The Midwest is experiencing record-breaking flooding this year, bringing back memories of the devastating and costly floods of 1993. Without a doubt, business losses and business interruption claims will be substantial. This post explores when an insured might have coverage for business interruption even if it does not incur significant flood-damage to its own property. As with any coverage claim, the merits will depend on the specific language in the policy and the specific circumstances of the claimed loss. But, here’s a rundown of some common policy provisions and issues to keep in mind.
In an Opinion dated May 29, 2019, the U.S. Court of Appeals, Fifth Circuit, ruled in Travelers Indemnity Co. v. Ethel Mitchell that multiple insurers must provide coverage to a defendant county and its officials sued in a §1983 wrongful imprisonment lawsuit, including certain insurers who issued policies in post-conviction years.
For several years, Lathrop Gage’s Insurance Recovery and Counseling team has been front-and-center at RIMS’ annual conference. This year’s event – taking place April 28-May 1 in Boston – is no exception! We will have a team onsite at booth #549 on the tradeshow (please come by and see us if you’re there), and we have several speaking engagements lined up.
This month, when many are working with inspiration towards their New Year’s resolutions, we urge each business policyholder to set a goal fitting of our modern high-tech age: checking its cyber insurance.
Cyber insurance is something of a fluid catch-all term, but insureds generally seek it to provide coverage for computer-based perils, such as those arising from unauthorized computer access (“hacking”), malicious software (“malware”), email fraud (“phishing” or “spoofing”), network failure or inaccessibility (“ransomware”), and the resulting breach or disclosure of protected data. Such insurance can be either first-party (covering the insured’s own losses arising from, say, a computer system malfunction, a disgruntled employee, or a cyber criminal) or third-party (covering the insured’s liability to, say, its consumers for a data breach or the government for regulatory fines).
Lathrop Gage Partners Bill Beck and Mike Abrams were recently profiled by Super Lawyers for their success in securing compensation for individuals who have been wrongfully convicted, individuals who have often spent decades in prison for crimes they did not commit. Lathrop Gage’s Civil Rights Insurance Recovery Practice group leads the nation in securing insurance proceeds for wrongfully convicted persons, recovering over $150 million for wrongfully convicted individuals and their families since 2004. Additionally, the firm has partnered with the Midwest Innocence Project to help exonerate individuals who are currently in prison for crimes they did not commit and helped to facilitate the recent release of Laquanda “Faye” Jacobs, who spent 26 years in prison after being wrongfully convicted of capital murder at the age of 16.
Interviewed by Alana McMullin and David Scheidemantle of Lathrop Gage’s Insurance Recovery & Counseling Group.
In a recent decision, the United States Court of Appeals for the Sixth Circuit considered whether a “criminal acts” exclusion in a first-party commercial insurance policy barred coverage for damage to leased property caused by the insured’s tenant in the operation of a marijuana cultivation business. K.V.G. Properties, Inc. v. Westfield Insurance Co., 2018 U.S. App. LEXIS 232296, 2018 FED App. 0178P, 2018 WL 3978211 (6th Cir. Aug. 21, 2018). Marijuana remains illegal as a Schedule 1 drug under federal law but is protected in certain circumstances under the law of Michigan, where the insured property was located. Fatal to the insured’s case, it had pleaded in an eviction proceeding that the tenant’s activities were illegal, which the Sixth Circuit took as an admission that the tenant’s conduct was illegal under Michigan as well as federal law, landing the claim within the confines of the criminal acts exclusion. While paying lip service to black letter law that the insurer bears the burden of establishing the applicability of an exclusion, the court nevertheless ruled against the insured because it had provided no evidence that the tenant had complied with Michigan’s marijuana laws. The court left open whether the exclusion still would have applied had the insured made such a showing (and hinted the outcome might have been different had the insured done so).
The CDC estimates that 1 in 6 Americans get sick from contaminated foods or beverages each year, and that 3,000 people die, resulting in total food-borne illness costs of more than $15.6 billion each year. Those numbers are not surprising when food recalls seem to be an almost weekly occurrence, with salmonella-tainted foods prominently featured in multiple large-scale outbreaks in 2018. Although food contamination seems to be on the rise, experts suggest that frequency is up not because of an actual increase in outbreaks but because we are better equipped to identify and track outbreaks. Thanks to genome sequencing, we can look at food’s DNA fingerprint to better identify its source. Even so, it is still difficult to identify precisely where in the food supply chain the contamination began. As a result, every entity in the supply chain can be, and often is, affected when contamination is discovered.
This reality can present numerous insurance coverage challenges, and all companies ranging from ingredient suppliers to processors and retailers should consider what coverage best fits their needs based on their most likely exposure given their position in the food supply chain. In reviewing coverage options, it is important to realize that not all product recall and/or contamination coverage is the same (and some policies may be triggered only by contamination, while others are triggered only by a mandatory recall).
Further, it bears noting that general liability coverage is still a relevant potential source of coverage. Bodily injury claims are the classic case for invoking a general liability policy, but even certain third-party property damage in a contamination/recall situation may also enjoy coverage under a traditional general liability policy. See, e.g., Neth. Ins. Co. v. Main St. Ingredients, Ltd. Liab. Co., 745 F.3d 909, 911 (8th Cir. 2014) (insurer had duty to defend and indemnify insured that inadvertently sold salmonella-contaminated dried milk to Malt-O-Meal, which then incorporated the milk into its instant oatmeal products).
For more information about recovering insurance in the event of a recall, continue reading here.
Hurricane Florence has caused devastation throughout the Carolinas, including as-yet-unknown property damage, business interruption, environmental contamination, and most tragically, loss of life.
When a disaster like Florence occurs, corporate policyholders enter crisis mode, doing everything they can to make sure business losses are mitigated to the extent possible, providing workarounds for customers, and generally making every effort to salvage what they can and assess the losses incurred. What might not be on any policyholder’s radar screen, however, are the steps that can be taken now to maximize insurance coverage and recovery once the immediate crisis is over.
Remember those spam emails from Nigerian royal family members needing to transfer millions of dollars out of Nigeria, requesting the recipients provide banking and personal information to “hold” the funds or otherwise front money to the fraudster to pay taxes and fees? While most people have (hopefully) wised up to that scheme, a more insidious and devastating fraud has taken hold in the corporate world – the “social engineering” scheme.
“Social engineering” schemes are shades of the Nigerian letter scams, except the fraudster pretends to be someone affiliated with your company, such as a contractor or vendor. The emails are convincing even to sophisticated employees, often instructing the recipient to follow “corporate procedures” to complete the money transfer.
Typically, this is how the scheme works:
(i) Your employee receives a phishing email from a spoofed address where the fraudster pretends to be affiliated with your company and requests a transfer of an (often substantial) amount of money;
(ii) Your spoofed employee follows in-house protocols with respect to the requested transfer, sometimes even getting approval from more senior level management;
(iii) Your employee makes the transfer to the fraudster’s account; and
(iv) Your company discovers the fraud only after the transfer.
Many companies are shocked to find only after the fact that their insurance carriers do not cover these losses. Unfortunately, not having appropriate cyber coverage can be a devastating mistake. The National Cyber Security Alliance found that as much as 60 percent of hacked small and medium-sized businesses go out of business within six months after being hit with a cyber-attack.
Businesses can greatly reduce the threat by mitigating cyber risks through managerial and technical processes, including implementing security measures such as firewalls, duo layer computer access, limiting employee access to sensitive data, analysis of third-party vendors’ security procedures, and regular and thorough training of employees. However, even the best measures cannot fully neutralize cyber threats. Businesses remain vulnerable because of the “human factor” associated with these schemes; a skilled fraudster executes a social engineering scheme with the (unwitting) help of an innocent employee.
Recent court decisions highlight the importance of closely reviewing cyber policies to ensure that “social engineering” scams are fully covered. In Apache Corporation v. Great American Insurance Company, 662 F. App’x 252 (5th Cir. 2016), for example, the court held that the policyholder was not covered for a social engineering attack despite having “computer fraud” coverage providing coverage for “loss of … money … resulting directly from the use of any computer to fraudulently cause a transfer of that property….” The Apache employee received a spoofed email with a signed letter on the vendor’s letterhead, instructing the employee to change the vendor’s account information and submit future payments to the new (fraudulent) account. The employee even called the telephone number provided on the (forged) letterhead and verified the request, while still another employee approved the transaction. Apache thereafter submitted payments to the new account. The Fifth Circuit held that the $2.4 million loss was not covered because the loss was not the direct result of the computer use, which was “merely incidental” to the fraud.
This case highlights how critical it is for companies to transfer the risk of all cyber-attacks through comprehensive cyber coverage, particularly to cover risks that cannot be fully mitigated by security measures because of the “human factor.” For this reason, it is important to review policy terms to assess the scope of coverage with your broker before your company is attacked.
Excess insurance plays a vital role in mitigating the risk of large losses, but excess insurers often contend they have no obligations and are entitled to sit on the sidelines of a lawsuit against their policyholder until underlying insurers have fully paid their limits. This position harms policyholders, particularly when settlement of a lawsuit requires contribution from these excess insurers.
While courts universally acknowledge the value of pre-trial resolution and settlement, some jurisdictions have discouraged settlement of large losses by holding that excess insurers have no duty to the policyholder until primary policies have completely exhausted their limits. When excess insurers refuse to come to the settlement table, settlements often fall through, exposing policyholders to high risk verdicts.
Fortunately, some courts do acknowledge that excess insurers have pre-exhaustion obligations. The recent decision by the Ninth Circuit in Teleflex Med. Inc. v. Nat’l Union Fire Ins. Co., 851 F.3d 976 (9th Cir. 2017) is the leading case in holding that excess insurers must participate in settlement negotiations, even prior to exhaustion of underlying layers.
In Teleflex, the policyholder agreed to mediate an IP infringement lawsuit early in discovery, but excess insurer National Union refused to attend. The parties reached a proposed settlement, contingent on contributions from National Union. However, National Union refused to consent to the settlement despite the fact that the policyholder risked exposure from a verdict well in excess of the underlying carrier’s $1m limit. The policyholder finalized the settlement anyway and proceeded to sue National Union for breach of contract and bad faith for the amount of its settlement contribution, and was awarded over $6m by the United States District Court for the Southern District of California.
On appeal to the Ninth Circuit, the critical issue raised by National Union was the continued applicability of the so-called “Diamond Heights rule,” taken from a 1991 California Court of Appeals case. The Diamond Heights rule says that where an excess insurer is presented with a proposed settlement of a covered claim approved by policyholder and primary carrier, the excess insurer has three options:
- approve the proposed settlement;
- reject the proposed settlement and take over the defense; or
- reject both proposed settlement and defense, but face a potential lawsuit by the policyholder seeking contribution toward the settlement.
After finding the Diamond Heights rule was still good law, the Ninth Circuit rejected National Union’s attempts to distinguish that case based on the fact that the Teleflex litigation was still in relatively early stages. The Ninth Circuit countered that there are good reasons to settle during discovery rather than on the eve of trial. The Ninth Circuit proceeded to criticize National Union for months-long “foot-dragging” rather than expediently settling, and ultimately upheld the District Court’s award for breach of contract and bad faith.
Policyholders should take note. While the Diamond Heights holding may be decades-old, it takes on new force in light of the Teleflex decision. In particular, it clarifies that foot-dragging by an excess carrier, delaying the execution of a proposed settlement, is not appropriate at any stage of litigation. Where a good-faith proposed settlement is on the clock, excess insurers must either approve, agree to defend, or face a potential lawsuit for contribution.