If an insurance company owes a duty to defend, the dispute should be decided promptly, on the pleadings. Any delay undermines the duty to defend. The scope of the duty to defend should be adjudicated on the pleadings as quickly as possible to give policyholders the true value of their policies and the benefit of their contracts.

The value and purpose of the duty to defend

The duty to defend is one of the most valuable components of an insurance policy. Like it or not, American society is litigious. Companies cannot prevent lawsuits through good conduct, laudable intentions, or strong compliance programs.  Refuting liability and damages is expensive even if the core facts are undisputed or the case is frivolous.

For a single company or individual, the frequency and size of litigation generally is unpredictable, making budgeting for defense costs a difficult task.  In any single year, the risk of litigation is low, but when a claim does come in, defense costs can be significant.  This litigation landscape is a problem for legal departments trying to budget or reserve for litigation costs.

The duty to defend addresses this problem using the principles of risk transfer and risk pooling.

  • Risk transfer: the risk and costs of defending litigation are transferred to the insurance company in exchange for a premium payment.
  • Risk pooling: the insurance company takes the collective risks of litigation against all policyholders in a pool large enough that aggregate defense costs can be statistically analyzed and predicted on an annual basis.

This way no one has to assess the risk that any individual company is sued or anticipate those defense costs. Policyholders can include insurance premium costs in their legal budgets, and shift covered defense costs onto the insurer. The insurance company underwriters can evaluate the aggregate defense spend at a gross systemic level and charge premiums to cover those costs (with a healthy profit margin).

In a recent unanimous decision, the Appellate Division First Department provided clarity on the pleading requirements for policyholders seeking special or consequential damages allowed under the landmark decision of Bi-Economy Market v. Harleysville Insurance Company of New York, 856 N.Y.S.2d 505 (N.Y., Feb. 19, 2008). Under Bi-Economy, policyholders may seek special or consequential damages resulting from an insurance company’s failure to provide coverage if such damages were foreseen or should have been foreseen when the insurance contract was made. Id. at 508. In its prior ruling in Panasia Estates v. Hudson Insurance Company, the First Department noted that the “reference to such damages as ‘special’ in Bi-Economy Mkt. … was not intended to establish a requirement of specificity in pleading.” 889 N.Y.S.2d 452, 453 (N.Y.A.D. 1 Dept., Dec. 15, 2009). The ruling, however, left open the question of what pleading requirements policyholders had to meet in order to state a claim for special damages, a question that it recently answered in D.K. Property v. National Union Fire Insurance Company of Pittsburgh, PA, 2019 WL 237454 (N.Y.A.D. 1 Dept., Jan. 17, 2019).

In an encouraging development for insureds, the United States Court of Appeals for the Fourth Circuit held that a health care company’s general liability insurer was required to defend the company against claims stemming from an alleged failure to secure electronic medical records. In The Travelers Indemnity Co. of America v. Portal Healthcare Solutions, L.L.C., No. 14-1944 (4th Cir. Apr. 11, 2016), the Fourth Circuit held that the breach resulted in a “publication” of medical records, thus falling within the scope of the general liability policy issued to Portal Healthcare Solutions, L.L.C. (“Portal”).  The decision reaffirms that insureds that experience adverse cyber events are not limited to cyber-specific policies as the source of potential insurance coverage.

Portal’s insurer, The Travelers Indemnity Company of America (“Travelers”), commenced litigation in the United States District Court for the Eastern District of Virginia, seeking a determination that it was not required to defend Portal against a putative class action alleging that Portal negligently failed to secure a server hosting medical records, which resulted in those records becoming available on the Internet. Ruling on cross-motions for summary judgment, the District Court sided with Portal, reasoning that the allegations “at least potentially or arguably” alleged a “publication” of private medical information that either (a) gave “unreasonable publicity” to the patient’s private life, or (b) “disclose[d] information” about the patient’s private life.  Either circumstance triggered a coverage obligation under the Travelers policies.

The New York Department of Financial Services (NYDFS) announced last week a series of measures it plans to take “to help strengthen cyber hacking defenses at insurers.” Those measures include, among other things: regular, targeted assessments of cyber security preparedness at insurance companies; putting forward enhanced regulations requiring institutions to meet heightened standards for cyber security; and considering the ways in which NYDFS can support and encourage the development of the cyber security insurance market. The NYDFS stated that it plans to initiate these measures in the coming weeks and months.

A recent study reports that the median amount of time between a breach of a company’s computer network and the discovery of the incident is 229 days. But some cyberliability policy forms require that both the breach event and discovery of loss (or resulting claim) occur during the policy period. So what happens when a breach is discovered three months into the policy period but, unbeknownst at the time, the intrusion actually occurred six months before, or even earlier? If your company’s cyberliability insurance policy excludes breach events occurring before the inception of the policy period, the company could find itself without coverage for an otherwise-covered claim or loss.

Since the President’s February 2013 Executive Order directing the National Institute of Standards and Technology (NIST) to lead the development of a voluntary framework to address and reduce cyber risks, the agencies and stakeholders involved have been exploring whether to tie the February 2014 Framework for Improving Critical Infrastructure Cybersecurity (the NIST Framework) to incentives such as cyberliability insurance. For example, in a Report to the President on Cybersecurity Incentives, the Treasury Department suggested that “[c]yber insurance can promote adoption of stronger security measures” because, among other reasons, “insurers could require policyholders to comply with minimum security standards as a condition of insurance coverage, including adoption of the Framework.”

The Treasury Department held a public meeting on November 6 that included a discussion of developments in the market for cyberliability insurance and the NIST Framework.

The evolving market for cyberliability insurance coverage reveals significant differences in the scope of coverage afforded under available policies. A coverage gap that may exist under some policies is for insider cyber attacks. While external attacks receive substantial news coverage, a recent study finds that businesses may be far less equipped to stave off attacks involving insiders: employees, vendors, suppliers and others who may have authorized access to critical or sensitive data.

While policyholders frequently negotiate the terms and conditions of primary insurance, it is somewhat less common for policyholders to give the same attention to the language in their excess coverage. Excess policies that state that coverage attaches only after the underlying insurer pays out its full limits of liability can frustrate policyholders attempting to resolve a coverage dispute with an underlying insurer. Policy wording is critical, as demonstrated in a recent Texas appellate court decision.

Every day, there is a new story about Ebola in the media. While some commentators suggest that the threat of Ebola in the United States is overblown – and we hope they are right – now is still the time for all businesses to review their insurance policies to understand what insurance coverage, if any, they may have available should an Ebola-related liability and/or loss occur.