Encryption Flaw "Heartbleed" Creates Data Risk: How Insurance Can Stanch the Bleeding
By Kristi Singleton and Richard Gallena
In early April, news broke of an encryption flaw named “Heartbleed” that exposed companies to data breaches for over two and one half years. Heartbleed is a vulnerability in OpenSSL, an open-source set of libraries for encrypting online services that nearly two-thirds of all websites use. The vulnerability allows hackers to steal personal information, such as bank account information, social security numbers, and passwords, from companies, with little risk of detection. Given the length of exposure and the ease of exploitation, Heartbleed has been described by cybersecurity professionals as one of the biggest flaws in Internet history. And the technology community has not been able to stop the bleeding. In June, researchers found additional vulnerabilities in OpenSSL that implicate many of the same data breach concerns triggered by Heartbleed.
While the ability to escape detection makes the extent to which hackers have exploited these vulnerabilities unclear, for many companies, costs and future liabilities related to Heartbleed may be very substantial. Insurance policies may be available to help stem the hemorrhaging of financial losses and liabilities. This article discusses the rise in cybersecurity attacks, and examines first- and third-party coverage potentially available under different types of insurance policies.
Please click here to continue reading the article.
Orrick Secures Favorable Verdict in Missouri Asbestos Coverage Trial
In a case involving complex questions of insurance coverage for asbestos claims, a team led by insurance recovery litigation partner David Elkind won a jury verdict last month in Missouri state court, obtaining substantial damages for Orrick’s client, a manufacturer of industrial equipment. (Our client has asked that its name not be used in this report.) The client was named in thousands of lawsuits alleging injury from exposure to asbestos the client manufactured. Before trial, three of the insurer defendants paid $4 million of the policyholder’s damages. Our client sought an additional $14 million from these defendants at trial, including attorney's fees of $5 million, which it sought as punitive damages. The jury awarded $8 million from the lead defendant, Evanston Insurance Company, including nearly half of our client’s attorney’s fees. During cross-examination and in closing argument, Orrick demonstrated that Evanston had failed to investigate the claims and provide the coverage it owed. Moreover, in testimony at trial, the president of the claims handling company for the other two insurers announced that they would make full payment to the client of its remaining damages.
Although the trial involved three defendants, the full action included eight insurance company defendants. Just before trial, Orrick obtained several favorable rulings on summary judgment, which resolved important questions of law that the jury did not have to decide. When the court issues its final judgment, it will include a declaratory judgment that will entitle Orrick’s client to some $300 million in coverage, which is expected to provide full protection against future asbestos claims.
Six Essential Insurance Questions for Emerging Companies
By Darren S. Teshima
Emerging companies combine energy and innovation with a focus on long-term growth and success. Given the stage of their development, they often face unique risks that do not confront large, public companies. At the same time, they often do not have a risk manager to help them assess their insurance issues. The risks they face nevertheless must be addressed to ensure the companies’ continued success. Below we discuss key insurance questions emerging companies frequently face.
1. When Do We Need Directors & Officers Coverage?
Directors and officers (D&O) coverage is not just for public companies; emerging companies can also benefit from D&O insurance. In addition to the coverage it provides, D&O insurance can help emerging companies attract new directors and may be required to obtain venture capital funding. As more private companies contemplate IPOs under the JOBS Act, obtaining D&O coverage while still private can help develop a relationship with a public-company insurer.
2. Do We Need Cyber Coverage?
If a company maintains any consumer or employee data, it should consider purchasing cyber insurance, which protects against losses and claims arising out of data breaches. For many companies, the question is when—not if—a data breach will occur. Traditional general liability policies are currently being written to exclude coverage for data breaches, so companies should consider a separate cyber policy, which provides coverage for a variety of damages and losses. Cyber policies are complicated, not standardized, and rapidly evolving, so they require careful analysis.
3. Are Intellectual Property Infringement Claims Insured?
Although most policies do not provide coverage for patent infringement claims, coverage for non-patent infringement claims, like trademark and copyright infringement, is available. Technology errors and omissions policies often provide media activities liability coverage for claims resulting from information on a company’s website or other distribution of information on the Internet.
4. What Should We Tell an Insurer When Renewing a Policy?
Emerging companies are dynamic and their businesses can grow and change quickly. Because insurers underwrite particular risks, if a company expands or changes its business model, insurers may argue that their insurance does not provide coverage. When obtaining a new or renewal policy, emerging companies should work closely with their broker to inform their insurer of new developments. Keeping the insurer informed will help protect against a later denial of a claim.
5. When Should We Notify an Insurer of a Claim?
If a company receives a claim—perhaps a complaint from a disgruntled employee or a cease-and-desist letter from a competitor—the company should consider promptly telling its insurer. Especially if the policy period is about to expire, prompt notification is critical, as policies often require notification of a claim within the policy period. Even if the claim is not a formal lawsuit, the company should provide notice to the insurer if it wants to seek coverage in the future.
6. How Do We Respond to an Insurer Who Refuses to Cover a Claim?
Because emerging companies face novel issues that an insurer may not have handled before, the insurer’s initial response may be to refuse coverage. If an insurer denies a claim, or refuses to immediately provide coverage and asks difficult questions, an emerging company should seek out experienced coverage counsel to analyze the potential for coverage. Insurers are always looking for ways to deny coverage, so the company needs to respond to their inquiries with care.
Excess Insurance Policies Triggered Once Primary Policies are Exhausted by Any Claims, Even Claims Not Covered by Excess Policies, Fifth Circuit Holds
On June 23, 2014, the Fifth Circuit held that four excess insurers’ policies were triggered even though the claims exhausting the underlying primary policies were not covered under the excess policies. Indem. Ins. Co. of N. Am. v. W & T Offshore, Inc., No. 13-20512 (5th Cir. June 23, 2014). In 2008, Hurricane Ike damaged the insured’s offshore drilling platforms in the Gulf of Mexico. The insured exhausted its underlying insurance policies with property damage and operators’ extra expenses claims, which were not covered by the excess policies. The insured planned to seek coverage from the excess insurers for its removal of debris claims, which both the underlying policies and the umbrella policies covered. The excess insurers filed for declaratory relief, arguing that the excess policies’ retained limit—the amount of underlying insurance that must be exhausted to trigger the excess coverage—could only be exhausted by the payment of claims that would be covered under their policies and thus could not be exhausted by the property damage and operators’ extra expenses claims. Reversing the lower court, the Fifth Circuit rejected the excess insurers’ argument and held that the plain text of the excess policies states that the retained limit must be exhausted but does not specify how it must be exhausted. The court found that the policy language as a whole was consistent with the interpretation that the retained limit could be exhausted by claims not covered by the excess policies.
California Supreme Court Narrowly Construes Advertising Injury Coverage
In Hartford Casualty Ins. Co. v. Swift Distribution, Inc., Case No. S207172 (June 12, 2014) , the California Supreme Court clarified an insurer’s duty to defend against advertising injury claims arising out of the “publication of material that . . . disparages a person’s or organization’s goods, products or services.” In Swift, the plaintiff alleged that defendant manufactured a specialized cart that infringed on plaintiff’s patents and trademarks, and engaged in unfair competition and misleading advertising. The complaint, however, did not allege any specific statements about the competitor’s goods. Affirming lower court rulings, the California Supreme Court found that an insurer’s defense obligation for disparagement is limited to a lawsuit alleging a false or misleading statement that “(1) specifically refers to plaintiff’s product or business and (2) clearly derogates that product or business.” Each requirement can be satisfied expressly, or if there is no mention of the competing product, by “clear implication.” But the insurer has no duty to defend a product disparagement claim where the allegedly false statements are too general to be construed as derogatory to a specific product. Thus, Swift disapproved Travelers Property Casualty Co. of Am. v. Charlotte Russe Holding, Inc., 207 Cal.App.4th 969 (2012), which had found that a clothing distributor’s lawsuit against a retailer that alleged that the retailer had heavily discounted plaintiff’s clothing stated a claim for product disparagement that gave rise to the insurer’s duty to defend.
Washington Appellate Court Adopts Broad Construction of “Suit” in CGL Policy but Finds No Duty to Defend Non-Coercive Agency Action
On June 2, 2014, a Washington Court of Appeals held that insurers’ duty to defend was not triggered where the policyholder did not receive any threat of an environmental clean-up action but instead undertook a voluntary remediation to comply with Washington’s Model Toxics Control Act (the “MTCA”). Gull Indus., Inc. v. State Farm Fire & Cas. Co., 69569-0-1, 2014 WL 2457236 (Wash. Ct. App. June 2, 2014). After discovering leaks from its underground storage tanks, the insured gas station owner undertook voluntary remediation efforts, including investigation and clean-up of soil and groundwater. The insured then notified the Washington Department of Ecology of the contamination, and DOE responded by sending a letter of acknowledgment, without any further clean-up instructions or demands. The insured tendered claims for defense and indemnification to its CGL insurers, whose policies provided that the insurers had the “duty to defend any suit against the Insured,” but did not define the term “suit.” The insurers denied coverage, asserting that no suit had triggered their duty to defend. The appellate court acknowledged that under Washington law, the term “suit” is ambiguous and may be broadly construed to include enforcement actions that are the “functional equivalent” of a lawsuit. But where DOE had not issued any letter on its own, and merely responded to the policyholder’s notification, the court held that there was no such functional equivalent, which must be “adversarial or coercive in nature.”
D.C. Trial Court Holds That Securities Claims are Barred by Broadly Worded Professional Services Exclusion
Relying on a broadly worded professional services exclusion, the District of Columbia Superior Court recently held that a management liability policy did not cover defense costs arising out of securities lawsuits alleging various misrepresentations and investment mismanagement. Carlyle Investment Mgmt L.L.C. v. ACE Am. Ins. Co., No. 2013 CA 003190 B (D.C. Super. Ct. May 15, 2014). The underlying lawsuits alleged that the policyholders enticed investors into unsafe investments by falsely promising high returns with minimal risk, and then mismanaged investments in the face of deteriorating market conditions. The court held that each claim in the underlying complaints fit within the policy’s broad definition of excluded “professional services,” which included the rendering of investment management services. The policyholders argued that the exclusion was intended to only exclude coverage from services in the nature of those provided by lawyers and accountants, not “management liability” claims alleging acts, errors, or omissions in corporate governance. The court rejected this argument, applying the so-called “eight corners rule” by focusing solely on the policy language and allegations pleaded in the complaint. The court concluded that each of the underlying claims arose from the provision of “professional services,” as defined in the policy.
New York State Appeals Court Rejects Insurer’s Notice Argument on Potentially “Interrelated” Claims
On May 29, 2014, a New York state appeals court denied an insurer’s motion to dismiss its policyholder’s breach of contract claim under a D&O policy. Sirius XM Radio Inc. v. XL Specialty Ins. Co. and U.S. Specialty Ins. Co., No. 650831/13 (N.Y. App. Div. May 29, 2014). The insurer argued that the policyholder failed to provide timely notice concerning underlying lawsuits that alleged wrongdoing by directors and officers in connection with a merger. The appellate court rejected the insurer’s argument, holding that the policy was ambiguous as to whether the policyholder had to issue separate notifications to the insurer with respect to claims that were “interrelated” with prior, reported claims. The court also found that triable issues were raised by language in the policyholder’s primary policy, which allowed the primary insurer to deny coverage if the policyholder had previously notified other insurance companies that provided coverage in prior policy years.
Sixth Circuit Rejects Property Insurer’s Attempt to Reduce Actual Cash Value Payout Based on Market Value Decline
The Sixth Circuit recently held that a property insurer could not reduce the amount of its insurance payout by the decreased market value of the policyholder’s condominium, which had been destroyed by a fire. Whitehouse Condo. Grp., LLC v. Cincinnati Ins. Co., No. 13-2376 (6th Cir. June 17, 2014). The insurance policy defined “actual cash value” as the “replacement cost less a deduction that reflects depreciation, age, condition and obsolescence.” The issue before the court was the meaning of the undefined term “obsolescence”. The insurer contended that the term extended beyond functional obsolescence to include “economic obsolescence,” which means a loss of value due to external market factors. In the court’s words, the dispute was over whether the insurer “gets the benefit of a decrease in market values in Flint, Michigan.” The court rejected this argument and affirmed the trial court, finding that (i) the term “obsolescence” did not have a special meaning under the policy, (ii) the common understanding of the term did not include market decline, and (iii) any ambiguity in the insurance policy must be strictly construed against the insurer.