Monday, November 18, 2013

Ironshore Cyber Insurance Policy--Part XII: Professional LIability Inasurance Again



Michael Sean Quinn, Ph.D, J.D., Etc.
1300 West Lynn #208
Austin, Texas 78703
(o) 512-296-2594
(c) 512-656-0503


TechDefender

Tech E&O, Network Security, Internet Media and MPL Insurance Policy 

Insuring Agreement I.K.:
 MISCELLANEOUS PROFESSIONAL LIABILITY  COVERAGE 


Remember: This Blog is organized around insuring agreements, definitions and exclusions. Conditions, etc., may be remarked upon briefly, but they often resemble not only so-called "Real World" policies and those found in other currently existing so-called  "Policies for the Virtual World." It also ignores policy limits, retention matters, notice requirements, time intervals for coverage, etc., important as all these are. As usual, the discussion of everything in this blog is preliminary, tentative, sometimes speculative, and--no doubt--occasionally wrong.

After all, there is almost no correcting authority, and some of the most important vocabulary is both new and diversely defined, whether in clear ways or subtle.  There may even be topographical errors here and there.
Also remember, this blog is about substantive sections of the policy only the length of an actual policy is ignored here, though it is a matter of practical  importance in several ways.  Nor is this blog concerned with policy limits at the high end or the size of retentions of the insured at the other. And so on. 
No doubt many of you, dear readers, have grown weary of "Essays on Ironshore."  It's over. OK?*
No doubt you have found this to be an amazing experience, of one sort or another.* [*/* See the end of this blog."

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

 The Insuring Agreement
This insuring agreement is easy to understand. Since it is liability insurance, it involves a promise of the Insurer to "pay on behalf of the Insured all Loss the Insured is legally obligated to pay as Damages as the direct result of any covered Claim alleging a Miscellaneous Professional Service Wrongful Act," except that I.K. does not cover any portion of any claim covered insuring agreements B and C, assuming the insured purchased those coverages. (The Insurer's duty to defend is found specified in some detail elsewhere in the policy, and the amount spent on defense is deducted from the policy limits.)  
[Unlike other insuring agreements devoted to liability coverage, the "pay on behalf of" component of this agreement is not restricted to Damages that are both the direct result of a covered Claim which it itself is the direct result of a specified Wrongful Act. In addition, in at least one other insuring agreement the last phrase in the agreement indicates that this is a package policy. When one insuring agreement is purchased it need not be the case that all of them are.]
The explication of this insuring agreement begins with the definition of Miscellaneous Professional Service and then turns to the connected Wrongful Act.
Roughly speaking the definition of Miscellaneous Professional Service is any service listed in a part of the "Declarations Page" of the policy, but it does not include Technological Services or Electronic Publishing. [Presumably, an Insured need not have purchased I.K.]
The definition of the relevant Wrongful Act is nearly as simple, although the underlying concepts are deeper and therefore more complex. The phrase means "any actual or alleged act, unintentional error, omission, neglect, or breach of duty by an Insured, or by a Service Provider, in connection with a Service Provider, in connection with the rendering or failure to render Miscellaneous Professional Services for others for a fee."
[Significantly, I.K explicitly makes clear the Doctrine of Fortuity, since it utilized the concept of intentionality in a prominent place where it spreads out over everything else.  At the same time, breaches of contract are not outside the definition. The concept of a Service Provider has already been discussed elsewhere in this string of blogs. What is important to remember is that one that is covered must be under written contract with the Insured to render relevant services to it.]

This problem is one of appearance only.  There is a separate section in which the duty to defend liability cases is set forth.  This fact may be confusing even to the more experienced reader.  The reason is that the duty to defend is usually set forth in the insuring agreement section of a policy. Here the opposite is true.  That duty  gets its own section,  The insurer's duty to defend in this policy may be weaker than in many so-called real "world policy."  Most policies of the so-called "real world" require a liability insurer to defend its insured if the plaintiff's pleading states--or, probably in many jurisdictions, sketches  a covered claim; it does not require that the claim actually be covered.  The plaintiff (and possible victim) can be wrong about what is asserted in the pleading or even lying, and there still be a duty to defend. The liability sections of this policy don't appear to say that.  It at least appears that the claim must actually be covered.  I don't see how that can be true, but if I have understood the language, that is what is says.

Exclusions

I have not noticed any Exclusions that are unique to I.K.  Moreover, I have not recognized an exclusion for breaches of contract.  Finally, I presume that the description of the professional service to be insured might itself exclude at least some exclusions.
Conclusion
I confess that I am not quite clear about what activities might count as "other" professional services.  If the general possibilities that appear to be available by filling a portion on the "dec" page and procuring an agreement from the insurer, they stretch as far as the imagination. This is not true. The Technological Services "exclusion" drives out virtually all of the professional services one would link to a high tech company, e.g., designing networks and lots of other cyber stuff.  In addition, I have understood the definition of Electronic Publishing to be, every kind of informational, therapeutic, or spiritual electronic publication, not to mention preachings of the gospel, etc. would all be excluded from I.K.  [One can almost hear the policy saying, "If you want coverage for broadcasting, etc., and it is not covered elsewhere in this policy, go buy another type of policy, perhaps a newspaper or other media coverage--you know, the type that already exists. OK?"*)

Observation: the reader will have notice that the word "directly resulting from," and its linguistic siblings and cousins appear frequently in this report on the Ironshore policy.  Sometimes in a chain of events which are linked together to create insurer liability the words appear more than one to describe the chain.  These words are becoming ever more used in various kinds of insurance policies but one sees them repeatedly in cyber policies, and certainly this one.

Disputes as to meaning are developing full boar in coverage litigation. See Retail Ventures Inc. v. National Union Fire Insurance of Pittsburgh, PA., 691 F.3d (6th Cir. 2012) 

Tuesday, October 29, 2013

Cyber Insurance, Cyber Exclusions and Breach of Cyber Insurance Contract (aka Cyber Insurance PolicyPolicy) Part I,A

Michael Sean Quinn, Ph.D, J.D., Etc.
1300 West Lynn #208
Austin, Texas 78703
(o) 512-296-2594
(c) 512-656-0503

Breach of Cyber Contract

The Ironshore under discussion here, and some other cyber insurance  policies providing liability coverage will contain coverage for at least some breaches of contract.  This is a rarity in most run of the mill insurance policies for the real world.

Here are some ways to look for covered breach of contract obligations on the part of the insurer.
  • Check the various insuring agreements.  So more than the narrowly relevant one.
  • Look at the general definition of "wrongful act."
  • If the phrase "wrongful act" is set forth in term of being an "X activity [[or] service] wrongful act" look for it there.  Be sue to check the ones you care about, e.g., because you want to determine which coverage to purchase,  because you might try and negotiation and appropriate endorsement, because there might be a price differential.
  • Get a letter from whomever you use, whether a broker, a risk consultant, or a lawyer.  The letter should be general and particular, where the particular question(s) pertain to coverage for breaches of contract.
This potentially a subtle, hidden matter.  You may wish to use cyber-sophisticated coverage counsel.  You may not want to restrict you inquiries and analyses to a broker or to an external risk manager/consultant.  You need to be careful regarding the selection of counsel.  Experience with e-discovery is insufficient to make sure adequate knowledge is there, nor is the use of a BigFirm that promotes or advertises itself as "the go-to" group for cyber policy analysis.  Private, firm-sponsored "newsletters" don't do the job either.  Of course, none of the activities and/or presentations imply that the lawyers in that firm (and, maybe, in are relative specialty group) are unacceptable.  

 



Thursday, October 10, 2013

Ironshore Blanket Cyber Policy--Part XI: Insuring Agreement I.J



Michael Sean Quinn, Ph.D, J.D., Etc.
1300 West Lynn #208
Austin, Texas 78703
(o) 512-296-2594
(c) 512-656-0503



TechDefender

Tech E&O, Network Security, Internet Media and MPL Insurance Policy 

Insuring Agreement I.J. TECHNOLOGY AND INTERNET
LIABILITY COVERAGE
Remember: This Blog is organized around insuring agreements, definitions and exclusions. Conditions, etc., may be remarked upon briefly, but they often resemble not only so-called "Real World" policies and those found in other currently existing so-called  "Policies for the Virtual World." It also ignores policy limits, retention matters, notice requirements, time intervals for coverage, etc., important as all these are. As usual, the discussion of everything in this blog is
Be sure to read the "Concluding Remarks," Even if you don't read all--even much--of the rest of the blog.
*****************************************************************************
Insuring Agreement 

Once the temporal and procedural components are ignored, the substance of the insuring agreement looks pretty much like this:

The Insurer will pay on the Insureds behalf all Loss. . .that the Insured is legally obligated to pay as Damages as the direct result of any covered Claim alleging a Technological Wrongful Act
Wrongful Act, except to the extent the Claim "would be covered under Insuring Agreements B and C[.]"  [B is NETWORK SECURITY LIABILITY COVERAGE;  C is PRIVACY LIABILITY COVERAGE, and both have been discussed in earlier blogs regarding this policy.]

It is worth keeping in mind that actionable defects in the rendering of "professional services" are often called "errors and omissions" policies, although both an error and an omission are not required--one of them will do just fine.  They are also often called various types of "malpractice."  (A generation ago, or so, the phrase "errors and omissions" applied to errors of accountants. Those separate usages are gone.)

New Definitions
 
All, or virtually all, of the starting definitions to be found in the insuring agreements (and in the exclusions, for that matter) depend upon other definitions. A rests on B; B rests on C; and so forth. The key definition of a substantively significant matter is the particular type of wrongful act. Going over the definitions will take some time.

The starting definition with which this coverage analysis starts is a buried definition, namely, Technological Services.  Obviously, the nature of (or the character of) a "wrongful act" depends on that activity with respect to which there has been a wrongful act. This definition is complex; it takes up nearly half a page. 

One thing about the idea of Technological Services is that it includes many services that are regarded as "professional services" on some policies in the so-called "real world."  These are policies that are not ordinary policies, e.g., for life, home and similar buildings, individual vehicle (including boats and the like), etc.  They are not ordinary business policies that cover a slew of ordinary activities.  Instead they are policies that cover specialized and "high class" activities, usually by persons and their companies. Only their professional activities are covered, and in many cases the "wrongful act" is negligence. Here are some examples: physicians, lawyers, accountants, psychologists, brokers, some financiers, and so forth. The Technological Services definition covers some professional services, in this sense, but others as well.  (Then again, perhaps in cyber lingo and its system of concepts lots of activities are called professional the analogues of which in the so-called "real world" would not be counted as such.  This may be quite reasonable since it is a very complex "world.")

Here are some of them:
(1) analysis, design, [and much else] of Computer Systems
 (2) "data base design," (including the warehousing, storage, or recording or analysis of data, etc.)  [MSQ: surely including "cloud" activities],"
(3) other related services:
(a)  consulting, etc. of "technological information," plus manufacture, repair, etc., \
(b) licensing computer software,
(c) website design, and the provision of various sorts of services, etc.,
(d) design, etc., of chat rooms, etc.,
(e) "e-commerce transaction services," etc., &
(f) "electronic data destruction services."

The meaning of the phrase Technological Wrongful Act is much simpler;  it "means any or alleged actual act, unintentional error alleged act, omission neglect or breach of duty by an Insured or Service Provider to others for a fee, including the Insured's intentional breach of contract to render services to others, or the failure of the Insured's Technological Products to perform the function intended."

The idea behind Technological Products is easy to grasp.  So is the idea of Service Provider, except that it is a hireling of the Insured and does its work. (Of course both of these summaries of definitions are just that, rough summaries.)

A too limited (and somewhat speculative) summary is this: The kind of wrongful act covered has to do with fouling up work in connection with an insured's technological work (or those of its service provider) they directly harm some computer stuff belonging to someone else and found in the so-called "cyber world" damages to the company to which the cyber material. However, I.J.provide coverage to that portion of this policy "covered under insuring agreements I.B and I.C." [The emphasis is mine] 

The "and" in this exclusion\or limit built into the insuring agreement requires that an event and consequence of that event be covered under both I.B and I.C in order to be outside J-coverage.
The coverage provided in I.B is injuries and then losses inflicted upon the network security of another by means of a covered wrongful act. (See Part See III.)  Being covered by I.B but not I.C doesn't entail no coverage under I.J.  Insuring agreement I.C covers injuries and losses caused to the privacy (or privacies) of others.  (See Part IV)  .C alone does not take an injury and its losses out of I.J.  It must be conjoined to I.B.

My guess is that actionable invasions of privacy on the net can occur without the destruction of or injury to network security.  I.J is really about fouling up the rendition of cyber services.  Obviously,
inflicting damages upon a network is the same as a failure to renter satisfactory services.  Not will the latter likely to invade someone's privacy.  So why separate them off so sharply? Simplifying adjustment? Unlikely: the adjustment process with remain the same.  Premium allocation?  A little more likely, perhaps, since reinsurance would be priced differently without this "exclusion." Neither of these seem likely, however, so I am mystified.






"Wrongful Acts," "Claims Made," & "Claims Reporting"




Michael Sean Quinn, Ph.D, J.D., Etc.
2630 Exposition Blvd  #115
Austin, Texas 78703
(o) 512-296-2594
(c) 512-656-0503



Cyber- Insurance & Some Crucial Time Elements


Another thing to keep in mind is that all--or virtually all--cyber insurance policies are so-called "claims made" policies.  They fall into the pattern of D&O and professional malpractice policies to be found in the so-called "real world."   What is important is that all so-called "claims made" policies may have three very significant time elements in addition to policy limits.

In both "worlds," the phrase "claims made" is often a misleading metaphor.  A more general characteristic, which changes the policy radically, and which an insured needs to watch out for is a two or three component "claims made" period; significantly the components are all different.
 
The first one requires that the relevant covered "wrongful act" be performed during a specified length of time; often this is during the policy period; though sometimes, by agreement and an additional fee, it can be provided during a retro-active extension period; the existence of this period will usually be found on the dec sheet, though it can be found in an endorsement, for example, if it is purchased after the original purchase of the basic policy. Under some circumstances this component can cover some sections of a liability claim. 
The second one is the actual "claims made" component; this is a covered claim made against the policy holder; consequently, it is to be found in liability policies, not first party-policies, so far as I know.  The specified time for when a covered claim may be made can be extended both backwards and forward in time
The third component is the "claim reporting" requirement.  This is the time period during which the insured must report a claim to the insurer including  any claim made against it during the specified periods.  Cyber policies are new, and there  is virtually no authority as to their potentially controversial meanings. From the point of view of coverage analysis this is a new and relatively uncharted ocean. Conjecture and even guess work are required.
 In addition, it usually must also be done within a reasonable period of time, and this is described as "as soon as practicable."  If one were to look at phrases that are paradigmatically vague, this is one of them. It certainly does now and will in the future generate lots of controversy.
Again, like the other components this requirement is for liability policies. It too can be extended. These time limits can be iron clad. 
To be a covered claim, the following must be considered: (1) whether the insured received service of a lawsuit claim is required within a specified period of time; (2) whether the insured has received a demand or announcement letter (but not the lawsuit yet), and (3) whether the insurer has a reasonable belief that (1) or (2) might well happen.  #(1) is invariably a necessary condition for coverage; #(2) is usually to be found in policies; and #(3) is also to be found in policies. 
The insurance purchasing department of the insured company should make sure that those who handle risk management know this, and that all relevant management personnel are made aware of the pertinent provisions of these contract requirements. It does not matter whether they are actually there. Relevant personnel should watch all problematic acts or omissions in the company for signals of potential coverage problems.

The above discussion has concerned time requirements required by the insurance contracts. Naturally, first party policies have some similar requirements. Often the word "claim" is used in this context.  It has a different meaning.  In this context, a claim concerns the damage or potential damage to which the insured itself has or will be subjected. It's causes may involve conduct of the insured, conduct of others, damages caused (or to be caused by nature), simply adverse luck, or a combination of some or all of these. Of course, these claims must be made within specified time periods, often the policy limits, and they can include damage already occurred, or the reasonable concern that damages might occur in the future as a result of actions, omissions, or events that have occurred.

Monday, October 7, 2013

An Ironshore Cyber Policy--Part X: Insuring Agreement I.E.:




Michael Sean Quinn, Ph.D, J.D., Etc.
2630 Exposition Blvd  #115
Austin, Texas 78703
(o) 512-296-2594
(c) 512-656-0503


TechDefender

Tech E&O, Network Security, Internet Media and MPL Insurance Policy 

Insuring Agreement I.I: NETWORD EXTORTION AND REWARD PAYMENTS COVERAGE
Remember: This Blog is organized around insuring agreements, definitions and exclusions. Conditions, etc., may be remarked upon briefly, but they often resemble not only each other but those found in currently existing policies. It also ignores policy limits, retention matters, notice requirements, time intervals for coverage, etc., important as these are. As usual, the discussion of everything in this blog is tentative, partial, and perhaps mistaken here and there.  It is a new and
relatively uncharted ocean.
Be sure to read the "Concluding Remarks," Even if you don't read all--even much--of the rest of the blog.
___________________________________________________________________________

NETWORK EXTORTION THREAT AND REWARD PAYMENT COVERAGE

This title introduces a relatively new type of first-party coverage not to be found in many so-called "real world" policies, although it is to be found in some--of what might be called elite policies. Often it is to be found in (1) D&O policies for businesses, such as (a) those doing business in some overseas places, and/or (b) anywhere there is or likely to be a rebellion (or something of the sort), and/or (c) some sea areas, e.g., where companies that have significant employees sailing around not very far west of parts of Africa. (2) Less often there are crime policies in which the relevant coverage appears, at least by endorsement; and (3) there are specialty kidnap and ransom policies.  (In theory it could occur as an endorsement to maritime insurance policy, but that is doubtful.) 

Insuring Agreement 

This insurance agreement--and remember, it is first-party insurance--consists of two paragraphs.  The accord with the conjunction in the title. One pertains to expenses incurred in dealing with the threat, and this may include what must be spend after the threat is carried out.  The second paragraph  covers some payments made as rewards  to prevent execution or deal appropriately with the persons making threats after the is carried out.  (Many people are not included in the Insurer's obligation to pay for information--police persons, for example.) These same types of provisions are to be found in corresponding, or analogous,  so-called "real world" policies. 
It is best to deal with the operative definitions. These are Network Extortion Threat, Extortion Expenses, and  Extortion Payments. Nearly all of the key terms in the insuring agreement turn on these three phrases. 
Definition: "Network Extortion Threat" 

This term, roughly, refers to a credible threat or series thereof made by a natural person to an Insured
where such natural person:
  1. introduces or threatens to introduce Malicious Code into the Company's Computer System;
  2. interrupts or threatens to interrupt its System by means of a Denial of Service Attack;
  3. disseminates, divulge, or improperly utilizes or so threatens at least one of these involving Non-Public Personal Information or Confidential Corporate Information obtained from the Company's Computer System.                                                                                                                       
Roughly speaking, the definition seems to be reasonably clear as it stands, at least as to what is included and what is not. The exception to this is Confidential Corporate Information.  It includes only information of third parties, subjected to a confidential agreement,  provided to the Insured to enable it to perform Miscellaneous Professional Services for the third party for a fee. Covered Miscellaneous Services are  those listed on the dec sheet, subject to two exceptions Technological Services (a long list of computer services running from design to repair and on to licensing) and the phrase Electronic Publishing suggests its own meaning (or some of it at least). 
The definition is not without puzzles, however. Of course, virtually all terms which appear to be quite precise are actually not.  There will be disagreement about many terms, and that can lead to dispute regarding coverage claims. Could a "logic bomb" be like that?  What if "cookies" had distant dangerous cousins which are not technically "cookies"? And so forth. Furthermore, why would the covered threats be limited to those made by a natural person?  Why couldn't a corporate entity make such a threat?  Would a threat be a covered threat if it was designed, engineered, and carried out ultimately by a corporation, although it is delivered by a natural person? Why are the Company's own trade secrets left out of the list of Confidential Corporate Information? What, if anything, is the difference between "disseminating" and "divulging" something?
One very important fact is built into the definitions. It is the one referring to Miscellaneous Professional Services.  It is perfectly clear that lawyers and law firms can fit on that list.  Doesn't that fact suggest that such actors might want to make sure that there are such lists potentially favoring them and that their confidential information is covered on policies like this one? 

         Definition: "Extortion Payments" 

This phrase means "monies paid to a third party whom the Company reasonably believes to be responsible for a  Network Extortion Threat," provided that the Insurer has consented in writing, provided that the purpose of the payment is to terminate the Threat, and provided that the "Extortion Payments" do not exceed the amount of Business Interruption Income Loss the Insurer reasonably believes would have been incurred had such Extortion Payments not been made.
[One of the most important features of this definition is that it restricts the amount claimable by the Insured as equal to some normal expenses and Business Interruption Income Loss. Why would one think that the threat sums demanded would be restricted in this way?  This policy leaves the insured uninsured over this sum, and it has nothing to do with the policy limits. One can envision a policyholder or its counsel demanding that this amount be eliminated by endorsement.
Another of the most important features of this definition is that it is that it is the Insurer's reasonable beliefs as to the amount of BI Loss that control the amount owed. One can easily imagine a policyholder or its counsel asking these questions: Why should it not be the reasonable beliefs of the Insured? Or a reasonable conclusion coming from an appraisal? Or a matter subject to "quickie" arbitration? (So far as I can tell there is no mandatory arbitration clause in the contract.)  Perhaps, the Insurer might respond that the contract of insurance articulates a long and complex method of calculating the amount in question and so renders all the policy holder's problems matters of no concern.  See the Conditions section VII.D.1. But wouldn't the policy holder respond that if this were true, then why not leave the relevant calculations to the Insured?]

The Insuring Agreement

Now that the definitions have been spelled out (more or less), the actual terms of the agreement are easily formulated. 
The first paragraph reads this way (pretty much): "The Insurer will reimburse the Company for any Extortion Expenses and Extortion Payments actually paid by the Company as the result  of a Network Extortion Threat[.]"
The second and much longer paragraph reads this way (in brief part): "The Insurer will reimburse the Company for any reward paid to any person or entity, other than. . . for information leading to the arrest and conviction of any person who" is making or has made a Network Extortion Threat, provided that the Insurer has approved it in writing. [The emphasis is mine.]
[First, notice that "reimbursement" is the key idea regarding payment.  Of course, this means that the Insured has to have spent the money first. Second, the Insurer is really running the show, since it must consent in writing. Third, the Insurer has no duty to reimburse if the person making the threat has not yet been convicted of making the threat. Fourth, the information must "lead to" "arrest and conviction"; one wonders what "lead to" might mean.  It is part of a standard phrase in situations like this one. On the other hand, everything in insurance policies is open to linguistic debate.  It seems relatively clear, however, given  the number of times the word "direct" appears in the policy and given that it does not appear here, perhaps it is to be concluded that the information need not lead directly to "arrest and conviction."  Then again. . . .
Exclusions
As is often in this policy, there does not appear to be an exclusion peculiar to this insuring agreement. Narrow applications of these exclusions would be found in the definitions used in the exclusion.  The exclusions in this policy, as usual, are (or at least appear to be) drawn from the so-called "real world" policies, or they are (or--again at least appear to be) general and apply to several of the passages in the policy.   

Concluding Remarks
This is the most difficult insuring agreement of the 11 of them.  I suppose there is always one like this in any group, but it reinforces the necessity that these policies may not simply be read thoroughly and then reviewed a bit by a coverage lawyer; they must be studied. 
One of the principal functions of lawyers representing policyholders (or policyholders to be) is to advise them as to meaning. The answer must always be tentative--very guarded and explained to the client that all analyses just now are uncertain to an unusual degree. Advice of what to buy and how to think about what policy to purchase and/or what the client has in the policies it has purchased is crucial for the cyber lawyer. Many "Big Firms" have entire departments devoted to this; it seems to go with specialties in dealing with "Electronic Storage of Information." 
In addition, cyber policies have not been "around" long enough to have achieved anything like substantial and lasting stability. Clients should also be made to understand that the contents of the policies of different carriers may be strikingly different in a lot of different ways. In addition, the client must be made aware that these kinds of policies may well (and, indeed, are likely to) change at least somewhat every year for some time to come.  This can only be done right if there is encyclopedic knowledge of the nuances in complex policy language and a high level knowledge of  the complicated, quilt-like structure of concepts to be found in the innards of the policies being discussed.  Of course, both the complex language nor the hidden substantive relationship will be far less than perfect






Friday, October 4, 2013

An Ironshore Cyber Policy--Part IX: I.H: Business Interruption Income Loss--Part IX

TechDefender

Tech E&O, Network Security, Internet Media and MPL Insurance Policy 

Insuring Agreement I.H: Regulatory Proceeding Coverage
Remember: This Blog is organized around insuring agreements, definitions and exclusions. Conditions, etc., may be remarked upon briefly, but they often resemble not only each other but those found in currently existing policies. It also ignores policy limits, retention matters, notice requirements, time intervals for coverage, etc., important as these are. As usual, the discussion of everything in this blog is tentative, partial, and perhaps mistaken here and there.  It is a new and relatively uncharted ocean.
__________________________________________________

BUSINESS INTERRUPTION INCOME LOSS AND DEPENDENT BUSINESS INTERURUPTION INCOME COVERAGE is the title of this insuring agreement, I.H. 
A good part of this title is familiar from commercial first-party (often property) policies, where the idea of property damage begins with the idea of physical injury to tangible property.  Obviously, that will not be the beginning of BI*or DBI coverage in cyber-policies.  Still, in terms of purpose this insuring agreement corresponds to the similar insuring agreements found in so-called "real world" policies.

 [*BI is a standard appreciation used to denote Business Income Losses in todays so-called "real world" policies.  Previously, BI referred to Business Interpretation Losses.  Many do not know why the terminology changed, and I am one of the many.  Maybe it was to accentuate the fact that there had to be an income loss; I suspect that was always true.]
Here is the verbatim quotation of  insuring agreement of I.H:
The Insurer will pay the Company any Business Interruption Income Loss [BI], Dependent Business Interruption Income Loss [DBI] and Extra Expense the Company sustains during the Period of Restoration as the direct result of an Interruption in Services, provided that such Interruption in Services first occurs during the Policy Period. 
Before turning the central substantive definitions, several matters need to be discussed.
First, only the Company really covered; only its losses  are to be paid.
Second, under this insuring agreement, the Insurer "will pay" is a key obligation of the Insurer.  This is more flexible that "will reimburse.  Interestingly, there is no restriction of when the Insurer is obligated to pay. Probably all cyber-insurer that use this language are governed by the law--a more or less general law across at least most states in the U.S.--that requires the insurer to pay promptly, once it has the information, etc., it reasonable needs to calculate what it owes.
Third, the Period of Restoration is defined (pretty much) as the reasonable length of time it takes the Company to get its cyber operation up and running again, measured starting with the time there was covered Interruption in Services, but lasting no more than 30 days.

 Obviously, the Period of Recovery to reach out beyond the end date of coverage under the policy This topic is often a matter of dispute.  One of the principal topics of dispute is  whether the insured made is snappy to get the fix completed.  An enormous number of facts and therefore components of an (or more than one) investigation are involved in any relevant adjustment and/or adjustment dispute.  As a general rule, periods of restoration can be extended by endorsement, like lots of things in insurance policies.
Fourth, the term "direct result" again serves a crucial role. For more on  this matter, see Part VIII: I.G, for example.  The ideas of direct and indirect is illustrated nicely by the workings of "Silk Road."  Some of it is direct, I think, in particular,  the mailing of the "goods."  Some of it indirect, I believe, namely, the modes of purchasing the "goods."
Fifth, the Company's Computer System is an obvious term the meaning of which is intuitively obvious at a surface level.  Of course different companies what have different systems used for different purposes.  In this definition, an insured system is one restricted to working solely for the Company's benefit
We now arrive at what might be called the crucial topical definitions.
The definition of Interruption in Services [IS], the covered train of events which do covered injury or damage to the Company.  Which ISs are covered and which are not is to be found in this definition.  IS "means the actual and measurable interruption, suspension, failure, degradation or delay in the performances of the Company's Computer System, if directly caused by a Network Security Incident.  [Notice that the idea of being direct is a necessary condition of being an IS and therefor of coverage.  Given the general terms--one is "measurable"--one can bet that there will be disputes grounded on this idea.]
BI and  DBI are the crucial definitions for describing the types of  injuries/damages for which the Insurer will pay.

BI means, roughly speaking,  the Company's loss of "net profits before income tax" that the Company is prevented from earning as the result of IS and its normal expenses, e.g., payroll,  that "must continue" during the Period of Restoration had there been no IS

 [This is a relatively standard surface formulation of BI for a very long time.  Extra-help that has to be brought in to straighten thing out is an Extra Expense, not a loss.  Notice that the general BI can be brought about by an assortment of causes of the IS, and that the cause of the IS might actually involve more than one cause, so that the IS need not directly result from a single cause.]

DBI is one of those components of this insurance policy that contains of "direct;" once is "direct result of" and the other it is "caused directly by."  It is even more complicated than passages where there is a double occurrence of the word; for this reason it is necessary to quote some of it.  It is a BI loss "as the direct result of an IS[, and it] is caused directly by a Network Security Incident to the
Service Provider's Computer System  but only if such Network Security Incident would have been covered under the Policy had the Service Provider been entitled to insurance in accordance with the terms, conditions and other provisions of the Policy."

This is a very complicated provision.
The place to begin is with the word "dependent.  The point is that this form of BI must be triggered  by an injury to something upon which the Company depends, and--if anything--will be the Service Provider. The surface idea of a Service Provider is easy enough to understand, though it must be understood that it is a separate company, a vendor, and there is a forma contract with the Company.  It's computer system is simply a Computer System somehow and/or to some extent belongs to it, as the term is defined in the policy.  It is the Service Provider's Computer System that must be subjected to a Network Security Incident.  

That is a defined term in the policy. It, very roughly, means some sort affliction is directly imposed upon the Service Provider's Computer System, such improper use of it and/or the introduction of a Malicious Code, that directly results in specified injuries/damages to the Company's Computer System so that it is subject to IS or a "corruption or deletion" of Digital Assets."  However, under the definition of DBI there is a necessary condition:  the Service Provider must be such the Network Incident "would have been covered under [this] Policy had the Service Provider been entitled to insurance in accordance with the terms, conditions and other provision of the Policy."

One thing this means is that the insurance of the Service Provider must been equivalent to the Company's policy in terms of strength and scope for the Company to have coverage.  If the Service Provider has weaker or no coverage, the Company will have no coverage for DBI.  Something it might mean is that the Company's Digital Asserts have been "corrupted."  Unfortunately, that is not a defined term, although the term is commonly used in cyber-circles.
 So far as exclusions are concerned, there do not appear to be any that apply uniquely to this insuring agreement, and if so there are none that are prepared for it.  Plenty of exclusions that are to be found in so-called "real world" policies apply to it and to the rest of this policy, and lots of new fangled exclusions for the "virtual world" also apply to it.  Still, there is nothing further that needs to be said about this exclusionary matter just now. 


Wednesday, October 2, 2013

An Ironshoe Cyber Insurance Policy--Part VIII: Insuring Agreement I.G




Michael Sean Quinn, Ph.D, J.D., Etc.

1300 West Lynn #208
Austin, Texas 78703 
(o) 512-296-2594
(c) 512-656-0503




TechDefender

Tech E&O, Network Security, Internet Media and MPL Insurance Policy 

Insuring Agreement I.G: DIGITAL ASSET EXPENSES COVERAGE

Remember: This blog is organized around insuring agreements, definitions and exclusions. Conditions, etc., may be remarked upon briefly, but they often resemble not only each other but those found in currently existing policies. It also ignores policy limits, retention matters, notice requirements, time intervals for coverage, etc., important as these are. As usual, the discussion of everything in this blog is tentative, partial, and perhaps mistaken here and there.  It is a new and relatively uncharted ocean.

*  *  *  *  *  *
This insuring agreement is the first of three first-party coverages. It is important to quote the entirety of the agreement, and then give a quick explanation. As usual this agreement depends upon several definitions, two of which are new here; as usual they depend on others. There are more definitions than will be discussed here, since they have been discussed early in these blogs, so they will not be discussed in detail. 

Here is I.G:
"The Insurer will reimburse the Company for any Digital Asset Expenses the Company incurs as the direct result of the corruption, damage, impairment, destruction or deletion of Digital Assets directly caused by a Network Security Incident[.]"  [This is the end of what will be fully quoted in this blog.]

There are several important points to note in this definition. First, the Insurer has an obligation to reimburse.  Technically, under the wording of the contract, this means the Insured has to spend the money before it collects from the insurer. The Insured's right to reimbursement only for covered spending.  Thus, the Insurer probably has a right to "observe,"  "monitor," and maybe even to some degree "regulate"expenditures.  [The words in quotes are mine, not those of the policy.] Of course, any such regulation must be reasonable and necessary.

 The rights of the insurer and the insured parties to the contract may conflict on this and--of course--other matters. One area disputes in this area might develop is over the need for forensic investigation; carriers may sometimes assert that one is enough; while the insured may assert that it has a right to pick its own investigator.

Second, it is the Company and not the Insured that is covered in I.G. Of course, the Company is part of the Insured, but it is not the only one; the others are individuals and they are named as Insureds here.  Probably that is because it is the Company that will be incurring the expenses that are covered.

Third, the term "direct" is in I.G twice. Hence, there must be two direct, as opposed to indirect, causation's.  First, the covered expenses must directly result from a covered incident to which the covered Digital Assets were subjected. Second, the expenses must directly result from the corruption [etc.] of the Digital Assets.  

(The reader might use the following images to get an idea of required directness. Suppose Obama sends a diplomatic message to Putin. He might hand it to him. That's obviously direct. The U.S. Secretary of State might tell him or hand him a note. Is that direct? If Obama "wires" it; and the document is decoded; the Russian Foreign Secretary picks it up, reads it, and hands it along; maybe with a memo; Is this "direct"? Are there degrees of directness?  If so, how does this handle back-and-forth arguments about claims?) See Retail Ventures Inc. v. National Union Fire Insurance of Pittsburgh, PA., 691 F.3d (6th Cir. 2012)

Of course, as already said, there are many other definitions, some of which are complex right on their surfaces and some of them involve other "sub-definitions," and they may be quite complex. Many other cyber policies are like this. The reader has been warned.

Some Key Definitions

The place to begin to sketch the other key portions of this agreement I.G is with the idea of--the definition of--a Digital Asset:

"Digital Assets means Electronic Data, Software, audio files, and image files stored on the Company's Computer System." (And then is a list of what is not within the definition, e.g., some pieces of paper, "unless they have been converted to Electronic Data, and then only in that form.")  The main themes of the definitions within this definition are predictable, although there may be sub-surface subtleties; all such components will be subject to endless dispute.

The other key definition is Digital Asset Expenses:

The phrase Digital Asset Expenses, as one might expect, to what it costs to replace or restore Digital Assets that has been injured in specified ways "corruption or deletion as the direct result of a Network Security Incident. Of course the expenses must be "reasonable and necessary."  These Expenses include "disaster recovery and or computer forensic investigation efforts[.]"  In addition, the replacement or restoration must be done in specified ways, e.g., solid records or other (to some extent) matching Electric Data.

Exclusions


There are no exclusions uniquely applicable to this insuring agreement and its definitions. The definitions more or less are taken from the language of definitions found in policies, designed for the so-called "real world" apply, of course, as to the definitions formulated for all--or many--of the sections

Friday, September 27, 2013

On the Rhetoric of the Ridiculous.




Michael Sean Quinn, Ph.D, J.D., Etc.
2630 Exposition Blvd  #115
Austin, Texas 78703
(o) 512-296-2594
(c) 512-656-0503


Overdoing rhetoric in briefs, motions, pleadings, etc., is a poor, tasteless and below grade "C" lawyering. There has recently been direct and unequivocal explicit support for this obviously true proposition.  Perhaps the pronouncement of the 6th Circuit will encourage those who do not realize that stridency of semantics, as opposed to restrained assertion and calm clear argument, is almost never a good idea. Let the ideas produce the desired effect; if they don't do the job, try a different approach if possible. Never resort to the crude bluster, cliche-ridden, always overdone language of the pool-hall loudmouth. Grade C lawyers at this point might say that such a position is absurd.  Such lawyers still would not have learned the lesson.

An illustration of this point is to be found in a recent insurance case.  Barbara Bennett et al v. State Farm Mutual Automobile Insurance Company, No. 13-3047, 2013 WL 5312398 (6th Cir. September 24, 2013)

In this case, Ms. Bennett was struck by an automobile as she was walking her dog. As a result of this accident she ended up on the car--not next to in on the roadway, not standing next to the car, and not under the car.

She argued that she "occupied" the car under the State Farm policy.  The District Judge held that State Farm's defense was correct: she did not "occupy" the auto, since she was not in it.  State Farm called Bennett's position "ridiculous" and did it on the first page of their brief.

The court criticized this linguistic behavior for four reasons: first, where the language was in the brief, second, because it was worded as it was; third, because State Farm's argument was fairly obviously invalid; and fourth, because State Farm was wrong.

With regards to points #1 and #2 the court, quoting another opinion from which  it wrote its opinion: "There are good reasons not to call an opponent's argument 'ridiculous,' which is what State Farm calls Barbara Bennett's principal argument here. The reasons include "civility; the near-certainty that overstatement will only push the reader away (especially when, as here, the hyperbole begins on page one of the brief, and that even when  the record supports an extreme modified, 'the better practice is usually to say out the facts and let the court reach its own conclusion.' Big Dipper Entm't, L.L.C. v. City of Warren, 641 F.3d 715, 719 (6th Cir. 2011)."  Trying to, in some sense, compel opinions by the use of "battle-station" rhetoric is ill-advise.*

With regard to the third point,  the court criticized State Farm's argument.  It argued that coverage analyses proceeded on the basis of how whole types of policies are interpreted: auto policies for example, and the "occupy" language of those types of policies. The court informed State Farm that contracts of insurance are to be interpreted one at a time and not as whole classes. That a court has decided a similar-looking policy in the way the insurer wants it interpreted does not bind a court, even itself.  Nor is the "type of" versus "this language for this situation" valid reasoning.

State Farm also tried to argue that only someone who has an "intrinsic relationship" with a car can be said to "occupy" it, and hence the court ought to be examining whether Ms. Bennett has such a relationship with the car that struck her. Instead, the court observed, there was authority in Ohio, where this suit was brought, that the intrinsic relationship test was one of several that can be applied "'where a  gray area exists concerning whether a person' was an occupant of a vehicle and thus entitled to coverage. In this case, however, the policy marks out its zone of coverage in primary colors. The policy terms therefore control."

On this ground, the court reversed the district court and entered judgment in favor of Bennett. And it did this without remanding.

One can wonder about the decision. Oddly enough the court does not include a quote from the policy. That is unusual but not really interesting as to the court's reasoning. More interesting is the fact that the court does not give a specific argument--perhaps based on a hypothetical--supporting the proposition that being on a car entails the proposition that one is occupying the car.

It also clearly, though impliedly, rejects the idea that the term "on" in this situation is ambiguous. It seems to me that one can be on a car, e.g., on top of a car, without actually occupying the car. The man that washes, waxes and cleans out my car every Saturday, does not occupy my car all the way through its work. He stands next to the car while is washing it; he climbs up on it to wax the top and gets in it to clean out the interior in various ways. It is plausible to say that only for the third part of the operation does he occupy the car.

Although the following example--nor anything like it--should ever be found in a brief (or anything like it), except as taken from a transcript of testimony. One can easily imagine a couple denying that they occupied the car while having sex on the front hood of the car (or even the roof), but "admitting" that they occupied the car when they did so in, for example, the back seat.

Perhaps--just perhaps--the court is impliedly suggesting that Bennett was occupying the car because she did have an intrinsic relationship with it. After all, she suffered further injuries as a result of being placed on the car--injuries that she would not have received had she not been knocked up onto the car.  I suppose one could argue that if one has been put onto something it occupies it.  One can easily have subscribed to this argument if the word is "into," not "onto."

One might oneself not be convinced by the court's reasoning.  Consider the dog belonging to the 2012 candidate the Republican Party recently ran for president.  It did not occupy the family car when he was attached to the roof of the car as they all drove to Canada for a vacation.  The disclosure of this fact caused a furor. Obviously, part of the general population agreed: the dog did not occupy the car. In some respects, although certainly not in other very important respects, Bennett and the dog share properties.

*I tried "battle" rhetoric first long ago in the presentation of an argument to the 8th Circuit.  It was a covenant not to compete case with federal jurisdiction on grounds of diversity.  I had tried the case and lost. Anyway, I opened by informing the court that "This case is one of national significance."  The head of one of the judges almost jerked up, and he immediately and a bit disdainfully asked, "How? Why?"  My answer had to do with the lack of case authority on how to interpret a "Uniform" act that had been passed in the relevant state.  I actually thought that a specialized uniform act, used in various ways around the country but enacted only here and there, made the matter then at hand one of national significance.  My clients loved it, but. . . . 

 I suppose  I must confess that my address there was not the last time I did that, though all the (few others, I hope and believe) were somehow triggered by a mysterious outside source, and therefore have been instances of  unintended rhetorical idiocy, so that  I am not really responsible.




Tuesday, September 24, 2013

An Ironshore CyberPolicy--Part VII:Insuring Agreement I.F.

TechDefender

Tech E&O, Network Security, Internet Media and MPL Insurance Policy 

Insuring Agreement I.F: Regulatory Proceeding Coverage

Remember: This Blog is organized around insuring agreements, definitions and exclusions. Conditions, etc., may be remarked upon briefly, but they often resemble not only each other but those found in currently existing policies. It also ignores policy limits, retention matters, notice requirements, time intervals for coverage, etc., important as these are. As usual, the discussion of everything in this blog is tentative, partial, and perhaps mistaken here and there.  It is a new and relatively uncharted ocean.
*********************************************************************************

This insuring agreement is entitled Internet Media Liability Coverage.  It departs from the topics of privacy and network security and injury. 

The principal topics here are Electronic Publishing Wrongful Act and Damages.  The definition of Damages was covered in Part IV, so it will not be explicated again here, since it is lengthy, cumbersome, complex, an easily accessible.; there will be only a brief mention. 
The focus will be on the first of these two, Internet Publishing Wrongful Act.  It is complicated enough considered just by itself, partly because it hinges on another definition, Electronic Publishing, which--in turn--hangs in part on yet another definition, and it too. . . . down the pillar of definitions. Obviously, this discussion cannot complete the whole, dependent group of definitions.

The idea of a wrongful act is not itself defined in any general way, though it is sort of defined in terms of different key activities. Nevertheless, what it probably is, at least in part,  in different contexts is clear enough from the two words themselves, knowledge of the English language, and common sense.

The substance of the insuring agreement reads this way:
 The Insurer will pay on behalf of the Insured all Loss that the Insured is legally obligated to pay as Damages as a direct result of any covered Claim alleging an Electronic Publishing Wrongful Act (EPWA), provided. . . .
EPWA includes a number of actionable acts, some of which are also found in Coverage B of the Commercial General Liability policy, and there are more. The EPWAs are all linked to the Insured's Electronic Publishing.  Here is a list of some of them, which give the reader a general idea:
  • defamation, 
  • trade disparagement,
  • plagiarism,
  • false light,
  • false advertising,
  • violation of right of privacy,
  • seclusion of a right to publicity
  • copyright infringement,
  • many trade infringements, of various sorts,
  • unauthorized use of various things, formats, plots, etc.

Significantly, the so called "cyber-world" and "real-world" can overlap here.  Here is a crucially important example, copyright violations.  The object taken can originate in one of the worlds and the violation occur in the other. Of course, they can both happen in the "cyber-world," and this coverage apply.

Hacking is a highly publicized example of this sort of thing.  It starts in the "real world," passes into the "cyber world," and then impacts the real world.]

[Here is another, rather different, recent, distressing example. Someone got a hold of a copyrighted pornographic video, obtained the copyright for itself, and then posted them.  It found those who were then downloading it illegally (even once), sued many of them (using boilerplate pleadings), and quickly settled with those downloaders who were willing to settle for less than their costs of defense. Many people either didn't want to spend the money on defense or didn't have it.  Besides, who wants to know about your habits when it comes to porn.These scum bag lawyers and their minions made a good deal of money before getting caught and sanctioned by the court. The judge also sent information to disciplinary committees of various bar associations,  relevant information to other courts where they appeared, and saw to it that they were left open to civil suits. (Of course, criminal prosecutions may also turn up, since this was probably some sort of swindle using federal courts.)  Ingenuity 13 LLC v. John Doe, 2013 WL 1898633 (C.D. Cal., May 6, 2013).]

So an EPWA is a "WA" committed in relation to EP.  Now, how--more or less--is the phrase
Electronic Publishing defined.  It is "the reproduction, publication, dissemination, transmission or release of information, including Electronic Data and other various cyber-type things on a website or operated and owned by the Company or Computer System of the Company, provided [it is that of the Company by itself.]"  Notice that the definition of EP contains other definitions, of which--that of Electronic Data--is on the complicated side.

Several features of the insuring agreement as portrayed here are worth noting. 

First, as with some of the other insuring agreements, the insured has a very long list of propositions it has to prove in order to begin to qualify for coverage. (And this doesn't even address the exclusions, even those are for the insurer to prove, so long as they are not exceptions to the exclusion built into the exclusion.)  This is not an easily played game.

Second, the Insurer has a duty to "pay on behalf of the Insured all Loss[es]. . . ." that the "Insured is legally obligated to pay as Damages as the direct result of any. . . .   The phrase "pay on behalf of" is a crucial phrase here.  It means that the Insurer will not wait to pay the Insured until it has spend money on necessary activities; it will pay up front to whomever has a right  to be paid by the Insured

Third, the Insurer's duty to pay applies only to damages that are the "direct result" of an action.  As has already been pointed out in another Part, there is a slew of disputes arising out of  so called "real world" policies regarding the meaning of that phrase. Presumably it is a jury question, but it can be contested for a very long time.

Fourth, it is extremely important to remember that the term Loss includes not only Damages but Claim Expenses. The two ideas are obviously different. The latter includes the Insurer's duty to defend, and, so far as I can tell, not much else. 

Fifth, it is tempting to say this: the insuring agreement I.F is saying that the Insurer has the obligation to pay defense costs only if the Insured is legally obligated--and so have been found to be legally obligated--to pay Damages.  This idea is absurd from a temperate view, among others.  If I have read the language correctly, then the insurer would have no duty to make payments on behalf of the insured until after it was determined that the Insurer was legally obligated to. . . .  Hence this is not a really possible reading.

Sixth, another way to read this insuring agreement is this one: the agreement says that the Insurer will pay on behalf of the Insured all Loss "that the Insured is legally obligated to pay as damages."  But the term Loss contains two parts.  Only one of them pertains to Damages.  The Insurer has promised  to pay Damages only.  It has not promised to pay any other component of the definition of Loss.  If this is right, then the Insurer has no duty to pay for any part of the Insured's defense.  Insuring agreement I.A. does not restrict the Insurer's obligations to Damages only.  It covers all Loss, so it covers costs of defense as well.  (Now, I must confess that I have a feeling I've missed something.  Intuitively, it doesn't seem probable that a liability insurer selling a policy like this one, would not include a duty to defend. Nevertheless. . . .)

Seventh, this problem is one of appearance only.  There is a separate section in which the duty to defend liability cases is set forth.  This fact may be confusing even to the more experienced reader.  The reason is that the duty to defend it usually set forth in the insuring agreement section of a policy. Here the opposite is true.  That duty  gets its own section,  The insurer's duty to defend in this policy may be weaker than in many so-called real "world policy."  Most policies of the so-called "real world" require a liability insurer to defend its insured if the plaintiff's pleading states--or, probably in many jurisdictions, sketches  a covered claim; it does not require that the claim actually be covered.  The plaintiff (and possible victim) can be wrong about what is asserted in the pleading or even lying, and there still be a duty to defend. The liability sections of this policy don't appear to say that.  It at least appears that the claim must actually be covered.  I don't see how that can be true, but if I have understood the language, that is what is says.

With respect to exclusions, there a lot of them.  Almost all or all of them are subject to exceptions. Both of them are complicated. The list of exclusions, however is very similar to that found in so called "real world" policies. For example, there is no coverage for dishonest actions and actions performed for the purpose of profit.

One significant difference is that, like most cyber insurances but unlike many "real world policies," injuries to human bodies and tangible property are excluded. 

Another exclusion quite specially connected to I.F is an exclusion for most "unsolicited electronic disseminations, faxes, emails, of other communications by the Insured or any other third party," including those which violate statutes, with various exceptions.

Much more can be said and argued, but enough is enough.  Coverings of coverages can run on forever, and maybe this has already go on too long. So it's time to pass on.










Tuesday, September 17, 2013

"Cyber-[Somethings]"--A Readily Rejectable Revolutionary Nomenclature

No policy of insurance should ever be named "Cyberworld Insurance" or "Insurance for the Cyberworld" or anything of the like.  This blog explains why.

Discussions of  the Internet and its numerous "cousins" haft  to use language naming the group or set of "somethings."  Obviously, that language--those names--must be somehow conjoined to the word "cyber."  Here are some widely used locutions: "cyberworld," "cyber-world," "cyberspace," "cyber-space," "cyber-reality," "virtual-[all the preceding]," and more. 

Many are nervous, frustrated, irritated, upset, etc., by the fact that these new semantic constructions are MISLEADING, par excel lance. And rightly so.  Of course, history changes language.  "The phrase "fuck you" has a whole new--and now widely used--meaning.  The new active verb "to text" is grating to the ear; the noun "mouse" is an odd addition,, but what the hell.

The nouns "cyber-something]" are a wholly different matter.  They are terms with a kind of revolutionary (implied) meaning which--get this--dangerously transforms most acceptable metaphysical, ontological theories of (or overall views of)  the real world, of everything that exists.

Calling something a "cyberworld" or "cyber-world" implies that there are two separate worlds.  Any conception of any world involves the world consisting of some sort something, whether it is physical object, ideas in the mind of the Creator, ideas in the mind of each person, and so forth.  In every case, they are part of the same world.  There is no physically respectable view in which there are two separate worlds.  There is no such thing even possible as a "real world" and a "virtual world," both of which exist.  The whole idea of a "virtual world" suggests that such a world does not really exist but almost does.

Even if the mind and the body, something about which there has  been philosophical controversy for well more than 2500 years, are separate and "made out of distinct substances," one material and the other not, they are not part of the same world.  It is not the case that one exists, and does not but comes close.

Even those who believe in God or gods and make Him/Her/or/It the creator(s) of the universe, they are still part of the same world.  Neither of them is somehow "virtual reality."  This is a phrase for psychologists trying to deal with an atheist or agnostic possessed by a huge but befuddled imagination.  Not even those who believe in flying dragons--or, better yet--splendid and glorious angels, believe that they are not part of this world, if they exist.

Every term that is a name of an existing something, virtually on its face, that which is named is part of this world, if it exists. If mathematical concepts and/or equations exist independent of minds, they are part of this world--the one and only existing world.

There is no reality opposed to a cyber world.  Yet the opposite is exactly what the phrases being discussed suggest. The opposition suggests that there is real opposition between something which is real and something that is unreal.  There is no something that is not real. Even if the mind and the body are not, as it were, made of the same stuff--thus there is the "Mind-Body Problem"--they still inhabit the same world. The idea that there exists something that is not real also warps the imagination; it stands in the way of a grasping true reality--as if anything else could possibly exist, and it retards (and will retard) intellectual progress in the heads of both young and old.

The iniquitous phraseology, will--alas--lead to a whole new system of words. Here are some examples: "cyberworldology," "cyberworldification," cyberworldmystification."  Phrasings somewhat like this are not problematic; consider "cyber bullying"; however, most of them contain no suggestion of a separate reality.  That would pop into implied virtual being if the phrase was "cyberworld bullying."  Rest assured! Such bullying is fully and not just virtually real.  Now consider a genuinely puzzling case.  Is there such a thing as cyberworld bullshit?  What would this be?  Virtually existing manure from a type of cow? Of course, "cyber-shit" is a good usage; all that says is that there is metaphorical shit to be found "on" the Internet.  The idea of cyber mysticism seems to work as well, although there cannot be such a thing as mystical knowledge of the cyberworld, since the latter does not exist, even if the former does.

Alas, many will continue to use the phrases; I certainly will, even though it causes the very oddest of dreams.  Most of the true, unbelieving, anti-cyber-world advocates continue this dangerous course because no one can come up with an alternative usage--a usage that would actually work. 

Maybe we all are simply stuck.  There is a problem with that reality.  It is a misrepresentation to have an insurance policy named "Cyberworld Insurance."  But since there is no such thing as a cyberworld, is not the name of the policy suggesting that there is such a thing, and isn't that a misrepresentation?

Monday, September 16, 2013

An Ironshore Cyberpolicy--Part VI: Insuring Agreement I.E.

TechDefender

Tech E&O, Network Security, Internet Media and MPL Insurance Policy 

Insuring Agreement I.E: Regulatory Proceeding Coverage
Remember: This Blog is organized around insuring agreements, definitions and exclusions. Conditions, etc., may be remarked upon briefly, they often resemble not only each other but those found in currently existing policies.
The first specific thing to notice here in I.E. is that the Insurer agrees to reimburse the Insured.  Be mindful of the fact that this concept is quite different from "pay on behalf of" or "pay for."  "Reimburse," literately understood, means that the insured pays first. There is no reason to believe that a court will not take this language literally.

Second, and very important, this entire section is attached to two concepts: Privacy Incident
and Regulatory Proceeding.  The first of these concepts was discussed in Part V, and a concept related to the second one, Privacy Regulation, was also discussed there. Much of what was written there is reprinted in the next paragraph.

The phrase Privacy Incident briefly put includes (i) the disclosure, etc., of some information or another, that is secret, or close to it; and the disclosure is in the care, custody or control of the Insured or Service Provider.  (ii) That disclosure must result from a Privacy Regulation or a failure of the Company to comply with its own privacy policies. The concept of Privacy Regulation includes a slew of  named statues, both state and federal, plus regulations under those statutes, and "any similar state, federal or foreign identity theft or privacy protecting statute." 

[MSQ:  Does the reader realize how controversial the phrase "care, custody and control" can be in insurance disputes?  And here only immaterial entities are involved. Will that complicate matters? Does the reader recognize that there may be controversies generated by the word "similar"?  Or what about this what about the word "any"?  What about when they don't apply? Are Bolivian privacy administrative rules applicable to problems in Oklahoma?  (Perhaps not; but consider the twists and turns, "New York lawyers" might generate out of these two ideas.)  Remember: the phrase "care, custody and control" has caused lots of  insurer-insured disputes for many years.

Now for the second of the two crucial concepts, Regulatory Proceeding.  This topic has not been written about in this (group of) blog(s).  The idea is pretty clear from the language.  The phrase means (1) a governmental investigation of an Insured, e.g., perhaps leading up to a adjudicative governmental hearing concerning a Privacy Incident and/or (2) an adjudicative administrative hearing on either a Privacy Wrongful Act or a Network Wrongful Act including an appeal, either of them begun by the receipt of "a subpoena, a formal investigative demand, complaint or similar document."

It seems odd to me, at least appears, that one of the types of wrongful acts is covered for investigations and the other one is not. Indeed, this seems so unlikely that I think I must have missed something.

The Insured's right to be paid for its expenses in this arena is huge. This fact indicates that the insured should make sure that everyone in its organization involved knows well the terms of the policy, consults with risk management, stays in close contact with the IT and IS departments, and ask in-house or outside counsel for advice.  (Perhaps there will be an appropriately specializing attorney included within the in-house counsel department. This is not uncommon in really large law firms.) In addition, the Insured should monitor its work on these matters carefully, make sure that accurate records are kept, make sure that confessionary, personal, and other assorted messages are not entered into the cyber-systems.  It would be a good idea for the insured to institute a special, nearly unique kind of specialized "Product Management," as it is now called.

The Insured should also make sure that it has enough coverage. The problem here is that no one really knows what is adequate coverage.  The whole field is too new; there has not been enough time to develop helpful statistical data.

On to I.F.