Could Your Insurance Cover the Latest Disability Claims?

Although Americans with Disabilities Act (ADA) claims have been in existence for several years, I have seen a dramatic increase in the frequency of demand letters against community and regional banks during the past couple of weeks. The typical demand letter states that the bank’s website is out of compliance with the ADA, as the site does not provide equal accessibility for visually impaired individuals who attempt to access the website. Often the letter will cite the Web Accessibility Initiative of the World Wide Web Consortium, referencing how many of the web pages fail to meet the Web Content Accessibility Guidelines.

Possible Insurance Response
Based on the allegations, the first places we would look for insurance coverage would be the cyber liability policy, as this is based on the bank’s website, or the employment practices liability insurance (EPLI) policy. And those are exactly the two coverages where we are seeing possible solutions, but that will be contingent on the insurance carrier’s approach and the language that may have been negotiated.

With regard to cyber liability, most policies will only be triggered after a breach of network security and/or the loss or theft of non-tangible property, specifically, personally identifiable information. In the case of these ADA infractions, neither of these triggers has been met. Additionally, many cyber policies will include a specific discrimination exclusion. With that said, several carriers have cyber policies with no such exclusion and have very inclusive or broad language within the definition of Wrongful Electronic Banking Act or even the basic Cyber Liability Insuring Agreement.

With regard to the possibility of coverage within the EPLI placement, we compare this scenario with a similar scenario where a claimant demands that a handicapped ramp be built at a branch location. Both reference violations of the ADA, claiming an individual with a disability cannot access the bank’s services. Just as is the case in the building of the ramp scenario, there are several language obstacles that need to be overcome in the consideration of coverage:

  1. The definition of claim defines when claim coverage can begin. Your definition of claim should include non-monetary damages, just as it does for monetary damages. This will allow for coverage to be considered even if all that is requested is to fix the website.
  2. The bank should possess third-party discrimination coverage, which means that the bank is protected if a third party, not an employee of the bank, is the claimant. Note that several versions of the third-party EPLI coverage extensions include only harassment exposures. Since these allegations relate to the scenario where a third party to the bank is alleging discrimination, it is critical that this extension includes discrimination as well as harassment.

One last comment relating to the possibility of claims coverage is that most insurance policies include some form of the following in the definition of loss:

… Loss shall not include costs to comply with any non-monetary or injunctive relief…

This means that while there could be coverage for defense costs and legal fees associated with defending the bank, as well as any actual financial settlement amounts, there will most likely not be any coverage for actually fixing the website. Just as there was no insurance available to build the accessible ramp, fixing the website would be a cost of doing business and typically is not insurable.

Steps You Can Take
If your institution wants to be proactive, the Department of Justice offers resources advising local governments on making websites accessible. We also recommend the input of counsel prior to responding to any demand letters. Lastly, when considering if or how to respond to such a letter, I would like to reinforce an American Bankers Association report on the matter: “…unlike many other compliance obligations, there is much to be gained from making the world more accessible to the disabled. Not only is it the right thing to do, it is also potentially good for business as it expands the market for bank products and services to the broadest range of customers.”

What Does a Cyber Policy Cover?

A recent report by Prolexic Technologies documents that cyber attacks, including denial of service attacks, have increased by as much as 20 percent during the second quarter of 2013 compared to the first quarter. Partly in response to these increased attacks, the Securities Industry and Financial Markets Association conducted a voluntary test of the security systems of various financial institutions. During the week of July 13th, 50 banks of all sizes were going through the exercise to see how they would respond to coordinated cyber attacks against them. Add to this the exponential rise of mobile devices, and it is no wonder that bank boards are discussing cyber risk at an ever increasing rate.

Board Level Discussions

More and more often, my board presentations include a cyber-risk component. I am no longer surprised to hear directors question the protection of the bank’s non-tangible assets (such as client personal information) as much as they do the money in their vaults. The most common question I get from the board room is, “What can we do to minimize these new risks?” The first discussion is regarding an implementation of a detailed and outlined response plan in the event of a breach of network security. This plan should incorporate all of the people who touch cyber security including the chief security officer, CFO, GC, IT director, and insurance broker/carrier. We then discuss people, process, technology, and insurance. Remember that hiring a top-notch chief security officer, implementing iron-clad processes around breach avoidance/response and purchasing the newest network security solutions will definitely put the bank at decreased risk of attack. But there is no silver bullet that can guarantee that the cyber criminals will not find a way to access your network. And as it is with all risk management, the way to encapsulate and mitigate that slice of liability exposure is through insurance. In the case of cyber exposure, the insurance product is typically referred to as network security and privacy liability or simply: cyber liability.

What is Covered by a Cyber Liability Policy

Believe it or not, this is actually not an easy question to answer. Unlike many other insurance products which cover one exposure, the typical cyber liability policy is almost like a restaurant menu where an insured has a lot of options as to what modules they want included in their policy. At a summary level, a cyber policy can include some or all of the following coverage:

Third Party Coverage (i.e. a lawsuit by a customer or other third party). This policy covers defense costs and ultimate settlement or damages relating to:

  • Network Security: Covers customers bringing suit arising from a breach in network security.
  • Privacy Liability: Covers claims from clients that typically arise from a release of their personal information through a non-cyber breach (i.e. dumpster dive, lost laptop, exposed customer list).
  • Media Liability: Gets involved when a party brings suit alleging online copyright infringement.
  • Regulatory: Provides coverage for governmental or regulatory claims arising from a data breach.

First Party Coverage. This policy reimburses the insured to make the company whole:

  • Crisis Management: Covers public relations services needed in response to a breach.
  • Breach Remediation: Covers costs for credit monitoring, forensics and restoration of data.
  • Notification Costs: Covers costs to notify all customers (as dictated by most state laws) of a breach. This continues to be the single largest frequency of covered cyber claims. One carrier estimates an average notification cost of $30 per customer.
  • Cyber Extortion: Potentially covers the investigation and actual extortion of a breach or credible threat of a breach.
  • E-business Interruption: Covers the loss of income and extra expense resulting from a computer attack (after a waiting period).

Each of these components has a cost associated with them. Based on the coverage selected and the size of the bank (often measured in revenue and/or number of records managed), we see premiums range from $5,000 to $20,000 per $1 million of coverage. So, we recommend a level of due diligence between the broker and the bank to best determine the appropriate cyber coverage for that institution.