Tuesday, October 29, 2013

Cyber Insurance, Cyber Exclusions and Breach of Cyber Insurance Contract (aka Cyber Insurance Policy) Part I,A

Michael Sean Quinn, Ph.D, J.D., Etc.
1300 West Lynn #208
Austin, Texas 78703
(o) 512-296-2594
(c) 512-656-0503

Breach of Cyber Contract

The Ironshore policy under discussion here, and some other cyber insurance policies providing liability coverage, will contain coverage for at least some breaches of contract. This is a rarity in most run-of-the-mill insurance policies for the real world.

Here are some ways to look for covered breach of contract obligations on the part of the insurer.
  • Check the various insuring agreements, not just the narrowly relevant one.
  • Look at the general definition of "wrongful act."
  • If the phrase "wrongful act" is set forth in terms of being an "X activity [[or] service] wrongful act," look for it there. Be sure to check the ones you care about, e.g., because you want to determine which coverage to purchase, because you might try to negotiate an appropriate endorsement, or because there might be a price differential.
  • Get a letter from whomever you use, whether a broker, a risk consultant, or a lawyer.  The letter should be general and particular, where the particular question(s) pertain to coverage for breaches of contract.
This is potentially a subtle, hidden matter. You may wish to use cyber-sophisticated coverage counsel. You may not want to restrict your inquiries and analyses to a broker or to an external risk manager/consultant. You need to be careful regarding the selection of counsel. Experience with e-discovery is insufficient to make sure adequate knowledge is there, and so is the use of a BigFirm that promotes or advertises itself as "the go-to" group for cyber policy analysis. Private, firm-sponsored "newsletters" don't do the job either. Of course, none of these activities and/or presentations implies that the lawyers in that firm (and, maybe, in a related specialty group) are unacceptable.

 



Thursday, October 10, 2013

Ironshore Blanket Cyber Policy--Part XI: Insuring Agreement I.J






TechDefender

Tech E&O, Network Security, Internet Media and MPL Insurance Policy 

Insuring Agreement I.J. TECHNOLOGY AND INTERNET LIABILITY COVERAGE
Remember: This Blog is organized around insuring agreements, definitions and exclusions. Conditions, etc., may be remarked upon briefly, but they often resemble not only so-called "Real World" policies and those found in other currently existing so-called  "Policies for the Virtual World." It also ignores policy limits, retention matters, notice requirements, time intervals for coverage, etc., important as all these are. As usual, the discussion of everything in this blog is
Be sure to read the "Concluding Remarks," even if you don't read all--even much--of the rest of the blog.
*****************************************************************************
Insuring Agreement 

Once the temporal and procedural components are ignored, the substance of the insuring agreement looks pretty much like this:

The Insurer will pay on the Insured's behalf all Loss. . .that the Insured is legally obligated to pay as Damages as the direct result of any covered Claim alleging a Technological Wrongful Act, except to the extent the Claim "would be covered under Insuring Agreements B and C[.]" [B is NETWORK SECURITY LIABILITY COVERAGE; C is PRIVACY LIABILITY COVERAGE, and both have been discussed in earlier blogs regarding this policy.]

It is worth keeping in mind that actionable defects in the rendering of "professional services" are often called "errors and omissions" policies, although both an error and an omission are not required--one of them will do just fine.  They are also often called various types of "malpractice."  (A generation ago, or so, the phrase "errors and omissions" applied to errors of accountants. Those separate usages are gone.)

New Definitions
 
All, or virtually all, of the starting definitions to be found in the insuring agreements (and in the exclusions, for that matter) depend upon other definitions. A rests on B; B rests on C; and so forth. The key definition of a substantively significant matter is the particular type of wrongful act. Going over the definitions will take some time.

The starting definition with which this coverage analysis starts is a buried definition, namely, Technological Services.  Obviously, the nature of (or the character of) a "wrongful act" depends on that activity with respect to which there has been a wrongful act. This definition is complex; it takes up nearly half a page. 

One thing about the idea of Technological Services is that it includes many services that are regarded as "professional services" on some policies in the so-called "real world."  These are policies that are not ordinary policies, e.g., for life, home and similar buildings, individual vehicle (including boats and the like), etc.  They are not ordinary business policies that cover a slew of ordinary activities.  Instead they are policies that cover specialized and "high class" activities, usually by persons and their companies. Only their professional activities are covered, and in many cases the "wrongful act" is negligence. Here are some examples: physicians, lawyers, accountants, psychologists, brokers, some financiers, and so forth. The Technological Services definition covers some professional services, in this sense, but others as well.  (Then again, perhaps in cyber lingo and its system of concepts lots of activities are called professional the analogues of which in the so-called "real world" would not be counted as such.  This may be quite reasonable since it is a very complex "world.")

Here are some of them:
(1) analysis, design, [and much else] of Computer Systems,
(2) "data base design" (including the warehousing, storage, or recording or analysis of data, etc.) [MSQ: surely including "cloud" activities],
(3) other related services:
(a) consulting, etc. of "technological information," plus manufacture, repair, etc.,
(b) licensing computer software,
(c) website design, and the provision of various sorts of services, etc.,
(d) design, etc., of chat rooms, etc.,
(e) "e-commerce transaction services," etc., &
(f) "electronic data destruction services."

The meaning of the phrase Technological Wrongful Act is much simpler;  it "means any or alleged actual act, unintentional error alleged act, omission neglect or breach of duty by an Insured or Service Provider to others for a fee, including the Insured's intentional breach of contract to render services to others, or the failure of the Insured's Technological Products to perform the function intended."

The idea behind Technological Products is easy to grasp.  So is the idea of Service Provider, except that it is a hireling of the Insured and does its work. (Of course both of these summaries of definitions are just that, rough summaries.)

A too limited (and somewhat speculative) summary is this: The kind of wrongful act covered has to do with fouling up an insured's technological work (or that of its service provider) so that it directly harms some computer stuff belonging to someone else and found in the so-called "cyber world," causing damages to the company to which the cyber material belongs. However, I.J does not provide coverage to that portion of this policy "covered under insuring agreements I.B and I.C." [The emphasis is mine.]

The "and" in this exclusion or limit built into the insuring agreement requires that an event and the consequence of that event be covered under both I.B and I.C in order to be outside J-coverage.
The coverage provided in I.B is for injuries and then losses inflicted upon the network security of another by means of a covered wrongful act. (See Part III.) Being covered by I.B but not I.C doesn't entail no coverage under I.J. Insuring agreement I.C covers injuries and losses caused to the privacy (or privacies) of others. (See Part IV.) I.C alone does not take an injury and its losses out of I.J. It must be conjoined to I.B.

My guess is that actionable invasions of privacy on the net can occur without the destruction of or injury to network security. I.J is really about fouling up the rendition of cyber services. Obviously, inflicting damages upon a network is the same as a failure to render satisfactory services. Nor will the latter be likely to invade someone's privacy. So why separate them off so sharply? Simplifying adjustment? Unlikely: the adjustment process will remain the same. Premium allocation? A little more likely, perhaps, since reinsurance would be priced differently without this "exclusion." Neither of these seems likely, however, so I am mystified.






"Wrongful Acts," "Claims Made," & "Claims Reporting"




Michael Sean Quinn, Ph.D, J.D., Etc.
2630 Exposition Blvd  #115
Austin, Texas 78703
(o) 512-296-2594
(c) 512-656-0503



Cyber-Insurance & Some Crucial Time Elements


Another thing to keep in mind is that all--or virtually all--cyber insurance policies are so-called "claims made" policies.  They fall into the pattern of D&O and professional malpractice policies to be found in the so-called "real world."   What is important is that all so-called "claims made" policies may have three very significant time elements in addition to policy limits.

In both "worlds," the phrase "claims made" is often a misleading metaphor.  A more general characteristic, which changes the policy radically, and which an insured needs to watch out for is a two or three component "claims made" period; significantly the components are all different.
 
The first one requires that the relevant covered "wrongful act" be performed during a specified length of time; often this is during the policy period; though sometimes, by agreement and an additional fee, it can be provided during a retro-active extension period; the existence of this period will usually be found on the dec sheet, though it can be found in an endorsement, for example, if it is purchased after the original purchase of the basic policy. Under some circumstances this component can cover some sections of a liability claim. 
The second one is the actual "claims made" component; this is a covered claim made against the policy holder; consequently, it is to be found in liability policies, not first-party policies, so far as I know. The specified time for when a covered claim may be made can be extended both backwards and forward in time.
The third component is the "claim reporting" requirement.  This is the time period during which the insured must report a claim to the insurer including  any claim made against it during the specified periods.  Cyber policies are new, and there  is virtually no authority as to their potentially controversial meanings. From the point of view of coverage analysis this is a new and relatively uncharted ocean. Conjecture and even guess work are required.
 In addition, it usually must also be done within a reasonable period of time, and this is described as "as soon as practicable."  If one were to look at phrases that are paradigmatically vague, this is one of them. It certainly does now and will in the future generate lots of controversy.
Again, like the other components this requirement is for liability policies. It too can be extended. These time limits can be iron clad. 
To be a covered claim, the following must be considered: (1) whether the insured received service of a lawsuit claim is required within a specified period of time; (2) whether the insured has received a demand or announcement letter (but not the lawsuit yet), and (3) whether the insurer has a reasonable belief that (1) or (2) might well happen.  #(1) is invariably a necessary condition for coverage; #(2) is usually to be found in policies; and #(3) is also to be found in policies. 
The insurance purchasing department of the insured company should make sure that those who handle risk management know this, and that all relevant management personnel are made aware of the pertinent provisions of these contract requirements. It does not matter whether they are actually there. Relevant personnel should watch all problematic acts or omissions in the company for signals of potential coverage problems.

The above discussion has concerned time requirements required by the insurance contracts. Naturally, first party policies have some similar requirements. Often the word "claim" is used in this context. It has a different meaning. In this context, a claim concerns the damage or potential damage to which the insured itself has or will be subjected. Its causes may involve conduct of the insured, conduct of others, damages caused (or to be caused) by nature, simply adverse luck, or a combination of some or all of these. Of course, these claims must be made within specified time periods, often the policy limits, and they can include damage already occurred, or the reasonable concern that damages might occur in the future as a result of actions, omissions, or events that have occurred.

Monday, October 7, 2013

An Ironshore Cyber Policy--Part X: Insuring Agreement I.E.:






TechDefender

Tech E&O, Network Security, Internet Media and MPL Insurance Policy 

Insuring Agreement I.I: NETWORK EXTORTION AND REWARD PAYMENTS COVERAGE
Remember: This Blog is organized around insuring agreements, definitions and exclusions. Conditions, etc., may be remarked upon briefly, but they often resemble not only each other but those found in currently existing policies. It also ignores policy limits, retention matters, notice requirements, time intervals for coverage, etc., important as these are. As usual, the discussion of everything in this blog is tentative, partial, and perhaps mistaken here and there. It is a new and relatively uncharted ocean.
Be sure to read the "Concluding Remarks," even if you don't read all--even much--of the rest of the blog.
___________________________________________________________________________

NETWORK EXTORTION THREAT AND REWARD PAYMENT COVERAGE

This title introduces a relatively new type of first-party coverage not to be found in many so-called "real world" policies, although it is to be found in some of what might be called elite policies. Often it is to be found in (1) D&O policies for businesses, such as (a) those doing business in some overseas places, and/or (b) anywhere there is or is likely to be a rebellion (or something of the sort), and/or (c) some sea areas, e.g., where companies have significant employees sailing around not very far west of parts of Africa. (2) Less often there are crime policies in which the relevant coverage appears, at least by endorsement; and (3) there are specialty kidnap and ransom policies. (In theory it could occur as an endorsement to a maritime insurance policy, but that is doubtful.)

Insuring Agreement 

This insurance agreement--and remember, it is first-party insurance--consists of two paragraphs. They accord with the conjunction in the title. One pertains to expenses incurred in dealing with the threat, and this may include what must be spent after the threat is carried out. The second paragraph covers some payments made as rewards to prevent execution or deal appropriately with the persons making threats after the threat is carried out. (Many people are not included in the Insurer's obligation to pay for information--police persons, for example.) These same types of provisions are to be found in corresponding, or analogous, so-called "real world" policies.
It is best to deal with the operative definitions. These are Network Extortion Threat, Extortion Expenses, and  Extortion Payments. Nearly all of the key terms in the insuring agreement turn on these three phrases. 
Definition: "Network Extortion Threat" 

This term, roughly, refers to a credible threat or series thereof made by a natural person to an Insured where such natural person:
  1. introduces or threatens to introduce Malicious Code into the Company's Computer System;
  2. interrupts or threatens to interrupt its System by means of a Denial of Service Attack;
  3. disseminates, divulges, or improperly utilizes, or threatens to do at least one of these with, Non-Public Personal Information or Confidential Corporate Information obtained from the Company's Computer System.
Roughly speaking, the definition seems to be reasonably clear as it stands, at least as to what is included and what is not. The exception to this is Confidential Corporate Information. It includes only information of third parties, subjected to a confidential agreement, provided to the Insured to enable it to perform Miscellaneous Professional Services for the third party for a fee. Covered Miscellaneous Services are those listed on the dec sheet, subject to two exceptions: Technological Services (a long list of computer services running from design to repair and on to licensing) and Electronic Publishing, a phrase that suggests its own meaning (or some of it at least).
The definition is not without puzzles, however. Of course, virtually all terms which appear to be quite precise are actually not.  There will be disagreement about many terms, and that can lead to dispute regarding coverage claims. Could a "logic bomb" be like that?  What if "cookies" had distant dangerous cousins which are not technically "cookies"? And so forth. Furthermore, why would the covered threats be limited to those made by a natural person?  Why couldn't a corporate entity make such a threat?  Would a threat be a covered threat if it was designed, engineered, and carried out ultimately by a corporation, although it is delivered by a natural person? Why are the Company's own trade secrets left out of the list of Confidential Corporate Information? What, if anything, is the difference between "disseminating" and "divulging" something?
One very important fact is built into the definitions. It is the one referring to Miscellaneous Professional Services.  It is perfectly clear that lawyers and law firms can fit on that list.  Doesn't that fact suggest that such actors might want to make sure that there are such lists potentially favoring them and that their confidential information is covered on policies like this one? 

Definition: "Extortion Payments"

This phrase means "monies paid to a third party whom the Company reasonably believes to be responsible for a  Network Extortion Threat," provided that the Insurer has consented in writing, provided that the purpose of the payment is to terminate the Threat, and provided that the "Extortion Payments" do not exceed the amount of Business Interruption Income Loss the Insurer reasonably believes would have been incurred had such Extortion Payments not been made.
[One of the most important features of this definition is that it restricts the amount claimable by the Insured as equal to some normal expenses and Business Interruption Income Loss. Why would one think that the threat sums demanded would be restricted in this way?  This policy leaves the insured uninsured over this sum, and it has nothing to do with the policy limits. One can envision a policyholder or its counsel demanding that this amount be eliminated by endorsement.
Another of the most important features of this definition is that it is the Insurer's reasonable beliefs as to the amount of BI Loss that control the amount owed. One can easily imagine a policyholder or its counsel asking these questions: Why should it not be the reasonable beliefs of the Insured? Or a reasonable conclusion coming from an appraisal? Or a matter subject to "quickie" arbitration? (So far as I can tell there is no mandatory arbitration clause in the contract.) Perhaps, the Insurer might respond that the contract of insurance articulates a long and complex method of calculating the amount in question and so renders all the policy holder's problems matters of no concern. See the Conditions section VII.D.1. But wouldn't the policy holder respond that if this were true, then why not leave the relevant calculations to the Insured?]

The Insuring Agreement

Now that the definitions have been spelled out (more or less), the actual terms of the agreement are easily formulated. 
The first paragraph reads this way (pretty much): "The Insurer will reimburse the Company for any Extortion Expenses and Extortion Payments actually paid by the Company as the result  of a Network Extortion Threat[.]"
The second and much longer paragraph reads this way (in brief part): "The Insurer will reimburse the Company for any reward paid to any person or entity, other than. . . for information leading to the arrest and conviction of any person who" is making or has made a Network Extortion Threat, provided that the Insurer has approved it in writing. [The emphasis is mine.]
[First, notice that "reimbursement" is the key idea regarding payment. Of course, this means that the Insured has to have spent the money first. Second, the Insurer is really running the show, since it must consent in writing. Third, the Insurer has no duty to reimburse if the person making the threat has not yet been convicted of making the threat. Fourth, the information must "lead to" "arrest and conviction"; one wonders what "lead to" might mean. It is part of a standard phrase in situations like this one. On the other hand, everything in insurance policies is open to linguistic debate. It seems relatively clear, however, given the number of times the word "direct" appears in the policy and given that it does not appear here, perhaps it is to be concluded that the information need not lead directly to "arrest and conviction." Then again. . . .]
Exclusions
As is often the case in this policy, there does not appear to be an exclusion peculiar to this insuring agreement. Narrow applications of these exclusions would be found in the definitions used in the exclusion. The exclusions in this policy, as usual, are (or at least appear to be) drawn from the so-called "real world" policies, or they are (or--again--at least appear to be) general and apply to several of the passages in the policy.

Concluding Remarks
This is the most difficult insuring agreement of the 11 of them.  I suppose there is always one like this in any group, but it reinforces the necessity that these policies may not simply be read thoroughly and then reviewed a bit by a coverage lawyer; they must be studied. 
One of the principal functions of lawyers representing policyholders (or policyholders to be) is to advise them as to meaning. The answer must always be tentative--very guarded and explained to the client that all analyses just now are uncertain to an unusual degree. Advice of what to buy and how to think about what policy to purchase and/or what the client has in the policies it has purchased is crucial for the cyber lawyer. Many "Big Firms" have entire departments devoted to this; it seems to go with specialties in dealing with "Electronic Storage of Information." 
In addition, cyber policies have not been "around" long enough to have achieved anything like substantial and lasting stability. Clients should also be made to understand that the contents of the policies of different carriers may be strikingly different in a lot of different ways. In addition, the client must be made aware that these kinds of policies may well (and, indeed, are likely to) change at least somewhat every year for some time to come. This can only be done right if there is encyclopedic knowledge of the nuances in complex policy language and a high level knowledge of the complicated, quilt-like structure of concepts to be found in the innards of the policies being discussed. Of course, both the complex language and the hidden substantive relationship will be far less than perfect.






Friday, October 4, 2013

An Ironshore Cyber Policy--Part IX: I.H: Business Interruption Income Loss--Part IX

TechDefender

Tech E&O, Network Security, Internet Media and MPL Insurance Policy 

Insuring Agreement I.H: Regulatory Proceeding Coverage
Remember: This Blog is organized around insuring agreements, definitions and exclusions. Conditions, etc., may be remarked upon briefly, but they often resemble not only each other but those found in currently existing policies. It also ignores policy limits, retention matters, notice requirements, time intervals for coverage, etc., important as these are. As usual, the discussion of everything in this blog is tentative, partial, and perhaps mistaken here and there.  It is a new and relatively uncharted ocean.
__________________________________________________

BUSINESS INTERRUPTION INCOME LOSS AND DEPENDENT BUSINESS INTERRUPTION INCOME COVERAGE is the title of this insuring agreement, I.H.
A good part of this title is familiar from commercial first-party (often property) policies, where the idea of property damage begins with the idea of physical injury to tangible property. Obviously, that will not be the beginning of BI* or DBI coverage in cyber-policies. Still, in terms of purpose this insuring agreement corresponds to the similar insuring agreements found in so-called "real world" policies.

[*BI is a standard abbreviation used to denote Business Income Losses in today's so-called "real world" policies. Previously, BI referred to Business Interruption Losses. Many do not know why the terminology changed, and I am one of the many. Maybe it was to accentuate the fact that there had to be an income loss; I suspect that was always true.]
Here is the verbatim quotation of insuring agreement I.H:
The Insurer will pay the Company any Business Interruption Income Loss [BI], Dependent Business Interruption Income Loss [DBI] and Extra Expense the Company sustains during the Period of Restoration as the direct result of an Interruption in Services, provided that such Interruption in Services first occurs during the Policy Period. 
Before turning to the central substantive definitions, several matters need to be discussed.
First, only the Company is really covered; only its losses are to be paid.
Second, under this insuring agreement, "will pay" is a key obligation of the Insurer. This is more flexible than "will reimburse." Interestingly, there is no restriction on when the Insurer is obligated to pay. Probably all cyber-insurers that use this language are governed by the law--a more or less general law across at least most states in the U.S.--that requires the insurer to pay promptly, once it has the information, etc., it reasonably needs to calculate what it owes.
Third, the Period of Restoration is defined (pretty much) as the reasonable length of time it takes the Company to get its cyber operation up and running again, measured starting with the time there was a covered Interruption in Services, but lasting no more than 30 days.

Obviously, the Period of Recovery can reach out beyond the end date of coverage under the policy. This topic is often a matter of dispute. One of the principal topics of dispute is whether the insured made it snappy in getting the fix completed. An enormous number of facts and therefore components of an (or more than one) investigation are involved in any relevant adjustment and/or adjustment dispute. As a general rule, periods of restoration can be extended by endorsement, like lots of things in insurance policies.
Fourth, the term "direct result" again serves a crucial role. For more on this matter, see Part VIII: I.G, for example. The ideas of direct and indirect are illustrated nicely by the workings of "Silk Road." Some of it is direct, I think, in particular, the mailing of the "goods." Some of it is indirect, I believe, namely, the modes of purchasing the "goods."
Fifth, the Company's Computer System is an obvious term the meaning of which is intuitively obvious at a surface level. Of course different companies will have different systems used for different purposes. In this definition, an insured system is one restricted to working solely for the Company's benefit.
We now arrive at what might be called the crucial topical definitions.
First comes the definition of Interruption in Services [IS], the covered train of events which does covered injury or damage to the Company. Which ISs are covered and which are not is to be found in this definition. IS "means the actual and measurable interruption, suspension, failure, degradation or delay in the performances of the Company's Computer System, if directly caused by a Network Security Incident." [Notice that the idea of being direct is a necessary condition of being an IS and therefore of coverage. Given the general terms--one is "measurable"--one can bet that there will be disputes grounded on this idea.]
BI and  DBI are the crucial definitions for describing the types of  injuries/damages for which the Insurer will pay.

BI means, roughly speaking, the Company's loss of "net profits before income tax" that the Company is prevented from earning as the result of IS and its normal expenses, e.g., payroll, that "must continue" during the Period of Restoration had there been no IS.

 [This has been a relatively standard surface formulation of BI for a very long time. Extra-help that has to be brought in to straighten things out is an Extra Expense, not a loss. Notice that the general BI can be brought about by an assortment of causes of the IS, and that the cause of the IS might actually involve more than one cause, so that the IS need not directly result from a single cause.]

DBI is one of those components of this insurance policy that contains variants of "direct": once it is "direct result of" and the other time it is "caused directly by." It is even more complicated than passages where there is a double occurrence of the word; for this reason it is necessary to quote some of it. It is a BI loss "as the direct result of an IS[, and it] is caused directly by a Network Security Incident to the Service Provider's Computer System but only if such Network Security Incident would have been covered under the Policy had the Service Provider been entitled to insurance in accordance with the terms, conditions and other provisions of the Policy."

This is a very complicated provision.
The place to begin is with the word "dependent." The point is that this form of BI must be triggered by an injury to something upon which the Company depends, and that--if anything--will be the Service Provider. The surface idea of a Service Provider is easy enough to understand, though it must be understood that it is a separate company, a vendor, and there is a formal contract with the Company. Its computer system is simply a Computer System that somehow and/or to some extent belongs to it, as the term is defined in the policy. It is the Service Provider's Computer System that must be subjected to a Network Security Incident.

That is a defined term in the policy. It, very roughly, means some sort of affliction is directly imposed upon the Service Provider's Computer System, such as improper use of it and/or the introduction of a Malicious Code, that directly results in specified injuries/damages to the Company's Computer System so that it is subject to IS or a "corruption or deletion" of Digital Assets. However, under the definition of DBI there is a necessary condition: the Service Provider must be such that the Network Incident "would have been covered under [this] Policy had the Service Provider been entitled to insurance in accordance with the terms, conditions and other provisions of the Policy."

One thing this means is that the insurance of the Service Provider must be equivalent to the Company's policy in terms of strength and scope for the Company to have coverage. If the Service Provider has weaker or no coverage, the Company will have no coverage for DBI. Something it might mean is that the Company's Digital Assets have been "corrupted." Unfortunately, that is not a defined term, although the term is commonly used in cyber-circles.
So far as exclusions are concerned, there do not appear to be any that apply uniquely to this insuring agreement, and if so there are none that are prepared for it. Plenty of exclusions that are to be found in so-called "real world" policies apply to it and to the rest of this policy, and lots of newfangled exclusions for the "virtual world" also apply to it. Still, there is nothing further that needs to be said about this exclusionary matter just now.


Wednesday, October 2, 2013

An Ironshore Cyber Insurance Policy--Part VIII: Insuring Agreement I.G




Michael Sean Quinn, Ph.D, J.D., Etc.





TechDefender

Tech E&O, Network Security, Internet Media and MPL Insurance Policy 

Insuring Agreement I.G: DIGITAL ASSET EXPENSES COVERAGE

Remember: This blog is organized around insuring agreements, definitions and exclusions. Conditions, etc., may be remarked upon briefly, but they often resemble not only each other but those found in currently existing policies. It also ignores policy limits, retention matters, notice requirements, time intervals for coverage, etc., important as these are. As usual, the discussion of everything in this blog is tentative, partial, and perhaps mistaken here and there.  It is a new and relatively uncharted ocean.

*  *  *  *  *  *
This insuring agreement is the first of three first-party coverages. It is important to quote the entirety of the agreement, and then give a quick explanation. As usual this agreement depends upon several definitions, two of which are new here; as usual they depend on others. There are more definitions than will be discussed here; since they have been discussed earlier in these blogs, they will not be discussed in detail.

Here is I.G:
"The Insurer will reimburse the Company for any Digital Asset Expenses the Company incurs as the direct result of the corruption, damage, impairment, destruction or deletion of Digital Assets directly caused by a Network Security Incident[.]"  [This is the end of what will be fully quoted in this blog.]

There are several important points to note in this definition. First, the Insurer has an obligation to reimburse.  Technically, under the wording of the contract, this means the Insured has to spend the money before it collects from the insurer. The Insured has a right to reimbursement only for covered spending.  Thus, the Insurer probably has a right to "observe," "monitor," and maybe even to some degree "regulate" expenditures.  [The words in quotes are mine, not those of the policy.] Of course, any such regulation must be reasonable and necessary.

The rights of the insurer and the insured parties to the contract may conflict on this and--of course--other matters. One area where disputes might develop is the need for forensic investigation; carriers may sometimes assert that one is enough, while the insured may assert that it has a right to pick its own investigator.

Second, it is the Company and not the Insured that is covered in I.G. Of course, the Company is part of the Insured, but it is not the only one; the others are individuals and they are named as Insureds here.  Probably that is because it is the Company that will be incurring the expenses that are covered.

Third, the term "direct" is in I.G twice. Hence, there must be two direct, as opposed to indirect, causations.  First, the covered expenses must directly result from a covered incident to which the covered Digital Assets were subjected. Second, the expenses must directly result from the corruption [etc.] of the Digital Assets.

(The reader might use the following images to get an idea of required directness. Suppose Obama sends a diplomatic message to Putin. He might hand it to him. That's obviously direct. The U.S. Secretary of State might tell him or hand him a note. Is that direct? If Obama "wires" it; and the document is decoded; the Russian Foreign Secretary picks it up, reads it, and hands it along; maybe with a memo; Is this "direct"? Are there degrees of directness?  If so, how does this handle back-and-forth arguments about claims?) See Retail Ventures Inc. v. National Union Fire Insurance of Pittsburgh, PA., 691 F.3d (6th Cir. 2012)

Of course, as already said, there are many other definitions, some of which are complex right on their surfaces and some of them involve other "sub-definitions," and they may be quite complex. Many other cyber policies are like this. The reader has been warned.

Some Key Definitions

The place to begin to sketch the other key portions of this agreement I.G is with the idea of--the definition of--a Digital Asset:

"Digital Assets means Electronic Data, Software, audio files, and image files stored on the Company's Computer System." (And then there is a list of what is not within the definition, e.g., some pieces of paper, "unless they have been converted to Electronic Data, and then only in that form.")  The main themes of the definitions within this definition are predictable, although there may be sub-surface subtleties; all such components will be subject to endless dispute.

The other key definition is Digital Asset Expenses:

The phrase Digital Asset Expenses refers, as one might expect, to what it costs to replace or restore Digital Assets that have been injured in specified ways: "corruption or deletion as the direct result of a Network Security Incident." Of course the expenses must be "reasonable and necessary."  These Expenses include "disaster recovery and or computer forensic investigation efforts[.]"  In addition, the replacement or restoration must be done in specified ways, e.g., solid records or other (to some extent) matching Electronic Data.

Exclusions


There are no exclusions uniquely applicable to this insuring agreement and its definitions. The definitions more or less are taken from the language of definitions found in policies, designed for the so-called "real world" apply, of course, as to the definitions formulated for all--or many--of the sections