This entry is part 6 of 10 in the series IRONSHORE

Tech E&O, Network Security, Internet Media, and MPL Insurance Policy
Insuring Agreement I.E: Regulatory Proceeding Coverage

Remember: This post series is organized around insuring agreements, definitions, and exclusions. Conditions, etc., may be remarked upon briefly, they often resemble not only each other but those found in currently existing policies.

The first specific thing to notice here in I.E. is that the Insurer agrees to reimburse the Insured.  Be mindful of the fact that this concept is quite different from “pay on behalf of” or “pay for.”  “Reimburse,” literately understood, means that the insured pays first. There is no reason to believe that a court will not take this language literally. Second, and very important, this entire section is attached to two concepts: Privacy Incident and Regulatory Proceeding.  The first of these concepts was discussed in Part V, and a concept related to the second one, Privacy Regulation, was also discussed there. Much of what was written there is reprinted in the next paragraph. The phrase Privacy Incident briefly put includes (i) the disclosure, etc., of some information or another, that is secret, or close to it; and the disclosure is in the care, custody, or control of the Insured or Service Provider.  (ii) That disclosure must result from a Privacy Regulation or a failure of the Company to comply with its own privacy policies. The concept of Privacy Regulation includes a slew of  named statutes, both state and federal, plus regulations under those statutes, and “any similar state, federal or foreign identity theft or privacy protecting statute.”

Does the reader realize how controversial the phrase “care, custody, and control” can be in insurance disputes?  And here only immaterial entities are involved. Will that complicate matters? Does the reader recognize that there may be controversies generated by the word “similar”?  Or what about this what about the word “any”?  What about when they don’t apply? Are Bolivian privacy administrative rules applicable to problems in Oklahoma?  (Perhaps not; but consider the twists and turns, “New York lawyers” might generate out of these two ideas.)  Remember: the phrase “care, custody, and control” has caused lots of insurer-insured disputes for many years.

—MSQ

Now for the second of the two crucial concepts, Regulatory Proceeding.  This topic has not been written about in this (group of) blog(s).  The idea is pretty clear from the language.  The phrase means (1) a governmental investigation of an Insured, e.g., perhaps leading up to an adjudicative governmental hearing concerning a Privacy Incident, and/or (2) an adjudicative administrative hearing on either a Privacy Wrongful Act or a Network Wrongful Act including an appeal, either of them begun by the receipt of “a subpoena, a formal investigative demand, complaint or similar document.”

It seems odd to me, at least appears, that one of the types of wrongful acts is covered for investigations and the other one is not. Indeed, this seems so unlikely that I think I must have missed something.

The Insured’s right to be paid for its expenses in this arena is huge. This fact indicates that the insured should make sure that everyone in the organization involved knows well the terms of the policy, consults with risk management, stays in close contact with the IT and IS departments, and ask in-house or outside counsel for advice.  (Perhaps there will be an appropriately specialized attorney included within the in-house counsel department. This is not uncommon in really large law firms.) In addition, the Insured should monitor its work on these matters carefully, make sure that accurate records are kept, make sure that confessionary, personal, and other assorted messages are not entered into the cyber-systems.  It would be a good idea for the insured to institute a special, nearly unique kind of specialized “Product Management,” as it is now called.

The Insured should also make sure that it has enough coverage. The problem here is that no one really knows what is adequate coverage.  The whole field is too new; there has not been enough time to develop helpful statistical data.

On to I.F.

Originally posted on 09/16/2013 @ 5:41 pm

Series Navigation<< An Ironshore Cyber Policy–Part IIIAn Ironshore CyberPolicy–Part VII: Insuring Agreement I.F. >>
Michael Sean Quinn, PhD, JD, CPCU, Etc

Michael Sean Quinn, PhD, JD, CPCU, Etc. (530)

One of Texas's leading insurance scholars, Michael Sean Quinn is a past chair of the Insurance Section of the State Bar of Texas and has a broad legal practice.

Hits: 2