Ironshore Blanket Cyber Policy--Part XI: Insuring Agreement I.J

Michael Sean Quinn, Ph.D, J.D., Etc.

1300 West Lynn #208

Austin, Texas 78703

(o) 512-296-2594

(c) 512-656-0503

mquinn@msqlaw.com

TechDefender

Tech E&O, Network Security, Internet Media and MPL Insurance Policy 

Insuring Agreement I.J. TECHNOLOGY AND INTERNET
LIABILITY COVERAGE

Remember: This Blog is organized around insuring agreements, definitions and exclusions. Conditions, etc., may be remarked upon briefly, but they often resemble not only so-called "Real World" policies and those found in other currently existing so-called  "Policies for the Virtual World." It also ignores policy limits, retention matters, notice requirements, time intervals for coverage, etc., important as all these are. As usual, the discussion of everything in this blog is

Be sure to read the "Concluding Remarks," Even if you don't read all--even much--of the rest of the blog.

*****************************************************************************

Insuring Agreement 

Once the temporal and procedural components are ignored, the substance of the insuring agreement looks pretty much like this:

The Insurer will pay on the Insureds behalf all Loss. . .that the Insured is legally obligated to pay as Damages as the direct result of any covered Claim alleging a Technological Wrongful Act
Wrongful Act, except to the extent the Claim "would be covered under Insuring Agreements B and C[.]"  [B is NETWORK SECURITY LIABILITY COVERAGE;  C is PRIVACY LIABILITY COVERAGE, and both have been discussed in earlier blogs regarding this policy.]

It is worth keeping in mind that actionable defects in the rendering of "professional services" are often called "errors and omissions" policies, although both an error and an omission are not required--one of them will do just fine.  They are also often called various types of "malpractice."  (A generation ago, or so, the phrase "errors and omissions" applied to errors of accountants. Those separate usages are gone.)

New Definitions

 

All, or virtually all, of the starting definitions to be found in the insuring agreements (and in the exclusions, for that matter) depend upon other definitions. A rests on B; B rests on C; and so forth. The key definition of a substantively significant matter is the particular type of wrongful act. Going over the definitions will take some time.

The starting definition with which this coverage analysis starts is a buried definition, namely, Technological Services.  Obviously, the nature of (or the character of) a "wrongful act" depends on that activity with respect to which there has been a wrongful act. This definition is complex; it takes up nearly half a page. 

One thing about the idea of Technological Services is that it includes many services that are regarded as "professional services" on some policies in the so-called "real world."  These are policies that are not ordinary policies, e.g., for life, home and similar buildings, individual vehicle (including boats and the like), etc.  They are not ordinary business policies that cover a slew of ordinary activities.  Instead they are policies that cover specialized and "high class" activities, usually by persons and their companies. Only their professional activities are covered, and in many cases the "wrongful act" is negligence. Here are some examples: physicians, lawyers, accountants, psychologists, brokers, some financiers, and so forth. The Technological Services definition covers some professional services, in this sense, but others as well.  (Then again, perhaps in cyber lingo and its system of concepts lots of activities are called professional the analogues of which in the so-called "real world" would not be counted as such.  This may be quite reasonable since it is a very complex "world.")

Here are some of them:
(1) analysis, design, [and much else] of Computer Systems
 (2) "data base design," (including the warehousing, storage, or recording or analysis of data, etc.)  [MSQ: surely including "cloud" activities],"
(3) other related services:
(a)  consulting, etc. of "technological information," plus manufacture, repair, etc., \
(b) licensing computer software,
(c) website design, and the provision of various sorts of services, etc.,
(d) design, etc., of chat rooms, etc.,
(e) "e-commerce transaction services," etc., &
(f) "electronic data destruction services."

The meaning of the phrase Technological Wrongful Act is much simpler;  it "means any or alleged actual act, unintentional error alleged act, omission neglect or breach of duty by an Insured or Service Provider to others for a fee, including the Insured's intentional breach of contract to render services to others, or the failure of the Insured's Technological Products to perform the function intended."

The idea behind Technological Products is easy to grasp.  So is the idea of Service Provider, except that it is a hireling of the Insured and does its work. (Of course both of these summaries of definitions are just that, rough summaries.)

A too limited (and somewhat speculative) summary is this: The kind of wrongful act covered has to do with fouling up work in connection with an insured's technological work (or those of its service provider) they directly harm some computer stuff belonging to someone else and found in the so-called "cyber world" damages to the company to which the cyber material. However, I.J.provide coverage to that portion of this policy "covered under insuring agreements I.B and I.C." [The emphasis is mine] 

The "and" in this exclusion\or limit built into the insuring agreement requires that an event and consequence of that event be covered under both I.B and I.C in order to be outside J-coverage.
The coverage provided in I.B is injuries and then losses inflicted upon the network security of another by means of a covered wrongful act. (See Part See III.)  Being covered by I.B but not I.C doesn't entail no coverage under I.J.  Insuring agreement I.C covers injuries and losses caused to the privacy (or privacies) of others.  (See Part IV)  .C alone does not take an injury and its losses out of I.J.  It must be conjoined to I.B.

My guess is that actionable invasions of privacy on the net can occur without the destruction of or injury to network security.  I.J is really about fouling up the rendition of cyber services.  Obviously,
inflicting damages upon a network is the same as a failure to renter satisfactory services.  Not will the latter likely to invade someone's privacy.  So why separate them off so sharply? Simplifying adjustment? Unlikely: the adjustment process with remain the same.  Premium allocation?  A little more likely, perhaps, since reinsurance would be priced differently without this "exclusion." Neither of these seem likely, however, so I am mystified.

An Ironshoe Cyber Insurance Policy--Part VIII: Insuring Agreement I.G

Michael Sean Quinn, Ph.D, J.D., Etc.

1300 West Lynn #208

Austin, Texas 78703 

(o) 512-296-2594

(c) 512-656-0503

mquinn@msqlaw.com

TechDefender

Tech E&O, Network Security, Internet Media and MPL Insurance Policy 

Insuring Agreement I.G: DIGITAL ASSET EXPENSES COVERAGE

Remember: This blog is organized around insuring agreements, definitions and exclusions. Conditions, etc., may be remarked upon briefly, but they often resemble not only each other but those found in currently existing policies. It also ignores policy limits, retention matters, notice requirements, time intervals for coverage, etc., important as these are. As usual, the discussion of everything in this blog is tentative, partial, and perhaps mistaken here and there.  It is a new and relatively uncharted ocean.

*  *  *  *  *  *

This insuring agreement is the first of three first-party coverages. It is important to quote the entirety of the agreement, and then give a quick explanation. As usual this agreement depends upon several definitions, two of which are new here; as usual they depend on others. There are more definitions than will be discussed here, since they have been discussed early in these blogs, so they will not be discussed in detail. 

Here is I.G:

"The Insurer will reimburse the Company for any Digital Asset Expenses the Company incurs as the direct result of the corruption, damage, impairment, destruction or deletion of Digital Assets directly caused by a Network Security Incident[.]"  [This is the end of what will be fully quoted in this blog.]

There are several important points to note in this definition. First, the Insurer has an obligation to reimburse.  Technically, under the wording of the contract, this means the Insured has to spend the money before it collects from the insurer. The Insured's right to reimbursement only for covered spending.  Thus, the Insurer probably has a right to "observe,"  "monitor," and maybe even to some degree "regulate"expenditures.  [The words in quotes are mine, not those of the policy.] Of course, any such regulation must be reasonable and necessary.

 The rights of the insurer and the insured parties to the contract may conflict on this and--of course--other matters. One area disputes in this area might develop is over the need for forensic investigation; carriers may sometimes assert that one is enough; while the insured may assert that it has a right to pick its own investigator.

Second, it is the Company and not the Insured that is covered in I.G. Of course, the Company is part of the Insured, but it is not the only one; the others are individuals and they are named as Insureds here.  Probably that is because it is the Company that will be incurring the expenses that are covered.

Third, the term "direct" is in I.G twice. Hence, there must be two direct, as opposed to indirect, causation's.  First, the covered expenses must directly result from a covered incident to which the covered Digital Assets were subjected. Second, the expenses must directly result from the corruption [etc.] of the Digital Assets.  

(The reader might use the following images to get an idea of required directness. Suppose Obama sends a diplomatic message to Putin. He might hand it to him. That's obviously direct. The U.S. Secretary of State might tell him or hand him a note. Is that direct? If Obama "wires" it; and the document is decoded; the Russian Foreign Secretary picks it up, reads it, and hands it along; maybe with a memo; Is this "direct"? Are there degrees of directness?  If so, how does this handle back-and-forth arguments about claims?) See Retail Ventures Inc. v. National Union Fire Insurance of Pittsburgh, PA., 691 F.3d (6th Cir. 2012)

Of course, as already said, there are many other definitions, some of which are complex right on their surfaces and some of them involve other "sub-definitions," and they may be quite complex. Many other cyber policies are like this. The reader has been warned.

Some Key Definitions

The place to begin to sketch the other key portions of this agreement I.G is with the idea of--the definition of--a Digital Asset:

"Digital Assets means Electronic Data, Software, audio files, and image files stored on the Company's Computer System." (And then is a list of what is not within the definition, e.g., some pieces of paper, "unless they have been converted to Electronic Data, and then only in that form.")  The main themes of the definitions within this definition are predictable, although there may be sub-surface subtleties; all such components will be subject to endless dispute.

The other key definition is Digital Asset Expenses:

The phrase Digital Asset Expenses, as one might expect, to what it costs to replace or restore Digital Assets that has been injured in specified ways "corruption or deletion as the direct result of a Network Security Incident. Of course the expenses must be "reasonable and necessary."  These Expenses include "disaster recovery and or computer forensic investigation efforts[.]"  In addition, the replacement or restoration must be done in specified ways, e.g., solid records or other (to some extent) matching Electric Data.

Exclusions

There are no exclusions uniquely applicable to this insuring agreement and its definitions. The definitions more or less are taken from the language of definitions found in policies, designed for the so-called "real world" apply, of course, as to the definitions formulated for all--or many--of the sections

An Ironshore CyberPolicy--Part VII:Insuring Agreement I.F.

TechDefender

Tech E&O, Network Security, Internet Media and MPL Insurance Policy 

Insuring Agreement I.F: Regulatory Proceeding Coverage

Remember: This Blog is organized around insuring agreements, definitions and exclusions. Conditions, etc., may be remarked upon briefly, but they often resemble not only each other but those found in currently existing policies. It also ignores policy limits, retention matters, notice requirements, time intervals for coverage, etc., important as these are. As usual, the discussion of everything in this blog is tentative, partial, and perhaps mistaken here and there.  It is a new and relatively uncharted ocean.

*********************************************************************************

This insuring agreement is entitled Internet Media Liability Coverage.  It departs from the topics of privacy and network security and injury. 

The principal topics here are Electronic Publishing Wrongful Act and Damages.  The definition of Damages was covered in Part IV, so it will not be explicated again here, since it is lengthy, cumbersome, complex, an easily accessible.; there will be only a brief mention. 

The focus will be on the first of these two, Internet Publishing Wrongful Act.  It is complicated enough considered just by itself, partly because it hinges on another definition, Electronic Publishing, which--in turn--hangs in part on yet another definition, and it too. . . . down the pillar of definitions. Obviously, this discussion cannot complete the whole, dependent group of definitions.

The idea of a wrongful act is not itself defined in any general way, though it is sort of defined in terms of different key activities. Nevertheless, what it probably is, at least in part,  in different contexts is clear enough from the two words themselves, knowledge of the English language, and common sense.

The substance of the insuring agreement reads this way:

 The Insurer will pay on behalf of the Insured all Loss that the Insured is legally obligated to pay as Damages as a direct result of any covered Claim alleging an Electronic Publishing Wrongful Act (EPWA), provided. . . .

EPWA includes a number of actionable acts, some of which are also found in Coverage B of the Commercial General Liability policy, and there are more. The EPWAs are all linked to the Insured's Electronic Publishing.  Here is a list of some of them, which give the reader a general idea:

• defamation, 
• trade disparagement,
• plagiarism,
• false light,
• false advertising,
• violation of right of privacy,
• seclusion of a right to publicity
• copyright infringement,
• many trade infringements, of various sorts,
• unauthorized use of various things, formats, plots, etc.

Significantly, the so called "cyber-world" and "real-world" can overlap here.  Here is a crucially important example, copyright violations.  The object taken can originate in one of the worlds and the violation occur in the other. Of course, they can both happen in the "cyber-world," and this coverage apply.

Hacking is a highly publicized example of this sort of thing.  It starts in the "real world," passes into the "cyber world," and then impacts the real world.]

[Here is another, rather different, recent, distressing example. Someone got a hold of a copyrighted pornographic video, obtained the copyright for itself, and then posted them.  It found those who were then downloading it illegally (even once), sued many of them (using boilerplate pleadings), and quickly settled with those downloaders who were willing to settle for less than their costs of defense. Many people either didn't want to spend the money on defense or didn't have it.  Besides, who wants to know about your habits when it comes to porn.These scum bag lawyers and their minions made a good deal of money before getting caught and sanctioned by the court. The judge also sent information to disciplinary committees of various bar associations,  relevant information to other courts where they appeared, and saw to it that they were left open to civil suits. (Of course, criminal prosecutions may also turn up, since this was probably some sort of swindle using federal courts.)  Ingenuity 13 LLC v. John Doe, 2013 WL 1898633 (C.D. Cal., May 6, 2013).]

So an EPWA is a "WA" committed in relation to EP.  Now, how--more or less--is the phrase
Electronic Publishing defined.  It is "the reproduction, publication, dissemination, transmission or release of information, including Electronic Data and other various cyber-type things on a website or operated and owned by the Company or Computer System of the Company, provided [it is that of the Company by itself.]"  Notice that the definition of EP contains other definitions, of which--that of Electronic Data--is on the complicated side.

Several features of the insuring agreement as portrayed here are worth noting. 

First, as with some of the other insuring agreements, the insured has a very long list of propositions it has to prove in order to begin to qualify for coverage. (And this doesn't even address the exclusions, even those are for the insurer to prove, so long as they are not exceptions to the exclusion built into the exclusion.)  This is not an easily played game.

Second, the Insurer has a duty to "pay on behalf of the Insured all Loss[es]. . . ." that the "Insured is legally obligated to pay as Damages as the direct result of any. . . .   The phrase "pay on behalf of" is a crucial phrase here.  It means that the Insurer will not wait to pay the Insured until it has spend money on necessary activities; it will pay up front to whomever has a right  to be paid by the Insured

Third, the Insurer's duty to pay applies only to damages that are the "direct result" of an action.  As has already been pointed out in another Part, there is a slew of disputes arising out of  so called "real world" policies regarding the meaning of that phrase. Presumably it is a jury question, but it can be contested for a very long time.

Fourth, it is extremely important to remember that the term Loss includes not only Damages but Claim Expenses. The two ideas are obviously different. The latter includes the Insurer's duty to defend, and, so far as I can tell, not much else. 

Fifth, it is tempting to say this: the insuring agreement I.F is saying that the Insurer has the obligation to pay defense costs only if the Insured is legally obligated--and so have been found to be legally obligated--to pay Damages.  This idea is absurd from a temperate view, among others.  If I have read the language correctly, then the insurer would have no duty to make payments on behalf of the insured until after it was determined that the Insurer was legally obligated to. . . .  Hence this is not a really possible reading.

Sixth, another way to read this insuring agreement is this one: the agreement says that the Insurer will pay on behalf of the Insured all Loss "that the Insured is legally obligated to pay as damages."  But the term Loss contains two parts.  Only one of them pertains to Damages.  The Insurer has promised  to pay Damages only.  It has not promised to pay any other component of the definition of Loss.  If this is right, then the Insurer has no duty to pay for any part of the Insured's defense.  Insuring agreement I.A. does not restrict the Insurer's obligations to Damages only.  It covers all Loss, so it covers costs of defense as well.  (Now, I must confess that I have a feeling I've missed something.  Intuitively, it doesn't seem probable that a liability insurer selling a policy like this one, would not include a duty to defend. Nevertheless. . . .)

Seventh, this problem is one of appearance only.  There is a separate section in which the duty to defend liability cases is set forth.  This fact may be confusing even to the more experienced reader.  The reason is that the duty to defend it usually set forth in the insuring agreement section of a policy. Here the opposite is true.  That duty  gets its own section,  The insurer's duty to defend in this policy may be weaker than in many so-called real "world policy."  Most policies of the so-called "real world" require a liability insurer to defend its insured if the plaintiff's pleading states--or, probably in many jurisdictions, sketches  a covered claim; it does not require that the claim actually be covered.  The plaintiff (and possible victim) can be wrong about what is asserted in the pleading or even lying, and there still be a duty to defend. The liability sections of this policy don't appear to say that.  It at least appears that the claim must actually be covered.  I don't see how that can be true, but if I have understood the language, that is what is says.

With respect to exclusions, there a lot of them.  Almost all or all of them are subject to exceptions. Both of them are complicated. The list of exclusions, however is very similar to that found in so called "real world" policies. For example, there is no coverage for dishonest actions and actions performed for the purpose of profit.

One significant difference is that, like most cyber insurances but unlike many "real world policies," injuries to human bodies and tangible property are excluded. 

Another exclusion quite specially connected to I.F is an exclusion for most "unsolicited electronic disseminations, faxes, emails, of other communications by the Insured or any other third party," including those which violate statutes, with various exceptions.

Much more can be said and argued, but enough is enough.  Coverings of coverages can run on forever, and maybe this has already go on too long. So it's time to pass on.