Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On September 6, the U.S. Court of Appeals for the Eleventh Circuit upheld a district court’s decision to deny insurance coverage to a Florida title company under its Cyber Protection Insurance Policy after it was allegedly “fraudulently induced—by an unknown actor impersonating a mortgage lender—to wire funds to an incorrect account.” The insurance company denied coverage on the basis that the title company did not meet the policy’s requirements. The title company submitted a claim under the cybercrime endorsement of its insurance policy, which includes a deceptive transfer fraud insurance clause that grants coverage provided certain criteria are met, including that the loss resulted from intentionally misleading actions, was done by a person purporting to be an employee, customer, client or vendor, and the authenticity of the wire transfer instructions was verified according to the title company’s internal procedures. The insurance company denied coverage, claiming that: (i) the mortgage lender to whom the funds were intended was not an employee, customer, client or vendor of the title company; and (ii) that the title company failed to verify the transfer request according to its procedures. The district court granted summary judgment in favor of the insurance company, agreeing that coverage did not exist under the plain language of the policy.
On appeal, the 11th Circuit determined that the mortgage lender was not listed as an entity under the plain language of the policy. It further disagreed with the title company’s position that under Florida law, insurance coverage clauses must “be construed as broadly as possible to provide the greatest amount of coverage,” and that the deceptive transfer fraud clause should also include “persons and entities involved in the real estate transaction.” The appellate court noted that “[a]s attractive as that proposition may be, it is simply not what the clause provides,” adding that because the clause “limits coverage to misleading communications ‘sent by a person purporting to be an employee, customer, client or vendor’” it must interpret these terms according to their plain meaning and may not “alter the terms bargained to by parties to a contract.”
On August 29, the Washington State Superior Court entered a final order declaring that the Washington Insurance Commissioner exceeded his authority when he issued an emergency rule earlier this year banning the use of credit-based insurance scores in the rating and underwriting of insurance for a three-year period. As previously covered by InfoBytes, several industry groups led by the American Property Casualty Insurance Association (APCIA) sued to stop the rule from taking effect. The rule was intended to prevent discriminatory pricing in private auto, renters, and homeowners insurance in anticipation of the end of the CARES Act, and specifically prohibited insurers from “us[ing] credit history to place insurance coverage with a particular affiliated insurer or insurer within an overall group of affiliated insurance companies.” The rule applied to all new policies effective, and existing policies processed for renewal, on or after June 20, 2021. Industry groups countered that the rule would harm insured consumers in the state who pay less for auto, homeowners, and renters insurance because of the use of credit-based insurance scores to predict risk and set rates.
According to a press release issued by APCIA, earlier this year the superior court issued a bench decision granting the trade group’s petition for a declaratory judgment and invalidating the rule. The superior court “held that the Commissioner could not rely on the more general rating standard statute that prohibited “excessive, inadequate, or unfairly discriminatory” rates to “eliminate all meaning from the more specific credit history statutes by which the legislature had authorized its use.” Calling the final order “an important victory for Washington consumers, particularly lower risk senior policyholders who were forced to pay more to subsidize higher risk policyholders because the rule eliminated the use of credit,” the trade groups said they were pleased that the court agreed with their position that the Commissioner “exceeded his authority when he acted contrary to the longstanding statute that authorized the use of credit in the property and casualty insurance space.”
According to sources, some insurers are considering adding biometric exclusions to their insurance policies as privacy lawsuits increase. An article on the recent evolution of biometric privacy lawsuits noted an apparent increase in class actions claiming violations of the Illinois Biometric Information Privacy Act (BIPA), as “more courts began ruling that individuals need not show actual injury to allege BIPA violations.” The article explained that insurance carriers now “argue that general liability policies, with their lower premiums and face values, don’t insure data privacy lawsuits and can’t support potentially huge BIPA class action awards and settlements.” This issue is poised to become increasingly important to carriers and policyholders as additional states seek to regulate biometric privacy. The article noted that in the first quarter of 2022, seven states (California, Kentucky, Maine, Maryland, Massachusetts, Missouri, and New York) introduced biometric laws generally based on Illinois’ BIPA. Texas and Washington also have biometric laws, but without a private right of action.
On March 22, the U.S. District Court for the District of Minnesota ordered two insurance companies to cover a major retailer’s 2013 data breach settlement liability under commercial general liability policies. As previously covered by InfoBytes, in 2018 the retailer reached a $17 million class action settlement to resolve consumer claims related to a 2013 data breach, which resulted in the compromise of at least 40 million credit cards and theft of personal information of up to 110 million people. The banks that issued the payment cards compromised in the data breach sought compensation from the retailer for costs associated with the cancellation and replacement of the payment cards. The retailer settled the issuing banks’ claims and later sued the insurers in 2019 for refusing to cover the costs, arguing that under the general liability policies, the insurers are obligated to indemnify the retailer with respect to the settlements reached with the issuing banks. The retailer moved for partial summary judgment, seeking a declaration that the general liability policies (which “provide coverage for losses resulting from property damage, including ‘loss of use of tangible property that is not physically injured’”) covered the costs incurred by the retailer when settling the claims for replacing the payment cards. According to the retailer, the insurers’ “refusal to provide coverage for these claims lacked any basis in either the Policies’ language or Minnesota law.” The court reviewed whether the cancellation of the payment cards following the data breach counted as a “loss of use” under the general liability policies. Although the court had previously dismissed the retailer’s coverage claims, the court now determined that the “expense that [the retailer] incurred to settle claims brought by the [i]ssuing [b]anks for the costs of replacing the compromised payment cards was a cost incurred due to the loss of use of the payment cards” because being cancelled “rendered the payment cards inoperable.”
On February 17, the U.S. Treasury Department’s Federal Insurance Office (FIO) announced that it joined the Network of Central Banks and Supervisors for Greening the Financial System (NGFS). As previously covered by InfoBytes, Treasury announced in August 2021 a request for information seeking public comments on the FIO’s future work related to the insurance sector and climate-related financial risks. This was in response to an executive order issued by President Biden instructing financial regulators to mitigate climate-related risk related to the financial system (covered by InfoBytes here). According to the recent announcement, the FIO “intends to publish a climate report by the year’s end focusing on insurance supervision and regulation, with an assessment of climate-related issues or gaps in the supervision and regulation of insurers, including their potential impacts on U.S. financial stability.” The same day, the Federal Advisory Committee on Insurance (FACI), which provides advice and recommendations to assist the FIO in carrying out its statutory authorities, launched the Climate Related Financial Risk Subcommittee to support the FACI provision of information relevant to the FIO’s work on climate-related risks in the insurance sector.
On January 28, the Federal Reserve Board announced it is soliciting comments on proposed guidance, which would implement a framework for the supervision of certain insurance organizations overseen by the Board. According to the Fed, the proposed framework for depository institution holding companies significantly engaged in insurance activities would apply guidance and allocate supervisory resources based on the risk of a firm and would “formalize a supervisory rating system for these companies and describe how examiners work with state insurance regulators.” Comments are due 60 days after publication in the Federal Register.
On November 15, NYDFS issued final guidance to New York regulated-domestic insurers on managing climate change-related financial risks. The final guidance reflects the agency’s consideration of stakeholder comments from proposed guidance issued in March, and was informed by NYDFS’s collaboration with the insurance industry and international regulators. Building on a 2020 insurance circular letter addressing climate change and financial risks, the final guidance outlines expectations that insurers begin “integrating the consideration of the financial risks from climate change into their governance frameworks, business strategies, risk management processes and scenario analysis, and developing their approach to climate-related financial disclosure.” Specifically, an insurer should (i) incorporate into its governance structure, at either “the group or insurer entity level,” climate-risk considerations; (ii) consider current and forward-looking climate-related implications on its operations through “time horizons” appropriately tailored to the insurer’s activities and decisions; (iii) incorporate in its current financial risk management framework analyses of the effect of climate risks on existing risk factors; (iv) employ scenario analysis to inform business strategy decisions, risk assessments, and identification; and (v) disclose its climate risks and engage with NYDFS’s Task Force on Climate-related Financial Disclosures when developing climate disclosure approaches. NYDFS will monitor insurers’ progress in implementing these expectations with respect to organizational structures, which insurers must have in place by August 15, 2022. The NYDFS noted it will provide further guidance on timing for implementing “the more complex expectations outlined in the guidance.”
On November 2, the U.S. Court of Appeals for the 10th Circuit affirmed a district court’s decision that under Colorado law, an insurance company (plaintiff) had no duty to indemnify and defend its insured against TCPA claims seeking statutory damages and injunctive relief. According to the appellate opinion, the states of California, Illinois, North Carolina, and Ohio sued a satellite television company for telemarketing violations of the TCPA (TCPA lawsuit). The TCPA lawsuit sought statutory damages of up to $1,500 per alleged violation and injunctive relief. The satellite company submitted a claim to its insurer for defense and indemnity of the TCPA claims pursuant to existing policies. The plaintiff filed a complaint seeking a declaratory judgment that it need not defend or indemnify the satellite company in the TCPA lawsuit. The district court, relying on ACE American Insurance Co. v. DISH Network (covered by InfoBytes here), determined that, under ACE, the claim for statutory damages in the telemarketing complaint sought a penalty and therefore was “uninsurable as a matter of Colorado public policy,” and that the policies did not cover the complaint’s claim for injunctive relief because, as in ACE, they did not cover the costs of preventing future violations. Additionally, the district court determined that “the allegations did not potentially fall within the Policies’ definitions of ‘Bodily Injury’ or ‘Property Damage.’” The 10th Circuit affirmed the district court’s rulings, concluding that no coverage existed.
On September 2, NYDFS advised regulated insurers to expedite Tropical Depression Ida-related insurance claims. Emphasizing the severity of damage experienced by homeowners and businesses, NYDFS urged insurers to work towards a fair and speedy resolution of claims. In addition to outlining expectations related to the claims process, NYDFS noted that it will also “expedite the issuance of temporary adjustor permits as necessary to qualified out-of-state independent insurance adjusters pursuant to New York Insurance Law” to increase the number of available adjusters to process claims.
On August 31, the U.S. Treasury Department announced a request for information (RFI) seeking public comments on the Federal Insurance Office’s (FIO) future work related to the insurance sector and climate-related financial risks. The RFI is in response to an executive order issued by President Biden in May, which instructed financial regulators to take steps to mitigate, among other things, climate-related risk related to the financial system (covered by InfoBytes here). Among other things, the FIO will focus on the following initial climate-related priorities: (i) “assessing climate-related issues or gaps in the supervision and regulation of insurers, including their potential impacts on U.S. financial stability”; (ii) “assessing the potential for major disruptions of private insurance coverage in U.S. markets that are particularly vulnerable to climate change impacts, as well as facilitating mitigation and resilience for disasters”; and (iii) “increasing FIO’s engagement on climate-related issues and leveraging the insurance sector’s ability to help achieve climate-related goals.” Responses will help FIO monitor and assess the implications of climate-related financial risks for the insurance sector, and help FIO better understand how to collect “high-quality, reliable, and consistent data” required to accomplish FIO’s objectives.
- Benjamin W. Hutten to discuss “Ongoing CDD: Operational considerations” at NAFCU’s Regulatory Compliance & BSA Seminar
- James C. Chou to discuss ransomware at NAFCU’s Regulatory Compliance & BSA seminar
- Jedd R. Bellman to provide an “Attorney exemption/medical debt update” at the North American Collection Agency Regulatory Association annual conference
- Kathryn L. Ryan to discuss “What should crypto regulation look like: Legislation, regulation and consumer issues” at WCL's First Annual Virtual Currency Law Institute
- Elizabeth E. McGinn to discuss “How to mitigate and manage third-party risks: Leveraging tools and best practices” at The Knowledge Group’s webcast
- Elizabeth E. McGinn, Benjamin W. Hutten, and James C. Chou to discuss “The evolving regulatory landscape: Third-party and cyber risk management” at the 2022 mWISE Conference
- Sherry-Maria Safchuk to discuss “For your eyes only: Privacy updates for 2022-2023” at CCFL’s Annual Consumer Financial Services Conference
- James T. Parkinson to present a “Global anti-corruption update” at IBA’s annual conference