Cyber Liability Insurance – Important Policy Provisions

Got Cyber Liability Coverage?  Does your business reside in a state where coverage for punitive damages are prohibited?  If so, make sure your policy contains a well-worded “most favorable jurisdiction” provision…

Coverage of Punitive Damages

Punitive damages are intended to punish a defendant (rather than compensate a plaintiff/claimant for a specific loss) and, in effect, are awarded to “send a message” that the defendant’s conduct in causing the claim was unusually objectionable or egregious. The ultimate intent of punitive damages is to deter such actions by this insured (and others) in the future. A significant minority of states, including California, New York, Pennsylvania, Florida, and Illinois, bar or restrict the extent to which punitive damages may be covered by insurance. Nevertheless, cyber and privacy policies generally include coverage of punitive damages except to the extent to which such coverage is prohibited (as in the aforementioned states).

Most Favorable Jurisdiction Provisions

Within the past decade, liability insurers of all kinds have attempted to sidestep the kinds of state-specific prohibitions against coverage of punitive damages noted above, by means of what are known as “most favorable jurisdiction” provisions. Such wording states that, with respect to the insurability of punitive damages (also sometimes called “multiplied” damages), the law of the jurisdiction most favorable to the insurability of punitive damages will apply, provided the jurisdiction meets one of the following criteria.

  • It is the jurisdiction where the punitive damages were awarded.
  • It is the jurisdiction where the act giving rise to the punitive damages award occurred.
  • It is the jurisdiction where the insured is incorporated or maintains its principal place of business.
  • It is the jurisdiction where the insurer is incorporated or maintains its principal place of business.
An Example

A company is incorporated and does most of its business in California, where coverage of punitive damages is prohibited. However, the company’s cyber and privacy policy form is written with a most favorable jurisdiction provision. Thus, as long as punitive damage coverage is not barred in the state where (1) punitive damages were awarded, or (2) the wrongful act giving rise to the punitive damages award took place, or (3) the cyber/privacy insurer is incorporated, coverage for punitive damages will be available under the policy.

When Most Favorable Jurisdiction Provisions Are Critical

Most favorable jurisdiction wording is especially important if, for example, a claim is brought in a state where coverage of punitive damages is prohibited by law despite the fact that the applicable cyber and privacy policy provides such coverage. Under these circumstances, in the absence of most favorable jurisdiction wording, coverage may not be available, even if the claim were made under a policy that affirmatively covered punitive damages.

Accordingly, most favorable jurisdiction wording is imperative when (a) purchasing a cyber and privacy policy in a state where punitive damages are not insurable and (b) for a corporation that has multistate operations and is therefore unable to predictwhere the claims seeking punitive damages will arise.

Two Limitations of Most Favorable Jurisdiction Provisions

First, it is important to recognize that most favorable jurisdiction wording merely modifies the existing level of coverage for punitive damages already provided by a cyber and privacy policy. It does not provide such coverage if punitive damages are otherwise excluded (although this is unusual under cyber and privacy forms). However, if such a policy is written with punitive damages coverage, an endorsement providing most favorable jurisdiction wording should, of course, be requested, if most favorable jurisdiction wording is not already incorporated within the policy form.

Second, the enforceability of most favorable jurisdiction wording has never been tested in court. As a result, it is recommended that insureds request such wording (if it is not already included within a cyber and privacy insurance policy) but should not be required to pay additional premium for a most favorable jurisdiction endorsement. This is because its legal enforceability has not yet been proven; therefore, an insurer’s liability for payment under such an endorsement remains uncertain.

About the Author: