Navigating D&O Coverage for Cyber Fraud: Lessons from Alaska

An Alaska federal court recently dismissed a construction company’s lawsuit accusing a D&O insurer of a bad-faith refusal to provide coverage for an email spoofing scheme that resulted in nearly $2 million in fraudulent wire transfers. Alaska Frontier Constructors, Inc., v. Travelers Cas. and Sur. Co. of Am., No. 3:24-cv-00259 (D. Alaska, Nov. 11, 2024). While the case was voluntarily dismissed before the D&O insurer responded to the complaint, the policyholder’s allegations tell a familiar story and highlight several areas of dispute that companies face when navigating the fallout from cyber incidents.
Background
Alaska Frontier Constructors, Inc. (AFC) experienced a 2023 cyber incident where an imposter tricked AFC into wiring $1.9 million into a fraudulent bank account via email. AFC’s CFO received an email that appeared to have been sent by the CFO of another company, Kuukpik, whom AFC worked closely with. The spoofed email asked when a payment would be made for money owed to Kuukpik by Nanuq, a wholly owned subsidiary of Kuukpik that AFC worked with closely on many projects.
This email was actually sent by a black hat hacker posing as Kuukpik’s CFO. Kuukpik and AFC regularly made cash payments to one another through an intercompany account shared by the two.
The spoofed email came from an address similar to that of Kuukpik’s CFO, and the hacker later sent instructions via email to AFC’s CFO to send a wire to a bank in New Jersey. AFC’s controller initiated the automated clearing house transfer to the New Jersey bank account as instructed by the hacker, which caused Nanuq’s bank to transfer $1,915,448.32 into the fraudulent account. By the time AFC and Kuukpik realized the payment had been wired but not received by Kuukpik, the hacker and the money were gone.
Nanuq demanded that AFC compensate it for the money it lost and sent draft complaints with causes of action for negligence and negligent supervision and training. AFC sought coverage under its D&O policy for the fraudulent wire transfer that resulted from the spoofed email. AFC’s D&O insurer denied AFC’s claim under a “Data and Privacy Exclusion” endorsement that barred coverage for all claims based upon or arising out of a list of cyber-related events that included “any unauthorized access to a computer system.”
The Coverage Lawsuit
AFC filed suit in Alaska, where AFC is incorporated and has its principal place of business. Its complaint alleged that the insurer breached the policy in refusing to defend and failing to indemnify AFC’s losses and acted in bad faith in adjusting and denying coverage for the $1.9 million in losses flowing from the fraudulent email scheme.
AFC asserted that, in denying coverage under the data and privacy exclusion, the insurer ignored the Alaska Change Endorsement, which states claims cannot be denied if an excluded cause of loss is secondary to a dominant covered cause of loss in an unbroken chain of events leading to the loss. The dominant cause of loss, AFC alleged, was AFC’s failure to use reasonable care when initiating the wire transfers and not the imposter CFO’s communication of wiring instructions. As a result, the Alaska Change Endorsement prevented the data and privacy exclusion from eliminating coverage.
AFC also contended that the insurer failed to account for the Data and Privacy Exclusion endorsement’s carveback for claims under Insuring Agreement A for non-indemnified losses of insured persons. The company asserted that this carveback applied to the company’s CFO and Controller. Having been “abandoned” by its insurer, AFC ultimately settled the case for nearly $1.7 million and then sought to recover those losses from the D&O insurer.
Before the insurer filed its answer, AFC voluntarily dismissed the lawsuit with prejudice.
Takeaways
The early dismissal likely was the result of an out-of-court confidential settlement or other negotiated resolution. Notwithstanding AFC’s voluntary dismissal, the dispute highlights several recurring coverage issues that can help or hinder the chances of recovery if a claim occurs.
Address cyber exclusions. Many D&O insurers routinely add “cyber” exclusions to D&O policies, usually through endorsement and usually covering a laundry list of underlying cyber events. The intent is to shift “cyber” risks to cyber insurance policies. But as with most insurance issues, the devil is in the details, and many times cyber exclusions are written so broadly that they can encompass D&O exposures with only attenuated connections to the enumerated cyber incidents.
The cyber exclusion endorsement in AFC’s policy was broad—it applied to “any claim based upon or arising out of,” among other things, loss or theft of, disclosure of, or unauthorized access to or use of personal private or confidential information, any unauthorized access to computer systems, any authorized access to cause intentional harm to a computer system, or any violation of law regarding the protection, use, collection, disclosure of, access to, or storage of personal private or confidential information. Policyholders should carefully assess whether their D&O policy has such an exclusion. If it cannot be eliminated entirely, consider limiting its scope by, for example, narrowing the broad causation language.
Policy coordination can avoid coverage gaps. While careful analysis and customization of D&O policy language can help prevent unexpected denials for cyber-related losses, focusing on a single line of coverage for significant loss events, especially cybersecurity incidents, may not be sufficient. D&O policies should be reviewed alongside other complementary coverages—like cyber policies—to ensure coverage grants and exclusions are working as intended and do not result in any unintended gaps.
The global cost of a data breach in the US now has reached $4.88 million on average in 2024, a double-digit percentage increase year to year and the highest total ever. Given those staggering costs, negotiating robust liability coverages with an eye towards cyber incidents is even more important because cyber policies may be quickly eroded and not available to respond to follow-on litigation, investigations, and other claims arising out of a cyber incident.
Understand governing law and its impact on coverage. The AFC dispute also showed how insurance outcomes can differ depending on governing law. Because AFC was an Alaskan company, its policy had an Alaska Change Endorsement that could intervene and preserve coverage based on dominant and secondary causes of loss. But that analysis could differ materially if a policy is governed by another state’s law or has a different state amendatory endorsement applying another rule. Policies may also have choice-of-law, choice-of-venue, and similar provisions that further impact what law governs the insurance claim and what coverage is available under a particular policy.
Evaluating these and other insurance issues in D&O and other liability policies proactively as part of regular insurance reviews can help place and renew stronger policies, maximize recovery, and prevent unexpected denials should a claim arise.

UK Appeal Court Provides Authoritative Guidance on Construction All Risks Insurance Policies

In the UK Court of Appeal decision in Sky UK Limited and Mace Limited v Riverstone, authoritative guidance has been provided on the key principles that apply to Construction All Risks (CAR) insurance policies.
The decision is of great importance to all those involved with the insurance of construction projects because it provides clarification on: (i) the meaning of “damage” under these policies, (ii) recovery of foreseeable damage occurring outside of the policy period, (iii) the recoverability of investigation costs, and (iv) the mechanics of aggregation and deductibles. 
Background
From 2014 to 2016, Sky’s global headquarters (Sky Central) was constructed by Mace Limited (Mace) as the main contractor under a Design and Build Contract. For the purpose of the construction, Mace alongside Sky UK Limited (Sky) were insureds under a Construction All Risks (CAR) insurance policy, which ran from 1 February 2014 (commencement of the project) to 15 July 2017 (one-year post-completion).
Sky Central’s roof covers an area of about 16,000 square meters and is said to be the largest timber flat roof in Europe. The roof is made up of 472 individual wooden cassettes, which were installed between December 2014 and May 2015. Following installation, the cassettes were left waiting for permanent waterproofing, and it later became apparent that rainwater had entered the cassettes from an early stage. By March 2015, standing water that had entered the cassettes and remained there was found inside the gutter compartments of 27 cassettes, leading to a wetting of internal timbers. The ingress of water mostly occurred during the construction and therefore within the policy period. The appeal concerned crucial issues under the CAR policy arising from this extensive water damage. 
Court of Appeal decision 
The Meaning of “Damage” Within the Insuring Clause
The insuring clause in the CAR policy provided that insurers would “indemnify the Insured against physical loss or damage to Property Insured, occurring during the Period of Insurance, from any cause whatsoever…”1 The parties disagreed on whether the wetting of the internal timbers was itself “damage”. The insurers argued that, to constitute “damage”, the timbers needed to have reached a condition where they required immediate replacement or repair. They argued that wetting that could be cured by drying out was not “damage”.
The Court disagreed and determined that, in line with criminal law authorities, “damage” amounted to “any change to the physical nature of tangible property which impair[s] its value or usefulness to its owner or operator.”2 There was no reason to take a different approach—this was the natural and ordinary meaning of “damage”. 
It followed that the insurers’ position—that “damage” required the cassettes to have reached a stage which impaired their structural performance and integrity—was rejected. The entry of moisture into the cassettes was a tangible physical change to the cassettes as long as the presence of water would affect the structural stability, strength, functionality, or useable life of the cassettes (or would do so if left unremedied).
Recovery of Foreseeable Development and Deterioration Damage Occurring Outside the Policy Period
The Court noted that, by a well-established line of authority, a property insurance claim is a claim for unliquidated damages, which means the measure of recovery is based on the common law principles governing damages for breach of contract. The general objective of damages for breach of contract is to put the innocent party back in the position they would have been in had the breach not occurred. While it is open to the parties to the insurance contract to modify the measure of damages that the general law provides for, the exclusion of the usual remedies must be expressed in clear words. As a result, the cost of remedying the foreseeable deterioration and development damage—which occurred after the policy period but resulted from insured damage occurring during the policy period—was within the measure of recovery under the policy. 
The Court also noted that this conclusion accords with business common sense. A businessperson in the shoes of the insured would “reasonably expect to be compensated for the consequences of the insured damage deteriorating or developing, absent a contract term excluding such recovery.”3 If this was not the case, there would be “serious and unacceptable adverse consequences” because it would make deterioration and development damage occurring after the policy period uninsurable under any subsequent insurance cover.4
Investigation Costs
Concerning the recoverability of investigation costs, the Court determined that, as a matter of principle, where insured damage has occurred for which damages are recoverable under the policy of insurance, the costs of investigating the extent and nature of the damage (including any development and deterioration damage) are recoverable if they are “reasonably incurred in order to determine how to remediate it”.5 Thus, the reasonable costs of investigating what is reasonably necessary to remedy insured damage were “self-evidently” part of the “full cost of repairing or reinstating” insured damage.6
Aggregation / Deductibles
Lastly, the Court considered whether a deductible of £150,000 “any one event” (the Retained Liability Provision) applied once to the whole of the claim or applied separately in respect of damage to each individual cassette. At first instance, the judge had decided that one deductible of £150,000 applied to Sky’s claim because the proximate cause of the water ingress was the deficient design of the works that failed to provide for a temporary roof over the cassettes during construction. The decision not to provide this roof was therefore the “any one event” for the application of the deductible.
The insurers appealed on the basis that the judge had erred in his construction and application of the Retained Liability Provision by: (a) treating the relevant single “event” as the design decision not to use a temporary roof; and (b) failing to identify each individual cassette as the “part” or “parts” of the property insured to which the Retained Liability Provision applied. The insurers argued that the term “event” applies to the damage suffered, not the cause of the damage—meaning there were numerous “events” for the purposes of this deductible. 
The Court dismissed the insurers’ appeal, noting that “any one event” is an expression used in aggregation clauses both for the purposes of deductibles and policy limits and, in this context, has a well-established meaning, which both parties were taken to have been aware of. “Event” refers to the cause of the damage, not the damage itself, and a decision (in this case not to provide a temporary roof) could amount to an “event” for these purposes. “Any one event” is a classic term for aggregation of losses by reference to the cause of the losses. 
Conclusion
The key points for policyholders are:

Damage can involve any change to the physical nature of tangible property that impairs its value or usefulness. Property can be damaged even if such damage is capable of remedy.
Recovery is not necessarily confined to damage physically present at the time the policy expires. Unless the policy provides otherwise, the costs of remedying the foreseeable deterioration and development damage are recoverable under the contractual principles that govern common law damages, even if such damage extends beyond the policy period. 
Once it is established that there is insured damage, reasonable investigation costs incurred in investigating the cause and extent of the damage should be recoverable. 
Lastly, reference to “any one event” in the context of an aggregation clause determining the number of policy deductibles meant the event causing the damage—not the damage itself. 

Footnotes 
1 [2024] EWCA Civ 1567, [2].
2 [2024] EWCA Civ 1567, [107].
3 [2024] EWCA Civ 1567, [80].
4 [2024] EWCA Civ 1567, [81].
5 [2024] EWCA Civ 1567, [89].
6 [2024] EWCA Civ 1567, [90].

Delaware Supreme Court Clarifies “Related” Claim D&O Analysis in Delaware

Analysis of “relatedness” in directors and officers liability insurance claims has shifted over time in Delaware. In last week’s decision in Alexion Pharmaceuticals, Inc. Insurance Appeals, Case Nos. 154, 2024 and 157, 2024 (Del. Feb. 4, 2025), the Delaware Supreme Court adopted a “meaningful linkage” standard for relatedness analysis in overturning the trial court’s holding on relatedness. Related-claims analysis is an inherently unpredictable and fact-specific issue, and the Alexion decision provides further guidance to Delaware policyholders on how to navigate those disputes in the future.
Background
In Alexion, a pharmaceutical company sought coverage under its D&O liability insurance policies. The company had a 2014-2015 D&O policy program, which consisted of a primary policy and a series of excess policies. The company also had a 2015-2017 D&O policy program, which consisted of a primary policy and a series of excess policies. The primary insurers were the same for both policy programs, and the lineup of excess insurers was nearly identical.
The 2014-2015 D&O policy program included a related claim provision which stated that “any Claim which arises out of such Wrongful Act shall be deemed to have been first made at the time such written notice was received by the Insurer.” The related claim provision in the 2015-2017 D&O policy program used similar language to the earlier policy program, such as “alleging,” “based upon,” “arising out of,” and “attributable.”
The company first contacted the primary insurer in June 2015 to report, via a notice of circumstances, an SEC subpoena served on the insured in 2015. At that time, the primary insurer did not consider the company’s communication to be a claim and stated it needed additional information. The company later provided notice in January 2017 of a securities class action filed against the company in 2016.
The primary insurer ultimately decided that the SEC subpoena and the securities class action were related, and thus took the position that “the Securities Action, among other actions, was a single ‘Claim’ first made in the 2014-2015 policy period.” But one of the excess insurers under the 2014-2015 D&O policy program took a contrary position that the securities class action was not covered under the program because the SEC subpoena and the securities class action did not sufficiently overlap. And the second-level, third-level, and ninth-level excess insurers under the 2015-2017 D&O policy program denied coverage for the securities class action under the program based on their position that the SEC subpoena and the securities class action were related and were, therefore, deemed to have been first made during the earlier 2014-2015 policy period before the excess insurers’ policies incepted.
The company then filed suit and the issue before both the trial court and the appellate court in Alexion was whether the SEC subpoena and the securities class action were related claims.
The Appellate Decision
In the appeal of the earlier Alexion decision, the insurers argued that the trial court erred by treating the 2015 notice of the SEC subpoena from the company to the insurers as a claim rather than a disclosure of facts or circumstances that may give rise to a future claim. The trial court erred, the insurers asserted, by analyzing whether the SEC subpoena and securities class action were meaningfully linked, instead of analyzing whether the securities class action arose from any wrongful act, fact, or circumstance that was the subject of the notice. In contrast, the company argued that the trial court correctly held that the SEC subpoena and the securities class action were not related because they had different focuses. 
The Delaware Supreme Court agreed with the insurers. It first considered the language of the related claims provisions in the policies. Because terms used in those provisions were undefined, and there was no other textual evidence of the parties’ intent about those terms, the court interpreted the “arises out of” language in the related claim provisions as requiring a “meaningful linkage” between two conditions for them to be related. The linkage must be meaningful and not merely tangential.
The court then clarified that the appropriate “objects of comparison” in assessing meaningful linkage is whether the securities class action is materially linked to any alleged wrongful acts that were disclosed in the notice of the SEC subpoena. Based on this analysis, the court held that the SEC subpoena and the securities class action were related claims because they involved the same underlying wrongful acts. The common underlying wrongful acts were the company’s alleged improper sales tactics worldwide, including its grantmaking activities.
If claims are related, an exclusion may be triggered that limits or bars coverage under a later policy. Because the appellate court held that an SEC subpoena and a later-filed securities class action at issue in Alexion were related, the insurance coverage for both was limited to the earlier of two D&O policy programs, and the company could recover only up to the one policy limit.
Takeaways
There are several aspects of the Alexion ruling that bear on future related-claim disputes in Delaware.
First, related claims analysis is inherently unpredictable because policy language concerning related claims is often broad and indefinite, and the related claims analysis used by courts is fact-specific. This case-by-case inquiry is compounded by the fact that insurers and policyholders can usually find support both for and against relatedness in any given dispute; and because the analysis is fact-specific, small changes in circumstances can materially impact the result in terms of whether claims are related.
Second, despite unpredictability in related claims analysis, the Delaware Supreme Court confirmed that “meaningful linkage” is the appropriate related-claim standard, at least where insurance policies include the same “arises out of” causation language. The court also provided guidance on what must be compared to determine whether there is a meaningful linkage.
Third, even though the Delaware Supreme Court previously ruled that Delaware law applies to D&O coverage disputes involving Delaware corporations, policyholders should not assume that Delaware law controls in all cases. That is because some policies include choice-of-law provisions stating that another state’s law governs interpretation of the policy. And those variations in applicable law can result in different outcomes based on how other states have interpreted related-claim provisions. In the recent related-claim dispute in Benefytt Tech., Inc. v. Capitol Specialty Ins. Corp., Case No. N21C-02-143 PRW CCLD (Del. Super. Ct. Jan. 2, 2025), for example, the Delaware Superior Court applied New York law to a Delaware dispute because that’s what the policy required. Choice-of-law provisions matter and can depart from what the venue court would otherwise do.
Finally, while the Alexion court reversed and ruled in favor of the insurers, the ruling does not uniformly inure to the benefit of D&O insurers because they may take contrary positions against relatedness depending on the circumstances. Stated differently, related claims analysis is not an issue where policyholders or insurers uniformly argue for or against relatedness. For example, a policyholder may argue in favor of relatedness to avoid multiple retentions across multiple policy years, while in another case the policyholder may argue against relatedness to recover under greater policy limits across multiple policy years. The specific facts of the case are important when determining whether to argue for or against relatedness, and the analysis on how to proceed can be complicated.

Where There’s Smoke, Is There Coverage? A Closer Look at Bottega, LLC v. National Surety and Gharibian v. Wawanesa

For policyholders, insurance is meant to provide peace of mind—a promise that when disaster strikes, they’ll have financial support to rebuild and recover. But as two recent cases show, the question of what qualifies as covered “direct physical loss or damage” can lead to drastically different outcomes in court.
In two recent California cases, both policyholders sought coverage after wildfire smoke and debris affected their properties. One court ruled in favor of coverage. Bottega, LLC v. National Surety Corporation, No. 21-cv-03614-JSC (N.D. Cal. Jan. 10, 2025). The other sided with the insurer. Gharibian v. Wawanesa General Insurance Co., No. B325859, 2025 WL 426092 (Cal. Ct. App. Feb. 7, 2025). These contrasting decisions highlight issues policyholders may encounter in securing coverage for smoke-related damage and the ongoing debate over what constitutes “direct physical loss or damage,” a key phrase in most property insurance policies.[1]
This article explores these cases, the influence of COVID-19 coverage litigation on the interpretation of “direct physical loss or damage,” and what policyholders can learn to better protect their rights.[2]
The Importance of “Direct Physical Loss or Damage” in Insurance Disputes
At the heart of both cases is a fundamental question: What does it mean for a property to suffer “direct physical loss or damage” under an insurance policy?
Insurance companies often take a narrow view, arguing that physical loss requires structural damage, like a collapsed roof. Policyholders, on the other hand, argue that contamination—such as smoke infiltration or toxic debris—permeates property and cannot simply be dusted off or ventilated, rendering property unusable for its intended use and qualifying as a covered physical loss.
Courts struggled with this question in the wake of the COVID-19 pandemic, which sparked thousands of lawsuits over business closures and contamination claims. Some courts have ruled that a lasting, tangible physical alteration of property is required, while others have found that loss of use due to the presence of the virus in the air or on surfaces was enough.
This debate played out in Bottega and Gharibian, with strikingly different results.
Bottega, LLC v. National Surety Corporation: A Win for the Policyholder
In Bottega, a Napa Valley restaurant faced significant disruptions after the 2017 North Bay Fires. Although the fires did not burn the restaurant itself, thick smoke, soot, and ash inundated the premises, forcing it to close for one day after the fire and for a week shortly thereafter. When it did reopen, it was temporarily limited, for the next few months, to less than one-third of its seating because of the smell of the smoke, soot, and ash. Throughout this period, employees routinely cleaned the walls and upholstery to remove the smell and ultimately replaced the upholstery. The smell of fire remained for two years. The restaurant sought coverage under its commercial property insurance policy, which covered losses due to “direct physical loss or damage.”
The insurer, National Surety, initially made some payments under the policy’s civil authority provision but later denied broader coverage. The insurer argued that because the restaurant was still physically intact, it had not suffered a “physical loss” as required by the policy.
The court rejected National Surety’s narrow interpretation, ruling in favor of Bottega. The key findings were:

Smoke and soot contamination rendered the property unfit for normal use, meeting the standard for “direct physical loss.”
The restaurant had to suspend operations, triggering business income coverage under the policy.
The insurer’s own admissions confirmed that the premises had suffered smoke damage, undermining its argument against coverage.

Unlike many COVID-19 decisions, which relied on the issuance of stay-at-home orders to conclude that the virus did not cause loss or damage, the Bottega court found that the insured reopened during the state of emergency declared for the fire. It also described, in some depth, the nature and extent of the damage caused by the smoke. This decision aligns with prior rulings recognizing that contamination impairing the usability of a property—whether from smoke, chemicals, or other pollutants—can meet the threshold for physical loss. Courts have previously found that asbestos contamination, toxic fumes, and harmful mold all permeated property and constituted physical damage, even if the structure itself remained intact.
In Bottega, the policyholder’s success was largely due to strong evidence showing that smoke infiltration impacted business operations and required extensive remediation, causing the policyholder’s loss. 
Gharibian v. Wawanesa General Insurance Co.: A Win for the Insurer
While Bottega marked a win for policyholders, Gharibian v. Wawanesa shows how courts can take a different approach, often to the detriment of policyholders.
Homeowners in Granada Hills sought coverage after the 2019 Saddle Ridge Fire deposited wildfire debris around their home. Although the flames did not reach their property, their property was covered in soot and ash, and plaintiffs asserted that smoke odors lingered within the home.
Their insurer, Wawanesa, paid $23,000 for professional cleaning services that plaintiffs never used, but later denied additional coverage, arguing that there was no “direct physical loss to property” because the home was structurally intact and that removable debris did not qualify.
The court sided with the insurer, emphasizing that:

The smoke and soot did not cause structural damage or permanently alter the property.
The debris did not “alter the property itself in a lasting and persistent manner” and was “easily cleaned or removed from the property.”
The plaintiffs’ own expert concluded that “soot by itself does not physically damage a structure” and that ash only creates physical damage when left on the structure and exposed to water, which didn’t appear to have happened. He also acknowledged that “the home could be fully cleaned by wiping the services, HEPA vacuuming and power washing the outside.” It followed that he could not establish that the property suffered lasting harm from the smoke.

The Long Shadow of COVID-19 Litigation: Raising the Bar for “Physical Loss or Damage”
Given the large volume of COVID-19 coverage cases, the courts’ experience doubtless has shaped how they interpret “physical loss or damage” in insurance policies, particularly concerning business interruption claims. Many businesses sought coverage for losses incurred due to (1) government-mandated shutdowns, arguing that the inability to use their properties constituted a direct physical loss, or (2) the presence of COVID-19 in the air or on surfaces, arguing that it made properties unsafe for normal use. In the COVID-19 context, courts have largely rejected both arguments.
These decisions effectively raised the threshold for what constitutes “physical loss or damage,” making it more challenging for policyholders to claim coverage for intangible or non-structural impairments. This heightened standard has significant implications for claims involving smoke contamination from wildfires. The differing rulings in Bottega and Gharibian show the inconsistencies the standard yields.
In Gharibian, the court, in a case in which there was no evidence that the insured undertook any remediation yet the insurer still paid considerable monies, cited California Supreme Court precedent, which held that COVID-19 did not cause physical loss because (1) the virus did not physically alter property, and (2) it was a temporary condition that can be remedied by cleaning. Another Planet Entertainment, LLC v. Vigilant Insurance Co., 15 Cal. 5th 1106 (2024). Applying this logic, the Gharibian court determined that in that particular case, the evidence was (1) soot and char debris did not alter the property in a lasting and persistent manner, and (2) the debris was easily cleaned or removed from the property. Therefore, fire debris does not constitute “direct physical loss to property.”
Meanwhile, the Bottega court, with the benefit of a robust showing of how smoke permeated the property of a sympathetic plaintiff, cited another COVID-19 business interruption case, Inns-by-the-Sea v. California Mutual Ins. Co., 71 Cal. App. 5th 688 (2021), to reach the opposite conclusion. The court found that, whereas a virus like COVID-19 can be removed through cleaning and disinfecting, smoke is more like noxious substances and fumes that physically alter property.
To bring such claims within coverage, policyholders must now provide compelling evidence that the contamination caused tangible, physical alterations to their property. This development underscores the importance of thorough documentation and expert testimony in substantiating claims for non-visible damage.
Key Takeaways
These cases illustrate the fine line courts draw when assessing whether contamination rises to the level of a physical loss:

The nature of the damage matters – In Bottega, the insured proved that smoke infiltration rendered the property temporarily unfit for use. In Gharibian, the court saw the debris as a removable nuisance rather than a physical loss.
Burden of proof is critical – The Bottega plaintiffs provided stronger evidence linking their loss to physical damage, while Gharibian plaintiffs could not show a lasting impact on their property (much less one the insured felt required remediation).
Challenge denials with expert testimony – Some insurers may argue that smoke and soot are “removable” and do not qualify as damage. Policyholders should counter this with expert evidence demonstrating how smoke contamination affects long-term usability and air quality.
Consider the forum for litigation – As seen in Bottega and Gharibian, which court hears the case can significantly affect the outcome. When possible, policyholders should seek a jurisdiction with favorable precedents or challenge insurers’ attempts to move cases to less policyholder-friendly forums.

Final Thoughts
Wildfires raise critical questions about insurance coverage for smoke and debris damage. The rulings in Bottega and Gharibian show the ongoing battle over what counts as “direct physical loss,” with courts reaching different conclusions.
While Bottega is a win for policyholders, Gharibian suggests that insurers will continue to push for restrictive interpretations and to analogize losses to COVID-19. Policyholders must be proactive—documenting their losses, seeking expert opinions, and being prepared to challenge denials.
Ultimately, courts and policymakers must recognize that insurance should protect against real-world risks, not just total destruction. Until then, policyholders must be prepared to fight for the coverage they deserve.
[1] While the policies in these cases did not expressly cover smoke damage, many property policies do, and under such policies the argument that smoke-related damage is not covered would not be available to insurers. This underscores the importance of reviewing the policy wording and speaking with your insurance agents and policyholder-side insurance counsel.
[2] Even when the insurance company acknowledges that its policy covers smoke-related damage, there may be disputes concerning the amounts it is obligated to pay. To assess the scope of the insurer’s remediation proposal, policyholders are encouraged to retain their own remediation consultants to prepare competing proposals, which can then serve as the basis for an apples-to-apples comparison and negotiation.

Count Your Eggs Before They Crack: Coverage Options in the Event of a Poultry Crisis

The recent surge in the cost of eggs because of avian influenza (bird flu) is impacting many consumers. Multiple grocery store chains have limited the number of eggs a customer can buy, and restaurants have imposed surcharges on menu items with eggs. Consumers, however, are not the only ones feeling the economic impact of the damage to poultry flocks; poultry farmers and producers are also feeling the financial strain. As we have explained in the past, insurance can help mitigate the risks to poultry farmers and producers associated with these kinds of events. Here, we explore how some types of coverage can help protect poultry farmers and producers who face unexpected events, such as illness or contamination of a flock, that disrupt operations or cause a business loss.
Poultry-Related Risks Coverage
Poultry farm insurance is meant to protect poultry farming operations from an array of losses because of damages to equipment and property; and the death, injury or illness of the birds. Insurance products specific to poultry risks can also cover animal loss and loss of production due to diseases. Poultry insurance can also protect against unexpected mortality (like sudden death due to a farming accident or natural disaster), theft, contamination and flock repopulation costs. Insurance for poultry farmers and producers is also available in certain livestock policies, which also cover some risks associated with poultry farming.
Disease & Contamination Coverage
Disease or contamination insurance covers losses resulting from the outbreak of diseases, like bird flu and salmonella, that can affect the egg-production process. Some policies include coverage for flock culling (the process of removing birds from a flock and often later replacing them) to prevent the spread of a disease or illness within a flock. In some cases, coverage may even be available for costs of treatments for ill birds and for sanitizing a poultry farm before bringing new birds in. Disease or contamination coverage may also cover costs for poultry farmers and producers who face egg recalls and government mandates to destroy an egg supply due to contamination or suspected contamination.
Business Interruption Coverage
Business interruption coverage protects against income losses. Often, this type of insurance also covers the additional costs of keeping a business running after an interruption caused by events like supply chain issues, natural disasters and disease outbreaks. In some instances, business income insurance also covers lost income due to a direct loss to a poultry farming operation. Some insurance offerings also protect against loss due to market conditions that affect livestock businesses and owners in the wake of events like the bird flu. For example, “gross margin” insurance policies, which are part of a federal risk-management program, protect against the loss of gross margins when the costs to feed and care for animals exceed the market value of the animals. Notably, however, business interruption coverage may require a showing of direct physical loss to insured property, which varies depending on the policy. In this regard, insurers might also attempt to apply pro-insurer rulings from cases arising from the COVID-19 pandemic that interpret the meaning of “physical loss or damage” to limit what otherwise would have been a covered business interruption loss arising from bird flu-related issues. Instances of such insurer conduct have already been seen in cases involving smoke damage from California wildfires.
Key Takeaways
Poultry farming involves many unique risks, from disease outbreaks and egg recalls, to devastation resulting from severe weather conditions. For that reason, it is key for farmers and producers in the poultry industry to understand the various insurance products and unique elements associated with events that can impact their flocks and their finances. As a best practice, poultry businesses should assess potential risks of loss early and identify which insurance offerings can maximize their coverage options if their flock and farm operations are impacted by an event that leads to a loss.
Alundai J. Benjamin also contributed to this article.

Insurance Premium Finance Exemption — Maryland Commercial Finance Disclosure Legislation

Maryland recently introduced Commercial Finance Disclosure Law (“CFDL”) legislation in both the House (HB 693) and Senate (SB 754), following a path of other states with laws requiring consumer-like disclosures in certain commercial loans. Maryland has introduced similar legislation in the past but has not yet garnered sufficient support to reach the Governor’s desk.
This legislative session, the sponsors of these bills have added an additional exemption from the law’s application should it be enacted. The bills include an exemption for, among other types of loan products, commercial financing transactions that are insurance premium finance loans. Insurance premium finance loans are short-term, secured loans that enable businesses to purchase insurance coverage. Businesses of all sizes obtain commercial, property, casualty, and liability insurance policies to mitigate operational risk and to protect their interests and those of their customers. While some businesses may choose to pay insurance premiums in full at the time of purchase, others either do not have sufficient funds to pay the premiums in full up front or prefer to finance the premiums, freeing capital for other uses. The majority of states regulate insurance premium financing transactions, including Maryland.
This additional CFDL exemption appears appropriate. Insurance premium finance transactions are extensively regulated by the Maryland Insurance Administration and subject to laws that mandate the disclosure of financial terms. (Md. Code Ann., Ins., §§ 23-101 et seq.) Current insurance premium finance law in Maryland requires the disclosure of loan-related information in the insurance premium finance agreement itself, including: (i) the total amount of the premiums under the policies purchased; (ii) the amount of the down payment on the loan; (iii) the principal balance; (iv) the amount of the finance charge; (v) the balance payable by the insured; (vi) the number of installments required, the amount of each installment expressed in dollars, and the due date or period of each installment; (vii) any electronic payment fee; and (viii) prepayment particulars. Substantially similar disclosures contemplated under the proposed CFDL bills are already required under existing Maryland law regulating insurance premium finance loans. Imposing CFDL standards on insurance premium finance transactions, when equivalent disclosures are already required by other Maryland law, appears redundant and unnecessary. Further, application of multiple disclosure laws could present conflicting obligations for insurance premium finance companies, duplicative regulation by multiple administrative departments, and inconsistent information for borrowers comparing insurance premium finance loans.

Caution: Beware of Escape Hatch Allowing Successive Insurers to Dodge Claims that “Involve” Circumstances Reported to Former Insurers

The recent California federal court decision Scottsdale Ins. Co. v. Beachcomber Mgmt. Crystal Cove, LLC, et al. illustrates the perils that corporate policyholders may face in obtaining the full benefit of the bargain when they procure new D&O insurance after making a claim under a prior policy. 2025 WL 257599, at *13 (C.D. Cal. Jan. 21, 2025). In Scottsdale, the court agreed that an insurer who sold a D&O policy could deny coverage for a lawsuit filed against two corporate executives during its policy period because that lawsuit involved some of the same allegations of wrongdoing as did a claim the policyholder previously submitted to a former D&O insurer. The new policy contained a very broadly worded “prior notice exclusion” that barred coverage for all claims “in any way involving” any wrongful conduct, facts, circumstances, or situations as to which notice had been given to a prior D&O insurer. As discussed below, the company had notified its prior insurer when it received a draft version of the lawsuit a year earlier, and that insurer accepted coverage. When the claimants formally filed their litigation, however, they alleged new wrongdoing and sought new relief, so the company prudently made a claim under its new policy as well. The court acknowledged that the new claims made the formal complaint different than the draft complaint, but invoked the prior notice exclusion to bar coverage because some aspects were the same, and that was all that the plain language of the prior notice exclusion in that case required. This ruling is a cautionary tale for policyholders that underscores the importance of paying close attention to the detailed terms and conditions of existing and prospective insurance policies, particularly with respect to whether and how reporting a claim under one policy may limit or preclude coverage under a replacement or later-in-time policy.
In Beachcomber, the central issue was whether an insurer that sold a D&O policy to replace another D&O policy would cover a litigation that included some of the same claims and allegations as did prior claims, but that also included new and different claims and allegations. During the prior policy period, corporate creditors prepared a draft complaint as part of bankruptcy proceedings accusing two business executives of breaching their fiduciary duties by allegedly causing the company to make distributions that were not in the company’s best interest. The company’s then D&O insurer agreed to cover that claim. Afterward, and as part of the company’s reorganization efforts, the company procured a new D&O insurance policy from a different insurer. After that new policy was in effect, the bankruptcy trustee filed its broader complaint echoing the breach-of-fiduciary-duty allegations from the draft complaint, and also alleging other misconduct, including usurping business opportunities and devoting and transferring corporate financial resources for the benefit of other businesses.
The new D&O insurer ultimately sought a declaratory judgment that it did not owe coverage for the litigation, culminating in Beachcomber. Notably, the new insurer initially had agreed to provide coverage for the claims alleged in the trustee’s formal complaint, but changed its mind and invoked the prior notice exclusion to bar coverage when it learned that the prior insurer had already accepted coverage based on the draft complaint. Thereafter, the new insurer moved for summary judgment, arguing that the company’s notice of the earlier draft complaint to its former insurer triggered the prior notice exclusion and barred coverage. As already mentioned, the particular version of the prior notice exclusion at issue included the expansive phrase “in any way involving,” and the court found those words meant that any overlap between the wrongful acts, facts, circumstances, or situations in the draft and as-filed complaints could satisfy the exclusion. In the court’s view, it did not matter that the filed complaint had allegations not present in the earlier draft complaint; so long as both complaints “in any way involve[d]” the same facts and law, they came within the scope of the exclusion.
Notably, in reaching its decision that the prior notice exclusion barred coverage, the court expressly declined to consider cases addressing whether successive claims are “related” for coverage purposes under policy terms and conditions other than the prior notice exclusion. The court’s narrow focus was significant to the result in Beachcomber, because the Ninth Circuit Court of Appeals has shown much greater willingness to differentiate among successive claims with overlapping facts and allegations in other coverage contexts, such as the application of the Interrelated Wrongful Acts provision at issue in Fin. Mgmt. Advisors, LLC v. Am. Int’l Specialty Lines Ins. Co., 506 F.3d 922, 926 (9th Cir. 2007). In FMA, the Ninth Circuit declined to find “related,” for coverage purposes, two lawsuits filed by different investors who had received financial advice from an investment advisory firm, even though the two lawsuits included some common allegations of wrongdoing. In the appellate court’s view, it was more important that some of the wrongful acts alleged in the two lawsuits were different than it was that both claims included some common allegations. The court in Beachcomber ultimately reached the opposite conclusion, and held that the overlap between the draft complaint and the filed complaint was more important than the fact that the filed complaint included expanded facts and claims.
Beachcomber is a reminder of the importance for policyholders to carefully examine and understand the intricacies of their insurance policies, including how policies effective during different time periods can interact. Beachcomber also highlights the potential benefit to policyholders of evaluating their rights at the outset of insurance claims, including those related to reporting claims under their policies. Indeed, having a detailed understanding of the insurance policies implicated by the claim at issue is essential to ensuring that policyholders are adequately protecting their interests. Policyholders may avoid costly errors, or inadvertent oversight, and be prepared to navigate the nuanced nature of insurance claims by contacting insurance counsel who can help them better understand their coverage.

$10.00 CAR INSURANCE?: Quote Wizard Draws Complaint Over Advertisement that Does Not Comport With “Basic Common Sense”

Is this real? 
So Lending Tree hasn’t apologized yet. 
But I am over it.
Unrelated, picked up this odd complaint in Michigan that I thought was interesting.
Apparently Quote Wizard was running ads suggesting they could provide full auto insurance coverage for $10.00.
At least that’s the gist of the complaint I was provided.
The consumer says:
QuoteWizard.com, LLC is running at least 29 illegal advertisements to solicit insurance in the State of Michigan in violation of Michigan Compiled Law (MCL) 500.2003, 500.2005, 500.2005a, 500.2007. The Michigan Insurance Code states that unfair methods of competition and unfair and deceptive acts include the making, publishing, disseminating, circulating, etc. of any assertion with respect to the business of insurance or with respect to any person in the conduct of his insurance business, which is untrue, deceptive or misleading. MCL § 500.2007. The Michigan Insurance Code further prohibits the use of marketing that fails to disclose in a conspicuous manner that its purpose is solicitation of insurance and that contact will be made by an insurance agent or insurance company. MCL § 500.2005a. Quotewizard.com, LLC runs a variety of advertisements on Meta’s Facebook platform. These ads, which I have copied links to view in Meta’s Ad Library, are untrue, deceptive, and misleading. Quotewizard.com, LLC advertises a new insurance rate as ” New Rate $10 Full Coverage”. As a licensed insurance agency in the State of Michigan Quotewizard.com, LLC must follow the law. Based on information, belief, and the application of basic common sense, Quotewizard.com, LLC cannot offer an automobile insurance policy with “full coverage (which in common parlance generally means to include both collision and comprehensive coverage) for $10. If Quotewizard.com, LLC is in fact selling $10 auto insurance policies we have an even bigger problem because based on a search of DIFS website QuoteWizard.com, LLC is not appointed by a single insurance carrier to transact business in the state. Quotewizard.com, LLC appears to be preying on Michigan’s financially venerable [editor’s note: probably means vulnerable] population that can barely afford their car insurance and is trying to entice them to click their advertisement in hopes of financial relief. 
Instead, clicking the advertisement will simply forward your information to dozens of insurance agents that will call you over and over trying to sell you insurance at rates that we would customarily expect to receive, not $10. 
Just because a consumer says this is true doesn’t make it true. But the ads library looks pretty legit. So maybe Quote Wizard was knowingly or unknowingly tricking people into visiting its website. Or maybe somebody is submitting false stuff to a Michigan regulator. *Shrug.*
Regardless, I am sharing this because it does raise a pretty important issue for folks buying leads– you need to understand your entire funnel.
If you are accepting clicks–or even inbound calls–from social media ads that contain false content you may end up being pursued by a state agency. (That hasn’t happened here, BTW, just a complaint– but one everyone can learn from.)
And I know Musk may have just killed the CFPB and the feds look unlikely to regulate anyone or anything–at least for a while– but the states can be plenty aggressive. So watch out!

Insurtech in 2025: Opportunity and Risk

The explosion in artificial intelligence (AI) capability and applications has increased the potential for industry disruptions. One industry experiencing recent material disruption is about as traditional as it gets: insurance. While some level of disruption in the insurance industry is nothing new, AI has been accelerating more significant changes to industry fundamentals. This is the first advisory in a series exploring the legal risks and strategies surrounding disruptive insurance technologies, particularly those leveraging AI, known as Insurtech.
What is Insurtech?
Insurtech is a broad term that encompasses every stage of the insurance lifecycle. Cutting-edge technology can be instrumental in advertising, lead generation, sales, underwriting, claims processing and fraud detection, among others. Generative AI can assist in client management and retention. Insurtech can augment traditional forms of insurance such as car and health insurance, and facilitate less traditional forms of insurance, such as parametric insurance or microinsurance at scale.
Legal and Regulatory Risks of Insurtech
As Insurtech continues to evolve, designers, providers and deployers must be aware of the legal and regulatory risks inherent in the use of Insurtech at all stages. These risks are particularly heightened in the insurance world, where vendors and carriers process an enormous amount of personal information in the course of decision-making that impacts individuals’ rights, from advertising to product pricing to coverage decisions. 
The heavily regulated nature of the traditional industry is further compounded in the Insurtech context, given overlapping regulatory interests in new technology applications. These additional layers of oversight, which in traditional applications may not be as much of a primary concern, include the Federal Trade Commission, state Attorneys General and, in some jurisdictions, state-level privacy regulators.
Building Compliance for Insurtech Solutions
Designing, providing and deploying Insurtech solutions requires a multifaceted, customized approach to position agents, vendors, carriers and indeed any entity in the insurance stack for compliance. Taking early action to build appropriate governance for your Insurtech product or application is critical to building a defensive regulatory position. For entities that have an eye on raising capital, engaging in mergers or acquisitions, or other collaborative marketplace activity, such governance will minimize friction that can impede success. 
Additionally, consumers are increasingly attentive to data privacy and AI governance standards. Incorporating proper data privacy and AI governance regimes from day one is not only a forward-thinking business decision to mitigate risk and facilitate success; it is also a market imperative. 
Looking Ahead: Risks and Opportunities in 2025
Over the next few months, we will take a closer look into more discrete risks and opportunities that Insurtech providers and deployers need to keep in mind throughout 2025. Follow along as we explore this exciting area that in recent years has demonstrated enormous potential for continued growth.

The BR Privacy & Security Download: February 2025

STATE & LOCAL LAWS & REGULATIONS
New York Legislature Passes Comprehensive Health Privacy Law: The New York state legislature passed SB-929 (the “Bill”), providing for the protection of health information. The Bill broadly defines “regulated health information” as “any information that is reasonably linkable to an individual, or a device, and is collected or processed in connection with the physical or mental health of an individual.” Regulated health information includes location and payment information, as well as inferences derived from an individual’s physical or mental health. The term “individual” is not defined. Accordingly, the Bill contains no terms restricting its application to consumers acting in an individual or household context. The Bill would apply to regulated entities, which are entities that (1) are located in New York and control the processing of regulated health information, or (2) control the processing of regulated health information of New York residents or individuals physically present in New York. Among other things, the Bill would restrict regulated entities to processing regulated health information only with a valid authorization, or when strictly necessary for certain specified activities. The Bill also provides for individual rights and requires the implementation of reasonable administrative, physical, and technical safeguards to protect regulated health information. The Bill would take effect one year after being signed into law and currently awaits New York Governor Kathy Hochul’s signature.
New York Data Breach Notification Law Updated: Two bills, SO2659 and SO2376, that amend the state’s data breach notification law were signed into law by New York Governor Kathy Hochul. The bills change the timing requirement within which notice must be provided to New York residents, add data elements to the definition of “private information,” and add the New York Department of Financial Services to the list of regulators that must be notified. Previously, New York’s data breach notification statute did not have a hard deadline within which notice had to be provided. The amendments now require affected individuals to be notified no later than 30 days after discovery of the breach, except for delays arising from the legitimate needs of law enforcement. Additionally, as of March 25, 2025, “private information” subject to the law’s notification requirements will include medical information and health insurance information.
California AG Issues Legal Advisory on Application of California Law to AI: California’s Attorney General has issued legal advisories to clarify that existing state laws apply to AI development and use, emphasizing that California is not an AI “wild west.” These advisories cover consumer protection, civil rights, competition, data privacy, and election misinformation. AI systems, while beneficial, present risks such as bias, discrimination, and the spread of disinformation. Therefore, entities that develop or use AI must comply with all state, federal, and local laws. The advisories highlight key laws, including the Unfair Competition Law and the California Consumer Privacy Act. The advisories also highlight new laws effective on January 1, 2025, which include disclosure requirements for businesses, restrictions on the unauthorized use of likeness, and regulations for AI use in elections and healthcare. These advisories stress the importance of transparency and compliance to prevent harm from AI.
New Jersey AG Publishes Guidance on Algorithmic Discrimination: On January 9, 2025, New Jersey’s Attorney General and Division on Civil Rights announced a new civil rights and technology initiative to address the risks of discrimination and bias-based harassment in AI and other advanced technologies. The initiative includes the publication of a Guidance Document, which addresses the applicability of New Jersey’s Law Against Discrimination (“LAD”) to automated decision-making tools and technologies. It focuses on the threats posed by automated decision-making technologies in the housing, employment, healthcare, and financial services contexts, emphasizing that the LAD applies to discrimination regardless of the technology at issue. Also included in the announcement is the launch of a new Civil Rights Innovation lab, which “will aim to leverage technology responsibly to advance [the Division’s] mission to prevent, address, and remedy discrimination.” The Lab will partner with experts and relevant industry stakeholders to identify and develop technology to enhance the Division’s enforcement, outreach, and public education work, and will develop protocols to facilitate the responsible deployment of AI and related decision-making technology. This initiative, along with the recently effective New Jersey Data Protection Act, shows a significantly increased focus from the New Jersey Attorney General on issues relating to data privacy and automated decision-making technologies.
New Jersey Publishes Comprehensive Privacy Law FAQs: The New Jersey Division of Consumer Affairs Cyber Fraud Unit (“Division”) published FAQs that provide a general summary of the New Jersey Data Privacy Law (“NJDPL”), including its scope, key definitions, consumer rights, and enforcement. The NJDPL took effect on January 15, 2025, and the FAQs state that controllers subject to the NJDPL are expected to comply by such date. However, the FAQs also emphasize that until July 1, 2026, the Division will provide notice and a 30-day cure period for potential violations. The FAQs also suggest that the Division may adopt a stricter approach to minors’ privacy. While the text of the NJDPL requires consent for processing the personal data of consumers between the ages of 13 and 16 for purposes of targeted advertising, sale, and profiling, the FAQs state that when a controller knows or willfully disregards that a consumer is between the ages of 13 and 16, consent is required to process their personal data more generally.
CPPA Extends Formal Comment Period for Automated Decision-Making Technology Regulations: The California Privacy Protection Agency (“CPPA”) extended the public comment period for its proposed regulations on cybersecurity audits, risk assessments, automated decision-making technology (“ADMT”), and insurance companies under the California Privacy Rights Act. The public comment period opened on November 22, 2024, and was set to close on January 14, 2025. However, due to the wildfires in Southern California, the public comment period was extended to February 19, 2025. The CPPA will also be holding a public hearing on that date for interested parties to present oral and written statements or arguments regarding the proposed regulations.
Oregon DOJ Publishes Toolkit for Consumer Privacy Rights: The Oregon Department of Justice announced the release of a new toolkit designed to help Oregonians protect their online information. The toolkit is designed to help families understand their rights under the Oregon Consumer Privacy Act. The Oregon DOJ reminded consumers how to submit complaints when businesses are not responsive to privacy rights requests. The Oregon DOJ also stated it has received 118 complaints since the Oregon Consumer Privacy Act took effect last July and had sent notices of violation to businesses that have been identified as non-compliant.
California, Colorado, and Connecticut AGs Remind Consumers of Opt-Out Rights: California Attorney General Rob Bonta published a press release reminding residents of their right to opt out of the sale and sharing of their personal information. The California Attorney General also cited the robust privacy protections of Colorado and Connecticut laws that provide for similar opt-out protections. The press release urged consumers to familiarize themselves with the Global Privacy Control (“GPC”), a browser setting or extension that automatically signals to businesses that they should not sell or share a consumer’s personal information, including for targeted advertising. The Attorney General also provided instructions for the use of the GPC and for exercising opt-outs by visiting the websites of individual businesses.
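The GPC signal referred to above is a concrete HTTP mechanism, so a business that wants to honor it needs logic on its web tier, not just a policy statement. The following is an added example and is not code from the original post or from any regulator. It assumes the mechanism as defined in the Global Privacy Control specification: a participating browser sends the request header `Sec-GPC` whose only valid value is the string `1` (the same browsers expose `navigator.globalPrivacyControl` to page scripts). The sample requests, stored preferences and precedence rules below are constructed for illustration.

```python
"""Detect and honor a Global Privacy Control (GPC) opt-out signal.

Added example; not from the original post. Assumes the GPC specification's
HTTP mechanism: a request header ``Sec-GPC`` whose only valid value is "1".
The sample requests and stored preferences below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Mapping, Optional


@dataclass(frozen=True)
class SaleDecision:
    """Whether data from this request may be sold/shared, and why."""
    allowed: bool
    reason: str
    conflict: bool = False  # a stored opt-in disagrees with a live GPC signal


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """Return True only for a well-formed GPC signal.

    Header names are matched case-insensitively (HTTP headers are), but the
    value must be exactly "1": "0", "true", "yes" or an empty value are not
    a signal under the spec, so a malformed header neither opts the user
    out nor back in.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def decide_sale_or_share(headers: Mapping[str, str],
                         stored_opt_out: Optional[bool]) -> SaleDecision:
    """Combine the live GPC signal with a previously stored choice.

    ``stored_opt_out`` is None when the user never made a choice, True when
    they opted out through the site's own mechanism, False when they
    expressly opted in. Precedence (an assumption reflecting the press
    release's framing that the signal is an opt-out the business must
    respect):
      1. a stored opt-out always wins;
      2. a valid GPC signal is treated as an opt-out request, and a
         conflicting stored opt-in is flagged so the business can follow
         up with the user rather than silently overriding the signal;
      3. otherwise sale/sharing is permitted.
    """
    if stored_opt_out is True:
        return SaleDecision(False, "user previously opted out")
    if gpc_signal_present(headers):
        return SaleDecision(False, "Sec-GPC: 1 received; treated as opt-out",
                            conflict=stored_opt_out is False)
    if stored_opt_out is False:
        return SaleDecision(True, "user previously opted in; no GPC signal")
    return SaleDecision(True, "no stored choice and no GPC signal")


# Constructed sample traffic: (description, request headers, stored choice).
SAMPLE_REQUESTS = [
    ("browser with GPC enabled, no prior choice",
     {"Host": "shop.example", "Sec-GPC": "1"}, None),
    ("GPC header present but malformed",
     {"host": "shop.example", "sec-gpc": "true"}, None),
    ("no GPC, user opted out on the site earlier",
     {"Host": "shop.example"}, True),
    ("GPC on, but user had expressly opted in earlier",
     {"Host": "shop.example", "SEC-GPC": "1"}, False),
]


def audit_samples() -> list:
    """Run every sample through the decision; return (desc, allowed, conflict)."""
    results = []
    for desc, headers, pref in SAMPLE_REQUESTS:
        d = decide_sale_or_share(headers, pref)
        results.append((desc, d.allowed, d.conflict))
    return results


if __name__ == "__main__":
    for desc, allowed, conflict in audit_samples():
        note = " (conflicts with stored opt-in)" if conflict else ""
        print(f"{desc}: sale/share {'allowed' if allowed else 'blocked'}{note}")
```

The check deliberately accepts only the literal value `1`, because treating any non-empty `Sec-GPC` as a signal would let a mangled header silently change a user's status, and the conflict flag keeps a record of cases where a live signal overrode an earlier opt-in, which is the situation a regulator is most likely to ask about.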

FEDERAL LAWS & REGULATIONS
FTC Finalizes Updates to COPPA Rule: The FTC announced the finalization of updates to the Children’s Online Privacy Protection Rule (the “Rule”). The updated Rule makes a number of changes, including requiring opt-in consent to engage in targeted advertising to children and to disclose children’s personal information to third parties. The Rule also adds biometric identifiers to the definition of personal information and prohibits operators from retaining children’s personal information for longer than necessary for the specific documented business purposes for which it was collected. Operators must maintain a written data retention policy that documents the business purpose for data retention and the retention period for data. The Commission voted 5-0 to adopt the Rule, but new FTC Chair Andrew Ferguson filed a separate statement describing “serious problems” with the rule. Ferguson specifically stated that it was unclear whether an entirely new consent would be required if an operator added a new third party with whom personal information would be shared, potentially creating a significant burden for businesses. The Rule will be effective 60 days after its publication in the Federal Register.
Trump Rescinds Biden’s Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence: President Donald Trump took action to rescind former President Biden’s Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence (“AI EO”). According to a Biden administration statement released in October, many action items from the AI EO have already been completed. Recommendations, reports, and opportunities for research that were completed prior to revocation of the AI EO may continue in place unless replaced by additional federal agency action. It remains unclear whether the Trump Administration will issue its own executive orders relating to AI.
U.S. Justice Department Issues Final Rule on Transfer of Sensitive Personal Data to Foreign Adversaries: The U.S. Justice Department issued final regulations to implement a presidential Executive Order regarding access to bulk sensitive personal data of U.S. citizens by foreign adversaries. The regulations restrict transfers involving designated countries of concern – China, Cuba, Iran, North Korea, Russia, and Venezuela. At a high level, transfers are restricted if they could result in bulk sensitive personal data access by a country of concern or a “covered person,” which is an entity that is majority-owned by a country of concern, organized under the laws of a country of concern, has its principal place of business in a country of concern, or is an individual whose primary residence is in a country of concern. Data covered by the regulation includes precise geolocation data, biometric identifiers, genetic data, health data, financial data, government-issued identification numbers, and certain other identifiers, including device or hardware-based identifiers, advertising identifiers, and demographic or contact data.
First Complaint Filed Under Protecting Americans’ Data from Foreign Adversaries Act: The Electronic Privacy Information Center (“EPIC”) and the Irish Council for Civil Liberties (“ICCL”) Enforce Unit filed the first-ever complaint under the Protecting Americans’ Data from Foreign Adversaries Act (“PADFAA”). PADFAA makes it unlawful for a data broker to sell, license, rent, trade, transfer, release, disclose, or otherwise make available specified personally identifiable sensitive data of individuals residing in the United States to North Korea, China, Russia, Iran, or an entity controlled by one of those countries. The complaint alleges that Google’s real-time bidding system data includes personally identifiable sensitive data, that Google executives were aware that data from its real-time bidding system may have been resold, and that Google’s public list of certified companies that receive real-time bidding bid request data includes multiple companies based in foreign adversary countries.
FDA Issues Draft Guidance for AI-Enabled Device Software Functions: The U.S. Food and Drug Administration (“FDA”) published its January 2025 Draft Guidance for Industry and FDA Staff regarding AI-enabled device software functionality. The Draft provides recommendations regarding the contents of marketing submissions for AI-enabled medical devices, including documentation and information that will support the FDA’s evaluation of their safety and effectiveness. The Draft Guidance is designed to reflect a “comprehensive approach” to the management of devices through their total product life cycle and includes recommendations for the design, development, and implementation of AI-enabled devices. The FDA is accepting comments on the Draft Guidance, which may be submitted online until April 7, 2025.
Industry Coalition Pushes for Unified National Data Privacy Law: A coalition of over thirty industry groups, including the U.S. Chamber of Commerce, sent a letter to Congress urging it to enact a comprehensive national data privacy law. The letter highlights the urgent need for a cohesive federal standard to replace the fragmented state laws that complicate compliance and stifle competition. The letter advocates for legislation based on principles to empower startups and small businesses by reducing costs and improving consumer access to services. The letter supports granting consumers the right to understand, correct, and delete their data, and to opt out of targeted advertising, while emphasizing transparency by requiring companies to disclose data practices and secure consent for processing sensitive information. It also focuses on the principles of limiting data collection to essential purposes and implementing robust security measures. While the principles aim to override strong state laws like that in California, the proposal notably excludes data broker regulation, a previous point of contention. The coalition cautions against legislation that could lead to frivolous litigation, advocating for balanced enforcement and collaborative compliance. By adhering to these principles, the industry groups seek to ensure legal certainty and promote responsible data use, benefiting both businesses and consumers.
Cyber Trust Mark Unveiled: The White House launched a labeling scheme for internet-of-things devices designed to inform consumers when devices meet certain government-determined cybersecurity standards. The program has been in development for several months and involves collaboration between the White House, the National Institute of Standards and Technology, and the Federal Communications Commission. UL Solutions, a global safety and testing company headquartered in Illinois, has been selected as the lead administrator of the program along with 10 other firms as deputy administrators. With the main goal of helping consumers make more cyber-secure choices when purchasing products, the White House hopes to have products with the new cyber trust mark hit shelves before the end of 2025.

U.S. LITIGATION
Texas Attorney General Sues Insurance Company for Unlawful Collection and Sharing of Driving Data: Texas Attorney General Ken Paxton filed a lawsuit against Allstate and its data analytics subsidiary, Arity. The lawsuit alleges that Arity paid app developers to incorporate its software development kit that tracked location data from over 45 million consumers in the U.S. According to the lawsuit, Arity then shared that data with Allstate and other insurers, who would use the data to justify increasing car insurance premiums. The sale of precise geolocation data of Texans violated the Texas Data Privacy and Security Act (“TDPSA”) according to the Texas Attorney General. The TDPSA requires the companies to provide notice and obtain informed consent to use the sensitive data of Texas residents, which includes precise geolocation data. The Texas Attorney General sued General Motors in August of 2024, alleging similar practices relating to the collection and sale of driver data.
Eleventh Circuit Overturns FCC’s One-to-One Consent Rule, Upholds Broader Telemarketing Practices: In Insurance Marketing Coalition, Ltd. v. Federal Communications Commission, No. 24-10277, 2025 WL 289152 (11th Cir. Jan. 24, 2025), the Eleventh Circuit vacated the FCC’s one-to-one consent rule under the Telephone Consumer Protection Act (“TCPA”). The court found that the rule exceeded the FCC’s authority and conflicted with the statutory meaning of “prior express consent.” By requiring separate consent for each seller and topic-related call, the rule was deemed unnecessary. This decision allows businesses to continue using broader consent practices, maintaining shared consent agreements. The ruling emphasizes that consent should align with common-law principles rather than be restricted to a single entity. While the FCC’s next steps remain uncertain, the decision reduces compliance burdens and may challenge other TCPA regulations.
California Judge Blocks Enforcement of Social Media Addiction Law: The California Protecting Our Kids from Social Media Addiction Act (the “Act”) has been temporarily blocked. The Act was set to take effect on January 1, 2025. The law aims to prevent social media platforms from using algorithms to provide addictive content to children. Judge Edward J. Davila initially declined to block key parts of the law but agreed to pause enforcement until February 1, 2025, to allow the Ninth Circuit to review the case. NetChoice, a tech trade group, is challenging the law on First Amendment grounds. NetChoice argues that restricting minors’ access to personalized feeds violates the First Amendment. The group has appealed to the Ninth Circuit and is seeking an injunction to prevent the law from taking effect. Judge Davila’s decision recognized the “novel, difficult, and important” constitutional issues presented by the case. The law includes provisions to restrict minors’ access to personalized feeds, limit their ability to view likes and other feedback, and restrict third-party interaction.

U.S. ENFORCEMENT
FTC Settles Enforcement Action Against General Motors for Sharing Geolocation and Driving Behavior Data Without Consent: The Federal Trade Commission (“FTC”) announced a proposed order to settle FTC allegations against General Motors that it collected, used, and sold driver’s precise geolocation data and driving behavior information from millions of vehicles without adequately notifying consumers and obtaining their affirmative consent. The FTC specifically alleged General Motors used a misleading enrollment process to get consumers to sign up for its OnStar-connected vehicle service and Smart Driver feature without proper notice or consent during that process. The information was then sold to third parties, including consumer reporting agencies, according to the FTC. As part of the settlement, General Motors will be prohibited from disclosing driver data to consumer reporting agencies, required to allow consumers to obtain and delete their data, required to obtain consent prior to collection, and required to allow consumers to limit data collected from their vehicles.
FTC Releases Proposed Order Against GoDaddy for Alleged Data Security Failures: The Federal Trade Commission (“FTC”) has announced it had reached a proposed settlement in its action against GoDaddy Inc. (“GoDaddy”) for failing to implement reasonable and appropriate security measures, which resulted in several major data breaches between 2019 and 2022. According to the FTC’s complaint, GoDaddy misled customers of its data security practices, through claims on its websites and in email and social media ads, and by representing it was in compliance with the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks. However, the FTC found that GoDaddy failed to inventory and manage assets and software updates, assess risks to its shared hosting services, adequately log and monitor security-related events, and segment its shared hosting from less secure environments. The FTC’s proposed order against GoDaddy prohibits GoDaddy from misleading its customers about its security practices and requires GoDaddy to implement a comprehensive information security program. GoDaddy must also hire a third-party assessor to conduct biennial reviews of its information security program.
CPPA Reaches Settlements with Additional Data Brokers: Following its announcement of a public investigative sweep of data broker registration compliance, the CPPA has settled with additional data brokers PayDae, Inc. d/b/a Infillion (“Infillion”), The Data Group, LLC (“The Data Group”), and Key Marketing Advantage, LLC (“KMA”) for failing to register as a data broker and pay an annual fee as required by California’s Delete Act. Infillion will pay $54,200 for failing to register between February 1, 2024, and November 4, 2024. The Data Group will pay $46,600 for failing to register between February 1, 2024, and September 20, 2024. KMA will pay $55,800 for failing to register between February 1, 2024, and November 5, 2024. In addition to the fines, the companies have agreed to injunctive terms. The Delete Act imposes fines of $200 per day for failing to register by the deadline.
Mortgage Company Fined by State Financial Regulators for Cybersecurity Breach: Bayview Asset Management LLC and three affiliates (collectively, “Bayview”) agreed to pay a $20 million fine and improve their cybersecurity programs to settle allegations from 53 state financial regulators. The Conference of State Bank Supervisors (“CSBS”) alleged that the mortgage companies had deficient cybersecurity practices and did not fully cooperate with regulators after a 2021 data breach. The data breach compromised data for 5.8 million customers. The coordinated enforcement action was led by financial regulators in California, Maryland, North Carolina, and Washington State. The regulators said the companies’ information technology and cybersecurity practices did not meet federal or state requirements. The firms also delayed the supervisory process by withholding requested information and providing redacted documents in the initial stages of a post-breach exam. The companies also agreed to undergo independent assessments and provide three years of additional reporting to the state regulators.
SEC Reaches Settlement over Misleading Cybersecurity Disclosures: The SEC announced it has settled charges with Ashford Inc., an asset management firm, over misleading disclosures related to a cybersecurity incident. This enforcement action stemmed from a ransomware attack in September 2023, compromising over 12 terabytes of sensitive hotel customer data, including driver’s licenses and credit card numbers. Despite the breach, Ashford falsely reported in its November 2023 filings that no customer information was exposed. The SEC alleged negligence in Ashford’s disclosures, citing violations of the Securities Act of 1933 and the Exchange Act of 1934. Without admitting or denying the allegations, Ashford agreed to a $115,231 penalty and an injunction. This case highlights the critical importance of accurate cybersecurity disclosures and demonstrates the SEC’s commitment to ensuring transparency and accountability in corporate reporting.
FTC Finalizes Data Breach-Related Settlement with Marriott: The FTC has finalized its order against Marriott International, Inc. (“Marriott”) and its subsidiary Starwood Hotels & Resorts Worldwide LLC (“Starwood”). As previously reported, the FTC entered into a settlement with Marriott and Starwood for three data breaches the companies experienced between 2014 and 2020, which collectively impacted more than 344 million guest records. Under the finalized order, Marriott and Starwood are required to establish a comprehensive information security program, implement a policy to retain personal information only for as long as reasonably necessary, and establish a link on their website for U.S. customers to request deletion of their personal information associated with their email address or loyalty rewards account number. The order also requires Marriott to review loyalty rewards accounts upon customer request and restore stolen loyalty points. The companies are further prohibited from misrepresenting their information collection practices and data security measures.
New York Attorney General Settles with Auto Insurance Company over Data Breach: The New York Attorney General settled with automobile insurance company, Noblr, for a data breach the company experienced in January 2021. Noblr’s online insurance quoting tool exposed full, plaintext driver’s license numbers, including on the backend of its website and in PDFs generated when a purchase was made. The data breach impacted the personal information of more than 80,000 New Yorkers. The data breach was part of an industry-wide campaign to steal personal information (e.g., driver’s license numbers and dates of birth) from online automobile insurance quoting applications to be used to file fraudulent unemployment claims during the COVID-19 pandemic. As part of its settlement, Noblr must pay the New York Attorney General $500,000 in penalties and strengthen its data security measures such as by enhancing its web application defenses and maintaining a comprehensive information security program, data inventory, access controls (e.g., authentication procedures), and logging and monitoring systems.
FTC Alleges Video Game Maker Violated COPPA and Engaged in Deceptive Marketing Practices: The Federal Trade Commission (“FTC”) has taken action against Cognosphere Pte. Ltd and its subsidiary Cognosphere LLC, also known as HoYoverse, the developer of the game Genshin Impact (“HoYoverse”). The FTC alleges that HoYoverse violated the Children’s Online Privacy Protection Act (“COPPA”) and engaged in deceptive marketing practices. Specifically, the company is accused of unfairly marketing loot boxes to children and misleading players about the odds of winning prizes and the true cost of in-game transactions. To settle these charges, HoYoverse will pay a $20 million fine and is prohibited from allowing children under 16 to make in-game purchases without parental consent. Additionally, the company must provide an option to purchase loot boxes directly with real money and disclose loot box odds and exchange rates. HoYoverse is also required to delete personal information collected from children under 13 without parental consent. The FTC’s actions aim to protect consumers, especially children and teens, from deceptive practices related to in-game purchases.
OCR Finalizes Several Settlements for HIPAA Violations: Prior to the inauguration of President Trump, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) brought enforcement actions against four entities, USR Holdings, LLC (“USR”), Elgon Information Systems (“Elgon”), Solara Medical Supplies, LLC (“Solara”) and Northeast Surgical Group, P.C. (“NESG”), for potential violations of the Health Insurance Portability and Accountability Act’s (“HIPAA”) Security Rule due to the data breaches the entities experienced. USR reported that between August 23, 2018, and December 8, 2018, a database containing the electronic protected health information (“ePHI”) of 2,903 individuals was accessed by an unauthorized third party who was able to delete the ePHI in the database. Elgon and NESG each discovered a ransomware attack in March 2023, which affected the protected health information (“PHI”) of approximately 31,248 individuals and 15,298 individuals, respectively. Solara experienced a phishing attack that allowed an unauthorized third party to gain access to eight of Solara’s employees’ email accounts between April and June 2019, resulting in the compromise of 114,007 individuals’ ePHI. As part of their settlements, each of the entities is required to pay a fine to OCR: USR $337,750, Elgon $80,000, Solara $3,000,000, and NESG $10,000. Additionally, each of the entities is required to implement certain data security measures such as conducting a risk analysis, implementing a risk management plan, maintaining written policies and procedures to comply with HIPAA, and distributing such policies or providing training on such policies to its workforce.
Virginia Attorney General Sues TikTok for Addictive Fees and Allowing Chinese Government to Access Data: Virginia Attorney General Jason Miyares announced his office had filed a lawsuit against TikTok and ByteDance Ltd, the Chinese-based parent company of TikTok. The lawsuit alleges that TikTok was intentionally designed to be addictive for adolescent users and that the company deceived parents about TikTok content, including by claiming the app is appropriate for children over the age of 12, in violation of the Virginia Consumer Protection Act.

INTERNATIONAL LAWS & REGULATIONS
UK ICO Publishes Guidance on Pay or Consent Model: On January 23, the UK’s Information Commissioner’s Office (“ICO”) published its Guidance for Organizations Implementing or Considering Implementing Consent or Pay Models. The guidance is designed to clarify how organizations can deploy ‘consent or pay’ models in a manner that gives users meaningful control over the privacy of their information while still supporting their economic viability. The guidance addresses the requirements of applicable UK laws, including PECR and the UK GDPR, and provides extensive guidance as to how appropriate fees may be calculated and how to address imbalances of power. The guidance includes a set of factors that organizations can use to assess their consent models and includes plans to further engage with online consent management platforms, which are typically used by businesses to manage the use of essential and non-essential online trackers. Businesses with operations in the UK should carefully review their current online tracker consent management tools in light of this new guidance.
EU Commission to Pay Damages for Sending IP Address to Meta: The European General Court has ordered the European Commission to pay a German citizen, Thomas Bindl, €400 in damages for unlawfully transferring his personal data to the U.S. This decision sets a new precedent regarding EU data protection litigation. The court found that the Commission breached data protection regulations by operating a website with a “sign in with Facebook” option. This resulted in Bindl’s IP address, along with other data, being transferred to Meta without ensuring adequate safeguards were in place. The transfer happened during the transition period between the EU-U.S. Privacy Shield and the EU-U.S. Data Protection Framework. The court determined that this left Bindl in a position of uncertainty about how his data was being processed. The ruling is significant because it recognizes “intrinsic harm” and may pave the way for large-scale collective redress actions.
European Data Protection Board Releases AI Bias Assessment and Data Subject Rights Tools: The European Data Protection Board (“EDPB”) released two AI tools as part of the AI: Complex Algorithms and effective Data Protection Supervision Projects. The EDPB launched the project in the context of the Support Pool of Experts program at the request of the German Federal Data Protection Authority. The Support Pool of Experts program aims to help data protection authorities increase their enforcement capacity by developing common tools and giving them access to a wide pool of experts. The new documents address best practices for bias evaluation and the effective implementation of data subject rights, specifically the rights to rectification and erasure when AI systems have been developed with personal data.
European Data Protection Board Adopts New Guidelines on Pseudonymization: The EDPB released new guidelines on pseudonymization for public consultation (the “Guidelines”). Although pseudonymized data still constitutes personal data under the GDPR, pseudonymization can reduce the risks to the data subjects by preventing the attribution of personal data to natural persons in the course of the processing of the data, and in the event of unauthorized access or use. In certain circumstances, the risk reduction resulting from pseudonymization may enable controllers to rely on legitimate interests as the legal basis for processing personal data under the GDPR, provided they meet the other requirements, or help guarantee an essentially equivalent level of protection for data they intend to export. The Guidelines provide real-world examples illustrating the use of pseudonymization in various scenarios, such as internal analysis, external analysis, and research.
CJEU Issues Ruling on Excessive Data Subject Requests: On January 9, the Court of Justice of the European Union (“CJEU”) issued its ruling in the case Österreichische Datenschutzbehörde (C‑416/23). The primary question before the Court was when a European data protection authority may deny consumer requests due to their excessive nature. Rather than specifying an arbitrary numerical threshold of requests received, the CJEU found that authorities must consider the relevant facts to determine whether the individual submitting the request has “an abusive intention.” While the number of requests submitted may be a factor in determining this intention, it is not the only factor. Additionally, the CJEU emphasized that Data Protection Authorities should strongly consider charging a “reasonable fee” for handling requests they suspect may be excessive prior to simply denying them.
Daniel R. Saeedi, Rachel L. Schaller, Gabrielle N. Ganz, Ana Tagvoryan, P. Gavin Eastgate, Timothy W. Dickens, Jason C. Hirsch, Tianmei Ann Huang, Adam J. Landy, Amanda M. Noonan, and Karen H. Shin contributed to this article.

HHS’s Proposed Security Rule Updates Will Substantially Increase the Controls Needed to Comply with the Technical Safeguard Requirements

In this week’s installment of our blog series on the U.S. Department of Health and Human Services’ (HHS) HIPAA Security Rule updates in its January 6 Notice of Proposed Rulemaking (NPRM), we are tackling the proposed updates to the HIPAA Security Rule’s technical safeguard requirements (45 C.F.R. § 164.312). Last week’s post on group health plan and sponsor practices is available here.
Existing Requirements
Under the existing regulations, HIPAA-covered entities and business associates must generally implement the following five standard technical safeguards for electronic protected health information (ePHI):

Access Controls – Implementing technical policies and procedures for its electronic information systems that maintain ePHI to allow only authorized persons to access ePHI.
Audit Controls – Implementing hardware, software, and/or procedural mechanisms to record and examine activity in information systems that contain or use ePHI.
Integrity – Implementing policies and procedures to ensure that ePHI is not improperly altered or destroyed.
Authentication – Implementing procedures to verify that a person seeking access to ePHI is who they say they are.
Transmission Security – Implementing technical security measures to guard against unauthorized access to ePHI that is being transmitted over an electronic network.

The existing requirements either do not identify the specific control methods or technologies to implement or are otherwise “addressable” as opposed to “required” in some circumstances for regulated entities — until now.
What Are the New Technical Safeguard Requirements?
The NPRM substantially modifies and specifies the particular technical safeguards needed for compliance. In particular, the NPRM restructured and recategorized existing requirements and added stringent standard and implementation specifications, and HHS has proposed removing the distinction between “required” and “addressable” implementation specifications, making all implementation specifications required with specific, limited exceptions.
A handful of the new or updated standards are summarized below:

Access Controls – New implementation specifications to require technical controls to ensure access is limited to individuals and technology assets that need access. Two of the controls that will be required are network segmentation and account suspension/disabling capabilities for multiple log-in failures.
Encryption and Decryption – Formerly an addressable implementation specification, the NPRM would make encryption of ePHI at-rest and in-transit mandatory, with a handful of limited exceptions, such as when the individual requests to receive their ePHI in an unencrypted manner.
Configuration Management – This new standard would require a regulated entity to establish and deploy technical controls for securing relevant electronic information systems and the technology assets in its relevant electronic information systems, including workstations, in a consistent manner. A regulated entity also would be required to establish and maintain a minimum level of security for its information systems and technology assets.
Audit Trail and System Log Controls – Identified as “crucial” in the NPRM, this reorganized standard, formerly identified as the “audit control,” would require covered entities to monitor in real time all activity in their electronic information systems for indications of unauthorized access and activity. This standard would require the entity to perform and document an audit at least once every 12 months.
Authentication – This standard enhances the implementation specifications needed to ensure ePHI is properly protected from improper alteration or destruction. Of note, the NPRM would require all regulated entities to deploy multi-factor authentication (MFA) on all technology assets, subject to limited exceptions with compensating controls, such as during an emergency when MFA is infeasible. One exemption is where the regulated entity’s existing technology does not support MFA. However, the entity would need to implement a transition plan to have the ePHI transferred to another technology asset that does support MFA within a reasonable time. Medical devices authorized for marketing by the FDA before March 2023 would be exempt from MFA if the entity deployed all recommended updates and after that date if the manufacturer supports the device or the entity deployed any manufacturer-recommended updates or patches.
Other Notable Standards – In addition to the above, the NPRM would add standards for integrity, transmission security, vulnerability management, data backup and recovery, and information systems backup and recovery. These new standards would prescribe new or updated implementation specifications, such as conducting vulnerability scanning for technical vulnerabilities, including annual penetration testing and implementing a patch management program.
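To make the conditional structure of the summarized safeguards concrete, the following is an added example (not HHS's text or any regulated entity's tooling) that checks a constructed asset inventory against the MFA, encryption, and log-in failure requirements as described above. Field names, the exemption ordering, and the sample assets are assumptions for illustration; the NPRM summary gives no numeric failure threshold, so only the presence of a lockout capability is checked.

```python
"""Gap check against the technical safeguards summarised above (added example).

The rule logic is a reading of the NPRM summary on this page, not HHS's own
text: field names, asset records and exemption ordering are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Cut-off the summary gives for the FDA-authorized medical device MFA exemption.
FDA_MFA_CUTOFF = date(2023, 3, 1)


@dataclass
class Asset:
    name: str
    stores_ephi: bool = False
    transmits_ephi: bool = False
    encrypted_at_rest: bool = False
    encrypted_in_transit: bool = False
    supports_mfa: bool = True
    mfa_enabled: bool = False
    mfa_transition_plan: bool = False       # required when the asset cannot do MFA
    lockout_on_failed_logins: bool = False  # account suspension/disable capability
    fda_authorized: Optional[date] = None   # marketing authorization date, if a device
    manufacturer_supported: bool = False
    updates_deployed: bool = False          # all manufacturer-recommended patches applied


def fda_device_mfa_exempt(asset: Asset) -> bool:
    """Medical-device MFA exemption as summarised: devices authorized before
    March 2023 are exempt when all recommended updates are deployed; later
    devices when the manufacturer still supports them or updates are deployed."""
    if asset.fda_authorized is None:
        return False
    if asset.fda_authorized < FDA_MFA_CUTOFF:
        return asset.updates_deployed
    return asset.manufacturer_supported or asset.updates_deployed


def mfa_findings(asset: Asset) -> list[str]:
    if asset.mfa_enabled or fda_device_mfa_exempt(asset):
        return []
    if not asset.supports_mfa:
        # The unsupported-technology exemption only holds with a transition plan.
        if asset.mfa_transition_plan:
            return []
        return [f"{asset.name}: no MFA support and no transition plan to an MFA-capable asset"]
    return [f"{asset.name}: MFA required on all technology assets but not enabled"]


def encryption_findings(asset: Asset) -> list[str]:
    # Exception for an individual requesting unencrypted ePHI is per request, not per asset.
    findings = []
    if asset.stores_ephi and not asset.encrypted_at_rest:
        findings.append(f"{asset.name}: ePHI at rest is not encrypted")
    if asset.transmits_ephi and not asset.encrypted_in_transit:
        findings.append(f"{asset.name}: ePHI in transit is not encrypted")
    return findings


def access_control_findings(asset: Asset) -> list[str]:
    if asset.lockout_on_failed_logins:
        return []
    return [f"{asset.name}: no account suspension/disable on repeated log-in failures"]


def assess(inventory: list[Asset]) -> dict[str, list[str]]:
    """Return findings per asset; an empty list means no gap under these checks."""
    return {a.name: mfa_findings(a) + encryption_findings(a) + access_control_findings(a)
            for a in inventory}


# Constructed sample inventory, not real systems.
SAMPLE_INVENTORY = [
    Asset("ehr-db", stores_ephi=True, transmits_ephi=True, encrypted_at_rest=True,
          encrypted_in_transit=True, mfa_enabled=True, lockout_on_failed_logins=True),
    Asset("legacy-imaging-gw", stores_ephi=True, transmits_ephi=True,
          encrypted_at_rest=False, encrypted_in_transit=True, supports_mfa=False,
          mfa_transition_plan=False, lockout_on_failed_logins=True),
    Asset("infusion-pump-2021", transmits_ephi=True, encrypted_in_transit=True,
          supports_mfa=False, fda_authorized=date(2021, 6, 1), updates_deployed=True,
          lockout_on_failed_logins=True),
    Asset("monitor-2024", transmits_ephi=True, encrypted_in_transit=True,
          supports_mfa=False, fda_authorized=date(2024, 2, 1),
          manufacturer_supported=False, updates_deployed=False,
          lockout_on_failed_logins=False),
]

if __name__ == "__main__":
    for name, findings in assess(SAMPLE_INVENTORY).items():
        print(name, "->", findings or "no findings")
```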

The Double-Edged Sword of AI Disclosures: Insurance & AI Risk Mitigation

Artificial intelligence (AI) is reshaping the corporate landscape, offering transformative potential and fostering innovation across industries. But as AI becomes more deeply integrated into business operations, it introduces complex challenges, particularly around transparency and the disclosure of AI-related risks. A recent lawsuit filed in the US District Court for the Southern District of New York—Sarria v. Telus International (Cda) Inc. et al., No. 1:25-cv-00889 (S.D.N.Y. Jan 30, 2025)—highlights the dual risks associated with AI-related disclosures: the dangers posed by action and inaction alike. The Telus lawsuit underscores not only the importance of legally compliant corporate disclosures, but also the dangers that can accompany corporate transparency. Maintaining a carefully tailored insurance program can help to mitigate those dangers.
Background
On January 30, 2025, a class action was brought against Telus International (CDA) Inc., a Canadian company, along with its former and current corporate leaders. Known for its digital solutions enhancing customer experience, including AI services, cloud solutions and user interface design, Telus faces allegations of failing to disclose crucial information about its AI initiatives.
The lawsuit claims that Telus failed to inform stakeholders that its AI offerings required the cannibalization of higher-margin products, that profitability declines could result from its AI development and that the shift toward AI could exert greater pressure on company margins than had been disclosed. When these risks became reality, Telus’ stock dropped precipitously and the lawsuit followed. According to the complaint, the omissions allegedly constitute violations of Sections 10(b) and 20(a) of the Securities Exchange Act of 1934 and Rule 10b-5.
Implications for Corporate Risk Profiles
As we have explained previously, businesses face AI-related disclosure risks for affirmative misstatements. Telus highlights another important part of this conversation in the form of potential liability for the failure to make AI-related risk disclosures. Put differently, companies can face securities claims for both understating and overstating AI-related risks (the latter often being referred to as “AI washing”).
These risks are growing. Indeed, according to Cornerstone’s recent securities class action report, the pace of AI-related securities litigation has increased, with 15 filings in 2024 after only 7 such filings in 2023. Moreover, every cohort of AI-related securities filings was dismissed at a lower rate than other core federal filings.
Insurance as a Risk Management Tool
Considering the potential for AI-related disclosure lawsuits, businesses may wish to strategically consider insurance as a risk mitigation tool. Key considerations include:

Audit Business-Specific AI Risk: As we have explained before, AI risks are inherently unique to each business, heavily influenced by how AI is integrated and the jurisdictions in which a business operates. Companies may want to conduct thorough audits to identify these risks, especially as they navigate an increasingly complex regulatory landscape shaped by a patchwork of state and federal policies.
Involve Relevant Stakeholders: Effective risk assessments should involve relevant stakeholders, including various business units, third-party vendors and AI providers. This comprehensive approach ensures that all facets of a company’s AI risk profile are thoroughly evaluated and addressed.
Consider AI Training and Educational Initiatives: Given the rapidly developing nature of AI and its corresponding risks, businesses may wish to consider education and training initiatives for employees, officers and board members alike. After all, developing effective strategies for mitigating AI risks can turn in the first instance on a familiarity with AI technologies themselves and the risks they pose.
Evaluate Insurance Needs Holistically: Following business-specific AI audits, companies may wish to meticulously review their insurance programs to identify potential coverage gaps that could lead to uninsured liabilities. Directors and officers (D&O) programs can be particularly important, as they can serve as a critical line of defense against lawsuits similar to the Telus class action. As we explained in a recent blog post, there are several key features of a successful D&O insurance review that can help increase the likelihood that insurance picks up the tab for potential settlements or judgments.
Consider AI-Specific Policy Language: As insurers adapt to the evolving AI landscape, companies should be vigilant about reviewing their policies for AI exclusions and limitations. In cases where traditional insurance products fall short, businesses might consider AI-specific policies or endorsements, such as Munich Re’s aiSure, to facilitate comprehensive coverage that aligns with their specific risk profiles.

Conclusion
The integration of AI into business operations presents both a promising opportunity and a multifaceted challenge. Companies may wish to navigate these complexities with care, ensuring transparency in their AI-related disclosures while leveraging insurance and stakeholder involvement to safeguard against potential liabilities.