The Law

Legal Spotlight

A look at the latest court decisions impacting the insurance industry.
April 9, 2018 • 5 min read

Marijuana ‘Modifications’ Not Covered

KVG Properties, Inc. took Westfield Insurance Company to court after the insurer refused to pay for damage done by former tenants.

The tenants had been growing marijuana inside KVG’s industrial business units, which the company rented out. The illegal farming “project” was revealed to KVG only after DEA agents executed a search warrant. Immediately, KVG filed eviction actions against the tenants in several units.

KVG also learned the marijuana growing operations seriously damaged its property: The tenants removed walls, cut holes in the roof, added HVAC ductwork and gas lines, and damaged the existing heaters and air conditioning units. The walls, floors and ceilings were damaged due to prolonged exposure to moisture.

KVG obtained eviction orders for the tenants. Then, the company contacted its property insurer, Westfield, with the extent of the damages: $18,183 for the electrical systems, $74,550 for the HVAC systems and $418,162 for replacing and repairing the units in general.

Westfield denied coverage. The policy, the insurer said, excluded coverage for illegal or dishonest acts. While marijuana may be legal at the state level, the insurer said, it’s still an illegal federal offense. Additionally, unauthorized construction was not covered under the policy; the tenants removed walls without permits.

In court, KVG conceded that illegal and dishonest activities were excluded in the policy. However, the company argued the tenants were actually vandals who destroyed the property without KVG’s knowledge. The policy included vandalism, KVG said, and therefore the damages should be covered by Westfield.

The court dismissed this theory. Instead it found that the Westfield policy was sound in excluding acts illegal or dishonest in nature. The tenants, while acting without authority or permission from KVG, were there under the guise they would be conducting “office and/or light industrial businesses.” Their operations fell under the dishonest act exclusion.

Further, the court said, the property policy excluded unauthorized construction. Again, KVG did not condone its tenants’ activities, but its property still went through unauthorized construction, with walls being removed and holes being drilled into the roof. The policy, the court concluded, held firm.

Scorecard: Westfield is not responsible for the property damages caused by illegal marijuana growers who rented out space from KVG Properties.

Takeaway: When renting out part of one’s business or property, be sure to review coverages surrounding the behavior and actions of tenants.

Adjustor Considered Part of Team

The owners of SO Apartments, LLC, learned a wind and hail storm caused damages to one of their rental properties in the state of Texas.

They contacted Everest Indemnity Insurance Company to file a claim. Everest sent an adjustor to assess the damages, but the property owners were not happy with the results. They believed the adjustor failed to address all of the damages done to their property, and the insurer consequently chose not to act.

To make matters worse, the owners alleged, Everest ignored their “pleas for help,” instead acting unprofessionally.

In the owners’ eyes, their insurer had done the bare minimum. They failed to accept, deny or pay the claim in a timely manner, and they had sent an adjustor who “conducted an outcome-oriented investigation and under-scoped [the buildings’] damages.”

In court, the owners pointed to the policy, which stated that Everest would provide coverage for losses stemming from hailstorm damage. They cited breach of contract. They also named the adjustor as a defendant, citing civil conspiracy.

Everest brought the action to appeals court, because it did not see why the adjustor was included in the claim. It argued its adjustor was improperly joined into the court case because the owners had not brought a solid claim against him.

“The acts of the employees or agents are acts of the principal,” said Everest, and “employees and agents cannot conspire with one another unless they act outside the scope of their employment or for their own personal benefit.”

The owners did not allege the adjustor and Everest conspired outside the scope of employment, the insurer argued. The adjustor should not be included.

The court, however, did not agree with Everest’s logic. The adjustor was not improperly joined, the court confirmed, because he was hired by Everest in the first place. The claim — and the actions that were taken afterwards — stemmed from the adjustor’s decisions. The case, the court said, would move to state court for further investigation.

Scorecard: An adjustor is equally liable for the suit brought against their employer. Everest and the adjustor will both be called as defendants.

Takeaway: Employees of one’s company, whether directly working for the company or hired by contract, represent the company at the time of employment, making them liable for any lawsuits that may arise from their actions.

No Wages Lost Due to ‘Occupational Disease’

Following the terrorist attacks on September 11, 2001, many clean-up crews were called to the World Trade Center site. Zdzislaw Usewicz worked as an asbestos handler during recovery. Later, however, he began to feel sick. A treating physician found Usewicz suffered from depression, asthma, rhinitis, gastroesophageal reflux disease and post-traumatic stress disorder, all stemming from his time spent on site.

Usewicz filed for workers’ comp with his employer Nozbestos Construction Corporation, who accepted the claim. Usewicz was cleared to work under the condition he avoid lead exposure.

Then, on July 28, 2012, Usewicz was let go from his job. Nozbestos said Usewicz could not continue working if he couldn’t wear a mask. Due to excessive coughing, Usewicz was unable to keep the mask on during a full day of work.

Usewicz filed an occupational disease claim, asserting he had been working in a continuously lead-contaminated environment during his employment.

A workers’ comp judge found Usewicz was last exposed to lead in November 2011 while working for Nozbestos. The judge also concluded that the occupational disease claim should be viewed together with the original workers’ comp claim from Usewicz’s time spent at the World Trade Center.

As of July 28, 2012, Usewicz had no causally-related loss of earning, said the judge. His cessation of employment was related to his initial workers’ comp claim, not lead exposure or occupational disease like he alleged.

In appeals court, physicians testified that while Usewicz was exposed to lead toxicity throughout his career, the coughing could be linked back to medical conditions from his work at the World Trade Center. Being an asbestos handler was also a principal cause of his disability. The appellate court upheld the judge’s decision.

Scorecard: The court determined that Zdzislaw Usewicz’s disabilities most likely stemmed from a workers’ comp claim from 2001 and not lead exposure. He will not receive benefits for his occupational disease claim.

Takeaway: Working with hazardous waste can lead to various worker health and safety issues. Employer best practice is to keep safety at the forefront to prevent claims from happening at all.

Autumn Heisler is digital producer and staff writer at Risk & Insurance.

More from Risk & Insurance

Cyber Resilience

No, Seriously. You Need a Comprehensive Cyber Incident Response Plan Before It’s Too Late.

Awareness of cyber risk is increasing, but some companies may be neglecting to prepare adequate response plans that could save them millions. 
June 1, 2018 • 7 min read

To minimize the financial and reputational damage from a cyber attack, it is absolutely critical that businesses have a cyber incident response plan.

“Sadly, not all yet do,” said David Legassick, head of life sciences, tech and cyber, CNA Hardy.

In the event of a breach, a company must be able to quickly identify and contain the problem, assess the level of impact, communicate internally and externally, recover where possible any lost data or functionality needed to resume business operations and act quickly to manage potential reputational risk.

This can only be achieved with help from the right external experts and the design and practice of a well-honed internal response.

The first step a company must take, said Legassick, is to understand its cyber exposures through asset identification, classification, risk assessment and protection measures, both technological and human.

According to Raf Sanchez, international breach response manager, Beazley, cyber-response plans should be flexible and applicable to a wide range of incidents, “not just a list of consecutive steps.”

They also should bring together key stakeholders and specify end goals.

With bad actors becoming increasingly sophisticated and often acting in groups, attack vectors can hit companies from multiple angles simultaneously, meaning a holistic approach is essential, agreed Jason J. Hogg, CEO, Aon Cyber Solutions.

“Collaboration is key — you have to take silos down and work in a cross-functional manner.”

This means assembling a response team including individuals from IT, legal, operations, risk management, HR, finance and the board — each of whom must be well drilled in their responsibilities in the event of a breach.

“You can’t pick your players on the day of the game,” said Hogg. “Response times are critical, so speed and timing are of the essence. You should also have a very clear communication plan to keep the CEO and board of directors informed of recommended courses of action and timing expectations.”

People on the incident response team must have sufficient technical skills and access to critical third parties to be able to make decisions and move to contain incidents fast. Knowledge of the company’s data and network topology is also key, said Legassick.

“Perhaps most important of all,” he added, “is to capture in detail how, when, where and why an incident occurred so there is a feedback loop that ensures each threat makes the cyber defense stronger.”

Cyber insurance can play a key role by providing a range of experts such as forensic analysts to help manage a cyber breach quickly and effectively (as well as PR and legal help). However, the learning process should begin before a breach occurs.

Practice Makes Perfect

“Any incident response plan is only as strong as the practice that goes into it,” explained Mike Peters, vice president, IT, RIMS — who also conducts stress testing through his firm Sentinel Cyber Defense Advisors.

Unless companies have an ethical hacker or certified information security officer on board who can conduct sophisticated simulated attacks, Peters recommended they hire third-party experts to test their networks for weaknesses, remediate these issues and then retest for vulnerabilities that haven’t been patched or have newly appeared.

“You need to plan for every type of threat that’s out there,” he added.

Hogg agreed that bringing third parties in to conduct tests brings “fresh thinking, best practice and cross-pollination of learnings from testing plans across a multitude of industries and enterprises.”

Legassick added that companies should test their plans at least annually, updating procedures whenever there is a significant change in business activity, technology or location.

“As companies expand, cyber security is not always front of mind, but new operations and territories all expose a company to new risks.”

For smaller companies that might not have the resources or the expertise to develop an internal cyber response plan from whole cloth, some carriers offer their own cyber risk resources online.

Evan Fenaroli, an underwriting product manager with the Philadelphia Insurance Companies (PHLY), said his company hosts an eRiskHub, which gives PHLY clients a place to start looking for cyber event response answers.

That includes access to a pool of attorneys who can guide company executives in creating a plan.

“It’s something at the highest level that needs to be a priority,” Fenaroli said. For those just getting started, Fenaroli provided a checklist for consideration:

  • Purchase cyber insurance, read the policy and understand its notice requirements.
  • Work with an attorney to develop a cyber event response plan that you can customize to your business.
  • Identify stakeholders within the company who will own the plan and its execution.
  • Find outside forensics experts that the company can call in an emergency.
  • Identify a public relations expert who can be called in the case of an event that could be leaked to the press or otherwise become newsworthy.

“When all of these things fall into place, the outcome is far better in that there isn’t a panic,” said Fenaroli, who, like others, recommends the plan be tested at least annually.

Cyber’s Physical Threat

With the digital and physical worlds converging due to the rise of the Internet of Things, Hogg reminded companies: “You can’t just test in the virtual world — testing physical end-point security is critical too.”

How that testing is communicated to underwriters should also be a key focus, said Rich DePiero, head of cyber, North America, Swiss Re Corporate Solutions.

Don’t just report on what went well; it’s far more believable for an underwriter to hear what didn’t go well, he said.

“If I hear a client say it is perfect and then I look at some of the results of the responses to breaches last year, there is a disconnect. Help us understand what you learned and what you worked out. You want things to fail during these incident response tests, because that is how we learn,” he explained.

“Bringing in these outside firms, detailing what they learned and defining roles and responsibilities in the event of an incident is really the best practice, and we are seeing more and more companies do that.”

Support from the Board

Good cyber protection is built around a combination of process, technology, learning and people. While not every cyber incident needs to be reported to the boardroom, senior management has a key role in creating a culture of planning and risk awareness.

“Cyber is a boardroom risk. If it is not taken seriously at boardroom level, you are more than likely to suffer a network breach,” Legassick said.

However, getting board buy-in or buy-in from the C-suite is not always easy.

“C-suite executives often put off testing crisis plans as they get in the way of the day job. The irony here is obvious given how disruptive an incident can be,” said Sanchez.

“The C-suite must demonstrate its support for incident response planning and that it expects staff at all levels of the organization to play their part in recovering from serious incidents.”

“What these people need from the board is support,” said Jill Salmon, New York-based vice president, head of cyber/tech/MPL, Berkshire Hathaway Specialty Insurance.

“I don’t know that the information security folks are looking for direction from the board as much as they are looking for support from a resources standpoint and a visibility standpoint.

“They’ve got to be aware of what they need and they need to have the money to be able to build it up to that level,” she said.

Without that support, according to Legassick, a common mistake is failing to empower and encourage the IT team to manage cyber threats holistically through integration with the rest of the organization, particularly risk managers.

He also warned that “blame culture” can prevent staff from escalating problems to management in a timely manner.

Collaboration and Communication

Given that cyber incident response truly is a team effort, it is essential that a culture of collaboration, preparation and practice is embedded from the top down.

One of the biggest tripping points for companies — and an area that has done the most damage from a reputational perspective — is in how quickly and effectively the company communicates to the public in the aftermath of a cyber event.

Salmon said of all the cyber incident response plans she has seen, the companies that have impressed her most are those that have written mock press releases and rehearsed how they are going to respond to the media in the aftermath of an event.

“We have seen so many companies trip up in that regard,” she said. “There have been examples of companies taking too long and then not explaining why it took them so long. It’s like any other crisis — the way that you are communicating it to the public is really important.”

Antony Ireland is a London-based financial journalist. Dan Reynolds is editor-in-chief of Risk & Insurance.