“You keep using that word. I do not think it means what you think it means.”
– Inigo Montoya
In Part 2 of this series, we discussed the need to have (and understand) PCI DSS coverage as part of your cyber insurance program, especially if you conduct on-line business. In this installment, we’ll take a look at the wonderful world of legalese in cyber insurance contracts, containing mountains of vague and confusing language no doubt crafted by teams of lawyers incapable of writing in plain English.
For purposes of transparency, I am a lawyer and have been guilty of drafting complex commercial contracts and insurance provisions incorporating this awful language that rightly stereotypes us. The reason for this probably begins with the bloodless lobotomy that is called law school. During these three years, we endured a re-education leading to the magical ability to conceive of every possible outcome to a situation that could lead to loss. This ability was sharpened after clients began hiring us to prepare or revise contracts in order to help them get the best of the deal with their counterparts, leading to a competitive desire to “win” the drafting battle.
The result is contract language that can at times be overbroad, vague, ambiguous and confusing, especially to the lay reader. Under the law, such language in insurance contracts is typically interpreted in favor of the insured party and against the insurer depending on the circumstances. However, that doesn’t mean the insurer won’t attempt to steer such a provision in its own favor first, especially where there could be millions of dollars in insurance proceeds on the line. An unwary insured party would ultimately have to file a lawsuit against the insurer, and then hope the court agrees that the language was problematic such that it should be interpreted against the insurer. Those lawsuits cost a lot of money, take a lot of time, and many times lead to the opposite result.
Sit down and take a close look at your insurance policies if you dare. You will find a complex document containing numerous pages of legalese forms and small print understandable primarily by sophisticated lawyers. Failure to negotiate or clarify this language can be dangerous, especially in the Wild West of cyber insurance where there are numerous carriers providing varying coverage, and the cyber/legal landscapes are much less developed. Al Berman of the Disaster Recovery Institute was correct in stressing the need for legal counsel in selecting cyber insurance given the wording of policies.
Let’s say your insurance policy excludes “claims arising out of, based upon, or in any way related to any actual or alleged fraud against you.” This has multiple problems, which we’ll break down in order. First, the phrase “arising out of, based upon, or in any way related to” is overbroad and could expand far beyond the scope of what the insurer is really trying to exclude. For the sake of clarity, if an insurer is seeking to exclude coverage for claims of fraud against you, then it should just speak plain English and exclude “claims for fraud against you.”
The follow-up phrase “actual or alleged” is likewise overbroad. Good lawyers will craft a complaint asserting numerous alternative theories of liability, many times to leverage early settlement positions. For example, lawyers may include in such a list a claim that you engaged in fraud through your actions and they will be pursuing punitive damages as a result. Depending on your policy, that fraud allegation may have just lost you insurance coverage, even if such as claim is without merit. In order to avoid this problem, consider requesting that such claims can only be excluded upon “final non-appealable adjudication by a court of competent jurisdiction” (i.e., a court of law determines that you were in fact fraudulent). Then make sure there is language ensuring you still have coverage for the remaining non-fraud claims permitted under the policy.
Long story short, your policy language will have changed from excluding “claims arising out of, based upon, or in any way related to any actual or fraud” to “claims of fraud against you, pursuant to a final non-appealable adjudication by a court of competent jurisdiction.” In the end, a more level playing field with your insurer results.
This is just one example, and you’ll find these language issues in most types of insurance, not just cyber insurance. There are many other phrases (don’t even get me started on “reasonable and necessary expenses”) which can blindside you if you haven’t gone through your policy with counsel. Make sure to do this well in advance of signing on the dotted line and paying your premium, as there is much less incentive to negotiate language after receiving your funds.
KEEFER is your ounce of prevention.
