directly” covered by a covered cause.  The meaning of “directly” is subject to controversy.

What is direct as opposed to indirect?

Originally posted on 09/06/2013 @ 9:23 pm

Series Navigation

<< An Ironshore Cyber Policy–Part X: Insuring Agreement I.E.:An Ironshore Cyber Policy–Part V: Privacy Breach Expenses Coverage >>

Michael Sean Quinn, PhD, JD, CPCU, Etc

Michael Sean Quinn, PhD, JD, CPCU, Etc. (530)

One of Texas's leading insurance scholars, Michael Sean Quinn is a past chair of the Insurance Section of the State Bar of Texas and has a broad legal practice.

Hits: 0