How Will An Insurance Exclusion Affect the Facilities Protection Initiative and the Risk Exposure of Your Clients?

Philip D. Kessack, J.D.

The impact of the terrorist attacks of Sept. 11, 2001 on the World Trade Center and the Pentagon continues to reverberate as government and private-sector utilities evaluate the potential ramifications of this newly identified threat to their operations. If such an attack were attempted and feasible, a successful terrorist attack on a major dam or other critical utility conceivably might result in even greater loss of life and property and would likely have a significant impact on the global economy.

In response to this evolving threat, the federal government has created the Facilities Protection Initiative - a major shift in federal spending that focuses on the vulnerabilities of the nation's utility infrastructure to future terrorist attack and an effort to reduce potential vulnerabilities. States and commercial utility owner/operators are also heavily involved in this initiative. From huge hydroelectric dams to natural gas pipelines to the electrical infrastructure, there is an increasing level of effort to conduct threat analyses and develop appropriate safeguards to minimize the potential impact of terrorist attacks on these critical utilities.

Unfortunately, the effectiveness of this effort is being increasingly hamstrung by the inability or unwillingness of the insurance industry to provide liability protection to the security consultants and other experts who are needed to address this threat. As a result, it is even more important for the legal counsel to carefully evaluate the risks associated with these expanding services - and the related risks associated with performing such services in the absence of insurance protection.

One of the industries hardest hit by the terrorist attack was the insurance industry. Several major insurance carriers have had to pay out billions of dollars in a relatively short period of time to families of the victims and owners of the destroyed/damaged properties. As a result, the insurance and re-insurance carriers have moved quickly to prevent future losses by expressly excluding losses associated with terrorist attacks from their coverage. Legal counsel for the insurance carriers are carefully evaluating this risk and preparing insurance exclusions and other limitations to protect the assets of the insurance carriers from massive potential claims associated with future attacks.

Just as the insurance industry created the "pollution exclusion" to avoid escalating environmental liabilities in the 1980s, the insurance industry now is routinely inserting a "terrorist exclusion" in its various forms of insurance coverage. As a result, the very entities that are being called upon to conduct the threat analyses and to propose steps to reduce these vulnerabilities to the water and power infrastructure are now finding themselves unable to obtain insurance to cover their risk exposures associated with such services. The potential impact of this lack of insurance protection is likely to have a significant impact on the effectiveness of the Facility Protection Initiative and is likely to ultimately result in a substantial reduction in the clarity and specificity of the resultant studies.

By way of example, assume that the owner of a large hydroelectric plant/dam hires consulting engineers, security analysts, intellectual technology professionals and others (Security Professionals) to conduct a threat analysis of the critical components of the facility and to develop a report on the recommended steps to minimize the identified vulnerabilities. The intent is to obtain a professional analysis of the critical components of the facility (e.g., mechanical, electrical and instrumentation systems, etc.), identify the vulnerabilities of those critical component, evaluate the potential ways in which those critical components could be attacked, and then develop procedures and other safeguards to minimize those risks. Although the context of these studies may be somewhat new, the Security Professionals routinely provide the bulk of these services in many other contexts. However, the injection of the terrorism exclusion in insurance policies radically alters the nature and scope of that risk. Activities deemed to be "routine" in a different context might now expose the Security Professional to substantial and uninsured liability.

This problem is compounded by the fact that the sudden and rapid growth in the demand for the facility protection services is resulting in a situation comparable to the environmental remediation industry in the 1970s-80s where there was a lack of generally-accepted methodologies/industrial standards, limited professional registrations, and everyone with a shovel could claim to be a "remediation expert." Those circumstances resulted in a widely varying level of professional competence and resulted in vague standards against which performance could subsequently be measured when legal claims subsequently arose.

The actual potential risk being assumed by the Security Professionals is difficult to quantify and raises several critical legal issues.

• In the absence of clearly defined industry standards, methodologies and practices, what is the standard of performance against which the Security Professional's performance to be measured?
• In view of the September 11 attacks, what is now "foreseeable?"
• Is the Security Professional at risk if it fails to address risks that were raised by other Security Professionals at comparable facilities, even though the Security Professional was not aware of the other often-confidential reports?
• What is the obligation of the Security Professional to consider the financial viability of their recommendations?
• What is the Security Professional's liability to its client and others if the terrorist applies a technique or approach that was not considered by the Security Professional?
• Can the Security Professional reasonably be expected to anticipate every conceivable threat inherent in a terrorist attack where a person may be willing to commit suicide in order to attack the target?
• Is such an approach even feasible or desirable in a relatively open democratic society?
• What is the duty of the Security Professional to those persons located downstream from the facility for which a threat analysis has been conducted?
• Is there a duty? If so, is negligence the appropriate standard of liability for the Security Professional or does the potential magnitude of the risk to downstream third parties create a standard of strict liability?

It is also important to evaluate the risk from the perspective of the government and other owners/operators of critical utilities. This perspective, in turn, raises several important legal issues:

• What is the potential liability of the utility if a terrorist wantonly damages or destroys the facility, resulting in substantial third-party personal, property or economic loss?
• What is the risk exposure of the utility if its consultant Security Professional cannot obtain insurance and has limited assets to protect the utility from potential claims related to the failure of the Security Professional to accurately anticipate the nature of the threat resulting in an actual loss?
• What is the duty of the utility to conduct a facility security review?
• What is the "standard industry practice" for having a facility security review conducted?
• What constitutes "due diligence?"
  
• What is the risk to the utility in not fully implementing all of the recommendations of the Security Professional without regard to the financial viability of such recommendations?
• What is the risk to the facility if it schedules implementation of protective procedures over time and a loss is incurred before the procedures or systems are fully in place?
  
• What is the viability of a defense of sovereign immunity where the governmental agency has failed to meet its duty to apply reasonably security protection for a critical utility? Is this a non-discretionary duty?
• What additional liability does the governmental agency assume if it grants indemnity to the Security Professional?
• Can the government "protect" the Security Professional by designating the Security Professional as an "agent" so as to qualify for the protection of sovereign immunity?
• What is the likely impact on the quality of the services if the lack of insurance or indemnity results in the most capable Security Professionals refusing to assume these risks?
• What is the duty of the legal advisors to elevate these issues to the senior management or board of directors of the company?

Although the probability of a claim may be relatively low, the cost of such a claim to the Security Professional could be catastrophic. As James Thurber once said "The chance of being eaten by a leopard on Main Street is probably one in a million B but it only takes once." The risk associated with performing the threat analysis and providing critical utilities with security-related recommendations to a facility that is subsequently successfully attacked by terrorists is relatively low, but the risk in the absence of either insurance or indemnification might prove catastrophic to the Security Professional's financial viability. Even if ultimately successful, the defendant could well be driven into bankruptcy by the financial cost of defending massive claims from those persons suffering loss as a result of a terrorist assault on a major dam or other critical utility.

If the absence of insurance becomes the status quo, the Security Professionals will have little choice but to carefully define their scope of work, qualify their recommendations and include substantial disclaimers limiting the ability of the utility to effectively use and apply their findings and recommendations. The legal advisor to the Security Professional will have to carefully review and craft such limitations to ensure that they are sufficient in scope and defensible in the event of a future claim. The legal advisors of the utilities, by contrast, will have a corresponding responsibility to evaluate the scope, reports and disclaimers to ensure that the scope, as proposed and as implemented, addresses the client's needs, the reports are reasonably specific and that the disclaimers are appropriate under the circumstances.

The role of the legal advisor will be a critical component in managing these undefined and potentially catastrophic risks. Defendant's counsel will need to carefully review the contractual and other protections available to the Security Professionals. Defendant's counsel will also need to carefully evaluate the risks to the nations utilities and their investors/owners. Plaintiff's counsel will need to carefully evaluate the roles of the Security Professionals and the utilities industry to help define the standard of care and to clarify the duty, if any, that the utilities owe to persons potentially impacted by a terrorist attach on critical utilities. They will also have to evaluate whether the resources of the defendants, in the absence of insurance, will be capable of providing adequate compensation for their clients. And those advising municipalities and other government institutions will need to evaluate how to best protect the public while still preserving the necessary resources to properly govern.

If the pollution exclusion imposed by the insurance industry is any indicator, the next few years should be interesting. There are already efforts in Congress to address the lack of insurance availability relating to terrorist attacks by providing some level of government protection above certain defined insurance caps. In the long run, it is likely that some form of specialized terrorist insurance will become available, just as the contractor's pollution liability insurance has evolved into a standard insurance product. Such insurance will in all probability be "claims-made" with significant deductibles and limited coverage. Until such time as that insurance becomes available, however, the legal advisor has a responsibility for carefully evaluating the risk and advising its clients of the legal risks inherent in performing potentially high-risk activities in the absence of such insurance.

Philip D. Kessack is an associate counsel at MWH Americas, Inc., an environmental engineering company. He can be contacted at Philip D.Kessack@mwhglobal.com.