Arbitration and Mediation Can Solve Cyber Insurance Disputes

Published in Law360 by Daniel Garrie, Howard Miller, Yoav Griver

As the number of attempted and successful cyber-attacks increases, interest in cyber liability insurance increases as well. This is unsurprising. Cyber claims are increasing every year,[1] and even one successful cyber-attack could cause the exposure of millions of confidential records and concomitant dollar losses. Many of these cyber policies contain alternative dispute resolution (ADR) provisions mandating that the parties participate in binding or non-binding mediation and/or arbitration in place of, or prefatory to, litigation.[2] So, the question should be asked: when it comes to cyber insurance claims, does ADR work? Should policyholders object to or fight the inclusion of ADR clauses in policies of insurance covering cyber risks?

Litigation over ADR clauses in cyber policies is already happening, as policyholders try to elide pre-dispute ADR requirements contained in their cyber liability policies.[3]  Since such litigation may itself defeat the ADR goal of efficient resolution of the dispute, it is useful to step back and consider some of the basic policyholder objections to ADR provisions.  In general, ADR features (i) confidentiality protections that screen out media coverage; (ii) no trial by jury; and (iii) restricted grounds for appeal.[4]  Though often objected to by cyber policyholders, these three factors may benefit them.

Consider, for example, ADR’s confidentiality protections. Policyholders often think that publicity benefits them, as negative publicity could spur settlement by the insurance company. In cyber situations, however, this potential benefit will likely be far outweighed by the many and varied disadvantages of a public airing of the dispute between policyholder and insurance company. Cyber coverage disputes often involve an exchange of sensitive or confidential information of the policyholder,[5] including weaknesses in its systems and cyber-defenses[6] and alleged failure of due diligence in choosing what systems to implement and maintain.[7] Indeed, depending on the type of coverage defense asserted, discovery could lead to the exchange of damaging information about internal processes and procedures and cyber defenses, adequacy of funding for cyber-defense, quality of decision-making processes, and existence of other system vulnerabilities. A prudent policyholder may not want these facts, and the extent of its available insurance coverage, publicly available as it deals with the civil litigations, regulatory scrutiny, and second-guessing that often accompany a cyber breach.[8] Likewise, a policyholder may not want to risk a public and precedential court ruling that its defenses are inadequate, or misrepresented, or not properly thought through.

In a court proceeding these various publicity risks can be mitigated (but not eliminated) by entry of a customary protective/confidentiality order and, in certain narrow situations involving particularly sensitive information, by sealing orders.  However, such ad hoc confidentiality protections are left to the court’s discretion and remain subject to the overarching default principle that court proceedings should be open to the public.  By contrast, the parties to an ADR procedure can contract at the beginning for an entirely confidential arbitration process that will be completely opaque to any non-party.

The second potential policyholder concern is the replacement of a jury by a mediator or arbitration panel. Many policyholders fight arbitration clauses hoping to be in front of a jury when disputing with an insurance company. But cyber insurance disputes may be an area for policyholders and their counsel to reconsider this long-standing preference. In the cybersecurity context, the use of a pool of technically-knowledgeable fact-finders, instead of a jury, may be beneficial to the policyholder. The standard arbitration clause in AIG’s Cyber Edge plan already requires that all members of the three-person arbitration panel must have at least ten years of related industrial experience, and that the arbitration process will be conducted using ARIAS•U.S. Arbitration Rules.[9] In negotiating a cyber policy, a broker or prospective policyholder may have the opportunity to further sharpen and refine the arbitrator’s qualifications from the standard[10] and, for example, insist on one or more arbitrators or mediators with corporate experience that puts them in a position to deal with cyber-related exposures and understand the “cost versus protection” trade-offs that often must be made.[11]

Such pre-qualified ADR fact-finders will likely be more sophisticated than most judges and juries about the nature of cyber risks and the challenges policyholders face in securing appropriate cyber coverage and dealing reasonably and comprehensively with cyber risk, including the feasibility of preventing a cyber incident based on technology and relevant standard of care as it existed at the time of the incident.  And, as here, where cyber policy language is not yet standardized in the market, it may help to have decision makers who read policies frequently and can compare how the language in a specific cyber policy matches up to policies that have endured more testing and been modified to adjust for lessons learned.   Hence, a policyholder may benefit from, and arguably should prefer, ADR decision-makers that offer a level of expertise with both policy language and technical cyber issues that may be missing from judges and jurors at this time.

Finally, the restricted grounds for appeal in ADR, together with the more limited discovery and other ADR limitations, seek to make ADR more efficient and cost-effective for all parties to the process, including the policyholder.  As part of this attempt at efficiency, in evaluating ADR provisions, it is important for a policyholder who is party to an insurance tower to be able to have efficient, consolidated proceedings that resolve coverage issues for the entire tower and avoid the very great cost and complexity of multiple ADR (or a mix of ADR and litigation) proceedings to resolve one event.[12]

Many policyholders instinctively oppose the inclusion of ADR clauses in their insurance policies and related agreements, preferring the comfort and familiarity of a court and jury. As discussed, however, given the complexity of the issues in cyber coverage disputes, this may be an area for policyholders to reconsider their concerns and proceed to the benefits of a confidential and cost-effective ADR process that features qualified decision-makers.

[1] See, e.g., New Hotel Monteleone, LLC v. Certain Underwriters at Lloyd’s of London, No. 2015-11711 (Civ. Dist. Ct. for Orleans Parish, Louisiana) (declaratory judgment action regarding whether policy bound to sublimit or entitled to full limit of liability in Ascent Policy No. ASC14C000944 as result of cyber incident in which consumer payment card numbers were allegedly compromised).

[2] ADR provisions are a creature of contract and are to be strictly enforced according to their plain language.  See, e.g., Stolt-Nielsen S.A. v. Animal Feeds International Corp., No. 08-1198, 2010 WL 1655826 (U.S. Apr. 27, 2010) (holding that where an arbitration agreement is silent on the question of whether class arbitration is authorized, the parties’ consent to class arbitration may not be inferred absent evidence of the parties’ intent or a governing rule of law authorizing that inference); Green Tree Fin. Corp. v Bazzle, 539 U.S. 444 (2003) (remanding to arbitration panel question of whether class action arbitration authorized where arbitration agreement is silent).  Accordingly, it is important that every policyholder and broker read the provision carefully, as they will be held to its terms.

[3] See, e.g., Columbia Cas. Co. v. Cottage Health Sys., 2015 US Dist. LEXIS 93456 (C.D. Cal. July 17, 2015) (dismissing action where insurance policy required that a mediation take place before any lawsuit initiated).

[4] Amway Global v Woodward, 744 F Supp 2d 657 (E.D. Mich. 2010) (discussing arbitration features in the course of upholding arbitration panel’s merits decision).

[5] See, e.g., Music Grp. Macao Commer. Offshore, Ltd. v Foote, No. 14-cv-03078-JSC, 2015 US Dist. LEXIS 81415 (N.D. Cal. June 22, 2015) (extensive, sensitive documentation regarding cybersecurity policies disclosed).

[6] See In re Anthem Data Breach Litig., 162 F. Supp. 3d 953 (N.D. Cal. 2016) (alleging insufficient security measures).

[7] See In re Heartland Payment Sys., Customer Data Sec. Breach Litig., 834 F. Supp. 2d 566 (S.D. Tex. 2011).

[8] See In re Heartland Payment Sys., 851 F. Supp. 2d 1040 (S.D. Tex. 2012) (disclosure of data security breach followed directly by putative class action comprising over one-hundred million plaintiffs).

[9] See American International Group, Inc. (AIG) Cyber Edge Cyber Liability Insurance, a copy of which may be found online or by contacting the authors of this article.  ARIAS•U.S. is a nonprofit corporation dedicated to improving the insurance and reinsurance arbitration process for the international and domestic markets. In this regard, ARIAS•U.S. certifies a pool of qualified arbitrators that parties involved in a dispute can use in resolving insurance-related disputes.

[10] The selection of arbitrators can even go so far as to include religious qualifications in religion-based arbitrated disputes, although this is not recommended for commercial disputes. See generally, Spivey v. Teen Challenge of Florida Inc., 122 So. 3d 986 (Fl. 1st Dist. Ct. App. 2013); Liebermann v. Liebermann, 566 N.Y.S.2d 490 (N.Y. Sup. Ct., Kings County 1991).

[11] See, for example, AMERICAN ARBITRATION ASSOCIATION, COMMERCIAL ARBITRATION RULES Rule 12 (2016) (providing for how an arbitration panel will be appointed “unless the parties agree otherwise”).

[12] CONSOLIDATION OF ARBITRATIONS, 2 AMERICAN ARBITRATION ASSOCIATION, LAWYERS’ ARBITRATION LETTERS, 1970-1979, 200 (1981); see, e.g., Compania Espanola de Petroleos, S.A. v. Nereus Shipping, S.A., 527 F.2d 966, 975 (2d Cir. 1975), cert. denied, 426 U.S. 936 (1976) (allowing consolidation under the FAA); Garden Grove Community Church v. Pittsburgh-Des Moines Steel Co., 140 Cal. App. 3d 251, 262, 191 Cal. Rptr. 15, 19-20 (1983) (allowing consolidation under California state law).
