A cosmetic surgeon made unauthorized use of a spa’s customer list to send advertisements for his services. One recipient sued the surgeon, claiming violations of two different federal consumer acts. The surgeon, in turn, asked his insurer for protection under a medical professional liability policy. The claim was denied and the insured asked the courts to intervene.
Below is the court’s opinion on whether protection existed for the surgeon’s communication transgression.
McAdoo Cosmetic Surgery (McAdoo) obtained, without consent, a spa’s customer list that contained personally identifiable information (PII). McAdoo used that information to send text advertisements. David Bochenek (Bochenek) filed suit asserting that McAdoo had violated the Telephone Consumer Protection Act of 1991 (TCPA) and Consumer Fraud Act of 1986 (CFA) by sending him the unsolicited texts. McAdoo notified its insurance provider, Doctors Direct Insurance (Doctors Direct).
McAdoo had medical professional liability insurance coverage with Doctors Direct Insurance that included a cyber claims endorsement. Doctors Direct filed for summary judgment arguing that there was no duty to defend and indemnify because the allegations did not fall within the definitions of the endorsement and specifically the “privacy wrongful act” definition.
The policy read, in part, that it provided coverage:
“To reimburse protected parties, up to the applicable limit indicated in this endorsement, for costs protected parties become legally obligated to pay as a result of a Cyber Claim for any Network Security Wrongful Act or Privacy Wrongful Act. . .”
A Cyber Claim was defined as:
“a demand for money or services as compensation, such as a claim letter, notice of attorney’s lien, or a civil suit, administrative proceeding, arbitration or mediation seeking to compel such compensation in which protected parties must participate.”
The endorsement defined a “privacy wrongful act” as:
“any breach or violation of U.S. federal, state, or local statutes and regulations associated with the control and use of personally identifiable financial, credit or medical information, whether actual or alleged, but only if committed or allegedly committed by protected parties.”
The court agreed with Doctors Direct and granted it summary judgment. McAdoo appealed.
The higher court noted that the complaint was not associated with the control and use of personally identifiable financial, credit or medical information and affirmed the trial court’s decision.
Doctors Direct Ins., Inc. v. Bochenek, 2015 IL App (1st) 142919, 38 N.E.3d 116
Information Handling Expands Our Liability
Insurance policies, oddly enough, are typically considered dull and unimaginative. However, insurance policies also constantly inspire creative, even tortured, interpretation of their language. Policyholders often unintentionally stumble across significant loss exposures involving how they handle information. Information-related liability may be triggered by both sensitive and non-sensitive content. Non-sensitive content that is used to mislead others or to infringe on rights belonging to others commonly results in lawsuits when such use harms others. Sensitive information, which includes content that can personally identify others or that exposes health or financial (confidential) material, may also create liability. Often, misuse of personally identifiable information brings claims alleging violation of privacy or of laws concerning data use. Insurers address such exposures deliberately, using policy language that either excludes or covers given losses.
Here is an excerpt of wording on advertising found in the AAIS Commercial Umbrella Liability’s coverage analysis in PF&M.
- Advertisement
An announcement or public notice. Such notices on the internet or that are in any type of electronic communications are also advertisement when they offer the named insured’s products, goods, or services for either of the following:
- Letting prospective customers, clients, purchasers, or patrons know of these items being for rent, lease, sale or available.
- Letting those who could be supporters know about these items so that they consider their usefulness.
The same criteria apply to advertisements on websites. However, only the part of the website that offers the named insured’s products, goods, or services as such is considered advertisement.
Special Exposures Are Handled By Special Coverage
Insurance professionals often have to point out exclusionary or limiting coverage wording to their clients. However, such language is not necessarily negative. Insurance products are most efficient when the premium collected is a strong match with the exposures that an insurer targets to be covered by such products. The opposite is also true; exclusions that make certain a given product avoids covering losses it isn’t meant to cover make insurance more affordable and preserve protection for eligible claims.
Below is an excerpt of wording concerning what is meant to be covered, found in the ISO Cyber Liability Policy’s coverage analysis in PF&M.
SECTION I – INSURING AGREEMENTS
This policy contains six insuring agreements. All are subject to the same single aggregate limit although some are also subject to insuring agreement specific sublimits. All are subject to the same policy level deductible.
The coverage provided is for loss that is the result of one or more of the following:
- Cyber incident
- Extortion threat
- Security breach
- Claim
Each of the terms above can be found in the Definitions Section and should be reviewed.
Coverage applies only if the loss is discovered either during the policy period or during another period of time that is provided within Condition 15. Extended Period to Discover Loss.
When any of the bulleted items above arise from the same circumstances and become a loss under any of the insuring agreements, the loss will be considered to have been discovered during the earliest policy period in which any of those related bulleted items were discovered.
Example: On February 1 Marry Me has a denial of service incident. As forensics investigate the incident, it discovers that a security breach that exposes Marry Me’s customers’ confidential information has occurred that is directly related to the denial of service incident. In June, Marry Me receives an extortion threat that the confidential information will not be released unless appropriate payment is provided. All three of these incidents are considered to have been discovered as of February 1.
- Security Breach Expense
Loss that is the direct result of a security breach which is discovered during the policy period is covered.
The terms security breach and discovered used in the sentence above are defined in the Section VII Definitions. The term loss is defined within this insuring agreement as security breach expenses. The term security breach expenses is then also defined within the insuring agreement.
Security breach expenses are the following six separate expenses:
- Forensics
These are the expenses made in order to determine if a security breach occurred or is occurring in the present time. If a breach is detected the following costs are also covered:
Seeking Other Sources On Special Risks
Securing expertise on complicated exposures that aren’t routine is precisely what makes insurance professionals particularly valuable in helping clients mitigate the risks faced by their businesses. Another trait of experts immersed in insurance is a widespread willingness to share their knowledge and to take advantage of opportunities to learn more about unfamiliar dangers.
Here is an article on an educational program centered on cyber liability. It’s from the April 2019 issue of Rough Notes Magazine.
The Accredited Cyber Risk Advisor program prepares agents to shine in the complex world of cyber liability
By Elisabeth Boone, CPCU
It wasn’t so long ago that no one had heard of cyber risk and no insurer offered coverage to address the exposure. While hackers, phishers, and assorted scam artists were swindling their way through the World Wide Web, it was business as usual for corporations, nonprofit entities, educational institutions, and healthcare providers.
Independent agents and brokers, who are on the front line of the claims handling process, likewise tended to be unaware of the threats posed by cyber criminals … until their clients started to report losses, only to be told their claims weren’t covered by any of their policies.
It’s impossible to pinpoint exactly when the business community awoke to the reality of cyber crime and insurers began to consider the fact that their existing policies didn’t address the exposure. Today cyber risk is front and center for corporations, nonprofits, educational and religious institutions, and just about anyone who uses a computer to conduct business. What’s more, insurers have responded to the threat with products specifically designed to address it.
As for agents and brokers, the challenge was to go from zero to sixty at warp speed in the quest to become knowledgeable about cyber risks and the solutions available to manage them. Suddenly their electronic mailboxes were crammed with messages encouraging them to sign up for seminars, institutes, and workshops that were designed to bring them up to speed on cyber issues.
Although some of these offerings are legitimate, in the world of cyber education it’s important to separate the wheat from the chaff. Readers of Rough Notes, and insurance professionals all across the country, know that Scott Addis’s organization, Beyond Insurance, can be counted on to provide top-quality education in all aspects of property/casualty insurance and risk management. The CRA (Certified Risk Architect) designation, launched in 2011, is held by more than 150 members of the Beyond Insurance Global Network (BIGN), and members also can pursue specialized designations like CBWA (Certified Benefits and Wellness Advisor) and TRA (Trusted Risk Advisor).
Cyber savvy
As insurers began to offer separate liability policies to address cyber risks, agents and brokers recognized the need to get up to speed on cyber so they could provide expert advice to their clients, most of whom had cyber exposures of which they were unaware.