For several years, Lathrop Gage’s Insurance Recovery and Counseling team has been front-and-center at RIMS’ annual conference. This year’s event – taking place April 28-May 1 in Boston – is no exception! We will have a team onsite at booth #549 on the tradeshow (please come by and see us if you’re there), and we have several speaking engagements lined up.
This month, when many are working with inspiration towards their New Year’s resolutions, we urge each business policyholder to set a goal fitting of our modern high-tech age: checking its cyber insurance.
Cyber insurance is something of a fluid catch-all term, but insureds generally seek it to provide coverage for computer-based perils, such as those arising from unauthorized computer access (“hacking”), malicious software (“malware”), email fraud (“phishing” or “spoofing”), network failure or inaccessibility (“ransomware”), and the resulting breach or disclosure of protected data. Such insurance can be either first-party (covering the insured’s own losses arising from, say, a computer system malfunction, a disgruntled employee, or a cyber criminal) or third-party (covering the insured’s liability to, say, its consumers for a data breach or the government for regulatory fines).
Lathrop Gage Partners Bill Beck and Mike Abrams were recently profiled by Super Lawyers for their success in securing compensation for individuals who have been wrongfully convicted, individuals who have often spent decades in prison for crimes they did not commit. Lathrop Gage’s Civil Rights Insurance Recovery Practice group leads the nation in securing insurance proceeds for wrongfully convicted persons, recovering over $150 million for wrongfully convicted individuals and their families since 2004. Additionally, the firm has partnered with the Midwest Innocence Project to help exonerate individuals who are currently in prison for crimes they did not commit and helped to facilitate the recent release of Laquanda “Faye” Jacobs, who spent 26 years in prison after being wrongfully convicted of capital murder at the age of 16.
Interviewed by Alana McMullin and David Scheidemantle of Lathrop Gage’s Insurance Recovery & Counseling Group.
In a recent decision, the United States Court of Appeals for the Sixth Circuit considered whether a “criminal acts” exclusion in a first-party commercial insurance policy barred coverage for damage to leased property caused by the insured’s tenant in the operation of a marijuana cultivation business. K.V.G. Properties, Inc. v. Westfield Insurance Co., 2018 U.S. App. LEXIS 232296, 2018 FED App. 0178P, 2018 WL 3978211 (6th Cir. Aug. 21, 2018). Marijuana remains illegal as a Schedule 1 drug under federal law but is protected in certain circumstances under the law of Michigan, where the insured property was located. Fatal to the insured’s case, it had pleaded in an eviction proceeding that the tenant’s activities were illegal, which the Sixth Circuit took as an admission that the tenant’s conduct was illegal under Michigan as well as federal law, landing the claim within the confines of the criminal acts exclusion. While paying lip service to black letter law that the insurer bears the burden of establishing the applicability of an exclusion, the court nevertheless ruled against the insured because it had provided no evidence that the tenant had complied with Michigan’s marijuana laws. The court left open whether the exclusion still would have applied had the insured made such a showing (and hinted the outcome might have been different had the insured done so).
The CDC estimates that 1 in 6 Americans get sick from contaminated foods or beverage each year, and that 3,000 people die, resulting in total food-borne illness costs of more than $15.6 billion dollars each year. Those numbers are not surprising when food recalls seem to be an almost weekly occurrence, with salmonella-tainted foods prominently featured in multiple large-scale outbreaks in 2018. Although food contamination seems to be on the rise, experts suggest that frequency is up – not due to an actual increase in outbreaks – but, instead because we are better equipped to identify and track outbreaks. Thanks to genome sequencing, we can look at food’s DNA fingerprint to better identify its source. Even so, it is still difficult to identify precisely where in the food supply chain the contamination began. As a result, every entity in the supply chain can be, and often is, affected when contamination is discovered.
This reality can present numerous insurance coverage challenges, and all companies ranging from ingredient suppliers to processors and retailers should consider what coverage best fits their needs based on their most likely exposure given their position in the food supply chain. In reviewing coverage options, it is important to realize that not all product recall and/or contamination coverage is the same (and some policies may be triggered only by contamination, while others are triggered only by a mandatory recall).
Further, it bears noting that general liability coverage is still a relevant potential source of coverage. Bodily injury claims are the classic case for invoking a general liability policy, but even certain third-party property damage in a contamination/recall situation may also enjoy coverage under a traditional general liability policy. See, e.g., Neth. Ins. Co. v. Main St. Ingredients, Ltd. Liab. Co., 745 F.3d 909, 911 (8th Cir. 2014) (insurer had duty to defend and indemnify insured that inadvertently sold salmonella-contaminated dried milk to Malt-O-Meal, which then incorporated the milk into its instant oatmeal products).
For more information about recovering insurance in the event of a recall, continue reading here.
Hurricane Florence has caused devastation throughout the Carolinas, including as-yet-unknown property damage, business interruption, environmental contamination, and most tragically, loss of life.
When a disaster like Florence occurs, corporate policyholders enter crisis mode, doing everything they can to make sure business losses are mitigated to the extent possible, providing workarounds for customers, and generally making every effort to salvage what they can and assess the losses incurred. What might not be on any policyholder’s radar screen, however, are the steps that can be taken now to maximize insurance coverage and recovery once the immediate crisis is over.
Remember those spam emails from Nigerian royal family members needing to transfer millions of dollars out of Nigeria, requesting the recipients provide banking and personal information to “hold” the funds or otherwise front money to the fraudster to pay taxes and fees? While most people have (hopefully) wised up to that scheme, a more insidious and devastating fraud has taken hold in the corporate world – the “social engineering” scheme.
“Social engineering” schemes are shades of the Nigerian letter scams, except the fraudster pretends to be someone affiliated with your company, such as a contractor or vendor. The emails are convincing even to sophisticated employees, often instructing the recipient to follow “corporate procedures” to complete the money transfer.
Typically, this is how the scheme works:
(i) Your employee receives a phishing email from a spoofed address where the fraudster pretends to be affiliated with your company and requests a transfer of an (often substantial) amount of money;
(ii) Your spoofed employee follows in-house protocols with respect to the requested transfer, sometimes even getting approval from more senior level management;
(iii) Your employee makes the transfer to the fraudster’s account; and
(iv) Your company discovers the fraud only after the transfer.
Many companies are shocked to find only after the fact that their insurance carriers do not cover these losses. Unfortunately, not having appropriate cyber coverage can be a devastating mistake. The National Cyber Security Alliance found that as much as 60 percent of hacked small and medium-sized businesses go out of business within six months after being hit with a cyber-attack.
Businesses can greatly reduce the threat by mitigating cyber risks through managerial and technical processes, including implementing security measures such as firewalls, duo layer computer access, limiting employee access to sensitive data information, analysis of third party vendor’s security procedures, and regular and thorough training of employees. However, even the best measurers cannot fully neutralize cyber threats. Businesses remain vulnerable because of the “human factor” associated with these schemes; a skilled fraudster executes a social engineering scheme with the (unwitting) help of an innocent employee.
Recent court decisions highlight the importance of closely reviewing cyber policies to ensure that “social engineering” scams are fully covered. In Apache Corporation v. Great American Insurance Company, 662 F. App’x 252 (5th Cir. 2016), for example, the court held that the policyholder was not covered for social engineering attack despite having “computer fraud” coverage providing coverage for “loss of … money … resulting directly from the use of any computer to fraudulently cause a transfer of that property….” The Apache employee received a spoofed email with a signed letter on the vendor’s letterhead, instructing the employee to change the vendor’s account information and submit future payments to the new (fraudulent) account. The employee even called the telephone number provided on the (forged) letterhead and verified the request, while still another employee approved the transaction. Apache thereafter submitted payments to the new account. The Fifth Circuit held that the $2.4 million loss was not covered because the computer use was not the direct result of the loss, but “merely incidental” to the fraud.
This case highlights how critical it is to companies to transfer the risk of all cyber-attacks through comprehensive cyber coverage, particularly to cover risks that cannot be fully mitigated by security measures because of the “human factor.” For this reason, it is important to review policy terms to assess the scope of coverage with your broker before your company is attacked.
Excess insurance plays a vital role in mitigating the risk of large losses, but excess insurers often contend they have no obligations and are entitled to sit on the sidelines of a lawsuit against their policyholder until underlying insurers have fully paid their limits. This position harms policyholders, particularly when settlement of a lawsuit requires contribution from these excess insurers.
While courts universally acknowledge the value of pre-trial resolution and settlement, some jurisdictions have discouraged settlement of large losses by holding that excess insurers have no duty to the policyholder until primary policies have completely exhausted their limits. When excess insurers refuse to come to the settlement table, settlements often fall through, exposing policyholders to high risk verdicts.
Fortunately, some courts do acknowledge that excess insurers have pre-exhaustion obligations. The recent decision by the Ninth Circuit in Teleflex Med. Inc. v. Nat’l Union Fire Ins. Co., 851 F.3d 976 (9th Cir. 2017) is the leading case in holding that excess insurers must participate in settlement negotiations, even prior to exhaustion of underlying layers.
In Teleflex, the policyholder agreed to mediate an IP infringement lawsuit early in discovery, but excess insurer National Union refused to attend. The parties reached a proposed settlement, contingent on contributions from National Union. However, National Union refused to consent to the settlement despite the fact that policyholder risked exposure from a verdict well in excess of the underlying carrier’s $1m limit. The policyholder finalized the settlement anyway and proceeded to sue National Union for breach of contract and bad faith for the amount of its settlement contribution, and was successfully awarded over $6m by the United States District Court for the Southern District of California.
On appeal to the Ninth Circuit, the critical issue raised by National Union was the continued applicability of the so-called “Diamond Heights rule,” taken from a 1991 California Court of Appeals case. The Diamond Heights rule says that where an excess insurer is presented with a proposed settlement of a covered claim approved by policyholder and primary carrier, the excess insurer has three options:
- approve the proposed settlement;
- reject the proposed settlement and take over the defense; or
- reject both proposed settlement and defense, but face a potential lawsuit by the policyholder seeking contribution toward the settlement.
After finding the Diamond Heights rule was still good law, the Ninth Circuit rejected National Union’s attempts to distinguish that case based on the fact that the Telexflex litigation was still in relatively early stages. The Ninth Circuit countered that there are good reasons to settle during discovery rather than on the eve of trial. The Ninth Circuit proceeded to criticize National Union for months-long “foot-dragging” rather than expediently settling, and ultimately upheld the District Court’s award for breach of contract and bad faith.
Policyholders should take note. While the Diamond Heights holding may be decades-old, it takes on new force in light of the Teleflex decision. In particular, it clarifies that foot-dragging by an excess carrier, delaying the execution of a proposed settlement, is not appropriate at any stage of litigation. Where a good-faith proposed settlement is on the clock, excess insurers must either approve, agree to defend, or face a potential lawsuit for contribution.
In late 2017, in a move favoring policyholders, the Missouri Court of Appeals for the Eastern District applied the “all-sums” approach to allocating and exhausting insurance coverage for a continuous asbestos harm in Nooter Corp. v. Allianz Underwriters Ins. Co., 536 S.W.3d 251 (Mo. App. 2017). Although Nooter has sparked significant chatter in the insurance world, Lathrop Gage is dedicated to educating its clients on what Nooter means to you.
In Nooter, plaintiff Nooter Corporation was in the business of designing, installing, and distributing pressure vessels for refiners and chemical plants. Some of Nooter’s sites had become contaminated with asbestos over the course of many years, and Nooter began receiving claims for asbestos-related bodily injuries in the late 1990s. Nooter sued eight of its excess insurers for coverage spanning from 1949 to 1985 to cover the defense costs and liabilities associated with defending these claims. One of the many battles taken up by the parties at the trial court was, assuming the policies were triggered, whether the court should allocate the losses among the insurance companies using the “all sums” approach or the “pro-rata” approach, the two leading methods of allocation in American courts. The trial court applied the “all sums” approach, and the excess insurers appealed. The Missouri Court of Appeals affirmed the trial court on this issue and the Missouri Supreme Court subsequently denied the insurers’ appeal.
So what is the “all sums” approach to allocation and exhaustion and why does it matter?
Many companies, just like Nooter, are facing claims or allegations of different types of “long-tail” liabilities, i.e. allegedly continuous or escalating damage over a range of time and implicating several policies and insurance companies. Examples of long-tail liabilities include asbestos claims (like in Nooter), mass products litigation, or toxic tort. Because the damage cannot be traced to a single incident or event, it can be difficult to identify which policies are implicated, and even more difficult, how the losses will be allocated among the insurers.
Many insurers, like the insurers in Nooter, advocate for a “pro-rata” approach to allocation of losses. Under this theory, losses are allocated proportionally across all triggered policies for each year of damage or exposure, and accordingly, policies are exhausted “horizontally” across each layer of coverage. However, the policyholder would be responsible for any losses that are apportioned to an uninsured or under-insured year of exposure.
In contrast, the “all-sums” approach essentially makes the insurers’ liability to the policyholder joint and several. The result is that the policyholder is entitled to select a triggered policy, exhaust the policy completely, and move onto the next, regardless of whether the losses actually occurred during that policy period. The insurers are then left to allocate the losses between themselves by seeking contributions from each other. This is consistent with the theory of “vertical exhaustion,” i.e. policies are exhausted up the stack of coverage.
Nooter is part of a growing trend of courts applying the “all sums” theory of allocation and exhaustion. The approach has received significant consideration since the New York Court of Appeals’s 2016 decision in Viking Pump, and the trend does not appear to be slowing down. In addition, early last month a federal judge sitting in the Eastern District of Missouri held that Nooter required application of the “all sums” theory to long-tail liabilities in Missouri. Zurich American Insurance Co. v. Ins. Co. of N. America, No. 4:14 CV 1112 CDP, 2018 U.S. Dist. LEXIS 77061 (E.D. Mo. May, 8, 2018). While the court had previously predicted that the Missouri Supreme Court would apply the “pro rata” approach, it reversed its prior ruling because post-Nooter it was clear that “the Missouri Supreme court would apply an ‘all sums’ method to allocate the  loss.” Id. at *14.
While application of the “all sums” doctrine is no guaranty, the Nooter decision shows Missouri’s willingness to apply the “all sums” doctrine in appropriate scenarios. The Lathrop Gage insurance recovery team is willing and able to assist you as you navigate the intricacies of your post-Nooter, insurance recovery needs.
 In the Matter of Viking Pump, Inc. and Warren Pumps, LLC Insurance Appeals, 52 N.E.3d 1144 (N.Y. 2016)
 See ALI’s Proposed Final Draft of the Restatement of Law, Liability Insurance, § 41 cmt. d, and recognizing a “split of authority regarding the allocation rule.”
In 2017, the Missouri Supreme Court handed down its Doe Run decision, where it interpreted, as a matter of first impression, an insurance policy’s so-called “absolute pollution exclusion,” holding that it barred coverage for environmental-degradation claims arising from the release of toxic industrial byproducts. We believe this policyholder-adverse decision is limited by its facts and reasoning, and thus policyholders can still invoke the earlier and more favorable Hocker Oil and Wyatt decisions when seeking insurance coverage in other contexts.