Protective Safeguard Endorsement: Who’s it Protecting; NY Court Holds Crime Policy Covers Spoofing Loss of Funds; Short Takes: Loss Control for Brokers & Agents; Class Action Data Breach Lawsuits; $795 an Hour

By Jerry Trupin, CPCU

A good crop of interesting cases this month. Which is great, because I’ve retired as of 7/1/17. I hope to continue following insurance and may contribute articles to the Insurance Advocate from time to time, but this will be my last regular column. I started in the insurance business by working Saturdays in my father’s insurance agency when I was 12 years old. That was 75 years ago. Ave, atque, vale.

Protective Safeguard Endorsement: Who’s It Protecting?

A fire severely damaged Jin Zun Zou and Hua Ying Gao’s home in St. Paul, MN on November 24, 2013. The fire investigator, James Novak, arrived at the house just as the firefighters were winding up their work. Novak reported:

“In the hallway [of the main floor], I observed that the smoke detector had been disconnected prior to the fire and was nowhere to be found. Light smoke damage was observed throughout the hallway. The rear master bedroom suffered light smoke damage. The smoke detector in this room was also missing….The third bedroom had suffered light to moderate smoke damage throughout. There was no smoke detector in this room. Upon examination of the hallway closet, I found three smoke detectors on the shelf.”[i]

Jin Zun Zou and Hua Ying Gao carried insurance with American Modern Home Insurance (AMI). They reported the claim, but AMI denied coverage.

The basis of AMI’s denial was the Protective Safeguard endorsement that was part of the policy. In brief, the endorsement provided that the insurance company will not pay for loss caused by fire if, prior to the fire, the insured:

Knew of any suspension or impairment in any protective safeguard listed in the Schedule above and failed to notify us of that fact; or
Failed to maintain any protective safeguard listed in the endorsement in complete working order.

The insureds sued. In the action that followed, both sides moved for summary judgment. The insurance company pointed to the fire investigator’s report, but the insureds responded that there were other working fire detectors in the house and one in fact was what had awoken them. The court granted summary judgment to insureds.[ii]

Jin Zun Zou and Hua Ying Gao were fortunate that they had a working fire detector. First, because it may have saved their lives, and second it saved their insurance claim. Two points to note for us:

Fire detectors can save lives.

Protective safeguard endorsements can imperil coverage.

Let’s look at the safeguard endorsement. The case doesn’t identify the form that was used by AMI, but the language quoted in the decision is similar to that found in ISO endorsement PROTECTIVE SAFEGUARDS (CP 04 11 09 17).

The ISO form requires that the insured:

Maintain the listed protective safeguards over which it has control, in complete working order;
Actively engage and maintain in the “on” position at all times any automatic fire alarm or other automatic system listed in the Schedule; and
Notify the insurer of any suspension or impairment of any protective safeguard listed in the Schedule.

The endorsement adds an exclusion to the policy eliminating coverage for loss resulting from fire if the insured failed to comply with any condition set forth in the endorsement.

Five specific types of protective safeguards are listed:

Automatic Sprinkler System
Automatic Fire Alarm
Security Service with a recording system or watch clock, making hourly rounds covering the entire building, when the premises are not in actual operation
Service Contract with a privately owned fire department
Automatic Commercial Cooking Exhaust And Extinguishing System

Any or all of them can be required by an entry on the endorsement. But that’s not all—the form contains a final option for the insurer to add additional requirements. (The requirement to maintain fire detectors that led to the dispute between AMI and Jin Zun Zou and Hua Ying Gao was added using this final option.)

Tell your insureds about fire detectors—they can save lives—but watch out for a protective safeguard endorsement. Try to have it removed; failing that, be certain the insured knows about it. A broker friend reviewed a prospect’s insurance and found that it contained a requirement for a sprinkler system. The building did not have one. It was a no-brainer for the insured to give him a broker-of-record letter.

NY Court Finds Crime Policy Coverage for Spoofing Theft of Funds

Medidata is a large technology company providing cloud-based computer services to medical research organizations around the world. Despite its technical sophistication, Medidata lost $4.8 million to a spoofing scam. (“Spoofing” is disguising an email so that it appears to come from an address other than the one actually belonging to the sender.)

In September 2014, an employee in Medidata’s finance department received an e-mail apparently sent by Medidata’s president, instructing her to initiate a wire transfer of funds for an imminent corporate acquisition. The message also said that an attorney, who was copied on the message, would call her. The employee believed the message was legitimate because it contained the president’s name, email address, and picture. (Medidata’s email system inserted the picture when the sender’s email address matched one in Medidata’s system.)

The same day, she received a phone call from the supposed attorney demanding a wire transfer. The employee told the attorney she would need an email authorizing the transaction from Medidata’s president, the vice president and the Director of Revenue. The employee, the vice president, and the Director of Revenue then received a group email purportedly from the president approving the payment. The employee transferred $4.8 million to a bank account provided by the attorney. The message was actually sent by a criminal using altered email accounts. The funds went to criminals in China.

Medidata submitted a claim under the Computer Fraud, Fund Transfer Fraud, and Forgery coverages of its Federal Insurance Executive Protection policy. Federal denied coverage, Medidata sued Federal.

The US District Court for the Southern District of New York agreed with Federal on the Forgery coverage, but ruled in favor of Medidata on Computer Fraud and Fund Transfer Fraud coverages.[iii] It held that even though Medidata’s computers were not directly hacked, Computer Fraud coverage was triggered because the thief sent the fraudulent emails containing computer code that made them appear as though they came from Medidata’s president. The court also ruled that Fund Transfer Fraud cover applied because the fraud induced Medidata to transfer funds from its bank account. Forgery coverage did not apply since there was no financial instrument, e.g., a check or a note, involved.

So far, so good for Medidata, but it’s not over yet. You can bet the case will be appealed. Medidata’s legal expense headaches haven’t ended. Pursuing a $4.8 million coverage claim on appeal doesn’t come cheap.

Tell your clients about this case. Here’s a technologically sophisticated insured with good loss control procedures—two corporate officers had to sign off before the employee could transfer the funds—but it still lost $4.8 million. Loss control is the first line of defense, but it doesn’t always work.[iv] Even sprinklered fire-resistive buildings burn down. As to relying on this case for coverage even if it’s affirmed, don’t do it. Less than two weeks after Medidata was decided, a Michigan Federal court decided against an insured on a similar claim.[v] The Michigan court specifically discussed the Medidata decision and disagreed with it. Insurers will continue to resist these claims under crime policies and will most likely tighten exclusionary language. In the overwhelming majority of cases like this, courts hold there’s no coverage under crime insurance policies.[vi] (A disconcerting feature of the Michigan decision is the court’s reliance on the policy’s requirement that the insured peril be the direct cause of the loss. That’s a standard provision. It appears 16 times in the ISO crime form for the various perils insured.) There is a better way: social engineering/fraudulent impersonation coverage combined with good cyber coverage. If you’ve recommended the coverage and your insureds haven’t purchased it, shame on them. If you haven’t recommended it, shame on you.

SHORT TAKES

Loss Control for Brokers & Agents

C.S. Osborne & Co., a Harrison, NJ manufacturer of industrial hand tools and supplies since 1826, was drenched by Superstorm Sandy. Osborne’s damages far exceeded the $1,000,000 flood coverage provided by its Travelers policy. Osborne sued its broker, Bollinger & Co. for not providing quotes for higher limits of flood coverage. The Appellate Court affirmed the lower court’s decision in favor of Bollinger, commenting that Bollinger was an insurance broker and not an insurance consultant; it had no duty to recommend coverage.[vii]

That seems to be the law in New Jersey and New York, as well as other states. What’s especially interesting about this case is a blog comment by an attorney who represents insureds in claims against insurance companies. He wrote:

“Bollinger’s March 2012 renewal proposal specifically stated: ‘Higher limits or sub-limits may be available so please advise us if you are interested in higher limits options so that we may secure quotations for your consideration.’ …the Court probably could have decided the case in the broker’s favor based on this statement (in the renewal proposal) alone.” (Emphasis added.)

The loss control tip for producers should be self-evident.

Practice Point: Burying a suggestion to get a quote for higher flood limits in the blizzard of items in a renewal proposal may be sufficient for a producer’s loss control needs, but it’s a losing sales technique. It may have made practical sense prior to Sandy, but it doesn’t any more. Get quotes. And bring them to your clients’ attention. You’ll improve their protection and you’ll increase your earnings.

Class Action Data Breach Lawsuits

Class actions give defendants nightmares while attorneys dream of sugar plums. A roadblock to that new yacht for your neighborhood class-action attorney in cases involving data breaches was the inability to convince Federal courts that there was sufficient injury to satisfy constitutional requirements for standing to sue. That changed in the 2015 Neiman Marcus decision when an appellate court held that the plaintiffs’ fear of future harm from the breach was sufficient to establish standing to pursue their claims.[viii] The result has been a flood of claims, many of which, on a consolidated basis, have reached some of the US District Courts of Appeal (the level just below the US Supreme Court). The latest is the Appeals Court for the District of Columbia. The case is Chantal Attitas et al v Care First, et al.[ix]

The case brought by Attitas, et al, was rejected for lack of standing to sue by the lower court, but the Appeals Court has ruled that it can go forward. With this decision, the DC Court joins the 3rd Circuit (DE, MD, NJ), the 6th Circuit (OH, KY, MI, TN), the 7th Circuit (IL, IN, WI), and the 11^th Circuit (AL, FL, GA). However some circuit courts have decided against letting the claims proceed, including the 2nd Circuit (CT, NY, VT) and the 4^th Circuit (NC, SC, VA, WV). We in the Metro-New York area are in an anomalous situation. The appeals court covering New York and Connecticut has decided a computer breach alone does not afford standing to sue, whereas the appeals court covering New Jersey has decided that the claims can proceed. Because the costs to defend such a case can be tremendous, just allowing the case to proceed may put extreme pressure on the defendant to settle.

Insureds shouldn’t ignore the problem. As judges become more familiar with data breaches, the possibility of allowing these cases to proceed will increase. In addition, the Supreme Court might step in and rule that plaintiffs have standing to sue. Class actions can result in huge settlements—if a group consists of 50,000 claimants, even $200 for damages and expenses for each claimant totals $10,000,000.

$795 an Hour

On October 3, 2008, David Vasquez, a building engineer, was fatally injured in a fall at Cohen Brothers Realty’s building at 622 3^rd Avenue in New York City. Cohen Brothers called their insurance broker and was told that this was a workers’ compensation case, so there was no need to report it to their liability insurance company.

On March 6, 2009, Vasquez’s estate obtained a court order to conduct discovery for purposes of filing a complaint against Cohen Brothers based on negligence and violations of NY Labor Law. Upon receiving the notice, Cohen Brothers notified its liability insurer, RLI Insurance Company. RLI denied for late notice on April 1, 2009.[x] The court decided that Cohen Brothers had a reasonable good faith belief that this was a workers’ compensation claim. Therefore late notice did not vitiate coverage.

The State Fund offered to provide defense, but Cohen Brothers elected to use its own attorney; State Fund paid its cost of $150 per hour towards Cohen Brothers’ attorney’s charges of $795 per hour. RLI argued the difference was a voluntary payment and therefore not covered, but the court ruled that because RLI had denied liability, it lost its right to control the defense and had to pay the fee that Cohen Brothers had agreed to. As Frank Sinatra sang: “Nice work if you can get it, and if you get it, tell me how.”

————————

^[i]    Jin Zun Zou And Hua Ying Gao, V. American Modern Home Insurance Company, US District Court, Minnesota, 86 F.Supp.3d 1050 (February 17, 2015)
^[ii]    Ibid
^[iii] Verne Pedro “Federal Court Finds Coverage for Company Spoofed by E-Mail Fraudsters” Property Insurance Coverage Law Blog, Merlin Law Group 8/1/17 www.propertyinsurancecoveragelaw.com/2017/08/articles/insurance/federal-court-finds-coverage-for-company-spoofed-by-e-mail-fraudsters/
^[iv]    Some insurers exclude social engineering/fraudulent impersonation claims unless the insured confirms the transfer by a phone call to a previously determined phone number. You don’t want a policy that requires that—insureds slip up—but it’s an excellent way of avoiding the scam. Insureds should consider it as an internal procedure.
^[v] American Tooling Center, Inc v Travelers Casualty And Surety US District Court Eastern District Of Michigan Case No. 16-12108 Filed 08/01/17. Last July there was a similar case in Canada where the court held that there was no coverage. See: The Brick Warehouse LP v. Chubb Insurance Co. of Canada, 2017 ABQB 413
[vi]   For example, see Taylor Lieberman v. Federal Insurance Company, US Court of Appeals, Ninth Circuit No. 15-56102 March 9, 2017
^[vii] C.S. Osborne & Co. v Travelers, et al,. NJ Superior Court, Appellate Division A-2182-15T4 May 1, 2017
^[viii] Hilary R Emijas et al v Neiman Marcus Group LLC, US Court of Appeals 7^th District 14-3122 July 20, 2015
^[ix]    DC US Court of Appeals 16-7108 August 1, 2017
^[x]     This claim occurred prior to the 2009 change in New York insurance law requiring that an insurer show prejudice to deny coverage for late notice.