For the answers to these questions and for information as to how some courts view the water exclusion, see Water Exclusion Clause.

Two New ISO Coverage Forms

I

n December 2004, the Insurance Services Office (ISO) revised many of the additional insured endorsements. In addition to this work on additional insured endorsements, ISO also began offering two new miscellaneous liability coverage forms: CG 00 65 12 04 and CG 00 66 12 04.

CG 00 65, electronic data liability coverage form, is a claims-made form that applies to sums that the insured becomes legally obligated to pay as damages because of loss of electronic data. Loss of electronic data means damage to, loss of, loss of use of, corruption of, inability to access, or inability to properly manipulate, electronic data. Since the revised CGL form specifically excludes coverage arising out of such loss, there was a clear need for CG 00 65.

CG 00 66, product withdrawal coverage form, provides two coverage insuring agreements.

Coverage A will reimburse the named insured for product withdrawal expenses incurred because of a product withdrawal from the market place or from use by any person or organization; this withdrawal can be due to the named insured taking the initiative or if an authorized government entity orders the withdrawal. The withdrawal expenses that are covered include: the cost of replacing the product or repairing the defect in the product; costs of notification; costs of stationery, envelopes, and production of announcements; costs of overtime paid to employees; costs of transportation, shipping, or packaging; costs of storage space; and costs of proper disposal of the products.

Coverage B applies to sums that the insured becomes legally obligated to pay as damages for product withdrawal expenses incurred because of a product withdrawal. This insurance applies to damages for product withdrawal expenses incurred because of a product withdrawal only if the product withdrawal is initiated in the coverage territory during the policy period, and if the product that is withdrawn was produced after the cut-off date designated in the declarations (that is, coverage is going to apply only to the products that are produced after the date noted in the declarations and not to those products produced prior to that date).

General Liability Policy Does Not Apply to Violation of Privacy Claim

The Telephone Consumer Protection Act (TCPA) provided for a private right of action against an entity charged with violation of one's privacy through the use of telephones, computers, or faxes to send an unsolicited advertisement to a fax machine. A Fourth Circuit court decision has found that the CGL form does not provide insurance coverage for such a claim. The case is Resource Bankshares Corporation v. St. Paul Mercury Insurance Company, No. 04-1946, No. 04-1962. 4th Cir. May 11, 2005.

The basis of this case was a class-action complaint alleging that Resource violated the TCPA by engaging in the mass transmission of unsolicited fax advertisements over a period of four years to an unknown class of recipients. Resource notified St. Paul of the lawsuit and claimed coverage under its general liability policy; St. Paul denied coverage. When this dispute over coverage ended up in court, a district court held that a claim for property damage under the CGL form was inapplicable because Resource's conduct was not an accident; but, the court went on, the advertising injury offense provision did apply because the faxes violated the recipients' right to privacy. Both Resource and St. Paul appealed.

The appeals court found that the TCPA prohibits all unsolicited advertisements sent by fax. In this instance, Resource offered no evidence that would cause a reasonable person to believe that Resource had received prior express consent to send its fax ads. Resource plainly intended to transmit unsolicited faxes; it failed to show that it had permission to send the faxes. Therefore, Resource's actions were definitely not an accident. The district court's view was upheld; the claim for property damage was not covered.

As for the advertising injury claim, the appeals court posed the question of whether, when read in context, a reasonable purchaser of insurance would believe that the sort of privacy interests protected by the policies overlap with the sort of privacy with which the TCPA is concerned. The court found that the St. Paul policy did not cover the sorts of privacy invasions envisioned by the TCPA's unsolicited fax prohibition. The policy focused on a victim of the advertising injury being harmed by the sharing of the content of the ad and not the mere receipt of the ad. In this instance, Resource's faxes merely violated the recipient's seclusion and did not cause damage due to the content of the faxes. Therefore, the advertising injury coverage did not apply. The lower court's opinion was reversed.

In sum, the appeals court held that the general liability policy did not compel St. Paul to defend Resource against violation of privacy claims.

There are two interesting items to note here. Several cases from around the country are cited in this decision, cases wherein insureds seeking coverage for defense of TCPA lawsuits have been supported by the courts. And, perhaps due to these cases, ISO has created an endorsement, CG 00 67 03 05, that excludes coverage for violation of statutes that govern e-mails, fax, phone calls, or other methods of sending material or information. The purpose of CG 00 67 is to exclude BI, PD, and personal and advertising injury arising out of any action or omission that violates (or is alleged to violate) the TCPA, the CAN-SPAM Act of 2003, or any other similar statute.

Worker's Injury Did Not Arise out of Employment

In February 2002, Blankenship was temporarily laid off work due to a decrease in business. During this time, the employer posted a notice at its facility that medical evaluations for upper body strength would be performed on those employees interested in applying for new jobs being created in the plant. These new jobs required the ability to lift twenty-five pounds and an occasional lifting of seventy pounds. Blankenship took the strength test on the employer's premises; she did not pass. Immediately upon completing the strength test, the employee began to experience weakness in her back. This led to back pain and leg pains. A doctor diagnosed her as suffering a bulging disc and she was given a permanent physical impairment rating of five percent to the whole body. She reported the injury to the employer and sought workers compensation. The claim was denied and a lawsuit resulted.

The trial court heard testimony that taking the strength test was voluntary and that the employees were not paid to take the test. Testimony was also given that employees on temporary layoff status (such as Blankenship) were still regarded as employees of the company. The trial court found that the injuries here did not arise out of employment. The court said that there was no element of compulsion to this taking of the test and that Blankenship was not paid for her efforts. An appeal was made to the Supreme Court of Tennessee prior to oral argument before the WC appeals panel.

The court said that to be eligible for workers compensation, an employee must be injured by accident arising out of and in the course of employment. And, the statutory requirements that the injury arise out of and occur in the course of employment are not synonymous. An injury occurs in the course of employment if it takes place while the employee was performing a duty he or she was employed to perform; this focuses on the time, place, and circumstances of the injury. In contrast, arising out of employment refers to causation. An injury arises out of employment when there is a causal connection between the conditions under which the work is required to be performed and the resulting injury; that is, mere presence at the place of injury is not enough.

In this case, the employer argued that the injury did not arise out of and occur in the course of employment because taking the test was strictly voluntary and the employee was not compensated. The employee argued that her injury was compensable because the employer paid for the strength test, scheduled and conducted the test on the employer's premises, and because the test was open only to employees, not the general public. The Supreme Court agreed with the employer and the trial court, and decided that the injury did not arise out of employment. This was because the record failed to establish a causal connection between the conditions of the job and the injury. The court said that the injuries did not result from a danger or hazard peculiar to the work and was not caused by a risk inherent in the nature of the employee's work. Indeed, the court said, the employee was injured while undertaking an unpaid voluntary test as part of the application process for a job that Blankenship did not have and may not have even gotten. This injury was merely coincidental, contemporaneous, and collateral with the employment and it was not compensable.

The case is Blankenship v. American Ordnance Systems, No. W2004-00866-SC-R3-CV, May 12, 2005.

Employee Traveling to New Duty Not Acting within Scope of Employment

Nationwide Mutual Insurance Company appealed a district court's summary judgment against it in an insurance coverage dispute involving an auto accident. The case is Nationwide Mutual Insurance Company v. Liberatore, No. 04-15744, D.C. No. CV-03-05903-LJO, May 12, 2005. This is a case from the Ninth Circuit Court of Appeals.

In this case, Liberatore was traveling from his permanent duty station (U.S. Navy) in Norfolk to a temporary additional detached duty in California . The travel orders did not impose specific restrictions on Liberatore's travel or activities. Indeed, Liberatore understood that he would have some free time during his trip. Before reporting for duty, Liberatore rented a car, picked up a friend, and was driving to Nevada to spend the night. During this trip to Nevada , there was an accident and Liberatore suffered minor injuries; his companion was seriously injured. Liberatore was arrested at the scene of the accident and charged with driving under the influence.

The accident spawned two related lawsuits: an underlying civil action filed by the companion alleging negligence against Liberatore, and a declaratory judgment action filed by Nationwide against Liberatore. Nationwide insured Liberatore under an auto policy at the time of the accident.

The central issue in both cases was the scope of employment. The U.S. government filed a motion arguing that Liberatore was not acting within the scope of his employment at the time of the accident; Nationwide argued that he was and so, its policy did not apply. The trial court concluded that Liberatore was not acting in the line of duty and Nationwide was the insurer of record. Nationwide appealed.

The court of appeals noted that whether a member of the armed forces of the U.S. was acting within the scope of his employment depends on whether the individual was acting in the line of duty. Since the accident happened in California, California provided the controlling law for the appeals court. California law held that an employee was acting within the scope of employment when the conduct is not so unusual or startling that it would seem unfair to include the loss resulting from that conduct among the costs of the employer's business. In other words, was the risk one that may fairly be regarded as typical of or broadly incidental to the enterprise undertaken by the employer? The court found that this test has been interpreted broadly to include within the scope of employment an employee's acts of personal convenience during working hours, as well as acts of the employee that combine personal business with the business of the employer.

The appeals court concluded that Liberatore was not acting within the scope of his employment by the government at the time of the accident. The court said Liberatore was on a frolic of his own in which he substantially deviated from his employer's purposes. The fact that the Navy had no objection to Liberatore's use of his free time and the car for personal purposes did not render his conduct in this case within the scope of his governmental employment. Liberatore's personal conduct was not so foreseeable by his employer that his employer could fairly be held accountable for damages resulting from an accident caused by that conduct. The district court's opinion was affirmed.

Identity Theft, Credit Cards, and Bears, Oh My!

OK, we made up the part about the bears. But lately, it seems, hardly a week goes by that we do not hear about another breach in a supposedly secure site, or a loss of personal data. So far, the estimated number of persons that had their personal data accessed are as follows: ChoicePoint, 145,000 (and possible more), DSW Shoe Warehouse, 1.4 million, LexisNexis, 310,000. Bank of American lost back-up tapes containing social security numbers for 1.2 million customers. Time Warner recently announced that back-up tapes with data of some 600,000 past and present employees were lost on the way to a data storage facility. Other, less publicized retail security breaches occurred at Polo Ralph Lauren, BJ's Wholesale Club, and Chipotle Mexican Grill.

The retailers pose a problem that might not respond to an easy fix. The magnetic strip of a credit card contains not only the number that appears on the front, but also a secret three-digit number encoded in the strip. This number can be used to create fake credit cards. The name on the front can therefore match the counterfeiter's name, while the card number (and the code) will match the unwary victim's. The check-out counter technology has been to blame for this—check-out systems are supposed to store the information only as long as it takes to transact the sale (or, if stored longer, protect the information). If the information is stored without some protection, such as encryption, it becomes a target for thieves. Currently, the check-out software vendors are working to secure the process. Visa and MasterCard, and other credit card associations bar storing the data at all beyond the sale transaction.

A recent article by Mitchell Pacelle in the Wall Street Journal (“How MasterCard Fights Against Identity Thieves,” May 9, 2005) might give some comfort. It seems the senior Vice President of MasterCard had his credit card information stolen by someone who knew his social security number, date of birth, and mother's maiden name, and who attempted to secure a new card. He was unaware of the theft until the next day when his bank called to ask if indeed, he had requested a new card. Luckily, he was able to shut down the account just before the thieves had begun to wire-transfer cash from his credit card. (MasterCard has a strong anti-phishing program in place. Consult the article for information, which incidentally includes information on how risk managers might protect their companies.)

A suggestion by Thomas F Chapman of Equifax, that consumers should regularly monitor their credit, on the surface is sensible were it not for the fact that consumers (after the annual free report) must pay for this service. Ordering credit reports, or paying a service to monitor unusual activity, appears to suggest that the focus be shifted to the victim rather than those responsible for not protecting consumer data in the first place.

Online banking is a well-known vulnerability in the United States . Europe is ahead of us in keeping this information secure. Here, frequently an account can be accessed with the user name and a password. But in many European banks, the process is different.

One British bank requires the on-line customer to enter his or her last name, a twelve-digit membership number (note, NOT an account number), a five-digit pass code, and two characters of another password. Another asks for birth date and PIN number, and then randomly changes the required information. Another bank issues customers a device that gives random codes as part of the log-in process. Remember, on-line banking is being encouraged here to save costs. Customers will not use the system if they feel their information can easily be compromised. On the other hand, the thief in the MasterCard executive's case turned out to be the girlfriend of a bank employee.