Five Lessons Health Care Companies Should Learn From Cyberattacks
By Richard DeNatale and Celia Jackson
The American health care industry is under attack by sophisticated hackers seeking access to electronic medical records. Since January, three health insurers have announced major data breaches involving millions of records, with the largest one at Anthem Inc., involving nearly 80 million records. There have been dozens of smaller breaches as well. According to statistics kept by the U.S. Department of Health and Human Services, in 2009 the health care sector experienced 18 data breaches involving 500 or more individuals. In the first three months of 2015, more than 50 such breaches were reported.
These incidents bear similarities to the cyberattacks on the retail sector in 2013 and 2014. As one retailer after another fell victim, important lessons emerged on the best ways of preparing for attacks and responding to ones that occur. While some retailers made errors that exacerbated their losses, others were able to minimize harm through careful planning and effective response. While some companies incurred significant financial losses, others were able to shift a large portion of the costs to their insurers.
As the health care sector braces for the current wave of attacks, it remains to be seen which companies will profit from these lessons.
Please click here to continue reading the article.
Blog Highlights
Five Things to Look For in Your Cyber Coverage
by Russell Cohen, Matthew Jeweler and Andrew Ardinger
The data breach earlier this month that potentially exposed information about millions of federal government employees is yet another reminder that any organization that maintains data is at risk of being hacked. And rest assured that if you get hacked, you will incur substantial costs as a result, including substantial notice and related costs and potentially massive third-party liability claims.
We have written extensively about so-called "cyber" insurance, including how cyber insurance is neither comprehensive nor standardized. As a result, when you are shopping for your first (or next) cyber policy it is important to understand what types of coverages, exclusions and conditions are in the market. Making a well-informed purchase starts with knowing your options.
There are too many differences between cyber policies to cover in one blog post, and the market, still in its youth, is rapidly evolving. But here is a list of five important things—in no particular order—to consider when you're in the market for cyber insurance.
Please click here to read more.
In Early Case Construing Cyber Policy, Court Finds No Duty to Defend
by David Klein and Bryan Coffey
The waiting has ended. On May 11, a Utah federal court handed down one of the first coverage decisions in the country construing a so called "cyber" policy. While the case did not deal with a data breach or other cyber event of the type that companies typically have in mind when procuring cyber insurance, it nevertheless may provide guidance on the scope of coverage under such policies.
Please click here to read more.
Oh-FAC! There's Coverage for That?
by Alex Lathrop, Kristi Singleton and Richard Gallena
Policyholders can include violations of economic sanctions among the laundry list of risks their companies face. Economic and trade sanctions are administered by the Office of Foreign Assets Control ("OFAC"), a little known agency within the U.S. Department of the Treasury. The sanctions that OFAC administers and enforces include broad embargoes of Crimea, Cuba, Iran, North Korea, Sudan and Syria, as well as restrictions against doing business with designated individuals and certain of their affiliates. As recent events show, failing to abide by these sanctions can result in significant liability. And where there is liability, policyholders should consider whether there may be insurance coverage.
Please click here to read more.
Well-Suited: The Texas Supreme Court Finds Insurers Have a Duty to Defend EPA Administrative Proceedings
by Celia Jackson and Steve Foresta
Most standard form commercial general liability insurance policies provide that the insurer has the duty to defend any "suit" against the insured that seeks damages covered under the policy. In CGL policies issued before 1986, the term "suit" was not defined. And while all courts could agree that a "suit" encompasses a civil complaint filed in a court of law, they disagreed on whether proceedings that take place outside the courtroom, such as the administrative process initiated by a government "PRP" notice, are "suits" that give rise to the insurer's duty to defend.
The Texas Supreme Court is the latest court to weigh in on this issue, and its decision is good news for policyholders. On June 26, 2015, in a 5-4 decision, the court held that the term "suit" encompasses administrative enforcement actions by the Environmental Protection Agency under the Comprehensive Environmental Response, Compensation, and Liability Act of 1980 (CERCLA).
Please click here to read more.
Blurred Lines: The Professional Services Exclusion in D&O Policies for Services Companies
by Darren S. Teshima and Bryan Coffey
Professional services companies need to be extra-careful when placing Directors and Officers liability ("D&O") coverage to ensure that their policies don't take away with one hand what they appear to give with the other. A new district court ruling suggests that a professional services exclusion found in most D&O policies may erase most of the coverage such companies believe they're purchasing.
Banks and other financial institutions, like most companies, usually carry D&O insurance to protect themselves and their decision-makers from claims of alleged "Wrongful Acts," including alleged negligence or misleading statements. They may also have Errors and Omissions or Professional Liability ("E&O") coverage to respond to claims arising from the performance of services requiring special training or expertise. To avoid overlapping coverage for claims that may be covered under an E&O policy, D&O policies typically include a so-called "professional services" exclusion that draws a line between these two lines of coverage. When applied to a professional services company, however, this line becomes blurred. As demonstrated by a recent decision from the U.S. District Court for the Southern District of Florida, broadly applying this exclusion to services companies like financial institutions threatens to eviscerate the companies' D&O coverage.
Please click here to read more.
Ironshore Drills Deepwater Deeper
by Richard DeNatale, David Klein, Alison Roffi and Jacquelyn Hehir
When the Texas Supreme Court decided In re Deepwater Horizon earlier this year, it portended significant changes in the rights of companies named as "additional insureds" pursuant to contractual requirements. In limiting BP's coverage for the Gulf of Mexico oil spill, the Court departed from the principle that insurance policies should be interpreted based on their express terms. The Texas Supreme Court instead based its ruling on BP's drilling contracts, which were not mentioned in the insurance policies. Now the U.S. Court of Appeals for the Fifth Circuit, in Ironshore Specialty Insurance Co. v. Aspen Underwriting, Ltd., has extended Deepwater Horizon and starkly illustrated its implications.
Please click here to read more.
