In Insuring Liability for Third-Party Claims
Seeking Lost Profits, we discussed the very important subject of insuring
third-party claims seeking lost profits—an issue with respect to which these
new policy forms vary, sometimes dramatically, from one insurer’s form to the
next. In this article, we discuss the equally important issue of how technology
errors and omissions (E&O), media liability, and eBusiness policies differ with
respect to "fraud/dishonesty" exclusions—exclusions for fraud, dishonesty, criminal
act, knowing violation of the law, etc.
Please note that we do not in this article discuss other types of "personal
conduct" exclusions used in some of these forms, such as the exclusion for personal
profit or advantage to which the insured is not legally entitled. And please
remember that the issues discussed in this series of articles touch on only
a few of the 40+ issues that should be considered whenever buying, or broking,
these newer policies. Many of those additional issues will be discussed at the Tech-eRisk 2006 Seminar series in March and
April 2006, just as they were during Tech-eRisk 2005 and Tech-eRisk 2004.
Reviewing the Fraud/Dishonesty Exclusion(s)
When reviewing (or negotiating) the wording in the fraud/dishonesty exclusion(s)
in these newer tech/media/eBusiness policies, at least three different issues
need to be addressed:
-
The description of excluded conduct;
-
How acts of one insured are imputed to acts of another insured (i.e.,
is there "severability" as between the insureds with respect to operation
of the exclusion?); and
-
How the exclusion applies (i.e., does the exclusion apply only if there
is a non-appealable judgment or other final adjudication that the excluded
conduct occurred, or by other means as well?).
We say fraud/dishonesty "exclusion(s)" in the policy for a reason. Some policies
have only one such exclusion, while others have two or more such exclusions,
separated by many other exclusions. For those policies, one needs to consider
(and where possible negotiate) all of such exclusions, not just the first one
that comes across in the policy.
"Intentional Acts" Are Not Supposed To Be Excluded
One of the frequent confusing statements made by the risk manager, broker,
underwriter, and insurance lawyer alike is that "fraud/dishonesty" exclusions
bar coverage for "intentional acts." That is a misleading description of the
exclusion. The intent of the exclusion is to bar coverage for acts committed
with the intent to cause harm or with knowledge that the act violates the law.
Intentional acts—that is, acts done intentionally, but without the intent
to cause harm, or without knowledge that the acts violate the law—are intended
to be covered by these policies, at least with respect to various of the coverages
provided by them. Indeed, many of the offenses expressly covered by such policies
(libel, slander, infringement of intellectual property rights, invasion of privacy,
etc.) are "intentional act" torts, where liability is based on intentional acts.
The issue of acting with the intent to cause harm, or in knowing violation of
the law, is relevant only to whether punitive, exemplary, and/or multiplied
damages will be awarded, not whether liability will be found in the first instance.
Given the intent of fraud/dishonesty exclusions, the first thing to consider
when reviewing such exclusions is use of terms that can encompass conduct that
is done without the intent to cause harm, or without knowledge that the act
will violate the law. Two words stick out on a regular basis when reviewing
such exclusions: "criminal" and "reckless."
In certain jurisdictions in the world, simple negligence can give rise to
"criminal" liability. That is, a certain type of conduct, whether negligent
or worse, violates a particular criminal code or statute, making the conduct
a criminal act. Accordingly, use of the unmodified word "criminal" in the fraud/dishonesty
exclusion is not technically correct. Instead, something like the phrase "deliberately
criminal" or "knowing violation of the law" should be used. For those readers
who know about wording issues in directors and officers (D&O) liability insurance
policies, it’s the same exact issue that is in play when negotiating the fraud/dishonesty
exclusion in a D&O policy, especially one that provides global coverage.
Dealing with the word "reckless" is even more important than dealing with
use of the unmodified term "criminal" in a fraud/dishonesty exclusion. That
is because use of the word "reckless" in such an exclusion can bar coverage
for so many types of claims that would otherwise be covered. By definition,
"reckless" means an act committed in disregard of its consequences, even though
the actor knows that his action might cause
harm. It’s a degree of conduct worse than negligent conduct, but less than willful
conduct (which means acting with the intent to cause harm).
So, how should one react if they see the word "reckless" in a fraud/dishonesty
exclusion? Given that so few forms use the word "reckless" in their fraud/dishonesty
exclusions, the better approach is to insist that the insurer remove the word
from their exclusion(s). If the insurer will not do so, the insured should give
serious consideration as to whether a different insurer’s policy would not be
better suited for them.
Imputation of Acts by One Insured; Severability between Insureds
Several years ago, most of these combined tech/media/eBusiness policies provided
full severability with respect to the "fraud/dishonesty" exclusion. That is,
the acts of one insured could not be imputed to another insured for purposes
of applying the exclusion. And, because natural person employees, as well as
management, were insureds, it made it fairly easy for corporate insureds to
avoid application of the exclusion—the evil employee lost out on coverage while
the corporate insured did not.
About 2 years ago, more and more insurers took a different approach with
respect to severability and the fraud/dishonesty exclusion. They created one
type of exclusion for the tech/media E&O part of the policy, and another for
the network security liability part of the policy. For the tech/media E&O part
of the policy, they eliminated severability. With this new exclusion, the corporate
insured loses out on coverage even if the excluded conduct is committed only
by a low-level employee.
However, it was recognized that such an exclusion virtually eviscerates meaningful
network security liability coverage (because the conduct causing such liability
can very easily be committed by a "rogue employee" who acts with the intent
to cause injury). So, a different exclusion was crafted for the network security
liability part of the policy. That exclusion does provide some severability
for the corporate insured who is liable because of excluded conduct committed
by one or more employees.
But not all insurers have adopted this two-tiered approach. There are still
some insurers that use policies that grant full severability as to the fraud/dishonesty
exclusion, for all liability coverages in their combined forms.
The "Trigger" Language
The third issue that must be addressed is the "trigger" language. This is
very much the same issue that plays out in the "fraud/dishonesty" exclusion
in a D&O policy, so those readers who are familiar with such D&O insurance should
see the parallels. Some forms expressly provide that the exclusion does not
apply until and unless it is adjudicated in the underlying claim, by final,
non-appealable judgment, or other adjudication, that the excluded conduct occurred.
Some call this "pure final adjudication" language. This language is very favorable
from an insured’s perspective, because it makes it hard for the insurer to apply
the exclusion, especially if the underlying claim is settled. So, this type
of language is not seen very often.
More and more insurers are moving away from the pure final adjudication approach.
Their fraud/dishonesty exclusions provide that the exclusion applies not only
if there is an adjudication of excluded conduct, but also if an insured admits
to having committed such conduct, or pleads nolo
contendere with respect to committing the conduct (meaning, "I’m not
contesting whether I committed certain acts"). This broader "trigger" language,
combined with lack of severability as to the exclusion, makes it much easier
for an insurer to apply the exclusion.
Concluding Remarks
The policy forms that have developed over the past several years to address
technology, media, Internet liability, and network security liability risk differ
greatly from one insurer’s form to the next. Insureds and brokers must therefore
take the time to review the policies carefully, understand the differences,
and make informed buying decisions where they cannot negotiate the wording,
and negotiate the wording where they can. This series of articles, and the Tech-eRisk
seminar series, hopefully helps educate insureds and brokers to do just that.