covid-19 cyber issuesSince March, litigation has engulfed many organizations in disputes stemming from the novel coronavirus pandemic. Class action securities litigation, bodily injury lawsuits, and insurance coverage litigation have already made their way to courts nationwide.

As court systems across the country begin to embrace the operational changes needed for legal systems to return to some level of normalcy, we can expect more categories of litigation to get filed in response to the massive casualties, disruption, and social divisions over coronavirus. Pandemic-fueled litigation will test the reliability of the insurance coverage that many organizations have purchased. A rise in litigation will necessarily translate into a rise in insurance claims under policyholders’ third-party liability insurance.

Industries reliant upon people gathering in the same location will suffer the brunt of the business displacement. The cruise industry, casinos, sports leagues, theaters, restaurants, and travel businesses generally will feel a disproportionate amount of pain, at least for the near term.

With an effective vaccine several months away, at least, and with no evidence of a sharp decline in new infections on the horizon in the United States, crashing stock prices in certain business segments will lead inevitably to shareholder suits. Investors will want their money back, so to speak. Directors and officers (D&O) insurance coverage will be key to protecting senior management against liability.

Claims will be asserted that companies did not properly disclose certain risks to operations from viral outbreaks or that they failed to properly manage the risk. Whether those suits have any viability may be beside the point, given how expensive class action investor suits are to defend. Given this reality, a number of coverage fights are likely to ensue under D&O insurance policies.

 

Covid-19 Hacking Risks and Privacy Issues

On the cyber liability front, coronavirus poses two main perils: First, intrusion by a hacker into computer systems, with opportunity heightened by a massive shift to telecommuting and a worried (and sometimes desperate) populace clicking on links that promise official-looking relief payments or medical “alerts,” and second, a major breakdown in privacy norms, where entire populations will be tracked, monitored, and biometrically encoded as part of an unprecedented public health response.

Cyber (and likely other lines of) insurance will be called upon to offer vital protection against hacking-related claims and class action complaints that assert privacy rights were violated.

Policyholders filing claims under D&O and cyber policies will have to be aware, however, of defenses against coverage that insurance companies have deployed in the past. They will need to be vigilant against overly broad application of exclusions and arguments that their insurance policies do not provide coverage for bodily injury–related claims or governmental investigations. And they will have to analyze their insurance portfolios to locate points where one policy type can cover gaps in another.

 

D&O Insurance in the Era of Covid-19

Certain investors will seek to recoup losses triggered by the pandemic by alleging that mismanagement, inaccurate disclosures, false statements, and other acts or omissions caused losses to their investments. Absent a clear and express exclusion, investor suits should trigger most D&O coverage.

Some insurance companies may try to deny coverage under D&O insurance policies where exclusions for claims of bodily injury or property damage are included. Given that coronavirus can cause bodily injuries and property damage, D&O insurance companies may try to avoid coverage by arguing that bodily injury or property damage exclusions limit coverage (through some form of allocation argument) or bar coverage altogether.

Despite this, D&O insurance policyholders should have coverage in most instances. To determine D&O coverage in this setting, it is important to focus on what the underlying investor complaint is alleging for purposes of recovery: damages for bodily injury or property damage, on the one hand, or monetary damages for investment losses attributed to alleged wrongful acts by the officers or directors in their capacity as such?

In Michigan Crop Improvement Assoc. v. Colonia Insurance. Co., No. 20668, 1999 Mich. App. LEXIS 2580 (Ct. App. Oct. 29, 1999), for example, management sought D&O coverage where litigation was instituted for a failure to detect bacterial ring rot in its agribusiness. The D&O insurance policy contained a property damage exclusion that the insurance company invoked against the policyholder. In the D&O coverage litigation ensuing after the insurance company contested coverage, the court held that the underlying claims were not excluded by the D&O insurance policy’s “property damage” exclusion.

Similarly, in Clark v. General Accident Insurance Co., 1996 WL 165004 (D.V.I. Jan. 25, 1996), the D&O insurance company contested coverage, under a bodily injury exclusion and a property damage exclusion, for claims alleging the officers had committed wrongful acts concerning the management of funds for repairs in the wake of hurricane damage and destruction. The court rejected the insurance company’s defense and found that the claims were for the actions of management and not for the hurricane damage. See also Sealed Air v. Royal Indem. Co., 961 A. 2d 1165 (Super. Ct. N.J. 2008) (rejecting application of pollution exclusion to D&O coverage for underlying securities claim alleging misrepresentations by management for pollution claim exposures); Philadelphia Indem. Ins. Co. v. Maryland Yacht Club, 742 A.2d 79 (Md. 1999) (rejecting application of bodily injury exclusion to employment claim stemming from allegations concerning on-the-job physical injuries); Scottsdale Ins. Co. v. Coapt Sys., No. C-12-1780, 2013 U.S. Dist. LEXIS 86414 (N.D. Cal. June 18, 2013) (rejecting application of D&O policy’s bodily injury exclusion for fraudulent conveyance claims brought by patients who alleged defective products injured them); Owens Corning v. National Union Fire Ins. Co. of Pittsburgh, Pa., No. 97-3367, 1998 U.S. Dist. LEXIS 26233 (6th Cir. Oct. 13, 1998) (rejecting D&O insurance company’s refusal to provide insurance coverage for securities suit on basis of asbestos exclusion sold to maker of insulation where underlying claims alleged misrepresentation of assessment of asbestos liabilities).

D&O coverage should be available for securities claims that were precipitated by the financial whirlwinds generated by the pandemic. While there is no question that Covid-19 can kill and damage, securities lawsuits are typically not filed for the purpose of seeking damages for either of those perils. Instead, the underlying allegations and relief sought in a securities lawsuit is one for compensatory damages to redress harm to an investor as a result of a management “wrongful act” in the insured’s capacity as an officer or director of the organization.

 

Cyber Insurance Coverage

Telecommuting on a massive scale leaves many organizations vulnerable to additional cyber perils. Indeed, even before most local and federal governments were sounding the alarm over Covid-19, cyber scammers were using the fear, confusion, and national angst over the coronavirus as a way to hack systems and steal. Phony “official”-looking governmental communications have been a mechanism used by cyber criminals to infiltrate systems and commit crimes. Cyber insurance coverage should be available for cyber perils that trade off of coronavirus fear and distraction, whether it occurs during telecommuting or when using computer systems in the office.

Like D&O insurance, many cyber policies contain some version of an exclusion for bodily injury and property damage claims. As with D&O insurance, these exclusions should be inapplicable, even where it is argued that if traced to the source, the cyber crime was perpetrated and made possible by the pandemic causing injuries and damage.

Policyholders may face liability where private or sensitive information is either accessed or released by a hacker. If workers telecommuting fail to exercise sound cyber practices from home systems, or fail to update their security with patches and other computer-virus protections, then third-party cyber claims from customers, clients, patients, and guests may be faced. Most cyber insurance policies promise coverage for claims, including class action and regulatory ones, for harm resulting from a cybersecurity incident (or “event”).

Privacy claims abound when financial or health information is not kept secure. A privacy claim can arise not only when a hacker accesses sensitive computer files, but also when companies fail to safeguard the data they handle—even where no cybercriminal is involved. Privacy claims will undoubtedly arise as organizations track, monitor, and share health information as part of the Covid-19 public health response.

Such claims should be covered under cyber insurance policies and other liability insurance policies. See West Bend Mutual Insurance Co. v. Krishna Schaumburg Tan, No. 1-19-1834 (Ill. App. 2020) (affirming defense costs coverage under CGL policy protection for privacy claims for a proposed class action accusing policyholder of violating the Biometric Information Privacy Act in connection with the handling of customer fingerprint data) and Travelers Indemnity Company of America v. Portal Healthcare Solutions (4th Cir. 2016) (holding that a CGL policy covered the policyholder’s defense for class action lawsuit concerning alleged violation of privacy when health data was accessible through Internet search).

Thus far, disputes under dedicated cyber insurance specialty products have been limited, but an onslaught of cyber claims arising from the pandemic could well change the insurance claim landscape. Accordingly, whether dealing with cyber insurance claims or ones made under D&O insurance coverage, policyholders may need to fight for their right to insurance coverage.

 


Joshua Gold is a shareholder in Anderson Kill’s New York office and is chair of the cyber insurance recovery practice group and co-chair of the Marine Cargo Insurance Group.


 

From: New York Law Journal