Category: Insurance Concepts & Scope
Home / All /

Does the 10 year longstop still apply?

Not so long ago, in our Communique article “How long to keep records”  we said

“The warm fuzzies induced by the 10 year longstop on liability under the Building Act have been under threat from cases brought to Court.  So far, so good.  But it would be unwise to biff out everything related to a project as soon as the longstop is reached” 

Alas, in May 2021 the decision on the October 2020 hearing of BNZ Branch Properties Limited v Wellington City Council [2021] NZHC 1058  has made good on that threat.  There may be the possibility of an Appeal, but currently, the position is that if (for example) the owner makes a claim on the contractor at 9 years and 364 days, that contractor would have another two years to seek a contribution from you as a “third party”.

The case arises out of the BNZ building on the waterfront in Wellington, which was damaged in the 2016 Kaikoura earthquake and later demolished. 

In August 2019, BNZ sued the Wellington City Council for negligence in respect of granting the building consent, inspecting during construction, and issuing a CCC.  A month later, Council sued the engineers, Beca, as a negligent third party, seeking a contribution in accordance with s17 of the Law Reform Act.  Beca argued that it had provided its engineering services in March 2008, more than 10 years before Council filed its claim, and thus the claim was time-barred by s393(2) of the Building Act. 

The issue before the court was not whether or not Beca was negligent, but whether – in consideration of the limitation issues – they were liable.

The Building Act s393(2) states

“….no relief may be granted in respect of civil proceedings relating to building work if those proceedings are brought against a person after 10 years or more from the date of the act or omission on which the proceedings are based.”

In simplistic terms, the understanding has been that you are not liable for your actions (as a building designer) beyond 10 years from the date on which your actions may have given rise to the alleged problems. 

NZ case law has confirmed that in respect of primary claims between plaintiffs and defendants;  but the position has not been so clear in relation to third party claims.  This was a test case for that issue, with about $100 million at stake.

Beca argued that the use of the words “civil proceeding” in s393(2) of the Building Act was intended to include “every form of civil proceeding regardless of its source or makeup”.

The High Court, after a detailed consideration of the relationship between s393 of the Building Act, s17 of the Law Reform Act, and s34 of the Limitation Act 2010, held that the term “civil proceeding” in s393 of the Building Act refers only to a primary claim between a plaintiff and defendant, and does not include a claim for contribution.

Third party claims – such as the Council’s claim against Beca – must be initiated within a two-year period provided for in the Limitation Act 2010.  This judgement establishes that so long as a claim is made on a party within the Building Act 10 year longstop, that party would then have two years in which to make a claim against third parties.

NZACS has previously suggested that the WHRS timelines justify keeping your documents 12 years, not just 10:  such things may (almost) be in the past, but this new case reinstates that recommendation.  Those “warm fuzzies” are now facing the reality of winter.

Selecting Professional Indemnity Cover

Selecting Professional Indemnity Cover

When deciding what limit to take, you should consider:

• Type of work undertaken. Commercial, Residential, Govt
• Size of client and ability to fund litigation against you.
• Value of the projects undertaken.
• Complexity of the projects undertaken.
• Size of your practice – the number of staff and the amount of project work.
• Contractual obligations that specify a limit of indemnity and period of time

Remember that you could be the subject of more than one claim during a policy year and the potential accumulation of claims losses should be part of your consideration when selecting an indemnity limit, not just the limitation of liability under a single project engagement.

Quotations for higher levels of indemnity beyond your existing limit can be provided at any time during the insurance period. The pricing difference to increase your cover may not be as much as you think, so we encourage you to get a quote for a higher limit.

The policy provides one reinstatement of the Limit of Indemnity i.e. the indemnity limit you choose is for any one claim and twice that limit will be available for all claims in the insurance year (subject to any sub limits and policy conditions). Example: $1,000,000 any one claim during the period of insurance up to $2,000,000 in total for all claims during the period of insurance.

Cyber Liability & Risks

Cyber Liability & Risks

As a result of COVID-19, many of you are managing the transition to new working arrangements, which include working remotely from home. Hackers often exploit large scale events, such as COVID-19 to strike, seizing opportunities that are potentially more stressful, busy, or when staff are away.

Hackers look for all kinds of ways to access employee credentials and data. Once they have access to computer systems, they will cause havoc, both in downtime and expense (extortion and ongoing money transfers).

An example of an increasing trend in Cyber-attack is unauthorised access to valid purchase order invoices and email addresses (often very subtle changes to the address are common). They will amend the invoice bank accounts to their own. You then receive this email from your ‘supplier’ and the result is a mis-payment to the hacker rather than your supplier. It may be days or weeks until this theft is known, at this time it is then too late for your bank to recall funds from the incorrect account.

Another example is receiving an email from a supplier advising you that they have changed their bank account for invoice payment. How do you know if this email is legitimate? The key difference is that with this kind of circumstance, your supplier should communicate with you well in advance. If you receive this kind of email and are ever in doubt, ensure you speak with the ‘sender’ before clicking on any links or changing any bank account details.

Here some steps you can take to reduce cyber risk.

• Ensure all bank account changes require a second means of verification – this being a phone call or text to your verified contact at the business to ensure the change is valid.
• Where applicable, a minimum of two internal persons within the organisation to verify the change is valid, this includes the above process and to contact your own bank if required to acknowledge the change. Large one off transactions should have this in place already.
• Record all changes, dates and signatories involved.
• Have the above processes documented including staff training, to ensure that in the event of annual leave or a staff member being away from their duties, this doesn’t provide an opportunity for the process to be missed.
• Be extra diligent, take a bit of extra time to consider the request and its legitimacy.

Covid-19 for cyber criminals is like the holiday period for burglars – their business model is thriving! Aon has seen a rise in phishing-style attacks and Cyber liability claims targeting all businesses, even the small ones. Some ‘digital hygiene’ is prudent:

• ‘Bring Your Own Device’ and remote/agile working have the potential to create situations where claims will arise.
• Stay alert for phishing emails and websites – be on the lookout for emails or websites that ask you to click on suspicious links or request sensitive information. Criminals are skilfully crafting communications which can be very difficult to identify as a phishing email or website.
• Test remote working capabilities and policies: this should be part of a regular Business Continuity Plan. Ensure that all staff understand the protocols they must adhere to when working remotely.
• WiFi may be your enemy: public and personal WiFi networks may be compromised in certain circumstances. Delete WiFi credentials from your device as soon as you disconnect and enforce a strong password to your router and, where possible, operate within a VPN.