Duty of Defense Rejected
In 2011, Bryan Brettin, an orthodontist in Hudson, Wis., used a neighbor’s computer to pose as an unhappy patient of a competing dental practice.
In 2012, Brettin, his employer Daniel Sletten, and Sletten & Brettin Orthodontics (S&B) were sued by Douglas Wolf, a dentist at St. Croix, for defamation and libel, civil conspiracy and unfair competition.
Brettin, Sletten and S&B requested a defense from Continental Casualty Co., from which they had purchased general liability and personal liability coverage. They later added Wells Fargo Insurance Services to the case, as S&B was never added to the policy as a named insured.
The U.S. District Court for the District of Minnesota dismissed the case, ruling that the policy excluded coverage for acts done with the intent to injure. It declined to address the issue of whether S&B should have been a named insured, since there was no duty to defend.
On March 19, the U.S. 8th Circuit Court of Appeals upheld that ruling, dismissing the dentists’ argument that the coverage was ambiguous because it provided coverage for defamation but also precluded it by defining an occurrence as an accident, and including an intent-to-injure exclusion.
The court ruled instead that the two provisions “are opposite sides of the same coin,” and noted that it is possible to defame someone without intending to injure them.
Scorecard: Continental Casualty did not need to provide a defense for the dentists or their dental practice.
Takeaway: Excluding coverage for intentional acts is designed to eliminate an “insured’s ability to cause harm intentionally with impunity.”
Hurricane Damage Partially Covered
In September 2005, Hurricane Rita struck along the Louisiana coast, bending the H-2 offshore well owned by Prime Natural Resources about 7 feet above the mud line, toppling the adjacent H-platform away from the well, and damaging the pipeline that attached the well and platform to a nearby facility.
Prime sought coverage under policies issued by a group of Lloyd’s of London syndicates and Navigators Insurance Co. UK, claiming all costs to restore the well and get it back into production.
The underwriters declared the H-platform “to be a constructive total loss,” and paid Prime $900,000 for its 50 percent interest in the platform’s replacement cost value, according to legal documents.
The insurers also paid Prime $225,000 (25 percent of the replacement cost value) for debris removal from the platform, and $2.88 million for claims related to pipeline damage, debris removal and well-redrill operations. That was the maximum amount recoverable, they said.
Arguing that its total expenses were “unambiguously covered” by its policy, Prime sued the insurers in Texas District Court for breach of contract. The court dismissed the case.
On appeal to the Court of Appeals for the First District of Texas, the underwriters again prevailed, as the court ruled on March 26 that the contested portions of the policy covered wells and costs to regain control of wells “which get out of control,” but not to restore the wells.
It also ruled that the policy conditions related to physical damage to the platform included removal of debris and not restoring it to its pre-damage state, disagreeing with Prime’s argument that restoration of the platform was necessary to restore the well to production.
Scorecard: The insurers did not have to pay $4.7 million for breach of contract, lost business opportunities, lost profits or attorneys’ fees.
Takeaway: Prime’s costs to refurbish the platform were not accepted as “proactive” efforts to prevent the well from getting out of control.
Insurer on Hook for Cargo Damage
On Dec. 22, 2006, a train derailment near Newberry Springs, Calif., damaged cargo that was being shipped from Ohio and Indiana to Australia.
A.P. Moller-Maersk, which had agreed to transport the goods under a single shipping contract covering the entire journey, had subcontracted with BNSF Railway Co. to carry the cargo by rail from Illinois to California, where it was to be loaded on a Maersk ship for the ocean voyage to Australia.
American Home Assurance Co. sued Maersk seeking to recover damages to the cargo, and Maersk sought indemnification from BNSF.
In 2011, a U.S. District Court ruled the Carmack Amendment, which covers liability of carriers under bills of lading, was the governing rule affecting the inland leg of the shipment, and in 2014, a court granted Maersk’s motion for a summary judgment.
American Home appealed. It argued that Maersk “assumed entire responsibility for the transportation of the cargo, and thus placed itself in the position that BNSF would have been had BNSF contracted directly” with the insurer.
The U.S. 2nd Circuit Court of Appeals ruled on March 25 that the lower court had properly interpreted the Carmack Amendment to determine that Maersk “is neither a rail carrier nor a freight forwarder and that Maersk did not agree to liability” under that amendment.
It also ruled that American Home could not, on appeal, recast the case as a contract claim when it had previously argued it under the Carmack Amendment.
Scorecard: The insurer could not recover damages from the ocean line.
Takeaway: Because American Home previously argued that the Carmack Amendment was the governing rule of the case, it had waived its right to later change to a contract-based argument.
Risk Managers Rank Global Risks
Damage to brand and reputation is the No. 1 risk facing companies today, according to Aon’s 2015 Global Risk Management Survey.
“There’s a lot behind that which is driving that [ranking],” said Theresa Bourdon, group managing director, Aon Global Risk Consulting.
One of those factors is cyber risk, which for the first time in the survey’s history, since 2007, jumped into the top 10 risks, coming in at No. 9. It had been 18 in the last survey, which is taken every two years.
“If you talk to our clients, that’s no surprise,” she said. “The frequency is very low for these cyber events but it is obviously increasing.”
And, just as obviously, there is a correlation between cyber events and brand. Just look at Target, which is still struggling to regain its footing after the personal information of about 110 million of its customers was stolen in 2013.
According to U.S. Reputation Leaders Network, Target’s reputation saw its biggest drop after the cyber attack – and it was the largest drop of any U.S. company from 2013 to 2014, according to an article in “The Street.”
The remaining top 10 risks are: economic slowdown/slow recovery; regulatory/legislative changes; increasing competition; failure to attract or retain key talent; failure to innovate/meet customer needs; business interruption; third party liability; and property damage.
Other key movements in the rankings were the inclusion of property damage, which moved up to No. 10 from 17 in 2013, and third party liability, which moved up to No. 8 from 13.
One risk that dropped off as a top 10 risk was commodity price risk. It had been 8 in 2013, and moved down to 11 in the 2015 survey.
Bourdon said that one risk that remains top of mind for risk managers is regulatory and legislative issues. “It’s consistently a top 3 risk,” she said, noting that it was projected to remain so when risk managers were asked to project their top risks three years from now.
“Organizations are really challenged to respond to the pace at which regulations are coming,” she said. “There is a strong need for governance and a compliance framework.”
That risk, also, she said, relates to the reputational and brand damage that a company can suffer.
As for cyber, one surprising finding of the study — which surveyed 1,400 risk decision-makers in 28 industry sectors in 60 countries — was that 82 percent of the respondents said their companies were ready for a cyber attack, Bourdon said.
At the same time, 58 percent of the respondents said their companies have not done an internal assessment of their cyber risk exposure.
“Realistically speaking, this is relatively new territory that everybody is trying to get their arms around, organizations, insurance companies and those of us who are risk advisers,” she said.
“The goal for the industry as you look at these risks today and in the future is, how are we going to innovate and support these risks.”
Cyber, in particular, needs solutions, she said. “There is not enough insurance out there for the demand.”
Risk managers understand they need more data and analytics to “help them navigate this world” of increasingly complex risks, she said.
More risk managers, Bourdon said, are looking at their organizations holistically and not just focusing on insurance purchasing.
“It’s a much bigger and challenging role than it ever used to be and if you are using the same tools and techniques you were using 10 years ago, then you are not leading your organization down the right path.”
Implantable Devices: Medical Devices Open to Cyber Threats
SCENARIO: Pay off an anonymous hacker or face the possibility that patients with implantable defibrillators would die. That was the dilemma facing Janet Smith, CEO of Midtowne Community Hospital.
Too late she found out that the computer system of one of the surgical practices employed by the hospital was hacked. It was a simple enough operation. One unthinking click by the administrative staff on a link in an official-looking email, and the system was surreptitiously compromised.
The back-door access to the computer system provided the hackers with a treasure trove of unencrypted patient data including name, medical history, type of medical device implanted, and models and serial numbers of the devices.
While the hackers had a selection of devices to choose from — pacemakers, insulin pumps, cochlear hearing implants, blood glucose monitors and deep brain stimulators, among others — they targeted patients with implantable cardiac defibrillators (ICDs), which monitor and respond to heart activity by sending shocks to the system to restore normal heart rhythm.
The ICDs were designed to be wirelessly connected to external wands and ICD programmers. Data collected in the wands was downloaded to the IT system in the surgical practice so the physicians could review and manage each patient’s medical problems.
The RFID-enabled wands were supposed to be unidirectional, but the hackers were able to reverse-engineer the access after determining the radio frequency used and the engineering specifications of the ICDs and wands, which they found online — mostly in the technical and user manuals published by the manufacturers.
Each of the ICDs contained a small computer chip similar to those found in smart thermostats, televisions and refrigerators, all of which have been hacked recently to send out spam or just annoy users.
The hackers wrote and inserted programming code into the IT system of the surgical practice so that when information from the ICD devices was downloaded, code would be inserted that could induce fatal heart arrhythmia via the patients’ defibrillators.
It only required the hackers to trigger the code to activate it. And that’s what they threatened to do if the ransom was not paid.
While the extortion scheme was similar to the ‘Cryptolocker’ shakedown — which locks organizations out of their own files, forcing them to pay for access — this ICD threat offered a much more deadly outcome. And there was no positive outcome that Smith could see.
ANALYSIS: The hacking threat to implantable cardiac defibrillators has been known since at least 2008, when a team of university researchers proved it was able to reverse-engineer an ICD’s communications protocol to reprogram it to change the operation of the defibrillator, including its therapy settings.
Kevin Fu, an associate professor at the University of Michigan, who was on the team and is a leader in the field of device security research, likened implantable medical devices to unlocked cars during a presentation at Dartmouth University.
“There are people, if given the chance, who will cause harm and we shouldn’t just leave our doors unlocked,” he said.
While hacking is usually done for financial reasons, there have been instances where physical harm was intended, he said, mentioning an attack seven years ago on an epilepsy support group website, where hackers embedded flashing animation that induced seizures in those using the site.
“I think it would be naïve to ignore the fact that some of these people exist so we need to at least have a certain level of protection against this kind of maliciousness,” Fu said.
Michael Thoma, vice president, chief underwriting officer, global technology at Travelers, said he was “not aware of any actual claim or incident beyond what is available in the literature that it can be done.”
“When you stop to think about the environment we are heading into — where hospitals are completely relying upon electronic medical records that are integrated to control medical devices in hospitals and obtain information back from the devices — the scenario exists that something like that could happen.
“You read all the time about attempts to attack all sorts of institutions, and hospitals are not immune to that. When you think about the ‘Cryptolocker’ scenario, not only could it bring a hospital to a complete standstill, but the reputational harm would be huge.
“It would make what happened in Dallas after Ebola at that hospital look minor,” he said.
‘A Hard Line to Cross’
“At the end of the day,” said Todd Lauer, vice president, medtech division, OneBeacon Technology Insurance, “you can sum it up in one sentence: Anything is possible for a determined hacker.”
Even so, he doubts most hackers would target the devices. “Most hackers are not looking to cause bodily injury,” he said. “They are looking to extort money from large corporations. That’s crossing a line. To cause bodily injury or death, that’s a hard line to cross.”
That leaves the possibility, however, that it could become a focus for terrorists looking to create panic and death, Lauer said.
Experts noted that as of now, hacking of implantable devices is only being done by researchers, universities and hackers who identify and expose security weaknesses.
Mark Wood, president and CEO of LifeScienceRisk, a series of RSG Underwriting Managers, acknowledged that it was “theoretically possible … . Am I aware that it’s happened? I have not yet seen a claim or a report that it’s happened.
“We are talking about something that certainly is possible, but it’s not an exposure that keeps me up at night as an underwriter.”
It’s more likely that instead of the sophisticated scenario portrayed above, hackers would simply use RFID to jam the devices with a denial-of-service attack, said Jerry Irvine, CIO of Prescient Solutions, who is also on the National Cybersecurity Task Force.
“They could basically overburden it so much that it can no longer react, so people will die or equipment will malfunction or give an overdose of medication,” he said.
“That’s the easiest thing you can do. You can do that from 100 to 300 yards away with targeted antennas or high-powered antennas. These are things that are not difficult to do.”
In addition, researchers have noted that many hospital IT systems lack cutting-edge cyber security.
“Unfortunately, computer security in many hospitals and similar providers reminds me of the very early days of computer security when security was the domain of system administrators and network security types,” said Gary McGraw, chief technology officer at software security consultancy Cigital Inc., in an article on SearchSecurity.com, a site of “Information Security” magazine.
McGraw likened hospital network security administrators to “plumbers who make sure that infrastructure is properly designed and operates smoothly. Generally speaking, though they are certainly important, plumbers are not very strategic thinkers and neither are system administrators.”
Federal Government Action
In 2012, the U.S. Government Accountability Office found that in controlled settings that did not involve actual patients, security researchers “recently manipulated two medical devices with wireless capabilities — a defibrillator and an insulin pump, a type of infusion pump — demonstrating their vulnerabilities to information security threats.”
It concluded that implantable medical devices (IMDs) are “susceptible to unintentional and intentional threats … . Information security risks resulting from certain threats and vulnerabilities could affect the safety and effectiveness of medical devices. These risks include unauthorized changes of device settings resulting from a lack of appropriate access controls.”
The report also noted that the “growing use of wireless capabilities and software has raised questions about how well [IMDs] are protected against information security risks, as these risks might affect devices’ safety and effectiveness.”
That prompted a review by the U.S. Food and Drug Administration, which two years later, in 2014, offered guidance to strengthen the safety of medical devices to better manage cyber security risks.
“There is no such thing as a threat-proof medical device,” Dr. Suzanne Schwartz, director of emergency preparedness/operations and medical countermeasures at the FDA’s Center for Devices and Radiological Health, said at the time. “It is important for medical device manufacturers to remain vigilant about cyber security and to appropriately protect patients from those risks.”
Top concerns included malware infections on network-connected medical devices or computers, smartphones and tablets used to access patient data; and failure to provide timely security software updates or patches to devices or networks.
The guidance recommended to manufacturers that they consider cyber security risks as part of the design and implementation of medical devices, and submit documentation to the FDA about the risks they identified and the controls put in place to mitigate those risks.
It also recommended that manufacturers submit plans for providing patches and updates to operating systems and medical software.
Still, said Jay Radcliffe during a presentation at the 2013 Black Hat Conference, cyber security concerns have not been cited by the FDA as a reason for rejecting any implantable medical devices.
And, said OneBeacon’s Lauer, patching implanted devices is difficult, as it often requires surgery.
Manufacturers rarely seek to enhance devices via patching because it requires “an onerous regulatory process” with the FDA, said Tam Woodron, a software executive at GE Healthcare, in an article in “MIT Technology Review.”
The article also noted that reporting of incidents is not required by the FDA unless a patient is harmed.
A study by researchers at MIT and the University of Massachusetts at Amherst found that millions of people have wireless implantable medical devices, and that about 300,000 such IMDs are implanted every year. Such a device can remain in service for up to 10 years.
Wood of LifeScienceRisk said that if a device malfunctions and results in bodily injury, regardless of the reason, there would likely be an allegation of product liability.
“There wouldn’t be any limitation, at least in the coverage we write, about whether a software error created the problem,” he said. “The malfunction in and of itself would trigger coverage if it caused bodily injury.”
If a carrier’s coverage did exclude software issues, the insured’s E&O policy would probably be triggered, he said.
As for who would be involved in such a claim, the list could be a long one, including the hospital, physician, caregivers, device manufacturer, Internet provider, cloud provider, and anyone who provided consulting services to anyone involved in the process, plus all of their insurance companies.
Lauer noted that when claims involve device manufacturers, a U.S. Supreme Court ruling prevents plaintiffs from relying on state negligence or liability rulings; the High Court determined that such laws cannot pre-empt federal laws and the FDA’s safety determinations.
“The exposure is going to be different for any set of facts,” Wood said. “The more complicated the loss scenario, the more potential for coverage issues in trying to figure out whether and how a claim should be covered.”