Ironshore Blanket Cyber Policy--Part XI: Insuring Agreement I.J

Michael Sean Quinn, Ph.D, J.D., Etc.

1300 West Lynn #208

Austin, Texas 78703

(o) 512-296-2594

(c) 512-656-0503

mquinn@msqlaw.com

TechDefender

Tech E&O, Network Security, Internet Media and MPL Insurance Policy 

Insuring Agreement I.J. TECHNOLOGY AND INTERNET
LIABILITY COVERAGE

Remember: This Blog is organized around insuring agreements, definitions and exclusions. Conditions, etc., may be remarked upon briefly, but they often resemble not only so-called "Real World" policies and those found in other currently existing so-called  "Policies for the Virtual World." It also ignores policy limits, retention matters, notice requirements, time intervals for coverage, etc., important as all these are. As usual, the discussion of everything in this blog is

Be sure to read the "Concluding Remarks," Even if you don't read all--even much--of the rest of the blog.

*****************************************************************************

Insuring Agreement 

Once the temporal and procedural components are ignored, the substance of the insuring agreement looks pretty much like this:

The Insurer will pay on the Insureds behalf all Loss. . .that the Insured is legally obligated to pay as Damages as the direct result of any covered Claim alleging a Technological Wrongful Act
Wrongful Act, except to the extent the Claim "would be covered under Insuring Agreements B and C[.]"  [B is NETWORK SECURITY LIABILITY COVERAGE;  C is PRIVACY LIABILITY COVERAGE, and both have been discussed in earlier blogs regarding this policy.]

It is worth keeping in mind that actionable defects in the rendering of "professional services" are often called "errors and omissions" policies, although both an error and an omission are not required--one of them will do just fine.  They are also often called various types of "malpractice."  (A generation ago, or so, the phrase "errors and omissions" applied to errors of accountants. Those separate usages are gone.)

New Definitions

 

All, or virtually all, of the starting definitions to be found in the insuring agreements (and in the exclusions, for that matter) depend upon other definitions. A rests on B; B rests on C; and so forth. The key definition of a substantively significant matter is the particular type of wrongful act. Going over the definitions will take some time.

The starting definition with which this coverage analysis starts is a buried definition, namely, Technological Services.  Obviously, the nature of (or the character of) a "wrongful act" depends on that activity with respect to which there has been a wrongful act. This definition is complex; it takes up nearly half a page. 

One thing about the idea of Technological Services is that it includes many services that are regarded as "professional services" on some policies in the so-called "real world."  These are policies that are not ordinary policies, e.g., for life, home and similar buildings, individual vehicle (including boats and the like), etc.  They are not ordinary business policies that cover a slew of ordinary activities.  Instead they are policies that cover specialized and "high class" activities, usually by persons and their companies. Only their professional activities are covered, and in many cases the "wrongful act" is negligence. Here are some examples: physicians, lawyers, accountants, psychologists, brokers, some financiers, and so forth. The Technological Services definition covers some professional services, in this sense, but others as well.  (Then again, perhaps in cyber lingo and its system of concepts lots of activities are called professional the analogues of which in the so-called "real world" would not be counted as such.  This may be quite reasonable since it is a very complex "world.")

Here are some of them:
(1) analysis, design, [and much else] of Computer Systems
 (2) "data base design," (including the warehousing, storage, or recording or analysis of data, etc.)  [MSQ: surely including "cloud" activities],"
(3) other related services:
(a)  consulting, etc. of "technological information," plus manufacture, repair, etc., \
(b) licensing computer software,
(c) website design, and the provision of various sorts of services, etc.,
(d) design, etc., of chat rooms, etc.,
(e) "e-commerce transaction services," etc., &
(f) "electronic data destruction services."

The meaning of the phrase Technological Wrongful Act is much simpler;  it "means any or alleged actual act, unintentional error alleged act, omission neglect or breach of duty by an Insured or Service Provider to others for a fee, including the Insured's intentional breach of contract to render services to others, or the failure of the Insured's Technological Products to perform the function intended."

The idea behind Technological Products is easy to grasp.  So is the idea of Service Provider, except that it is a hireling of the Insured and does its work. (Of course both of these summaries of definitions are just that, rough summaries.)

A too limited (and somewhat speculative) summary is this: The kind of wrongful act covered has to do with fouling up work in connection with an insured's technological work (or those of its service provider) they directly harm some computer stuff belonging to someone else and found in the so-called "cyber world" damages to the company to which the cyber material. However, I.J.provide coverage to that portion of this policy "covered under insuring agreements I.B and I.C." [The emphasis is mine] 

The "and" in this exclusion\or limit built into the insuring agreement requires that an event and consequence of that event be covered under both I.B and I.C in order to be outside J-coverage.
The coverage provided in I.B is injuries and then losses inflicted upon the network security of another by means of a covered wrongful act. (See Part See III.)  Being covered by I.B but not I.C doesn't entail no coverage under I.J.  Insuring agreement I.C covers injuries and losses caused to the privacy (or privacies) of others.  (See Part IV)  .C alone does not take an injury and its losses out of I.J.  It must be conjoined to I.B.

My guess is that actionable invasions of privacy on the net can occur without the destruction of or injury to network security.  I.J is really about fouling up the rendition of cyber services.  Obviously,
inflicting damages upon a network is the same as a failure to renter satisfactory services.  Not will the latter likely to invade someone's privacy.  So why separate them off so sharply? Simplifying adjustment? Unlikely: the adjustment process with remain the same.  Premium allocation?  A little more likely, perhaps, since reinsurance would be priced differently without this "exclusion." Neither of these seem likely, however, so I am mystified.

An Ironshoe Cyber Insurance Policy--Part VIII: Insuring Agreement I.G

Michael Sean Quinn, Ph.D, J.D., Etc.

1300 West Lynn #208

Austin, Texas 78703 

(o) 512-296-2594

(c) 512-656-0503

mquinn@msqlaw.com

TechDefender

Tech E&O, Network Security, Internet Media and MPL Insurance Policy 

Insuring Agreement I.G: DIGITAL ASSET EXPENSES COVERAGE

Remember: This blog is organized around insuring agreements, definitions and exclusions. Conditions, etc., may be remarked upon briefly, but they often resemble not only each other but those found in currently existing policies. It also ignores policy limits, retention matters, notice requirements, time intervals for coverage, etc., important as these are. As usual, the discussion of everything in this blog is tentative, partial, and perhaps mistaken here and there.  It is a new and relatively uncharted ocean.

*  *  *  *  *  *

This insuring agreement is the first of three first-party coverages. It is important to quote the entirety of the agreement, and then give a quick explanation. As usual this agreement depends upon several definitions, two of which are new here; as usual they depend on others. There are more definitions than will be discussed here, since they have been discussed early in these blogs, so they will not be discussed in detail. 

Here is I.G:

"The Insurer will reimburse the Company for any Digital Asset Expenses the Company incurs as the direct result of the corruption, damage, impairment, destruction or deletion of Digital Assets directly caused by a Network Security Incident[.]"  [This is the end of what will be fully quoted in this blog.]

There are several important points to note in this definition. First, the Insurer has an obligation to reimburse.  Technically, under the wording of the contract, this means the Insured has to spend the money before it collects from the insurer. The Insured's right to reimbursement only for covered spending.  Thus, the Insurer probably has a right to "observe,"  "monitor," and maybe even to some degree "regulate"expenditures.  [The words in quotes are mine, not those of the policy.] Of course, any such regulation must be reasonable and necessary.

 The rights of the insurer and the insured parties to the contract may conflict on this and--of course--other matters. One area disputes in this area might develop is over the need for forensic investigation; carriers may sometimes assert that one is enough; while the insured may assert that it has a right to pick its own investigator.

Second, it is the Company and not the Insured that is covered in I.G. Of course, the Company is part of the Insured, but it is not the only one; the others are individuals and they are named as Insureds here.  Probably that is because it is the Company that will be incurring the expenses that are covered.

Third, the term "direct" is in I.G twice. Hence, there must be two direct, as opposed to indirect, causation's.  First, the covered expenses must directly result from a covered incident to which the covered Digital Assets were subjected. Second, the expenses must directly result from the corruption [etc.] of the Digital Assets.  

(The reader might use the following images to get an idea of required directness. Suppose Obama sends a diplomatic message to Putin. He might hand it to him. That's obviously direct. The U.S. Secretary of State might tell him or hand him a note. Is that direct? If Obama "wires" it; and the document is decoded; the Russian Foreign Secretary picks it up, reads it, and hands it along; maybe with a memo; Is this "direct"? Are there degrees of directness?  If so, how does this handle back-and-forth arguments about claims?) See Retail Ventures Inc. v. National Union Fire Insurance of Pittsburgh, PA., 691 F.3d (6th Cir. 2012)

Of course, as already said, there are many other definitions, some of which are complex right on their surfaces and some of them involve other "sub-definitions," and they may be quite complex. Many other cyber policies are like this. The reader has been warned.

Some Key Definitions

The place to begin to sketch the other key portions of this agreement I.G is with the idea of--the definition of--a Digital Asset:

"Digital Assets means Electronic Data, Software, audio files, and image files stored on the Company's Computer System." (And then is a list of what is not within the definition, e.g., some pieces of paper, "unless they have been converted to Electronic Data, and then only in that form.")  The main themes of the definitions within this definition are predictable, although there may be sub-surface subtleties; all such components will be subject to endless dispute.

The other key definition is Digital Asset Expenses:

The phrase Digital Asset Expenses, as one might expect, to what it costs to replace or restore Digital Assets that has been injured in specified ways "corruption or deletion as the direct result of a Network Security Incident. Of course the expenses must be "reasonable and necessary."  These Expenses include "disaster recovery and or computer forensic investigation efforts[.]"  In addition, the replacement or restoration must be done in specified ways, e.g., solid records or other (to some extent) matching Electric Data.

Exclusions

There are no exclusions uniquely applicable to this insuring agreement and its definitions. The definitions more or less are taken from the language of definitions found in policies, designed for the so-called "real world" apply, of course, as to the definitions formulated for all--or many--of the sections

An Ironshore CyberPolicy--Part VII:Insuring Agreement I.F.

TechDefender

Tech E&O, Network Security, Internet Media and MPL Insurance Policy 

Insuring Agreement I.F: Regulatory Proceeding Coverage

Remember: This Blog is organized around insuring agreements, definitions and exclusions. Conditions, etc., may be remarked upon briefly, but they often resemble not only each other but those found in currently existing policies. It also ignores policy limits, retention matters, notice requirements, time intervals for coverage, etc., important as these are. As usual, the discussion of everything in this blog is tentative, partial, and perhaps mistaken here and there.  It is a new and relatively uncharted ocean.

*********************************************************************************

This insuring agreement is entitled Internet Media Liability Coverage.  It departs from the topics of privacy and network security and injury. 

The principal topics here are Electronic Publishing Wrongful Act and Damages.  The definition of Damages was covered in Part IV, so it will not be explicated again here, since it is lengthy, cumbersome, complex, an easily accessible.; there will be only a brief mention. 

The focus will be on the first of these two, Internet Publishing Wrongful Act.  It is complicated enough considered just by itself, partly because it hinges on another definition, Electronic Publishing, which--in turn--hangs in part on yet another definition, and it too. . . . down the pillar of definitions. Obviously, this discussion cannot complete the whole, dependent group of definitions.

The idea of a wrongful act is not itself defined in any general way, though it is sort of defined in terms of different key activities. Nevertheless, what it probably is, at least in part,  in different contexts is clear enough from the two words themselves, knowledge of the English language, and common sense.

The substance of the insuring agreement reads this way:

 The Insurer will pay on behalf of the Insured all Loss that the Insured is legally obligated to pay as Damages as a direct result of any covered Claim alleging an Electronic Publishing Wrongful Act (EPWA), provided. . . .

EPWA includes a number of actionable acts, some of which are also found in Coverage B of the Commercial General Liability policy, and there are more. The EPWAs are all linked to the Insured's Electronic Publishing.  Here is a list of some of them, which give the reader a general idea:

• defamation, 
• trade disparagement,
• plagiarism,
• false light,
• false advertising,
• violation of right of privacy,
• seclusion of a right to publicity
• copyright infringement,
• many trade infringements, of various sorts,
• unauthorized use of various things, formats, plots, etc.

Significantly, the so called "cyber-world" and "real-world" can overlap here.  Here is a crucially important example, copyright violations.  The object taken can originate in one of the worlds and the violation occur in the other. Of course, they can both happen in the "cyber-world," and this coverage apply.

Hacking is a highly publicized example of this sort of thing.  It starts in the "real world," passes into the "cyber world," and then impacts the real world.]

[Here is another, rather different, recent, distressing example. Someone got a hold of a copyrighted pornographic video, obtained the copyright for itself, and then posted them.  It found those who were then downloading it illegally (even once), sued many of them (using boilerplate pleadings), and quickly settled with those downloaders who were willing to settle for less than their costs of defense. Many people either didn't want to spend the money on defense or didn't have it.  Besides, who wants to know about your habits when it comes to porn.These scum bag lawyers and their minions made a good deal of money before getting caught and sanctioned by the court. The judge also sent information to disciplinary committees of various bar associations,  relevant information to other courts where they appeared, and saw to it that they were left open to civil suits. (Of course, criminal prosecutions may also turn up, since this was probably some sort of swindle using federal courts.)  Ingenuity 13 LLC v. John Doe, 2013 WL 1898633 (C.D. Cal., May 6, 2013).]

So an EPWA is a "WA" committed in relation to EP.  Now, how--more or less--is the phrase
Electronic Publishing defined.  It is "the reproduction, publication, dissemination, transmission or release of information, including Electronic Data and other various cyber-type things on a website or operated and owned by the Company or Computer System of the Company, provided [it is that of the Company by itself.]"  Notice that the definition of EP contains other definitions, of which--that of Electronic Data--is on the complicated side.

Several features of the insuring agreement as portrayed here are worth noting. 

First, as with some of the other insuring agreements, the insured has a very long list of propositions it has to prove in order to begin to qualify for coverage. (And this doesn't even address the exclusions, even those are for the insurer to prove, so long as they are not exceptions to the exclusion built into the exclusion.)  This is not an easily played game.

Second, the Insurer has a duty to "pay on behalf of the Insured all Loss[es]. . . ." that the "Insured is legally obligated to pay as Damages as the direct result of any. . . .   The phrase "pay on behalf of" is a crucial phrase here.  It means that the Insurer will not wait to pay the Insured until it has spend money on necessary activities; it will pay up front to whomever has a right  to be paid by the Insured

Third, the Insurer's duty to pay applies only to damages that are the "direct result" of an action.  As has already been pointed out in another Part, there is a slew of disputes arising out of  so called "real world" policies regarding the meaning of that phrase. Presumably it is a jury question, but it can be contested for a very long time.

Fourth, it is extremely important to remember that the term Loss includes not only Damages but Claim Expenses. The two ideas are obviously different. The latter includes the Insurer's duty to defend, and, so far as I can tell, not much else. 

Fifth, it is tempting to say this: the insuring agreement I.F is saying that the Insurer has the obligation to pay defense costs only if the Insured is legally obligated--and so have been found to be legally obligated--to pay Damages.  This idea is absurd from a temperate view, among others.  If I have read the language correctly, then the insurer would have no duty to make payments on behalf of the insured until after it was determined that the Insurer was legally obligated to. . . .  Hence this is not a really possible reading.

Sixth, another way to read this insuring agreement is this one: the agreement says that the Insurer will pay on behalf of the Insured all Loss "that the Insured is legally obligated to pay as damages."  But the term Loss contains two parts.  Only one of them pertains to Damages.  The Insurer has promised  to pay Damages only.  It has not promised to pay any other component of the definition of Loss.  If this is right, then the Insurer has no duty to pay for any part of the Insured's defense.  Insuring agreement I.A. does not restrict the Insurer's obligations to Damages only.  It covers all Loss, so it covers costs of defense as well.  (Now, I must confess that I have a feeling I've missed something.  Intuitively, it doesn't seem probable that a liability insurer selling a policy like this one, would not include a duty to defend. Nevertheless. . . .)

Seventh, this problem is one of appearance only.  There is a separate section in which the duty to defend liability cases is set forth.  This fact may be confusing even to the more experienced reader.  The reason is that the duty to defend it usually set forth in the insuring agreement section of a policy. Here the opposite is true.  That duty  gets its own section,  The insurer's duty to defend in this policy may be weaker than in many so-called real "world policy."  Most policies of the so-called "real world" require a liability insurer to defend its insured if the plaintiff's pleading states--or, probably in many jurisdictions, sketches  a covered claim; it does not require that the claim actually be covered.  The plaintiff (and possible victim) can be wrong about what is asserted in the pleading or even lying, and there still be a duty to defend. The liability sections of this policy don't appear to say that.  It at least appears that the claim must actually be covered.  I don't see how that can be true, but if I have understood the language, that is what is says.

With respect to exclusions, there a lot of them.  Almost all or all of them are subject to exceptions. Both of them are complicated. The list of exclusions, however is very similar to that found in so called "real world" policies. For example, there is no coverage for dishonest actions and actions performed for the purpose of profit.

One significant difference is that, like most cyber insurances but unlike many "real world policies," injuries to human bodies and tangible property are excluded. 

Another exclusion quite specially connected to I.F is an exclusion for most "unsolicited electronic disseminations, faxes, emails, of other communications by the Insured or any other third party," including those which violate statutes, with various exceptions.

Much more can be said and argued, but enough is enough.  Coverings of coverages can run on forever, and maybe this has already go on too long. So it's time to pass on.

Cyber Insurance and CGL Packages: Part I

Introduction: The "Old Insurance World" and the "New"
Through the Lens of a Single Policy




My discussion of this policy will have to be divided into at least two parts  The first one will contain a Preface, a discussion of two crucial definitions, and a discussion of the Insuring Agreement. Part Two will be a discussion of a number of the Exclusions, of which there are many. Part Three will discuss a few of the Conditions and some miscellaneous clauses. Part Three will be quite brief.

Preface

Awhile back, I wrote that commercial insurance for the so-called "real world," as opposed to the "cyber world," do not and will not apply much to the new cyber part of the "New World." 
The Comprehensive General Liability Policy ("CGL") is a paradigm case. One part of these policies, Coverage A, covered "bodily injury" and "property damages." Another part, Coverage B, covered "personal injury," a phrase contrary to ordinary English usage. It covered some acts that did not cause injuries covered in Coverage A. For the purpose of this essay, the most important provisions recently involved have been copyright infringement and invasion of privacy. Many years ago, patent disputes may have also been included in Coverage B, although at at least some insurers asserted that they never intended that way.  It is gone now.  Invasion of privacy has also been covered in the past, but it have either been deleted, or it will be shortly either altogether or specifically for the cyber world.




Cases deciding the applicability of CGL provisions to the cyberworld are sparse.  In one of them the judge decided that networks may be tangible physical property, even though it cannot be touched.  After all said the concurring judge, it is made of  "atoms or molecules. . .and a meaningful sequence of of magnetic impulses cannot float in space."  Computer Corners, Inc. v. Fireman's Fund Insurance Co., 46 .3d 1264 (N.M. App. 2002) ("Impaired property," given policy language, need not be tangible physical property).  NMS Services, Inc., The Hartford, 347 Fed. Appx.  511 (4th Cir. 2003)(concurring opinion: Majority: computer damaged. Concurrence: coverage for erasure of information from records on physical object is itself a physical loss. Concurrence never cited and it based on a 1983 case,)

The internal language of the CGL standard policy has recently changed substantially. Here is the new language; it is to be found within the definition of "property damage":

"For the purposes of this insurance, electronic data is not tangible property. As used in this definition  electronic data means information, facts or programs stored as on or, created or used on, or transmitted to or from computer software, including systems and applications software, hard or floppy disks, CD-ROMS, tapes, drivers, cells, data processing devices or any other media which are used with electronically controlled equipment."

ISO Form CG 00 01 12 07.

Obviously, it no longer matters whether information, data, and so forth are tangible physical objects, they are excluded in any case.






I will be commenting on the policy as we go along.  I will try to put such substantive comments  in smaller type.  That protocol does not apply yet.

There will, of course, be mixed policy limits in both first and third party insurance, and both of these types will be so-called claims made policies. In this case, the first party coverage is found in the "duty o defend" and the third party coverage is to be found in the "duty to indemnify

I have already discussed policies which are "double claims-made policies."  What I mean by this is (1) that the claim against the insured must occur during the policy period and (2) that the insured's claims to or against the insurer must also occur during the same period of time. On top of this, the policy period is expandable in one or two directions for an additional premium, and that is helpful to insureds, so long as the price is not too high.This is one of those.

Nevertheless, there is something left over from CGL policies, and probably others, e.g., professional malpractice polices for professionals such as engineers, architects, cyber designers, Directors and Officers policies, and others--even lawyers, though probably not dentists. The leftovers are to be found among available endorsements. 

There are different kinds of endorsements. Some add substantive matters, like changing a substantive definition; some add or subtract one or more named insureds and/or items insured, e.g., cars, boats, building; some add or subtract policy limits or periods; and the list goes on. For our purposes the type of endorsement at question is one which adds what might be called a new policy. It turns a "standalone policy" into a "package policy."  Our concern here is the last of these.

Our story in this essay begins with a CGL policy. To that is added an endorsement and that is the policy under consideration here. The endorsement is entitles as follows:

"Technological Professional Liability Insurance Policy  (Claims Made),"

In this case, which was issued in 2012, the word "technological" is the key to understanding what the policy is about, and that policy is the topic of this blog-essay.*(*I have said the following previously.  As with (virtually) all cyberworld insurance there are no--or virtually no--published opinions of the court.  There are no reported opinions about this policy--none!  Consequently, everything I say is conjecture, to some degree.  I will not be setting forth and/or discussing the whole policy.  And I make mistakes, like everyone else.**)(**Notice that I have begun using small print for comments.)

This Contract of Insurance

Declaration Pages.  One of the places to start reading, reviewing, studying, and analysing insurance policies is with the "Declarations Page" aka "Dec Sheet(s)"  It contains a variety of bits of useful information, but often for an essay like this one, the author does not have it and cannot get it.  In this type of case, the endorsement-created-policy is often--at least in part--controlled by the dec sheet for the whole policy, and it looks like that what the dec sheet appears to say, but a lot of what's on that sheet has been blacked out, and the Tech-Pol lists its own policy limits.  Curiously both dec sheets, if that's the right way to talk about them, both refer to another identified document. This is not uncommon. 

Wrongful Act.  As is common in policies of this sort, and similar policies, one of the key definitions that is virtually the essence of the policy is the definition of the phrase "Wrongful Act."  So I will begin with it:

Two Key Definitions 

 "When used in this policy. . . . : the term 'wrongful act' means

                    (a) a negligent act, error or omission arising from [the] performance of 'Technological

                         Professional Services' rendered to others;

                    (b) a network injury."

Comments: Section(a) The phrase, "wrongful act," is commonly used in professional malpractice insurance policies and some others.  This is a professional malpractice policy, in part, but in some ways a more general policy designed for professionals. The use of the phrase, "errors and omissions," is also characteristic of some malpractice policies, e.g., accountants and lawyers. Here, the term "negligent" ranges over acts, errors, and omissions--all three. An intentional act that is intended to cause injury does not count as a "wrongful act." Traditionally, it was not used in the malpractice policies  of physicians.  It may strike one as unusual that the term "wrongful" would be applied exclusively to negligent performances.  Lots of other types of activities are called "wrongful" in ordinary English. But so it is. 

One feature of this definition distinguishes this policy from  purely professional malpractice policies. They usually restrict coverages to injury and damage that the insured causes its own clients. That is not what this definition says. Instead, it refers to "others." Usually, injuries directly caused by the insured others, that are not the clients, are not covered.  This difference is a big deal! (Of course,  if the damage or injury to the insured in turn cause damage or injury to another, the insurer may be liable for the damage or injury causes to the the person down the line of causation.  In addition, if an uninsured person causes injury or damage to the insured and that causes the insured to injure or damage another person as the result of the insureds own negligence, the insurer is liable. Remember: The insuring agreement cannot be understood without this key definition thoroughly in mind.)

Comments:   Section (b): There is another crucial feature of this definition, and that is section (b).  There are two different possible meanings for (b).  One goes more or less like this: "The term "wrongful act" means a negligent act, error or omission arising from the performance of Technological Professional Services rendered to a Network injury."  I cannot see how this could make any sense.  An alternative is this: "The term 'wrongful act' means a negligent act, error or omission arising from the performance of Technological Professional Services to others where a injury to a relevant network is involved."  The trouble with the second alternative is that, while it now makes grammatical sense, the policy does not really say that, and the phrase "Network Injury" is not defined in the policy or in any of the usual glossaries for terms widely and routinely used in the cyberworld.  In addition, which networks and which injuries is the policy talking about?  One possibility is that it means all injuries to any network in which the insured has an insurable interest, and that is a reasonable policy.  If that is what the policy intended to say, however, it could have said that; it did not.

In order to understand the key terms within the key definition, the definition of "wrongful act," it is necessary to understand another definition (or some parts of it "here" and other parts of it "there"), namely that of "Technological Professional Services":

Technological Professional Services.  [This phrase means]
                      (a) analysis, design, programming or integration of information, network or computer
                           systems;
                      (b) processing, enter, analysis or interpretation of data;
                      (c) development, design, integration or licensing of computer software;
                      (d) resale, recommendation, marketing, installing, maintenance and training in the use of
                           computers or network hardware and software systems;
                      (e) website, application or data hosting, support, maintenance or management;
                      (f ) outsourcing to outside vendors any of the services detailed in item (b), (c), (d), (e) and (f)
                            to be performed by individuals or businesses who are not employees or controlled or
                            owned by the Named Insured.
                       (g) the conduct of the Named Insured's designated operation subject to the following      
                            classification code number(s) as scheduled above and described on form AD-150 and as
                            applies to (a), (b), (c), (d), (e), and (f) of the "technology professional services" definition
                            above.

Comments: Obviously, this list--treated as a definition--is intended to be a thorough-going catalogue, of the range of actions cyber-designer, cyber-engineers, and/or  their "siblings" do for their customers.  It, then, sets forth the range over what the idea "wrongful act" ranges.  As part of the list there is a reference to "form AD-150."  References to documents like this are to be found in a good number of insurance policies for complex activities. They are almost never, in my experience,  part of the policies; they are not provided to the insurer in advance; and often the agent-broker has no more idea about them that the insured does.  They are usually documents to be found in the "Underwriting Department," and it is a good idea for Risk Managers of companies shopping for insurance to obtain these documents, read them, try to understand them,and if there are difficulties politely demand that they be explained.

Comments: This definition includes analogies of the kind of acts and omissions usually insured in professional malpractice policies.  There are additional features, however.  To some extent, at least, this is a result of the kind of professional services offered. For example, the following elements of the list are like that: (a), (b), (c), parts of (d)., parts of (e), and (f)?, and maybe there is more. The following elements on the list do not, at least as they appear to be, look like that: parts of  (d) (e.g., "resale," "marketing," "installing," etc.), part of (e), and (f)?  Of course, it may be that each of the apparently non-covered activities--non-covered simply because of the appearance of language or unclarity--are actually professional activities in the cyber world.  It must be kept in mind, however, that an insurer may contest any of these issues. At the same time, all actual ambiguities and all actual vagaries are resolved in favor of the insured.

We now turn to the agreements as to what is covered.  (Remember: The exclusions also, in the end, determine what is covered.)

Agreement as to What's Covered

II. Coverage - TECHNOLOGY PROFESSIONAL LIABILITY

There are two lengthy parts of the Insuring Agreement. One of them pertains to what is often called the insurer's obligation to indemnify the other pertains to the insurer's duty to defend the insured if accursed of a wrongful act, as defined in the policy. [The phrase "duty to indemnity can be a confusing.  The term "indemnity" means that I will pay for you eventually, but often it involves your paying and then I will pay you what you have already paid.  That is not how the duty works here.

A. INSURING AGREEMENT

The Company agrees to pay on behalf of the Insured those sums which the Insured shall become legally obligated to pay as damages arising from a Wrongful Act committed by or on behalf of the Insured subsequent to the retroactive date specified above and subject to the applicable limits specified above.

Comments:Very little needs to be said about II.A now.  The definitions have already been laid out, and the insuring agreement derives immediately from those definition.  Controversies will arise out of the definitions, not out of the insuring agreement.

Comments: From my stand point so far, the confusing point  is the idea that there is coverage not only for what the insured and its legal agents do, but also actions which are performed for the insured by someone who is not its legal agent. The injuries caused by the agents of a principal are attributable back to the principal.  This is what "vicarious liability" is all about.  There is another species of person who can act on behalf of another entity, namely independent ____________ ["somethings"].  What fills in the blank depends on the industrial context. Thus, in the area of insurance adjustment there are adjusters who are the legal agents of the insurer; adjusters who are the employees of the carrier; and independent adjusters who are not, but who are vendors and  of adjustment services.  The same is true in the sale of insurance.  There are some insurance agents who are the legal agents of the carrier and some who are independent insurance agents.  The word "behalf of" does not make make that distinction.  As a consequence, this policy insures the insured for all actions of an independent ____________, so long as there is any way the insured might be held responsible for those mistakes . This could happen.  Insured orders an independent X to do a.  X does b or ~a instead.  X's actions are outside the scope of the insured's instructions.  Nevertheless, it gave X orders.

B. CLAIMS MADE CLAUSE  This does not need to be discussed further.  This policy is a "double claims made policy."

III. Coverage - Defense, Settlement, Supplementary Payments

As respects such insurance as is afforded by the other terms of this policy, the Company [the insurer] shall:

A. defend in his name and behalf any suit against the Insured alleging damages from, or connected with Wrongful Acts, even if such suit is groundless, false or fraudulent, but the Company shall have the right to make such Investigation and negotiation of any claim or suit as may be deemed expedient by the Company;

(Comments: There are a whole range of problems in III.A, but with one exception they are familiar from "real world" insurance.  )

B. reimburse the Insured for all reasonable expenses, other than loss of earnings, incurred at the Company's request, except amounts paid in settlement of any legal liability insured under II. COVERAGE - TECHNOLOGY PROFESSIONAL LIABILITY, which liability shall be governed by the limit of liability stated in the Declarations.

(Comments: The wording implies that the insurer will pay legal expenses as the case develops and will be in charge of defending.  This means that it will price defense counsel.  The policy also implies that if the insured wants it, it must buy a separate policy for business income loss, aka business interruption loss.)

The Company shall not be obligated to pay any claim, judgement or expenses nor defend any suit, or claim on or after the applicable limits of liability have been exhausted by payment of judgments or settlements, expenses or any combination thereof.

(Comment: The cost of legal fees reduces policy limits.)


This concludes Part I of the essay on the Admiral policy.  Part II will mainly concern exclusions.