Photo of Andrew Barrios

The U.S. Securities and Exchange Commission (“SEC”) implemented rules governing registrants’ disclosure requirements pertaining to cybersecurity risk management, governance, and incident reporting on July 26, 2023. These rules are likely to give rise to novel issues pertaining to public companies’ insurance portfolios, in particular, directors’ and officers’ liability (“D&O”) and cyber insurance policies. This post provides a short overview of the rules and some of the insurance issues likely to arise going forward.

The SEC’s cyber security disclosure rules and increased exposure

The new rules require registrants to disclose information in three categories: (1) cybersecurity risk management; (2) cybersecurity governance; and (3) cybersecurity incident reporting.

With regard to cybersecurity risk management and governance, public companies are now required to annually report their cybersecurity risk processes and governance of risks on Form 10-K. Under the cybersecurity risk management disclosure rules, registrants have to describe how they assess, identify, and manage material cybersecurity risks and whether they have materially affected or are reasonably likely to materially affect their businesses. Similarly, under the cybersecurity governance disclosure rules, registrants have to describe board oversight of cybersecurity risks and the role management plays in assessing and managing material cybersecurity risks.

Continue Reading Insurance coverage implications of SEC’s cybersecurity disclosure rules

As cyber risks continue to grow and evolve, the cyber insurance market is increasingly likely to take steps to limit its risk profile, often in the form of new or broadened policy exclusions. Cyber insurers are continuously evaluating, amending, and restructuring their insurance products (including their capacity, and, importantly, their pricing) to reflect what they perceive to be growing risks and threats to the bottom line.

A perceived new risk: Merck v. Ace

In some cases, insurers perceive an evolving risk through a development in court decisions interpreting policy terms. The decision of a New Jersey Superior Court earlier this year in Merck & Co., Inc. et al. v. Ace American Ins. Co. et al., Case No. UNN-L-2682-18, appears to exemplify this type of situation. There, the court determined that a “hostile or warlike action” exclusion did not preclude coverage for losses caused by a “NotPetya” ransomware attack, despite insurance company arguments that the malware used in the NotPetya attack was an instrument of the Russian government “as part of its ongoing hostilities with Ukraine.”  The court reasoned that “hostile or warlike action” required “actual hostilities” and that “no court has applied a war (or hostile acts) exclusion to anything remotely close to the facts herein.”

Although Merck involved a first-party property insurance policy, its holding elicited a significant reaction from the cyber insurance market because it involved a coverage dispute related to a cyberattack. With the warning provided by Merck that courts may not be inclined to interpret traditional war exclusions as precluding coverage for state-backed cyberattacks, some insurers appear to be reevaluating their existing war exclusions and amending their policy forms to respond to Merck.

Continue Reading A tightening cyber insurance market: War exclusions in the wake of Merck v. Ace

Although the policyholder bar has previously had success obtaining coverage for Biometric Information Privacy Act (BIPA) litigation under an employment practices liability (EPL) policy, insurers recently notched a win by convincing a court to deny EPL coverage for an employee-based BIPA class action.  In Church Mutual Insurance Company v. Prairie Village Supportive Living, LLC, the insured’s former employee brought a class action alleging the insured unlawfully collected, used, and disseminated employee biometric identifiers (fingerprints) in violation of BIPA, and the insured sought coverage from its insurer under its general liability (GL) and EPL policies.  No. 21 C 3752, 2022 U.S. Dist. LEXIS 143495 (N.D. Ill. Aug. 11, 2022).  Based on a unique combination of policy provisions not previously addressed in BIPA coverage litigation, the court declined to find coverage under either policy.  Rather than be discouraged from pursuing coverage for BIPA class actions involving employee biometrics, however, there are some important lessons policyholders can glean from this opinion.

The unique terms of the insured’s EPL policy precluded coverage under all policies

The combination of policy terms at issue in Church Mutual was quite unique and does not appear to be typical of those found in most insureds’ policies.  As an initial matter, although the insured had purchased both GL and EPL coverage, the EPL coverage form stated:  “Except for the insurance provided by this coverage form, the policy to which this coverage form is attached does not apply to any claim or ‘suit’ seeking damages arising out of any ‘wrongful employment practice.’”  Right off the bat, therefore, the insured was limited to seeking EPL coverage because it did not dispute that it was seeking coverage for a “wrongful employment practice” as defined in its EPL policy.  Any coverage that may have existed under the insured’s GL policy was irrelevant.

After limiting its analysis to whether EPL coverage existed, the court then focused on an exclusion in the EPL policy entitled “Violation of Laws Applicable to Employers.” Pursuant to that exclusion, the policy precluded coverage for, in relevant part:

“Any claim based on, attributable to, or arising out of any violation of any insured’s responsibilities or duties required by any other federal, state, or local statutes, rules, or regulations, and any rules or regulations promulgated therefor or amendments thereto. However this exclusion does not apply to: Title VII of the Civil Rights Act of 1964, the Americans With Disabilities Act, the Age Discrimination in Employment Act, the Equal Pay Act, the Pregnancy Discrimination Act of 1978, the Immigration Reform and Control Act of 1986, the Family and Medical Leave Act of 1993, and the Genetic Information Nondiscrimination Act of 2008 or to any rules or regulations promulgated under any of the foregoing and amendments thereto or any similar provisions of any federal, state, or local law.”

Continue Reading Court’s denial of employment liability coverage for Biometric Information Privacy Act litigation should not discourage policyholders

Since the Illinois Supreme Court’s ruling that class actions alleging violations of the Illinois Biometric Information Privacy Act (“BIPA”) trigger general liability coverage, the focus of BIPA coverage litigation has shifted to the applicability of three exclusions often found in general liability policies: (1) the Employment Related Practices exclusion, (2) the Violation of Statutes exclusion, and (3) the Access or Disclosure exclusion.  Although the first quarter of 2022 brought a mixed bag of opinions, with four out of seven resulting in a finding of coverage, the scorecard with respect to each specific exclusion tells a different story that generally favors the policyholders.  As outlined in this blog post, insureds facing BIPA lawsuits therefore have plenty of reason to continue pressing their insurers for coverage.

Employment-related practices exclusions

The Employment-Related Practices exclusion bars coverage for bodily injury or personal and advertising injury to a person arising out of any of the following:

  • Refusal to employ that person
  • Termination of that person’s employment
  • Employment-related practices, policies, acts or omissions, such as coercion, demotion, evaluation, reassignment, discipline, defamation, harassment, humiliation, or discrimination directed at that person

In coverage disputes arising out of employment-based BIPA class actions, the issue is whether the conduct at issue is an employment-related practice that falls within the third prong of the exclusion.

As outlined in a previous blog post, there is case law outside of the BIPA context standing for the proposition that the phrase “employment-related” has a narrow meaning and only refers to matters that concern the employment relationship itself. According to this line of case law, where the conduct at issue in a lawsuit does not arise out of personnel management or employee discipline (i.e., the employment relationship), but instead merely happens to involve an employee, the third prong of the exclusion does not bar coverage.

Continue Reading Recent opinions provide support for insureds seeking coverage for BIPA claims

Businesses with liability insurance coverage governed by Illinois law should be mindful to take advantage of Illinois’ “targeted tender” rule, which provides insureds a unique strategy for maximizing insurance recoveries for claims triggering multiple different policies. This rule recognizes an insured’s right to “target tender” one or more concurrent insurance policies from a group of policies that potentially apply to a claim against the insured, regardless of insurer efforts to offset their insuring obligations through “other insurance” or contribution.  Kajima Constr. Svcs., Inc. v. St. Paul Fire & Marine Ins. Co., 227 Ill.2d 102 (2007); John Burns Constr. Co. v. Indiana Ins. Co., 189 Ill.2d 570 (2000). Once an insured targets its tender to a particular insurer, “[t]hat insurer may not in turn seek equitable contribution from the other insurers who were not designated by the insured,” who may knowingly forgo an insurer’s involvement. John Burns, 189 Ill.2d at 575.

Illinois insureds can “target tender” away from policies with high retentions or deductibles

The “targeted tender” rule thus is particularly powerful for insureds trying to avoid or minimize the amount of risk they must absorb from “fronting” coverage or policies with substantial self-insured retentions or deductibles. For example, assume a construction company is sued in a wrongful death lawsuit after one of its truck drivers hauling heavy equipment to a job site runs over a pedestrian. The underlying complaint alleges liability triggering the construction company’s commercial auto coverage, which provides dollar-one defense coverage outside of policy limits, as well as the company’s professional liability coverage, which is subject to a $2 million retention before any coverage attaches. After the construction company notifies both insurers of the lawsuit, they agree to split the insured’s defense costs 50/50, but the professional liability insurer refuses to reimburse any of its 50% share of the defense costs until the $2 million retention has been satisfied. Working with knowledgeable coverage counsel, the insured construction company can obtain a fully funded defense of this lawsuit by “targeting” its tender solely to the commercial auto insurer.

Continue Reading Illinois’ ‘targeted tender’ rule – a powerful strategy for insureds to select and deselect triggered policies to maximize coverage

In West Bend Mutual Insurance Co. v. Krishna Schaumburg Tan, Inc., 2021 IL 125978, the Supreme Court of Illinois held that coverage existed for a class action alleging violations of the Illinois Biometric Information Privacy Act (BIPA) under the terms of a general liability policy. Although a win for the policyholder bar, the precedential value of Krishna was arguably limited by the fact that the underlying class action targeted the insured’s use of customer biometrics. Where the use of employee biometrics is at issue instead, policyholders are likely to face unique coverage issues left open by Krishna, such as the applicability of certain exclusions that bar coverage for injuries arising out of the employment relationship. This blog post provides a brief overview of the employment-related practices (ERP) exclusion and explains why it should not apply to preclude coverage for employment-based BIPA class actions.

Employment-related practices exclusions

The ERP exclusion is a common provision in commercial general liability policies. As it is usually drafted, the exclusion bars coverage for bodily injury or personal and advertising injury to a person arising out of any of the following:

  • Refusal to employ that person
  • Termination of that person’s employment
  • Employment-related practices, policies, acts or omissions, such as coercion, demotion, evaluation, reassignment, discipline, defamation, harassment, humiliation, or discrimination directed at that person

In coverage disputes arising out of employment-based BIPA class actions, the issue will be whether the conduct at issue is an employment-related practice that falls within the third prong of the exclusion.

Case law analyzing employment-related practices exclusions

Several courts that have analyzed the scope of the ERP exclusion have concluded that it should be interpreted narrowly. For instance, in Peterborough Oil Co. v. Great American Insurance Co., after the insured fired an employee for theft and pressed charges, the employee sued the insured for malicious prosecution and intentional infliction of emotional distress. 397 F. Supp. 2d 230, 234 (D. Mass. 2005). The insured tendered the lawsuit under its commercial general liability policy, and the insurer denied coverage in reliance on the policy’s ERP exclusion. Id. at 235. The insured filed a coverage action and argued that the exclusion did not apply. Id.

Continue Reading Employment-related practices exclusions and Biometric Information Privacy Act litigation

Under standard property policies, insurers are broadly claiming that the pollution exclusion applies to bar coverage for losses caused by the COVID-19 pandemic. But the insurer in Essentia Health v. ACE American Insurance Company, which involved a Premises Pollution Liability Portfolio Insurance Policy, made the precise opposite argument. Essentia alleged that COVID-19 was a covered pollution condition, while ACE claimed that COVID-19 did not involve pollution. Essentia Health v. ACE American Insurance Company, No. 21-cv-207 (ECT/LIB) (D. Minn., May 25, 2021). Because Essentia turns the usual COVID-19 arguments upside down, it may provide helpful precedent for policyholders seeking coverage. In particular, ACE argued that a separate limitation on virus coverage demonstrated that insurers recognized the risks from a virus pre-COVID-19, and accordingly chose to limit the coverage for losses from diseases that are transmitted from person to person.

The court agreed with ACE that pollution condition could not include a virus (the opposite claim to that made by insurers relating to COVID generally), particularly when read with an endorsement providing limited coverage for viruses

The court granted ACE’s motion, because Essentia sought coverage only on the ground that COVID-19 was a “pollution condition,” reasoning that “pollution condition … read in conjunction with other provisions of the policy in this case, cannot reasonably be understood to include a virus.”

Continue Reading Consistency not a concern for insurers fighting COVID-19 business loss claims, but policyholders can take advantage of divergent coverage positions