- Cyber Insurance, Cyber Exclusions and Breach of Cyber Insurance Contract
- An Ironshore Cyber Policy–Part X: Insuring Agreement I.E.:
- An Ironshore Cyber Policy–Part II
- An Ironshore Cyber Policy–Part V: Privacy Breach Expenses Coverage
- An Ironshore Cyber Policy–Part III
- An Ironshore Cyberpolicy–Part VI: Insuring Agreement I.E.
- An Ironshore CyberPolicy–Part VII: Insuring Agreement I.F.
- An Ironshore Cyber Policy–Part IX: I.H: Business Interruption Income Loss–Part IX
- Ironshore Blanket Cyber Policy–Part XI: Insuring Agreement I.J
- Ironshore Cyber Insurance Policy
Tech E&O, Network Security, Internet Media, and MPL Insurance Policy
Insuring Agreement I.E: Regulatory Proceeding Coverage
Remember: This post series is organized around insuring agreements, definitions, and exclusions. Conditions, etc., may be remarked upon briefly, they often resemble not only each other but those found in currently existing policies.
The first specific thing to notice here in I.E. is that the Insurer agrees to reimburse the Insured. Be mindful of the fact that this concept is quite different from “pay on behalf of” or “pay for.” “Reimburse,” literately understood, means that the insured pays first. There is no reason to believe that a court will not take this language literally. Second, and very important, this entire section is attached to two concepts: Privacy Incident and Regulatory Proceeding. The first of these concepts was discussed in Part V, and a concept related to the second one, Privacy Regulation, was also discussed there. Much of what was written there is reprinted in the next paragraph. The phrase Privacy Incident briefly put includes (i) the disclosure, etc., of some information or another, that is secret, or close to it; and the disclosure is in the care, custody, or control of the Insured or Service Provider. (ii) That disclosure must result from a Privacy Regulation or a failure of the Company to comply with its own privacy policies. The concept of Privacy Regulation includes a slew of named statutes, both state and federal, plus regulations under those statutes, and “any similar state, federal or foreign identity theft or privacy protecting statute.”
Now for the second of the two crucial concepts, Regulatory Proceeding. This topic has not been written about in this (group of) blog(s). The idea is pretty clear from the language. The phrase means (1) a governmental investigation of an Insured, e.g., perhaps leading up to an adjudicative governmental hearing concerning a Privacy Incident, and/or (2) an adjudicative administrative hearing on either a Privacy Wrongful Act or a Network Wrongful Act including an appeal, either of them begun by the receipt of “a subpoena, a formal investigative demand, complaint or similar document.”
It seems odd to me, at least appears, that one of the types of wrongful acts is covered for investigations and the other one is not. Indeed, this seems so unlikely that I think I must have missed something.
The Insured’s right to be paid for its expenses in this arena is huge. This fact indicates that the insured should make sure that everyone in the organization involved knows well the terms of the policy, consults with risk management, stays in close contact with the IT and IS departments, and ask in-house or outside counsel for advice. (Perhaps there will be an appropriately specialized attorney included within the in-house counsel department. This is not uncommon in really large law firms.) In addition, the Insured should monitor its work on these matters carefully, make sure that accurate records are kept, make sure that confessionary, personal, and other assorted messages are not entered into the cyber-systems. It would be a good idea for the insured to institute a special, nearly unique kind of specialized “Product Management,” as it is now called.
The Insured should also make sure that it has enough coverage. The problem here is that no one really knows what is adequate coverage. The whole field is too new; there has not been enough time to develop helpful statistical data.
On to I.F.
Originally posted on 09/16/2013 @ 5:41 pm