On this episode of Don't Take No for An Answer, host, Lynda A. Bennett, Partner and Chair of Lowenstein's Insurance Recovery Group, is joined by David Anderson, Vice President, Cyber Liability at Woodruff Sawyer, and Heather Weaver, Counsel in Lowenstein's Insurance Recovery Group, to take a deeper dive into insurance coverage for claims arising from tracking tools. They examine the different types of policies and coverage grants that may be triggered, stress the importance of understanding potential coverage limitations for these claims including exclusions, narrow definitions, and sublimits, and discuss how the underwriting process may be impacted by the recent surge of litigation in this space.
Speakers:
Lynda A. Bennett, Partner and
Chair, Insurance Recovery
Heather
Weaver, Counsel, Insurance
Recovery
David Anderson, CIPP/US, Vice
President, Cyber Liability, Woodruff-Sawyer & Co
READ THE TRANSCRIPT
Lynda Bennett: Welcome to, Don't Take No for An Answer. I'm your host, Lynda Bennett, Chair of the Insurance Recovery Practice, here at Lowenstein Sandler. And today, I am very pleased to welcome back David Anderson, who is VP of Cyber at Woodruff Sawyer. Welcome back, Dave.
David Anderson: Thanks for having me back, Lynda.
Lynda Bennett: And I'm also pleased to welcome back Heather Weaver, who is Counsel in our Insurance Recovery Group. So thanks for coming on back, Heather, onto the show.
Heather Weaver: Thanks, Lynda. Looking forward to continuing the conversation.
Lynda Bennett: All right. Well last time, we talked about the use of pixel and other tracking devices on all of our shopping activities, our medical activities, our anything related to the internet activities, tracking our boxes as they're coming to our homes. And we talked a lot about what are these claims, why is the plaintiff's bar interested in pursuing those claims? And we started to scratch the surface of what insurance is available. And I think the key highlight of that discussion on the insurance end is, this is pretty complicated. There are a number of different policies that you can look at, to potentially access coverage.
And today, I'd really like to take our listeners into a deeper dive on what to look for in these coverage grants, so that we can trigger the coverage. And then of course, we're going to have to talk about the rabbit holes that the insurers like to try to jump down, after we're able to trigger the coverage grant. And then, we'll take a quick look at where this is all headed, given the size and scope of these liabilities.
So, Heather, let's just go by way of review, what types of policies are going to be triggered by that mutative class action lawsuit for the use of a tracking device? And what are some of the coverage grants that will be triggered by those cases?
Heather Weaver: Yeah, sure. So, it's important to look at all of your insurance coverage, or most of your insurance coverage, trying to figure out what type of policy could apply to these types of claims. Because you really might be surprised, when you actually take a deep dive at deep review into these policies, that a policy you might not expect to provide coverage for this type of claim might actually provide coverage, even through an endorsement, or some sort of addition to the policy.
So as we discussed last time, the first place that you would want to look is your cyber policy. That's the most obvious place to look, given the type of claim that we're dealing with here. But professional liability policies, such as errors and omissions and their records of officers' policies might also cover these types of claims. You would also want to look at your CGL general liability policies, management liability policies, any media liability policies that you might have, and even a crime policy might cover these types of claims. Within these policies, you'll see several different types of coverage grants that might cover the claims. You might see multiple coverage grants within a single policy that might cover these types of claims. So it's important to do, again, a thorough review of not only the main policy, but also any endorsements that might've been added to the policy, that might provide additional relevant coverage.
And we touched on some of these already, in the prior episode. But to name a couple of the most relevant or common coverages to look for within these types of policies for tracking claims, you would want to look at potential media liability coverage, that would typically cover privacy violations. You would want to look at data and network liability coverage, privacy and network security liability coverage, which typically protects insureds against losses for failure to protect customers from personally identifiable information, such as social security numbers, credit card numbers, medical information, things like that, sensitive information. You would also want to look at professional liability coverages, particularly if you have a claim in the healthcare sector. And if, as we discussed previously, sometimes professional liability policies have cyber coverage within them. So, there are many different coverages to look for within these policies.
Lynda Bennett: Yeah. So you just threw a lot at us. And Dave, as the broker that's going to place these policies in the first instance, even before the claim comes in, what are some of the kinds of things that we're going to want to look for in these coverage grants, and that you as the broker are being really careful about, when the policies are getting placed? We can break down some of these coverages. But for example, media liability. What do we need to do to best maximize coverage there?
David Anderson: Yeah, this is where the listener might want to take out a post-it note, or re-listen. I'm thinking this is where, one, your broker should shine through. Shameless plug. But definitions and exclusions matter, Lynda. Heather, you guys see this all the time, right? Almost every cyber policy includes an affirmative coverage grant for a multimedia wrongful act. But what does that wrong fact include? If it's just copyright, trade, dress, slogan, plagiarism, all of the sort of super basic level one wrongful acts, it's not going to respond. Because you need both a wrongful act and a covered situation, to trigger the policy. So, you want to make sure that you have invasion of privacy, violation of someone's right to seclusion, potentially personal advertising injury, which sometimes oscillates between GL and media. But you really want to get the broadest possible media liability wrongful coverage that you can get. That's not going to be available on every policy, and it's a decision that you are going to have to make with your broker, in terms of how much you want to spend.
The other next best example I can give you is the definition of confidential information within a cyber policy, and the definition of privacy or network security wrongful act. Let's break those down, each separately, as quickly as possible, so we don't take all the oxygen out of the room. Confidential information, as defined in the cyber policy, is the fundamental element that triggers coverage. So if I've lost a bunch of social security numbers, and my policy doesn't include social security numbers within the definition of confidential information, one, your policy sucks. And two, you're not going to trigger cover, because that's how the four walls of the contract work. And I would argue Lynda and Heather, you have no way of working around that, too.
So, if the definition of confidential information doesn't include my favorite phrasing, which is any non-public information that may trigger a privacy law, that's the best. The policies that trigger, including but not limited to, and list off a bunch of words, a five- or six-line paragraph, are not nearly as simple as beautiful as any non-public information. And then, the definition of privacy wrongful act on your basic off the shelf policies may only include an affirmative data breach, perpetrated by a third-party actor, a ransomware incident, a loss of a suitcase. It may not include wrongful collection of data by you, or one of your vendors on your behalf. Because truly, that's not a fortuitous data breach event, like a hack. It's you or someone you hired decided not to disclose what they were doing in their collection of private data. And therefore, you are liable for those actions. So, definitions matter, period. Definitions matter.
Lynda Bennett: You're preaching to the choir. And it's one of the core themes on Don't Take No for An Answer, which is the words matter. The words in an insurance policy always matter. And you're exactly right. I'm going to pick up on your shameless plug, and say, you do need somebody like Dave, in the seat as your broker. Because Dave is living and breathing this, day in and day out. And the cyber market and the terms and conditions available continue to change on a daily basis. So, for sure, you need to have Dave in your corner when you're negotiating the policy on the front end, so you don't get an unhappy surprise on the backend, once the claim has been presented.
Dave, just touch on the... Heather talked before about the data and network liability. What's the most important factor trigger that you need for that coverage grant?
David Anderson: The definition of privacy wrongful act or the definition of privacy incident. You want to make sure that your cyber policy reflects your business practices. So if I'm a widget factory, manufacturing rulers, I'm not really trading and are dealing with folks' confidential information. If I am, however, a data broker, or a marketing agency, or an advertising agency that is maybe living on the fringes of what is or is not palatable data practices, I may need to have a really tough discussion with my insurers and my brokers, to make sure that we're all on the same page. Because if you don't actually cover what my business is doing, the policy is not going to respond. We're going to have to hire Lowenstein Sandler. We're going to just try to resolve this coverage dispute. And everyone walks away feeling disappointed.
And yeah, there might have to be discussion, Lynda, about like, "Okay, do we want to pay 50% more for coverage that aligns with what we're doing? Or do we want to just check the box, and say that we have privacy cover?" The former versus the latter is the more grownup thing to do. And I will say, that the one thing that Heather didn't mention, because I think we're going to touch on it in a second, is if I don't have the coverage for it, and I outsource my advertising strategy to an agency, I might just seek their indemnification. And I'll bet you, depending on how big the contract was, they agreed to indemnify. And all of a sudden, an ad agency caress about what their policy has to say.
Lynda Bennett: Yeah. Or the question becomes, how many other indemnifications did they give out?
David Anderson: Yeah, for sure. That too, yeah.
Lynda Bennett: Yeah. What about for the professional liability coverage? You kind of touched on this. What are the two real biggies? We know that this is very much case by case. But what are the two real biggies that you need to be looking for, if you're going to be counting on your professional liability coverage grant?
Heather Weaver: If you're going to rely on your professional liability coverage grants, you would want to make sure that you have cyber liability coverage, within the professional liability policy. And just one important thing to think about here, and often you see cyber coverage embedded within a professional liability policy. And you'd want to make sure that, unless there are separate limits, you would want to think about the risk of exhausting the availability of coverage on your professional liability policy for a cyber claim. So, if you choose not to have a standalone cyber policy, it's important to make sure that your professional liability policy has adequate limits or separate limits, to sufficiently protect against both cyber risks and other professional liability risks, which could often be large expensive risks as well.
David Anderson: I would just throw in there as a cautionary tale for that advice, which is totally accurate. Just because your professional liability has cyber coverage doesn't mean that your professional liability policy is a cyber policy. Most professional liability policies only cover liability. So, third party claims for defense costs and damages. A cyber policy will respond with all of the sort of critical services you need in a true cyber-attack, which I know isn't this chat, Lynda and Heather. But, if you're telling me that your professional liability policy is also your cyber policy, my response to you, nine times out of 10, is "Okay, but it's not going to do anything for you, when your server rack is on fire. And I hope you know that."
Lynda Bennett: Yeah. No, great point to bring up, that there's a core difference there. And also, again though, to remember if you have both, to notice both. It's the patchwork built, again, coming up. Dave, just a quick question. Are you seeing for the privacy coverage, limitations being put on, in terms of the number of records covered? And I did want to amplify a point that you made before, that's very important for our listeners to consider, which is, insurance is a risk management tool that goes into a broader budget. You've brought up a couple of times now, the spend and how much you're going to spend. And I think that companies that have experienced the claim, sometimes have buyer's remorse for going for the cheaper option, and not having the real coverage there. Versus, some of these bells and whistles that you've talked about really aren't bells and whistles at all. It's giving you the kind of protection you need, when a loss is actually going to come.
So, that was really the context for my question around limits on the number of records that are going to be covered, separate and apart from a sub-limit. Where are the carriers starting to nip at that?
David Anderson: So we haven't seen... I think that's a really good question, and that's a good segue into sort of the crystal ball that Heather and I polished for you. The carriers aren't limiting coverage on a per record basis. It just gets messy, and it seems a little disingenuous, and it doesn't look good in the court of public opinion. But we are seeing cyber carriers who were the lead in-takers on these claims, start putting very specific exclusions on their policy, extremely finely crafted words that are excluding claims arising out of not getting adequate consent for some of this type of tracking information, or not following your own published posted privacy policies, all the sort of non-data breach privacy exposures. And that's what the underwriters are calling it, non-data breach privacy. They're looking to try to cut back on this.
And I will tell you, Lynda, the reason that they're doing it is not because they don't want to cover it, or because they're really just trying to not pay losses. They're doing that because much like the Telephone Consumer Protection Act, the per occurrence fines are just massively uninsurable. So, you're talking about wiretapping in some states is 1,000 per violation. The Video Privacy Protection Act, which is very much a player in this space, is $2,500 per violation. If you're doing this to 10,000 visitors a day on your website, you're going to... First, you're going to exhaust your limit with your own policy, in like 30 seconds. And two, the insurance carrier is not going to be able to sustain covering these losses.
So, we are seeing the class action, the unsavory data collection, the wrongful collection practices coming in. There was always some element of wiretapping excluded on the policy, because they're doubling down and clarifying on the language now. And I think, in the future, you may not be able to get coverage for this specific exposure, unless either the laws change, because they're kind of archaic, or this just gets exhausted, and the plaintiff bar doesn't have any new opportunities to seek damages.
Lynda Bennett: Yeah. Archaic, or being used in a totally different way than their intention.
David Anderson: Correct, yeah.
Lynda Bennett: Some might argue. Heather, let's touch on some of the other key exclusions. Dave touched on a few of them. But what are some of the other key exclusions that we're seeing carriers raise with these claims?
Heather Weaver: Seeing carriers raise the prior known acts exclusion. So if you get a policy, knowing that your company is collecting information in a way that could result in privacy claims, or there have been prior privacy claims that you didn't disclose to the insurer at the time that you were obtaining a policy, an insurer is likely to invoke the prior known acts exclusion. There is often a criminal intentional or fraudulent acts exclusion. This type of conduct exclusion, it typically includes language that it doesn't apply, unless the conduct is established in a final non-appealable adjudication, in an underlying action. So that's something that's important to look for. Because arguably, the insurer would still have a duty to defend, until there is a final non-appealable adjudication in an underlying action. The insurers are invoking breach of contract exclusions, media related exposure exclusions, what I think Dave touched on earlier before. And then, exclusions related to gathering or distribution of information.
Lynda Bennett: And as always, the words matter. I think we've kind of hammered that today, but it is a point that's worth hammering every time. Because that makes the difference of covered or non-covered claims, in many instances. All right. Well, we have just a couple of minutes left here, and I promised our listeners that you would give your predictions about what's going to happen in the market. Dave, I'll throw it to you first. I'm most interested in how you think the underwriting of these policies on a go forward basis is going to change, if at all, based on these very large claim risk exposures?
David Anderson: I think that in the short term we are going to see a little bit of a knee-jerk reaction from the insurers, because they're cutting checks on this, where they never expected to. Long-term, I see this going a couple of different ways, depending on the carrier, depending on the industry class of the policy holder, etc. So, your favorite line, it depends.
But really, I expect the sort of off the shelf response to this going forward for non-heavily negotiated contracts to go to a defense cost only type situation, and not covering the damages. If you are absolutely seeking this coverage, you might have to look for it in a very specific market, or through a very specific strategy. You can still get TCPA coverage. You can still get sweepstakes type coverage, but you have to go to specialist market. And what those markets are going to look for, Lynda, is absolute clarity that you understand what you and your vendors are doing with that tech stack, in this context. So there's no more going to be just like, "Yes, we have adequate consent clauses on our website, and we promise that we're doing everything right." They're going to take it apart, they're going to look at it, they're going to make you make representations in the underwriting, that will be held against you when the claim comes in.
And the most important thing that I can tell your listeners to do now, in the current space, is just make sure that you're working with a competent person, a privacy attorney, a media attorney. I don't know who you want to work with, pick one. So that you are collecting consent, making sure that you are doing the right thing by the visitors on your website. Because if not, you may get hit next. And once you have this claim on your history, it's really tough to get the coverage back.
Lynda Bennett: Yeah. And Heather, from your point of view, do you see the carriers actively litigating these claims? Or do you anticipate that there'll be some letter writing back and forth, and then ultimately, a commercial resolution of them?
Heather Weaver: It's a little bit hard to say. But I could see insurers litigating these claims, because a lot of them are really sizable, large real claims. And I think that insurers might be hesitant to settle some of these claims. But, I think we'll have to see where it goes.
Lynda Bennett: All right. Well, thank you both for joining us. This is certainly not the last of this conversation, since these claims are sizable, and the industries that are touched by them is wide and vast. So we'll have everybody back to have a further conversation, as these cases and these policies continue to mature. But thanks for joining me today, and sharing your insights, knowledge, and predictions. Thank you, both.
David Anderson: Thanks, Lynda.
Heather Weaver: Thanks, Lynda and Dave.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
