When a Cyberattack Has a Physical Impact
By Alex Lathrop and Andrew Ardinger
October ordinarily brings the return of crisp air, fall foliage and Halloween. This year, for the first time, it also brought National Cybersecurity Awareness Month. Yet designating a month to increase cybersecurity awareness seems redundant. We are reminded almost daily of the importance of cybersecurity, as media reports of cyberbreaches have become commonplace. Of course, the most widely reported cyber incidents have been data privacy breaches that have affected tens of millions of consumers nationwide. These are the sorts of incidents that have spawned a growing market for so-called “cyber policies” (although the CEO of one of the largest insurers has acknowledged that cyberinsurance capacity remains relatively small).
But a potentially more damaging cyberthreat that may cause enormous property and economic losses has been getting much less attention, both in the media and by insurers—the risk of large-scale physical property damage and business interruption losses stemming from a cyberbreach. As the U.S. Department of Homeland Security aptly notes on its National Cybersecurity Awareness Month Web page, “[a]s a nation, we face constant cyberthreats against our critical infrastructure and economy.” A hacker who is able to infiltrate a company’s computer systems and reach its operational or plant controls could, for example, reconfigure sensitive manufacturing equipment causing a breakdown in assembly or even destruction of a plant. A hacker could also reroute incoming or outgoing shipments and cause huge supply chain issues, which could lead to lost sales or spoliation of merchandise or components.
Though very few such incidents have been reported—an article earlier this year identified only two publicly known incidents, including an attack that caused “massive” damage at an “unnamed steel mill in Germany”—the effects could be devastating for a business.
Please click here to continue reading the article.
Blog Highlights
Does the Schrems Decision Open the Door to New Cyber Insurance Exclusions?
by Russell Cohen and Jacquelyn Hehir
The shockwaves continue from the October 6, 2015 ruling of the Court of Justice of the European Union (CJEU), the European Union’s highest court, invalidating the U.S.-EU “Safe Harbor” data transfer regime in a controversy arising out of Maximillian Schrems’ complaint to the Irish Data Protection Commissioner. The Schrems decision obviously has huge privacy implications for companies that transferred data under the Safe Harbor regime, but it may also impact such companies’ cyber insurance.
The Safe Harbor program has been in place since 2000 and was meant to bridge the gap between the regulatory requirements for handling of personal data in the EU and U.S. The Safe Harbor created a self-certification mechanism by which companies in the U.S. could opt into a set of rules governing the handling of EU personal information in order to meet EU privacy law requirements. If a company opted in, it was then able to receive data transfers from the EU to the U.S. without further approval.
The Schrems ruling, explained in detail here by our privacy team, found that the Safe Harbor protections afforded were in fact not adequate. The CJEU noted that the protections required to meet Safe Harbor obligations could actually be disregarded for a number of reasons, including at the request of certain government entities or where preempted by U.S. law. The CJEU held that a company’s decision to opt into the Safe Harbor therefore does not necessarily protect the personal data of EU citizens and it would no longer consider such Safe Harbor participation by a U.S. company sufficient to meet the requirements of EU privacy laws.
Please click here to read more.
One Little Word: New York Federal Court Rejects Attempt to Broaden Employer’s Liability Exclusion
by Steve Foresta and Matthew Jeweler
So much depends on a single word! Recently, a New York federal court refused to construe an employer’s liability exclusion in a CGL policy to bar coverage for a bodily injury suit brought by the employee of an insured parent company against a subsidiary insured under the same policy as the parent. Considering both the language and purpose of the exclusion, this was the right outcome. But it might have come out the other way if one three-letter word in the policy had been different.
Please click here to read more.
Cumis is Catching On: Nevada High Court Adopts California’s Right to Independent Defense Counsel
by Darren S. Teshima and Bryan Coffey
When an insurer agrees to defend its insured for a liability claim, it retains counsel to represent the interests of the insured, forming a so-called “tripartite relationship.” Often the interests of the insured and insurer are aligned: both want to avoid or minimize liability. Situations sometime arise where the interests of the insured and the insurer are in conflict, like when an insurer agrees to defend but reserves its right to deny coverage based on certain policy exclusions. In those cases, the defense counsel could have divided loyalty on how to defend the claim where it might espouse one theory to avoid liability for the insurer, but saddle the insured with uncovered liability. A classic example is when an insurer reserves its right to deny coverage for conduct found to be intentional and not negligent. The defense counsel can try to prove negligence and require the insurer to indemnify a judgment; or counsel could protect the interests of the party who pays the bills (and retains her on a consistent basis) and not fight against a finding that the insured acted intentionally.
Please click here to read more.
There’s a New Sheriff In Town: Coverage for World Bank Investigations and Sanctions
By David Klein and Daniel Streim
Led primarily by the U.S. DOJ and SEC, global anti-corruption efforts have escalated markedly over the past decade. The increased number of investigations and high-dollar penalties associated with FCPA have caught the attention of the both insurers and insureds, even leading some companies to purchase standalone liability policies that cover FCPA-like violations. But while a number of significant international treaties promoting the fight against corruption were enacted beginning in the mid-1990s, member states beyond the U.S. have been somewhat slow to join the enforcement brigade. UK prosecutors have shown some desire to bring cases under the UK Bribery Act, but thus far their efforts have not nearly approached those of prosecutors in the U.S. But in the past few years, a completely new player has emerged: the World Bank.
Please click here to read more.
Tipoff for the Question of Whether D&O Policies Cover TCPA Related Claims
by Barry Levin and Alison Roffi
In 1991 Congress passed the Telephone Consumer Protection Act (“TCPA”) to protect customers from unsolicited telemarketing. It has since become an attractive avenue for consumer class action litigation. In the past, defendant-policyholders sought coverage under their Commercial General Liability (CGL) policies for costs incurred as a result of TCPA claims. When CGL policies began to include exclusions for TCPA claims, insureds began to seek coverage elsewhere, including under D&O policies. When presented with a TCPA claim, many D&O carriers have argued that coverage is precluded under the personal injury claim exclusion—particularly the “invasion of privacy” provision of the personal injury claim exclusion—found in the majority of private company D&O policies. While some courts have relied on this exclusion to bar coverage for TCPA claims, its application is questionable. Now the Ninth Circuit is about to weigh in.
Please click here to read more.
“Escape” Clause Offers Insurer No Escape from Duty to Defend
by Mark Plumer
Houdini managed an escape from a straight jacket while suspended 40 feet in the air. But that trick turned out to be easier than a primary insurer’s recent attempt to escape its duty to defend in California. In Underwriters of Interest Subscribing to Policy No. A15274001 v. ProBuilders Specialty Ins. Co., Case No. D066615, Ct. App. Dist. 4, Oct. 23, 2015 (“Underwriters”), the California Court of Appeal ruled that an “other insurance” clause in a CGL policy that purported to eliminate an insurer’s duty to defend if another insurer picked up the defense was unenforceable.
Underwriters filed an equitable contribution action against a co-insurer, ProBuilders, claiming ProBuilders had shirked its duty to pay a portion of defense costs that Underwriters had agreed to pay to defend a mutual policyholder in a construction defect case. ProBuilders claimed that it had no duty to defend principally based on the language of an “other insurance” clause in its policies. That clause stated that ProBuilders had the right and duty to defend the insured against any suit seeking damages to which the insurance applied, provided that no other insurance affording a defense against such a suit was available to the insured. ProBuilders argued that since Underwriters had agreed to defend the policyholder, there was other defense insurance available to the policyholder, thus excusing ProBuilders from its obligation to provide a defense. The trial court agreed.
Not so fast, the Court of Appeal found. It observed that the “other insurance” clause in the Probuilders’ policies was an “escape” clause—so named because if enforced, it permitted a primary insurer to escape the defense obligation it otherwise agreed to assume.
Please click here to read more.
