Travelers Must Cover Inadvertent Data Disclosures, Court Rules

A recent Fourth Circuit case affirmed a Virginia district court ruling that insurer Travelers Indemnity Company of America had a duty to defend a class action brought against its insured, Portal Healthcare Solutions, LLC, under a cyber liability insurance policy providing coverage for the electronic publication of certain materials. Portal Healthcare provided “electronic storage and maintenance of certain medical records” as a service to its healthcare provider clients. The class action suit alleged that Portal Healthcare negligently failed to provide services when a wrong security setting on a web access portal was selected, allowing internet search engines to scoop up not only the login page as a search result, but also the underlying sub-pages containing medical records.

Travelers argued that it had neither a duty to defend nor indemnify under the 2012 and 2013 policies acquired by Portal Healthcare. The 2012 policy included a “Web Xtend Liability Endorsement” applicable to coverage for “Personal Injury, Advertising Injury and Web Site Injury Liability.” The 2013 Policy contained a Commercial General Liability Coverage Form applicable to “Personal and Advertising Injury Liability.” The applicable definitions included:

  • “Advertising injury” means injury, arising out of one or more of the following offenses: … electronic publication of material that … gives unreasonable publicity to a person’s private life
  • “Personal injury” means injury, other than “bodily injury,” arising out of one or more of the following offenses: … electronic publication of material that … gives unreasonable publicity to a person’s private life
  • “Web site injury” means injury, other than “personal injury” or “advertising injury” arising out of one or more of the following offenses: … electronic publication of material that … gives unreasonable publicity to a person’s private life …”

Travelers asserted that it owed a duty to defend Portal Healthcare only if the underlying class action complaint alleged “(1) injury arising out of the offense of “electronic publication of material that … gives unreasonable publicity to a person’s private life” (2012 Policy) or (2) injury caused by the offense of “electronic publication of material that … discloses information about a person’s private life” (2013 Policy).”

The Fourth Circuit, however, held that the Eastern District Court of Virginia correctly analyzed the matter under the “Eight Corners” rule, where the court must look first to the four corners of the contract (the insurance policy) and then the four corners of the complaint. The policy provided coverage for “publication” of electronic materials which either gave “unreasonable publicity” to or “disclosed” information about an individual’s private life.

Travelers argued that there could not be “publication” when the insured’s business was the protection of information and there was no evidence that a third party actually viewed the information. The District Court determined in the first instance that “publication” does not refer to intent (whether intentionally or unintentionally disclosed) so that argument was rejected. As to the second element, the court noted that publication occurs when placed “before the public,” without reference to whether the public actually reads the information.

Under the second requirement for coverage, Travelers maintained that “publicity” required a proactive step to “attract” interest, and “disclosure” requires a third party to actually view. The District Court held that publicity was unreasonable due to the nature of the sensitive information contained in the medical records and there was no requirement that the insured take overt action to attract attention to the information. As to the “disclosure” argument, the District Court held that disclosure occurred when the possibility of viewing by a third party happened, not when or if a third party actually viewed the information.

The District Court also addressed the fact that there was no express exclusion of the actual security failure involved and at a minimum the insurance carrier would have to defend (although it could still later argue it had no duty to indemnify) based on the law that such an ambiguity is decided in favor of the insured.

This makes it clear that it is critical to pay attention to the type of coverage purchased and to the fine print. It may also be helpful to have an insurance agent review the types of coverage you have, to look for gaps based on your business and possible risks, since each policy type includes those risks which are intentionally covered and others which are expressly excluded. Although the types of policies continue to expand to cover new technologies and new risks, depending on the carrier and the policy’s exclusion language, the coverage may not be what you think it is.

Houston Faces ‘Largest Flooding Event Since Tropical Storm Allison’

Historic flooding has left the Houston metropolitan area inundated once again this week, killing at least seven people, flooding 1,000 homes and causing more than $5 billion in estimated damages in Harris County alone. Gov. Greg Abbott declared a state of disaster for nine counties in and around the Houston area. The widespread nature of the disaster prompted the city of Houston to call this the largest flood event since Tropical Storm Allison, which devastated southeast Texas in 2001, causing $9 billion in damage and $1.1 billion in insured losses.

According to Harris County Judge Ed Emmett, about 240 billion gallons of rain fell on the Houston area this week. That’s the equivalent of 363,400 Olympic-size swimming pools, CNN reported. After 10 inches of rainfall fell in six hours Sunday night into Monday, powerful, slow-moving thunderstorms had paralyzed the region Monday, but storms continued through Wednesday.

Having some of the hardest rainfall overnight helped a bit to mitigate the dangers this week. While this made it difficult to predict, it allowed people to better make choices about going out, as opposed to last year’s floods around Memorial Day, Emmett told the Houston Chronicle. Nevertheless, emergency crews made more than 1,200 high-water rescues, many residents had to evacuate to shelters, and for those who were able to shelter in place, 123,000 homes had no power at the height of the flooding. Officials have also expressed concern about two local dams that have been rated “extremely high risk and are at about 80% capacity, but they are not in immediate danger of failing.

As I wrote in Risk Management last year, the city’s rapid urbanization and approach to land development have made it extremely vulnerable to flooding perils because there is little land surface that can absorb water in foul weather. Rivers, bayous and other receptacles for runoff are easily overwhelmed and take a considerable amount of time to return to normal levels, making the heavy, concentrated, sustained rainfall seen this week even more dangerous in such an urbanized setting. Last May, record rainfall and severe thunderstorms caused tremendous damage across Texas and Oklahoma, killing 32 people and flooding more than 5,000 homes in the metro regions of Houston, Austin and Dallas.

With this latest storm, Houston again offers a powerful reminder about the natural catastrophe perils compounded by urbanization and the need to prepare, both in the form of routine disaster preparation and urban planning. From the August issue of Risk Management:

The city has invested hundreds of millions of dollars to battle the effects of urbanization. On Buffalo Bayou alone, for example, flood control efforts totaling half a billion dollars in the past decade have included bridge replacements, the addition of detention ponds for runoff, and creation of green spaces that serve as parks in normal weather while offering more land surface that can absorb water in foul weather.

But the investments are not enough. “Houston may be doing things to try to improve…but there’s a long history of pre-existing stuff that is still there,” Walter Peacock, an urban planning professor at Texas A&M and director of the school’s Hazard Reduction and Recovery Center, told Time. “Think about every time you put in a road or a mall and you add concrete—you’ve lost the ability of rain to get into the soil and you’ve lost that permeability. It’s now impermeable, and therefore you get more runoff.”

Captive Growth Increases Need for Insurance-Experienced Board

The current climate for captive insurers is gravitating toward encouraging captives—including single-parent, association and agent-owned—to appoint experienced, independent directors to their boards. Regulators (National Association of Insurance Commissioners and Bermuda Monetary Authority) and rating organizations (A.M. Best and Standard & Poor’s) have all come out in favor of the appointment of independent directors. They believe that independent directors add value by providing independent, experienced guidance to captive owners that is separate and distinct from a captive’s other advisers, including as managers, lawyers and accountants.

Their appointment could also help a company avoid a lawsuit. Independent directors do not have conflicts of interest, can provide experience that is different from others on the board and usually have a broad captive insurance perspective.

Another point worth considering is that some captive managers may have other interests, such as brokerages, reinsurance brokerages, actuarial, claims, asset investments. Some may even provide leads for a possible fee for premium financing. Furthermore, captive owners can mistakenly believe they get all the advice they need from their current advisers.

Independents on the Horizon

In the coming months, expect to see captive owners reaching out to independent directors, both because of their value-added consulting expertise and because regulators and possibly rating agencies will require it. This practice already exists in some overseas jurisdictions, and with Solvency II, it could become more important as it may ultimately apply here in the U.S.

What is often overlooked is the value-added experience independents offer. Here is a partial list of services normally expected of experienced independent directors:

  • Help in selecting the reinsurance interme­diary. They provide an independent per­spective separate from the reinsurance broker or risk manager.
  • Advise on acquisition opportunities of the captive, if any, such as buying a third-party administrator, a licensed admitted insur­ance company, or an investment in a new start-up retail brokerage firm. These sophis­ticated ideas are an expansion of most cap­tives’ business plans and need to be consid­ered carefully given the risks they present. Keep in mind, however, that the captive landscape from the 1970s is littered with the carcasses of captives that ventured ill-advised into such businesses.
  • Help in evaluating a reinsurance program’s structure and economics.
  • Attend and advise on the rating process with outside rating agencies, such as A.M. Best.
  • Attend meetings with insurance regulators, especially if there is a regulatory concern.

Independent directors are also asked to vote on many issues, including:

  • Should the captive change fronting companies?
  • Should the captive make a large dividend payment to the parent corporation, or should it return capital to its owners?
  • Should the captive write direct procure­ment policies for the parent corporation?
  • What law firm should handle uncollectible reinsurance?
  • Should the captive litigate or arbitrate certain claims?
  • Should it change asset investment managers?
  • Should the captive expand into other lines of business, such as writing third-party reinsurance business?
  • Should it move from an offshore domicile to a domestic domicile?
  • How can the captive reduce the cost of its reinsurance program?
  • How does a captive evaluate its various service providers?
  • What are the consequences of executing reinsurance or fronting agreements?

Mexico’s Pemex Illustrates Trade Credit Risks in Latin America

With all the focus on the Middle East and Europe, it is easy to lose track of Latin America as a region with major risk issues. Companies investing and selling to Latin America have become accustomed to viewing its largest economies—Mexico and Brazil—as relatively low-risk countries with promising growth prospects. That perception has recently changed, however, largely because of a common ingredient: large state-owned oil companies on which the government depends.

With a $1.26 trillion economy and population of 122 million, Mexico is a key market for the United States and Canada, particularly since the advent of the North American Free Trade Agreement. Some $535 billion in trade occurred between the U.S. and Mexico in 2014. From 2000 through 2012, U.S. foreign direct investment into Mexico totaled $291.7 billion.

With a monopoly (until recently) on oil production and fuel distribution, Petróleos Mexicanos (Pemex) is a colossus—the largest company in the country, representing about one-third of all government tax revenues and approximately 5% of Mexican exports. From its origin in 1938, Pemex has also been a political entity, as it was nationalized at a time when foreign companies dominated the oil sector. Since then, it has become enmeshed in Mexican politics and patronage, suffering from frequent allegations of corruption.

However, in the early 2000s, Mexico’s political leadership recognized a problem: oil production was falling and Pemex lacked the resources to invest in new fields to reverse the trend. Clearly, foreign investment was going to be needed to keep Mexico competitive in world oil markets. So, in August 2014, Mexico passed the laws necessary to open up the oil, gas, and power sectors to private companies, including foreign ones. Unfortunately, with oil prices taking a serious downturn, the timing of the opening was awful. Pemex was losing its monopoly at the same time its revenue was dropping and home currency was depreciating against the US dollar, after it had accumulated enormous foreign currency debt. Not surprisingly, in November 2015, Moody’s downgraded Pemex’s credit rating from A3 to Baa1, with a negative outlook. Without the sovereign support, the rating was put at a lowly Ba3. And Pemex’s problems have directly drained the central government: this month, the Mexican government announced over $4 billion in aid for the company.

Pemex has serious cash-flow problems and is not able to pay its suppliers on time. In late 2015, citing low oil prices, it announced that it would unilaterally extend payment terms on all contracts to 180 days from the previous 60-90. For suppliers dependent on short payment terms who were already under cash-flow stress from general industry conditions, these payment delays could cause serious financial problems, including bankruptcies. Accordingly, the trade credit insurance industry—which covers buyers’ failure to pay contractual trade obligations on the due date—is already seeing claims related to Pemex and its suppliers.

Except for people who remember the early 1980s, when Mexico defaulted following the high oil prices and debt run-up of the 1970s, Pemex’s problems were unthinkable just a few years ago. This is an example of the difficulty of predicting how commodity markets, politics and financial management can mix for any given country. However, while Pemex’s problems are serious for its suppliers and represent a drag on the economy, Mexico is still forecasted to grow 2.6% in 2016 and no wide political crisis is currently underway. Many other countries dependent on oil are not so lucky. Next month we will look at one with much more serious problems and risks to investors and suppliers: Brazil.