2017/18 Cyber Liability Program - Memorandum of Coverage

Memorandum of Coverage – Cyber Liability
Issued to the «Agency»
Effective July 1, 2017 – July 1, 2018
Administered by the California Joint Powers Insurance Authority

Effective July 1, 2017 – July 1, 2018, as a joint protection program authorized pursuant to Article 11(a) of the California JPIA joint powers agreement

COVER PAGE

MEMORANDUM OF CYBER LIABILITY COVERAGE FOR THE CALIFORNIA JOINT POWERS INSURANCE AUTHORITY

MEMBER: <<member>>
MAILING ADDRESS: <<address 1>> <<address 2>>
PROTECTION LIMITS:
$1,000,000 Per Occurrence Limit of Coverage
$1,000,000 Aggregate Limit of Coverage per Policy Period per Member for all categories of Coverage combined including Claims Expenses
$10,000,000 Aggregate Limit of Coverage for all Members per Policy Period for all categories of Coverage combined including Claims Expenses
RETENTION: $50,000 (including Claims Expenses)
PROTECTION PERIOD: From July 1, 2017 12:01 a.m. Pacific Time until July 1, 2018 at 12:01 a.m. Pacific Time.

This Memorandum is a description of the terms and conditions of the Program through which certain specified and limited self-insured risks of liability are administered by the Authority and shared by its Members. This Memorandum is not an insurance policy. As provided in Section 990.8 of the California Government Code and appellate court cases of Orange County Water District v. Association of California Water Agencies JPIA (1997) and City of South El Monte v. Southern California Joint Powers Insurance Authority (1995), the pooling of self-insured claims or losses among the Members of the Authority shall not be considered insurance nor be subject to regulation under the Insurance Code.

California JPIA President

MEMORANDUM OF CYBER LIABILITY COVERAGE for the CALIFORNIA JOINT POWERS INSURANCE AUTHORITY

1.
INTRODUCTION

This Memorandum is a description of the terms and conditions of the Program through which certain self-insured risks of liability are administered by the Authority and shared by its Members pursuant to the Joint Powers Agreement creating the Authority under the provisions of Section 6500 et seq. of the Government Code. As provided in Section 990.8 of the Government Code, pooling of losses in this Program is not insurance. The sole duty of the Authority is to administer the Program adopted by the Members. The Authority can indemnify only Claims or losses, which are pooled under the terms of this Memorandum and the Joint Powers Agreement. There is no transfer of risk from the Member or any Protected Party to the Authority, nor assumption of risk by the Authority.

The provisions of the Program are subject to and subordinated to the Joint Powers Agreement or any action taken by the Executive Committee or the Board of Directors in connection with the Program. This Program has been adopted pursuant to action taken by the Executive Committee, and is subject to any amendment, modification or extension by the Executive Committee or the Board of Directors.

The terms of this Memorandum shall be construed in an evenhanded fashion in accordance with the principles of California contract law. If the language of this Memorandum is alleged to be ambiguous or unclear, the issue of how the protection should apply shall be resolved in a manner most consistent with the relevant terms of this Memorandum without regard to authorship of the language and without any presumption of arbitrary interpretation or construction in favor of either the Protected Party or the Authority. Any controversy or dispute arising out of or related to an interpretation or breach of this Memorandum shall be settled in accordance with the appeals procedures as set forth in this Memorandum.

2.
PROTECTION PROVIDED

Subject to all provisions of this Memorandum, the Authority will cause the Program to pay on behalf of the Protected Party all sums for which coverage is provided within the terms of the attached “Policy Form.” As used in the Policy Form, the term “you” or “your” or “your organization” shall refer to the Protected Party, which is a Member of the Authority and participant in the Program. The term “we” shall refer to the Authority.

3. Non-Concurrent Conditions

Section IX – Terms and Conditions of the attached Policy Form are hereby amended as follows: Section D, “Other Insurance”, Section E, “Action Against Us”, Section I, “Cancellation”, and Section M, “Service of Suit Clause” are deleted. They are replaced with the following:

The terms of the Authority’s Memorandum of Liability Coverage are incorporated here by reference as though fully set forth herein, at Section 5, Conditions and Responsibilities, Sections D “Other Protection,” E “Termination or Amendment,” F “Changes”, I “Joint Powers Agreement”, J “Appeal of Disputes”, and K “Arbitration.” These provisions of the Memorandum of Liability Coverage shall apply to coverage furnished under this Memorandum of Privacy Protection Coverage as well.

Policy Form

Notice: this policy contains one or more coverages. Certain coverages are limited to liability for claims that are first made against You and notified to Us during the Policy Period as required. Claim Expenses shall reduce the applicable limits of liability and are subject to the applicable retention(s). Terms that appear in bold face type have special meanings. See the definitions for more information. Please read this policy carefully.

In consideration of the payment of the premium and reliance upon the statements made by You in the application and subject to the Limit of Liability, exclusions, conditions and other terms of this Policy, it is agreed as follows:

A.
Privacy liability (including employee privacy)
We shall pay on Your behalf Damages and Claim Expenses that You become legally obligated to pay in excess of the applicable retention resulting from a Claim first made against You and reported to Us during the policy period or extended reporting period arising out of a Privacy Wrongful Act on or after the retroactive date and before the end of the policy period, harming any third party or employee.

B. Privacy Regulatory Claims coverage
We shall pay on Your behalf Regulatory Fines, Consumer Redress Funds and Claim Expenses that You become legally obligated to pay in excess of the applicable retention resulting from a Regulatory Claim first made against You and reported to Us during the policy period or extended reporting period arising out of a Privacy Wrongful Act on or after the retroactive date and before the end of the policy period.

C. Security Breach response coverage
We shall reimburse Your Organization for Crisis Management Costs and Breach Response Costs in excess of the applicable retention that Your Organization incurs in the event of a Security Breach with respect to personal, non-public information of Your customers or employees. We will not make any payment under this Coverage unless the Security Breach first occurs on or after the retroactive date and before the end of the policy period and You first learn of the Security Breach within the policy period and report the Security Breach to Us as soon as practicable within the policy period.

D. Security liability
We shall pay on Your behalf Damages and Claim Expenses that You become legally obligated to pay in excess of the applicable retention resulting from a Claim first made against You and reported to Us during the policy period or extended reporting period arising out of a Security Wrongful Act on or after the retroactive date and before the end of the policy period.

E.
Multimedia liability
We shall pay on Your behalf Damages and Claim Expenses that You become legally obligated to pay in excess of the applicable retention resulting from a Claim first made against You and reported to Us during the policy period or extended reporting period arising out of a Multimedia Wrongful Act on or after the retroactive date and before the end of the policy period.

Privacy Protection Insurance

A. We shall have the right and duty to defend, subject to the applicable policy aggregate limit and applicable sublimits of liability, exclusions and other terms and conditions of this Policy, any Claim against You seeking Damages which are payable under the terms of this Policy, even if any of the allegations of the Claim are groundless, false, or fraudulent and We shall have the right to appoint defense counsel. We agree that You may settle any Claim where the Damages and Claim Expenses do not exceed 50% of the Retention, provided the entire Claim is resolved and You receive a full release from all claimants. We shall have the right to make any investigation We deem necessary, including, without limitation, any investigation with respect to the application and statements made in the application and with respect to coverage. The applicable policy aggregate limit and sublimits of liability available to pay Damages shall be reduced and may be completely exhausted by payment of Claim Expenses. Damages and Claim Expenses shall be applied against the applicable retention You pay.

B. If You refuse to consent to a settlement or compromise We recommend and acceptable to the claimant and elect to contest the Claim, then:
1. Subject to the applicable limit of liability, Our liability for any Damages and Claim Expenses shall not exceed:
a. the amount for which the Claim could have been settled, plus the Claim Expenses incurred prior to the date of such refusal; and
b.
fifty percent (50%) of the Damages and Claim Expenses in excess of the amount in a. above incurred in such Claim; provided that You bear the remaining 50% of the Damages and Claim Expenses in excess of the amount in a. above incurred in such Claim uninsured and at Your own risk; and
2. We shall have the right to withdraw from the further defense of such Claim by tendering control of the defense to You.
This clause shall not apply to any settlement where the total of the proposed settlement and incurred Claim Expenses do not exceed all applicable retentions.

C. We shall not be obligated to pay any Damages or Claim Expenses, or to undertake or continue defense of any Claim, after the applicable policy aggregate limit or applicable sublimits of liability has been exhausted by payment of Damages and/or Claim Expenses or after deposit of the applicable limit of liability in a court of competent jurisdiction, and that upon such payment or deposit, We shall have the right to withdraw from the further defense thereof by tendering control of said defense to You.

This insurance applies to Claims made and acts, errors or omissions committed or alleged to have been committed anywhere in the world.

The coverage under this Policy shall not apply to any Damages or Claim Expenses incurred with respect to any Claim, or any Crisis Management Costs, Breach Response Costs or other amounts, arising out of or resulting, directly or indirectly, from:
A. Bodily injury or property damage;
B. Your employment practices or any alleged or actual discrimination against any person or entity on any basis, including without limitation, race, creed, color, religion, ethnic background, national origin, age, handicap, disability, sex, sexual orientation, or pregnancy;
C.
The failure, malfunction or inadequacy of any satellite; any electrical or mechanical failure and/or interruption, including but not limited to electrical disturbance, spike, brownout or blackout; or any outage to gas, water, telephone, cable, telecommunications or other infrastructure, unless such infrastructure is under Your operational control;
D. Fire, smoke, explosion, lightning, wind, water, flood, earthquake, volcanic eruption, tidal wave, landslide, hail, an act of God or any other physical event, however caused;
E. Any alleged or actual defects in any goods, services or products sold, supplied, repaired, altered, manufactured, installed or maintained by You or by any person, persons, partnership, firm, or company acting for You or on Your behalf;
F. Breach of any express, implied, actual or constructive contract, agreement, warranty, guarantee or promise, provided, however, this exclusion shall not apply to:
1. any liability or obligation You would have in the absence of such contract or agreement;
2. any breach of Your privacy statement; or
3. any indemnity by You in a written contract or agreement with Your client regarding any Privacy Wrongful Act or Security Wrongful Act by You in failing to preserve the confidentiality or privacy of personal information of customers of Your client;
G. Any of the following:
1. Any presence of pollutants or contamination of any kind;
2. Any actual, alleged or threatened discharge, dispersal, release, or escape of pollutants or contamination of any kind;
3. Any direction or request to test for, monitor, clean up, remove, contain, treat, detoxify, or neutralize pollutants or in any way respond to or assess the effects of pollutants or contamination of any kind; or
4. Manufacturing, mining, use, sale, installation, removal, distribution of or exposure to asbestos, materials, or products containing asbestos, asbestos fibers or dust;
5.
Ionizing radiation or contamination by radioactivity from any nuclear fuel or any nuclear waste from the combustion of nuclear fuel;
6. Actual, potential or alleged presence of mold, mildew or fungi of any kind;
7. The radioactive, toxic, or explosive or other hazardous properties of any explosive nuclear assembly or nuclear component thereof; or
8. The existence, emission or discharge of any electromagnetic field, electromagnetic radiation or electromagnetism that actually or allegedly affects the health, safety or condition of any person or the environment or that affects the value, marketability, condition or use of any property;
H. Any of the following:
1. Purchase, sale, offer of or solicitation of an offer to purchase or sell securities, or alleged or actual violation of any securities law, including but not limited to the provisions of the Securities Act of 1933, or the Securities Exchange Act of 1934, as amended, the Sarbanes-Oxley Act of 2002, or any regulation promulgated under the foregoing statutes, or any federal, state, local or foreign laws similar to the foregoing statutes (including “Blue Sky” laws), whether such law is statutory, regulatory or common law;
2. Alleged or actual violation of the Organized Crime Control Act of 1970 (commonly known as “Racketeer Influenced And Corrupt Organizations Act” or “RICO”), as amended, or any regulation promulgated thereunder, or any federal, state, local or foreign law similar to the foregoing statute, whether such law is statutory, regulatory or common law;
3. Alleged or actual violation of the responsibilities, obligations or duties imposed upon fiduciaries by the Employee Retirement Income Security Act of 1974, as amended;
4.
Alleged or actual anti-trust violations, restraint of trade or unfair competition, including without limitation, violations of the Sherman Act, the Clayton Act or the Robinson-Patman Act, or any other federal, state, local, or foreign laws regulating the same or similar conduct; provided, however, this exclusion H.4 shall not apply to a Claim for a Multimedia Wrongful Act.
I. Any act of terrorism; strike or similar labor action, war, invasion, act of foreign enemy, hostilities or warlike operations (whether declared or not), civil war, mutiny, civil commotion assuming the proportions of or amounting to a popular rising, military rising, insurrection, rebellion, revolution, military or usurped power, or any action taken to hinder or defend against these actions; including all amounts, Damages, or Claim Expenses of whatsoever nature directly or indirectly caused by, resulting from or in connection with any action taken in controlling, preventing, suppressing, or in any way relating to the above; however, if We allege that by reason of this exclusion any Damages or Claim Expenses are not covered by this Policy, the burden of proving the contrary shall be upon You.
J. Any of the following:
1. Any circumstance occurring, or act, error, or omission committed, prior to the inception date of this Policy, if on or before the inception date of this Policy, You knew or could reasonably have foreseen such circumstance, act, error, or omission would be the basis of a Claim;
2. Any Claim or circumstance previously notified to a prior insurer that could reasonably be expected to be the type of Claim or loss covered by this Policy; or
K. Any criminal, dishonest, intentional violation of the law, unfair or deceptive business practice, fraudulent or malicious act, error or omission committed by You with actual criminal, dishonest, fraudulent or malicious purpose or intent; provided, however, this exclusion shall not apply to:
1.
Claim Expenses incurred in defending any such Claim until there is a final adjudication, judgment, binding arbitration decision or conviction against You in such Claim or an admission by You establishing such conduct, or a plea of nolo contendere or no contest by You regarding such conduct, in which event You shall reimburse Us for all Claim Expenses that We have paid and We shall have no further liability for Claim Expenses from such Claim; and
2. any of You who did not personally commit or personally participate in committing or personally acquiesce in such conduct, except that the exclusion shall apply with respect to Your Organization if an admission, final adjudication, or finding in a proceeding separate or collateral to the Claim establishes that a current principal, partner, director, or officer of Your Organization in fact engaged in such conduct;
L. Any Claim made by or on behalf of:
1. Any person or entity within the definition of You against any other Insured person or entity within the definition of You provided this exclusion shall not apply to an otherwise covered Claim under Coverage A made by a current or former employee of Your Organization; or
2. Any entity which:
a. Is operated, managed, or controlled by You or in which You have an ownership interest in excess of 15% or in which You are an officer or director; or
b. Operates, controls, or manages Your Organization, or has an ownership interest of more than 15% in Your Organization;
M. Your activities as a trustee, partner, officer, director, or employee of any employee trust, charitable organization, corporation, company or business other than Your Organization;
N.
Any alleged or actual infringement or violation of patent rights or misappropriation, theft, copying, display or publication of any trade secret by, or with active cooperation, participation, or assistance of, You, any of Your former employees, subsidiaries, directors, officers, partners, trustees, or any of Your successors or assignees; or
O. Any trading losses or trading liabilities; the monetary value of any electronic fund transfers or transactions by or on behalf of You which is lost, diminished, or damaged during transfer from, into or between accounts; or the face value of coupons, price discounts, prizes, awards, or any other valuable consideration given in excess of the total contracted or expected amount.
P. Any fine or penalty imposed by a payment card company, merchant bank or payment processor under any agreement by You to comply with or follow the Payment Card Industry Data Security Standard, as amended, or any payment card company programs, rules, bylaws, policies, procedures, regulations or requirements, or to implement, maintain or comply with security measures or standards concerning payment card data.

A. Act of terrorism means:
1. any act certified an act of terrorism pursuant to the federal Terrorism Risk Insurance Act of 2002 or otherwise declared an act of terrorism by any government;
2. any act committed by any person or group of persons designated by any government as a terrorist or terrorist group or any act committed by any person or group of persons acting on behalf of or in connection with any organization designated by any government as a terrorist organization; or
3.
the use of force or violence and/or the threat thereof by any person or group of persons, whether acting alone or on behalf of or in connection with any organization or government, committed for political, religious, ideological, or similar purposes, including the intention to influence any government and/or put the public, or any section of the public, in fear.
B. Application means all applications, including any attachments thereto, and all other information and materials submitted by You or on Your behalf to Us in connection with the underwriting of this Policy. All such applications, attachments, information and materials are deemed attached to and incorporated into this Policy.
C. Bodily Injury means injury to the body, sickness, or disease sustained by any person, and where resulting from such injuries, mental anguish, mental injury, shock, humiliation, emotional distress, loss of consortium, or death.
D. Breach Response Costs means the following fees, costs, charges or expenses, if reasonable and necessary, that You incur in responding to a Security Breach during the period of twelve (12) months after You first learn of such Security Breach:
1. computer forensic professional fees and expenses to determine the cause and extent of such Security Breach;
2. costs to notify customers or employees affected or reasonably believed to be affected by such Security Breach, including printing costs, publishing costs, postage expenses, call center costs or costs of notification via phone or e-mail;
3.
legal fees and expenses to determine whether You are obligated under applicable Privacy Regulations to notify applicable regulatory agencies or customers or employees affected or reasonably believed to be affected by such Security Breach, effect compliance with any applicable Privacy Regulations, draft the text of privacy notifications to customers or employees affected or reasonably believed to be affected by such Security Breach, and coordinate the investigation of such Security Breach; or
4. credit monitoring expenses, but only if ordered by a court or if You provide reasonable evidence that the disclosure of personal information from such Security Breach has resulted, or is likely to result, in the unauthorized opening of a line of credit or other financial account;
Provided, however, We shall have no obligation to reimburse You for such Breach Response Costs unless:
(a) You provide an opinion from legal counsel that You were obligated under applicable Privacy Regulations to notify applicable regulatory agencies or customers or employees affected or reasonably believed to be affected by such Security Breach of such Security Breach; or
(b) You voluntarily incur with Our prior written consent such Breach Response Costs (including credit monitoring expenses), such as in a jurisdiction where You have no obligation to notify applicable regulatory agencies or customers or employees affected or reasonably believed to be affected by such Security Breach of such Security Breach.
Breach Response Costs do not include Your overhead expenses or any salaries, wages, fees, or benefits of Your employees.
E. Claim means:
1. A written demand received by You for money or services, including the service of a civil suit or institution of arbitration proceedings;
2. Initiation of a civil suit against You seeking injunctive relief (meaning a temporary restraining order or a preliminary or permanent injunction); or
3.
Solely with respect to Coverage B., a Regulatory Claim made against You.
Multiple Claims arising from the same or a series of related or repeated acts, errors, or omissions or from any continuing acts, errors, or omissions shall be considered a single Claim for the purposes of this policy, irrespective of the number of claimants or You involved in the Claim. All such Claims shall be deemed to have been made at the time of the first such Claim was made or deemed made under Section IX.A.
F. Claim Expenses means:
1. reasonable and necessary fees charged in the defense or settlement of a Claim by an attorney whom We designate or whom You designate with Our prior written consent, such consent not to be unreasonably withheld; and
2. all other legal costs and expenses resulting from the investigation, adjustment, defense and appeal of a Claim, if incurred by Us or by You with Our prior written consent;
however, Claim Expenses do not include Your overhead expenses or any salaries, wages, fees, or benefits of Your employees for any time spent in cooperating in the defense or investigation of any Claim or circumstance that might lead to a Claim.
G. Computer system means electronic, wireless, web or similar systems (including all hardware and software) used to process data or information in an analog, digital, electronic or wireless format, including computer programs, electronic data, operating systems, and components thereof, including but not limited to laptops, personal digital assistants, cellular phones, media storage and peripheral devices, media libraries, associated input and output devices, networking equipment, and electronic backup equipment.
H. Consumer Redress Funds means any sums of money You are legally required to deposit in a fund for the payment of consumer Claims due to a settlement of, or an adverse judgment in, a Regulatory Claim.
I.
Credit monitoring expenses means the reasonable and necessary expense of providing free credit reports, identity theft protection services, credit monitoring services, credit freezes or fraud alerts for customers affected or reasonably believed to be affected by a Security Breach; provided, however, We shall not be obligated to reimburse You for more than one (1) year of credit monitoring services or identity theft protection services for customers who are at least eighteen (18) years old, unless there is a rule, regulation, or statutory requirement requiring otherwise.
J. Crisis Management Costs means any reasonable and necessary fees and expenses You incur with Our prior written consent to employ a public relations consultant to avert or mitigate any material damage to any of Your brands due to a Newsworthy Event that has arisen due to a Security Breach or a Claim or Regulatory Claim for a Privacy Wrongful Act, regardless of whether the expenses are incurred prior or subsequent to any such Claim or Regulatory Claim being made against You.
K. Damages means:
1. Solely with respect to Coverages A, D and E, a monetary judgment, award or settlement, including:
a. Pre-judgment interest;
b. Post-judgment interest that accrues after entry of the judgment or award and before We have paid, offered to pay or deposited in court that part of the judgment or award within the applicable limit of liability; and
c. subject to this Policy’s terms, conditions, and exclusions, punitive or exemplary damages (where insurable by the applicable law that most favors coverage for such damages); and
2. Solely with respect to Coverage B, Regulatory Fines and Consumer Redress Funds.
Damages shall not include or mean:
1. Your future profits, restitution, or disgorgement of profits; or Your cost to comply with any order granting injunctive or non-monetary relief, including specific performance, or any agreement to provide such relief;
2.
Your return or offset of fees, charges, royalties, or commissions for goods or services already provided or contracted to be provided;
3. Fines or penalties of any nature (except as covered under Coverage B);
4. Any amount You are not financially or legally obligated to pay;
5. Multiple damages;
6. Any donations or contributions to any charitable organization; or
7. Matters that may be deemed uninsurable under the law pursuant to which this Policy may be construed.
L. Employee means any individual in Your Organization’s service, including any part-time, seasonal, and temporary employee, who is compensated by salary, wages, fees or commissions and over whom You have the right to direct and control, but excluding any partner or director of Your Organization.
M. Extended Reporting Period means the period of time after the end of the policy period for reporting Claims as provided in Section VIII. of this Policy.
N. Intranet means a private computer network inside a company or organization that uses the same kinds of software found on the Internet, but only for internal use.
O. Internet means the worldwide public network of computer networks which enables the transmission of electronic data between different users, commonly referred to as the internet, including a private communications network existing within a shared or public network platform.
P. Malicious code means any unauthorized and corrupting or harmful computer code, including but not limited to computer viruses, spyware, Trojan horses, worms, logic bombs, and mutations of any of the preceding.
Q. Media content means data, digital code, images, graphics, sounds, text or any other similar material.
R.
Multimedia Wrongful Act means any of the following acts committed in the ordinary course of Your Organization’s business in gathering, communicating, reproducing, publishing, disseminating, displaying, releasing, transmitting or disclosing media content via any computer system that You own or operate or is operated on Your behalf by a third party, including any web-based social media authorized or operated by Your Organization or any internet or intranet website, or via any non-electronic media:
1. defamation, libel, slander, product disparagement, trade libel, infliction of emotional distress, outrage, outrageous conduct, or other tort related to disparagement or harm to the reputation or character of any person or organization;
2. invasion of or interference with the right to privacy or publicity;
3. false arrest, detention or imprisonment or malicious prosecution;
4. infringement of any right to private occupancy, including trespass, wrongful entry, eviction or eavesdropping;
5. infringement of copyright, domain name, trade dress, title or slogan, or the dilution or infringement of trademark, service mark, service name or trade name;
6. plagiarism, piracy or misappropriation of ideas; or
7. liability regarding any media content for which You are responsible;
provided always that any Multimedia Wrongful Act was committed or alleged to have been committed by You, or any person for whom or entity for which You are legally responsible, including an independent contractor or outsourcing organization.
S. Newsworthy Event means an event that has been caused by a Claim or Security Breach within one of the coverages which You have purchased, that has been publicized through any media channel, including television, print media, radio or electronic networks, the internet, and/or electronic mail.
T.
Policy period means the period of time from the effective date to the expiration date specified in Item 2 of the Declarations, or any earlier cancellation date.
U. Privacy Breach means a common law breach of confidence, infringement, or violation of any rights to privacy, including but not limited to breach of Your privacy statement, breach of a person’s right of publicity, false light, intrusion upon a person’s seclusion, public disclosure of a person’s private information, or misappropriation of a person’s picture or name for commercial gain.
V. Privacy Regulations means any federal, state, local or foreign statute or regulation requiring You to limit or control the collection, use of, or access to, personally identifiable, non-public information in Your possession or under Your control, or obligating You to inform customers of the unauthorized access to or disclosure of such personally identifiable, non-public information, including the following statutes and regulations:
1. The Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), including Title II requiring protection of confidentiality and security of electronic protected health information, and as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH), any rules and regulations promulgated thereunder as they currently exist and as amended, and any related state medical privacy laws as they currently exist and as amended;
2. The Gramm-Leach-Bliley Act of 1999, also known as the Financial Services Modernization Act of 1999, including sections concerning security protection and standards for customer records maintained by financial services companies, and the rules and regulations promulgated thereunder as they currently exist and as amended;
3. Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. 45(a), but solely with respect to alleged unfair or deceptive acts or practices in or affecting commerce;
4.
Federal, state or local privacy protection regulations or laws, such as the California Database Protection Act of 2003 (previously called SB 1386), as they currently exist now or may be amended, associated with the control and use of, or limiting unauthorized access to, personal information, including but not limited to requirements to post privacy policies, adopt specific privacy controls, or inform customers of breaches of security that has or may impact their personal information; 5. Federal, state or local data breach regulations or laws, as they currently exist now or in the future, imposing liability for failure to take reasonable care to guard against unauthorized access to credit or debit account information that is in Your possession or under Your control; 6. Identity Theft Red Flags under the Fair and Accurate Credit Transactions Act of 2003; 7. Federal and state consumer credit reporting laws, such as the Federal Fair Credit Reporting Act (FCRA) and the California Consumer Credit Reporting Agencies Act (CCCRAA); 8. the Children’s Online Privacy Protection Act of 1998; or 9. Privacy protection regulations or laws adopted by countries outside of the United States, such as the EU Data Protection Directive and the Canadian Personal Information Protection and Electronic Documents Act, as they currently exist now or may be amended, associated with the collection, control and use of, or limiting unauthorized access to, personal information. W. Privacy Wrongful Act means any Privacy Breach or breach of Privacy Regulations committed by You or by any person or entity for which You are legally responsible, including an independent contractor or outsourcing organization. X. Property damage means physical injury to or destruction of any tangible property, including the loss thereof. Data is not considered tangible property. Y. Regulatory Claim means: 1.
any formal investigation of You by an administrative or regulatory agency or similar governmental body concerning a Privacy Breach or possible breach of Privacy Regulations; or 2. any administrative adjudicative proceeding against You by an administrative or regulatory agency or similar governmental body for a breach of Privacy Regulations. Z. Regulatory Fines means fines, penalties, or sanctions awarded for a violation of any Privacy Regulation(s). AA. Retroactive date means the date specified in Item 5 of the Declarations. BB. Security Breach means: 1. the loss or disclosure of personal, non-public information of customers or employees in Your care, custody or control, including such information stored on paper or on a computer system operated by You or on Your behalf; or 2. Theft of data, unauthorized access to or unauthorized use of personal, non-public information of customers or employees in Your care, custody or control, including such information stored on paper or on a computer system operated by You or on Your behalf; that results in or may result in the compromise of the privacy or confidentiality of such personal, non-public information. More than one Security Breach arising from the same or a series of continuous, repeated or related acts, errors, or omissions shall be considered a single Security Breach, which shall be deemed to have first occurred at the time of the first such Security Breach. CC. Security Wrongful Act means any act, error, or omission committed by You or a person or entity for which You are legally responsible, including an independent contractor or outsourcing organization, in the conduct of computer systems security and the protection of the security and confidentiality of Your customer records or information, that results in: 1. The inability of a third party, who is authorized to do so, to gain access to Your computer systems; 2.
The failure to prevent or hinder unauthorized access to or unauthorized use of a computer system operated by You or on Your behalf, the failure to prevent physical theft of hardware or firmware You control, the failure to prevent people or processes security failures, or the failure to prevent false communications designed to trick the user into surrendering personal information (such as “phishing”, “pharming” or “vishing”), any of which results in: a. The alteration, copying, corruption, destruction or deletion of, or damage to, electronic data on a computer system operated by You or on Your behalf; b. Unauthorized disclosure of commercial, personal or private information; c. Theft of data (including identity theft); or d. Denial of service attacks against internet sites or computer systems of a third party; or 3. The failure to prevent transmission of malicious code from a computer system operated by You or on Your behalf to a third party’s computer system. DD. Subsidiary means any corporation where more than 50% of the outstanding securities representing the present right to vote for the election of such corporation’s directors are owned by the Named Assured directly or indirectly, if such corporation was so owned on the inception date of this Policy; or 1. becomes so owned after the inception date of this Policy, provided the revenues of the newly acquired corporation do not exceed 15% of Your Organization’s annual revenues as set forth in its most recent audited financial statement; or 2. becomes so owned after the inception date of this Policy, provided that if the revenues of the newly acquired corporation exceed 15% of Your Organization’s annual revenues as set forth in its most recent audited financial statement, the provisions of Section IX. G. must be fulfilled. EE.
Theft of data means the unauthorized taking, misuse or disclosure of information on computer systems, including but not limited to charge, debit, or credit information, banking, financial and investment services account information, proprietary information, and personal, private or confidential information. FF. Unauthorized access means the gaining of access to a computer system by an unauthorized person or an authorized person in an unauthorized manner. GG. Unauthorized use means the use of a computer system by an unauthorized person or persons or an authorized person in an unauthorized manner. HH. We, Us or Our means the underwriters providing this insurance. II. You or Your or Yours means: 1. the entity named in Item 1 of the Declarations (“Named Assured”) and its subsidiaries (together “Your Organization”); 2. Any present or future director, officer, or trustee of Your Organization, but only with respect to the performance of his or her duties as such on behalf of Your Organization; 3. Any present or future employee of Your Organization but only with respect to work done while acting within the scope of his or her employment and related to the conduct of Your Organization’s business; 4. In the event that the Named Assured is a partnership, limited liability partnership, or limited liability company, then any general or managing partner, principal, or owner thereof, but only while acting within the scope of his or her duties as such; 5. Any person who previously qualified as You under 2, 3, or 4 above prior to the termination of the required relationship with Your Organization, but only with respect to the performance of his or her duties as such on behalf of Your Organization; and 6. The estate, heirs, executors, administrators, assigns and legal representatives of any of You in the event of Your death, incapacity, insolvency or bankruptcy, but only to the extent that You would otherwise be provided coverage under this insurance.
A. The amount indicated in Item 3.A. of the Declarations (herein the “policy aggregate limit”) is the most We will pay in the aggregate under this Policy, under all coverages combined, for: 1. all Damages, including Regulatory Fines, Consumer Redress Funds and all Claim Expenses from all Claims; and 2. all Crisis Management Costs and Breach Response Costs from all Security Breaches; regardless of the number of acts, errors, or omissions, persons or entities covered by this Policy, claimants, Claims or Security Breaches, or Coverages triggered. B. When purchased as indicated in Item 3.B. of the Declarations: 1. the amount indicated as the Per Claim/Breach Sub-Limit of Liability applicable to Coverage A. is the most We will pay for all Damages and Claim Expenses from each Claim arising out of a Privacy Wrongful Act, subject to the amount indicated as the Aggregate Sub-Limit of Liability under Coverage A. for all Damages and Claim Expenses from all such Claims; 2. the amount indicated as the Per Claim/Breach Sub-Limit of Liability applicable to Coverage B. is the most We will pay for all Regulatory Fines, Consumer Redress Funds and Claim Expenses from each Regulatory Claim arising out of a Privacy Wrongful Act, subject to the amount indicated as the Aggregate Sub-Limit of Liability under Coverage B. for all Regulatory Fines and Claim Expenses from all such Claims; 3. the amount indicated as the Per Claim/Breach Sub-Limit of Liability applicable to Coverage C. is the most We will pay for all Crisis Management Costs and Breach Response Costs from each Security Breach, subject to the amount indicated as the Aggregate Sub-Limit of Liability under Coverage C. for all Crisis Management Costs and Breach Response Costs from all Security Breaches; 4. the amount indicated as the Per Claim/Breach Sub-Limit of Liability applicable to Coverage D.
is the most We will pay for all Damages and Claim Expenses from each Claim arising out of a Security Wrongful Act, subject to the amount indicated as the Aggregate Sub-Limit of Liability under Coverage D. for all Damages and Claim Expenses from all such Claims; and 5. the amount indicated as the Per Claim/Breach Sub-Limit of Liability applicable to Coverage E. is the most We will pay for all Damages and Claim Expenses from each Claim arising out of a Multimedia Wrongful Act, subject to the amount indicated as the Aggregate Sub-Limit of Liability under Coverage E. for all Damages and Claim Expenses from all such Claims; and such Per Claim/Breach Sub-Limits of Liability and Aggregate Sub-Limits of Liability being referred to herein as the “sublimits of liability”, each of which is part of, and not in addition to, the policy aggregate limit. C. If any Claim or any single Claim is covered under more than one Coverage, the highest applicable sublimit of liability shall be the most We shall pay as to such Claim or single Claim and such Claim or single Claim shall be subject to the highest applicable retention. The retention for each Coverage is stated in Item 4 of the Declarations. The applicable retention shall be first applied to Damages, Claim Expenses, Crisis Management Costs and Breach Response Costs covered by this Policy and You shall make direct payments within the retention to appropriate other parties designated by Us. We shall be liable only for the amounts in excess of the retention, not to exceed the applicable sublimit of liability or policy aggregate limit. With respect to Coverages A, B, D and E, the retention shall be satisfied by Your payments of Damages and Claim Expenses resulting from Claims first made and reported to Us during the policy period or extended reporting period. One retention shall apply to each single Claim under such Coverages.
With respect to Coverage C, the retention shall be satisfied by Your payments of Crisis Management Costs and Breach Response Costs resulting from a Security Breach that occurred during the policy period and is reported by You to Us during the policy period or extended reporting period. One retention shall apply to each single Security Breach under such Coverage. A. Basic Extended Reporting Period: In the event of cancellation or non-renewal of this Policy by You or Us, an extended reporting period of thirty (30) days immediately following such cancellation or non-renewal shall be automatically granted hereunder at no additional premium. Such extended reporting period shall cover Claims first made and reported to Us during such thirty (30) day extended reporting period but only in respect of any act, error, or omission committed prior to the date of cancellation or non-renewal, and subject to all other terms, conditions, and exclusions of this Policy. No Claim in such thirty (30) day extended reporting period shall be covered under this Policy if You are entitled to indemnity under any other insurance or would have been entitled to indemnity under such insurance but for the exhaustion thereof. B. Optional Extended Reporting Period: In the event of cancellation or non-renewal of this policy by You or Us, You shall have the right, upon payment in full and not proportionally or otherwise in part, of 100% of the annual premium shown in Item 6 of the Declarations, to have issued an endorsement providing a twelve (12) month optional extended reporting period from the cancellation or non-renewal date. 1.
Such optional extended reporting period shall cover Claims made and reported to Us during this optional extended reporting period, but only in respect of any Claim arising out of any act, error, or omission committed prior to the date of cancellation or non-renewal, and subject to all other terms, conditions, and exclusions of the Policy. 2. In order for You to invoke the optional extended reporting period, the payment of additional premium as stated in this provision must be paid to Us within thirty (30) days of the non-renewal or cancellation. 3. At the commencement of the optional extended reporting period, the entire premium shall be deemed fully earned, and in the event You terminate the optional extended reporting period for whatever reason prior to its natural expiration, We will not be liable to return any premium paid for the optional extended reporting period. C. Terms and conditions of basic and optional extended reporting period 1. At renewal of this policy, Our quotation of different premium, retention or limit of indemnity or changes in policy language shall not constitute non-renewal by Us for the purposes of granting the optional extended reporting period. 2. The right to the extended reporting period shall not be available to You where We cancel or non-renew due to non-payment of premium. 3. The limit of liability for the extended reporting period shall be part of, and not in addition to, the limit of liability for the policy period. 4. All notices and premium payments with respect to the extended reporting period shall be directed to Us through the entity named in the Declarations. A. Notice of Claim or circumstance that might lead to a Claim 1.
If any Claim is made against You during the policy period, then as soon as practicable after Your risk manager, general counsel, senior officer or director first becomes aware of such Claim, You must forward to Us through persons named in Item 7 of the Declarations every demand, notice, summons or other process You or Your representative receive. 2. If during the policy period, Your risk manager, general counsel or any of Your senior officers or directors first becomes aware of any act, error or omission that might reasonably give rise to a Claim, You must give written notice to Us through persons named in Item 7 of the Declarations as soon as practicable during the policy period of: a. The specific details of the act, error or omission that might reasonably give rise to a Claim; b. The possible Damages which may result or has resulted from the act, error or omission; c. The facts by which You first became aware of the act, error, or omission; and d. Any computer system security and event logs which provide evidence of the act, error or omission. Any subsequent Claim made against You arising out of such act, error or omission which is the subject of the written notice will be deemed to have been made at the time written notice complying with the above requirements was first given to Us. 3. A Claim shall be considered to be reported to Us when notice is first given to Us through persons named in Item 7 of the Declarations or when notice of a wrongful act which might reasonably give rise to a Claim is first provided in compliance with IX.A.2 above. 4. If You report any Claim or request any payment under this Policy knowing such Claim or request to be false or fraudulent, as regards amounts or otherwise, this Policy shall become null and void and all coverage hereunder shall be forfeited. 5. Whenever coverage under this Policy would be lost because of non-compliance of Section IX.A.1.
relating to the giving of notice of Claim to Us with respect to which any other of You shall be in default solely because of the failure to give such notice or concealment of such failure by one or more You responsible for the loss or damage otherwise insured hereunder, then We agree that such insurance as would otherwise be afforded under this Policy shall cover and be paid with respect to those of You who did not personally commit or personally participate in committing or personally acquiesce in such failure to give notice, provided that those of You entitled to the benefit of this provision under Section IX.A.1. have complied with such condition promptly after obtaining knowledge of the failure of any others of You to comply therewith, and any such Claim was reported during the policy period or extended reporting period, if applicable. However, such insurance as afforded by this provision shall not cover a Claim against Your Organization if a current principal, partner, director, or officer failed to give notice as required by Section IX.A.1. for a Claim against Your Organization arising from acts, errors, or omissions that were known to a current principal, partner, director, or officer. B. Assistance and cooperation 1. You shall cooperate with Us in all investigations. You shall execute or cause to be executed all papers and render all assistance as requested by Us. Part of this assistance may require You to provide soft copies of their system security and event logs. 2. Upon Our request, You shall assist in making settlements, in the conduct of suits and in enforcing any right of contribution or indemnity against any person or organization who may be liable to You because of acts, errors, or omissions with respect to which insurance is afforded under this Policy; and You shall attend hearings and trials and assist in securing and giving evidence and obtaining the attendance of witnesses. 3.
You shall not admit liability, make any payment, assume any obligation, incur any expense, enter into any settlement, stipulate to any judgment or award or dispose of any Claim without Our written consent, unless otherwise provided under Section II. 4. As soon as practicable after You give Us notice of any Claim, circumstance, or Security Breach, You must also give Us copies of reports, photographs, investigations, pleadings and all other papers in connection therewith, including allowing Us to question You under oath at such times as may be reasonably required regarding Your Organization’s books, records, and any other matters relating to such Security Breach or Claim. 5. In the event of a Security Breach, You must take all reasonable steps to protect computer systems and personally identifiable, non-public information from further access, disclosure, loss or damage. C. Subrogation In the event of any payment under this Policy, You agree to give Us the right to any subrogation and recovery to the extent of Our payments. You agree to execute all papers required and will do everything that is reasonably necessary to secure these rights to enable Us to bring suit in Your name. You agree to fully cooperate in Our prosecution of that suit. You agree not to take any action that could impair Our right of subrogation without Our written consent whether or not You have incurred any un-reimbursed loss. Any recoveries shall be applied first to subrogation expenses, second to Damages and Claim Expenses paid by Us, and third to the Retention. Any additional amounts recovered shall be paid to You. D. Other insurance This insurance shall apply in excess of any other valid and collectible insurance available to You, including any retention or deductible portion thereof, unless such other insurance is written only as specific excess insurance over the Limit of Liability of this Policy. E.
Action against Us No action shall lie against Us or Our representatives unless, as a condition precedent thereto: (1) there shall have been full compliance with all terms of this insurance; and (2) until the amount of Your obligation to pay shall have been finally determined either by judgment or award against You after trial, regulatory proceeding, arbitration or by written agreement between You, the claimant, and Us. Any person or organization or the legal representative thereof who has secured such judgment, award, or written agreement shall thereafter be entitled to make a Claim under this Policy to the extent of the insurance afforded by this Policy. No person or organization shall have the right under this Policy to join Us as a party to an action or other proceeding against You to determine Your liability, nor shall We be impleaded by You or Your legal representative. Your bankruptcy or insolvency shall not relieve Us of Our obligations hereunder. F. Entire agreement By acceptance of the policy, You agree that this Policy embodies all agreements between You and Us relating to this insurance. Notice to any agent or knowledge possessed by any agent or by any other person shall not effect a waiver or a change in any part of this Policy or stop Us from asserting any right under the terms of this Policy; nor shall the terms of this Policy be waived or changed, except by endorsement issued to form a part of this Policy signed by Us. G. New subsidiaries/changes in named assured or Your Organization 1.
During the policy period, if You acquire another corporation whose annual revenues are more than fifteen percent (15%) of Your Organization’s annual revenues as set forth in its most recent audited financial statements there shall be no coverage under this Policy for acts, errors, or omissions committed or allegedly committed by the newly acquired subsidiary unless You give Us written notice of the acquisition containing full details thereof, and We have agreed to add coverage for the newly acquired subsidiary upon such terms, conditions, and limitations of coverage and such additional premium as We, in Our sole discretion, may require. 2. During the policy period, if the Named Assured consolidates or merges with or is acquired by another entity, or sells substantially all of its assets to another entity, or a receiver, conservator, trustee, liquidator, or rehabilitator, or any similar official is appointed for or with respect to the Named Assured, then all coverage under this Policy shall continue to the expiration of the policy period but only for losses, acts, errors, or omissions that occurred prior to the date of such consolidation, merger or appointment. 3. Should a corporation cease to be a subsidiary after the inception date of this policy, coverage with respect to such corporation shall continue as if it was still a subsidiary until the expiration date of this policy, but only with respect to a Claim that arises out of any act, error, or omission committed by such corporation prior to the date that it ceased to be a subsidiary. 4. All notices and premium payments made under this paragraph shall be directed to Us through the entity named in Item 8 of the Declarations. H. Assignment Your interest under this Policy may not be assigned to any other person or organization, whether by operation of law or otherwise, without Our written consent.
If You shall die or be adjudged incompetent, such insurance shall cover Your legal representative as You as would be covered under this Policy. I. Cancellation 1. This Policy may be cancelled by You, by surrender thereof to Us or by mailing to Us through the entity named in Item 8 of the Declarations, written notice stating when the cancellation shall be effective. 2. This Policy may be cancelled by Us by mailing to You at the address shown in the Declarations written notice stating when, not less than sixty (60) days thereafter, such cancellation shall be effective. However, if We cancel this Policy because You have failed to pay a premium when due, this Policy may be cancelled by Us by mailing a written notice of cancellation to You at the address shown in the Declarations stating when, not less than ten (10) days thereafter, such cancellation shall be effective. Mailing of notice shall be sufficient proof of notice. The time of surrender or the effective date and hour of cancellation stated in the notice shall become the end of the policy period. Delivery (where permitted by law) of such written notice either by You or by Us shall be equivalent of mailing. 3. If You cancel this Policy, the earned premium shall be computed in accordance with the Lloyd’s short rate table and procedure, provided that the premium shall be deemed fully earned if any Claim has been notified to Us under this Policy. In that event, We agree that the Policy will not be cancelled midterm solely on the basis of any valid Claim notified to Us. 4. If We cancel this Policy prior to any Claim or Security Breach being reported under this Policy, the earned premium shall be computed pro rata. The premium shall be deemed fully earned if any Claim or Security Breach under this Policy is reported to Us on or before the date of cancellation. 5.
Premium adjustment may be made either at the time cancellation is effected or as soon as practicable after cancellation becomes effective, but payment or tender of unearned premium is not a condition of cancellation. J. Words and titles of paragraphs The titles of paragraphs, section, provisions, or endorsements of or to this Policy are intended solely for convenience and reference, and are not deemed in any way to limit or expand the provisions to which they relate and are not part of the Policy. Whenever the singular form of a word is used herein, the same shall include the plural when required by context. K. Named assured authorization The Named Assured first specified in Item 1. of the Declarations has the right and duty to act on Your behalf for: 1. The giving and receiving of notice of cancellation; 2. The payment of premiums, including additional premiums; 3. The receiving of any return premiums; 4. The acceptance of any endorsements added after the effective date of coverage; 5. The payment of any deductibles; 6. The receiving of any loss payments; and 7. Otherwise corresponding with Us. L. Warranty by You By acceptance of this Policy, You agree that the statements contained in the application, any application for coverage of which this Policy is a renewal, and any supplemental materials submitted therewith, are Your agreements and representations, that they shall be deemed material to the risk assumed by Us, and that this Policy is issued in reliance upon the truth thereof. The misrepresentation or non-disclosure of any matter by You or Your agent in the application, any application for coverage of which this Policy is a renewal, or any supplemental materials submitted therewith will render the Policy null and void and relieve Us from all liability under the Policy.
The application and any application for coverage of which this Policy is a renewal, and any supplemental materials submitted therewith, are deemed incorporated into and made a part of this Policy. M. Service of suit clause (U.S.A.) 1. It is agreed that in the event of Our failure to pay any amount claimed to be due under this Policy, at Your request We will submit to the jurisdiction of a court of competent jurisdiction within the United States. Nothing in this clause constitutes or should be understood to constitute a waiver of Our rights to commence an action in any court of competent jurisdiction in the United States, to remove an action to a United States District Court, or seek a transfer of a case to another court as permitted by the laws of the United States or any state in the United States. It is further agreed that service of process in such suit may be made upon Our representative, designated in Item 9 of the Declarations, and that in any suit instituted against any one of Us upon this contract; We will abide by the final decision of such court or of any appellate court, in the event of an appeal. 2. Our representative designated in Item 9 of the Declarations is authorized and directed to accept service of process on Our behalf in any such suit and/or upon Your request to give a written undertaking to You that they will enter a general appearance upon Our behalf in the event such a suit shall be instituted. 3.
Pursuant to any statute of any state, territory, or district of the United States which makes provision therefore, We hereby designate the Superintendent, Commissioner, or Director of Insurance or other officer specified for that purpose in the statute, or his successor in office, as Our true and lawful attorney upon whom may be served any lawful process in any action, suit, or proceeding instituted by or on behalf of You or any beneficiary hereunder arising out of this Policy, and hereby designate Our representative listed in Item 9 of the Declarations as the person to whom the said officer is authorized to mail such process or a true copy thereof. N. Choice of law Any disputes involving this Policy shall be resolved applying the law designated in Item 10. of the Declarations. ADDENDUM In consideration of the payment of the premium and reliance upon the statements made by You in the Application and subject to the Limit of Liability, exclusions, conditions and other terms of this Policy, it is agreed as follows: I. COVERAGES A. Business Income Loss We shall pay the Business Income Loss that Your Organization sustains during a Period of Restoration resulting directly from a Network Disruption that commences during the Policy Period, but only if the duration of such Period of Restoration exceeds the waiting period set forth in Item 7 of the Declarations and such Network Disruption results solely and directly from a Security Compromise that commenced on or after the Retroactive Date. B.
Dependent Business Income Loss We shall pay the Business Income Loss that Your Organization sustains during a Period of Restoration resulting directly from a Network Disruption sustained by a Dependent Business that commences during the Policy Period, but only if the duration of such Period of Restoration exceeds the waiting period set forth in Item 7 of the Declarations and such Network Disruption results solely and directly from a Security Compromise that would have been covered if such Dependent Business had been part of Your Organization and commenced on or after the Retroactive Date. C. Digital Asset Restoration Costs We shall reimburse Your Organization for the Restoration Costs that Your Organization incurs because of the alteration, destruction, damage or loss of Digital Assets that commences during the Policy Period resulting solely and directly from a Security Compromise, but only if such Security Compromise commenced on or after the Retroactive Date. D. Cyber-extortion Threat We shall reimburse Your Organization for the Cyber-extortion expenses and Cyber-extortion payments that Your Organization actually pays directly resulting from a Cyber-extortion threat that Your Organization first receives and reports to Us during the Policy Period. II. TERRITORY This Policy applies to Losses anywhere in the world. III. EXCLUSIONS The coverage under this Policy does not apply to any Loss arising out of, or resulting, directly or indirectly, from: A. Any costs of updating, upgrading or remediation of Your Computer Systems or Your Digital Assets; provided, however, this exclusion shall not apply to Restoration Costs otherwise covered under Coverage C.; B.
Any criminal, dishonest, fraudulent or intentional act committed by You or on Your behalf; provided, however, if the criminal, dishonest, fraudulent or intentional act is committed by any employee who is not a principal, partner, officer, director, trustee or manager and without the knowledge or direction of any of Your principals, partners, officers, directors, trustees or managers, then this exclusion will not apply to Your Organization;

C. Any failure of:
1. Telephone lines;
2. Data transmission lines or wireless communications connection; or
3. Other telecommunications equipment, facilities or electronic infrastructure, including equipment, facilities or infrastructure that supports the operation of computer networks, including the internet, which are used to transmit or receive voice or data communications and which are not under Your direct operational control or, if applicable, not under the direct operational control of Your Service Provider;

D. The failure, malfunction, or inadequacy of any satellite; any electrical or mechanical failure and/or interruption, including but not limited to electrical disturbance, spike, brownout or blackout; or any outage to gas, water, telephone, cable, telecommunications or other infrastructure, unless such infrastructure is under Your operational control;

E. Fire, smoke, explosion, lightning, wind, water, flood, earthquake, volcanic eruption, tidal wave, landslide, hail, an act of God or any other physical event, however caused;

F. Any seizure, confiscation, nationalization, or destruction of, or damage to or loss of use of any digital asset or Your Computer Systems by order of any governmental authority;

G.
Any act or circumstance occurring prior to the inception date of this Policy, if on or before such date, You knew or reasonably could have foreseen that the act or circumstance could lead to a Loss; provided, however, the knowledge of employees, other than officers, shall not be used to determine the applicability of this exclusion;

H. Any of the following:
1. Any presence of pollutants or contamination of any kind;
2. Any actual, alleged or threatened discharge, dispersal, release, or escape of pollutants or contamination of any kind;
3. Any direction or request to test for, monitor, clean up, remove, contain, treat, detoxify, or neutralize pollutants or in any way respond to or assess the effects of pollutants or contamination of any kind;
4. Manufacturing, mining, use, sale, installation, removal, distribution of or exposure to asbestos, materials, or products containing asbestos, asbestos fibers or dust;
5. Ionizing radiation or contamination by radioactivity from any nuclear fuel or any nuclear waste from the combustion of nuclear fuel;
6. Actual, potential or alleged presence of mold, mildew or fungi of any kind;
7. The radioactive, toxic, or explosive or other hazardous properties of any explosive nuclear assembly or nuclear component thereof; or
8. The existence, emission or discharge of any electromagnetic field, electromagnetic radiation or electromagnetism that actually or allegedly affects the health, safety or condition of any person or the environment or that affects the value, marketability, condition or use of any property;

I.
Any act of terrorism; strike or similar labor action, war, invasion, act of foreign enemy, hostilities or warlike operations (whether declared or not), civil war, mutiny, civil commotion assuming the proportions of or amounting to a popular rising, military rising, insurrection, rebellion, revolution, military or usurped power, or any action taken to hinder or defend against these actions; including all amounts of whatsoever nature directly or indirectly caused by, resulting from or in connection with any action taken in controlling, preventing, suppressing, or in any way relating to the above;

J. Ordinary wear and tear, gradual deterioration of or failure to maintain Digital Assets or Computer Systems on which Digital Assets are processed or stored, whether owned by You or others;

K. The physical loss of, damage to or destruction of tangible property, including the loss of use thereof; provided, however, “tangible property” does not include Digital Assets, but does include all computer hardware;

L. Any Loss notified to a previous policy or any pending Loss or any litigation, demand, arbitration, administrative or regulatory proceeding or investigation commenced prior to the inception date of this Policy, or any other policy of which this Policy is a renewal, replacement or succeeds in time;

M. Any Loss arising from any Malicious Code that was not directly and specifically targeted at Your Computer Systems.

N. Any form of third party liability or other legal liability, including but not limited to, any lawsuits, claims or demands by any third party, employee, officer, director or partner.

IV. DEFINITIONS

A. Act of terrorism means:
1.
any act certified an act of terrorism pursuant to the federal Terrorism Risk Insurance Act of 2002 or otherwise declared an act of terrorism by any government;
2. any act committed by any person or group of persons designated by any government as a terrorist or terrorist group or any act committed by any person or group of persons acting on behalf of or in connection with any organization designated by any government as a terrorist organization; or
3. the use of force or violence and/or the threat thereof by any person or group of persons, whether acting alone or on behalf of or in connection with any organization or government, committed for political, religious, ideological, or similar purposes, including the intention to influence any government and/or put the public, or any section of the public, in fear.

B. Application means all applications, including any attachments thereto, and all other information and materials submitted by You or on Your behalf to Us in connection with the underwriting of this Policy. All such applications, attachments, information and materials are deemed attached to and incorporated into this Policy.

C. Business Income Loss means:
1. Earnings Loss; and/or
2. Expenses Loss.
Business Income Loss does not include:
(1) any contractual penalties;
(2) any costs or expenses incurred to update, upgrade, replace, restore or otherwise improve any Computer System to a level beyond that which existed prior to a Network Disruption;
(3) any costs or expenses incurred to identify, remove or remediate computer program errors or vulnerabilities, or costs to update, upgrade, replace, restore, maintain or otherwise improve any Computer System; or
(4) any legal costs or expenses or loss arising out of liability to any third party;
(5) any loss incurred as a result of unfavorable business conditions; or
(6) any other consequential loss or damage.

D.
Computer Systems means electronic, wireless, web or similar systems (including all hardware and software) used to process data or information in an analog, digital, electronic or wireless format including computer programs, electronic data, operating systems, and components thereof, including but not limited to, laptops, personal digital assistants, media storage and peripheral devices, media libraries, associated input and output devices, networking equipment, and electronic backup equipment. Your Computer System means a Computer System, over which You have direct operational control or that is under the direct operational control of a Service Provider, used to process, maintain or store Your Digital Assets.

E. Cyber-extortion threat means a credible threat or connected series of threats made by someone other than a director, trustee or partner of Your Organization:
1. to introduce Malicious Code into Your Computer System;
2. to interrupt Your Computer System or interrupt access to Your Computer System, such as through a denial of service attack;
3. to corrupt, damage or destroy Your Computer System; or
4. to disseminate, divulge, or improperly utilize any personal or confidential corporate information residing on Your Computer Systems taken as a result of a Network Disruption.

F. Cyber-extortion payment means any sum paid to or at the direction of any third party that You reasonably believe to be responsible for a Cyber-extortion threat; provided that:
1. You obtain Our written consent prior to making such Cyber-extortion payment;
2. You make such Cyber-extortion payment to terminate the Cyber-extortion Threat; and
3. the Cyber-extortion payment does not exceed the amount We reasonably believe would have been incurred had such Cyber-extortion payment not been made.

G. Cyber-extortion expenses means the reasonable and necessary expenses You incur with Our approval in evaluating and responding to a Cyber-extortion threat.
However, Cyber-extortion expenses do not include Your overhead expenses or any salaries, wages, fees, or benefits of Your employees.

H. Dependent Business means any third party, other than a Service Provider, on whom You depend for products and/or services required to conduct Your business.

I. Denial of Service Attack means inability of a third party to gain access to Your Computer Systems through the Internet due to unauthorized attacks or deliberate overloading of bandwidth connections and/or web servers by means of the sending of substantial quantities of repeat or irrelevant communication or data with the intent of blocking access to the Computer System by third parties.

J. Digital Assets means any electronic data, including personally identifiable, non-public information, or computer software over which You have direct control or for which such control has been contractually assigned by Your Organization to a Service Provider. Digital Assets do not include computer hardware of any kind.

K. Earnings Loss means the difference between the revenue that Your Organization would have earned, based on reasonable projections and the variable costs that would have been incurred, but which Your Organization would have saved as a result of not earning that revenue.

L. Employee means any individual in Your Organization’s service, including any part-time, seasonal, or temporary employee, who is compensated by salary, wages, fees or commissions and who You have the right to direct and control, but excluding any partner or director of Your Organization.

M. Expenses Loss means the additional expenses Your Organization incurred to minimize the suspension of business and to continue operations during the Period of Restoration that are over and above the cost that Your Organization reasonably and necessarily would have incurred to conduct Your business had no Network Disruption occurred.
These additional expenses do not include any Restoration Costs or any actual, reasonable and necessary expenses You incur in response to a Network Disruption in order to prevent, minimize or mitigate any further damage to Your Digital Assets, minimize the duration of a Network Disruption or preserve critical evidence of any wrongdoing.

N. Loss(es) means:
1. Business Income Loss;
2. Restoration Costs; and
3. Cyber-extortion payments and Cyber-extortion expenses.
All Losses arising from the same or related underlying facts, circumstances, situations, transactions or events or related Security Compromises shall be deemed a single Loss.

O. Malicious Code means any unauthorized and corrupting or harmful computer code, including but not limited to computer viruses, spyware, Trojan horses, worms, logic bombs, and mutations of any of the preceding.

P. Network Disruption means any of the following events:
1. A detectable failure, interruption or degradation of the operation of Your Computer System; or
2. The denial, restriction or hindrance of access to or use of Your Computer System or Your Digital Assets by any party who is otherwise authorized to have access.
More than one such event that results from the same or related underlying facts, circumstances, situations, transactions or Security Compromises shall be considered a single Network Disruption which commences on the date of the earliest of such events.

Q. Period of Restoration means the time period from the commencement of a Network Disruption to the earlier of:
1. the date that Your Computer System is, or with reasonable diligence could have been, restored to the condition and functionality that existed immediately prior to the Network Disruption; or
2. sixty (60) consecutive days after the termination of the Network Disruption.

R. Policy Period means the period of time from the effective date to the expiration date specified in Item 2 of the Declarations, or any earlier cancellation date.

S.
Restoration Costs means the actual, reasonable and necessary costs You incur to replace, restore, or re-create Your Digital Assets to the level or condition at which they existed prior to sustaining any Loss. If such Digital Assets cannot be replaced, restored or recreated, then Restoration Costs will be limited to the actual, reasonable and necessary costs You incur to reach this determination. Restoration Costs do not include:
1. any costs You incur to replace, restore or recreate any of Your Digital Assets that were not subject to regular network back-up procedures at the time of the Loss;
2. any costs or expenses incurred to update, upgrade, replace, restore or otherwise improve Your Digital Assets to a level beyond that which existed prior to sustaining any Loss;
3. any costs or expenses incurred to identify, remove or remediate computer program errors or vulnerabilities, or costs to update, upgrade, replace, restore, maintain or otherwise improve any Computer System; or
4. the economic or market value of any Digital Assets, including trade secrets.

T. Retroactive Date means the date specified in Item 5 of the Declarations.

U. Security Compromise means:
1. The unauthorized access or use of Your Computer System or Your Digital Assets;
2. The unauthorized transmission of computer code into Your Computer System that causes loss or damage to Your Digital Assets; or
3. A Denial of Service Attack on Your Computer System that causes loss or damage to Your Digital Assets.

V. Service Provider means any third party that is responsible for the processing, maintenance, protection or storage of Your Digital Assets pursuant to a written contract directly with Your Organization. A Service Provider does not include any provider of telecommunications services, including internet access, to You.

W.
Subsidiary means any corporation where more than 50% of the outstanding securities representing the present right to vote for the election of such corporation's directors are owned by the Named Assured, directly or indirectly, if such corporation:
1. was so owned on the inception date of this Policy;
2. becomes so owned after the inception date of this Policy, provided the revenues of such corporation do not exceed 15% of Your Organization’s annual revenues as set forth in its most recent audited financial statement; or
3. becomes so owned after the inception date of this Policy, provided that if the revenues of such corporation exceed 15% of Your Organization’s annual revenues as set forth in its most recent audited financial statement, the provisions of Section VII.L. must be fulfilled.

X. We, Us or Our means the underwriters providing this insurance.

Y. You or Your or Yours means:
1. the entity named in Item 1 of the Declarations (“Named Assured”) and its subsidiaries (together “Your Organization”);
2. Any present or future director, officer, or trustee of Your Organization, but only with respect to the performance of his or her duties as such on behalf of Your Organization;
3. Any present or future employee, including any temporary, part-time or leased employee, of Your Organization but only with respect to work done while acting within the scope of his or her employment and related to the conduct of Your Organization’s business;
4. In the event that the Named Assured is a partnership, limited liability partnership, or limited liability company, then any general or managing partner, principal, or owner thereof, but only while acting within the scope of his or her duties as such;
5. Any person who previously qualified as You under 2., 3., or 4.
above prior to the termination of the required relationship with Your Organization, but only with respect to the performance of his or her duties as such on behalf of Your Organization;
6. The estate, heirs, executors, administrators, assigns and legal representatives of any of You in the event of Your death, incapacity, insolvency or bankruptcy, but only to the extent that You would otherwise be provided coverage under this insurance; and
7. Any agent or independent contractor, including any distributor, licensee or sub-licensee, but only while acting on Your behalf, at Your direction, and under Your control.

V. LIMITS OF LIABILITY

A. The amount indicated in Item 3.A. of the Declarations (herein the “policy aggregate limit”) is the most We will pay in the aggregate under this Policy, under all Coverages combined, for all Losses regardless of the number of You, the number of Losses or the number of persons or entities who are affected by such Losses, or the number of Coverages triggered.

B. When purchased as indicated in Item 3.B. of the Declarations:
1. the amount indicated as the Sub-Limit of Liability applicable to Coverage A. is the most We will pay for all Business Income Loss from each Security Compromise and all Security Compromises in the aggregate;
2. the amount indicated as the Sub-Limit of Liability applicable to Coverage B. is the most We will pay for all Dependent Business Income Loss from each Security Compromise and all Security Compromises in the aggregate;
3. the amount indicated as the Sub-Limit of Liability applicable to Coverage C. is the most We will pay for all Restoration Costs from each Security Compromise and all Security Compromises in the aggregate; and
4. the amount indicated as the Sub-Limit of Liability applicable to Coverage D. is the most We will pay for all Cyber-extortion payments and Cyber-extortion expenses from each Cyber-extortion threat and all Cyber-extortion threats in the aggregate; and
such Sub-Limits of Liability being referred to herein as the “Sublimits of liability”, each of which is part of, and not in addition to, the policy aggregate limit.

C. Regarding Coverage A., the Earnings Loss Hourly Limit (Valued) stated in Item 3.C. of the Declarations is the amount we will pay for Earnings Loss per hour during the Period of Restoration. The Earnings Loss Hourly Limit (Valued) is part of, and not in addition to, the Coverage A. Sublimit of liability as stated in Item 3.B. of the Declarations. If You determine that the actual Earnings Loss exceeds the Earnings Loss Hourly Limit (Valued) during the Period of Restoration, You have the option to prove the actual amount of Your Earnings Loss. If You opt to prove the actual amount of Your Earnings Loss, the actual Earnings Loss shall be proven, at Your expense, and calculated on an hourly basis based upon Your actual loss of gross margin during the Period of Restoration. In determining the amount of gross margin covered hereunder for the purpose of ascertaining the amount of Earnings Loss sustained under Coverage A., due consideration shall be given to the experience of Your business during the Period of Restoration, and to the probable business You could have performed had no Network Disruption occurred.

Earnings Loss shall be reduced to the extent You are able to, or should have been able to with the exercise of due diligence and dispatch, in whole or in part, end, reduce or limit the Period of Restoration, or conduct Your business by means other than through the use of Your Computer System or the affected portion thereof.

VI. DEDUCTIBLES

A. We will only pay Loss in excess of any applicable deductible amount set forth in Item 4. of the Declarations.

B. With respect to Coverage A., the applicable deductible amount set forth in Item 4. of the Declarations applies once the Period of Restoration resulting from a Network Disruption has exceeded the Waiting Period in hours set forth in Item 7.
of the Declarations; then the Business Income Loss applicable to the deductible amount set forth in Item 4. of the Declarations shall be computed as of the commencement of such Network Disruption.

C. With respect to Coverage B., the applicable deductible amount set forth in Item 4. of the Declarations applies once the Period of Restoration resulting from a Network Disruption has exceeded the Waiting Period in hours set forth in Item 7. of the Declarations; then the Dependent Business Income Loss applicable to the deductible amount set forth in Item 4. of the Declarations shall be computed as of the commencement of such Network Disruption.

D. At our sole and absolute discretion, we may pay all or part of the applicable deductible, in which case You agree to repay us immediately after we notify You of the payment. The applicable deductible shall first be applied to any Loss covered by this policy that is paid by us, or by You with our prior written consent.

E. The applicable deductibles as outlined in Item 4. of the Declarations apply separately to each single Loss.

VII. POLICY CONDITIONS

A. Named Assured Authorization
The Named Assured first specified in Item 1. of the Declarations has the right and duty to act on Your behalf for:
1. The giving and receiving of notice of cancellation;
2. The payment of premiums, including additional premiums;
3. The receiving of any return premiums;
4. The acceptance of any endorsements added after the effective date of coverage;
5. The payment of any deductibles;
6. The receiving of any Loss payments; and
7. Otherwise corresponding with us.

B. Warranty by You
By acceptance of this Policy, You agree that the statements contained in the Application, any Application for coverage of which this Policy is a renewal, and any supplemental materials submitted therewith, are Your agreements and representations, that they shall be deemed material to the risk assumed by Us, and that this Policy is issued in reliance upon the truth thereof.
The misrepresentation or non-disclosure of any matter by You or Your agent in the Application, any Application for coverage of which this Policy is a renewal, or any supplemental materials submitted therewith, will render the Policy null and void and relieve Us from all liability under the Policy. The Application and any Application for coverage of which this Policy is a renewal, and any supplemental materials submitted therewith, are deemed incorporated into and made a part of this Policy.

C. Inspections and Surveys
We may choose to perform inspections or surveys of Your operations, conduct interviews and review documents as part of our underwriting, our decision whether to provide continued or modified coverage, or our processing of any Loss. If we make recommendations as a result of these inspections, You should not assume that every possible recommendation has been made or that Your implementation of a recommendation will prevent a Loss. We do not indicate by making an inspection or by providing You with a report that You are complying with or violating any laws, regulations, codes or standards.

D. Changes in Operations
You agree to notify us of any significant changes to Your operations and activities. If these changes in operations or activities result in a substantial change to Your exposure, then we have the right to modify the coverage provided or make adjustments to the premium or rates charged for any coverage provided hereunder.

E. Standard of Security
You agree to protect and maintain Your Computer System and Your Digital Assets to the level or standard at which they existed at the time of, and were represented to Us in the Application and confirmed by Us during any subsequent inspections or assessments made as a condition of the agreement by Us to provide such coverage.

F. Bankruptcy
Bankruptcy or insolvency of any of you shall not relieve us of our obligations under this Policy.

G.
Assignment
Your interest under this Policy may not be assigned to any other person or organization, whether by operation of law or otherwise, without our written consent.

H. Words and Titles of Paragraphs
The titles of paragraphs, section, provisions, or endorsements of or to this policy are intended solely for convenience and reference, and are not deemed in any way to limit or expand the provisions to which they relate and are not part of the policy. Whenever the singular form of a word is used herein, the same shall include the plural when required by context.

I. Other Insurance
This insurance shall apply in excess of any other valid and collectible insurance available to You, including any retention or deductible portion thereof, unless such other insurance is written only as specific excess insurance over the policy aggregate limit as stated in Item 3.A of the Declarations.

J. Waiver
In the event we do not insist on strict compliance with any of the terms, provisions or conditions of coverage under this Policy, or if we do not exercise our rights or privileges thereto, our actions shall neither operate nor be construed as a waiver of our right to enforce any term, provision, or condition of coverage.

K. Cancellation
1. This Policy may be cancelled by You, by surrender thereof to Us or by mailing to Us through the entity named in Item 8 of the Declarations, written notice stating when the cancellation shall be effective.
2. This Policy may be cancelled by Us by mailing to You at the address shown in the Declarations written notice stating when not less than thirty (30) days thereafter, such cancellation shall be effective. However, if We cancel this Policy because You have failed to pay a premium when due, this Policy may be cancelled by Us by mailing a written notice of cancellation to You at the address shown in the Declarations stating when not less than ten (10) days thereafter, such cancellation shall be effective.
Mailing of notice shall be sufficient proof of notice. The time of surrender or the effective date and hour of cancellation stated in the notice shall become the end of the Policy Period. Delivery (where permitted by law) of such written notice either by You or by Us shall be the equivalent of mailing.
3. If You cancel this Policy, fifteen percent (15%) of the premium shall be deemed earned upon inception of this Policy, and we shall retain the remaining earned premium computed on a customary short rate basis.
4. If We cancel this Policy, we shall retain the earned premium on a pro rata basis.
5. Premium adjustment may be made either at the time cancellation is effected or as soon as practicable after cancellation becomes effective, but payment or tender of unearned premium is not a condition of cancellation.

L. New Subsidiaries/Changes in Named Assured or Your Organization
1. During the policy period, if You acquire another corporation whose annual revenues are more than fifteen percent (15%) of Your Organization’s annual revenues as set forth in its most recent audited financial statements, then for a period of ninety (90) days after the effective date of the acquisition, the newly acquired subsidiary will be included within the definition of Your Organization but only for any Security Compromise involving such subsidiary that commenced or any Cyber-extortion threat involving such subsidiary received after the effective date of the acquisition. Upon expiration of the ninety (90) day period, there shall be no coverage under this Policy for any Security Compromise or Cyber-extortion threat involving the newly acquired subsidiary unless You give Us written notice of the acquisition containing full details thereof, and We have agreed to add coverage for the newly acquired subsidiary upon such terms, conditions, and limitations of coverage and such additional premium as We, in Our sole discretion, may require.
2.
During the policy period, if the Named Assured consolidates or merges with or is acquired by another entity, or sells substantially all of its assets to another entity, or a receiver, conservator, trustee, liquidator, or rehabilitator, or any similar official is appointed for or with respect to the Named Assured, then all coverage under this Policy shall continue to the expiration of the Policy Period but only for any Security Compromise that commenced, or any Cyber-extortion threat received, prior to the date of such consolidation, merger or appointment.
3. Should a corporation cease to be a subsidiary after the inception date of this Policy, coverage with respect to such corporation shall continue as if it was still a subsidiary until the expiration date of this Policy, but only with respect to any Security Compromise involving such corporation that commenced, or any Cyber-extortion threat involving such corporation received, prior to the date that it ceased to be a subsidiary.
4. All notices and premium payments made under this paragraph shall be directed to Us through the entity named in Item 8 of the Declarations.

VIII. LOSS CONDITIONS

A. Notice of Loss
If during the Policy Period You become aware of a Loss, then You agree to promptly notify us in writing of such a Loss (a “Loss Notification”). All Loss Notifications shall be sent to persons named in Item 8. of the Declarations. If the initial Loss Notification is sent by e-mail, then a copy shall also be sent by regular mail. We shall have no obligation to pay any Losses incurred by You, nor shall any applicable deductible amounts set forth in Item 4. of the Declarations be eroded by any Losses incurred by You before a Loss Notification is received by the persons named in Item 8. of the Declarations.

B.
Notice of Circumstance
If during the Policy Period You become aware of a circumstance from which a Loss is reasonably anticipated, and if You promptly notify us in writing (a “Notice of Circumstance”) of the following:
1. the identity of each of you involved in the circumstance;
2. a detailed description of the circumstance;
3. the Loss which resulted or may result from the circumstance;
4. the manner by which You first became aware of the circumstance
then any Loss reported by You arising out of such circumstance shall be deemed for the purpose of this Policy to have been made or reported on the date which the Notice of Circumstance was mailed to us. Any Notice of Circumstance shall be sent to Our Representative at the address shown in Item 8. of the Declarations. If the initial Notice of Circumstance is sent by e-mail, then a copy shall also be sent by regular mail. We shall have no obligation to pay Losses incurred by You, nor shall any applicable deductible amounts set forth in Item 4. of the Declarations be eroded by any Losses incurred by You before a Notice of Circumstance is received by the persons named in Item 8. of the Declarations.

C. Duties in the Event of a Loss
You must see that the following are done if You send us a Loss Notification:
1. At our request, notify the police, FBI, CERT or other applicable law enforcement authority, central reporting or investigative organization that we may designate, if it appears that a law may have been broken;
2. Immediately take all reasonable steps and measures necessary to limit or mitigate the Loss;
3. Send us copies of every demand, notice, summons, or any other applicable information You receive;
4. If requested, permit us to question You under oath at such times and places as may be reasonably required about matters relating to this insurance, including Your books and records;
5. Send us a sworn statement of Loss containing the information we request to resolve, settle or otherwise handle the Loss.
We will provide You with the necessary forms;
6. Cooperate with us and counsel we may appoint in the investigation of any Loss covered by this Policy;
7. Assist us and counsel we may appoint in the investigation or settlement of Losses;
8. Assist us in protecting and enforcing any right of subrogation, contribution or indemnity against any person, organization or other entity that may be liable to You, including attending depositions, hearings and trials; and
9. Otherwise assist in securing and giving documentation and evidence, and obtaining the attendance of witnesses.

D. Legal Action
1. Prerequisites to Legal Action. We and You agree that in the event of a dispute regarding a Loss under this Policy, no lawsuit will be filed against the other party unless:
a. You have fully complied with all the terms and conditions of this Section D.; and
b. Twenty (20) business days have elapsed from the decision on the mini-trial pursuant to Section E. below.
2. Jurisdiction
We and You agree to submit to the jurisdiction of a Court of competent jurisdiction within the United States. However, this does not waive Your or our right to remove a lawsuit to a United States District Court, or to seek a transfer of a case to another Court as permitted by the laws of the United States or of any State in the United States.
3. Choice of Law
Any disputes involving this Policy shall be resolved applying the law designated in Item 9. of the Declarations.

M. Service of Suit Clause (U.S.A.)
It is agreed that in the event of our failure to pay any amount claimed to be due under this Policy, at Your request we will submit to the jurisdiction of a court of competent jurisdiction within the United States.
Nothing in this clause constitutes or should be understood to constitute a waiver of our rights to commence an action in any court of competent jurisdiction in the United States, to remove an action to a United States District Court, or seek a transfer of a case to another court as permitted by the laws of the United States or any state in the United States. It is further agreed that service of process in such suit may be made upon our representative, designated in Item 8 of the Declarations, and that in any suit instituted against any one of us upon this contract, we will abide by the final decision of such court or of any appellate court, in the event of an appeal. Our representative designated in Item 8 of the Declarations is authorized and directed to accept service of process on our behalf in any such suit and/or upon your request to give a written undertaking to You that they will enter a general appearance upon our behalf in the event such a suit shall be instituted. Pursuant to any statute of any state, territory, or district of the United States which makes provision therefore, we hereby designate the Superintendent, Commissioner, or Director of Insurance or other officer specified for that purpose in the statute, or his successor in office, as our true and lawful attorney upon whom may be served any lawful process in any action, suit, or proceeding instituted by or on behalf of You or any beneficiary hereunder arising out of this Policy, and hereby designate our representative listed in Item 8 of the Declarations as the person to whom the said officer is authorized to mail such process or a true copy thereof.

E. Dispute Resolution
We and You agree to attempt in good faith to resolve any dispute arising out of or relating to this Policy promptly by negotiation in accordance with the following schedule:
1. If the dispute has not been resolved by negotiation within thirty (30) days of the disputing party’s notice, either party may demand that the dispute be submitted for non-binding resolution by mini-trial.
2. The parties shall have ten (10) business days to agree on a mini-trial neutral.
3. If the parties are unable to agree on a mini-trial neutral, no more than three (3) business days after the expiration of the ten (10) day period set forth in subpart 2. above, each party shall submit to the other party the name of a single proposed mini-trial neutral who is available and able to comply with the requirements set forth herein.
4. If the parties are unable to agree after such disclosure, the mini-trial neutral will be determined as follows: Your proposed mini-trial neutral will be selected if the first digit to the left of the decimal point of the Dow Jones Industrial Average’s closing number two (2) business days after the expiration of the period set forth in 3. above is an even number. Our proposed mini-trial neutral will be selected if that digit is an odd number.
5. The parties must submit confidential briefs no longer than twenty-five (25) double-spaced pages, along with no more than five exhibits, to the mini-trial neutral within twenty (20) business days of the selection of the neutral.
6. The meeting with the mini-trial neutral must take place within fourteen (14) business days of the submission of the briefs set forth in 5. above.
7. The mini-trial neutral shall submit a written decision to the parties within ten (10) business days of the meeting set forth in 6. above.
No person or organization will have any right under this policy to join us as a party to any action against You to determine Your liability.

F. Subrogation
In the event of any payment under this Policy, You agree to give us the right to any subrogation and recovery to the extent of our payments.
You agree to execute all papers required and will do everything that is reasonably necessary to secure these rights to enable us to bring suit in Your name. You agree to fully cooperate in our prosecution of that suit. You agree not to take any action that could impair our right of subrogation without our written consent, whether or not You have incurred any un-reimbursed Loss.