ACC Litigation Network June 2018 Newsletter
Message from the Chair  
Six Ways #MeToo and Time's Up Will Change How We Litigate Discrimination Cases  
Member Spotlight  
How Can the Attorney-Client Privilege Be Waived in a Corporate Environment?  
Top Tips for Selecting Cyber Insurance for Your Business  
Virtual Library
Renew Your Membership
Update Your Records
Upcoming ACC Programs
Search Back Issues

Updates from ACC Networks

Message from the Chair
Coleman Lechner

Dear Litigation Network Members,

We are right in the middle of the year and continue to forge ahead to the Annual Meeting in Austin, TX in October!  The Litigation Network is proud to sponsor 5 sessions at the Annual Meeting: 

Session 105 - Breaking Bad (News): How to Keep Your Stakeholders Calm when Your Litigation Takes a Turn for the Worse

Session 407 - Top Developments in Cyber Security Litigation

Session 505 -  Exploring Litigation and Ethics through the Media (The Sequel)

Session 605 -  Litigation Issues Arising from Mergers and Acquisitions  

Session 702 -  Handling Government Audits and Investigations

Our Network Leaders are hard at work preparing these sessions and we look forward to seeing you in the audience. Register here: ACC Annual Meeting.

As always, our Network has been working to bring timely and relevant litigation-based content to our members in the form of Legal Quick Hits, Webcasts and Publications.  In the May edition of the ACC Docket, there is a spotlight on our Network Vice Chair, Theresa Coetzee, and an interview/article on the Value of Mediation.  The interview includes tips for how in-house counsel can get the most out of mediation as well as tips for selecting a mediator. The Value of Mediation

Be on the lookout for upcoming Quick Hits and Webcasts in the summer months!

Finally, as our Network Members know, we continue to push pro bono work and especially the work of Kids In Need of Defense. On a personal note, I am proud that my Wyndham colleagues and I were recently able to secure asylum for a young boy from El Salvador who escaped horrible abuse from the MS-13 gang and also an abusive home. It truly is a rewarding experience and I encourage everyone to take up a KIND case or any form of pro bono work!

Have a great summer!

Coleman Lechner, Chair
[ Return to Top ]

Six Ways #MeToo and Time's Up Will Change How We Litigate Discrimination Cases
By JC Miller. JC Miller is the Chief Legal Officer of Athena Consulting LLC and a member of the ACC Litigation Network leadership.

A week ago, as I sat on a panel discussing the future of sexual harassment in the era of #MeToo, an audience member asked the question: how will #MeToo and Time’s Up influence litigation in the future? Great question. During the last 8 months I’ve been asked almost exclusively about how to address sexual harassment in the current environment but not how corporate legal departments will have to adjust to these new, litigation trends.The answer required some prognostication, but since I have more faith in my abilities to read litigation tea leaves than predict the winning lottery numbers, I plunged in with a response. I was able to tick off 6 ways where, if I was in Vegas and there was a big roulette wheel of litigation, I’d place my chips.

1. Harder, Longer Legal Battles: There’s still some confusion about the difference between #MeToo and Time’s Up and some clarification may be in order. #MeToo is a movement started by Tarana Burke on social media 12 years ago. Her crusade to provide support for the victims of sexual harassment and abuse gained enormous momentum in the summer of 2017 when the Harvey Weinstein story broke in the media. Time’s Up is a non-profit organization, incorporated in part with the goal of subsidizing a harassment victim’s legal defense.  And that is why it’s number one on my list. Time’s Up is raising funds to pay the legal fees of plaintiffs who, in the past, may not have been able to afford an attorney or a prolonged legal battle with an employer. Time’s Up has attracted some very talented, and experienced counsel who, funded by the organization, now have a financial cushion to sustain a hard-hitting lawsuit. Easing the financial pressures surrounding litigation and offering a panel of committed trial lawyers increases a plaintiff’s chances of bringing, maintaining, and (possibly) prevailing in a lawsuit.

2. The Resurgence of State Attorney Generals: Ok here I’ll make a disclosure- I’m one of those former State Assistant Attorney Generals and in the 1990’s we were aggressive...really aggressive.  We made case law, hunted in packs joining with other state AGs, and took on more than a few corporations and industries, not the least of which was Big Tobacco. We haven’t heard a lot from the State AGs in the last decade, but here’s something of which every in-house counsel ought to take serious note: the purchase of The Weinstein Company-the last desperate attempt to sell off Harvey Weinstein’s biggest asset- didn’t get derailed by Washington and the DOJ…that ninja move came out of Albany, New York. Using several state statutes ranging from misuse of corporate funds to citizens civil rights, the NY AG filed suit that stopped the sale of the distressed company allowing the assets to be preserved to pay out judgments that will undoubtedly be handed down in favor of sexual harassment victims. Like the ACC, State AGs have their own organization (the NAAG), and these various State AGs readily share information. I predict the moves by the NY AG will be studied and duplicated by other State AGs and more pressure will be placed on corporations that run afoul of state anti-discrimination laws.

3. Get Ready for New Causes of Action: Unless you went totally AWOL from HR orientation you know about the federal non-discrimination law Title VII. But 54 years after its passage, Title VII is showing its age.  For example, the damages cap hasn’t been raised, even for inflation, since it was first implemented by the 1991 amendments. If you’re a defendant that’s a good thing- well maybe… maybe not. Almost every state has enacted their own non-discrimination statutes as well as several counties and municipalities. But unlike Title VII, many of those state and local laws do not limit damages and because the payout may be bigger, more plaintiff’s counsels are bringing suit under state statutes than Title VII. Where Title VII allowed for some predictability on damages, many of the state and local counterparts do not. And it’s not just state anti-discrimination laws we need to watch.  If a discrimination claim will not lie, a tort cause of action might still exist and those are not always as easy to contain. A discrimination claim against the CEO still sounds less controversial than a suit for sexual assault and battery. The #MeToo movement has spawned a spate of defamation cases- plaintiffs whose claims may be time-barred still want to tell their stories and when published the accused harasser, the alleged victim, and the corporation who employed them both, may find themselves portrayed in a less than flattering light in a news story. All the parties may have claims or cross-claims of defamation and anti-Slapp statutes can be implicated, raising the question in the legal department- ‘who remembers defamation law from torts class?’   

4. The Judge and Jury Have Not Been Living in a Bubble: #MeToo has become part of our lexicon, and it has exposed the depth and breadth of sexual harassment issues like no legislative action or legal case has since the Senate confirmation hearings for Clarence Thomas’ nomination to the Supreme Court in 1991. In December 2017, #MeToo had an unprecedented impact upon the federal judiciary when two (possibly related) events occurred: 1) spurred on by the resignation of the former Chief Judge of the Ninth Circuit Court of Appeals amid sexual harassment allegations, 700 law clerks in the federal judiciary petitioned their boss, Chief Justice Roberts, for better internal reporting guidelines.  The Chief Justice quickly agreed and began overhauling the processes for how the federal judiciary will handle its own internal complaints of discrimination; and 2) during an interview, Justice Ruth Bader Ginsburg shared her own story of being sexually harassed as a young woman and opined that #MeToo had “staying power”. Just extraordinary. Despite all their constitutional powers, an Article III judge is still an employee of the federal court system, and if the top bosses say sexual harassment is a big deal and there has to be a change, then there will be a change. That attitudinal adjustment may very well filter down to influence a judge’s view of sexual harassment cases, even if it means simply denying summary judgment and letting the jury decide the case. As for juries, the gender make-up of the average pool still skews heavily towards women and women over the age of 40. Unlike past generations of jurors, today women over 40 are now likely to have spent a significant part of their life in the workforce and since some studies estimate that 81% of women have experienced sexual harassment, we need to assume that more than a few of our jurors will have their own #MeToo story.

5. The Evidence Is Going To Change: We have all seen the impact technology has had on the types of evidence- smartphone videos of an incident in the company parking lot, smoking gun emails and voicemail of the out of control co-worker. Of course, now there’s the other ace up a plaintiff’s sleeve: it’s no longer she said/he said if she kept the dirty text message. But there are other types of evidence that are going to surge in harassment cases: psychological evidence and prior bad acts. While it isn’t unusual for a harassment victim to claim psychological damages and support that claim with testimony from a treating mental health professional, evidence of psychological damage is now likely to be used in novel ways. One way might be to explain why a plaintiff did not come forward and use the company’s internal reporting procedure. Since the Supreme Court handed down the decision in Faragher v. City of Boca Raton, 524 U.S 775 (1998) employers have been relying upon what has become known as the Faragher affirmative defense- if the plaintiff has failed to avoid or mitigate harm by reporting the discrimination under company policies, the employer can argue it is not liable, or least that there are no damages. But the Faragher defense has been misinterpreted and often misapplied. The defense is only available when there has been no tangible personnel action, and when the plaintiff acted unreasonably in failing to come forward.  Mental health experts agree that victims of sexual harassment are prone to PTSD which can manifest as depression or fearfulness. A plaintiff who is suffering from a genuine mental health condition such as PTSD may be able to argue successfully that she did not act unreasonably in delaying reporting to the company.Moreover, courts have held the Faragher defense is unavailable if the plaintiff can introduce evidence that the employer’s reporting policy is ineffective. #MeToo has demonstrated that real harassers often have more than one victim, and if prior victims have reported the conduct without results, the next victim can introduce that evidence to obliterate the Faragher defense.

6. The Next Wave: The Gender Pay Gap and Age Discrimination. There’s an old saying: “a rising tide floats all boats”. As #MeToo has empowered victims of harassment to come forward and share their stories it has also highlighted the fact that many of these victims stayed silent for years.  They know they’ve missed the statute of limitations to bring suit.  But having found their voices they may decide to take on other wrongs. The Gender Pay Gap is still significant but even more so among professional employees over the age of 40-even in our own profession. One ABA study found that the gap between career earnings of women lawyers and their male counterparts is as much as $300,000. Another study by University of California found that workers in their 50s (male and female) are 29% less likely to get hired by a corporation but for women in their 50s the duration of remaining unemployed is almost a third longer than for men. And um…well…looks like in-house counsel are not immune to the problem either.  In the ACC’s 2017 survey it was reported that men are still holding higher salaried in-house jobs than women in six out of seven categories. The rising tide of the #MeToo movement may very well provide the surge for a wave of equal pay claims and age discrimination cases.

So those were my predictions. History may prove me wrong but I’m feeling pretty lucky and I’ll keep my chips down on these marks.  And maybe…buy a lottery ticket on my way home. 

Copyright  JC Miller
[ Return to Top ]

Member Spotlight
Meet JC Miller!

1. Did you follow an interesting career path to your current job? 

Well it’s been a varied one. I started with the government as a prosecutor, moved to the civil side, then to in-house, then onto private practice to be a partner in large firms, and then back to in the house. My current job developed organically.  After my company was acquired I resigned and took a sabbatical to write a book but was contacted by former clients to consult with on some significant HR and litigation issues.  That led to a start-up company and I was named the Chief Legal Officer.

2. What are your general responsibilities in your current role?  

Well, it’s a startup - so I'll pitch in and do whatever needs to be done...except windows of course!  

3. What is your favorite part of your job? Least favorite? 

The greatest part is the people I work with. We've known each other for 20 years and have enormous respect for each other and the same senses of humor. I also enjoy it when I get to take off the CLO hat and lead an investigation for a company client. My dad was a homicide detective so I think the whole investigation thing is genetic! My least favorite is drafting and negotiating vendor contracts. It doesn't hold the same sense of accomplishment for me as the other parts of the job.

4. When you are not at work, what are some of your hobbies or interests? 

I'm an avid reader usually reading 2 books at a time, and I love to cook. I competed in pie baking championships. I'm also an amateur photographer. But mostly I love to spend time with my dogs-they're great companions.

[ Return to Top ]

How Can the Attorney-Client Privilege Be Waived in a Corporate Environment?
By Stephen B. Stern, Esq.

Stephen B. Stern, Esq., is a Partner with the law firm of Hyatt & Weber, P.A., working out of the firm’s Annapolis, Maryland office, as well as its Fairfax, Virginia office, where the firm is known as Hyatt & Weber, P.A., P.C.  Mr. Stern’s practice focuses on employment counseling and litigation, commercial/business litigation, insurance issues, and conducting highly sensitive and complex investigations.  His email address is

     Companies face unique challenges that do not apply to most individuals when protecting the attorney-client privilege. As we all know, emails can be, and often are, forwarded rather easily in corporate environments. The sharing of such communications raises a host of potential issues for companies, including the potential waiver of the attorney-client privilege. Below is a discussion of two court decisions that helps illustrate some of the challenges that companies face when trying to disseminate information without waiving the attorney-client privilege.

       In AU New Haven, LLC v. YKK Corp., No. 1:15-CV-3411-GHW, 2016 WL 6820383 (S.D.N.Y. Nov. 18, 2016), the United States District Court for the Southern District of New York reviewed a number of communications to determine whether they were protected by the attorney-client privilege. Many of the communications involved were outside of the attorney-client relationship, such as non-attorney employees circulating emails within the same company or to employees of another company under common ownership. The court noted as a general rule that the attorney-client privilege is automatically waived when a privileged communication is disclosed to a third party or a litigation adversary, but it also recognized there are some exceptions to this general rule. 

      One exception concerns communications between clients and non-lawyer agents or contractors of the attorney, because communications to an attorney’s agent or contractor at the behest of the attorney may be for the purpose of obtaining legal advice. The court in YKK explained that this exception applies differently in the context of corporations, noting that in Upjohn Co. v. United States, 449 U.S. 383 (1981), the United States Supreme Court rejected the “control group” test that limited application of the attorney-client privilege only to a company’s top executives in part because an “attorney’s advice will also frequently be more significant to non-control group members than those who officially sanction the advice, and the control group test makes it more difficult to convey full and frank legal advice to the employees who will put into effect the client corporation’s policy.” Based on this principle, courts have determined that “the distribution within a corporation of legal advice received from its counsel does not, by itself, vitiate the privilege.”

     Another exception the court discussed concerns the common interest rule. To protect a privileged communication under the common interest rule, a party must show that “(1) the party who asserts the rule must share a common interest with the party with whom the information was shared and (2) the statements for which protection is sought [must have been] designed to further that interest.” The common interest must be legal in nature, not commercial. The court went on to hold that the common interest need not be “identical” because such a stringent test would “unduly hamper the purpose of the common interest rule.” In reaching this conclusion, the court noted that it is “commonplace that parties may engage in a ‘common legal strategy’ without having an exactly identical interest in the outcome of the litigation” and the “joint endeavor is not diminished solely because, in the final instance, the remedies that they derive from the litigation differ.” The court concluded that “[t]he key question is whether the parties are collaborating on a legal effort that is dependent on the disclosure of otherwise privileged information between the parties or their counsel.” The court then proceeded to evaluate whether the privilege applied to a number of documents, only some of which will be addressed here.

        One email the court examined was from Stuart Press, President of Uretek, to an employee of the company (not described or otherwise identified as an executive) concerning a patent application. The email from Press had forwarded an email from the company’s attorney to Press that described the patent application, which the court found to be a privileged communication. In this instance, without much explanation, the court found that forwarding the email to the company employee did not waive the privilege.

        Another email the court examined was from a non-attorney to eight non-attorney recipients that contained primarily non-privileged business information. Item number six of the document, however, referenced prior advice by an attorney regarding whether a certain product could be used in light of a certain patent. The court found that the advice was legal, not business, in nature, and, thus, it potentially could be privileged. The plaintiff in the litigation challenged the claim of privilege, however, on the ground that the entities with which the communication was shared did not share a common interest that was sufficient to apply the attorney-client privilege. In this regard, the attorney that gave the advice in the email represented YKK Corporation of America (“YCA”), not YKK Corporation (“YKK”), and the email was forwarded to employees of YKK. The defendants countered that YCA and YKK shared a common ownership, as YCA was a wholly owned subsidiary of YKK, and entities under a common ownership sharing privileged information are always considered a single entity for purposes of the attorney-client privilege. The court rejected the per se standard the defendants advocated, noting that privileges should be narrowly construed and, “in certain circumstances, commonly owned subsidiaries simply do not have the common purpose in litigation necessary for the invocation of the doctrine.”  Although the court rejected the per se rule advocated by the defendants (meaning communications between employees of different companies with common ownership will not always be protected by the attorney-client privilege), the court ultimately found that the common interest doctrine applied in this case and the forwarded email remained privileged.  In reaching this conclusion, the court, based on its in camera review of various documents, found that the legal departments of each member entity (meaning YCA and YKK) worked collaboratively with each other and the court credited the testimony of YCA’s Chief Legal Counsel, who testified that the two legal departments “essentially function[ed] as a single unified department which provides legal advice to all members of the YKK Group.”

       Separately, in Newman v. Highland School District No. 203, 381 P.3d 1188 (Wash. 2016), the Washington Supreme Court, in a case of first impression in that state, held that the United States Supreme Court’s decision in Upjohn did not “justify applying the attorney-client privilege outside the employer-employee relationship.” Although the court in Newman recognized that the Supreme Court’s decision in Upjohn advocated a flexible approach to applying the attorney-client privilege, which necessarily involved non-managerial employees, the court determined that the flexible approach advocated by Upjohn “presupposed attorney-client communications take place within the corporate employment relationship.” The court in Newman declined to “expand the privilege to communications outside the employer-employee relationship because former employees categorically differ from current employees with respect to the concerns identified in Upjohn” and because it found that termination of the employer-employee relationship “generally terminates the agency relationship.” In reaching that conclusion, however, the Washington State Supreme Court acknowledged that courts in other jurisdictions have recognized the attorney-client privilege extends to former employees in circumstances where a continuing agency duty exists, but the court in Newman did not make any effort to distinguish those circumstances from the one before it or to recognize any exceptions to its holding that the attorney-client privilege cannot apply to former employees. 

    The decisions in YKK and Newman are important for companies and their respective legal counsel. First, the court in YKK gives some guidance as to when communications forwarded to other employees within the company may remain privileged.  Second, YKK establishes some guidelines for companies with parent-subsidiary relationships to follow when trying to determine whether communications between the parent and subsidiary may remain privileged. Notably, even though there may be common ownership, the court in YKK did not recognize a blanket rule that allowed the common interest doctrine to apply in every instance where there is a parent-subsidiary relationship.  Third, the court’s decision in Newman sets forth a rather restrictive application of the attorney-client privilege, as it appears to establish a blanket rule that the privilege can never apply to former employees. While this strict application of the rule governs communications in the State of Washington, it is important for companies to understand the limits and reaches of the privilege in each state where they operate, as the restrictive approach taken by the Supreme Court of Washington does not apply in every state and other states do permit the privilege to apply to communications with former employees in some circumstances.

      These issues typically do not come to light until litigation arises and, in many instances, they are discovered after an inadvertent disclosure has been made or when an employee provides testimony about particular communications. Thus, considerations to protect the privilege often are taken for granted until they become a focal point in litigation. While there is no way to guarantee avoiding waiver of the attorney-client privilege in all instances, there are some steps that can be taken to help avoid potential traps when circulating emails within a company. For example, training attorneys and executives on the attorney-client privilege and risks associated with circulating privileged communications will help keep attorneys and non-attorney employees mindful of potential issues when they send/receive privileged communications.  How far up or down employees in a corporate hierarchy should be involved in such training will vary from company to company and on a case-by-case basis. Another preventative step involves appropriate labeling of communications. A default or ubiquitous “privileged” or “confidential” disclosure in every email or most emails likely may not be useful, particularly by or among non-attorney employees or with outside parties. Specific, targeted labeling of privileged communications, however, might be more useful. For example, when I send an email I expect a General Counsel or other in-house attorney or executive to circulate to non-attorney employees at a company, to help reinforce the privileged nature of the communication and identify it as privileged in future litigation (the URL from an email address is not always included when it is embedded in a forwarded email), I typically include a privileged and confidential label in the subject line and text of the email that I specifically write in all capitalized letters.

       If companies desire to avoid these potential pitfalls in litigation, it is better to be proactive and address these issues with in-house and/or outside counsel before litigation arises.
[ Return to Top ]

Top Tips for Selecting Cyber Insurance for Your Business
By Fernando M. Pinguelo, Esq. and Chris Quirk Esq.

Fernando M. Pinguelo, Esq. (CIPP) is a trial lawyer who devotes his practice to complex business disputes and “crisis litigation” with an emphasis on cyber/privacy, intellectual property, media, and employment matters in U.S. federal and state courts across the country and primarily in New Jersey and New York.  Notably, Chambers & Partners listed him as a Recognized Practitioner in 2017 Chambers USA: Privacy & Data Security guide.

To learn more about this topic and receive a complimentary copy of Fernando’s book chapter “Chapter 17 - Electronic Data, Cyber Security & Crisis Management,” eDiscovery for Corporate Counsel (Thomson-West 2018), email him at

Chris Quirk Esq., Cyber Practice Leader, ARC MidAtlantic Excess & Surplus, Inc., is a U.S. Patent Attorney and expert insurance broker.  His email is

While cyber insurance was once reserved for billion-dollar companies operating in high-risk industries, businesses of all sizes are increasingly looking to cyber insurance to cover losses linked to data breaches and other cyber threats. As many companies have learned the hard way, traditional insurance policies for general liability or basic business interruption coverage may not fully cover cyber-related losses in the absence of a special endorsement. In other cases, the policy may contain an exclusion that precludes coverage altogether. Coverage may also be limited or unavailable when incidents are attributed to third-party vendors. Going forward, reliance on general liability or business owners policies (BOP) is not a sound risk management strategy. Today, the market for stand-alone cybersecurity insurance has exploded and quality coverage is available for 

The huge cost of cyber incidents has also prompted a spike in the demand for cyber insurance policies. In 2017, the average organizational cost of a cyber-crime attack in the United States totaled $7.35 million. Not surprisingly, businesses are looking to protect themselves from shouldering the financial damage of data breaches, phishing scams, malware attacks, and other incidents. In 2016, insurers wrote $1.35 billion in direct written premium for cyber insurance, a 35 percent jump from 2015, according to reports by Fitch Ratings and A.M. Best. According to some estimates, the market is expected to grow to $6.2 billion in premium volume by 2020.

FFIEC Cyber Insurance Guidance for Financial Institutions

While no industry is immune, the financial service sector had the highest annual costs caused by cyber-crime last year. Because the industry is more vulnerable to attacks, it is even more important for financial companies to assess the scope of their coverage under existing insurance policies and evaluate the benefits of incorporating cyber insurance into their portfolio. It is a common misconception that state of the art system security will eliminate the need for a cyber insurance program. In fact, many successful attacks are less technically sophisticated today than in previous years. Whereas in the past, attacks may have focused on software weaknesses or exploits, many hackers today find it easier to dupe employees (commonly referred to as “social engineering”) into clicking malicious links or attachments in an email. This often involves an email sent to an employee of the company purporting to be from a company executive, a client, a vendor, a lawyer or some other entity trying to get the employee to open a malicious attachment. A common trap that is popular today is the past-due invoice, where the employee is asked to open “the attached past due invoice,” which appears to be  PDF file, but is actually a malicious program.

 Usually, upon clicking a malicious link, the employee will inadvertently and unknowingly provide the hackers with a set of legitimate log-in credentials which are then used to access the system directly without alerting system security. Other times the malicious link will contain a fully operational ransomware program that locks down or encrypts the system until a ransom is paid.

Another common loss vector is Social Engineering Fraud, whereby an employee is sent an urgent email, purporting to be from the company CFO or  another top executive, directing the employee to wire a large sum of money to the stated bank account immediately before an account or business deal is lost. Many times the employee will rush and issue the fraudulent transfer, believing the order to be genuine.

While technical security remains a top priority for all organizations, it is also strongly recommended that companies focus on implementing a quality cyber insurance program. Excellent security does not fully insulate the company from cyber breaches.

On April 10, 2018, the Federal Financial Institutions Examination Council (FFIEC) issued guidance to help financial institutions analyze how best to incorporate cyber insurance into their risk management programs. The members of the FFIEC include the Board of Governors of the Federal Reserve System, Consumer Financial Protection Bureau, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, and the State Liaison Committee.

As the FFIEC guidance highlights, cyber insurance coverage options vary greatly and may be offered on a stand-alone basis or as additional coverage endorsed to existing insurance policies, such as general liability, business interruption, errors  and omissions, or directors’ and officers’ policies. In addition, cyber coverage options may be structured as first-party or third-party coverage. First-party coverage insures against direct expenses incurred by the insured party and may address costs related to customer notification, event management, business interruption, and cyber extortion. Meanwhile, third-party coverage protects against the claims made by financial institutions’ customers, partners, or vendors as a result of cyber incidents at financial institutions.

When seeking to incorporate cyber insurance into a risk management framework and weighing the relative benefits and costs of cyber coverage, the FFIEC offers the following guidance to financial institutions:

Involve Multiple Stakeholders in the Cyber Insurance Decision: The FFIEC highlights the importance of involving multiple stakeholders, including legal, enterprise risk management, operational risk management, finance, information technology, and information security management departments, and communicating the cyber insurance decision-making process, including the assessment of cyber insurance options, to the appropriate level of management. Companies should also assess the sufficiency of existing control environments to address the potential impact of cyber risk exposures and attestation requirements for the insurance policy.

Perform Due Diligence to Understand Coverage Options: The FFIE also reminds firms to perform adequate due diligence to understand available options for cyber insurance coverage, which should include: reviewing the scope of existing or proposed insurance coverage to identify gaps; understanding insurance policy terms, coverage, exclusions, and costs for cyber events; considering the potential benefits and costs to assess the insurance coverage appropriateness; avoiding overreliance on insurance coverage as a substitute for sound operational risk management practices; recognizing that policy terms and language may not be standardized and may be different among insurance providers and tailored for institutions; consider how the coverage is triggered, if certain types of cyber incidents (e.g., cyber terrorism) are excluded from coverage, and the impact that sub-limits may have in the total coverage and claims process; assessing the financial strength (ratings) and claims paying history of insurance companies providing coverage and their ability to fulfill obligations under the policy if multiple institutions file claims; assessing how the proposed policies fit within the business strategies, insurance programs, and risk management programs; and understanding the risk management and control requirements outlined in the policy and ensure the institution would be able to comply.

Reevaluate Cyber Insurance Annually: The FFIEC advises that financial firms should reevaluate cyber insurance as part of their annual insurance review and budgeting process and engage the board of directors in the process. This should include assessing the benefits of cyber insurance relative to the cost; determining the sufficiency of existing insurance coverage as cyber risk exposures insurance products, and the threat landscape as it may evolve , and confirming that any cyber insurance includes coverage expected by the institutions.

Reviewing coverage scope is of paramount importance. Although many policies are beginning to look similar in  structure by providing similar insuring agreements, the actual scope of coverage can vary immensely once you get into the actual terms and conditions. Cyber insurance, unlike most other types of insurance, is often very fact and situation dependent. When posed with a question of whether a claim would be covered, the answer is almost never “yes” or “no,” but rather, “it depends.” 

For example, consider the Social Engineering coverage that is offered on many cyber policies today. This coverage is designed to i nsure against a fraudulent wire transfer loss experienced by the Insured when the Insured receives the fraudulent request. Some policies will cover a social engineering loss only if the Insureds’ employee made an attempt to verify the validity of the wire transfer request through an “out of band” communication – meaning, if the original request was sent via email, then the attempted verification must be through some other form of communication, such as a telephone call. Other carriers will cover a social engineering loss as long as the Insured Entity has verification protocols in place, regardless of whether or not the employee actually followed the protocols at the time of the loss.

Despite offering similar coverages, the two example  policies above could not be more diametrically opposed in terms of coverage scope. In the first example, whether or not there is coverage depends entirely on the facts of the case: did the insured make an out-of-band verification attempt? If yes, then presumably, there is coverage. If no, then coverage is excluded. The first example offers very little real  coverage because an “out of band” verification attempt is going to stop the vast majority of potential social engineering losses. The second example offers quality coverage as the losses are likely to occur when the employee fails to follow the company wire transfer verification procedures, despite those procedures being in place. If the first example were paired with a $1,000,000 limit and the second example paired with a $100,000 limit, the first example would appear at face value to be the more attractive option. However, a close review of the actual terms and conditions reveals that this is not the case.

What if a hacker gains unauthorized entry into the Insured’s network and initiates a fraudulent wire transfer using the Insured’s online banking portal? Although this looks like a cyber claim, it actually is  not and will be excluded by most policies. This is because the Social Engineering Fraud coverage cannot trigger - the Insured did not receive a fraudulent instruction. The hacker sent the fraudulent instruction directly to the FI/Bank through the Insured’s online banking portal and the FI/Bank  complied with believing the request to be legitimately coming from the Insured. This is Electronic Funds Transfer Fraud and is generally covered by a typical Crime policy, rather than by a cyber policy (although a few cyber policies do include it – see footnote 2). Whether coverage would apply depends entirely on specific facts regarding the loss.

The dependence upon facts and circumstance shown in these examples is typical for a wide array of other coverage issues.

How to review coverage scope

The best way to review coverage scope is to first start with an anticipated loss, whether it is a cyber breach, social engineering, or the disruption of the Insured network, etc. Come up with a  factscenario involving a potential claim, and then review the applicable insuring agreement in the policy.

The insuring agreement will provide a statement granting coverage, and almost always will incorporate defined terms that have a set meaning laid out later in the definitions section of the policy. Review the scope of the defined terms in the definitions section to start painting a picture of what is covered. Many Insuring Agreements refer to a claim or loss, so review these definitions to see how well the potential claim facts would fall inside the coverage grant.

Most of the time, one definition will incorporate other definitions, each of which may incorporate other definitions. Think of it like a tree with a branch that splits into many different branches. The Insuring Agreement is the “tree” that connects one or more definitions, which in turn might connect to three more definitions, each of which might connect to one or more definitions. As the “branches” get narrower, the definitions get more fact specific and well-defined. Continue to apply the claim scenario to all possible definition “branches” connected to the agreement to see where and how it fits. Most of the time, the most important and fact-dependent language will be found in a definition that is three or four “branches” deep.

Consider this example. As a potential fact scenario, an insured wants to know whether there is regulatory coverage if a Government agency calls asking questions about a recent event. If they hire a lawyer to deal with this inquiry, will the costs be covered? In many  policies, the Insuring Agreement will link to a Claim and to a Wrongful Act (although many other policies are structured differently). The definition of Claim will probably lead to the definition of Regulatory Proceeding or something similar. The Regulatory Proceeding definition may say “a civil proceeding commenced by the service of a formal complaint, or similar proceeding brought by any federal, state or foreign governmental agency….”

Next, apply the claim scenario to the language to see how it fits. Did the government agency in the example serve the company with a formal complaint? No, they just called asking questions -- so without some other language the Regulatory coverage will not trigger at this time and any money spent defending the investigation at this stage is not going to be covered. Coverage for defense will only trigger once the company is served with a formal complaint. Other policies may define Regulatory Proceeding to include “any request for information by any federal, state, foreign Governmental Agency.” With this language, there would be  coverage the minute the company receives an inquiry from a Government agency. In the first example, coverage again depends on the facts and circumstances. It is very important to understand what facts and circumstances will trigger coverage in your policies, and what scenarios may fall through the cracks due to a technicality.

If the anticipated loss is confidently covered in one of the policy’s Insuring Agreements, the next step is to review the policy exclusions. Exclusions are in the policy to prevent specific scenarios that may otherwise fall within the scope of coverage in an Insuring Agreement from obtaining coverage under the policy. Review each exclusion with a pessimistic outlook to determine if that exclusion could apply the claim scenario. For example, a company determines that the Insuring Agreement in the policy covers the breach of personally identifiable information (PII) contained on their network. Upon reviewing the policy exclusions, the Insured notes an exclusion stating “coverage shall not apply to any claim based upon, arising out of, or attributable to any act of a foreign enemy or hostility.” What if the breach of PII were caused by actors in Russia, North Korea, or Iran? Would this breach constitute the act of a foreign enemy? If not, what facts would constitute the act of a foreign hostility in the eyes of the carrier, causing them to invoke the exclusion? As of now, nobody reliably knows. With a pessimistic outlook, the coverage may be unreliable if the breach originates from Russia, North Korea, Iran, or one of the other areas of the world that the U.S. considers a foreign enemy.

Consider another example: A company determines that the Insuring Agreement in the policy covers the breach of employee PII contained on its network. Upon reviewing the exclusions, the Insured notes an exclusion stating that “coverage shall not apply to any claim based upon, arising out of, or attributable to, any breach of fiduciary duty, responsibility, or obligation in connection with any employee benefit or pension plan.” Such an exclusion is extremely broad and could fully exclude coverage in the event an Insured’s employee benefit or pension plan is breached. This is because the Insured would have the duty and obligation to keep the Plan free and secure from breaches. If the insured were to fail this duty or obligation, then the resulting claim would “arise out of the Insured’s breach of duty or obligation in connection with the employee benefit or pension plan,” and therefore, the claim could be excluded on that basis. Under this example policy, if the Insured were asked whether it was insured for breaches of employee PII, the answer would depend on whether or not the pension/benefit plan was affected in the breach. This language appears on many cyber policies. The astute buyer in this situation would request that the exclusion  be amended to say: “based upon, arising out of, or attributable to any violations of the ERISA Act, as amended,” as this would significantly narrow the scope of the exclusion in the example.

After reviewing the Insuring Agreement and the Exclusions, next consider the Conditions section of the policy. This section involves all the things that the Insured entity must do and comply with in order to preserve coverage under the policy. The Insured’s compliance with this section at all times is a condition precedent to coverage. If they fail to meet one of the conditions, coverage for the claim may be denied. Some  policies are more relaxed in their conditions while others are draconian, forcing the Insured to walk a razor’s edge in order to obtain coverage. Some carriers rely on this section to reduce losses, knowing that some percentage of insureds will fail to adhere to the Conditions set forth in the policy. Determine what the carrier expects of you by reviewing the Conditions section, especially with respect to the timing and manner of claims handling and reporting. Many an Insured have fallen prey to very strict claims conditions, and courts have consistently declined to bail them out.

Finally, consider any Representations sections that the policy may contain. In order to get coverage, all Insureds make some kind of representation to the Insurance Carrier as to the quality and nature of the exposure for which coverage is sought. Many policies differ with respect to what happens if there were a misrepresentation in the underwriting process. Some more draconian policies provide that any misrepresentation, no matter how innocent or insignificant, will void all coverage to any claim under the policy. Some  policies have more lenient terms, and others may be silent, thereby defaulting to common law (which is generally friendly to insureds). Be wary of what representations are made to the carrier in the underwriting process and what the consequences may be if your representations were wrong, innocently or not.

Once you perform this exercise you will begin to see how each policy’s coverage is extremely fact and situation dependent, and how the answer to whether there is coverage for a given scenario is often “it depends.” The best overall policy is usually going to combine broad coverage scope, with reasonable or lenient policy conditions, and as few and narrow exclusions as possible. Once these terms and conditions are fully understood, then a decision based on limits, retentions, and premium is appropriate.

Despite its growing popularity, cyber insurance is still relatively new. As a result, there is little existing case law interpreting the insurance policies and their various exclusions. To determine your rights and obligations under a cyber insurance policy, it is imperative to thoroughly review all of the terms and consult with an experienced attorney and broker to evaluate any insurance coverage concerns.

 2017 Ponemon Institute Cost of a Data Breach Study: United States.

 Social Engineering Fraud is a similar, but separate and distinct loss from Electronic Funds Transfer Fraud. In Social Engineering Fraud, the Insured is duped into initiating a transfer by someone purporting to be from a customer, client, vendor, etc. The fraudulent instruction goes to the Insured. In Electronic Funds Transfer Fraud (which is usually covered by crime policies, but not Cyber) the Bank/FI is duped into initiating a transfer by someone purporting to be the Insured. The fraudulent instruction goes to the Bank/FI. This is an example of how a subtle fact difference can drastically influence the coverage results. 

[ Return to Top ]