National Union Tail Coverage On Liability Policy Insufficient, New York Judge Finds


New York, Feb. 28 – A New York state judge has ruled that a 60-day Extended Reporting Period (ERP) endorsement requiring that both the claim against the insured and the insured’s report to the insurer take place within the 60-day extended reporting period violates New York insurance regulations covering minimum ERP requirements.

The insured, New York Institute of Technology (NYIT), sought defense and indemnity for an underlying defamation suit that was filed against it near the end of the policy period. NYIT did not notify National Union of the claim, however, until after the policy expired but within the liability policy’s 60-day “tail” ERP.

National Union denied coverage on the ground that the policy’s ERP provision only extended coverage for claims both made against the insured and reported within the 60-day tail period. NYIT sued National Union in New York state court to compel defense and indemnity. National Union then filed a motion to dismiss based on the language of the ERP.

New York State Trial Judge Barbara Jaffe denied the insurer’s dismissal motion, finding that National Union’s ERP provision was unenforceable because it fell short of minimum requirements for extended reporting periods, also known as “tail coverage,” under applicable New York insurance regulations. She wrote:

“Pursuant to the applicable regulation, the policy should have afforded plaintiff an additional 60 days at the end of the policy term to provide defendant notice of the claim ‘for injury or damage that occurred,’ as it did here, ‘during the policy term,’ notwithstanding that plaintiff did not first receive notice of the claim against it during the ERP.”

Judge Jaffe found that the National Union policy’s ERP provision was unambiguous. She also found, however, that the ERP was invalid under New York law. As written, she found, the National Union ERP imposed an “additional obstacle to coverage” and created a gap in coverage, excluding a class of claims for which the New York insurance regulations required coverage, i.e., claims made against the insured within the policy period but not reported to the insurer until the tail period.

New York Institute of Technology vs. National Fire Union Ins. Co. of Pittsburgh, Inc. (New York County, New York, Feb. 23, 2017, Jaffe J.)

New York Rolls Out New Cybersecurity Requirements for Banks, Insurers

 


Harrisburg, Feb. 22 – According to the New York Department of Financial Services, new cybersecurity rules aimed at safeguarding consumer data go into effect on March 1, 2017. The regulations will require banks, insurers, and money services to strengthen their cybersecurity protocols by, in part, putting data security programs in place and accepting greater responsibility for monitoring the vendors with whom they do business. The rules also require reporting breaches within 72 hours.

The new rules impose obligations that could create liability from regulatory actions or consumer litigation. According to attorneys quoted in a recent article appearing on Law360.com, the new guidelines will give enterprising plaintiffs’ lawyers new claims against financial services firms, as well as firm directors and officers. Under the new DFS scheme, company executives must certify compliance with the NY DFS regulations on an annual basis. Should those certifications prove incorrect, they could provide the basis for the DFS or consumers to make claims against banks, insurers and other financial services firms for breach of such certification. Because of that, companies should devote considerable attention and resources to two areas: (1) implementation of cybersecurity programs and systems in compliance with DFS requirements; and (2) making sure company executives have liability insurance coverage for cyber-related missteps, including coverage for both regulatory and consumer claims.

With respect to adequately insuring cyber exposures, companies should undertake a review of D&O policies to make sure any cyber-related liability is not excluded, and also that the insurance will cover the costs of defending against regulatory actions and any resulting penalties. With respect to DFS requirements for the supervision of third-party vendors, the rules call for vendors to encrypt nonpublic information and to set up robust protection systems. Companies should require and review both vendor cybersecurity policies and related liability insurance products to make sure the vendors have technology errors and omissions coverage. Companies may wish to secure additional insured protection in such policies as well.

A copy of the regulations may be found here:  nydfs-cybersecutiry-regs-03012017

 

 

NY: No Coverage For Negligent Handling of Electronic Data


NEW YORK, Feb. 18 – A New York intermediate appellate court ruled on Feb. 18 that claims against an insured for the alleged negligent handling of the electronic data of customers were not covered.

In RVST Holdings v. Main Street America Assurance Co., the liability policy in question provided for defense and indemnity to RVST for liability arising out of direct physical loss to tangible property. The policy, however, excluded losses relating to electronic data. The intermediate appellate court, giving the language in question its plain meaning, ruled that the insurer did not have a duty to defend or indemnify RVST from claims relating to RVST’s alleged negligent handling of electronic data.

RVST Holdings, Inc. v. Main Street America Assurance Co. (N.Y. App. 3rd Dept., Feb. 18, 2016)