Social Media in Action in Insurance Recovery
Chapter Authors
United States:
Carolyn H. Rosenberg, Partner – crosenberg@reedsmith.com
United Kingdom:
Peter Hardy, Partner – phardy@reedsmith.com [1]
Introduction
This chapter looks at the relationship between social media and insurance in two respects: first, when buying or renewing insurance, what types of policies or enhancements should be considered; and second, if a claim or potential claim arises, what you or your company should do to maximize potential insurance recovery.
Social Media in Action in Insurance
Considerations When Purchasing Insurance
Social media claims or potential claims may arise in almost any context, from branding and advertising issues to defamation and privacy claims, and, in the U.S. context, consumer class actions and securities claims.[2]
For a number of years the insurance market in both the United States and the UK has been developing policies and coverage extensions to address the increased risk caused by the developing use of technology in business. The policies have tended to be customized and modular wordings rather than off-the-shelf products, and have tended to reflect an insured’s own perception of its exposure to this category of risk. Although initially the exposure was often labeled broadly as “cyber liability” and would cover many types of risk, the current common focus is on data protection and security and privacy. In this respect, the U.S. and UK insurance markets are currently at somewhat different stages of development. The mandatory notification requirements for data breaches that exist under U.S. state laws have crystallized an insurance market response. (See Chapter 5 – Data Privacy & Security) The U.S. market is relatively well-established, and the identification of appropriate coverage is often a board of directors-led initiative, most notably in the retail, health care and financial services sectors. The scope of protection has tended to focus on payment for the costs of compliance with mandatory notification requirements, defense costs (including defending or responding to any regulatory intervention), and the settlement costs of claims resulting from a breach. By adopting a modular approach to policy wording, an insured can play an active part in identifying the risk exposure of its own business and market sector and negotiating policy wording and coverage tailored to its needs. As a general observation, however, businesses that are particularly exposed to website content contamination and risks of defamation and copyright infringement are carefully scrutinized by underwriters.
In the UK and outside of the United States in general, the insurance market is less established for data protection and security and privacy coverage, not least because of the reduced scope of mandatory reporting. But the UK and European landscape is changing and moving closer to the U.S. model. Also, many businesses have a global reach that will require a risk assessment across a number of jurisdictions, including the United States. Although it is not always true that the UK insurance market follows the lead of the United States, there are obvious precedents, particularly in the area of directors’ and officers’ liability insurance (“D&O”), which demonstrate how this risk category might be expected to develop in Europe in the near future. The UK is currently witnessing greater regulatory activity, and the retail and financial institutions sectors in particular are starting to develop the claims history that is often necessary before the value of the coverage is fully understood. In addition, the telecommunications industry and Internet service providers will have to adapt to being measured by new standards of reporting.
The U.S. market has established itself over the past four years in particular, and international insurance brokers, who have a presence on both sides of the Atlantic, are seeing the lessons learned being applied for the benefit of an emerging UK and European market. Data protection and security and privacy coverage is available from established carriers, and an insured would be well advised to discuss with its brokers and insurance coverage counsel the particular exposure to “cyber” and technology risks generally, and data protection and privacy rules specifically, in order to ensure that any coverage purchased is properly customized to the insured’s business. This is not a sector of the insurance market where the products are sufficiently commoditized for an insured to consider an “off the shelf” purchase.
When considering purchasing or renewing insurance coverage, the steps outlined below may be helpful.
Identify Current Policies That May Provide Coverage
Companies in both the United States and the UK traditionally purchase a number of different types of insurance policies to protect themselves from exposure to claims made against the company and its management. These policies would typically include D&O liability, professional liability (“E&O”), comprehensive general liability (“CGL”) (for U.S. insureds), property damage and business interruption coverage, fidelity bond policies (which are required by regulation in some industries) and fiduciary liability policies. They may also have employment practices liability (“EPL”) and, as noted above, “cyber liability” and, most recently, data privacy and security liability insurance. Because claims may raise a variety of issues and take different guises—from common law fraud and misrepresentation claims to invasion of privacy and cyber extortion—reviewing the inventory of policies with a “social media” lens can assist in seeing and seeking potential coverage that may come into play. One thing is certain: cybercrimes and losses arising from data protection issues and privacy laws will continue to grow.[3]
For example, a CGL policy issued in the United States typically provides coverage for bodily injury and property damage, as well as for advertising and personal injury. But the language should be examined to determine if there are terms, conditions or exclusions that limit or expand coverage. Some definitions of “property damage” may exclude electronic data, while a coverage endorsement may specifically provide some coverage. “Personal injury” typically includes publication or utterances that are in violation of an individual’s right to privacy, or that are defamatory or disparaging. Whether and how these coverages may apply, however, depends on the language of the policy, the facts and applicable law. An insured company with business exposure in both the United States and the UK should further review the policy language to ensure that definitions and exclusions do not potentially suggest different meanings in each jurisdiction, while at the same time respecting any legal and regulatory differences that may exist. Insurance policy wording should be negotiated with an eye toward analyzing potential “buckets” for coverage should a claim be made. Similarly, a defamation claim may become an employment-related claim, and thus coverage under an EPL policy should be examined to see if there are any obvious exclusions or subtle restrictions that can be addressed when negotiating the coverage. Being proactive in negotiating coverage before a claim arises affords much greater leverage if and when a claim hits.
Consider New Products and Recognize They Are Also Negotiable
As discussed above, cyber liability and Internet-related liability policies were introduced to the market several years ago, particularly in the United States. The first versions were difficult to assess given that claims were still emerging and the policies were not yet tested. The early specialty policies also contained a number of exclusions that threatened to engulf the coverage provided. The policies have improved, however, as more insurers have entered the market, as claims have matured, and as underwriters have become more comfortable with underwriting the risks. Policyholders willing to invest in reviewing and comparing choices and policy wording may be able to tailor the coverage to their needs and potential exposures. For example, some technology, media, data privacy breach and professional liability policies provide coverage for first-party loss (damage suffered directly by the company), including internal hacker attacks or business interruption, or expenses to maintain or resurrect data. Coverage for third-party loss (claims asserted against the company by third parties) is also available.
Coverage for third-party loss may include reimbursement of defense costs and indemnification for judgments and settlements. The claims may include allegations of violations of privacy rights and personal information, breaches of duties to secure confidential personal information under state and federal laws and regulations, breaches by employees or others, infringement of intellectual property rights, unfair competition, defamation, and violations of consumer protection and deceptive trade practices statutes.
The coverage may also include regulatory actions, lawsuits, and demands. Further, coverage may apply to “breachless” claims, where a potential problem or disclosure can be fixed before it becomes a claim.
Key Coverage Enhancements to Seek
A Broad Definition of “Claim.” Coverage should apply to demands, investigations and requests to toll a statute of limitations, as well as to complaints, and civil, criminal, and administrative and regulatory proceedings. Keep in mind that a broader definition of “claim” also means a corresponding broader obligation to report what will now be a Claim.
A Broad Definition of “Loss.” “Loss” should encompass a broad array of relief, including statutory fines and penalties where insurable, as well as defense and investigative costs.
Narrowed Exclusions. Exclusions should be narrowly tailored and contain “exceptions” where coverage will be provided. Exclusions for bad conduct committed by insureds or employees should be triggered only by a final adjudication of the excluded conduct. Further, defense costs should be covered, and the exclusions should be severable, so that one “bad apple” doesn’t spoil coverage for others.
Defense and Settlement Flexibility. Consider whether the insurer provides a defense or the insured seeks control over the defense. Negotiate “consent to settle” provisions.
Seek Coverage Grants via Endorsement. Specialty or tailored endorsements may add coverage and should be requested.
Maximizing Potential Coverage When a Claim Arises
Maximize the Potential for Insurance Recovery
Insurance may provide valuable protection for current loss, as well as for potential and actual claims. To maximize recovery:
Gather All Potentially Relevant Insurance Policies or Indemnity Agreements. As discussed above, key policies may include commercial crime or fidelity bond policies for internal theft; data privacy and security or cyber liability coverage for claims as a result of potential breaches of security and access to private data; CGL (in the United States) and property policies for potential business interruption claims; and D&O coverage for potential claims of breach of fiduciary duty against directors and officers or securities claims based on alleged stock drop or financial disclosure issues. Any indemnification agreements with vendors or other third parties who may owe contractual obligations to the company should also be reviewed, as well as any insurance policies where the company may be an additional insured.
Provide Timely Notice of Breaches, Claims or Potential Claims to All Primary and Excess Insurers. Insurance policies include provisions for reporting potential breaches, claims, occurrences or loss, and should be adhered to carefully. Failure to comply may result in a coverage dispute or denial of coverage, depending on the policy requirements and applicable case law. Provisions differ by policy. For example, a fidelity bond policy will specify when the initial notice is to be provided, and a proof of loss must be filed within a designated time period of reporting the initial loss. D&O policies allow (and in some cases may require) reporting of potential claims. If the claim develops, it is “parked” in the policy in which the initial notice was provided. Claims and potential claims should be reported to both primary and excess carriers across all programs to avoid later challenges of “late notice.”
Obtain Consent to Defense Arrangements. Some insurance policies have a “duty to defend,” meaning that the insurer must provide a legal defense for insureds under the policy. Other types of policies provide for “reimbursement,” where the insured assumes its own defense obligations, subject to the insurer’s advancement or reimbursement of defense expenses. The insured typically is required to obtain the insurer’s consent to defense arrangements, which may not be unreasonably withheld. Communication with insurers at the earliest stage of a claim is important to address defense arrangements. For example, if policies with both “duty to defend” and “reimbursement” obligations apply, the insured can assess how best to manage the defense arrangements. Similarly, if the insurer proposes specific counsel but the insured objects, the insurer may be obligated to pay the cost of “independent” counsel for the insured, or the insured may have to retain and pay for separate counsel to monitor the defense, depending on the coverage defenses raised by the insurer and applicable law.
Adhere to Cooperation Obligations and Respond to Requests for Information and Coverage Defenses. Although the language of insurance policies differs, an insured generally has an obligation to cooperate with all reasonable requests of insurers. Insurers also typically have a right to associate—that is, to consult with defense counsel or, in some cases, participate—in the defense and settlement of claims involving or potentially involving their coverage.
These responsibilities of the insured may differ depending on the type of policy and whether the insurer is defending the claim. Insureds should recognize, however, that the policy language, relevant case law, and individual, specific circumstances will dictate what is required or reasonable in a given context. For example, insureds typically do not have an attorney-client privileged relationship with an insurer, especially in a non-duty to defend situation. Consequently, an insured would need to be very careful in sharing information with insurers. Confidentiality or joint defense agreements may provide some protection of sensitive disclosures, but knowledgeable counsel should be consulted to provide guidance. Insurers may also seek to interview witnesses, employ investigators, and seek out defense counsel’s analysis or fee statements. Again, these requests must be carefully examined with an eye toward insurance coverage and privilege considerations.
Insureds should also promptly respond to letters or other communications raising coverage defenses or denying coverage. Potential exclusions or other terms and conditions may not apply or may limit coverage only for part of a claim. Even if it is too early in the process to discern the full extent of coverage, an insured should make a record disagreeing with the carrier’s restrictive coverage positions, and reserve its right to supplement its response. Moreover, a strong letter replying to coverage challenges may result in a reversal of a coverage denial. Obtaining the positions of the insurer(s), especially early in the process, may also help expedite a coverage determination through litigation, mediation or arbitration if informal negotiation is unsuccessful.
Obtain Consent to Settlement or Payment of Judgment. Know your rights and obligations. Insureds should check for any “hammer” provisions, which may limit the insured’s recovery if the insured refuses to settle where the insurer is able to resolve the underlying claim. Conversely, where the insured desires to settle but the insurer does not readily agree to pay the claim, the insured should review the “consent” provisions of the policy. Typically, consent to a settlement cannot be unreasonably withheld, but policies may also specify that the insurer has a right to participate in the negotiation of a settlement, or that an “offer” to settle requires insurer consent. Managing the insurer-insured relationship throughout the claim process in a thoughtful and diligent way will typically put the insurer and insured in a better position to reach agreement than if the insurer is not promptly brought “into the loop.”
Resolve Coverage Disputes. If informal negotiation does not resolve a dispute, the policy may dictate the next steps to follow. Policies may contain provisions requiring that an insurance dispute be mediated, arbitrated or litigated in a particular jurisdiction, or that a certain state or country’s law be applied to the coverage dispute. These provisions should be identified early in a dispute so that strategy can be considered. Moreover, excess policies may include different provisions for resolving disputes than the primary policy(ies), making resolution of a major claim potentially challenging. It is not that unusual for an insured seeking to recover a large loss from a “tower” of insurance coverage to litigate separately in the United States and the UK (or other jurisdictions), and commence both litigation and arbitration or mediation proceedings. Knowing the applicable rules early on will make navigating the settlement course easier.
Consider Lessons Learned for Renewal. Terms, conditions, exclusions or other difficulties in resolving claims may be considered in negotiating coverage with the same or other insurers for the next year. In addition, insurance applications may request information about current pending and/or potential claims. Such applications or requests for information should be reviewed with both insurance brokers and coverage counsel, because insurance applications and the documents attached to them may be disclosed in litigation discovery. Worse, they may become the basis for potential actions by insurers to rescind or void the policy.
Bottom Line—What You Need to Do
As social media claims continue to develop, so, too, will insurance policies. During this fluid process, companies can best arm themselves with good risk management, comprehensive coverage, and sensitivity to managing and maximizing their relationships with insurers.
[1] Carolyn and Peter appreciate the helpful comments of their Insurance Recovery Group colleagues Mark Hersh and Andrew Moss in the United States and Gregor Pryor in the UK in preparing this chapter.
[2] According to a co-national managing director for Professional Risk Solutions at AON, the case of Heartland Payment Systems, a purported breach involving up to 100 million records, led to three sets of claims: consumer class actions for alleged invasion of privacy and potential identity theft; class actions involving financial institutions that had to cancel and re-issue credit cards; and securities class actions alleging that directors and officers did not have adequate oversight measures in place. Phil Gusman, Data Explosion Expands Breach Exposure, But Insureds More Open to Handling Risks, Nat’l Underwriter, July 20, 2009.
[3] See Eric J. Sinrod, Data Security Breaches Cost Real Money, Technologist, FindLaw.com, March 11, 2010, http://blogs.findlaw.com/technologist/2010/02/data-security-breaches-cost-real-money.html.