Blog on insurance coverage legal issues in the Pacific Northwest of the United States.
About The Northwest Policyholder
Friday, August 21, 2015
Oregon Court Rejects Insurer's "Trained Monkey" Defense
In West Hills Development v. Chartis Claims, Inc. & Oregon Automobile Ins. Co., the "trained monkey" argument played itself out in the context of additional insured coverage. West Hills was the general contractor on a residential development, and was an additional insured of one of its subcontractors, L&T. When West Hills was sued by homeowners, it tendered to the defense to L&T's carrier, Oregon Auto. Oregon Auto refused, and West Hills sued to recover a portion of its defense costs. Oregon Auto argued, among other things, that the homeowners' complaint did not identify L&T as a subcontractor on the project. The complaint alleged that West Hills was liable for not supervising subcontractors generally, but didn't identify any subcontractors by name. Therefore, argued the insurer, how were they supposed to know that the tender from West Hills on the L&T policy was legitimate?
The problem for Oregon Auto was that the tender had been done carefully, by West Hills' counsel, and the tender told Oregon Auto that L&T was the subcontractor responsible for some of the deficiencies alleged in the complaint. But Oregon Auto argued that under Oregon's "eight-corners" rule it wasn't required to investigate whether that statement in the tender letter (which Oregon Auto claimed was mere "argument") was true. Instead it could pull the "trained monkey" routine and blithely deny coverage.
Nonsense, said the Court of Appeals. Relying on the long line of Oregon cases requiring insurers to resolve any ambiguity in favor of coverage (including ambiguity about identification of insureds), and also on Fred Shearer & Sons v. Gemini Insurance, a 2010 decision, the court held that Oregon Auto had a duty to investigate the statement in the tender letter about L&T's role. In the Fred Shearer case the court adopted a limited exception to the "eight corners" rule when the identity of a proposed insured is not clearly alleged in the complaint. The West Hills court applied the logic of Fred Shearer to additional insured coverage.
The West Hills decision addressed several coverage issues; the "trained monkey" defense is only one. However, its most lasting impact may be its clear statement that an insurance company has a duty to investigate facts tending to show that coverage is available, and analyze the allegations in a complaint, not just read the complaint for magic words.
Tuesday, July 28, 2015
Absolute Pollution Exclusions Are Not Absolute
Most absolute pollution exclusions are incorporated into standardized forms and use language originally written by the Insurance Services Office (the "ISO"). The ISO's pollution exclusion, which is widely referred to as the "absolute pollution exclusion," actually expressly creates coverage in certain circumstances. For example, the ISO's exclusion does not apply if contamination results from a "hostile fire" or from a failure of equipment used to heat, cool, or dehumidify a building. While the factual scenarios in which express coverage is created are limited, a policyholder should determine whether any such scenarios apply. Even if only part of the environmental claim falls within the scope of express coverage, the insurer may be required to provide a full defense under Oregon law. While the scenarios where coverage is expressly not excluded are few, it is important to review each such scenario at the outset to ensure that no coverage is missed.
While absolute pollution exclusions often leave an insured without coverage, they are not as ironclad as their name suggests. The policyholder facing an environmental claim should retain coverage experts as soon as possible to determine which policies create coverage, including those policies that include purported absolute pollution exclusions.
Friday, July 24, 2015
Neiman Marcus Data Breach Decision Portends Greater Risk for NW Companies, Need for Cyber Coverage
This decision is only binding in the federal districts within the Seventh Circuit, but as Kevin LaCroix has pointed out in his blog, as a first-in-the-nation decision from an appellate court in this exact scenario, it is likely to be influential. That is even more true for claims brought in the Northwest, for two reasons.
First, the Seventh Circuit cited extensively to a decision from the Northern District of California in the Adobe Systems data breach case, In re Adobe Sys., Inc. Privacy Litig., No. 13–CV–05226–LHK, 2014 WL 4379916 (N.D. Cal. Sept. 4, 2014). (That decision is available here.) The Adobe decision relied on pre-Clapper case law from the Ninth Circuit, and has already been cited twice this year to support a finding of standing in a data breach/data privacy class action, the first brought by Sony employees, and the second by users of the Google Wallet. Those cases had already established the Ninth Circuit (and therefore the Northwest) as a favorable venue for data breach class actions.
Second, the Premera Blue Cross class action complaints involving the massive data breach at that company, and involving claims under Oregon and Washington law, have all been consolidated in the federal court in Oregon, and have been assigned to Judge Michael Simon. Judge Simon, a former Perkins Coie partner, is inclined toward issuing cerebral and thoroughly-reasoned decisions that often have a pro-consumer bent. I would not be surprised to see a lengthy decision from Judge Simon in the near future along the lines of the Seventh Circuit's decision, giving plaintiff's lawyers a road map for obtaining standing in data breach cases and how to properly bring claims under Oregon and Washington law.
What does any of this have to do with insurance? Well, if you are a non-Northwest company with operations in the Northwest looking at cyber insurance, and trying to assess company-wide risk, you cannot rely on decisions from courts in your "home" jurisdiction that have made it hard for these types of claims to go forward. If you are a Northwest business that handles a lot of consumer data, the risk of a class action in the event of a breach just went up a little but. Even if the claims are absolutely meritless, they will get past the motion to dismiss stage, which means that defense costs will be considerable. All of that should be fodder for your next conversation with your insurance and legal advisers about your company's cyber-coverage, and particularly defense cost coverage and limits.
Update: As reported by my colleague Brian Sniffen in our blog IP Law Trends, Neiman Marcus has now requested en banc review of this decision. En banc review is rarely granted.
Certain cases reprinted from WestlawNext with permission of Thomson Reuters. If you wish to check the currency of this case by using KeyCite on WestlawNext, then you may do so by visiting www.next.westlaw.com.
Tuesday, July 14, 2015
Oregon Duty to Defend is Very Broad, as Shown in Two New Cases
In the first case, Portland General Electric v. Liberty Mutual Ins. Co., the issue was whether it was appropriate for the court to read an underlying complaint as implying a fact, even though the complaint did not allege the fact directly. The court said "yes."
Portland General hired a contractor to work on some of its equipment. The contractor was required to add Portland General as an "additional insured" on its liability policy. When one of the contractor's employees was injured on the job, he sued Portland General. (He could not sue his employer, the contractor, because of the workers-compensation exclusive-remedy bar). Portland General demanded that the contractor's insurer, Liberty Mutual, provide it with a defense. Liberty Mutual refused, citing Oregon's anti-indemnity statute. To put it in simple terms, because of the anti-indemnity statute Liberty Mutual could not insure Portland General for Portland General's own negligence. However, Liberty Mutual could provide coverage to the extent that Portland General were being held liable for the contractor's negligence. But the employee's lawsuit didn't say anything about the contractor being negligent, making it appear (at least to Liberty Mutual) that Portland General was being sued only for its own negligence.
However, there were allegations in the complaint that some of the equipment chosen for the job was improper, and that clothing worn by the employee also contributed to the accident. The complaint didn't say who provided the equipment or the clothing. The court found that even though only Portland General was sued, and the complaint never mentioned the contractor, it was reasonable to infer that the contractor could have provided those items, and therefore that the contractor was at least somewhat negligent. Because the complaint did not allege only negligence by Portland General, and alleged by implication some negligence by the contractor, the insurer had a duty to defend.
In the second case, Norgren v. Mutual of Enumclaw, District Court Judge Michael Simon took the unusual step of rejecting the recommendation of a Magistrate Judge (Judge Stacie Beckerman), who had ruled in favor of the insurer. Judge Beckerman held that the insurer had no duty to defend a homeowner against a suit alleging that the homeowner's son assaulted another child, finding that the "intentional acts" exclusion applied to all of the claims against the insured, even to a claim entitled "negligent infliction of emotional distress," because the specific facts alleged all included some element of intent to act. Judge Simon pointed out, however, that the complaint made other allegations that could be interpreted as alleging mere negligence - even though those allegations were conclusory, and more legal contention than statements of fact. Judge Simon therefore found a duty to defend.
These two decisions take the famous phrase from Ledford v. Gutoski that in Oregon "any ambiguity in the complaint... is resolved in favor of coverage" and put it into action. They exemplify the correct approach to Oregon duty to defend questions, which is to scour the complaint for potentially covered claims, rather than generalize about the allegations. In each case the court rigorously analyzed every contention in the complaints, and resolved every ambiguity in favor of a defense obligation. It can only be hoped that these two new rulings will help insurers understand that they take a considerable chance if they deny a defense, and that the better course, whenever there is any doubt, is to comply with their contractual defense obligations.
Wednesday, July 1, 2015
Ninth Circuit Hands Oregon Policyholders a Major Win on"Known Loss"
Kaady, a masonry subcontractor, installed manufactured stone and masonry caps at a condominium project on Mount Hood. After the project was complete Kaady was notified that there were cracks in the stone that he had installed. Later that year Kaady bought a liability policy from Mid-Continent. Kaady was then sued by the condo association, which alleged that his defective work had contributed to water damage to wood sheathing behind the manufactured stone, and to deck posts on which the masonry caps were sitting.
Mid-Continent denied coverage for those damages under its policy’s "known-loss" provision, which stated that the policy “applies to . . . property damage only if . . . no insured . . . knew that the . . . property damage had occurred, in whole or in part.” The policy also excluded coverage for property damage that is a "continuation, change or resumption" of "such [known] property damage." The policy defined "property damage" in part as "physical injury to tangible property."
In the coverage lawsuit suit the insurer advanced two arguments to justify its denial: 1) that prior knowledge of any damage to a structure means that any other damage to the same structure is a "known loss;" and 2) that the damage to the sheathing and posts was a "continuation change or resumption" of the cracking that the insured knew about. The District Court granted summary judgment for Mid-Continent based on the known-loss provision. The Ninth Circuit reversed.
The insurer argued that the policy's references to "property" and "tangible property" included all portions of that "property," and therefore that knowledge of damage to one portion of "the property" could be attributed to all later damage to that property. The appeals court disagreed, pointing out that that interpretation conflicts with the way "property" is used throughout CGL policies. Standard-form policies distinguish between different types of "property" and rely on those distinctions to exclude some kinds of "property" from coverage, such as the insured's own "work" while providing coverage to other kinds of "property." Therefore, to be consistent, the known-loss provision must operate to allow coverage for damage to some "property" even if the insured knew about damage to other "property" within the same structure. Moreover, because the known-loss provision talks about knowledge of "the property damage," any damage different in type than the damage about which the insured had knowledge is not excluded by the policy. In Kaady the damage (deterioration) to the sheathing and deck posts was different in type from the cracking that the insured knew about before buying the policy.
The court also rejected the second argument, holding that Mid-Continent had the burden on summary judgment of proving, through evidence, that the damage to the sheathing and posts was caused by the same cracks that the insured knew about before he bought the policy. The insurer had failed to put on such evidence, and so summary judgment should not have been granted.
In this decision the Ninth Circuit adopted arguments that have been advanced by policyholders for years, but had not been the subject of a published Oregon state court ruling, creating some uncertainty. "Known-loss" disputes come up with some frequency, because Oregon law requires property owners to give notice to contractors of alleged defects and an opportunity to cure, and because "punch-list" provisions in standard construction contracts often require owners to give contractors an opportunity to fix problems that occur soon after construction. This decision will therefore make it difficult for insurers that operate in good faith to deny claims based on "known loss."
Tuesday, June 9, 2015
Montana Case on Late Notice Calls Into Doubt Technical Coverage Defenses
The decision in Atlantic Casualty v. Greytak essentially restores the status quo about the "notice-prejudice rule" in Montana. Under the notice-prejudice rule the insurer must show that its ability to defend the case and prevent a large judgment against the insured was materially harmed by the late notice. The trial court in the Greytak case decided that a 2011 decision from the Montana Supreme court, Steadele v. Colony Insurance had overturned Montana law adopting the rule, making the prompt notice provision in a standard liability policies a "condition of forfeiture," meaning that the insurance company did not need to prove prejudice. On appeal, the Ninth Circuit certified that narrow legal question to the Montana Supreme Court.
In Greytak the insured was sued for negligence leading to property damage. The claimant and the insured entered into an agreement whereby the insured would tender the claim to its liability carrier, and if the insurer did not pick up the defense or file a declaratory judgment action the claimant could enter a stipulated judgment against the insured, but agree to only pursue collection from the insured's insurance. The insured tendered the claim and the carrier did not pick up, whereupon a stipulated judgment was entered in state court. (The facts are disputed about whether the claimant was actually entitled to file the stipulated judgment, because the insurer had filed a declaratory judgment lawsuit before the state-court judgment). The state-court judgment was set aside and the coverage action proceeded.
The Montana court clarified that Steadele did not reverse the law on the "notice-prejudice rule," pointing out that in Steadele the Court had found that the insurer was prejudiced as a matter of law, because the insured had stipulated to a monetary judgment before the insurer was given any notification. In Greytak, by contrast, the parties' agreement allowed the insurer the chance to step in and defend, which it did not do.
The "notice-prejudice rule" is clearly established as the law in Oregon (Lusch v. Aetna), Washington (Canron v. Federal Insurance), and Alaska (Weaver Bros. v. Chappel).
Interestingly, all of the Montana justices agreed about the notice-prejudice rule, but there were two dissenting opinions. The dissents argued that the court should have gone beyond the narrow question certified by the Ninth Circuit to find that the insurer was prejudiced as a matter of law by the insured's and the claimant's conduct. The insurer's briefs on appeal argued strenuously that it had indeed been prejudiced because the insured failed to cooperate with it after it attempted to appoint defense counsel, and because the claimant had filed the state-court judgment in violation of the settlement agreement. The Montana Supreme Court's majority elected not to go beyond the certified question, however, leaving the issue of actual prejudice up to the federal trial court to resolve. In light of what the trial court did below, I would say that things don't look good for the claimant on that score.
Wednesday, May 27, 2015
Lessons From CNA's Suit to Avoid Covering a Hospital Cyber-Breach
(NB: although we wouldn't normally cover California litigation, this filing raises red-hot issues so we decided to make an exception.)
First, because there is so little claims history in the "cyber" world, and because the risks are so high, insurers are requiring applicants to answer lots of questions and go through unusually detailed "self-assessments." That's not a problem if the folks filling out the application thoroughly vet the answers with IT, legal, and the contracts department. But any breakdown in communication among those players can result in coverage problems.
Second, because of the evolving nature of cyber risks (and because it is the nature of their approach to the business) insurance companies frequently use vague wording in application materials and in their policies. Vague language allows the insurer to argue after the fact a particular meaning that favors them. We can see that in action in this case, in the question asking whether Cottage did a yearly re-assessment of risks and "enhanced" its "risk controls in response to changes." What does that mean? Does that mean that if there is an increase in "spear-phishing" attacks the company must eliminate the use of email? Or is it good enough to adopt published "best practices" - a rule of reasonableness? Those are the kind of questions that may be litigated in this case - questions that could have been avoided if the insurer had not been able to get away with vague language that it could later use to its advantage.
Third, vendors. Vendors, the cause of so many data security problems, create substantial problems when it comes to insurance. What is a reasonable security precaution to a hospital may seem like overkill to an outsourced IT or cloud provider, or the reverse may be true, and there is often no practical way to monitor changes that a vendor makes in its security practices. That makes it very difficult to accurately answer a question about whether a vendor uses the same security standards as the insurance applicant. It is also particularly difficult to ensure, as the CNA application asked, that every vendor "maintain[s] enough insurance to cover their liability arising from a breach of privacy or confidentiality" when there are no standardized forms for cyber coverage that can be required in the vendor contract, and where the risks to the vendor may be dramatically different than those of the customer.
In this case it appears that CNA is trying to avoid coverage using Cottage's "warranty" to comply with vaguely-worded promises that Cottage made about its security practices in a case where negligent oversight of a vendor caused an accidental data breach. That is, of course, exactly why a business buys liability insurance - to cover an accident caused through negligence. The fact that CNA is relying on vague language against its customer, Cottage, rather than giving Cottage the benefit of the doubt, demonstrates that this insurer, at least, is willing to use the kind of sharp-elbow tactics to limit its loss payments that we see with other kinds of coverage. In other words, cyber coverage is not going to be treated differently by the insurance industry and its lawyers.
To try to avoid this kind of situation, businesses would be well advised to treat cyber coverage applications very carefully, to try to negotiate "warranty" language that is less onerous and open-ended, and to exercise increased oversight of vendor contracts and compliance with contract terms, including actually reviewing the vendor's insurance policies and security practices. Taking those steps will not of course eliminate coverage disputes of this sort, but in this area, every step is an important one.
Tuesday, May 26, 2015
Premera Data-Breach Class Action Claims Illustrate Cyber Coverage Issues
Thursday, April 30, 2015
Oregon District Court Provides Clarification on Environmental Coverage Issues
Burden of Proving Reasonableness and Necessity
The issue of which party has the burden of proving, or disproving, that incurred defense costs were reasonable and necessary was addressed in Ash Grove Cement Co. v. Liberty Mut. Ins. Co. In that case, Judge Hernandez endorsed California's rule by holding that when" the insurer has breached its duty to defend, it is the insured that must carry the burden of proof on the existence and amount of the site investigation expenses, which are then presumed to be reasonable and necessary as defense costs, and it is the insurer that must carry the burden of proof that they are in fact unreasonable or unnecessary." Under the clear language of the Ash Grove opinion, a breaching insurer must prove the defense costs to be unreasonable and unnecessary, after the insured proves their existence and amount. Despite holding that this burden-shifting rule applies, Judge Hernandez's application of the rule was unclear, and several breaching insurers have questioned whether they do indeed have the burden of proving defense costs to be unreasonable and not necessary.
This question arose in Marine Group through a complicated motion to compel in which the relevancy of various documents was in question. In ruling on relevancy, Judge Acosta found that it was necessary to establish who has the burden on the issues of reasonableness and necessity. Judge Acosta endorsed the position taken by Judge Hernandez: that when a carrier has breached its duty to defend, the burden of proving the reasonableness and necessity of the fees shifts from the insured to the insurer. Thus, the insured's fees are presumed to be reasonable and necessary when an insurer has improperly breached its duty to defend. This is a win for policyholders, and should make it easier for insureds to recover fees when insurers have wrongfully refused to participate in a defense.
Another wrinkle in the Marine Group litigation is the presence of a paying insurer, Argonaut. Since early on in the defense, Argonaut has paid Marine Group's defense costs. Thus, most of the damages being sought are through a contribution action between insurers, and not a direct coverage claim. Marine Group, along with Argonaut, made the argument that since the claim is primarily a contribution action between insurers, the reasonableness and necessity of the fees was not at issue, but instead the issue is whether Argonaut acted as a reasonable insurer. Similarly, both parties made arguments under ORS 465.480(4)(d) that the common law of contribution was preempted and that the breaching insurers should be prohibited from questioning the defense costs incurred. Judge Acosta rejected this line of reasoning in holding that St. Paul could question the defense costs, but that it bore the burden of proving the fees to be unreasonable and not necessary.
Most states follow the rule that pre-tender defense costs cannot be recovered by an insurer; this underlines the importance of identifying, and tendering to, insurers at the earliest point of any litigation. Marine Group attempted to escape the strict application of the pre-tender rule by invoking the notice-prejudice rule, which does not allow an insurer to deny defense costs because of delayed notice, unless it can show that the delay caused prejudice to the insurer. Judge Acosta found the notice-prejudice rule to be inapplicable because the duty to defend did not arise until the tender occurred. Thus the court held that the notice-prejudice rule does not apply to pre-tender defense costs, because it applies only to covered claims.
Ultimately, Judge Acosta ruled that under Oregon law, pre-tender defense costs are not recoverable. This presents a particularly difficult situation for companies facing historic environmental liabilities. Typically, the only policies that cover historic pollution events were written before 1986. Many companies do not have readily available copies of these insurance contracts. Indeed, historic insurance archaeologists must often be retained to identify these policies. Judge Acosta's decision reinforces the rule that defense costs incurred while a party is looking for its insurance coverage are not recoverable, even to the extent that the delay does not meaningfully prejudice the insurers.
Monday, April 27, 2015
Cert Grant in FCRA Case Could Impact Cyber Coverage
In Robins, the plaintiff claimed to have been harmed when Spokeo, an online directory that aggregates publicly-available personal information, published inaccurate information about him on the site. The plaintiff contended that in doing so Spokeo violated the Fair Credit Reporting Act (FCRA), but he could not prove specific damages tied to the inaccurate information. Instead, he claimed entitlement under the FCRA to "statutory damages" (typically set at $1,000 per violation). Robins sued on behalf of a class of people -- allegedly numbering in the thousands -- who were similarly aggrieved by Spokeo's failure to report accurate information. The trial court dismissed the suit based on the constitutional requirements that a plaintiff demonstrate "standing" based on "actual or imminent harm." The Ninth Circuit, however, reversed, reasoning that Congress could create a statutory right and in essence create standing by providing a private right of action for violation of that right. The Supreme Court has agreed to decide whether that view of Congress' power is correct.
What does this have to do with cyber-insurance? Plenty. For one thing, the decision may undermine state laws that have fueled the market for robust first-party cyber coverage. Many consumer advocates believe that data-breach notification laws will be ineffective at forcing businesses to "fess up" when a breach happens unless the breach law contains a private right of action with a small statutory damages component, modeled on FCRA. Washington's data-breach law, recently amended, is just such a law. The spread of such laws has driven the market for cyber policies that will cover not just the cost of notifications but also for liability protection relating to breach notification. And just as many predict that legislation working its way through Congress allowing companies to confidentially share data on cyber breaches may eventually bring rates down, state legislation has had an impact on premiums that may be blunted by the Court's decision in Robins.
Beyond breach-notification laws, the way that the Supreme Court approaches the "actual or imminent harm" question could impact how courts handle data breach consumer lawsuits that do not rely on any federal statute but instead are based on common-law grounds, such as negligence or fiduciary duty. Some courts have dismissed consumer lawsuits that fail to allege specific harm arising from a breach, while other courts have allowed those suits to proceed at least into the discovery phase. The Supreme Court might take this opportunity to address "standing" more generally, leading to fewer consumer class actions, which could further result in lower premiums for cyber coverage.
Wednesday, April 22, 2015
Data Breaches at Franchisees Raise Cyber Insurance Issues
Monday, April 13, 2015
Oregon Supreme Court Accepts Review of Two Important Insurance Disputes
The first case is a mandamus ruling - the court decided to accept for review a trial court's ruling in Liberty Surplus Insurance v. Seabold Construction on a hot evidence issue important to bad-faith coverage litigation. In Seabold the company and its liability insurer are locked in a dispute over Liberty's handling of Seabold's defense in a construction-defect matter; Seabold contends that Liberty acted in bad faith in connection with settlement of the dispute. During the critical time period -- while settlement negotiations were going on in the underlying case -- Liberty was acting through coverage counsel, which is commonplace in such situations. Once the coverage litigation got underway, however, Seabold demanded to see the communications with and work done by the insurer's "coverage counsel" on the theory that at least part of the time the attorney was acting as a claims adjuster. Under the reasoning of Cedell v. Farmers, a Washington case (and its progeny, discussed in this blog post from 2013), Seabold argued -- successfully -- that there was no absolute attorney-client privilege when "coverage counsel" is performing some of the business functions of a liability carrier. The trial court ordered Liberty Mutual to produce counsel's communications (initially directly to Seabold, amended to production for review by the court), and Liberty Mutual sought a writ of mandamus -- essentially, appellate review in the middle of a case -- to block enforcement of the trial court's order.
The issue that the court has identified for resolution is whether attorney-client privilege applies despite counsel's involvement in "investigating and adjusting" the claim. This is the issue that Cedell and other courts outside of Oregon have decided in favor of policyholders, and one would think that this court would go the same way. However, in the Crimson Trace discovery dispute (which did not involve insurance) the court proved itself very protective of the attorney-client privilege in an institutional context, so "all bets are off," as they say.
The second case accepted for review (back on March 31) is the 2014 Fountaincourt Homeowners Ass'n v. Fountaincourt Development decision from the Court of Appeals. In that decision the Court of Appeals confirmed that a claimant who obtains a judgment against an insured after trial may pursue that insured's insurance assets in a garnishment proceeding as a judgment creditor, and that during resolution of the garnishment the insurer has the burden of proving that the judgment was not covered where there is prima facie evidence that at least some of the jury's award was for covered damages. That decision was very beneficial for claimants concerned about being able to collect on a judgment.
The Supreme Court's statement of the issues on review is rather breathtaking, and will ensure that the case is closely watched. Rather than try to summarize, set out below are the issues on review from the court's statement:
(1) If a general verdict is returned against an insured entity in a mixed coverage case (i.e., one involving some damage that is payable by an insurer and some damage that is not), and the insurer defended under a reservation of rights, can the insured establish coverage for the awarded damages based on the general verdict? (2) Does defective work by an insured contractor constitute "property damage" if that term is defined as "[p]hysical injury to tangible property"? (3) Can an insured establish a prima facie case for insurance coverage with evidence showing only the possibility that a judgment is for damages within the insuring agreement of a liability policy? (4) If a liability insurer's policy is garnished by a judgment creditor and a disputed question of fact must be resolved to determine if the insurer is obligated to pay the judgment, is the insurer entitled to a jury trial in the garnishment proceeding?
What is surprising here is the Court's indication that it will take up some questions that many had thought were largely settled and were not the most controversial of the Court of Appeals' decisions. One can hope that the Court's indication that it will review those questions is only intended to settle any doubt. However because so much is at stake if the Court has decided to revisit those issues, this case promises to attract a lot of attention and amicus participants, and its resolution could shape (or re-shape) Oregon coverage law for a long time.
Tuesday, April 7, 2015
Likely Changes to Oregon Data Breach Law Should Prompt Review of Cyber Coverage
This excellent post by my colleague Brian Sniffen in our firm's IP Law Trends blog reports on the efforts by Oregon's attorney to strengthen the state's data breach notification laws. The proposed amendments to the Oregon Consumer Identity Theft Protection Act (ORS 646A.602 et seq.) are part of Senate Bill 601, which is making its way through the legislature right now. You can follow the bill's progress here).
As Brian reports, among the proposed changes are a lowering of the threshold for notification to the Attorney General to 100 records; expansion of the definition of confidential data to include medical and biometric information; and giving enforcement power to the Attorney General under the Unfair Trade Practices Act.
As we observed last week in our post about the insurance implications of Washington's effort to toughen its data-breach notification laws, these proposed Oregon changes should prompt every business -- whether it handles loads of consumer data or not -- to review its cyber insurance coverage to get a comfort level with any sub-limits relating to notification costs, and liability coverage for regulatory claims. Of course, both state-level efforts could be upended if the President's proposed data-breach bill becomes federal law, because the federal law will likely trump all state laws. All the more reason to review your cyber coverage with an insurance professional today.
Update April 22: The Oregon bill has received a "do pass" recommendation, with some amendments, from the Senate Judiciary Committee, and is awaiting transfer to the floor for passage.
Monday, April 6, 2015
Why You Need More Than Just a Certificate of Insurance
Friday, April 3, 2015
Did the Ore Sup Ct Abolish Common Law Indemnity for Defense Costs?
On March 19, 2015 the Oregon Supreme Court issued a somewhat surprising decision in Eclectic Investment v. Patterson & Jackson County et al., in which the court appears to have changed some fundamental assumptions about whether one defendant can recover defense costs from another defendant. In Eclectic a landowner sued a contractor that had done excavating work for him and the county that inspected and permitted the excavation, after the excavated hillside eroded and damaged commercial buildings on owner's property. A jury found that the landowner was more than 50% at fault, meaning that under Oregon's comparative fault law neither the county nor the contractor had to pay any damages (both the county and the contractor were found to be slightly at fault). The county had asserted a common-law indemnity claim against the contractor, and after the trial pursued that claim to recover its defense costs.
Common-law indemnity is an equitable theory used when there is no contractual relationship between the parties or the contract does not contain an indemnity provision. Under one formulation of the legal standard for the claim, Defendant A will owe Defendant B indemnity if Defendant A's negligence was "active" or "primary" while Defendant B's negligence was "passive" or "secondary." Another way of phrasing the test is whether in fairness, Defendant A "should" pay for Defendant B's costs in the suit.
The issue before the Oregon Supreme Court in Eclectic Investment was how to determine if the county was entitled to indemnity, since neither the county nor the contractor were liable for damages, and each was found to have played a minor role in the incident. The court recounted the rather vague legal tests that Oregon courts had developed over the years to determine whether in equity one party owes another indemnity (see above). The court observed, however, that Oregon law changed after common-law indemnity was adopted, replacing the older "joint liability" regime with the current comparative-fault regime in which each defendant is assessed only its percentage share of any damages by the jury using a questionnaire. Therefore, according to the court, the rationale for common-law indemnity has disappeared, because under the new scheme one party will never be made to pay damages that were in fact attributable to the "active" fault of another party.
The problem, of course, is that the defense costs incurred by the defendants are not part of the jury's consideration. (In reality, those costs can only be determined once the litigation is done.) But the court made it clear, in a final footnote, that where the comparative fault rules apply, common-law indemnity cannot be used as the theory on which to recover even defense costs. The court stated that it would countenance recovery of defense costs on some other theory, citing cases from other states that allowed such claims under a quasi-contract theory - but that such claims could only lie where the indemnitee incurred defense costs only because of the indemnitor's negligence. Applying that concept to the facts of the case, the court stated that because plaintiff had sued the county and the contractor, it was clear that the county's involvement in the litigation was not solely because of the contractor's negligence, so the county would have been out of luck in recovering defense costs under an alternative theory.
The court's decision will change some of the leverage points in multi-defendant litigation where not all players have contractual indemnity claims. It also emphasizes the importance of having Oregon courts enforce insurance contracts providing a paid-for defense. If defendants cannot rely on common-law indemnity to recover defense costs when they are dragged into lawsuits in which they play a minor part, it is critical that insurers understand and heed their contractual obligation to cover those defense costs.
Tuesday, March 17, 2015
Washington Policyholders, Check Your Cyber Policy as Data BreachNotification Law Moves Forward
What does this mean from an insurance standpoint? Cyber insurance policies typically provide "first-party" coverage for the costs of data breach notification, but often contain very low sub-limits on that coverage. In a state like Washington with a weak data breach notification law a business could in theory get away with a low sub-limit because only in a rare set circumstances would broad-based notification be required. That will no longer be the case and so those sub-limits, and any other restrictions placed on notification coverage, need to be re-examined. And of course if your business lacks cyber coverage entirely, it is time to explore your options. The most recent data on the cost of data breaches indicates that the cost of notification is the fourth-biggest category of impact from a data breach (after lost reputation; lost time/productivity; cost of new technology). By comparison the cost of regulatory fines and lawsuits was tenth in the ranking of impacts on businesses experiencing a breach. The conventional wisdom is that a business should expect to spend at least $188 per record on notification and similar first-party response-related costs. With the number of records routinely stored by businesses, particularly those in the online retail or cloud computing sector, it is easy to see why low sub-limits could be a huge problem if a breach occurs. So check your policies, and call your insurance advisers, to get ahead of these changes in the law in Washington.
Update April 22: The bill has passed and is now awaiting signature by the Governor.
Wednesday, March 11, 2015
Cyber Coverage No Longer a Novelty But Many Concerns Remain
One particularly useful panel took a deep dive into problematic policy language and the limitations of the products currently offered. This is critically important because although cyber coverage is no longer new, the language of the policies is not yet standardized. A few of the many things to look out for are:
- long "waiting periods" for business interruption coverage. Business interruption coverage is "time loss" cover in that the loss amount is calculated (generally speaking) as average sales per hour multiplied by the number of hours of downtime due the covered event. However, some chunk of time (the "waiting period") is routinely excluded as a kind of deductible. Some cyber insurers default to a 24 hour waiting period (an eternity for an many businesses and particularly online retailers) putting the burden on the policyholder to ask for a more reasonable period. According to the panel (and my own experience has shown this to be true) carriers will agree to 12 hours or less - sometimes 8 hours. If your business relies on closing sales around the clock, cutting down the waiting period could mean hundreds of thousands of dollars more in business interruption coverage.
- liability coverage limited to liability for the insured's own wrongful acts. Because so much electronic data is now routinely hosted, handled or safeguarded in some manner by vendors, any kind of strict limitation with regard to who made the "oops" may result in no coverage, even though the insured may be held liable as the owner of the data. The panel discussed several recent data breach incidents in which the error that allowed confidential data to be stolen was committed by one entity, but liability was imposed on another entity (e.g. the Target hack, where intruders gained access through a "phishing" scam on Target's HVAC contractor). Companies need to pay careful attention to the language of their policies and candidly assess their risks associated with vendors and consultants, particularly in the retail and healthcare sectors.
- coverage for fines and penalties. The number of regulatory bodies (state and federal) that are being given authority to issues fines and penalties for data breach violations is growing at a fast clip. Some policies strictly exclude coverage for any kind of fine or penalty, while some do not. Policyholders should examine their current coverage and evaluate whether their current and future coverage needs are being met, depending on the regulatory environment in which they operate.
The upside of the fact that cyber coverage is still issued largely on a "manuscript" basis (that is, without relying on industry-wide forms) is that insurers are sometimes willing to negotiate on policy language even for relatively small accounts, and oftentimes mid-period if circumstances have changed. Careful attention to evolving risks from "cyber" events combined with close examination of your policy language can lead to productive conversations with your broker and carrier and needn't wait until renewal.
* Update: This morning Apple is experiencing a major outage in its iTunes store, among other services. Some are estimating that the six-hour outage has cost Apple $7 million - now that's a serious cyber-business interruption loss (if covered).
Wednesday, January 14, 2015
WA Fed Court: "Spin, Massage, Speculation and Sophistry" Do Not Create Duty to Defend
Monday, January 5, 2015
Ore. Appeals Court Important Holding on Construction Indemnity Agreements
Here is a bit of background: a new addition to the church suffered from many problems, involving the work of several subcontractors (including one called "B&B"), as well as the general contractor, Andersen. Andersen's form subcontract included a broad indemnity provision requiring all subcontractors to defend Andersen if suit was brought on the project. Therefore, Andersen tendered the suit to its subcontractors. B&B refused the tender. Andersen settled with the owner, and assigned to the owner its claims against B&B for breach of the duty to defend. The owner moved for summary judgment on the duty to defend, and prevailed. However, the trial court awarded the church (as Andersen's assignee) no damages, because the church could not prove how much time Andersen's lawyers had spent dealing with the claims involving B&B's alleged negligence, as opposed to its own negligence or the negligence of other subcontractors. The trial court relied on Oregon's anti-indemnity statute (ORS 30.140) -- which only applies to construction contracts -- as the basis for putting the burden on the church /Andersen to allocate the defense costs. (I analyzed the trial court's ruling in more detail in an article for the June 2013 newsletter of the OSB Construction Law Section, available here,)
The church appealed, arguing that the statute did not require that kind of allocation for various reasons, including that the standard applied in the insurance "duty to defend" context should apply to the duty to defend in a contractual indemnity provision. As a matter of insurance law, an insurer has a duty to defend all claims -- even claims that are not potentially covered -- if any one claim in a suit triggers the duty to defend. The insurer may not allocate its defense costs based on covered versus uncovered claims. The Court of Appeals rejected that argument as to ORS 30.140 (and all of the church's other arguments) based on the court's analysis of the legislative history. However, the Court of Appeals did not reach many of the practical issues presented by the case, finding them moot because of the church's failure to even try to meet the burden of proof articulated by the trial court. (See the Construction Law Section newsletter article mentioned above for an explanation of those issues). The case was sent back to the trial court for additional proceedings including (potentially) an award to B&B of its attorney fees, since the Court of Appeals reversed the trial court as to who was the prevailing party.
The general take away is this: if a general contractor (or the GC's insurer) wants to recover its defense costs from a subcontractor that refuses to pick up the defense, it must require its law firm to write time descriptions in such a way that a court can later determine how much time was spent on the negligence of each subcontractor. Of interest to readers of this blog, that requirement will likely lead to all kinds of issues between GC's and their insurers about management of the defense, and also may complicate additional insured claims on subcontractors, involving coverage counsel for the subcontractors. Happy New Year!