The Rutgers (N.J.) spying case and the Penn State abuse scandal, among others, highlight the liability risks of all types facing colleges and universities. From the other end of the risk spectrum, Tulane University’s (La.) long struggle to rebuild and recoup losses stemming from Hurricane Katrina illustrates the complexity of property damage risk management. In an era in which liability risks keep multiplying and natural disasters seem to have grown more intense, general counsels of colleges and universities should ensure that their existing liability policies cover the myriad complex liabilities and losses that they may face.
Below are three growing categories of claims colleges and universities should watch out for, the types of insurance that address them, and steps to maximize insurance recovery following a loss.
As the Penn State Jerry Sandusky scandal has highlighted, colleges and universities are susceptible to sexual transgression crimes and face civil liability from victims. Penn State faces enormous potential liability. It has been reported that the school spent $17 million on the Sandusky crisis as of June 2012, including $1.6 million on legal defense for others involved in the scandal. In the face of such costly exposure, a policyholder has a few insurance tools at their disposal.
As with all liability losses, when faced with a loss, think insurance. Faced with this kind of potential liability, a college or university counsel should turn to its internal insurance professionals, outside risk management consultants or to its brokers to provide proper notice and seek coverage from every potentially available insurance policy.
For example, certain claims against the institution or its officers may be covered by the Director’s and Officer’s (D&O) liability insurance policy. Further, claims for liability for injury or damage may be covered by general liability insurance policies, and claims related to professional negligence may be covered by professional liability insurance policies.
D&O policies often cover the cost of defending the directors and officers against lawsuits pending against them, and may cover the institution itself, as well. The broad coverage grant under D&O policies often represents an advantage for policyholders, as such policies generally provide coverage for “any wrongful acts.” However, beware of overly broad assertions of coverage defenses that insurance companies often express in the event of a claim. For instance, insurance companies routinely assert the “bad acts” exclusions, refusing to advance defense costs as the policy requires. In most policies, however, such exclusions are only enforceable after a “final adjudication” of wrongdoing—that is, a final non-appealable court judgment that the excluded conduct occurred and activates the exclusion. Settlements in which the defendant “neither admits nor denies” wrongdoing do not qualify as “final adjudication” in most policies. Further even if the exclusion is activated, there may be coverage for non-excluded claims.
General liability insurance and professional liability insurance should also potentially provide defense cost coverage. For example, allegations of bodily injury, personal injury or property damage may well trigger general liability insurance, and the concomitant duty to defend. Similarly, if any breach of professional standards or duty is alleged, a professional errors and omissions (E&O) liability insurance policy may provide a defense. Note that insurance companies sometimes engage in post-loss underwriting—meaning that they second-guess what the policyholder disclosed in the application, using the benefits of hindsight. One of Penn State’s insurance companies reportedly attempted to deny insurance on the grounds of a failure to disclose information Penn State allegedly had in its possession.
Privacy: Data Breach and Cyber Risk
Colleges and universities require and collect a good deal of sensitive information and as a result are tasked to safeguard health records, financial information, social security, and other sensitive information. But in a world where no institution, however sophisticated its computing systems may be, is immune from hackers and data breaches, colleges and universities will likely face this area of inevitable risk. Every year, many colleges and universities fall prey to hackers potentially compromising the information of thousands of students and employees. Colleges and universities face a number of sources of regulation regarding the data they handle, such as: (1) The Family Education Rights and Privacy Act (FERPA) 34 CFR Part 99; (2) The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”); (3) other federal statutes or statutes of non-U.S. jurisdictions; and (4) many state data privacy laws. This increasing regulation leads to increasing potential liability exposure and the need for insurance risk transfer mechanisms.
Policyholders have been successful in obtaining coverage for losses arising from security breaches from traditional general liability policies, D&O and E&O, and commercial crime policies. A recent federal appeals court decision found that the Computer Fraud Coverage rider to a commercial crime policy covered a breach of data resulting from a hacking incident and the resulting costs incurred to remedy it.
Never an industry to avoid a chance to collect insurance premiums, insurance companies now frequently promote standalone cyber insurance policies to redress the perils of data security breaches. Typically, these standalone policies claim to cover the costs incurred following data breaches, including those incurred by notifying people whose information has been compromised, providing credit-monitoring services to those affected, hiring computer consultants to decipher the causes of the breach and to remedy them, and indemnity and defense against suits alleging online copyright or trademark infringement, among other measures. Whether you need such coverage depends on the particulars of your risk profile and the specific wording of relevant portions of your traditional policies. An excellent risk manager or broker can help determine if there is an insurance product that fits the needs of a college or university, but given the nascent state of the market for such coverage, a careful and skeptical view should be used.
However, no amount of cyber insurance can substitute for diligence in securing networks. In fact, due diligence failures can be fatal to coverage. Colleges often are required to warrant as part of the underwriting process for cyber insurance that security measures are in place before insurance companies will agree to sell a policy.
Just as technology keeps evolving, the area of cyber insurance, both under traditional policies and the new standalone policies, develops as well. Educated consumers will continue to reap better results than the ignorant.
Property Damage: Hurricanes and similar property losses
In the wake of Hurricane Katrina, most universities on the Gulf Coast either suspended classes or shut down for an extended period of time, which led many students to enroll at other colleges or sit out the year. The physical and financial damage to local universities was unprecedented—and as is often the case in unanticipated crises, insurance companies were quick to contest and deny claims.
In the aftermath of Hurricane Katrina, Tulane University’s campuses experienced extensive property damage, including the loss of research-related assets, fine arts materials, equipment, building contents, and valuable documents. According to a 2005-2006 financial report, the university incurred significant costs to replace, repair, and remediate damage to its property, demolish and remove damaged improvements and ruined contents, and reconstruct facilities and building premises. The hurricane caused an unavoidable interruption of Tulane’s business.
It has been reported that appraisal experts valued Tulane's business interruption losses, lost library and arts materials, and lost research in excess of $250 million. The university's insurance policies in effect at the time of the hurricane included all-risk property, casualty, library and fine arts, and specialized equipment. While it eventually recovered large sums under various policies, that recovery required a fight, and the university was even involved in litigation with the insurance company for library contents over the extent of coverage under that policy. Tulane also was involved in a protracted fight with an excess insurance company over whether flood and water damage were covered.
When faced with significant loss on account of property damage following a natural disaster, colleges and universities should look to their property policies and various other specialized policies. Again, working with your risk management professionals to identify all potentially applicable insurance policies that might provide coverage and then providing proper notice promptly are the first steps.
In the property insurance context, the “notice” issue has extra twists. Many property insurance policies—which also provide coverage for loss of income on account of an insured event—contain a so-called suit limitation provision, which purports to limit the ability to file an action against the insurance company to a relatively brief time frame after the loss. Further, the policies may require the submission of a “proof of loss” form and report. Complying with the terms of the policy and obtaining agreement from the insurance company on timing can ease the claims process.
Particularly important in these scenarios is the business interruption clause often contained in CGL policies, which purports to cover “the actual loss of business income you sustain due to the necessary suspension of your 'operations' during the “period of restoration.” Business income losses are usually calculated based on net profit expectancies as they existed prior to the loss. However, insurance companies may deny coverage based on your university not having to sustain a complete shutdown of operations, a position contradicted by the case law.
Five Tips for Maximizing Coverage
- Locate your insurance policies. Work with your insurance professionals to locate, categorize and safely store all insurance policies. For certain long-term claims, old insurance policies may apply, so include old “occurrence-based” policies that still are in force even though the policy period has ended.
- Give notice. Formal notice can take different forms. Is it a “notice of circumstance” potentially giving rise to a claim? Notice of a claim? Are there deadlines for a “proof of loss?” Develop a timetable for the claim and communications with the insurance company. Often, notice is given through the insurance broker.
- Use care on the application. At renewal time, do not help your insurance company with its future post-loss underwriting argument by not disclosing. Make proper disclosures and negotiate to avoid the need for applications, representations and warranties, if possible.
- Do not accept the initial denial. Claims departments are cost centers run to protect the profit of their insurance company parents. Remember to disagree with their denial. They know that for every 100 denial letters sent an appreciable proportion of claims “disappear” and their profit margin goes up. Let others with insurance claims support that increased profit, and instead press your valid claims to obtain full payment. It is why your institution spends valuable funds on insurance premiums which could otherwise be spent on educational needs instead.
- Properly value the insurance asset. Understanding your insurance asset is the first step to obtaining full value. Conduct a legal and factual analysis of your loss situation. The legal analysis will inform the claims process and potentially any litigation or settlement of the claim. It may also help your insurance professionals improve your insurance program at your next renewal.
You Still Have Time to Register for UBTech!
Join UBTech on June 12-14 in Orlando for “the Biggest Week in Campus AV & IT” which includes a fee pass to the InfoComm exhibit hall.
Register now for access to nationwide networking, new higher ed solutions, and sessions focused on active classroom, cybersecurity, and AV and IT strategy and implementation.