P.F. Chang’s $1.9 Million Cyber Claim Denied
On June 10, 2014, P.F Chang’s China Bistro Inc. learned that hackers stole about 60,000 customer credit card numbers. It notified its insurer, Federal Insurance Co., that same day. Chang’s had a CyberSecurity by Chubb policy with an annual premium of $134,052. It promised to cover “direct loss, legal liability, and consequential loss resulting from cyber security breaches.”
Federal reimbursed Chang’s more than $1.7 million for costs, including a forensic investigation and litigation. However, it denied a claim for $1.9 million that was assessed against Chang’s by Bank of America Merchant Services (BAMS), which processes credit card payments for the restaurant.
BAMS had billed Chang’s for fraud recovery, operational reimbursement and case management fees, including notifying cardholders affected by the data breach, reimbursing fraudulent charges and reissuing new credit cards.
Federal said the fees did not fall within the coverage and that certain exclusions barred coverage.
The U.S. District Court for the District of Arizona agreed with most of the insurer’s arguments. It ruled that Chang’s coverage did not include the fraud recovery fees because BAMS did not sustain a privacy injury itself.
While it agreed with the restaurant that the operational reimbursement and case management fees would be covered by the policy, the court ruled that those fees were excluded by another part of the policy because they “arise out of liability assumed by Chang’s to BAMS” in the merchant service agreement.
The court also ruled Chang’s had no “reasonable expectation” the policy would cover the fees, and noted that as a “sophisticated” purchaser of insurance, the restaurant could have negotiated such coverage if it was desired.
Scorecard: Federal Insurance Co. will not have to pay a $1.9 million claim related to data breach charges.
Takeaway: Insureds with cyber policies should determine whether liabilities assumed under contracts with third parties are covered.
Insurance Company Must Provide a Defense
In 2013, E. Mishan & Sons. Inc. (Emson) was accused in two class-action lawsuits of “deceptively” trapping customers into recurring credit card charges by sharing private customer information with telemarketers.
The lawsuits were filed in the Circuit Court of Cook County, Ill., and the U.S. District Court for the Western District of Michigan.
Emson sought a defense from its commercial general liability insurers, National Fire Insurance Co. of Hartford, Valley Forge Insurance Co., and Transportation Insurance Co. under “personal and advertising injury” coverage.
The insurers denied the request, citing the exclusion for “knowing violations of another’s rights.” In a lawsuit filed in the U.S. District Court for the Southern District of New York, the insurers sought a judgment that they were not required to provide a defense to Emson in the underlying lawsuits.
The court concluded the allegations against Emson were excluded and ruled for the insurers.
The U.S. 2nd Circuit Court of Appeals reversed that decision on June 1, ruling that an insurer has a duty to defend “until it is determined with certainty that the policy does not provide coverage.”
The underlying lawsuits, it said, described conduct that could have been performed without intent to harm and that even if all claims but one were excluded, the insured is still due a defense.
Scorecard: The court granted Emson a defense by its insurance companies.
Takeaway: If any allegations are potentially covered, insurers have a duty to defend.
Employee Negligence Did Not Void Coverage
On Oct. 27, 2011, an employee of the state bank of Bellingham in Minnesota left two tokens overnight in a computer that required both tokens to be inserted to make wire transfers. The next day, she discovered two unauthorized wire transfers to two different banks in Poland.
Although the Federal Reserve refused to reverse the wire transfers, it did inform the other institutions that the transfers were fraudulent. One of the transfers was reversed. The other, for $485,000, was not.
Bellingham notified BancInsure Inc. (now known as Red Rock Insurance Co.), which issued a financial institution bond to the bank in 2010. An investigation revealed that a “Zeus Trojan horse” virus infected the computer and permitted access for the fraudulent transfers.
BancInsure denied the claim, relying on exclusions for loss caused by an employee, for theft of confidential information, and for mechanical breakdown or deterioration of a computer.
A U.S. District Court issued a summary judgment in favor of Bellingham in September 2014, finding that the virus was the “efficient and proximate cause” of the loss, even if the employee actions, and failure to update antivirus software may have played an “essential role” in the loss.
“It was not … a ‘foreseeable and natural consequence’ that a hacker would make a fraudulent wire transfer,” the court ruled.
On May 20, the U.S. 8th Circuit Court of Appeals agreed. It ruled that an “insured is entitled to recover from an insurer when cause of the loss is not excluded under the policy, even though an excluded cause may also have contributed to the loss.”
Scorecard: The bank was awarded $620,187 for losses, including interest.
Takeaway: The “overriding cause” of the loss was the criminal activity, not the employee’s negligent actions.
$102 Million Excluded From Coverage
PNC Financial Services Group Inc. agreed in 2010 and 2012 to pay $102 million to settle six class-action lawsuits that claimed the bank manipulated transactions to increase revenues from overdraft charges.
Following the settlements, PNC sought indemnification from its insurers, Houston Casualty Co., which had issued a $25 million liability policy; and Axis Insurance Co., which issued a $25 million excess policy for claims that exceeded $50 million. PNC self-insured the first $25 million.
Both insurers denied coverage, saying the settlement was a refund of overdraft fees and was excluded as they were “fees, commissions or charges for Professional Services paid or payable to an insured.”
After PNC sued the insurers in 2013, the U.S. District Court for the Western District of Pennsylvania concluded that the Professional Services exclusion applied to the $102 million settlement payment, with the exception of about $30 million for attorneys’ fees, which were covered by the policies.
Houston and PNC settled their dispute in 2015.
On May 2, the U.S. 3rd Circuit Court of Appeals ruled that none of the $102 million was covered by the Axis policy. It noted that the settlement agreements explicitly provided that attorneys’ fees were to be paid from the settlement funds — meaning that PNC was not paying the attorneys, the class-action plaintiffs were.
Scorecard: The insurance company did not have to pay a $102 million claim to PNC.
Takeaway: The Professional Services clause unambiguously excluded third-party losses that constituted fees or charges for professional services.
Lack of Prior Consent Voids Claim
A fatal worksite accident in July 2007 delayed work on a construction project, leading general contractor Mortenson to file suit against Stresscon Corp., a subcontracting concrete company, for the interruption.
Stresscon sought indemnification from Travelers Property Casualty Co. of America.
On Dec. 31, 2008, Mortenson and Stresscon entered into a settlement agreement without consulting Travelers. Stresscon still had not informed Travelers of the settlement when it filed suit in March 2009 against the insurer and others for bad faith in unreasonably delaying or denying its claim.
A Colorado district court awarded Stresscon damages, and that judgment was upheld by an appellate court. Both courts ruled against Travelers’ argument that it had no duty of indemnification because the insurance policy stated that the insured could not assume any obligation or expense “without our consent,” known as the “no voluntary payments provision.”
The courts ruled the insured should have the opportunity to demonstrate that the insurance company was not prejudiced by the late notice. The Colorado Supreme Court disagreed.
On April 25, in a 4-3 opinion, it ruled the issue of whether the insurer was prejudiced by the late notice did not overrule the no-voluntary-payments clause, and it ordered the lower court to direct a verdict in favor of Travelers.
Scorecard: Travelers will not need to indemnify Stresscon for payments the contractor made without its consent.
Takeaway: The ruling may convince more insureds to litigate claims when they can’t convince their insurers to settle a claim.
Insurers Don’t Need to Pay $20 Million
In January and February 2009, King Supply Co. sent about 670,000 faxes to about 143,250 recipients advertising its services.
CE Design Ltd. and Paldo Sign and Display Co. were lead plaintiffs in a federal class-action lawsuit against King, alleging violations of the federal Telephone Consumer Protection Act (TCPA) and violations of the Illinois consumer fraud act.
King sought defense and indemnification from its insurers, National Fire Insurance Co., and Valley Forge Insurance Co., which had issued commercial general liability policies covering those timeframes, and Continental Casualty Co., which had issued an umbrella liability policy. All of the insurers were part of CNA Financial (CNA).
King and the plaintiffs eventually settled the lawsuit for $20.2 million. The agreement called for King to pay $200,000 and its insurers to pay the remaining balance of $20 million.
The insurers denied coverage, citing a policy exclusion for material distribution in “violation of statues.”
CE Design and Paldo filed suit in Lake County, Ill., seeking an order that the insurers had a duty to defend and indemnify King. That court dismissed the case, citing the exclusion. The 2nd District Appellate Court of Illinois upheld that decision on May 2.
The appeals court found the exclusions were properly approved by the Texas Department of Insurance, where the policies were issued. It also rejected a claim by CE Design and Paldo that the faxes were not in violation of the TCPA.
Scorecard: The insurance companies do not have to pay $20 million toward the settlement.
Takeaway: Because the insurers could show that regulators had approved of the “violation of statues” exclusion, they were allowed to deny the claim.
Think You Don’t Need Environmental Insurance?
“I don’t work with hazardous materials.”
“My industry isn’t regulated by the EPA.”
“We have an environmental health and safety team, and a response plan in place.”
“We’ve never had an environmental loss.”
“I have coverage through my other general liability and property policies.”
These are the justifications clients most often give insurers for not procuring environmental insurance. For companies outside of sectors with obvious exposure — oil and gas, manufacturing, transportation — the risk of environmental damage may appear marginal and coverage unnecessary.
“Environmental insurance is not like every other insurance,” said Mary Ann Susavidge, Chief Underwriting Officer, Environmental, XL Catlin. “The exposure is unique for every operation and claims don’t happen often, so many businesses view coverage as a discretionary purchase. But the truth is that no one is immune to environmental liability risk.”
Every business needs to be aware of their environmental exposures. To do that, they need a partner with the experience to help them identify exposures and guide them through the remediation claims process after an incident. The environmental team at XL Catlin has been underwriting these risks for 30 years.
“Insureds might not experience this type of claim every day, but our environmental team does,” said Matt O’Malley, President, North America Environmental, XL Catlin. “We’ve seen what can happen if you’re not prepared.”
Susavidge and O’Malley debunked some of the common myths behind decisions to forego environmental coverage:
Myth: My business is not subject to environmental regulations.
Reality: Other regulators and business partners will require some degree of environmental protection.
Regulatory agencies like OSHA are more diligent than ever about indoor air quality and water systems testing after several outbreaks of Legionnaires disease.
“The regulators often set the trends in environmental claims,” Susavidge said. “In the real estate area it started with testing for radon, and now there’s more concern over mold and legionella.”
Multiple hotels have been forced to shut down after testing revealed legionella in their plumbing or cooling systems. In addition to remediation costs, business interruption losses can climb quickly.
For some industries, environmental insurance acts as a critical business enabler because investors require it. Many real estate developers, for example, are moving into urban areas where their clients want to live and work, but vacant lots are scarce. Those still available may be covering up an urban landfill or a brownfield.
“We’re able to provide expertise on those sites and the development risks so the contractor can get comfortable working on it. It’s about allowing our clients to stay relevant in their markets,” O’Malley said. “In this case, the developer is not an insured with a typical environmental exposure. But if there is a contaminant on the worksite, they could inadvertently disperse it. In a high-population urban area, the impact could be large.”
Banks also quite often require the coverage specifically because developers are turning to these locations with higher potential environmental risk.
“Though it’s not a legal requirement, insurance is a facilitator to the deal that developers really can’t operate without,” Susavidge said.
Myth: The small environmental exposure I have would be covered under other polices.
Reality: Environmental losses can result from exposure to off-site events and are excluded by many property and casualty policies.
Environmental risks on adjoining properties can lead to major third party losses. Vapor intrusion under the foundation of one property, for example, can unknowingly underlie the neighboring properties as well. The vapor intrusion can then seep into the surrounding properties, endangering employees and guests.
In other words, your neighbor’s environmental exposure may become your environmental exposure.
O’Malley described a claim in which a petroleum pipeline burst, affecting properties and natural resources 10 miles downstream even though the pipeline was shut off two minutes after the rupture. The energy company that owns the pipeline might have coverage, but what about the other impacted organizations? Many other property policies exclude environmental damage.
Sometimes the exposure is even more unexpected. In 2005, for example, a train carrying tons of chlorine gas crashed into a parked train set sitting in the yard of Avondale Mills — a South Carolina textile plant. The gas permanently damaged plant equipment and forced the operation to shut down.
“It’s not always obvious when you have an environmental exposure,” Susavidge said.
“When there is a big loss or a pattern of losses, the casualty market will typically move to exclude it,” said O’Malley. “And that’s where the environmental team looks for a solution. Environmental coverage has been developed to fill the gaps that other coverages won’t touch.”
Myth: We already have a thorough response plan if there is an incident.
Reality: Properly handling an environmental event requires experience and expertise.
In addition to coverage, risk managers need experience and expertise on their side when navigating environmental claims.
“For many of our clients, their first environmental claim is a very different experience because the claimant is not always a typical third party – it’s a government agency or some other organization that they lack experience with,” Susavidge said. “Our claims team is made up of attorneys that have specific domain experience litigating environmental claims issues.”
Beyond its legal staff, XL Catlin’s claims consulting team and risk engineers come with specialized expertise in environmental issues. 85 to 90 percent of the team members are former environmental engineers and scientists, civil engineers, chemists, and geologists.
“Handling environmental claims requires specialized expertise with contaminants and different types of pollution events,” O’Malley said. “That’s why our 30 years of experience makes a difference.”
Thirty years in the business also means 30 years of loss data.
“That informs us as a carrier how to provide the right types of services for the right clients,” Susavidge said. “It gives us insight into what our insureds are likely to experience and help us determine what support they need.”
Insureds also benefit from the relationships that XL Catlin has built in the industry over those 30 years. When the XL Catlin team is engaged following a covered pollution event, the XL Catlin claims team can deploy seasoned, experienced third party contractors that partner with the insured to address the spill and the potential reputational risk. And they receive guidance on communicating with regulatory bodies and following proper reporting procedures.
“The value of the policy goes beyond the words that are written,” O’Malley said. “It’s the service we provide to help clients get back on their feet, so they can focus on their business rather than the event itself.”
For more information on XL Catlin’s environmental coverage and services, visit http://xlcatlin.com/insurance/insurance-coverage/casualty-insurance.
The information contained herein is intended for informational purposes only. Insurance coverage in any particular case will depend upon the type of policy in effect, the terms, conditions and exclusions in any such policy, and the facts of each unique situation. No representation is made that any specific insurance coverage would apply in the circumstances outlined herein. Please refer to the individual policy forms for specific coverage details. XL Catlin, the XL Catlin logo and Make Your World Go are trademarks of XL Group Ltd companies. XL Catlin is the global brand used by XL Group Ltd’s (re)insurance subsidiaries. In the US, the insurance companies of XL Group Ltd are: Catlin Indemnity Company, Catlin Insurance Company, Inc., Catlin Specialty Insurance Company, Greenwich Insurance Company, Indian Harbor Insurance Company, XL Insurance America, Inc., and XL Specialty Insurance Company. Not all of the insurers do business in all jurisdictions nor is coverage available in all jurisdictions. Information accurate as of September 2016.
This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with XL Catlin. The editorial staff of Risk & Insurance had no role in its preparation.