Variations in "Fraud/Dishonesty" Exclusions in Tech/Media/eBusiness Policies

Reviewing the Fraud/Dishonesty Exclusion(s)

When reviewing (or negotiating) the wording in the fraud/dishonesty exclusion(s) in these newer tech/media/eBusiness policies, at least three different issues need to be addressed:

1. The description of excluded conduct;
2. How acts of one insured are imputed to acts of another insured (i.e., is there "severability" as between the insureds with respect to operation of the exclusion?); and
3. How the exclusion applies (i.e., does the exclusion apply only if there is a non-appealable judgment or other final adjudication that the excluded conduct occurred, or by other means as well?).

We say fraud/dishonesty "exclusion(s)" in the policy for a reason. Some policies have only one such exclusion, while others have two or more such exclusions, separated by many other exclusions. For those policies, one needs to consider (and where possible negotiate) all of such exclusions, not just the first one that comes across in the policy.

"Intentional Acts" Are Not Supposed to Be Excluded

One of the frequent confusing statements made by the risk manager, broker, underwriter, and insurance lawyer alike is that "fraud/dishonesty" exclusions bar coverage for "intentional acts." That is a misleading description of the exclusion. The intent of the exclusion is to bar coverage for acts committed with the intent to cause harm or with knowledge that the act violates the law.

Intentional acts—that is, acts done intentionally, but without the intent to cause harm, or without knowledge that the acts violate the law—are intended to be covered by these policies, at least with respect to various of the coverages provided by them. Indeed, many of the offenses expressly covered by such policies (libel, slander, infringement of intellectual property rights, invasion of privacy, etc.) are "intentional act" torts, where liability is based on intentional acts. The issue of acting with the intent to cause harm, or in knowing violation of the law, is relevant only to whether punitive, exemplary, and/or multiplied damages will be awarded, not whether liability will be found in the first instance.

Given the intent of fraud/dishonesty exclusions, the first thing to consider when reviewing such exclusions is use of terms that can encompass conduct that is done without the intent to cause harm, or without knowledge that the act will violate the law. Two words stick out on a regular basis when reviewing such exclusions: "criminal" and "reckless."

In certain jurisdictions in the world, simple negligence can give rise to "criminal" liability. That is, a certain type of conduct, whether negligent or worse, violates a particular criminal code or statute, making the conduct a criminal act. Accordingly, use of the unmodified word "criminal" in the fraud/dishonesty exclusion is not technically correct. Instead, something like the phrase "deliberately criminal" or "knowing violation of the law" should be used. For those readers who know about wording issues in directors and officers (D&O) liability insurance policies, it's the same exact issue that is in play when negotiating the fraud/dishonesty exclusion in a D&O policy, especially one that provides global coverage.

Dealing with the word "reckless" is even more important than dealing with use of the unmodified term "criminal" in a fraud/dishonesty exclusion. That is because use of the word "reckless" in such an exclusion can bar coverage for so many types of claims that would otherwise be covered. By definition, "reckless" means an act committed in disregard of its consequences, even though the actor knows that his action might cause harm. It's a degree of conduct worse than negligent conduct, but less than willful conduct (which means acting with the intent to cause harm).

So, how should one react if they see the word "reckless" in a fraud/dishonesty exclusion? Given that so few forms use the word "reckless" in their fraud/dishonesty exclusions, the better approach is to insist that the insurer remove the word from their exclusion(s). If the insurer will not do so, the insured should give serious consideration as to whether a different insurer's policy would not be better suited for them.

Imputation of Acts by One Insured; Severability between Insureds

Several years ago, most of these combined tech/media/eBusiness policies provided full severability with respect to the "fraud/dishonesty" exclusion. That is, the acts of one insured could not be imputed to another insured for purposes of applying the exclusion. And, because natural person employees, as well as management, were insureds, it made it fairly easy for corporate insureds to avoid application of the exclusion—the evil employee lost out on coverage while the corporate insured did not.

About 2 years ago, more and more insurers took a different approach with respect to severability and the fraud/dishonesty exclusion. They created one type of exclusion for the tech/media E&O part of the policy, and another for the network security liability part of the policy. For the tech/media E&O part of the policy, they eliminated severability. With this new exclusion, the corporate insured loses out on coverage even if the excluded conduct is committed only by a low-level employee.

However, it was recognized that such an exclusion virtually eviscerates meaningful network security liability coverage (because the conduct causing such liability can very easily be committed by a "rogue employee" who acts with the intent to cause injury). So, a different exclusion was crafted for the network security liability part of the policy. That exclusion does provide some severability for the corporate insured who is liable because of excluded conduct committed by one or more employees.

But not all insurers have adopted this two-tiered approach. There are still some insurers that use policies that grant full severability as to the fraud/dishonesty exclusion, for all liability coverages in their combined forms.

The "Trigger" Language

The third issue that must be addressed is the "trigger" language. This is very much the same issue that plays out in the "fraud/dishonesty" exclusion in a D&O policy, so those readers who are familiar with such D&O insurance should see the parallels. Some forms expressly provide that the exclusion does not apply until and unless it is adjudicated in the underlying claim, by final, non-appealable judgment, or other adjudication, that the excluded conduct occurred. Some call this "pure final adjudication" language. This language is very favorable from an insured's perspective, because it makes it hard for the insurer to apply the exclusion, especially if the underlying claim is settled. So, this type of language is not seen very often.

More and more insurers are moving away from the pure final adjudication approach. Their fraud/dishonesty exclusions provide that the exclusion applies not only if there is an adjudication of excluded conduct, but also if an insured admits to having committed such conduct, or pleads nolo contendere with respect to committing the conduct (meaning, "I'm not contesting whether I committed certain acts"). This broader "trigger" language, combined with lack of severability as to the exclusion, makes it much easier for an insurer to apply the exclusion.

Concluding Remarks

The policy forms that have developed over the past several years to address technology, media, Internet liability, and network security liability risk differ greatly from one insurer's form to the next. Insureds and brokers must therefore take the time to review the policies carefully, understand the differences, and make informed buying decisions where they cannot negotiate the wording, and negotiate the wording where they can. This series of articles, and the Tech-eRisk seminar series, hopefully helps educate insureds and brokers to do just that.