Cyber incidents and attacks, whereby hackers target companies for ransom, to obtain sensitive information, or for other reasons, are a significant and growing threat. In 2021 alone, cyber incidents caused roughly $6 trillion in losses, and the consensus is that the threat of incidents will remain strong. Corporations are increasingly seeking insurance against this risk, but coverage for cyber incidents is still a relatively new and rapidly changing field. In this post, we focus on key considerations for general counsel, chief technology officers and cyber security officers when it comes to cyber insurance and protecting against cyber risk.

Does my company need cyber insurance?

Getting cyber insurance is a unique business decision for each company weighing a variety of factors, but virtually every company faces risks from cyber incidents. Although cyber breaches involving customer or consumer data tend to get the most attention, even companies that collect no sensitive customer or consumer information may fall prey. For one thing, companies may possess private, sensitive information about their employees, including medical or pension information. Moreover, companies may have proprietary information or trade secrets that hackers would want to get their hands on.

In fact, many dangerous and costly cyber incidents actually do not involve the theft of sensitive personal information, because the risk of disclosure of any data of value to a company may be used as extortion leverage. Ransomware can encrypt a company’s data and information systems, and attackers then demand a ransom from the company to restore access. Finally, companies may be targeted as a means of obtaining access to the systems of third parties doing business with the targeted company, which may expose the target to liability to those parties as well as its own incident response and data restoration costs. This explains why the risk is so widespread.Continue Reading Key questions corporate tech, legal, and security officers need to ask when considering cyber coverage

On the heels of last year’s special session on Florida’s property insurance crisis, which, among other things, eliminated one-way fee shifting in property insurance cases, the Florida Legislature has now passed even more aggressive pro-insurer legislation as part of a broader tort reform bill aimed at addressing “frivolous” litigation. House Bill 837 is not limited to property insurance issues, and instead includes various measures aimed at protecting insurance companies from liability for bad faith conduct and prevailing party attorney fees across all kinds of coverage disputes. HB 837 raises several important issues for policyholders and insurance litigation overall going forward. We discuss some of these issues below.

Fee-shifting allowed only in certain declaratory judgment actions

First, HB 837 appears to extend last year’s fee-shifting repeals to all lines and types of insurance coverage disputes, not just property insurance disputes, while creating a new limited fee-shifting statute for certain kinds of insurance disputes brought as declaratory judgment actions. This would allow for fee-shifting in declaratory judgment actions brought after an insurer has made a “total coverage denial.” The phrase “total coverage denial” is not defined, but according to the bill, would not include situations where a liability insurer provides a defense under a reservation of rights. The bill does not say whether an insurer who also claims a right to reimbursement for defense costs paid on the insured’s behalf effectively seeks a total denial of coverage.Continue Reading Key issues for policyholders under Florida’s new tort reform bill 

Corporations embroiled in coverage disputes with their D&O insurers may be in the unenviable position of having to bring a lawsuit to enforce their rights. One of the first considerations the corporation faces is where it should file its coverage action. Some may assume that they are limited to the jurisdiction where the corporation principally operates or is headquartered, where its D&O policy was “issued” (often the same jurisdiction as it principal place of business), or where the underlying insured matter is centered. But if the corporation is incorporated in Delaware (which many obviously are), then bringing the action in Delaware is an important additional option that the corporation would be well-advised to consider. Of course, this option begs some important questions.    

Why would a corporation principally operating outside of Delaware want to bring its coverage action in Delaware, particularly when that may mean giving up its “home field advantage” or incurring additional costs to litigate in a distant jurisdiction? Continue Reading D&O coverage dispute? Don’t forget about the Delaware option

The landscape of biometric privacy litigation already has changed dramatically in 2023. Last month, the Illinois Supreme Court ruled in Tims v. Black Horse Carriers, Inc., 2023 IL 127801, that claims for violations of the Illinois Biometric Information Privacy Act (BIPA) (which allows individuals to sue companies directly for the wrongful collection or disclosure of their biometric data) are subject to a five-year statute of limitations. Later that month, in Cothron v. White Castle System, Inc., 2023 IL 128004, the court ruled that a BIPA violation accrues each time an individual’s data is improperly collected or shared, not merely the first time. Taken together, these rulings significantly broaden the scope of claims facing companies that have violated BIPA and the damages flowing from such violations.

In recognition of the dystopian risks presented by the rampant, unlawful sharing of biometric data, several more states are jumping on Illinois’ bandwagon, attempting to pass BIPA-like laws. According to Bloomberg, legislation proposed in nine other states also would grant a private right of action to individuals whose biometric data was wrongly collected or shared.

Despite the growing threat of civil litigation related to the mishandling of biometric data, there is a silver lining for corporate policyholders: the opportunity to obtain insurance coverage for biometric privacy liability has never been greater.Continue Reading Key considerations for policyholders after landmark biometric privacy decisions reshape insurance landscape

As a general rule, if a policyholder reasonably attempts to settle a case for an amount at or within the limits of its insurance policy, the insurance company must put the policyholder’s interests above its own. Typically, if the insurance company does not accept a reasonable settlement within limits, then it may be responsible for a judgment amount in excess of the policy limits if the insurance company’s refusal to settle was unreasonable. The insurance company’s failure to settle may result in a bad faith claim. But what if the insurance company refuses to settle and the policyholder prevails at trial? According to a federal district court in New Jersey, if the insurance company’s decision not to settle was unreasonable, it may still be liable for bad faith.

Summary of recent New Jersey federal court decision

BrightView Enterprise Solutions, LLC v. Farm Family Casualty Insurance Company, No. 20cv7915 (EP) (AME), 2023 U.S. Dist. LEXIS 20764 (D.N.J. Feb. 7, 2023) is not your typical bad faith “failure to settle” case. It involved three different companies that were insured under a single commercial general liability insurance policy issued by Farm Family. The three companies were involved in a project to overhaul an irrigation system at a Bank of America branch in New Jersey. A Bank of America employee “slipped and fell” on a puddle of water and hit her head. The injured employee filed suit against all three companies, alleging that her “slip and fall” caused a permanent disability. Farm Family agreed to defend and provide coverage for all three defendants up to its $1 million policy limit.Continue Reading An insurance company’s refusal to settle can be bad faith, even if the policyholder ultimately prevails at trial

Following the February 3, 2023 derailment of 38 train cars carrying hazardous materials, resulting in a chemical spill and controlled burn in East Palestine, Ohio, several lawsuits have been filed seeking medical monitoring for people living in the affected areas.

Medical monitoring programs may allow for the early discovery and treatment of latent injuries even years after exposure to toxic substances, but such programs also present a substantial expense for any company. Medical monitoring claims may be covered by insurance, but coverage heavily depends on the underlying facts, policy language, and the law governing policy interpretation.Continue Reading Coverage issues for medical monitoring claims

At the end of January, the Rhode Island Supreme Court concluded that a pollution exclusion contained in a general liability policy did not bar coverage for a suit alleging that the policyholder’s negligence caused 170 gallons of home heating oil to leak into its customer’s basement resulting in property damage.  Regan Heating & Air Conditioning v. Arbella Protection Insurance Co., No. 2020-170-Appeal.

  • First, the court confirmed that context matters. Just because a substance can be a “pollutant” in some contexts does not mean that all losses alleging damage caused by that substance are excluded “pollution” claims. 
  • Second, the court recognized that a split in judicial opinions as to the meaning of a disputed policy term is “proof positive” of ambiguity – or, at a minimum, supports a finding that the policy is susceptible to more than one reasonable interpretation.

The Regan ruling is consistent with well-settled principles of policy interpretation. The onus has always been on insurance companies, who hold the drafting pen and the bargaining power, to use clear and unequivocal language to describe what is (or is not) covered. In the absence of clear language, or where reasonable minds could differ – as was the case in Regan – the policy is ambiguous and must be interpreted in favor of coverage.Continue Reading Rhode Island Supreme Court recognizes that context and case law matter in interpreting policy exclusions

M&A activity is making a comeback in 2023, according to Bloomberg Law (“M&A Roars Back in $40 Billion Surge Led by Miners, Storage” A. Kirchfeld and D. Nair, Feb. 6, 2023). The rise in transactions—and the likelihood of claims involving them—will no doubt lead to continued D&O insurance coverage disputes over the “bump up” exclusion.

Policyholders can navigate this speed bump, carriers waving the recent Seventh Circuit decision in Komatsu Mining Corp. v. Columbia Casualty Co., No. 21-2695 (7th Cir. Jan. 23, 2023), and the Final Statement of Decision After Phase One Court Trial entered in Onyx Pharmaceuticals, Inc. v. Old Republic Insurance Co., Case No. CIV 538248 (Cal. Super. Ct. San Mateo Cty. Dec. 30, 2022), notwithstanding. 

Rules for the Road to keep in mind:

1. Choice of law matters

Several courts have addressed the bump-up exclusion recently, and arrived at different results. Indeed, despite analyzing the same bump-up exclusion, the San Mateo County Court in California (applying California law) ruled in favor of insurers in Onyx whereas the Delaware Superior Court ruled in favor of the policyholders in Northrup Grumman Innovation Systems, Inc. v. Zurich American Insurance Co., 2021 Del. Super. LEXIS 92 (February 2, 2021) (the Delaware Supreme Court denied interlocutory appeal), and the Eastern District of Virginia Court (applying Virginia law) did as well in Towers Watson & Co. v. National Union Fire Insurance Co., 2021 U.S. Dist. LEXIS 192480 (E.D. Va. Oct. 5, 2021) (currently on appeal in the Fourth Circuit). The Seventh Circuit applied Wisconsin law in Komatsu, ruling in favor of insurers based on a different version of the exclusion. In short, Delaware and Virginia law remain favorable whereas policyholders have not fared as well thus far under California and Wisconsin law. Continue Reading Navigating the “Bump-Up” exclusion in 2023: Rules for the road

When a loss event badly damages a key piece of equipment or machinery, an insured business often faces the complicated question: repair or replace? This is especially so when the extent of the damage is unclear because some may still be hidden.

A business presented with this dilemma is well advised to go through that decision-making process assuming that it is spending its own money.

In all likelihood, however, the business will have insurance for the loss event, and most commercial property policies are written on a “replacement cost” basis. Yet, those policies often define “replacement cost” as being the lesser of “the cost to repair, rebuild or replace” the damaged property with property of comparable size, material and quality. They commonly include coverage for the loss of business income sustained by the insured due to the suspension of the insured’s business during the “period of restoration,” and tie the length of that period to the date when the damaged property should be “repaired, rebuilt or replaced” with reasonable diligence. 

These standard commercial property provisions contain a trap for the unwary. Hidden within them lurks the opportunity for the insurance company to second guess the decisions that its insured is now forced to make under abnormal conditions and while facing financial distress.Continue Reading Too damaged to repair? How to maximize your insurance recovery