This entry is part 3 of 3 in the series CYBER INSURANCE

This is the first “chapter” in a string of blogs focusing on cyber insurance.  This one will concern the look of “yesterday’s” policies–the ones used for a long, long time–and the look of a branch of “tomorrow’s, that is, the cyber policies.  Actually, the two groups will look remarkably alike in the organization.  When you think about it, “Really?  How could it be otherwise?”

The next chapter will concern some aspects of substantive similarity.  Other blogs will list and very briefly sketch some of the currently available policies. Somewhere along the way, there will be some definitions and some explorations or explanations of such. Most significantly, there will be chapters discussing the contents of a few actual cyber insurance policies.

There are not many meaningful, focused, or informative publications about cyber insurance.  (That is the name-phrase that will be used here; it has mostly replaced the term “E-Commerce.”) Most available writings are really ads of some sort for somebody some are attorney firms publicizing themselves and conjecturing about the future, and there are some panel discussions which would probably interest almost no one really interested in the nature of the type of insurance.  Another category of the prevailing literature is the pieces written at law firms.  Much of this is a law firm advertising its services, though sometimes that is combined with guesswork or speculations about how cyber-insurance will develop.
There are a few specimen policies issued by some of the best insurance companies, but they do not provide meaningful discussion.  A book published on this topic, and it is the only one so far as I can see, is by George S. Sutcliffe entitled E-Commerce and Internet Risks, Laws, Loss Control, and Insurance (Standard Publishing Corporation, 2001).  It has a helpful essay, which includes far too many diverse topics. The appendices, however, have a glossary, a summary of some policies, and some specimen policies.  So far as I can tell, this is the sourcebook.
No doubt, one of the reasons for the absence of a detailed study of the dimensions of cyber-insurance is that there are almost no–or even no–reported cases involving coverage disputes. (I, for example, have yet to find one such case on Westlaw; and law reviews have no informative discussions of the matter. This is not to say that there are no cyber cases–for example, cyber tort cases–that are without hints.  Several large law firm members have told me that their firms each have a dozen or so cases, but they also say that none are in or close to litigation.
There is also one (“Westlaw-‘reported'”) case involving identity theft in which a bank offered, among other things free identity theft insurance up to $25,000.00 to its customers as part of a remedy following an identity theft incident.  Alas, the plaintiff class rejected the offer.  Hammond v. Bank of N.Y. Mellon Corp., 2010 WL 2643307 (S.D.N.Y., June 25, 2010).  (Of course, one can see why–if a plaintiff thought s/he might be at the door of big damages–would reject a $25k settlement.)
So far as I can tell,  in all court-decided cases (thus not including settlements, if any) involving identity theft, the plaintiffs have lost.  For a survey and discussion of these cases, see Stephen J. Rancourt, Hacking, Theft, and Corporate Negligence: Making the Case for Mandatory Encryption of Personal Information, 18 Tex.Wesleyan Review 184, 187-199 (Winter, 2011).  There is a very recent case in which the plaintiff had not yet experienced a loss, but for that reason only, could still proceed if their injuries were not entirely speculative and not off in the far distant further.  This matter is called a matter of “Standing” under federal court jurisprudence. In re SONY GAMING NETWORKS AND CUSTOMER ATA SECURITY BREACH LITIGATION, _____ F.Supp. ____ (S.D.Cal. 2012)(2012 WL 4849054).  Most of the case was dismissed on other grounds, but an actual already existing injury is not an iron-clad requirement for a right to proceed, at least under some circumstances.
Now, before I turn to the analysis of policies and make conjectures, aka guesses, as to what their difficult sections might mean, I start with a few fundamentals for the insurance novice. These come from general insurance sources and therefore are not special when it comes to cyber insurance.  At one basic level, insurance is insurance, and so are some other contracts e.g., bonds and ancient bottom try arrangements. So let’s begin.
Virtually all primary insurance contracts have roughly the same form.  Excess and umbrella policies do not necessarily, but they often incorporate significant, if not all, provisions found in the primary policy.  Contracts of reinsurance, although they are contracts of insurance, do not follow the same formula. Here, in broad strokes, is a sketch of common sections.  Often different principal sections are identified by the names I use here and by roman numerals.
I. Declaration Page (or Sheet).  This part includes the name(s) of the actual insurer and the name(s) of the policyholders. Often it sets forth the premium, the name of the intermediary, policy limits, etc.  Sometimes they have charts or columns, and the policy includes that which is checked off.  The deductible is specified or set up, as is co-insurance if any. Other named insureds may be named elsewhere.
II. Insuring Agreement.  This part sets forth what is insured, i.e., a particular vehicle, a particular building, physical objects, one or more banquets, particular weddings, works of art, and so forth.

These agreements are usually for liability (3rd party coverage) or for things, e.g., belonging to the insured (1st party coverage.)  The agreements usually do not recite a fundamental principle of insurance and that is fortuity.  This is an axiom.  Deliberately caused injuries or damages are not covered; arson is not covered; physically smashing something up deliberately, e.g., a computer, fraud, and so forth.  Intentional acts are covered, so long as the loss was not.  There is insurance for those driving too fast, but not if they deliberately run over or smash into something.
Sometimes insurance policies offer both liability and first-party insurance, often covering the physical property.  Sometimes the first party insurance may cover abstract properties, and this is true in the area of cyber insurance, in addition to business loss and trade credit insurances.  Bottomry was like this 3000+ years ago.
III. Definitions.  There is usually an indication that there are definitions to be found in the policy: quotation marks, bold lettering, italics, etc.  Sometimes there are only a few definitions; sometimes, as in many cyber policies, the number is much larger than most current policies.  Often, at least to the layperson, the definitions are obscure.  (This is not necessarily a matter of great consequence, since definitions in engineering malpractice policies are also quite difficult for the layperson–so much so that expert witnesses often have to be used for the benefit of the jury.)
IV,  Exclusions,  This sets forth what the insurance contract does not cover.  Of course, there are exclusions quietly built into the Insurance Agreement, but this is generally not recognized.  The list of exclusions can be relatively short, or it can be quite long, as it is in most cyber insurance policies, specially packaged policies.
Policyholders have to prove that they meet the requirements of the relevant Insurance Agreements. Carriers have the burden of proof regarding exclusions; the burden shifts back to the insureds when there are exceptions to the exclusions. 
The content of many exclusions in cyber-insurance policies is likely to be substantially different since there will be few or no tangible objects or situations to exclude. (None like this: “We do not exclude the damages caused by your pets eating your bushes.”)
V. Conditions.  They have usually conditioned precedents and there are a few conditions subsequent. Among the best known of conditions are the insured’s duty to cooperate in the adjustment process and their duty of remediating losses, that is, using reasonable efforts to keep those losses from getting worse (e.g., things like storm-damaged buildings) from getting any worse.
Some requirements, which are listed in the “Conditions” section, are no conditions at all but covenants, i.e., promises. Timely notice of covered events is often not really a condition but a covenant, i.e., promise.  The requirement of cooperation may be like that. Remediation is perhaps not a condition or a promise irrespective of what the policy says, and so forth. 
It is not completely determined what contractual requirements are actually conditions and which are not.  Nevertheless, some other common obligations usually classified as conditions are these: subrogation rights, some features of contract termination, some features of cancellation, assignment, the status of other insurance, and more.  Arguments about what is a condition precedent (or subsequent) versus what is a “mere” promise, are not uncommon, and the truth is not determined by the name of the section.  Just because something is found in a section entitled “Condition” does not mean that it is a condition.
VII. Endorsements.  There can be all sorts of endorsements:  adding insuring agreements, cutting them, deleting or adding exclusions, adding or subtracting named insureds from the list, adding insured objects, things, or whatever, and much more. For standard policies, there are closets full of standardized endorsements. In large innovative industries, there will be negotiated policies, but not for long.  Purely negotiated policies make profitable underwriting nearly impossible.
VIII. Miscellaneous.  A whole variety of things can fit here.
This simple list gives one a beginning idea, at least, as to how insurance policies are divided up. The ordered list of entries is not intended to name the order of parts of the policy. Often, for example, the definitions section comes between the Insuring Agreement Section and the Exclusions Section.
It also needs to be remembered that some policies are “package” policies, meaning that they provide several different types of insurance all at once, in the same contract.  First and Third Party insurance often appear like this, e.g., in auto insurance, in homeowners insurance, and indifferent large policies. Usually, the differences are easy to recognize. 
There is no reason to think that cyber-insurance policies (that is, contracts) will be much different in form.  Rough versions of similar forms run back hundreds of years. 

Originally posted on 03/21/2013 @ 10:02 pm

Series Navigation<< Cyber-Insurance & “Established Insurance” Compared–PART #2
Michael Sean Quinn, PhD, JD, CPCU, Etc

Michael Sean Quinn, PhD, JD, CPCU, Etc. (530)

One of Texas's leading insurance scholars, Michael Sean Quinn is a past chair of the Insurance Section of the State Bar of Texas and has a broad legal practice.

Hits: 0