California Privacy Protection Agency Clarifies Application of the CCPA to Insurance Companies
The California Privacy Protection Agency board voted on November 8, 2024, to advance a proposed rulemaking package for, among other things, a proposed regulation to clarify the application of the California Consumer Privacy Act (CCPA) to insurance companies.
Quick Hits
The California Privacy Protection Agency voted in November 2024 to advance a proposed regulation to clarify the application of the California Consumer Privacy Act (CCPA) to insurance companies.
The proposed regulation defines “insurance company” and specifies that the CCPA applies to personal data not governed by the California Insurance Code.
Illustrations in the proposed regulation clarify that insurance companies must comply with the CCPA for personal data collected from website visitors and employees.
Information obtained in an insurance transaction is governed by the federal Gramm-Leach-Bliley Act. Given this, there has been uncertainty about the CCPA’s application to insurance companies, which are state regulated. In a brief proposed regulation, the agency attempted to clarify this issue to a certain degree.
As an initial matter, the proposed regulation defines the term “insurance company” as any person or company that is subject to the California Insurance Code and its regulations, including insurance institutions, agents, and insurance support organizations. The term “insurance institution” means “any corporation, association, partnership, reciprocal exchange, interinsurer, Lloyd’s insurer, fraternal benefit society, or other person engaged in the business of insurance.”
The term “agents” means a person who is licensed to transact insurance in California, and an “insurance support organization” means any person who regularly engages, in whole or in part, in the business of assembling or collecting information about natural persons for the primary purpose of providing the information to an insurance institution or agent for insurance transactions.
Having defined the scope, the proposed regulation states that the CCPA applies “to any personal information not subject to the Insurance Code and its regulations.” Although the statement lacks definite clarity, the proposed regulation provides some guidance with an additional statement that the CCPA’s requirements apply to information “that is collected for purposes not in connection with an insurance transaction, as that term is defined in Insurance Code, section 791.02.” Section 791.02(m) defines insurance transaction as “any transaction involving insurance primarily for personal, family, or household needs rather than business or professional needs that entails either of the following: (1) The determination of an individual’s eligibility for an insurance coverage, benefit, or payment. (2) The servicing of an insurance application, policy, contract, or certificate.”
The proposed regulation provides two illustrations that further clarify the application of the CCPA:
“Insurance company A collects personal information from visitors of its website who have not applied for any insurance product or other financial product or service from Company A. This information is used to tailor personalized advertisements across different business websites. Insurance company A must comply with the CCPA, including by providing consumers the right to opt-out of the sale/sharing of their personal information and honoring opt-out preference signals, because the personal information collected from the website browsing is not related to an application for or provision of an insurance transaction or other financial product or service.”
“Insurance company B collects personal information from its employees and job applicants for employment purposes. Insurance company B must comply with the CCPA with regard to employee information, including by providing a Notice at Collection to the employees and job applicants at or before the time their personal information is collected. This is because the personal information collected in this situation is not subject to the Insurance Code or its regulations.”
Insurers may also want to note that the second illustration applies only to California resident job applicants and employees. The notice to job applicants required under the CCPA should be provided if the company solicits applicants from California.
Finally, the CCPA is not the only privacy law or regulation that needs to be considered with regard to the collection and use of consumer data and information. In particular, California Penal Code sections 630 and 638.51 are currently the subject of numerous lawsuits.
The Impact of AI Regulations on Insurtech
Insurtech is steeped in artificial intelligence (AI), leveraging the technology to improve insurance marketing, sales, underwriting, claims processing, fraud detection and more. Insurtech companies are likely only scratching the surface of what is possible in these areas. In parallel, the regulation of AI is expected to create additional legal considerations at each step of the design, deployment and operation of AI systems working in these contexts.
Legal Considerations and AI Exposure
As with data privacy regulations, the answer to the question “Which AI laws apply?” is highly fact-specific and often dependent on the model’s exposure or data input. Applicable laws tend to trigger based on the types of data or location of the individuals whose data is leveraged in training the models rather than the location of the designer or deployer. As a result, unless a model’s use is strictly narrowed to a single jurisdiction, there is likely to be exposure to several overlapping regulations (in addition to data privacy concerns) impacting the design and deployment of an Insurtech AI model.
Managing Regulatory Risk in AI Design
Given this complexity, the breadth of an Insurtech AI model’s exposure can be an important threshold design consideration. Companies should adequately assess the level of risk from the perspective of limiting unnecessary regulatory oversight or creating the potential for regulatory liabilities, such as penalties or fines. For instance, an Insurtech company leveraging AI should consider if the model in question is intended to be used for domestic insurance matters only and if there is value in leveraging data related to international data subjects. Taking steps to ensure that the model has no exposure to international data subjects can limit the application of extraterritorial, international laws governing AI and minimize the potential risk of leveraging an AI solution. On the other hand, if exposure to the broadest possible data is desirable from an operations standpoint, for instance, to augment training data, companies need to be aware of the legal ramifications of such decisions before making them.
Recent State-Level AI Legislation
In 2024, several U.S. states passed AI laws governing the technology’s use, several of which can impact Insurtech developers and deployers. Notably, state-level AI bills are not uniform. These laws range from comprehensive regulatory frameworks, such as Colorado’s Artificial Intelligence Act, to narrower disclosure-based laws such as California’s AB 2013, which will require AI developers to publicly post documentation detailing their model’s training data. Several additional bills relating to AI regulation are already pending in 2025, including:
Massachusetts’ HD 3750: Would require health insurers to disclose their use of AI, including, but not limited to, in the claims review process, and to submit annual reports regarding training sets as well as an attestation regarding bias minimization.
Virginia’s HB 2094: Known as the High-Risk Artificial Intelligence Developer and Deployer Act, would require the implementation of a risk management policy and program for “high-risk artificial intelligence systems,” defined to include “any artificial intelligence system that is specifically intended to autonomously make, or be a substantial factor in making, a consequential decision” (subject to certain exceptions).
Illinois’ HB 3506: Among other things, this bill would require developers to publish risk assessment reports every 90 days and to complete annual third-party audits.
The Growing Importance of Compliance
With the federal government’s evident step back in pursuing an overarching AI regulation, businesses can expect state authorities to take the lead in AI regulation and enforcement. Given the broad and often consequential use of AI in the Insurtech context, and the expectation that this use will only increase over time given its utility, businesses in this space are advised to keep a close watch on current and pending AI laws to ensure compliance. Non-compliance can raise exposure not only to state regulators tasked with enforcing these regulations but also potentially to direct consumer lawsuits. As noted in our prior advisory, being well-positioned for compliance is also imperative for the market from a transactional perspective.
The Insurtech space is growing in parallel with the expanding patchwork of U.S. AI regulations. Prudent growth in the industry requires awareness of the associated legal dynamics, including emerging regulatory concepts across the nation.
Corporate Risk Management Basics: What Every Business Should Know
Introduction
Risk management is a critical component of any successful business strategy. It involves identifying, assessing, and mitigating potential threats that could adversely affect an organization’s operations, assets, or reputation. These risks can be financial, operational, legal, or strategic in nature. By implementing effective risk management practices, businesses can safeguard their interests and ensure long-term stability.
What Is Risk Management?
Risk management is the systematic process of identifying potential risks, evaluating their likelihood and impact, and developing strategies to address them. This proactive approach enables businesses to minimize potential losses and capitalize on opportunities. As Brenda Wells, an expert in risk management, emphasizes, risk management isn’t just about reacting to problems; it’s about planning ahead to prevent them.
Major Focus Areas in Risk Management
Risk management involves multiple dimensions, each critical to the overall success and resilience of an organization. Addressing these areas holistically can help businesses maintain operational efficiency and financial security. Effective risk management encompasses several key areas:
Operational Risks: These pertain to disruptions in day-to-day business activities, such as supply chain interruptions, equipment failures, or human errors. Managing operational risks involves implementing robust internal controls and contingency plans to maintain business continuity.
Financial Risks: These involve uncertainties related to financial markets, including interest rate fluctuations, credit risks, and liquidity challenges. Businesses must monitor their financial exposures and employ strategies like diversification and hedging to mitigate these risks.
Legal and Compliance Risks: Organizations must adhere to various laws and regulations pertinent to their industry. Non-compliance can lead to legal penalties and reputational damage. Regular compliance audits and staying updated with regulatory changes are essential practices.
Cybersecurity Risks: In today’s digital age, cyber threats such as data breaches and theft of intellectual property (IP) are prevalent. Alex Sharpe, a cybersecurity expert, warns that many businesses underestimate their exposure to cyber risks, but a single incident can cripple a company financially and erode customer trust. Implementing robust cybersecurity measures and employee training can mitigate these risks. In today’s hyper-connected world, we can no longer only look at ourselves. We also need to look at third parties we depend upon.
Reputational Risks: These arise from negative public perceptions due to poor customer service, product failures, or unethical practices. Maintaining transparency, ethical operations, and effective communication strategies are vital to protecting a company’s reputation.
Key Legal and Financial Terms in Risk Management
Understanding specific legal and financial terms is crucial for effective risk management. These terms often come up in discussions of mitigating risks and ensuring regulatory compliance:
Derivatives: Financial instruments whose value is derived from underlying assets like stocks, bonds, or commodities. They are commonly used for hedging financial risks.
Directors and Officers (D&O) Liability Insurance: This insurance provides coverage to company leaders against claims arising from alleged wrongful acts in their managerial capacity.
Third-Party Risk Management (TPRM): Involves assessing and managing risks associated with external entities that a business engages with, such as suppliers or service providers.
Compliance Program: A structured set of internal policies and procedures implemented by a company to ensure adherence to laws, regulations, and ethical standards. A robust compliance program helps in identifying regulatory risks and implementing measures to mitigate them.
The Role of Insurance in Risk Management
Insurance is a fundamental tool in transferring risk. Sue Myers, a seasoned expert in risk and insurance, emphasizes the need for strategic planning in risk management. By obtaining appropriate insurance coverage, businesses can protect themselves against significant financial losses resulting from unforeseen events. However, as David Pooser points out, “insurance transfers risk, but it doesn’t eliminate it. A solid risk management plan includes prevention and mitigation strategies.” Therefore, while insurance provides a safety net, it should be complemented with proactive risk mitigation efforts.
Selecting the Right Insurance Agent/Broker
An insurance agent or broker plays a pivotal role in a company’s risk management strategy. A knowledgeable agent can help identify potential coverage gaps and ensure that the business is adequately protected. Reid Peterson advises business owners to seek agents who possess a deep understanding of their specific industry and can offer tailored recommendations. He encourages businesses to think of their insurance agent as part of their advisory team, just like a lawyer or accountant.
Building a Comprehensive Business Advisory Team
A multidisciplinary advisory team enhances a company’s ability to manage risks effectively. Key members should include:
Attorney: Handles legal matters, ensures regulatory compliance, and manages potential litigation.
Accountant: Oversees financial health, conducts audits, and advises on tax-related issues.
Insurance Agent: Assesses risk exposures and recommends appropriate insurance solutions.
Cybersecurity Expert: Develops strategies to protect against digital threats and ensures data integrity.
This collaborative approach ensures that all potential risks are identified and managed comprehensively.
Common Risk Management Pitfalls
Businesses often encounter challenges in their risk management efforts. Common risk management pitfalls include:
Neglecting Regular Updates: As businesses evolve, so do their risk exposures. It’s crucial to regularly review and update risk management strategies and insurance coverages to align with current operations.
Overlooking Cybersecurity: With the increasing reliance on digital systems, neglecting cybersecurity can leave businesses vulnerable to costly data breaches.
Lack of Crisis Management Plans: Many companies fail to prepare for potential crises, which can lead to disorganized responses and increased financial losses.
Failure to Review Contracts: Poorly drafted contracts can expose businesses to unnecessary legal and financial risks. Having legal professionals review agreements can prevent future disputes.
Final Thoughts
Risk management is an essential part of running a successful business. By taking a proactive approach — identifying risks, developing mitigation strategies, and working with the right advisors — businesses can protect themselves from costly disruptions. As Brenda Wells emphasizes, risk management isn’t about avoiding all risks — it’s about being prepared for them.
To learn more about this topic, view Corporate Risk Management / Corporate Risk Management Basics. The quoted remarks referenced in this article were made either during this webinar or shortly thereafter during post-webinar interviews with the panelists. Readers may also be interested to read other articles about managing business risks.
©2025. DailyDAC™, LLC d/b/a Financial Poise™. This article is subject to the disclaimers found here.
Congress Extends Certain Telehealth Flexibilities Through March 31, 2025
Overview
KEY UPDATE
At the close of 2024, US Congress passed a short-term extension of Medicare telehealth flexibilities as part of the American Relief Act, 2025 (ARA). The Medicare telehealth waivers, originally enacted as part of the COVID-19 public health emergency (PHE) and subsequently extended through legislation, were set to end on December 31, 2024. These flexibilities, along with the Acute Hospital Care at Home waiver program, are now set to expire March 31, 2025. The ARA failed to extend other waivers, such as the temporary safe harbor for high-deductible health plans (HDHPs) to provide first-dollar coverage of telehealth without interfering with health savings account (HSA) eligibility. While the short-term extension provides continued access to telehealth for Medicare patients, stakeholders should continue to engage with Congress for a more permanent solution.
WHY IT MATTERS
The ARA extension is limited to certain Medicare policies and is only effective through March 31, 2025. Some bipartisan policies, such as the extension of the telehealth HDHP safe harbor, were not included in the ARA. Additionally, the flexibilities related to coverage of cardiac and pulmonary rehabilitation services provided via telehealth were not extended.
The extension indicates bipartisan support for continuing coverage for telehealth services, but the short timeline warrants continued stakeholder engagement for the extension and eventual permanence of the Medicare telehealth flexibilities and reinstatement of the HDHP safe harbor. As the new administration takes office, it is unclear where telehealth will fall on the list of priorities.
In Depth
Historically, Medicare has provided coverage for telehealth services in instances where patients would otherwise be geographically distant from approved providers (e.g., physicians, nurse practitioners, and clinical psychologists). Section 1834(m) of the Social Security Act provides that telehealth services are covered if the beneficiary is seen:
At an approved “originating site” (e.g., physician office, hospital, or skilled nursing facility) that is located within a rural health professional shortage area that is either outside of a metropolitan statistical area (MSA), in a rural census tract, or in a county outside of an MSA
By an approved provider
For a defined set of services
Using certain telecommunications technologies.
Many of these Medicare restrictions regarding coverage and payment for telehealth services were waived via authority delegated in the Coronavirus Aid, Relief, and Economic Security (CARES) Act. Congress subsequently extended the waivers in other pieces of legislation, including the Consolidated Appropriations Act (CAA) 2022 and CAA 2023, with the flexibilities most recently set to expire on December 31, 2024.
The ARA extended the following Medicare flexibilities through March 31, 2025:
Geographic restrictions and originating sites. Patients’ homes will continue to serve as eligible originating sites for all telehealth services (ARA § 3207(a)(2)). Geographic restrictions also remain waived (ARA § 3207(a)(1)).
Eligible practitioners. The expanded definition of the term “practitioner” will continue to apply. The expanded definition includes qualified occupational therapists, physical therapists, speech-language pathologists, and audiologists (ARA § 3207(b)).
Audio-only. Audio-only telehealth services remain eligible for reimbursement (ARA § 3207(e)).
Extending telehealth services for federally qualified health centers (FQHCs) and rural health clinics (RHCs). The US Department of Health and Human Services will cover telehealth services furnished via FQHCs and RHCs to eligible individuals (ARA § 3207(c)).
In-person requirements for mental health. The in-person requirement for mental health care to be reimbursed under Medicare has been delayed until April 1, 2025 (ARA § 3207(d)(1)).
Telehealth for hospice. Telehealth can continue to be used for the required face-to-face encounter prior to the recertification of a patient’s eligibility for hospice care (ARA § 3207(f)).
The ARA also extended the Acute Hospital Care at Home waiver program through March 31, 2025. In the midst of the PHE, the Centers for Medicare & Medicaid Services (CMS) used its PHE flexibilities to issue waivers to certain Medicare hospital conditions of participation (CoPs). These waivers, along with the PHE-related telehealth flexibilities, allowed Medicare-certified hospitals to furnish inpatient-level care in patients’ homes. Addressing hospital bed capacity during the pandemic was a high priority for CMS. These waivers and flexibilities, collectively referred to as the AHCAH Initiative, included:
Waiver of the CoP requiring nursing services to be provided on-premises 24 hours a day, seven days a week.
Waiver of the CoP requiring immediate on-premises availability of a registered nurse for care of any patient.
Waiver of CoPs that define structural and physical environment criteria specific to the hospital setting.
Telehealth flexibility allowing the home or temporary residence of an individual to serve as an originating telehealth site.
Telehealth flexibility allowing a hospital to use remote clinician services in combination with in-home nursing services to provide inpatient-level care in the patient’s home.
As with the Medicare telehealth flexibilities, these had been previously extended through December 31, 2024.
Notable flexibilities that expired or were absent from the ARA include the following:
The telehealth safe harbor for HDHPs. The CARES Act created a temporary safe harbor that permitted HDHPs to cover telehealth and remote care services on a first-dollar basis without jeopardizing eligibility for HSA contributions. By permitting health plans to provide HDHP participants coverage for telehealth services without requiring them to first meet the minimum required deductible, the safe harbor increased access to telehealth services. Additionally, covered individuals who received these services were still able to make or receive contributions to their HSAs because telehealth services were temporarily disregarded in determining eligibility for HSA contributions. Previously, the telehealth HDHP safe harbor ceased for three months from January 1, 2022, to March 31, 2022, before the CAA 2022 renewed it. Most recently extended by the CAA 2023, the telehealth safe harbor for HDHPs expired on December 31, 2024. Starting on January 1, 2025, health plans, insurers, and health plan vendors that previously relied on the telehealth HDHP safe harbor may need to update telehealth coverage for HDHP participants, such as updating plan design and/or cost sharing, to prevent disqualifying HDHP participants from making or receiving HSA contributions.
The SPEAK Act, which would establish a task force to improve access to health IT for non-English speakers.
The PREVENT DIABETES Act, which would broaden access to diabetes prevention services through the Medicare Diabetes Prevention Program.
The Sustainable Cardiopulmonary Rehabilitation Services in the Home Act, which would permanently codify cardiopulmonary rehabilitation Medicare telehealth flexibilities.
With the March 31, 2025, deadline in the not-too-distant future, stakeholders should continue to engage with Congress regarding an extension and permanent solution for the telehealth flexibilities, reinstatement of flexibilities that expired, and inclusion of the other bipartisan telehealth policies that were not included in the final ARA.
Lisa Mazur, Sarah G. Raaii, and Dale C. Van Demark contributed to this article.
Remote Work in Puerto Rico: A Legal Update for Global Employers
Puerto Rico has recently relaxed its requirements for remote work, implementing significant changes. The first set of changes occurred in 2022 with the enactment of Law 52-2022. In January 2024, further reforms were enacted with the signing of Law 27-2024 by then-governor Pedro Pierluisi.
Quick Hits
Puerto Rico has relaxed its remote work requirements with Law 52-2022, which exempts foreign employers without a nexus to Puerto Rico from making income tax withholdings for employees working remotely in Puerto Rico, provided certain conditions are met.
Law 27-2024, effective January 2024, clarifies that nondomiciled employees temporarily residing in Puerto Rico are exempt from Puerto Rican employment laws and contributions, with their employment governed by their domiciles’ laws.
Puerto Rico’s new remote work regulations have provided increased flexibility for foreign employers and employees, allowing remote work without the burden of local employment laws and tax obligations, reflecting a global trend toward accommodating remote work arrangements.
Law 52-2022
Law 52-2022 exempts foreign employers without a nexus to Puerto Rico from making income tax withholdings for employees working remotely in Puerto Rico, provided certain conditions are met. These conditions include:
The employer must be a foreign entity, not registered or organized under Puerto Rican laws.
The employer must have no economic nexus to Puerto Rico, meaning no business operations, tax filings, fixed place of business, or sales of goods or services in Puerto Rico through employees, independent contractors, or any affiliates.
Remote workers cannot provide services to clients with a nexus in Puerto Rico and cannot be officers, directors, or majority owners of the employer.
Employers must ensure that Social Security and payroll contributions for employees are filed either through a W-2 in the United States or in Puerto Rico.
If these conditions are met, foreign employers can hire remote workers in Puerto Rico without the obligation of withholding and remitting income taxes to the Puerto Rico Department of the Treasury (Departamento de Hacienda de Puerto Rico).
Law 27-2024
Law 27-2024 addresses which employment laws will govern the employment relationships of remote employees working from Puerto Rico for employers with no business nexus to Puerto Rico, depending on whether the employees are domiciled in Puerto Rico or elsewhere. Law 27-2024 exempts nondomiciled employees temporarily residing in Puerto Rico from Puerto Rican employment laws and contributions. These employees are not entitled to employment benefits under Puerto Rican law, including workers’ compensation, unemployment, or certain disability benefits. The employment relationship will be governed by the employment contract, or if there is no contract, by the laws of the employee’s domicile location. The employer will have no income tax withholding obligations for these employees. If there is any tax obligation, the employee will be the one to file separately.
Domicile Considerations
The concept of “domicile” is crucial in determining the applicable laws. Domicile is based on the employee’s intention to reside in a particular location. Factors such as where the employee’s family, doctors, and children’s schools are located will be considered. If an employee is domiciled in Puerto Rico, and exempt under the Fair Labor Standards Act (FLSA), certain requirements apply. The employment relationship will be covered by an agreement between the parties, and Puerto Rican employment laws will not apply unless agreed upon. However, workers’ compensation, short-term disability, unemployment insurance, and driver’s insurance for employees who drive as part of their duties in Puerto Rico will be applicable unless the employer provides similar or greater benefits through private insurance.
Implications for Employers
Foreign employers hiring domiciled employees in Puerto Rico must comply with specific requirements. For example, if short-term disability and unemployment benefits are provided through a private policy or in another state, employers do not need to register with the Puerto Rico Department of Labor or obtain workers’ compensation insurance. However, if these benefits are not provided, employers must register and make the necessary contributions (even when income tax withholdings are not required).
Note: The exclusions and rules apply only to (i) nondomiciled employees and (ii) domiciled employees who are exempt under the FLSA. For domiciled, nonexempt employees covered by the FLSA, all Puerto Rican employment laws will be applicable.
Future Trends in Remote Work
There is a noticeable trend of employers accommodating remote work arrangements. This trend is proliferating globally, allowing employees to work remotely without being subject to local employment laws and tax obligations. Puerto Rico, as a U.S. territory, is at the forefront of this trend, providing increased flexibility for employees to work remotely and for employers to hire remote workers without the burden of compliance with local employment laws and tax obligations. Similar changes are likely to be adopted in other jurisdictions, further increasing the flexibility of remote work arrangements.
Conclusion
The new rules governing remote work in Puerto Rico represent a significant shift in employment law, providing greater flexibility for both employers and employees. As companies continue to adapt to the post-COVID-19 landscape, these changes offer a promising start for more flexible remote work arrangements.
Insurance – Texas Style, Part 1: Stowers Liability and Insurance Towers
This is the first in a series of discussions about insurance issues unique to the Lone Star State.
For nearly a century, the Stowers doctrine has been a critical cornerstone of Texas insurance law protecting insureds facing the threat of a nuclear verdict. This doctrine, named after the seminal 1929 case G.A. Stowers Furniture Co. v. American Indemnity Co., is both a powerful sword for plaintiffs – allowing them to recover damages exceeding the available insurance limits – and a shield for insureds – shifting the risk of an excess judgment to the insurer. But obtaining Stowers protection can be a challenge for defendants with multiple layers of coverage.
Under the Stowers doctrine, an insurer faced with a settlement offer within policy limits must accept the offer if “an ordinarily prudent insurer would do so” (G.A. Stowers Furniture Co., 15 S.W.2d 544, 547 (Tex. Comm’n App. 1929)). If the insurer rejects that offer, the insurer is liable to its insured for the resulting judgment – even if that judgment exceeds the insurance policy limits. Stowers liability is based on the premise that it is usually the insurer, not the insured, who has the power of the purse and therefore control over both settlement and defense of the case, as provided in a standard form commercial general liability policy.
In the common circumstance of a single insurer with a single policy, the risk of Stowers liability is clear. The insurer controls settlement discussions and bears the corresponding Stowers risk. For example, standard form ISO commercial auto policies (CA 00 01 11 20), CGL policies (CG 00 01 04 13), and cyber liability policies (CY 00 02 11 21) all cede control of both defense and settlement to the insurer. Any proper Stowers demands made within the policy limits of these policies raise the specter of excess exposure for the insurer. But what if there are multiple insurers, such as an umbrella or excess insurer? Under standard form ISO commercial umbrella (CU 00 01 04 13) and excess policies (CX 00 01 04 13), the insurer can only take control of defense and settlement once the underlying limits have been exhausted. The interplay between the duties of the primary and umbrella/excess insurers can put insureds at risk.
Let’s use a basic $3 million, three-layer insurance program as an example. Insurer A provides coverage for the insured’s first $1 million in liability, Insurer B covers the second $1 million under an umbrella policy, and Insurer C covers the final $1 million under an excess policy – for a total of $3 million in liability coverage. A wrongful death claimant sues the insured, alleging liability within the limits of all three policies, and makes a settlement demand against the insurers for $3 million. Are the three insurers in this hypothetical subject to Stowers liability?
The insurers may contend that Stowers does not apply if they do not agree on settlement strategy. The Stowers doctrine rests on the premise that an insurer confronted with a properly made Stowers demand controls the decision to settle, and accordingly should be held to account for an unreasonable refusal to do so. In the hypothetical above, the insurers may disagree on strategy and, as a result, contend that none of them controls the settlement. Insurers A and B may wish to accept the settlement offer, but both are powerless to accept the full $3 million demand unless Insurer C also agrees. Furthermore, Insurer C may argue that its policy is not implicated until Insurer A’s and Insurer B’s policy limits are exhausted by payment of judgment or settlement. Insurers will cite case law suggesting that Stowers liability does not attach in this scenario. See, e.g., AFTCO Enterprises, Inc. v. Acceptance Indem. Ins. Co., 321 S.W.3d 65 (Tex. App. 2010). But relieving all three insurers of their Stowers obligations would effectively eliminate the critical protection Stowers provides — leaving the insured exposed to a potentially nuclear verdict arising from the insurers’ collective refusal to settle. This outcome would be particularly perverse given that only relatively high-value claims implicate multiple layers of insurance.
Insureds can turn to a federal district court case, Pride Transp. v. Cont. Cas. Co., 804 F.Supp.2d 520 (N.D. Tex. 2011), as a solution. Pride provides a guidepost for how umbrella and excess insurers can still be held to their Stowers obligation if the lower insurers tender their policy limits to the excess insurers. Interestingly, Pride is the reverse of the prototypical Stowers case, as it involved the insurer arguing that its Stowers duties were triggered and the insured arguing that no Stowers duty existed. Pride involved an auto accident where the owner of the at-fault vehicle, Pride Transportation, was insured by a $1 million primary policy and a $4 million excess policy. The underlying plaintiff made a Stowers demand against Pride’s driver for $5 million – the combined limits of the primary and excess policies. Pride demanded that its primary insurer (Continental) tender its limits to its excess insurer (Lexington) – which Continental did. Lexington then settled the claims against Pride’s driver for the full $5 million limits of both insurance policies. After settling the claims against the driver, Lexington withdrew its defense of Pride, and Pride’s exposure was left uninsured. Pride sued Continental and Lexington for breach of contract, arguing in part that the insurers had no duty to accept the $5 million demand against Pride’s driver because the demand did not impose Stowers liability. Relying on AFTCO, Pride argued that there could be no Stowers liability where the demand exceeded each individual policy’s limits. The court rejected this argument, reasoning that, because Continental had tendered its limits to Lexington, Lexington could unilaterally accept the $5 million demand, triggering Lexington’s Stowers duty (804 F. Supp. 2d at 529-530).
So, what are the practical implications for a Texas insured covered by a multi-layer insurance tower? Once a claim has been made, an insured faced with a Stowers demand that implicates multiple layers of its insurance tower should demand that the lower-tier insurers tender their limits to the highest insurer. The highest insurer, now in complete control of the settlement – and therefore now subject to Stowers liability – may find itself open to a settlement it previously rejected.
While the excess insurer may not be contractually bound to accept the tender of the lower-level policy limits, Stowers liability may attach even if the excess rejects the tender. As the Texas Supreme Court has noted, Stowers liability can arise from “the insurer’s control over settlement” – not just from the insurer’s formal duty to defend (Rocor Intern., Inc. v. National Union Fire Ins. Co. of Pittsburgh, PA, 77 S.W.3d 253, 263 (Tex. 2002)). Once the primary insurer tenders its limits to the excess insurer and cedes control of settlement negotiations to the excess insurer, the excess insurer would have the sole and unilateral ability to settle the case within its policy limits – which is the hallmark of Stowers liability – regardless of whether the excess insurer exercises that control. Furthermore, an excess insurer who refuses to exercise the settlement authority provided by the lower-level insurers could also be pursued by those same lower-level insurers (in addition to the insured) should an excess verdict result.
In sum, Texas policyholders faced with a Stowers demand should demand that their insurers tender the limits to the highest excess insurer in play and then demand that the excess insurer settle the case or face Stowers liability. Doing so will increase the possibility that the insurer – not the insured – bears the risk of an excess verdict.
Micro-captive Insurance Reportable Transactions and the Reporting Requirements
Certain micro-captive transactions are back to being reportable. On January 14, 2025, the Treasury Department and the Internal Revenue Service (“IRS”) published final regulations (the “Regulations”) that named some micro-captive insurance transactions as listed transactions and others as transactions of interest. See Internal Revenue Service, Treasury, “Micro-Captive Listed Transactions and Micro-Captive Transactions of Interest,” 90 Fed. Reg. 3534 (Jan. 14, 2025). These formal rules replace the reporting regime that developed first under IRS Notice 2016-66, which was voided for failure to comply with the Administrative Procedure Act.
A “Captive” elects 831(b) treatment and is at least 20% owned by an Insured-related party
The Regulations apply only to certain companies defined as “Captives.” A “Captive” is an entity that elects to be taxed under Section 831(b) of the Internal Revenue Code, issues or reinsures a contract that any party treats as insurance when filing federal taxes, and is at least 20 percent owned by an “Insured”, an “Owner” of an Insured, or a person related to an Insured or an Owner. The Regulations further define an “Insured” as any person who enters a contract with a Captive and treats amounts paid under the contract as insurance premiums for federal income tax purposes. An “Owner” is someone with a direct or indirect ownership interest in an Insured or its assets.
Reportability depends on loss ratio and related-party financing
The Regulations define the micro-captive listed transaction and the micro-captive transaction of interest based on two core ideas: loss ratio and related-party financing. The regulations calculate the loss ratio as:
The loss ratio is measured over a period of years, not just a single taxable year. For a transaction of interest, the loss ratio is measured over ten years or the life of the Captive, whichever is shorter. If the loss ratio is less than 60 percent over those years, then the Captive is a transaction of interest. For a listed transaction, the time period is the most recent ten years. So, a Captive must be at least ten years old to become a listed transaction. If the loss ratio over the most recent ten years is less than 30 percent, then the Captive may be a listed transaction.
The Regulations’ other focus is related-party financing. Related-party financing occurs when the Captive makes funds available to an Insured, an Owner, or some other related party through a non-taxable arrangement (e.g., a loan) and the amount made available is greater than the Captive’s cumulative after-tax earnings on investments. A Captive that has engaged in a related party financing in the last five years with an outstanding balance in effect at any point during an open tax year is a transaction of interest. If that Captive also has a loss ratio less than 30 percent over the most recent ten years, then the Captive is a listed transaction.
This interaction can be summarized in a convenient tabular format:
A transaction of interest is one where the IRS requires additional information to consider whether tax avoidance is present. A listed transaction is one where the IRS believes tax avoidance is present. Listed transactions are treated more consequentially than transactions of interest. Therefore, a Captive that meets both categories must file as a listed transaction.
“Seller’s Captives” and some employee-benefits captives are excluded
The Regulations offer two exceptions, both of which are excluded from the definition of a transaction of interest or listed transaction. First, Captives for which the U.S. Department of Labor has issued a Prohibited Transaction exception and that provide insurance for employee compensation or benefits are excluded.
Second, “Seller’s Captives” are also excluded. A “Seller” is an entity that sells products or services to customers and also sells those customers insurance contracts connected to the goods or services. A “Seller’s Captive” is a Captive related to a Seller, a Seller’s owner, or parties related to a Seller or owners of Sellers. To qualify for the exception, the Seller’s Captive’s only business must be to issue or reinsure insurance contracts in connection with the sales made by the Seller or its related persons, and at least 95 percent of the Seller’s Captive’s business in a year must be in connection to contracts purchased by customers unrelated to the Seller. If those conditions are met, then the Seller’s Captive has not engaged in a listed transaction or a transaction of interest.
Reporting requirements for participants in the transaction
The Regulations place reporting requirements on parties involved in any transaction covered by the Regulations (a “reportable transaction”). These reporting requirements apply to participants in the transaction and to “material advisors” to the transaction, both for the current year and for all years where the statute of limitations for assessing tax has not yet expired. The Regulations do not by themselves require the filing of amended tax returns.
Captives, Owners, Insureds, and any other parties to a reportable transaction must file Form 8886, Reportable Transaction Disclosure Statement, with the IRS Office of Tax Shelter Analysis (“OTSA”). The filing must describe the transaction in sufficient detail, including the party’s involvement in the transaction and how the party learned about the transaction.
Captives and Insureds have additional reporting burdens. For every year that a Captive participated in a reportable transaction, it must also disclose the types of policies it provided, how much it received in premiums, how much it paid in claims, the contact information of those who helped determine premiums, and the names and ownership interest of anyone who meets a 20% ownership threshold in the Captive. An Insured must describe how much it paid in premiums for coverage by a Captive.
Participants have 90 days from the date the regulations were published, January 14, 2025, to file their initial reports. The initial filing should include all applicable open tax years and must be sent to OTSA. A copy of the initial filing, and all subsequent filings, should be included with the applicable tax return.
There are two ways that a taxpayer can avoid filing under the Regulations. If a taxpayer has finalized a settlement with the IRS regarding a reportable transaction that was in examination or litigation, that taxpayer is treated as having made a disclosure for the years covered by the settlement. A taxpayer engaged in a transaction of interest who has been diligent in filing under the now-defunct Notice 2016-66 regime has a reduced filing burden. The taxpayer’s previous transaction of interest filings count under the Regulations, so the taxpayer does not have to refile for those past years.
There are also two “safe harbor” provisions which allow a taxpayer to not file a Form 8886. The first relates specifically to Owners who only participate in reportable transactions due to their ownership interests. In that case, the Owner does not have to file if the Insured complies with its own filing obligation, acknowledges the obligation in writing to the Owner, and identifies the Owner on its own Form 8886 as the recipient of the acknowledgement. The other safe harbor arises when a Captive revokes its Section 831(b) election. If a Captive revokes its election, then the transaction ceases to be a reportable transaction for any years that the revocation is effective and none of the participating taxpayers will have been party to a reportable transaction. To facilitate revocations, the IRS also released Revenue Procedure 2025-13 (Rev. Proc. 2025-13), which provides a streamlined procedure to revoke a taxpayer’s Section 831(b) election.
Reporting requirements for material advisors to the transaction
Material advisors to reportable transactions must also file with the IRS. A “material advisor” is a person who makes a tax statement to a party that needs or will need to disclose the transaction and who derives gross income from it that surpasses a threshold. The advisor’s gross income can be based on almost anything the advisor does related to the transaction. The threshold for income on a listed transaction is $10,000 when most of the transaction’s benefits go to natural persons and $25,000 in other cases. For a transaction of interest, the threshold is higher, at $50,000 when the transaction mostly benefits natural persons and $250,000 otherwise.
Material advisors must file Form 8918, Material Advisor Disclosure Statement, with OTSA. Form 8918 must be filed with OTSA by the last day of the month following the end of the calendar quarter when one becomes a material advisor. In this case, that means by April 30, 2025.
Under these Regulations, material advisors are required to report for tax statements up to six years before the date of publication, or January 14, 2019. Additionally, there is no exception in the Regulations for material advisors who filed previously.
Differences between the proposed and final regulations
While the IRS continues to look unfavorably upon micro-captives, there are some positive signs in the Regulations. In particular, the IRS received comments from the regulated community, considered those comments, and adjusted its final position based on those comments.
The result is that the final regulations are less burdensome than the proposed regulations. The proposed regulations would have treated any related-party financing as a listed transaction. They also would have treated any Captive with a loss ratio of less than 65 percent over 10 years as a listed transaction. Finally, they would have treated a Captive with a loss ratio of less than 65 percent over the preceding nine years or the Captive’s lifetime, whichever was shorter, as engaging in a transaction of interest. The final regulations dramatically reduced the loss ratio needed to escape being considered a listed transaction, required a listed transaction to meet both the funding and loss ratio criteria, and slightly lowered the threshold to escape transaction of interest status.
Seek guidance for comprehensive compliance
The Regulations were issued with a lengthy background discussion and include many definitions and references to other laws. This article highlights the key provisions of the Regulations. Taxpayers that may be subject to the Regulations should consult professional advisors for detailed review and guidance on potential reporting requirements.
Los Angeles Wildfire Resources: What to do About Your Mortgage
Among the immediate economic impacts faced by those whose homes were destroyed or damaged by the fires in Los Angeles County will be the need to address their home mortgages. There are many issues that homeowners will need to consider, including whether to continue paying the mortgage; what to expect from your lender; how to coordinate with lenders and insurers in anticipation of payments for immediate support and in the longer term, funds for reconstruction; and what support to expect from various government agencies who provide oversight and economic support under these circumstances. As with the other matters that homeowners are facing, it is best to approach each issue with a basic understanding of the resources available and your rights and remedies. While it is not possible to provide a comprehensive listing of every issue to consider, this alert covers what we consider to be some of the fundamental issues and recommendations for proceeding.
1. Lender Communications and Initial Relief.
Reach out to your lender as soon as practicable to discuss the condition of your property and the status of your loan. Prompt and open communications with your lender will likely be met with offers of immediate relief in the form of a loan forbearance. As has been reported in the news, the major banks have already stated that they will be offering such forbearances to all affected borrowers. Note, while some lenders may approach you with offers of a loan modification, you should consider whether you have sufficient information to enter into any agreement beyond a forbearance agreement at this time. Before you can proceed with a loan modification, you will need to have a complete financial plan in place which takes into account the value of the property, the cost to rebuild or repair, sufficiency of insurance coverage, and availability of funding from the numerous government programs and those which may become available in the coming months.
2. Review Your Loan Agreements and Applicable Insurance Policies.
Before you can fully consider your longer-term approach to your mortgage, you will need to study both the loan documents and your insurance policies because the lender will be named as an additional insured on your policy and will have rights to proceeds otherwise payable to you. Again, while lenders have stated their intent to cooperate, you will want to be sure that you, your lender, and your insurance company are on the same page regarding the use of funds provided for immediate needs (i.e., housing and expenses) as well as funds made available for design and repair or reconstruction of your home.
3. Insurance, Loan Repayment, and Reconstruction or Repair.
Many borrowers will be looking at the limits on their policies and be concerned that there will be insufficient insurance proceeds to reconstruct (or even repair) their homes. First, it is important to note that borrowers should not assume that they have inadequate coverage based on current information that has been published about building costs and timing of such construction. The adequacy of your limits needs to be addressed on a case-specific basis to determine how much it will cost to rebuild your home and whether your limits, including extended replacement cost coverage, if applicable, are adequate. Note, even if you find that you are underinsured, you will have options beyond the policy to address such shortfalls in the form of government loans and grants (see sources provided by FEMA and the California Department of Financial Protection and Innovation). At the same time, you will need to coordinate with your lender to be sure that both the lender and you are in agreement regarding the use of the insurance proceeds. The lender must allow you to use the insurance proceeds to reconstruct your home, as long as you can demonstrate that the value of the completed home will be sufficient to satisfy the debt. In other words, the lender’s interest in the collateral will not be impaired upon completion of the construction project.
Beware Broader Insurance Coverage Exclusions for Biometric Information Privacy Law Claims
It has been nearly two decades since Illinois introduced the first biometric information privacy law in the country in 2008, the Illinois Biometric Information Privacy Act (“BIPA”). Since then, litigation relating to biometric information privacy laws has mushroomed, and the insurance industry has responded with increasingly broad exclusions for claims stemming from the litigation. A recent Illinois Appellate Court decision in Ohio Security Ins. Co. and the Ohio Cas. Ins. Co. v. Wexford Home Corp., 2024 IL App (1st) 232311-U, demonstrates this ongoing evolution.
The plaintiff in a putative class action lawsuit sued Wexford Home Corporation (“Wexford”), alleging that Wexford violated BIPA by collecting, recording, storing, sharing and discussing its employees’ biometric information without complying with BIPA’s statutory disclosure limitations. Wexford tendered the putative class action lawsuit to its insurers, Ohio Security Insurance Company and Ohio Casualty Insurance Company, both of which denied coverage and filed a declaratory judgment action seeking a ruling that the insurers had no duty to defend or indemnify Wexford.
The insurers argued that there was no duty to defend or indemnify based on three exclusions: (1) the “Recording And Distribution Of Material Or Information In Violation Of Law” exclusion (“Recording and Distribution Exclusion”), (2) the “Exclusion-Access Or Disclosure Of Confidential And Data-Related Liability-With Limited Bodily Injury Exception,” and (3) the “Employment-Related Practices Exclusion.”
The parties cross-moved for judgment on the pleadings, and the trial court granted judgment for Wexford, finding that the insurers owed a defense. The trial court reasoned that publication of material that violates a person’s right to privacy met the policies’ definition of personal and advertising injury, and therefore no exclusions applied to bar coverage. The insurers appealed. Although the insurers did not challenge the trial court’s ruling that the alleged BIPA claims qualified as personal or advertising injury sufficient to trigger coverage, they maintained that the trial court erred by not applying the three exclusions.
On appeal, the court focused on the Recording and Distribution Exclusion, which purports to bar coverage where the personal or advertising injury arises from the violation of any of three enumerated statutes (TCPA, CAN-SPAM Act, and FCRA) or any other statute that falls within a broad “catch all” provision that expands the exclusion to include violations of “[a]ny federal, state or local statute, ordinance or regulations other than the [three enumerated statutes] that addresses, prohibits, or limits the printing, dissemination, disposal, collecting, recording, sending, transmitting, communicating or distribution of material or information.”
The court relied on its earlier decision, National Fire Ins. Co. of Hartford and Cont’l Ins. Co. v. Visual Park Co., Inc., 2023 IL App (1st) 221160, in which it found an identical Recording and Distribution Exclusion to bar coverage for BIPA claims. That decision, however, represented a departure from earlier decisions that found similar catchall provisions did not encompass BIPA claims. For example, in W. Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc., 2021 IL 125978, 183 N.E.3d 47 (May 20, 2021), the same appellate court that decided Visual Park explained that the interpretive canon of ejusdem generis (which requires that general words following an enumeration of specific persons or things are deemed to apply only to persons or things of the same general kind or class of the specifically enumerated persons or things) required a finding that a similar catchall exclusion would be afforded limited reach and not extend to BIPA claims. In the Visual Park case, on the other hand, the appellate court concluded that a catchall provision like the one in Wexford was materially different and broader than prior versions of the exclusion. According to the Visual Park court, the exclusion’s reference to “disposal,” “collecting,” or “recording” of material or information sufficiently encompassed BIPA violations, whereas prior versions apparently did not. The appellate court again applied the interpretive canon of ejusdem generis to reach conclusions about the exclusion’s intended reach. The court reasoned that because the specifically enumerated statutes in the Recording and Distribution Exclusion protected personal information and privacy, the general catchall must have been intended to do so as well.
As Wexford, Visual Park, and the pre-Visual Park decisions illustrate, insurers are broadening the scope of exclusions that potentially apply to BIPA-related claims. Policyholders should carefully review their policies annually to identify changes in wording that might have a material impact on the scope of coverage. Experienced brokers and coverage counsel can help to ensure that material changes are identified early and, where appropriate, modified or deleted by endorsement.
President Trump Signs Executive Order Establishing the Make America Healthy Again Commission
On February 13, 2025, President Donald J. Trump signed an Executive Order establishing the President’s Make America Healthy Again Commission. This initiative, chaired by the newly-confirmed U.S. Health and Human Services Secretary Robert F. Kennedy Jr., aims to tackle the root causes of chronic diseases that affect millions of Americans.
According to the order, six in ten Americans have at least one chronic disease, and four in ten have two or more. The commission aims to review the American diet, “absorption of toxic material,” and “food production techniques,” as part of its objectives.
The Commission has outlined four main policy directives to achieve its goals: (1) requiring federally funded research to be transparent; (2) prioritizing research into the root causes of illness; (3) working with farmers to ensure our food supply is healthy and abundant; and (4) increasing the flexibility of health insurance coverage to provide better support for disease prevention.
The Make America Healthy Again Commission will include the Secretary of Health and Human Services as Chair, the Assistant to the President for Domestic Policy as Executive Director, and top officials across several federal agencies related to health, the environment, food and drugs, and others.
The EO requires that, within 100 days of the order, the commission provide a preliminary assessment identifying the causes of childhood chronic disease in America.
Navigating D&O Coverage for Cyber Fraud: Lessons from Alaska
An Alaska federal court recently dismissed a construction company’s lawsuit accusing a D&O insurer of bad faith refusal to provide coverage for an email spoofing scheme that resulted in nearly $2 million in fraudulent wire transfers. Alaska Frontier Constructors, Inc. v. Travelers Cas. and Sur. Co. of Am., No. 3:24-cv-00259 (D. Alaska, Nov. 11, 2024). While the case was voluntarily dismissed before the D&O insurer responded to the complaint, the policyholder’s allegations tell a familiar story and highlight several areas of dispute that companies face when navigating the fallout from cyber incidents.
Background
Alaska Frontier Constructors, Inc. (AFC) experienced a 2023 cyber incident in which an imposter, communicating by email, tricked AFC into wiring $1.9 million into a fraudulent bank account. AFC’s CFO received an email that appeared to have been sent by the CFO of another company, Kuukpik, with which AFC worked closely. The spoofed email asked when a payment would be made for money owed to Kuukpik by Nanuq, a wholly owned subsidiary of Kuukpik that AFC worked with closely on many projects.
This email was actually sent by a black hat hacker pretending to be Kuukpik’s CFO. Kuukpik and AFC provided cash payments to one another on a regular basis through an intercompany account shared by the two.
The spoofed email came from an address similar to that of Kuukpik’s CFO, and the hacker later sent instructions via email to AFC’s CFO to send a wire to a bank in New Jersey. AFC’s controller initiated the automated clearing house transfer to the New Jersey bank account as instructed by the hacker, which caused Nanuq’s bank to transfer $1,915,448.32 into the fraudulent account. By the time AFC and Kuukpik realized the payment had been wired but not received by Kuukpik, the hacker and the money were gone.
Nanuq demanded that AFC compensate it for the money it lost and sent draft complaints with causes of action for negligence and negligent supervision and training. AFC sought coverage under its D&O policy for the fraudulent wire transfer that resulted from the spoofed email. AFC’s D&O insurer denied AFC’s claim under a “Data and Privacy Exclusion” endorsement that barred coverage for all claims based upon or arising out of a list of cyber-related events that included “any unauthorized access to a computer system.”
The Coverage Lawsuit
AFC filed suit in Alaska, where AFC is incorporated and has its principal place of business. Its complaint alleged that the insurer breached the policy in refusing to defend and failing to indemnify AFC’s losses and acted in bad faith in adjusting and denying coverage for the $1.9 million in losses flowing from the fraudulent email scheme.
AFC asserted that, in denying coverage under the data and privacy exclusion, the insurer ignored the Alaska Change Endorsement, which states that claims cannot be denied if an excluded cause of loss is secondary to a dominant covered cause of loss in an unbroken chain of events leading to the loss. The dominant cause of loss, AFC alleged, was AFC’s failure to use reasonable care when initiating the wire transfers and not the imposter CFO’s communication of wiring instructions. As a result, the Alaska Change Endorsement prevented the data and privacy exclusion from eliminating coverage.
AFC also contended that the insurer failed to account for the Data and Privacy Exclusion endorsement’s carveback for claims under Insuring Agreement A for non-indemnified losses of insured persons. The company asserted that this carveback applied to the company’s CFO and Controller. Having been “abandoned” by its insurer, AFC ultimately settled the case for nearly $1.7 million and then sought to recover those losses from the D&O insurer.
Before the insurer filed its answer, AFC voluntarily dismissed the lawsuit with prejudice.
Takeaways
The early dismissal likely was the result of an out-of-court confidential settlement or other negotiated resolution. Notwithstanding AFC’s voluntary dismissal, the dispute highlights several recurring coverage issues that can help or hinder the chances of recovery if a claim occurs.
Address cyber exclusions. Many D&O insurers routinely add “cyber” exclusions to D&O policies, usually through endorsement and usually covering a laundry list of underlying cyber events. The intent is to shift “cyber” risks to cyber insurance policies. But as with most insurance issues, the devil is in the details, and many times cyber exclusions are written so broadly that they can encompass D&O exposures with only attenuated connections to the enumerated cyber incidents.
The cyber exclusion endorsement in AFC’s policy was broad—it applied to “any claim based upon or arising out of,” among other things, loss or theft of, disclosure of, or unauthorized access to or use of personal private or confidential information, any unauthorized access to computer systems, any authorized access to cause intentional harm to a computer system, or any violation of law regarding the protection, use, collection, disclosure of, access to, or storage of personal private or confidential information. Policyholders should carefully assess whether their D&O policy has such an exclusion. If it cannot be eliminated entirely, consider limiting its scope by, for example, narrowing the broad causation language.
Policy coordination can avoid coverage gaps. While careful analysis and customization of D&O policy language can help prevent unexpected denials for cyber-related losses, focusing on a single line of coverage for significant loss events, especially cybersecurity incidents, may not be sufficient. D&O policies should be reviewed alongside other complementary coverages—like cyber policies—to ensure coverage grants and exclusions are working as intended and do not result in any unintended gaps.
The global cost of a data breach in the US now has reached $4.88 million on average in 2024, a double-digit percentage increase year to year and the highest total ever. Given those staggering costs, negotiating robust liability coverages with an eye towards cyber incidents is even more important because cyber policies may be quickly eroded and not available to respond to follow-on litigation, investigations, and other claims arising out of a cyber incident.
Understand governing law and its impact on coverage. The AFC dispute also showed how insurance outcomes can differ depending on governing law. Because AFC was an Alaskan company, its policy had an Alaska Change Endorsement that could intervene and preserve coverage based on dominant and secondary causes of loss. But that analysis could differ materially if a policy is governed by another state’s law or has a different state amendatory endorsement applying another rule. Policies may also have choice-of-law, choice-of-venue, and similar provisions that further impact what law governs the insurance claim and what coverage is available under a particular policy.
Evaluating these and other insurance issues in D&O and other liability policies proactively as part of regular insurance reviews can help place and renew stronger policies, maximize recovery, and prevent unexpected denials should a claim arise.
UK Appeal Court Provides Authoritative Guidance on Construction All Risks Insurance Policies
In the UK Court of Appeal decision in Sky UK Limited and Mace Limited v Riverstone, authoritative guidance has been provided on the key principles that apply to Construction All Risks (CAR) insurance policies.
The decision is of great importance to all those involved with the insurance of construction projects because it provides clarification on: (i) the meaning of “damage” under these policies, (ii) recovery of foreseeable damage occurring outside of the policy period, (iii) the recoverability of investigation costs, and (iv) the mechanics of aggregation and deductibles.
Background
From 2014 to 2016, Sky’s global headquarters (Sky Central) was constructed by Mace Limited (Mace) as the main contractor under a Design and Build Contract. For the purpose of the construction, Mace alongside Sky UK Limited (Sky) were insureds under a Construction All Risks (CAR) insurance policy, which ran from 1 February 2014 (commencement of the project) to 15 July 2017 (one year post-completion).
Sky Central’s roof covers an area of about 16,000 square meters and is said to be the largest timber flat roof in Europe. The roof is made up of 472 individual wooden cassettes, which were installed between December 2014 and May 2015. Following installation, the cassettes were left waiting for permanent waterproofing and it later became apparent that rainwater had entered the cassettes from an early stage. By March 2015, standing water was found inside the gutter compartments of 27 cassettes; it had entered these cassettes and remained there, leading to a wetting of internal timbers. The ingress of water mostly occurred during the construction and therefore within the policy period. The appeal concerned crucial issues under the CAR policy arising from this extensive water damage.
Court of Appeal decision
The Meaning of “Damage” Within the Insuring Clause
The insuring clause in the CAR policy provided that insurers would “indemnify the Insured against physical loss or damage to Property Insured, occurring during the Period of Insurance, from any cause whatsoever…”1 The parties disagreed on whether the wetting of the internal timbers was itself “damage”. The insurers argued that, to constitute “damage”, the timbers needed to have reached a condition where they required immediate replacement or repair. They argued that wetting that could be cured by drying out was not “damage”.
The Court disagreed and determined that, in line with criminal law authorities, “damage” amounted to “any change to the physical nature of tangible property which impair[s] its value or usefulness to its owner or operator.”2 There was no reason to take a different approach—this was the natural and ordinary meaning of “damage”.
It followed that the insurers’ position—that “damage” required the cassettes to have reached a stage which impaired their structural performance and integrity—was rejected. The entry of moisture into the cassettes was a tangible physical change to the cassettes as long as the presence of water, if left unattended, would affect the structural stability, strength, functionality, or useable life of the cassettes (or would do so if left unremedied).
Recovery of Foreseeable Development and Deterioration Damage Occurring Outside the Policy Period
The Court noted that, by a well-established line of authority, a property insurance claim is a claim for unliquidated damages, which means the measure of recovery is based on the common law principles governing damages for breach of contract. The general objective of damages for breach of contract is to put the innocent party back in the position they would have been in had the breach not occurred. While it is open to the parties to the insurance contract to modify the measure of damages that the general law provides for, the exclusion of the usual remedies must be expressed in clear words. As a result, the cost of remedying the foreseeable deterioration and development damage—which occurred after the policy period but resulted from insured damage occurring during the policy period—was within the measure of recovery under the policy.
The Court also noted that this conclusion accords with business common sense. A businessperson in the shoes of the insured would “reasonably expect to be compensated for the consequences of the insured damage deteriorating or developing, absent a contract term excluding such recovery.”3 If this was not the case, there would be “serious and unacceptable adverse consequences” because it would make deterioration and development damage occurring after the policy period uninsurable under any subsequent insurance cover.4
Investigation Costs
Concerning the recoverability of investigation costs, the Court determined that, as a matter of principle, where insured damage has occurred for which damages are recoverable under the policy of insurance, the costs of investigating the extent and nature of the damage (including any development and deterioration damage) are recoverable if they are “reasonably incurred in order to determine how to remediate it”.5 Thus, the reasonable costs of investigation of what is reasonably necessary to remedy insured damage were “self-evidently” part of the “full cost of repairing or reinstating” insured damage.6
Aggregation / Deductibles
Lastly, the Court considered whether a deductible of £150,000 “any one event” (the Retained Liability Provision) applied once to the whole of the claim or applied separately in respect of damage to each individual cassette. At first instance, the judge had decided that one deductible of £150,000 applied to Sky’s claim because the proximate cause of the water ingress was the deficient design of the works that failed to provide for a temporary roof over the cassettes during construction. The decision not to provide this roof was therefore the “any one event” for the application of the deductible.
The insurers appealed on the basis that the judge had erred in his construction and application of the Retained Liability Provision by: (a) treating the relevant single “event” as the design decision not to use a temporary roof; and (b) failing to identify each individual cassette as the “part” or “parts” of the property insured to which the Retained Liability Provision applied. The insurers argued that the term “event” applies to the damage suffered, not the cause of the damage—meaning there were numerous “events” for the purposes of this deductible.
The Court dismissed the insurers’ appeal, noting that “any one event” is an expression used in aggregation clauses both for the purposes of deductibles and policy limits and, in this context, has a well-established meaning, which both parties were taken to have been aware of. “Event” refers to the cause of the damage, not the damage itself, and a decision (in this case not to provide a temporary roof) could amount to an “event” for these purposes. “Any one event” is a classic term for aggregation of losses by reference to the cause of the losses.
Conclusion
The key points for policyholders are:
Damage can involve any change to the physical nature of tangible property that impairs its value or usefulness. Property can be damaged even if such damage is capable of remedy.
Recovery is not necessarily confined to damage physically present at the time the policy expires. Unless the policy provides otherwise, the costs of remedying the foreseeable deterioration and development damage are recoverable under the contractual principles that govern common law damages, even if such damage extends beyond the policy period.
Once it is established that there is insured damage, reasonable investigation costs incurred in investigating the cause and extent of the damage should be recoverable.
Lastly, reference to “any one event” in the context of an aggregation clause determining the number of policy deductibles meant the event causing the damage—not the damage itself.
Footnotes
1 [2024] EWCA Civ 1567, [2].
2 [2024] EWCA Civ 1567, [107].
3 [2024] EWCA Civ 1567, [80].
4 [2024] EWCA Civ 1567, [81].
5 [2024] EWCA Civ 1567, [89].
6 [2024] EWCA Civ 1567, [90].