Setting Priorities
When multiple insurance policies cover a significant loss event, priority of coverage often becomes an issue for all of the insurers. Data breach incidents and other cyber loss events are no exception to this general rule. Insureds may request coverage from a broad array of insurance policies for a cyber event, not just from the “cyber insurer,” and multiple insurers may answer the call. This situation can present challenges, in part because the insured’s claims are usually presented on a time-sensitive basis.
For example, a well-insured health care provider is aware of its applicable federal and state breach response laws, and pays for several insurance policies: an information and privacy policy with data-breach notification coverage; a management liability policy; a professional errors and omissions liability policy with medical information protection provisions; and a tower of commercial general liability insurance.
A sample claim scenario may be when an employee’s laptop is lost or stolen. The laptop contains personal health information of more than 10,000 customers, including their medical histories and conditions, prescription information and premium payments. Initially, the notified insurers promptly identify their responsibilities to the insured. The insured complies with the applicable states’ breach notification laws. The insured’s intent may have been to rely on its cyber insurer for reimbursement of its payments for notification costs and credit monitoring costs.
However, different insurers have developed different cyber insurance forms, so the facts of the coverage claim may not squarely match up to the specifically insured cyber perils. Meanwhile, each liability insurer, not just cyber liability insurers, considers the applicable jurisdictions’ law on their duty to defend and whether it makes sense to participate in the insured’s defense and attorney fee reimbursement.
Next, challenges for both liability insurers and property insurers include how they relate to, and cooperate with, each other. Multiple insurers may have concurrent responsibilities for shares of the insured expenses involved in a cyber loss investigation, and eventually for governmental penalties or resolution amounts, and/or liability for settlements or judgments. Some breach events may not fit into cyber coverage at all.
To illustrate, if a hacker sends a phony email that dupes a corporate accounts-payable department into wire transferring money to a fake account, it could be subject to the corporation’s crime coverage. But cyber insurance may not respond merely because the thief uses a computer and an email as instruments of deception.
Sometimes it is possible to harmonize “other insurance” clauses issued by multiple triggered insurers, but more often there are clauses that conflict. Depending on how applicable law resolves such conflicting clauses, the insurers are often left to resolve their differences by cooperation.
Alternatively, when insurers consider what types of risks their policies were intended to cover, they may decide that one type of coverage should stand aside
until after another type of coverage exhausts. For instance, loss coverages may clearly define “loss” to exclude notices to affected parties and the related investigation costs after a data breach event.
Ideally, all insurers can work constructively to agree on reasonable allocations of their mutual responsibilities for the insured risks. Further complications can arise when different retained limits and sub-limits are issued by different insurers. Such risk-limiting agreements can provide the insured with an incentive to participate in, or even direct, prioritization among its multiple insurers.
It may be impossible to fully align the interests of every insurer that is presented with a complex cyber coverage claim. Cooperation can lead to efficient resolution of the issues, ideally with minimal delay and minimized transactional costs.
Best’s Review contributor Michael D. Handler, a member attorney at Cozen O’Connor, is experienced in professional and specialty risks as advisory and litigation counsel. He can be reached at [email protected].