Insurance policies covering data breach liability began appearing roughly ten years ago. We noted then a troublesome provision in some forms that seemed to exclude coverage for the insured’s failure to maintain data security – in other words, the very risk the insured was seeking to insure. We’ll call it the “Mistake Exclusion.” One AIG form from 2006, for example, excluded coverage arising out of “your failure to take reasonable steps to use, design, maintain and upgrade your security.” A 2009 Darwin form excluded coverage for any claim arising out of “any failure of an Insured to continuously implement the procedures and risk controls identified in the Application for this insurance.” But isn’t liability insurance supposed to do just that – protect against the insured’s mistakes, innocent or negligent? We hoped and expected that as the market for these policies matured, savvy brokers and risk managers would insist that these Mistake Exclusions be removed or substantially narrowed. But that has not happened.
We now have the first case we are aware of by an insurer seeking to enforce a Mistake Exclusion. In Columbia Casualty Company v. Cottage Health Systems, filed May 7, 2015 in the U.S. District Court in Los Angeles, Columbia seeks to enforce an exclusion barring coverage for a data breach claim arising out of any “failure of an Insured to continuously implement the procedures and risk controls identified in the Insured’s application for this Insurance and all related information submitted to the Insurer in conjunction with such application whether orally or in writing.” Columbia’s complaint arises out of a class action suit against Cottage alleging that, for a period of two months in 2013, 32,500 patient records were accessible via the Internet. Cottage had hired a third-party vendor to store Cottage’s records electronically and that vendor mistakenly set the File Transfer Protocol settings to allow public access. Columbia funded Cottage’s defense and settlement, but is suing to recover all of its payments from Cottage.
by John Green
Companies often monitor or record conversations between their employees and customers for training or quality control purposes. California law prohibits monitoring or recording unless both parties consent. Class actions have been brought against a number of companies alleging that calls were routinely recorded without customer consent. These claims may be covered by a company’s general liability (CGL) policy.
CGL policies generally provide coverage for “personal injury” offenses, which are defined to include “oral or written publication of material that violates a person’s right of privacy.” Call recording is prohibited by California’s Invasion of Privacy Act, which was enacted to protect “the right of privacy of the people of this state.” Cal. Penal Code § 630. Thus, call recording claims fall within the Personal Injury coverage for “privacy” claims.
Recently, the California Court of Appeal decided County of Los Angeles Board of Supervisors v. Superior Court, 235 Cal. App. 4th 1154 (2015), a case considering whether the Los Angeles County Sheriff's Department could be required to produce legal defense bills in response to a California Public Records Act request. While not an insurance case, the case could have implications for a common practice in the insurance context: submitting defense bills to the insurer.
The Board of Supervisors court held that attorney billing statements are “confidential communications” within the meaning of California Evidence Code Section 952, and therefore their production could not be compelled. Significantly, the court held that the LA County Sheriff could not be required to simply redact portions of the attorney time descriptions that reflected attorney opinions or advice. Indeed, the court concluded that a communication between attorney and client, arising in the course of representation for which the client sought legal advice, need not include “legal opinion or advice” at all in order to qualify as a privileged communication. Because the bills were, by definition, an attorney-client communication, they were privileged in their entirety.
This new ruling presents a conundrum for California insureds. An insurance company that is footing the bill for the defense of a lawsuit will of course demand to see the bills, and as a practical matter it is unrealistic to expect that the insurer will pay them without being able to review the descriptions. In situations where the insurer is defending without a reservation of rights, the insured's and the insurer's interests are completely aligned and the two are effectively joint clients. But by providing the defense bills to an insurer who has reserved its right to deny coverage – or who has not yet taken a coverage position at all – is the insured waiving privilege? If the plaintiff in the underlying lawsuit demands that the insured produce “all communications with its insurer,” could the insured then be required to produce its legal bills to plaintiff?
On Wednesday June 3, from 12:00 to 1:15 p.m., I’ll be co-presenting "Lawyers in the Cross-Hairs: Recent Trends in Claims Against Attorneys, Related Ethical and Insurance Issues, and Defense Strategies" at the Bar Association of San Francisco (301 Battery Street, Third Floor, San Francisco, CA).
Presenting with me will be John B. Sullivan of Long & Levit, LLP and Matthew S. Kahn of Gibson, Dunn & Crutcher LLP. We will focus on recent trends in claims against lawyers arising out of business transactions, and related defense strategies and insurance coverage issues.
Please see the event flyer for more details:
Lawyers in the Cross-Hairs
We hope you will join us.
Policyholders seeking insurance funds to settle a case often face an insurer’s demand that some amount should be allocated to uncovered claims or parties. The issue arises often under directors and officers liability (D&O) policies, when settlements resolve the liability of covered directors and the uncovered company. But general liability insurers also demand to “allocate” settlements, suggesting, for example, that half of the settlement is uncovered because the complaint alleges both negligent and intentional conduct. Surprisingly, California courts have not clearly addressed the issue outside of the D&O context. How should you respond?
For D&O policies, courts first recognized the “larger settlement rule” in Harbor Ins. Co. v. Cont’l Bank Corp., 922 F.2d 357, 368 (7th Cir. 1990). The question there was how to allocate a settlement between the potential liability of the covered directors and officers, and of the uncovered company. The court held that the insurer is liable for the entire settlement, except for the amount, if any, by which the settlement was made larger because of claims against uninsured parties. In other words, if the same dollars were paid to settle the potential liability of both, those dollars must be allocated to the covered claims against the directors and officers.
The Ninth Circuit affirmed the larger settlement rule in Nordstrom, Inc. v. Chubb & Sons, Inc., 54 F.3d 1424, 1433 (9th Cir. 1995) (Washington law); and Safeway Stores, Inc. v. Nat’l Union Fire Ins. Co., 64 F.3d 1282, 1287 88 (9th Cir. 1995) (California law).
On May 5, the California Supreme Court will hear argument in a case that has the potential to profoundly change the relationship between the insurer, its insured and the insured’s independent defense counsel under Civil Code section 2860. The case is Hartford Casualty Insurance Company v. J.R. Marketing, LLC, Case No. S211645. If Hartford convinces the Supreme Court to reverse the dismissal of its case, independent defense counsel may be exposed to claims for reimbursement of defense costs they’ve been paid by their client’s insurers. This would be a very unfortunate outcome, both for law firms and Section 2860’s independent counsel regime.
In J.R. Marketing, Hartford refused to defend its insureds against several lawsuits. The insureds hired their own defense counsel and sued Hartford for breaching its duty to defend. Hartford then agreed to defend, albeit partially, and continued to insist that certain defense costs were not covered and that it was not required to provide independent counsel under Section 2860. The court ruled that Hartford was wrong on both scores and indicated that, after the underlying litigation concluded, Hartford could seek reimbursement of any defense costs it paid that it believed were solely attributable to uncovered claims or parties. Helpful to insureds, the trial court and Court of Appeal added to a growing line of cases holding that an insurer, after having breached its duty to defend, is not entitled to the billing rate limitations of Section 2860.
After paying $15 million in defense costs through the conclusion of the underlying litigation, Hartford sued for reimbursement. And Hartford took a very unusual step. In addition to suing the insured, Hartford also sued its insured’s defense counsel for reimbursement, alleging a novel quasi-contractual theory. According to Hartford, the law firm that the insured hired (after Hartford initially refused to defend) was unjustly enriched by Hartford’s court-ordered defense cost payments relating to uncovered claims, so the law firm naturally should pay it back.
I will be speaking tomorrow at BASF (301 Battery Street, 3rd Floor, San Francisco) about insurance coverage issues arising out of legal malpractice claims. The presentation is “Don’t Be the Scapegoat for a Failed Investment or Business Strategy.” I will be co-presenting with John B. Sullivan of Long & Levit, LLP and Matthew S. Kahn of Gibson, Dunn & Crutcher LLP. A link to the flyer for the presentation is here. Please join us tomorrow for an engaging discussion about legal malpractice and related insurance coverage issues.
No one insurance policy covers all liability risks. Risk managers expect to purchase several types or layers of insurance to cover different types of insurance liabilities, to provide sufficient limits for a catastrophe loss, or to provide coverage over multiple policy years. They may be surprised to learn however, that what they thought was a comprehensive and seamless program in fact contains glaring but avoidable gaps.
Consider the following:
- A social networking site for minors purchases an insurance policy which contains a “Technology, Media and Professional Services” component defining “Professional Services” as “providing advertising services for others, for a fee.” The same policy also includes a D&O component which excludes coverage for any claim “based upon, arising out of, attributable to, directly or indirectly resulting from, in consequence of, or in any way involving the rendering or failing to render professional services.” “Professional services” is not defined in the D&O component. Consumers complain that the site contains inappropriate content, and the State Attorney General sues the site for false advertising, alleging it misrepresented its efforts to protect minors from inappropriate content. The insurer denies coverage under the Technology, Media, Professional and Services component of the policy because the claim does not relate to the site’s “paid provision of advertising to others,” i.e., the claims do not allege covered “Professional Services” (the defined term). It also denies coverage under the D&O component on the grounds that the “professional services” (the undefined term) exclusion extends to all services involved in operating the website. Surprisingly, the liability does not fall under either policy because the coverage grant in the professional services coverage was not broad enough to pick up the services the court found were excluded under the D&O coverage.
A law firm asked us for advice a few months into a fast-moving intellectual property lawsuit. The complaint alleged trademark and copyright infringement claims against the company and two of its officers. They noted that while the defense was being provided under the D&O policy based on the allegations against the individual officers, plaintiff had only served the company. The judge was now putting pressure on plaintiffs to “clean up the pleadings” and either serve the individuals or dismiss them.
We immediately told defense counsel to call plaintiffs and offer to accept service on behalf of the individuals. Why? Because private company D&O policies provide broad coverage for the individuals, including for intellectual property claims. For these claims, individuals are covered but the company is not. A dismissal of the individuals would give the insurer an excuse to withdraw the defense. Unfortunately, plaintiffs that same day had already filed a dismissal of the individuals without prejudice. As expected, the insurer withdrew its defense over our protests.
CA Court of Appeals Confirms that Insured Need Not Accept 2860 Rate Caps For Work Done After Tender, But Before Insurer Accepts Defense
A recent unpublished decision from California’s Second Appellate Division highlights one of the most common mistakes lawyers make when obtaining insurance coverage for the defense of a lawsuit: accepting the insurer’s ultra-low hourly rate caps for charges incurred before the date on which the insurer actually acknowledged its defense obligation and began defending.
The case is City Arts, Inc. v. Superior Court (Travelers Property Casualty Company of America), B256132 (issued Dec. 9, 2014). There, Travelers agreed that its obligation to defend an underlying lawsuit against City Arts was triggered no later than April 2009. However, Travelers did not actually agree to begin reimbursing defense costs until February 2010. (In the intervening 10 months, Travelers and City Arts exchanged a series of letters arguing about whether Travelers had a duty to defend, before Travelers finally relented in February 2010.) Nevertheless, Travelers claimed that it could impose its hourly rate caps on all charges incurred from April 2009 forward.