Our prior post discussed three potential enhancements to cyber-related liability insurance policies designed to maximize their potential responsiveness to actions initiated by consumers or the state attorney general under the California Consumer Privacy Act (CCPA). Today, we offer four additional suggested coverage enhancements for consideration in advance of the CCPA’s January 20, 2020, effective date:
4. Our prior post discussed seeking the enhancement of cyber-related liability policies so that they cover “penalties” the state attorney general may seek under the CCPA. An additional enhancement is needed, however, since “penalties” might not be legally indemnifiable under the law of a particular jurisdiction whose law could apply to an insured’s policy. A standard “choice of law” provision is not optimal because it would fix the law of a single state as necessarily applying to the policy.
A better approach to the jurisdictional variance on the insurability of penalties is a provision that the law of the jurisdiction most favorable to the insurability of penalties will determine whether the insured can enforce the insurer’s agreement to indemnify it for the payment of penalties. This provides the insured with many potential choices of law, instead of the law of a single state chosen at the policy’s time of issuance.
Potentially applicable jurisdictions under this approach include: (i) California, where the penalty was assessed; (ii) the jurisdiction in which the insured is incorporated; (iii) the jurisdiction in which the insured maintains its principal place of business; (iv) the jurisdiction in which the insured’s risk management functions are conducted; (v) the jurisdiction in which the insurer is incorporated; (vi) the jurisdiction in which the insurer maintains its principal place of business; and (vii) the jurisdiction in which the policy was brokered, etc.
5. Liability insurance policies do not indemnify insureds against deliberate wrongdoing, intentionally caused harm, or purposefully fraudulent conduct. The law generally prohibits indemnification for this type of conduct, as well. Lawsuits routinely allege that the defendant committed deliberate misconduct, knowingly or purposefully wrongful actions or purposeful fraud. Most cases, however, are resolved long before a judge or jury assesses whether any of this, in fact, occurred.
To minimize disputes with insurers, and to facilitate the payment of the costs of defense by the insurer while a CCPA action proceeds, the policy should say that this type of exclusion (however worded) will apply only if a final, non-appealable judgment or other decision is entered adjudicating that the insured engaged in the kind of intentional, fraudulent, or deliberate misconduct not covered under the policy. Further protection, in the form of the “most favorable jurisdiction” provision discussed above, is also available.
The likelihood that a “deliberate misconduct” exclusion will bar coverage in the face of an appropriately worded limitation and a “most favorable jurisdiction” choice of law provision is small.
6. An insured can insulate itself further from a “deliberate misconduct” exclusion by isolating the act or knowledge of a “rogue” employee that willfully or knowingly violates the CCPA. A typical provision found in certain liability policies provides that only the knowledge or conduct of high-level company executives such as the chief executive officer, chief financial officer, chief information officer, chief privacy officer, chief security officer, chief technology officer, risk manager, general counsel, or similarly identified persons, will be imputed to the insured company. Cyber-related liability policies can include this provision, as well.
7. The CCPA permits courts to issue injunctive or declaratory relief. The cost of complying with this relief is not typically indemnifiable because it does not result in the payment of damages. It usually involves particularized business expenses not subject to meaningful advanced underwriting by the insurer.
The costs of defending against suits seeking declaratory or injunctive relief are, however, normal litigation expenses of the type insurers typically pay. The type of “claims expenses” payable by an insurer under a cyber-related liability policy can be expanded so that it reads:
“Reasonable and necessary fees for a claim defended by an attorney . . . as well as other reasonable and necessary fees, costs, and expenses that result from the investigation, adjustment, negotiation, arbitration, defense or appeal of a claim or an action, including an action seeking injunctive and/or declaratory relief.”
This would require the insurer to pay the cost of defending a lawsuit seeking injunctive or declaratory relief even though it would not be obligated to pay any compliance costs that might result from the action.
* * * * *
The cyber-related coverage enhancements to address insurance challenges posed by the CCPA, as discussed in this post, are not unique to the CCPA. They appear in many “financial lines” insurance policies such as Directors & Officers, Errors & Omissions, and Fiduciary Liability policies. They do not tend to expand underwriting intent, but rather seek to confirm and codify underwriting intent. Insureds and their brokers should examine their cyber-related liability policies in advance of the January 1, 2020, effective date of the CCPA to determine whether amendments or endorsements to coverage grants and exclusions are needed to address the act’s challenges.