Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On June 15, the U.S. Court of Appeals for the Seventh Circuit upheld a district court’s ruling requiring an insurance company to defend an Illinois-based IT company against two putative class actions alleging violations of the Illinois Biometric Information Privacy Act (BIPA). The insurance company sued for a declaration that, under its business liability insurance policy, it has no obligation to indemnify or defend the IT company in the two class actions. Class members alleged the IT company acted as a vendor for a company that “scraped” more than 3 billion facial scans and converted them into biometric facial recognition identifiers, which were then paired to images on the internet and sold via a database to the Chicago Police Department, in violation of BIPA.
The insurance company’s policy bars coverage for any distribution of material in violation of certain specific statutes or in violation of “[a]ny other laws, statutes, ordinances, or regulations” and asserted that this catch-all provision includes BIPA. The district court disagreed, ruling that the language of the policy’s statutory violations exclusion was “intractably ambiguous” and did not explicitly bar coverage of the underlying suits.
On appeal, the 7th Circuit agreed that the district court was correct in determining that a plain-text reading of the insurance policy’s “broad” and ambiguous catch-all coverage exclusion for “personal or advertising injury” would “swallow a substantial portion of the coverage that the policy otherwise explicitly purports to provide.” The 7th Circuit held that “the broad language of the catch-all exclusion purports to take away with one hand what the policy purports to give with the other in defining covered personal and advertising injuries.”
Although the 7th Circuit considered whether there was a “common element” related to privacy in the enumerated statutes that could be read to include BIPA, ultimately the appellate court determined that nothing in the exclusion language “points to privacy as the focus of the exclusion.”
On December 27, NYDFS announced actions to provide financial relief to New Yorkers in the Western and North Country regions in the aftermath of a historic winter storm. The relief is part of New York’s continuing and comprehensive efforts to address the historic winter storm that caused statewide devastation. According to the announcement, NYDFS requested that state-chartered banking organizations, federally-chartered banks, and credit unions operating in the area provide fee-free access services to nearby customers and non-customers while travel conditions remain dangerous. NYDFS will also issue temporary adjuster permits to qualified out-of-state independent insurance adjusters to expedite insurance claims in light of the winter storm. Expediting permits will increase the number of adjusters available to process claims and help New Yorkers get their claims paid faster. Insurers are encouraged to make any necessary applications on the NYDFS website. NYDFS urged the insurance industry to work towards a fair and speedy resolution of all claims and provide the necessary resources to do so.
On October 7, a national bank announced in a regulatory filing that it has agreed to pay $1.84 billion to settle claims brought by a bond insurer concerning policies provided on residential mortgage-backed securities before the 2008 financial crisis. According to the regulatory filing, the agreement will “resolve all pending [bond insurer] lawsuits” (containing damages claims of more than $3 billion) against the bank and its subsidiaries, will cause all pending litigation to be dismissed with prejudice, and will release the bank and its subsidiaries from “all outstanding claims” related to bond insurance policies for certain securitized pools of residential mortgage loans.
On October 7, the U.S. Treasury Department published its Annual Report on the Insurance Industry, as required by the Dodd-Frank Act. The report discussed the U.S. insurance industry’s financial performance and its financial condition for the year ending December 31, 2021, and provided a domestic outlook for the industry for 2022. The report also summarized the Federal Insurance Office’s (FIO) activities and addressed certain matters affecting the domestic and international insurance industry.
Earlier, Treasury issued a request for input in the Federal Register on a potential federal insurance response to catastrophic cyber incidents. According to Treasury, “the comments will inform FIO’s work in responding to a recommendation by the U.S. Government Accountability Office that FIO and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency jointly assess the extent to which the risks to U.S. critical infrastructure from catastrophic cyberattacks warrant a federal insurance response.” The request stated that cyber insurance is a significant risk transfer mechanism, and that the insurance industry has an important role to play in strengthening cyber hygiene and building resiliency. Comments are due November 14.
On September 6, the U.S. Court of Appeals for the Eleventh Circuit upheld a district court’s decision to deny insurance coverage to a Florida title company under its Cyber Protection Insurance Policy after it was allegedly “fraudulently induced—by an unknown actor impersonating a mortgage lender—to wire funds to an incorrect account.” The insurance company denied coverage on the basis that the title company did not meet the policy’s requirements. The title company submitted a claim under the cybercrime endorsement of its insurance policy, which includes a deceptive transfer fraud insurance clause that grants coverage provided certain criteria are met, including that the loss resulted from intentionally misleading actions, was done by a person purporting to be an employee, customer, client or vendor, and the authenticity of the wire transfer instructions was verified according to the title company’s internal procedures. The insurance company denied coverage, claiming that: (i) the mortgage lender to whom the funds were intended was not an employee, customer, client or vendor of the title company; and (ii) that the title company failed to verify the transfer request according to its procedures. The district court granted summary judgment in favor of the insurance company, agreeing that coverage did not exist under the plain language of the policy.
On appeal, the 11th Circuit determined that the mortgage lender was not listed as an entity under the plain language of the policy. It further disagreed with the title company’s position that under Florida law, insurance coverage clauses must “be construed as broadly as possible to provide the greatest amount of coverage,” and that the deceptive transfer fraud clause should also include “persons and entities involved in the real estate transaction.” The appellate court noted that “[a]s attractive as that proposition may be, it is simply not what the clause provides,” adding that because the clause “limits coverage to misleading communications ‘sent by a person purporting to be an employee, customer, client or vendor’” it must interpret these terms according to their plain meaning and may not “alter the terms bargained to by parties to a contract.”
On August 29, the Washington State Superior Court entered a final order declaring that the Washington Insurance Commissioner exceeded his authority when he issued an emergency rule earlier this year banning the use of credit-based insurance scores in the rating and underwriting of insurance for a three-year period. As previously covered by InfoBytes, several industry groups led by the American Property Casualty Insurance Association (APCIA) sued to stop the rule from taking effect. The rule was intended to prevent discriminatory pricing in private auto, renters, and homeowners insurance in anticipation of the end of the CARES Act, and specifically prohibited insurers from “us[ing] credit history to place insurance coverage with a particular affiliated insurer or insurer within an overall group of affiliated insurance companies.” The rule applied to all new policies effective, and existing policies processed for renewal, on or after June 20, 2021. Industry groups countered that the rule would harm insured consumers in the state who pay less for auto, homeowners, and renters insurance because of the use of credit-based insurance scores to predict risk and set rates.
According to a press release issued by APCIA, earlier this year the superior court issued a bench decision granting the trade group’s petition for a declaratory judgment and invalidating the rule. The superior court “held that the Commissioner could not rely on the more general rating standard statute that prohibited “excessive, inadequate, or unfairly discriminatory” rates to “eliminate all meaning from the more specific credit history statutes by which the legislature had authorized its use.” Calling the final order “an important victory for Washington consumers, particularly lower risk senior policyholders who were forced to pay more to subsidize higher risk policyholders because the rule eliminated the use of credit,” the trade groups said they were pleased that the court agreed with their position that the Commissioner “exceeded his authority when he acted contrary to the longstanding statute that authorized the use of credit in the property and casualty insurance space.”
According to sources, some insurers are considering adding biometric exclusions to their insurance policies as privacy lawsuits increase. An article on the recent evolution of biometric privacy lawsuits noted an apparent increase in class actions claiming violations of the Illinois Biometric Information Privacy Act (BIPA), as “more courts began ruling that individuals need not show actual injury to allege BIPA violations.” The article explained that insurance carriers now “argue that general liability policies, with their lower premiums and face values, don’t insure data privacy lawsuits and can’t support potentially huge BIPA class action awards and settlements.” This issue is poised to become increasingly important to carriers and policyholders as additional states seek to regulate biometric privacy. The article noted that in the first quarter of 2022, seven states (California, Kentucky, Maine, Maryland, Massachusetts, Missouri, and New York) introduced biometric laws generally based on Illinois’ BIPA. Texas and Washington also have biometric laws, but without a private right of action.
On March 22, the U.S. District Court for the District of Minnesota ordered two insurance companies to cover a major retailer’s 2013 data breach settlement liability under commercial general liability policies. As previously covered by InfoBytes, in 2018 the retailer reached a $17 million class action settlement to resolve consumer claims related to a 2013 data breach, which resulted in the compromise of at least 40 million credit cards and theft of personal information of up to 110 million people. The banks that issued the payment cards compromised in the data breach sought compensation from the retailer for costs associated with the cancellation and replacement of the payment cards. The retailer settled the issuing banks’ claims and later sued the insurers in 2019 for refusing to cover the costs, arguing that under the general liability policies, the insurers are obligated to indemnify the retailer with respect to the settlements reached with the issuing banks. The retailer moved for partial summary judgment, seeking a declaration that the general liability policies (which “provide coverage for losses resulting from property damage, including ‘loss of use of tangible property that is not physically injured’”) covered the costs incurred by the retailer when settling the claims for replacing the payment cards. According to the retailer, the insurers’ “refusal to provide coverage for these claims lacked any basis in either the Policies’ language or Minnesota law.” The court reviewed whether the cancellation of the payment cards following the data breach counted as a “loss of use” under the general liability policies. Although the court had previously dismissed the retailer’s coverage claims, the court now determined that the “expense that [the retailer] incurred to settle claims brought by the [i]ssuing [b]anks for the costs of replacing the compromised payment cards was a cost incurred due to the loss of use of the payment cards” because being cancelled “rendered the payment cards inoperable.”
On February 17, the U.S. Treasury Department’s Federal Insurance Office (FIO) announced that it joined the Network of Central Banks and Supervisors for Greening the Financial System (NGFS). As previously covered by InfoBytes, Treasury announced in August 2021 a request for information seeking public comments on the FIO’s future work related to the insurance sector and climate-related financial risks. This was in response to an executive order issued by President Biden instructing financial regulators to mitigate climate-related risk related to the financial system (covered by InfoBytes here). According to the recent announcement, the FIO “intends to publish a climate report by the year’s end focusing on insurance supervision and regulation, with an assessment of climate-related issues or gaps in the supervision and regulation of insurers, including their potential impacts on U.S. financial stability.” The same day, the Federal Advisory Committee on Insurance (FACI), which provides advice and recommendations to assist the FIO in carrying out its statutory authorities, launched the Climate Related Financial Risk Subcommittee to support the FACI provision of information relevant to the FIO’s work on climate-related risks in the insurance sector.
On January 28, the Federal Reserve Board announced it is soliciting comments on proposed guidance, which would implement a framework for the supervision of certain insurance organizations overseen by the Board. According to the Fed, the proposed framework for depository institution holding companies significantly engaged in insurance activities would apply guidance and allocate supervisory resources based on the risk of a firm and would “formalize a supervisory rating system for these companies and describe how examiners work with state insurance regulators.” Comments are due 60 days after publication in the Federal Register.