Through the Lens of a Single Policy

Introduction: The “Old Insurance World” and the “New”

My discussion of this policy will have to be divided into at least two parts. The first one will contain a Preface, a discussion of two crucial definitions, and a discussion of the Insuring Agreement. Part Two will be a discussion of a number of the Exclusions, of which there are many. Part Three will discuss a few of the Conditions and some miscellaneous clauses. Part Three will be quite brief.

Preface 

A while back, I wrote that commercial insurance for the so-called “real world,” as opposed to the “cyber world,” does not and will not apply much to the new cyber part of the “New World.”

The Comprehensive General Liability Policy (“CGL”) is a paradigm case. One part of these policies, Coverage A, covered “bodily injury” and “property damages.” Another part, Coverage B, covered “personal injury,” a phrase contrary to ordinary English usage. It covered some acts that did not cause injuries covered in Coverage A. For the purpose of this essay, the most important provisions recently involved have been copyright infringement and invasion of privacy. Many years ago, patent disputes may have also been included in Coverage B, although at least some insurers asserted that they never intended it that way. It is gone now. Invasion of privacy has also been covered in the past, but it has either been deleted, or it will be shortly, either altogether or specifically for the cyber world.

Cases deciding the applicability of CGL provisions to the cyberworld are sparse. In one of them, the judge decided that networks may be tangible physical property, even though they cannot be touched. After all, said the concurring judge, it is made of “atoms or molecules. . .and a meaningful sequence of magnetic impulses cannot float in space.” Computer Corners, Inc. v. Fireman’s Fund Insurance Co., 46 .3d 1264 (N.M. App. 2002) (“Impaired property,” given policy language, need not be tangible physical property). NMS Services, Inc. v. The Hartford, 347 Fed. Appx. 511 (4th Cir. 2003) (concurring opinion: Majority: computer damaged. Concurrence: coverage for the erasure of information from records on a physical object is itself a physical loss. Concurrence never cited, and it is based on a 1983 case.)

The internal language of the CGL standard policy has recently changed substantially. Here is the new language; it is to be found within the definition of “property damage”:

“For the purposes of this insurance, electronic data is not tangible property. As used in this definition, electronic data means information, facts or programs stored as or on, created or used on, or transmitted to or from computer software, including systems and applications software, hard or floppy disks, CD-ROMS, tapes, drivers, cells, data processing devices or any other media which are used with electronically controlled equipment.”

ISO Form CG 00 01 12 07.
Obviously, it no longer matters whether information, data, and so forth are tangible physical objects; they are excluded in any case.

I will be commenting on the policy as we go along. I will try to put such substantive comments in smaller type. That protocol does not apply yet.

There will, of course, be mixed policy limits in both first and third-party insurance, and both of these types will be so-called claims-made policies. In this case, the first party coverage is found in the “duty to defend” and the third party coverage is to be found in the “duty to indemnify.”

I have already discussed policies which are “double claims-made policies.”  What I mean by this is (1) that the claim against the insured must occur during the policy period and (2) that the insured’s claims to or against the insurer must also occur during the same period of time. On top of this, the policy period is expandable in one or two directions for an additional premium, and that is helpful to insureds, so long as the price is not too high. This is one of those.

Nevertheless, there is something left over from CGL policies, and probably others, e.g., professional malpractice policies for professionals such as engineers, architects, cyber designers, Directors and Officers policies, and others–even lawyers, though probably not dentists. The leftovers are to be found among available endorsements.

There are different kinds of endorsements. Some add substantive matters, like changing a substantive definition; some add or subtract one or more named insureds and/or items insured, e.g., cars, boats, buildings; some add or subtract policy limits or periods, and the list goes on. For our purposes, the type of endorsement in question is one that adds what might be called a new policy. It turns a “standalone policy” into a “package policy.” Our concern here is the last of these.

Our story in this essay begins with a CGL policy. To that is added an endorsement and that is the policy under consideration here. The endorsement is entitled as follows:

“Technological Professional Liability Insurance Policy  (Claims Made),”

In this case, which was issued in 2012, the word “technological” is the key to understanding what the policy is about, and that policy is the topic of this post essay.*(*I have said the following previously. As with (virtually) all cyberworld insurance there are no–or virtually no–published opinions of the court. There are no reported opinions about this policy–none! Consequently, everything I say is conjecture, to some degree. I will not be setting forth and/or discussing the whole policy. And I make mistakes, like everyone else.**)(**Notice that I have begun using small print for comments.)

This Contract of Insurance
Declaration Pages. One of the places to start reading, reviewing, studying, and analyzing insurance policies is with the “Declarations Page,” aka “Dec Sheet(s).” It contains a variety of bits of useful information, but often for an essay like this one, the author does not have it and cannot get it. In this type of case, the endorsement-created-policy is often–at least in part–controlled by the dec sheet for the whole policy, and it looks like that is what the dec sheet appears to say, but a lot of what’s on that sheet has been blacked out, and the Tech-Pol lists its own policy limits. Curiously, both dec sheets, if that’s the right way to talk about them, refer to another identified document. This is not uncommon.

Wrongful Act.  As is common in policies of this sort, and similar policies, one of the key definitions that is virtually the essence of the policy is the definition of the phrase “Wrongful Act.”  So I will begin with it:

Two Key Definitions 

“When used in this policy. . . . : the term ‘wrongful act’ means

(a) a negligent act, error or omission arising from [the] performance of ‘Technological Professional Services’ rendered to others;

(b) a network injury.”

Comments: Section (a): The phrase, “wrongful act,” is commonly used in professional malpractice insurance policies and some others. This is a professional malpractice policy, in part, but in some ways a more general policy designed for professionals. The use of the phrase, “errors and omissions,” is also characteristic of some malpractice policies, e.g., accountants and lawyers. Here, the term “negligent” ranges over acts, errors, and omissions–all three. An intentional act that is intended to cause injury does not count as a “wrongful act.” Traditionally, it was not used in the malpractice policies of physicians. It may strike one as unusual that the term “wrongful” would be applied exclusively to negligent performances. Lots of other types of activities are called “wrongful” in ordinary English. But so it is.

One feature of this definition distinguishes this policy from purely professional malpractice policies. They usually restrict coverages to injury and damage that the insured causes its own clients. That is not what this definition says. Instead, it refers to “others.” Usually, injuries directly caused by the insured to others, that are not the clients, are not covered. This difference is a big deal! (Of course, if the damage or injury to the insured in turn causes damage or injury to another, the insurer may be liable for the damage or injury caused to the person down the line of causation. In addition, if an uninsured person causes injury or damage to the insured and that causes the insured to injure or damage another person as the result of the insured’s own negligence, the insurer is liable. Remember: The insuring agreement cannot be understood without this key definition thoroughly in mind.)

Comments: Section (b): There is another crucial feature of this definition, and that is section (b). There are two different possible meanings for (b). One goes more or less like this: “The term ‘wrongful act’ means a negligent act, error or omission arising from the performance of Technological Professional Services rendered to a Network injury.” I cannot see how this could make any sense. An alternative is this: “The term ‘wrongful act’ means a negligent act, error or omission arising from the performance of Technological Professional Services to others where an injury to a relevant network is involved.” The trouble with the second alternative is that, while it now makes grammatical sense, the policy does not really say that, and the phrase “Network Injury” is not defined in the policy or in any of the usual glossaries for terms widely and routinely used in the cyber world. In addition, which networks and which injuries is the policy talking about? One possibility is that it means all injuries to any network in which the insured has an insurable interest, and that is a reasonable policy. If that is what the policy intended to say, however, it could have said that; it did not.

In order to understand the key terms within the key definition, the definition of “wrongful act,” it is necessary to understand another definition (or some parts of it “here” and other parts of it “there”), namely that of “Technological Professional Services”:

Technological Professional Services.  [This phrase means]

  (a) analysis, design, programming, or integration of information, network, or computer systems;
  (b) processing, enter, analysis, or interpretation of data;
  (c) development, design, integration, or licensing of computer software;
  (d) resale, recommendation, marketing, installing, maintenance, and training in the use of computers or network hardware and software systems;
  (e) website, application or data hosting, support, maintenance or management;
  (f) outsourcing to outside vendors any of the services detailed in item (b), (c), (d), (e), and (f) to be performed by individuals or businesses who are not employees or controlled or owned by the Named Insured.
  (g) the conduct of the Named Insured’s designated operation subject to the following classification code number(s) as scheduled above and described on form AD-150 and as applies to (a), (b), (c), (d), (e), and (f) of the “technology professional services” definition above.

Comments: Obviously, this list–treated as a definition–is intended to be a thorough-going catalog of the range of actions cyber-designers, cyber-engineers, and/or their “siblings” do for their customers. It, then, sets forth the range over which the idea of “wrongful act” ranges. As part of the list, there is a reference to “form AD-150.” References to documents like this are to be found in a good number of insurance policies for complex activities. They are almost never, in my experience, part of the policies; they are not provided to the insurer in advance, and often the agent broker has no more idea about them than the insured does. They are usually documents to be found in the “Underwriting Department,” and it is a good idea for Risk Managers of companies shopping for insurance to obtain these documents, read them, try to understand them, and if there are difficulties politely demand that they be explained.

Comments: This definition includes analogies of the kind of acts and omissions usually insured in professional malpractice policies. There are additional features, however. To some extent, at least, this is a result of the kind of professional services offered. For example, the following elements of the list are like that: (a), (b), (c), parts of (d), parts of (e), and (f)?, and maybe there is more. The following elements on the list do not, at least as they appear to be, look like that: parts of (d) (e.g., “resale,” “marketing,” “installing,” etc.), part of (e), and (f)? Of course, it may be that each of the apparently non-covered activities–non-covered simply because of the appearance of language or unclarity–is actually a professional activity in the cyber world. It must be kept in mind, however, that an insurer may contest any of these issues. At the same time, all actual ambiguities and all actual vagaries are resolved in favor of the insured.

We now turn to the agreements as to what is covered.  (Remember: The exclusions also, in the end, determine what is covered.)

Agreement as to What’s Covered

II. Coverage – TECHNOLOGY PROFESSIONAL LIABILITY

There are two lengthy parts of the Insuring Agreement. One of them pertains to what is often called the insurer’s obligation to indemnify; the other pertains to the insurer’s duty to defend the insured if accused of a wrongful act, as defined in the policy. [The phrase “duty to indemnify” can be confusing. The term “indemnity” means that I will pay for you eventually, but often it involves your paying and then I will pay you what you have already paid. That is not how the duty works here.]

A. INSURING AGREEMENT

The Company agrees to pay on behalf of the Insured those sums which the Insured shall become legally obligated to pay as damages arising from a Wrongful Act committed by or on behalf of the Insured subsequent to the retroactive date specified above and subject to the applicable limits specified above.

Comments: Very little needs to be said about II.A now. The definitions have already been laid out, and the insuring agreement derives immediately from those definitions. Controversies will arise out of the definitions, not out of the insuring agreement.

Comments: From my standpoint so far, the confusing point is the idea that there is coverage not only for what the insured and its legal agents do, but also actions which are performed for the insured by someone who is not its legal agent. The injuries caused by the agents of a principal are attributable back to the principal. This is what “vicarious liability” is all about. There is another species of person who can act on behalf of another entity, namely independent ____________ [“somethings”]. What fills in the blank depends on the industrial context. Thus, in the area of insurance adjustment there are adjusters who are the legal agents of the insurer; adjusters who are the employees of the carrier; and independent adjusters who are not, but who are vendors and  of adjustment services. The same is true in the sale of insurance. There are some insurance agents who are the legal agents of the carrier and some who are independent insurance agents. The word “behalf of” does not make that distinction. As a consequence, this policy insures the insured for all actions of an independent ____________, so long as there is any way the insured might be held responsible for those mistakes. This could happen. Insured orders an independent X to do a. X does b or ~a instead. X’s actions are outside the scope of the insured’s instructions. Nevertheless, it gave X orders.

B. CLAIMS MADE CLAUSE 

This does not need to be discussed further.  This policy is a “double claims made policy.”

III. Coverage – Defense, Settlement, Supplementary Payments

As respects such insurance as is afforded by the other terms of this policy, the Company [the insurer] shall:

A. defend in his name and behalf any suit against the Insured alleging damages from, or connected with Wrongful Acts, even if such suit is groundless, false or fraudulent, but the Company shall have the right to make such Investigation and negotiation of any claim or suit as may be deemed expedient by the Company;

(Comments: There is a whole range of problems in III.A, but with one exception they are familiar from “real world” insurance.)

B. reimburse the Insured for all reasonable expenses, other than loss of earnings, incurred at the Company’s request, except amounts paid in settlement of any legal liability insured under II. COVERAGE – TECHNOLOGY PROFESSIONAL LIABILITY, which liability shall be governed by the limit of liability stated in the Declarations.

(Comments: The wording implies that the insurer will pay legal expenses as the case develops and will be in charge of defending.  This means that it will price defense counsel.  The policy also implies that if the insured wants it, it must buy a separate policy for business income loss, aka business interruption loss.)

The Company shall not be obligated to pay any claim, judgement or expenses nor defend any suit, or claim on or after the applicable limits of liability have been exhausted by payment of judgments or settlements, expenses or any combination thereof.

(Comment: The cost of legal fees reduces policy limits.)

This concludes Part I of the essay on the Admiral policy.  Part II will mainly concern exclusions.