An Ironshore Cyber Policy–Part V: Privacy Breach Expenses Coverage

An Ironshore Cyber Policy–Part V: Privacy Breach Expenses Coverage

0

Tech E&O, Network Security, Internet Media, and MPL Insurance Policy

Roughly speaking, this insuring agreement, I.D., regards amounts of money the Insurer will reimburse the Company for certain expenses–its Privacy Breach Expenses–after the Company has inflicted–and perhaps has been held responsible for inflicting–cyber-injuries on a third party and that injury directly results from a Privacy Incident. In other words, this is first-party coverage that the Insured will have as a result of its mistake–perhaps “mistake” could be put this way: as a result of its tort or its injury-causing statutory violation. Real-world general liability policies do not carry such first-party rights for an insured, so far as I know. Obviously, the phrase Privacy Incident is crucial. Briefly, it includes (i) the disclosure, etc., of some information of another, that is secret, or close to it; and the disclosure is in the care, custody, or control of the Insured or Service Provider.  (ii) That disclosure must result from a Privacy Regulation or a failure of the Company to comply with its own privacy policies.  The concept of Privacy Regulation includes a slew of  named statutes, both state and federal, plus regulations under those statutes, and “any similar state, federal or foreign identity theft or privacy protecting statute.”  [MSQ: Does the reader recognize that there may be controversies generated by the word “similar”?  Or what about this what about the word “any”?  What about when they don’t apply? Are Romanian privacy administrative rules applicable to problems in Oklahoma?  Perhaps not; but consider the twists and turns, “New York lawyers” might generate out of this.] In any case, the definition of Privacy Breach Expenses is a complex checklist. There are 7 paragraph-length, Yes-answers  (one of which has 3 separate parts) all following a short but “rich”  introduction.  In addition, there are then 9 shorter No-answers. [MSQ: Interestingly, many of the definitions have “This is included.” versus “This is not included” lists.] Here are brief sketches of some “Yeses”; of course, nothing on the list is provided without the consent/endorsement of the Insurer, and that consent may not be unreasonably refused by the Insurer.

[MSQ: Another probable area for insurer-insured controversy?]

Remember: the following is just an incomplete sketch: 

reasonable and necessary fee for obtaining lawyers, accountants, public relations firms, or others to”get access to a ‘privacy breach coach'” (through a particular source. . .) to determine the obligation to notify examine Insurer’s rights to indemnity from. . .review Insureds compliance with any [and all] Privacy Regulation[s]. . .“conduct computer analysis” to determine cause and effectdevise and implement public relations campaignnotify affected others. . .procure call center and identify restoration. . .procure credit freezes,reimburse Insured for fines, etc., levied by private organizations with jurisdiction. [Remember: Reimbursement comes after money spent.

The list of the “Noes” is even longer.  Remember: this is a sketch, and they are always incomplete: remuneration for wages, expenses, overhead, benefits, and so forth,

expenses for fixing or improving a variety of computer-related “stuff,”same sort of thing for Software errors or vulnerabilities,cost of researching and developing  Digital Assets,  including trade secrets

The idea of Digital Asserts will be briefly and partially explained presently,—MSQ

dealing with software defects, and the like, the economic or market value of Digital Assets,loss out of liability to others

The word here in the policy is not in bold and the first letter is not capitalized.  This means that the kind of loss involved here is not that which is suffered by the “injured” victim.  It is probably the loss to the Company created by its liability and its consequences, other than the amounts which have to be paid to the victim.—MSQ

contractual penalties,

Plus there is a whole slew of causes of situations elsewhere defined in the policy that are not within this insuring agreement and are hence not covered there.

This sketch gives the reader some sense of how the Privacy Breach Expenses Coverage insuring agreement works.  It is a forest of thickets that will generate coverage disputes for generations to come.  It is also extremely expensive.  The reader must keep in mind that all of these expenses eat away at policy limits.

Read More
An Ironshore Cyber Policy–Part III

An Ironshore Cyber Policy–Part III

0

Tech E&O, Network Security, Internet Media, and MPL Insurance PolicyInsuring Agreement: I.B Network Security Liability Coverage

This part will focus on the Insurance Agreement to be found in I.B.  It is entitled Network Security Liability Coverage.  The phrase Network Security and Network Security Wrongful Act have already been sketched in Part II.

The difference between I A and I.B is that the word Insured plays a key role in the insurance agreement.  What is crucial in I.A is that it covers only Individual Director[s] or Officer[s] and not the Company.  I.B covers both the individuals and the Company and other Individual Insureds. The third category of insured includes:

certain past, present, or future employees acting within their scopes of employment and/or their “functional equivalents,” [The idea of future employees having liability is entreating.] an independent contractor working for the Company (on its behalf and for its “benefit”) and committing a Wrongful Action while within the scope of his retention, which must be in writing.

Thus, this is not a “Side Excess” policy, and so individuals who are directors or officers (or both) do not have as much coverage.

As yourself, whether the responsibilities of an Insurer to provide a defense for its Insured is the same as in I.A.

Keep in mind, there is a duty to defend. There is a separate section in which the duty to defend liability cases is set forth.  This fact may be confusing even to the more experienced reader.  The reason is that the duty to defend it is usually set forth in the insuring agreement section of a policy. Here the opposite is true.  That duty  gets its own section,  The insurer’s duty to defend in this policy may be weaker than in many so-called real “world policies.”  Most policies of the so-called “real world” require a liability insurer to defend its insured if the plaintiff’s pleading states–or, probably in many jurisdictions, sketches a covered claim; it does not require that the claim actually be covered.  The plaintiff (and possible victim) can be wrong about what is asserted in the pleading or even lying, and they’re still a duty to defend. The liability sections of this policy don’t appear to say that.  It at least appears that the claim must actually be covered.  I don’t see how that can be true, but if I have understood the language, that is what it says.

Almost certainly I.B can be removed by endorsement.

I should have mentioned this point before, but the policy is not typical of at least some other important cyber policies, or–more accurately–other groups of cyber policies. (There is just too much in this one to be typical of the simpler or narrower ones.  Several simple ones have been blogged earlier in this blog string.)—MSQ

Remember: This post is organized around insuring agreements, definitions, and exclusions. Conditions, etc., may be remarked upon briefly, but they often resemble not only each other but those found in currently existing policies.—MSQ

Read More

An Ironshore Cyber Policy–Part II

0

  TechDefender
Tech E&O, Network Security, Internet Media, and MPL Insurance Policy
 First Insuring Agreement: #I.A
Individual Officer or Director Insurance
I have already explained in Part One, the first several words.  Now I turn to the real unadulterated cyber content of the first Insuring Agreement.  Remember, this is very sketchy.  Only a few phrases will be quoted here; only a few definitions will be spelled out, and some sections will be skipped entirely or almost completely. The main focus is on the “Insuring Agreements,” the Definitions, and the Exclusions.  Subtitles and Definitions will be in bold since that is how they are in the text.

This section pertains to the first Insuring Agreement. It is a liability section, as opposed to a first-party section. Roughly speaking, it insures against Losses resulting from covered Claims against covered individual persons (see Part I) for wrongful acts (WA) falling in either of two categories, Privacy Wrongful Act (PWA) or a Network Security Wrongful Act (NSWA).

“WA” is a frequently used term combined with one or more other phrases to focus on a type of category within which there can be a WA.  In I.A there are two categories already mentioned.

WA involves the idea of negligence, but that is not all it includes. WA means “any actual or alleged act, unintentional error, omission, neglect, or breach of duty by. . . the coming two WA types: Insured or a Service Provider that results in a Privacy Incident. 

The idea of a Privacy Incident seems obvious enough, for now as is the idea of a non-owned company providing typical cyber services to the Insured.  [Remember: each of these definitions has other definitions built into them. Notice that it appears that at least some intentional acts are included within the definitions of WA.]  The idea of privacy pertains to data regarding matters people and/or companies don’t want to be disclosed or made public, and a Privacy Incident is an event like that resulting from a PWA.  (More details about the concept of Privacy Incident will be set forth in Part IV.)

The idea of NSW is well known in parts, but it is more complex. Under this definition the following are included, and the insuring agreement covers losses directly caused by WA’s in one or more of the following:

thefts, corruption, or deletion of Electronic Data from the Company’s Computer System, unless it comes from the outside and that is not the company’s fault [e.g., hacking?];
Unauthorized Accessed or Unauthorized Use of the Company’s Computer System;
denial of Authorized Use, unless unintended breakdown;
Company’s Computer System in some sort of attack on another system;
transmission of Malicious Code to another system.  Further insured injuries may result [There has been some controversy about whether CGL policies cover injuries to the software since it, is in part a physical object, i.e., something tangible that may suffer physical loss and loss of use.

Exclusions exceed 50 in number, counting the sub-parts, and 25 if the sub-parts are not counted.  Most of them are, to some degree or other, analogous to exclusions found in so-called “real world” policies.

Significantly there may or may not be a duty to defend, provide a defense, pay for a defense, pay on behalf of defense for an Insured.  Although the language is not completely clear, it seems likely that the duty to defend hinges, more or less, on the so-called “Eight Corners” Rule.  Then there is a duty to defend, the insurer “runs” the defense show and pays for it along the way. That is not always true in D & 0 policies, and it does not appear to be true in this policy on all occasions.  In any case, for this and other reasons,  the reader of this policy must be careful about several distinguishable phrases, “will pay,” “will indemnity,” and “will pay in behalf of.”  The last one is particularly tricky when it actually says “will pay on behalf of Insured all Loss . . . that the Insured is legally obligated to pay.”  This language may not provide the same coverage across the board.  Why else would there be different phrases?

With regard to the duty to defend, there is a particularly puzzling phraseology. Here it is: more or less:  “The Insurer will pay on behalf of. . . all Loss. . . which the. . .becomes legally obligated as damages.”  (The omissions are to leave room for different conceptions of who or what is an insured.  And the word Loss includes Damages.)  One problem in this coverage is that many insureds are not legally obligated to defend themselves; and, of two defendants, one may not only be not legally required to defend itself but it may not be legally required to defend its codefendant(s).

This problem is one of appearance only.  There is a separate section in which the duty to defend liability cases is set forth.  This fact may be confusing even to the more experienced reader.  The reason is that the duty to defend it is usually set forth in the insuring agreement section of a policy. Here the opposite is true.  That duty  gets its own section,  The insurer’s duty to defend in this policy may be weaker than in many so-called real “world policies.”  Most policies of the so-called “real world” require a liability insurer to defend its insured if the plaintiff’s pleading states–or, probably in many jurisdictions, sketches a covered claim; it does not require that the claim actually be covered.  The plaintiff (and possible victim) can be wrong about what is asserted in the pleading or even lying, and they’re still a duty to defend. The liability sections of this policy don’t appear to say that.  It at least appears that the claim must actually be covered.  I don’t see how that can be true, but if I have understood the language, that is what is says.

Of course, with so many newly defined words, there will be controversy over what is meant.  However, there is at least one that is often in dispute here in the real world.  The policy often says that it covers “direct” losses, meaning that the loss must be “directly” covered by a covered cause.  The meaning of “directly” is subject to controversy.

What is direct as opposed to indirect?

Read More
Deposition Topic:”Prudent to have x?” “Prudent to do x?”

Deposition Topic:”Prudent to have x?” “Prudent to do x?”

0

Consider the following dialogue at a deposition:  It concerns a situation in which a new business did not demand a copy of its insurance policy from its agent.

Q. It would have been prudent for them to ask for it, true?A. Yes. Of course, it was not imprudent not to ask.

Q. Why do you say that?A. Because at least 999 times out of 1000, and probably more, it is not needed.

Q. Isn’t it uncommon not to have it?A. Not really. People and businesses often don’t have them.

Q. What about the Certificate of Insurance?A. That is usually needed when a customer demands having it, and even then it is not actually needed in      by far the vast majority of cases.

Q. Would you agree with me that it is prudent to have a copy of the policy?A. Certainly, but it is not imprudent not to have it.  The same often goes for the Certificates.

Q. Won’t you agree that it is wise to ask for and get it?A.  The insured shouldn’t have to ask.

Q. But if it does have to ask, wouldn’t it be wise to ask for it?A. I don’t really know, since, as it stands the question is muddled. 

Q. Why?A.  The answer depends upon what the meaning of the word “wise” is.  And the applicability of it in the different sorts of situations. The word “wise” has lots of different levels and lots of different applications.

[At this place a dialog on the word “wise” or the concept of wisdom begins.]

Read More
The Insurance Appraisal Process Part IV

The Insurance Appraisal Process Part IV

0

Some  New Ideas

Part IV

There is a set of persistent problems in dealing with Umps, namely their selection; the problem is buried in a series of steps for the “opposing” appraisers.

(1) Each of the two appraisers is appointed by one of the sides.

(2) They frequently see themselves as advocates not a cooperative committee of two.

(3) Frequently, they don’t know how to agree on an Ump, or they don’t know the same people, or they are not paid enough to put much time into the matter, or one of them jumps the gun and goes to a judge and gets and Ump appointed before s/he is needed.

(4) There is are no explicit standard governing both of the first two participants as to how to select an Ump.  If the opposing parties in the appraisal process together imposed standards of Ump selection on their appointees some of the problems arising out of Umps might be solved. 

(5) There are no rules on how to deal with the judges appointing the ump. There should be (i) Surely there should be notification of application by the side that wants an Up chosen to the other side.  (ii) Surely when there is a disagreement about who to appoint as ump there should be a hearing if possible. It need not be a long one. (ii) Surely both sides should present a list of candidates and their qualifications. Of course, it would be best there was agreement about the names of the list. 

(6) Umps must understand that they do not work for anyone involved. They work only to establish justifiable truth.

(7) A candidate should not have a history that suggests bias. A person who has been a lifelong adjuster for the This-&-That Insurance Company, Inc., should not be appointed as an Ump.

To qualify to be on the list of the qualified, candidates should not only know about and be sympathetic to the subject of reasonable adjustment and the logic of the reasonable and rational argument but must have the drive to embrace these behaviors and ideals.  A musicologist should not be involved in adjusting a loss involving a giant bridge–and probably any other physical item other than a piano, etc.

(8) Perhaps there should be a type of agreement entitled “Selection of the Umpire Principles,” or maybe “Criteria of Selection of  Umpire.” It may be a short document, but expressly require everything of an Ump that is required of the appraisers, and at the same level of the bar, and above all require the Ump to sign, and maybe swear to his having specified qualifications and that he will determine the dispute if the original two cannot.

(9) The requirement and the “sheet” should be adopted as industry-wide as possible.

(10) Umps should be required to have signed it, and maybe even swore to it. 

There is another special problem.  It focuses on Umps but it spreads out across all those involved in appraisal. Umps are not judges. Thinking of umps as judges distort the process of appraisal The paradigms for Umps are to be found in sports. Consider baseball. The Ump there must know more about the game than the player and usually more than the coaches. The same is true in football. The competence of Umps is not to make reasoned decisions based on what others argue to them, as judges are conceived. Umps are in the field. It is not, for example, characteristic of judges to go out to a site and make realistic and informed empirical observations of alleged damages, yet this is exactly what is generally involved in being an Ump. Judges need not have expertise on the issues in dispute; Umps must.

Thus, as already stated, Umps are not judges. Umps must gather at least some of their own empirical data. Judges rarely do this. I have already discussed this fact, this problem; I have already suggested some solutions to it. Sometimes it is said that Umps are so much like judges that they should be thought of like that. Judges try cases about welding without themselves being welders, that is not exactly true about Umps. They have to know a good deal more than basic fundamentals. They themselves must find independent support for their decisions. They do not usually have witnesses, transcripts, depositions, or arguments.  

Similarly, just stepping up to the plate as an Ump does not make you suddenly and particularly knowledgeable about roofs and hail for most purposes. An Ump in a hail case, for instance, should not look merely to the estimates provided by the opposing appraisers. An Ump needs to have enough information, and enough background and experience, to review the claim and the damage before it and make a reasoned decision.  Umps are not judges. The fact that the word “quasi-judicial” is sometimes used to describe appraisals does not make the Ump judge-like. The term is for the whole process. The whole process is designed to avoid litigation-type situations, and there is an underlying idea of cooperation designed to reach just results quickly. Granted, Umps are not mediators, but they also are not the messenger-servants of one side or the other. And they are required to be knowledgeable about the kind of damages at issue. It takes judges some time to learn topics about which they know nothing or little, at least usually speaking. Appraisals cannot work that way; otherwise speed is undermined, and that is one of the chief purposes of appraisal. 

Judges may not be satisfactory Umps. It is also worth pointing out that/although some are, many, many Umps are not and never have been judges. They may not even have a really good feel for what it is that judges really do. It is much more important than an Ump, like an appraiser, know more about the substantive issues of a case: about hail, about smoke, about arson, about interruptions of business income.  

Judges may not even be good appointers of Umps.  I have “seen” (or otherwise be acquainted with stories about) judges pick their long-time friends, associates, pals, and lawyers- in-need as Umps, and those selections have not always been successful. ConclusionThe point of this blog–all four parts of it–is to set forth or vindicate the proposition that appraisal is intended to be a relatively rapid rational process. Such a process requires that all the members of the temporally changeable committee must be appropriately knowledgeable, reasonable, rational, dedicated, dedicated to getting to as much truth as possible. The appraisers must be able to reason with others; they must not be biased in favor of the side that appointed them and the side appointing them must be dedicated to the same idea. The Ump must recognize and accept the proposition that he is not in control of the operation, that he is not the lone, ultimate decider. The Ump might consider the idea that he should try to create reasonable debate before he takes it aside, in other words, the Ump might consider the idea of fostering (even more) cooperative discussions.

Read More

Quinn Quotes

Truth is not a relative (or relativistic) concept. Factual propositions are true; they are false; they are too vague to have a true value, or their true value has not been determined. We don’t know, or we do not know yet, is a permissible answer to a question, so long as it is true. It is not always the case that false propositions must be apparently false. Sometimes a false proposition can look true. And vice versa. ~Michael Sean Quinn, PhD, JD, CPCU, Etc.Tweet

The books shown are NOT affiliate links.
MSQ (site) does not receive any compensation for books listed or sold.
Books are shown for the reader's convenience only.

Newsletter

Michael Sean Quinn, PhD, JD, CPCU, Etc*., is available as an expert witness in insurance disputes and other litigation matters. Contact