To combat a perceived litigation tactic by plaintiffs’ counsel of using settlement demands within policy limits to set up insurers for bad faith, insurance company associations lobbied for statutory clarification to avoid uncertainty around insurers’ duties when faced with time-limited demands.

The result was the enactment of California Code of Civil Procedure Chapter 3.2, Sections 999–999.5, titled “Time-Limited Demands,” which goes into effect Jan. 1, 2023.

Claimants’ time-limited settlement demands often seek the available policy limits and are usually referred to in the industry as “policy limits demands,” though theoretically they could be for an amount below limits. The demands must be reasonable in order to subsequently impose extracontractual liability on an insurer for bad faith failure to settle.

For certain types of claims and policies, Section 999 imposes several new criteria that a presuit demand must comply with to be considered a reasonable offer to settle within policy limits. We’ll call these “Section 999 demands.”

An insurer in Washington could not eliminate its coverage obligation based on its insured’s recovery from a third party. T-Mobile USA, Inc. v. Steadfast Ins. Co., et al., No. 82704-9-I, 2022 WL 17246715 (Wash. Ct. App., Nov. 28, 2022). And in an Illinois case, an insurer could not refuse to cover its insured simply because its insured was able to deduct part of its settlement payment (which the insurer had refused to cover) from its tax obligation. Liberty Ins. Underwriters, Inc. v. Astellas Pharma US, Inc., Circuit Court of Cook County, Illinois County Dept., Chancery Div., 2019 CH 14483 (Nov. 28, 2022). In both cases, the courts did not have any sympathy for insurers that refused to perform under their insurance policies in the first place and then tried to take advantage of their insureds’ recoveries or reductions in liabilities. And the courts were intent on holding the insurers to the plain language of the policies and the promises they had made to the insureds.

Multi-factor authentication (MFA) is more than an annoying popup or text message when logging onto a company’s website or platform. Not only is using MFA a sound security practice and good business,[1] it is frequently becoming a prerequisite to procuring (and keeping) cyber liability coverage. Following the May 2021 Colonial Pipeline ransomware attack which shut down the country’s largest oil pipeline for several days, more cyber insurers are now requiring policyholders to implement MFA. Last month, one tech manufacturer learned this lesson the hard way when its insurer filed suit for rescission of its insurance policy and a declaration that the insurer owed no coverage for the company’s losses stemming from a ransomware attack. Travelers Property Casualty Co. of America v. International Control Services Inc., No. 22-cv-2145, complaint filed, 2022 WL 2532994 (C.D. Ill. July 6, 2022).

With news of massive data breaches making headlines in recent years, the handling of personal data has become a focus for legislators and regulators around the world. Compliance with data privacy regulations such as the European Union’s General Data Protection Regulation (GDPR) and the California Privacy Rights Act (CPRA) promises to be one of the major challenges for businesses going forward as violations of these regulations present the risk of substantial fines or penalties.

In order to manage that potential liability, businesses have looked to cyber insurance. However, even when cyber insurance policies expressly state that they cover fines and penalties, whether or not they actually do so depends on whether fines and penalties are ‘insurable’ under the law that governs that coverage. Some jurisdictions prohibit insurance for fines and penalties as against public policy, and if the law of such a jurisdiction is deemed to govern, then even a policy that expressly promises to provide coverage may not protect the insured.

I recently wrote an article for Business Insurance on how the war exclusion will affect commercial policyholders. The war exclusion has received a lot of attention over the past year, particularly since Russia invaded Ukraine in February. Policyholders’ concern that insurers will assert the exclusion as a basis to deny coverage is increasing in light of recent coverage litigation and the potential that cyberattacks emanating from Russia would have serious financial consequences.

The war exclusion is in a moment of possible flux, as insurers consider changes that could increase its scope. A few months before Russia invaded Ukraine, the Lloyd’s Market Association introduced four model clauses designed to exclude, to a greater or lesser extent, coverage for war risks from cyber policies.

In the article, I analyze the model clauses and what might happen next. One aspect of all these exclusions that is particularly worrisome is that they would give the insurer the right to determine whether a cyber operation was “indirectly” carried out “by or on behalf of” a sovereign state. The language potentially could result in the elimination of coverage for attacks in which the victim was not the intended target and the actor merely claims to be acting for the benefit, or in support of, a state rather than being directed by the state.

Our lives and the products and devices we use become more dependent on data by the day. As a result, cyberattacks and data breaches present ever-changing risks to companies and individuals, and applicable insurance has never been more important. While companies historically sought coverage for losses under traditional CGL, D&O, E&O, commercial crime, and business interruption policies, their mixed results––coupled with new exclusions singling out electronic data––have led to an increasing need for cyber-specific coverages. However, as evidenced by the Minnesota District Court’s recent decision in Target Corporation v. ACE American Insurance Company, 2022 WL 848095 (D. Minn. Mar. 22, 2022), CGL policies still may be in play where damages result from the inability to use tangible property.

Discussions with an insured’s insurance broker are often an important part of the negotiation process for insurance claims. Brokers can provide valuable insights on the drafting and underwriting of the insurance policy as well as the attitudes of insurers on particular issues. But are communications between a client, coverage counsel, and the client’s insurance broker privileged? A previous post addressed California decisions finding that disclosure of privileged information to an insurance broker did not waive privilege because those disclosures were reasonably necessary to provide information to the insurers. In New York, whether such disclosure constitutes a waiver is a fact-specific inquiry.

Since Illinois passed its Biometric Information Privacy Act (BIPA) in 2008, there has been a proliferation of class action lawsuits filed pursuant to the statute. BIPA generally bars private entities from collecting, capturing, purchasing, receiving, or otherwise obtaining a person’s biometric information without obtaining that person’s advance, informed consent (see 740 ILCS 14/15(b)), and grants a private right of action to individuals who are “aggrieved” by a violation of the statute, entitling them to recover liquidated or actual damages as well as attorneys’ fees and costs (see 740 ILCS 14/20).

The Illinois courts are sorting out the question of the availability of insurance coverage for such BIPA suits under Commercial General Liability (CGL) policies. Of course, the standard CGL definition of covered “personal and advertising injury” includes “oral or written publication of material that violates a person’s right of privacy.” In May of 2021, an Illinois Supreme Court case, West Bend Mutual Insurance Co. v. Krishna Schaumburg Tan, Inc., 183 N.E.3d 47 (2021), addressed the threshold question of whether BIPA claims fall within this basic definition. The court agreed that the gravamen of such claims is invasion of privacy, and that the purpose of the statute is to prevent such invasions. Krishna also rejected the insurer’s argument that the policyholder’s alleged conduct did not constitute an “oral or written publication” because biometric data was merely collected and given to a single third party (a service provider for the policyholder). The court ruled that even providing the information to one other party is a “publication”; the dissemination need not be widespread.

The “war” exclusion has gotten more attention over the past couple of weeks in light of Russia’s invasion of Ukraine. For good reason. This exclusion, common in property and liability policies alike, typically eliminates coverage for losses caused by “hostile or warlike action” from a nation-state or its agencies, or by military forces. Insurers have recently invoked this exclusion in an attempt to avoid providing coverage for losses arising from Russia’s 2017 “NotPetya” cyberattack against Ukraine, which spread beyond Ukraine’s borders and caused widespread damage to computer systems, including hardware, at a number of companies around the world.

A New Jersey court recently rejected an insurer’s reliance on a “war” exclusion in a property insurance policy, under which the insured had sought coverage for losses caused by the NotPetya cyberattack. See Merck Co. Inc. et al. v. ACE American Insurance Co. et al., Case number UNN L 002682-18, in the Union County Superior Court of New Jersey.

Corporate policyholders often assume their computer fraud crime insurance will cover so-called social engineering thefts. Reasonably so. Fraudsters commit these crimes by using computers to trick innocent employees into transferring corporate funds to what they believe are legitimate bank accounts, only to discover later that the accounts are controlled by criminals who have stolen the money. Although most people would consider this to be computer fraud, crime insurers have resisted covering such thefts. And some courts have sided with the insurers. Until recently, insurers could point to the Ninth Circuit Court of Appeals as being one of those courts. On January 26, the Ninth Circuit finally set the record straight in Ernst and Haas Management Company, Inc. v. Hiscox, Inc., 23 F.4th 1195 (9th Cir. 2022), by repudiating a prior unpublished ruling and finding coverage for a social engineering theft under California law. This ruling gives policyholders a boost in their crime coverage claims for social engineering theft losses and removes a cudgel from the insurers’ hands.