Cyber-Insurance aka E-Commerce Insurance--Part #1
Michael Sean Quinn, Author*
This is the first "chapter" in a string of blogs focusing on cyber insurance. This one will concern the look of "yesterday's" policies--the ones use for a log, long time--and the look of a branch of "tomorrow's, that is, the cyber policies. Actually, the two groups will look remarkably alike in organization. When you think about it, "Really? How could it be otherwise?"
The next chapter will concern some aspects of substantive similarity. Other blogs will list an very briefly sketch some of current available policies. Somewhere along the way, there will be some definitions and some explorations or explanations of such. Most significantly, there will be chapters discussing the contents of a few actual cyber insurance policies.
There is not much meaningful, focused, or informative publications about cyber-insurance. (That is the name-phrase that will be used here; it has mostly replaced the term "E-Commerce.") Most available writings are really ads of some sort for somebody some are attorney firms publicizing themselves an conjecturing about the future; and there some panel discussions which would probably interest almost no one really interested in the nature of the type of insurance. Another category of the prevailing literature are the pieces written at law firms. Much of this is a law firm advertising its services, though sometimes that is combined with guesswork or speculations about how cyber-insurance will develop.
There are a few specimen policies issued by some of the best insurance companies, but they do not provide meaningful discussion. A book published on this topic, and it is the only one so far as I can see, is by George S. Sutcliffe entitled E-Commerce and Internet Risks, Laws, Loss Control, and Insurance (Standard Publishing Corporation, 2001). It has a helpful essay, which includes far too many diverse topics. The appendices, however, have a glossary, a summary of some policies, and some specimen policies. So far as I can tell, this is the source book.
No doubt, one of the reasons the absence of detailed study of the dimensions of cyber-insurance is that there are almost no--or even no--reported cases involving coverage disputes. (I for example, I have yet to find one such case on WestLaw; and law reviews have no informative discussions of the matter. This is not to say that there are no cyber cases--for example, cyber tort cases--that are without hints. Several large law firm members have told me that their firms each have a dozen or so cases, but they also say that none are in or close to litigation.
There is also one ("WestLaw-'reported'") case involving identity theft in which a bank offered, among other thinga free identity theft insurance up to $25,000.00 to its customers as part of a remedy following an identify theft incident. Alas, the plaintiff class rejected the offer. Hammond v. Bank of N.Y. Mellon Corp., 2010 WL 2643307 (S.D.N.Y., June 25, 2010). (Of course, one can see why--if a plaintiff thought s/he might be at the door of big damages--would reject a $25k settlement.)
So far as I can tell, in all court decided cases (thus not including settlements, if any) involving identity theft, the plaintiffs have lost. For a survey and discussion of these cases, see Stephen J. Rancourt, Hacking, Theft, and Corporate Negligence: Making the Case for Mandatory Encryption of Personal Information, 18 Tex.Wesleyan Review 184, 187-199 (Winter, 2011). There is a very recent case in which the plaintiff had not yet experienced a loss, but for that reason only, could still proceed if their injuries were not entirely speculative and not off in the far distant futher. This matter is calle a matter of "Standing" under federal court jurisprudence. In re SONY GAMING NETWORKS AND CUSTOMER ATA SECURITY BREACH LITIGATION, _____ F.Supp. ____ (S.D.Cal. 2012)(2012 WL 4849054). Most of the case was dismissed on other grounds, but actual already existing injury is not an iron-clad requirement for a right to proceed, at least under some circumstance.
Now, before I turn to the analysis of policies and make conjectures, aka guesses, as to what their difficult sections might mean, I start with a few fundamentals for the insurance novice. These come from general insurance sources, and therefore are not special when it comes to cyber insurance. At one basic level, insurance is insurance, and so are some other contracts e.g., bonds and ancient bottomtry arrangements. So let's begin.
Virtually all primary insurance contracts have roughly the same form. Excess and umbrella policies do not necessarily, but they often incorporate significant, if not all, provisions found in the primary policy. Contracts of reinsurance, although they are contracts of insurance, do not follow the same formula. Here, in broad strokes, is a sketch of common sections. Often different principal sections are identified by the names I use here and by roman numerals.
I. Declaration Page (or Sheet). This part includes the name(s) of the actual insurer and the name(s) of the policyholders. Often it sets forth the premium, the name of the intermediary, policy limits, etc. Sometimes they have charts or columns, and the policy includes that which is checked off. The deductible is specified or set up, as is co-insurance, if any. Other named insureds may be named elsewhere.
II. Insuring Agreement. This parts sets forth what is insured, i.e., a particular vehicle, a particular building, physical objects, one or more banquets, particular weddings, works of art, and so forth.
These agreement are usually for liability (3rd party coverage) or for things, e.g., belonging to the insured (1st party coverage.) The agreements usually do not recite a fundamental principle of insurance and that is fortuity. This is an axiom. Deliberately caused injuries or damages are not covered; arson is not covered; physically smashing something up deliberately, e.g., a computer, fraud, and so forth. Intentional acts are covered, so long as the loss was not. There is insurance for those driving too fast, but not if they deliberately run over or smash into something.
Sometimes insurance policies offer both liability and first party insurance, often covering physical property. Sometimes the first party insurance may cover abstract properties, and this is true in the area of cyber insurance, in addition to business loss and trade credit insurances. Bottomry was like this 3000+ years ago.
III. Definitions. There is usually an indication that there are definitions to be found in the policy: quotation marks, bold lettering, italics, etc. Sometimes there are only a few definitions; sometimes, as in many cyber policies, the number is much larger than most current policies. Often, at least to the lay person, the definitions are obscure. (This is not necessarily a matter of great consequent, since definitions in engineering malpractice policies are also quite difficult for the lay person--so much so that expert witness often have to be used for the benefit of the jury.)
IV, Exclusions, This sets forth what the insurance contract does not cover. Of course, there are exclusions quietly built into Insurance Agreement, but this is generally not recognized. The list of exclusions can be relatively short, or it can be quite long, as it is in most cyber insurance policies, especially packaged policies.
Policyholders have to prove that they meet the requirements of the relevant Insurance Agreements. Carriers have the burden of proof regarding exclusions; the burden shifts back to the insureds when there are exceptions to the exclusions.
The content of many exclusions in cyber-insurance policies are likely to be substantially different, since there will be few or no tangible objects or situations to exclude. (None like this: "We do not exclude the damages caused by your pets eating your bushes.")
V. Conditions. The are usually condition precedents and there are a few condition subsequents. Among the best known of the conditions are the insureds duty to cooperate in the adjustment process and their duty of remediating losses, that is, using reasonable efforts to keep those losses from getting worse (e.g., things like storm damaged buildings) from getting any worse.
Some requirements, which are listed in the "Conditions" section, are not conditions at all but covenants, i.e., promises. Timely notice of covered events is often not really a condition but a covenant, i.e., promise. The requirement of cooperation may be like that. Remediation is perhaps not a condition or a promise irrespective of what the policy says, and so forth.
It is not completely determined what contractual requirements are actually conditions and which are not. Nevertheless, some other common obligations usually classified as conditions are these: subrogation rights, some features of contract termination, some features of cancellation, assignment, status of other insurance, and more. Arguments about what is a condition precedent (or subsequent) versus what is a "mere" promise, are not uncommon, and the truth is not determined by the name of the section. Just because something is found in a section entitled "Condition" does not mean that it is a condition.
VII. Endorsements. There can be all sorts of endorsements: adding insuring agreements, cutting them, deleting or adding exclusions, adding or subtracting named insureds from the list, adding insured objects, things, or whatever, and much more. For standard policies, there are closets full of standardized endorsements. In large innovative industries, there will be negotiated policies, but not for long. Purely negotiated policies make profitable underwriting nearly impossible.
VIII. Miscellaneous. A whole variety of things can fit here.
This simple list gives one a beginning idea, at least, as to how insurance policies are divided divided up. The ordered list of entries are not intended to name the order of parts of the policy. Often, for example, the definitions section comes between the Insuring Agreement Section and the Exclusions Section.
It also needs to be remembered that some policies are "package" policies, meaning that they provide several different types of insurance all at once, in the same contract. First and Third Party insurance often appear like this, e.g., in auto insurance, in home owners insurance, and in different large policies. Usually the differences are easy to recognize.
There is no reason to think that cyber-insurance policies (that is, contracts) will be much different in form. Rough versions of similar forms run back hundreds of years.
Michael Sean Quinn, Ph.D., J.D., c.p.c.u. . . .
The Law Firm of Michael Sean Quinn
Quinn and Quinn
Quinn and Quinn
1300 West Lynn Street, Suite 208
Austin, Texas 78703
(512) 296-2594
(512-656-0503
(512) 344-9466 - Fax
No comments:
Post a Comment