Sunday, March 16, 2008

What does a D&O policy cover?

One of my agents just asked me for a brief overview of what a D&O policy is supposed to do. One of his clients has an attorney who is recommending they purchase the coverage (good attorney!!). But apparently, the attorney could not explain to the client's satisfaction *why* they should have the coverage.

Below is a copy of the very high-level overview. Feel free to use it to educate your insureds.

D&O Coverage Overview

By law, directors and officers of corporations bear legal responsibility for certain actions pertaining to their management and oversight of the entity. This responsibility arises generally from the three common law duties of directors and officers. They are:

  • The Duty of Care
  • The Duty of Loyalty
  • The Duty of Obedience


When a director or officer violates one of these duties, claims can arise, brought by shareholders, customers, vendors, competitors, employees, or regulatory or governmental entities. Claims brought by shareholders can be made on their own behalf, or on behalf of the corporation (known as a “derivative” suit).


The corporation may or may not be able to indemnify directors and officers for their legal expenses and any settlements or judgments. Whether the entity is able to indemnify can be a matter of legality, parameters of the bylaws, or financial ability.


Directors and Officers liability policies are a common tool used to ensure that the entity will have the financial means to indemnify directors and officers for their expenses. The policy also removes some of the questions regarding legality or bylaws, because the entity is not forced into an adversarial position with the Ds & Os in order to protect its own assets.


Most directors and officers liability policies for privately-held entities have another coverage feature – the entity is also an insured. This is a recent coverage development, having begun in 1994.


This protection for the entity for claims brought against it for its own actions brings into coverage many causes of loss that used to be considered “business risk” and uninsurable.


Claims from competitors, vendors, and customers regarding business practices, competitive position, corporate conduct, and sometimes even contractual breaches can frequently be subject to coverage at least for defense, and sometimes for indemnity.

Thursday, March 13, 2008

Incident Sensitivity, Part 1 (3/13/08 Knowledge Knugget)



What is "Incident Sensitivity"?

  • The term "incident sensitive" is most common in medical malpractice, but the concept is universal in professional liability and critical in claims-made policies.
  • In D&O policies and some other E&O forms, it's known as a "discovery provision."
  • Incident sensitivity allows the insured to put its carrier on notice of potential claims, circumstances that the insured reasonably believes could give rise to a claim, or an act that could be "wrongful" and result in a later claim.
  • Once such an incident or circumstance is reported, the carrier will respond to a future claim arising therefrom as if that claim had been reported during the policy period.
Why is this important? Tune in to next week's Knowledge Knugget to find out.

Intellectual Property Basics (3/6/08 Knowledge Knugget)



Did you know.....

  • There are two types of intellectual property coverage?
    • One protects your insured against allegations of infringement ("defense" coverage)
    • The other provides your insured funds to protect their own intellectual property against an infringer ("abatement" or "enforcement" coverage)
  • There are over 12,000 IP suits filed annually, with a median cost estimated at 5.5mm
  • Being granted a patent does not mean that your insured is safe from infringing on others. The patent office uses different standards than competitors and courts.
  • IP coverage can extend to copyright, trademarks, and trade dress. It is not limited to patents.

Monday, March 3, 2008

Tech Talk (2/28/08 Knowledge Knugget)

Insureds involved in Information Technology or those with Websites (especially sites which are more than content-only) have unique exposures.

The 2004 CGL form automatically excludes AI/PI for many of these insureds.

The following coverages can be found in technology or cyberliability forms:

  • Intellectual property -- coverage for plagiarism; infringement of slogan, trademark, or copyright; unfair trade practices arising from same
  • Unauthorized access -- unauthorized persons intruding into system, or authorized persons engaging in unauthorized acts
  • Malicious coding or programming -- introduction of viruses or other harmful code

Other coverages may be available. Policies are manuscript, and coverage varies widely.

Sunday, February 24, 2008

Information Risk -- a Mini White Paper

The below information is developed specifically to address the information risk in a continuum of care environment. For non-healthcare or non-residential exposures, some of the exposures are lessened or removed, such as HIPAA, or the heightened exposure when the potential victim of an identity theft is not competent to conduct their own affairs.



Background:

An insured may have control over three kinds of information, the misuse or loss of which can cause harm.

  • Private information (social security numbers, drivers licenses, bank account, credit card, address, familial connections, etc.)
  • Medical information (illnesses, prescriptions, physician relationships, prognoses, genetic predisposition)
  • Mission critical information (client-specific data used to deliver care, billing information, information used to support credentialing and compliance)

Loss or impairment of the first two types of data can result in third party liability. Loss or impairment of the third type can result in business interruption.

From whence does liability arise?

Inherent in an insured’s relationship with its clientele is faith on the clientele’s part that it will be no worse for dealing with the insured than if it had not done so. When a client puts its private, sensitive information in the insured’s hands, it has a right to expect that information will not be intentionally, accidentally, or negligently used to harm the client.

This basic presumption has been bolstered by legislation in many states, and in some federal acts. Requirements for proper caretaking of private information are specifically codified for medical information, and are addressed in various legislative acts pertinent to certain industries, and in some cases, general business. These legislative acts require not only the proper securing of data, but also the notification of clients whose data has been compromised, among other actions.

Additionally, an insured may assume liability through commitments made in its contracts with clientele.

What kind of loss may occur?

A client whose data is compromised may become the victim of identity theft or other fraud. Fraud has long been an issue in an environment where the client may not be fully in charge of his or her faculties, or may be dependent upon others to take care of his or her estate or business and private affairs. This historical exposure has now been complicated by the rampant abuse of private information in establishing false identities, false accounts, false medical identities (to steal medical care), and false working credentials.

Any of these breaches of a client’s identity could cause not only financial harm to the client, but also to his or her estate and/or beneficiaries, as well as untold amounts of stress, emotional distress, mental anguish, time and money spent repairing damage and getting records corrected, and so on.

Loss or impairment of mission-critical information also can compromise the insured’s day-to-day operations and require costly data reconstruction or extra expense to operate emergency backup systems. As a side note, if the entity is not properly protected against loss of data, or does not have a plan to quickly replace lost data that is mission-critical, there could be liability to the directors and officers for failing to have such a plan, especially if the loss of the data impairs patient/client care in any way.

Impairment, loss or misuse of data can occur through malicious actions of intruders, or can be perpetrated by employees. It can also occur accidentally, such as through transmission of data to an unintended recipient, or failure to shred sensitive documentation.

In addition to third party liability and business interruption exposures, the insured is at risk for a reputational loss. Due to requirements to disclose data breaches, it is no longer possible to keep such an event completely quiet. Add to the required disclosure “word of mouth” publication of the event, and the insured can easily be harmed by common knowledge of its inability to safeguard sensitive information.

What coverages can be found?

Many policies today can provide coverage for third party liability for private and medical information. The scope of coverage can vary from web or network-based exposures to physical forms of data, and from solely outsider actions to those perpetrated by an employee. Most policies will cover not only identity theft outcomes to data breaches, but also personal injury damages. Some will provide sublimits for notification costs, and for credit repair costs, as providing credit repair to breach clients mitigates the potential liability loss.

Some of these policies will also extend coverage to first party exposures. The causes of loss revolve around hacking, denial of service attacks, viruses, and other technology-driven actions. Many insureds rely upon their backup systems as protection from business interruption due to information loss. However, backup tapes may not be as current as expected, duplicate systems can be expensive, and technology-driven loss of data does not trigger an EDP policy or the business interruption provision of a property policy. Therefore, most insureds are bare on this exposure.

Identity Theft Basics (2/21/08 Knowledge Knugget)



  • Identity theft incidents led to 45 billion dollars of loss in 2007
  • More than half of the thefts surveyed occurred via physical media versus electronic means
  • Your insured can have liability for information breaches due to tort, contract or legislated obligations
  • Network security/information policies can cover both third and first party liability exposures (legal liability and business interruption)
  • Some policies cover losses perpetrated by employees
  • Coverage can be purchased on a monoline basis, or as part of a professional liability or other type of package or executive protection policy

Sunday, February 17, 2008

Sarbanes Oxley & Nonprofits (2/14/08 Knowledge Knugget)

Did you know that many nonprofit organizations are subject to provisions of Sarbanes-Oxley?

* Nonprofits with revenue greater than $1,000,000
* Nonprofits expending more than $500,000 of federal funds
* Must comply with certain Sarbanes-Oxley provisions regarding audits.


Failure to comply can result in personal liability for the directors and officers. Check your nonprofits' D&O coverage to make sure it is up to date and limits are adequate.