About The Northwest Policyholder

A Miller Nash Graham & Dunn blog, created and edited by Seth H. Row, an insurance lawyer exclusively representing the interests of businesses and individuals in disputes with insurance companies in Oregon, Washington, and across the Northwest. Please see the disclaimer below.

Friday, August 21, 2015

Oregon Court Rejects Insurer's "Trained Monkey" Defense

In order to avoid providing a defense to an insured, insurance companies often argue that the complaint or demand does not clearly allege covered damage.  I call this the "trained monkey" defense - essentially, the insurance company's position is that it is only required to do what a trained monkey might do, which is read the words printed on the page.  No analysis, no thinking, no investigation.  Oregon's courts have rejected this type of argument time and again, but insurance companies persist, because of the lack of downside risk to denying a defense under Oregon law.  A new decision from the Court of Appeals may help convince insurers that the "trained monkey" defense will simply not work.

In West Hills Development v. Chartis Claims, Inc. & Oregon Automobile Ins. Co., the "trained monkey" argument played itself out in the context of additional insured coverage.  West Hills was the general contractor on a residential development, and was an additional insured of one of its subcontractors, L&T.  When West Hills was sued by homeowners, it tendered the defense to L&T's carrier, Oregon Auto.  Oregon Auto refused, and West Hills sued to recover a portion of its defense costs.  Oregon Auto argued, among other things, that the homeowners' complaint did not identify L&T as a subcontractor on the project.  The complaint alleged that West Hills was liable for not supervising subcontractors generally, but didn't identify any subcontractors by name.  Therefore, argued the insurer, how were they supposed to know that the tender from West Hills on the L&T policy was legitimate?

The problem for Oregon Auto was that the tender had been done carefully, by West Hills' counsel, and the tender told Oregon Auto that L&T was the subcontractor responsible for some of the deficiencies alleged in the complaint.  But Oregon Auto argued that under Oregon's "eight-corners" rule it wasn't required to investigate whether that statement in the tender letter (which Oregon Auto claimed was mere "argument") was true.  Instead it could pull the "trained monkey" routine and blithely deny coverage.

Nonsense, said the Court of Appeals.  Relying on the long line of Oregon cases requiring insurers to resolve any ambiguity in favor of coverage (including ambiguity about identification of insureds), and also on Fred Shearer & Sons v. Gemini Insurance, a 2010 decision, the court held that Oregon Auto had a duty to investigate the statement in the tender letter about L&T's role.  In the Fred Shearer case the court adopted a limited exception to the "eight corners" rule when the identity of a proposed insured is not clearly alleged in the complaint.  The West Hills court applied the logic of Fred Shearer to additional insured coverage.

The West Hills decision addressed several coverage issues; the "trained monkey" defense is only one.  However, its most lasting impact may be its clear statement that an insurance company has a duty to investigate facts tending to show that coverage is available, and analyze the allegations in a complaint, not just read the complaint for magic words.

Tuesday, July 28, 2015

Absolute Pollution Exclusions Are Not Absolute

Insurance is a crucial source of funding for most environmental cleanups. For the past 30 years, comprehensive general liability insurance policies have uniformly included an "absolute pollution exclusion" in some form or another. The earliest such exclusions appeared in the 1950's, but they became ubiquitous boilerplate in the mid-1980s. As a result, most applicable environmental coverage is found in policies pre-1985, and many policyholders incorrectly assume that their post-1985 policies provide no such coverage. This assumption stems from a string of court decisions finding that absolute pollution exclusions eliminate coverage for traditional industrial pollution under Oregon law. Martin v. State Farm Fire & Cas. Co., 146 Or. App. 270, 275-80, 932 P.2d 1207 (1997); Ind. Lumbermens Mut. Ins. Co. v. W. Or. Wood Prod., Inc., 268 F.3d 639 (9th Cir. 2001). While absolute pollution exclusions are broad, and often do exclude pollution from traditional sources, they do not eliminate all coverage for environmental claims, and policyholders should thoroughly review each of their policies to determine whether coverage exists.

Most absolute pollution exclusions are incorporated into standardized forms and use language originally written by the Insurance Services Office (the "ISO"). The ISO's pollution exclusion, which is widely referred to as the "absolute pollution exclusion," actually expressly creates coverage in certain circumstances. For example, the ISO's exclusion does not apply if contamination results from a "hostile fire" or from a failure of equipment used to heat, cool, or dehumidify a building. While the factual scenarios in which express coverage is created are limited, a policyholder should determine whether any such scenarios apply. Even if only part of the environmental claim falls within the scope of express coverage, the insurer may be required to provide a full defense under Oregon law. While the scenarios where coverage is expressly not excluded are few, it is important to review each such scenario at the outset to ensure that no coverage is missed.

Another important analysis is whether the environmental claim involves a pollutant as defined by the policy. If the contamination does not result from the release of a "pollutant," the exclusion typically will not bar coverage. The ISO exclusion includes a very broad definition of what constitutes a pollutant. While many courts have given the term "pollutant" a very broad interpretation, other courts have interpreted "pollutant" to include only traditional or inherently dangerous contaminants. MacKinnon v. Truck Ins. Exch., 31 Cal. 4th 635, 73 P.3d 1205, 3 Cal Rptr. 3d 228 (2003); In re Hub Recycling, Inc., 106 B.R. 372 (D.N.J. 1989). Determining whether a released substance is a pollutant often requires a review of how the substance was used and how it has impacted the property. While many courts have addressed whether commonly applied products, such as pesticides, can be considered pollutants, many of these questions remain unanswered under Oregon law. If contamination has resulted from something other than the accidental release of a regulated substance, a policyholder may have coverage despite the inclusion of an absolute pollution exclusion by showing that the substance is not a "pollutant."

Policyholders also need to be on the lookout for policies that include purported absolute pollution exclusions that do not utilize standardized ISO language. While most policies include standardized ISO exclusions, some insurers have used individualized exclusions that apply less broadly. For example, some of the early insurer-specific absolute pollution exclusions apply only to releases into waterbodies or to claims brought by government authorities. In these cases, coverage remains in place for releases onto land or claims brought by corporations. Insurer-specific absolute pollution exclusions are most commonly found in policies from the 1980s, but a policyholder may run into them at any time.

While absolute pollution exclusions often leave an insured without coverage, they are not as ironclad as their name suggests. The policyholder facing an environmental claim should retain coverage experts as soon as possible to determine which policies create coverage, including those policies that include purported absolute pollution exclusions.

           

Friday, July 24, 2015

Neiman Marcus Data Breach Decision Portends Greater Risk for NW Companies, Need for Cyber Coverage

Earlier this week the Seventh Circuit Court of Appeals, in Illinois, issued a momentous decision for those of us who keep tabs on data breach litigation nationwide.  The decision in Remijas v. Neiman Marcus reinstated class action claims by thousands of shoppers who had their credit card data stolen.  Reversing a trend in the case law driven by a 2013 Supreme Court decision (the Clapper decision), the Seventh Circuit held in effect that even if some class members had not yet experienced a loss of money due to their personal information being stolen, they still had standing to pursue claims for compensation, including for the time and aggravation of having to obtain replacement credit cards, put in place credit monitoring, and take other steps to protect themselves.  It did not matter, said the court, that all of the consumers who had experienced fraudulent charges on their cards had been reimbursed by their banks, that Neiman Marcus had agreed to pay for credit monitoring, or that the consumers could not conclusively rule out that their credit card account information had been stolen in a different hack (e.g. Target).

This decision is only binding in the federal districts within the Seventh Circuit, but as Kevin LaCroix has pointed out in his blog, as a first-in-the-nation decision from an appellate court in this exact scenario, it is likely to be influential.  That is even more true for claims brought in the Northwest, for two reasons.

First, the Seventh Circuit cited extensively to a decision from the Northern District of California in the Adobe Systems data breach case, In re Adobe Sys., Inc. Privacy Litig., No. 13–CV–05226–LHK, 2014 WL 4379916 (N.D. Cal. Sept. 4, 2014).  (That decision is available here.)  The Adobe decision relied on pre-Clapper case law from the Ninth Circuit, and has already been cited twice this year to support a finding of standing in a data breach/data privacy class action, the first brought by Sony employees, and the second by users of the Google Wallet.  Those cases had already established the Ninth Circuit (and therefore the Northwest) as a favorable venue for data breach class actions.

Second, the Premera Blue Cross class action complaints involving the massive data breach at that company, and involving claims under Oregon and Washington law, have all been consolidated in the federal court in Oregon, and have been assigned to Judge Michael Simon.  Judge Simon, a former Perkins Coie partner, is inclined toward issuing cerebral and thoroughly-reasoned decisions that often have a pro-consumer bent.  I would not be surprised to see a lengthy decision from Judge Simon in the near future along the lines of the Seventh Circuit's decision, giving plaintiff's lawyers a road map for obtaining standing in data breach cases and how to properly bring claims under Oregon and Washington law.

What does any of this have to do with insurance?  Well, if you are a non-Northwest company with operations in the Northwest looking at cyber insurance, and trying to assess company-wide risk, you cannot rely on decisions from courts in your "home" jurisdiction that have made it hard for these types of claims to go forward.  If you are a Northwest business that handles a lot of consumer data, the risk of a class action in the event of a breach just went up a little bit.  Even if the claims are absolutely meritless, they will get past the motion to dismiss stage, which means that defense costs will be considerable.  All of that should be fodder for your next conversation with your insurance and legal advisers about your company's cyber-coverage, and particularly defense cost coverage and limits.

Update: As reported by my colleague Brian Sniffen in our blog IP Law Trends, Neiman Marcus has now requested en banc review of this decision.  En banc review is rarely granted.

Certain cases reprinted from WestlawNext with permission of Thomson Reuters.  If you wish to check the currency of this case by using KeyCite on WestlawNext, then you may do so by visiting www.next.westlaw.com.

Tuesday, July 14, 2015

Oregon Duty to Defend is Very Broad, as Shown in Two New Cases

Two new decisions from federal courts in Oregon demonstrate just how broad an insurance company's contractual duty to defend its insured truly is.  These decisions should be helpful to policyholders in fighting back against denials of coverage.  Wrongful denials of defense are unfortunately common in Oregon, due to the absence of a meaningful bad faith remedy for most breaches of the duty to defend.  But cases like these demonstrate that if an insured goes to court, more often than not the insured will win.  That may dissuade some insurers from making the wrong decision when it comes to defending.

In the first case, Portland General Electric v. Liberty Mutual Ins. Co., the issue was whether it was appropriate for the court to read an underlying complaint as implying a fact, even though the complaint did not allege the fact directly.  The court said "yes."

Portland General hired a contractor to work on some of its equipment.  The contractor was required to add Portland General as an "additional insured" on its liability policy.  When one of the contractor's employees was injured on the job, he sued Portland General.  (He could not sue his employer, the contractor, because of the workers-compensation exclusive-remedy bar).  Portland General demanded that the contractor's insurer, Liberty Mutual, provide it with a defense.  Liberty Mutual refused, citing Oregon's anti-indemnity statute.  To put it in simple terms, because of the anti-indemnity statute Liberty Mutual could not insure Portland General for Portland General's own negligence.  However, Liberty Mutual could provide coverage to the extent that Portland General were being held liable for the contractor's negligence.  But the employee's lawsuit didn't say anything about the contractor being negligent, making it appear (at least to Liberty Mutual) that Portland General was being sued only for its own negligence.

However, there were allegations in the complaint that some of the equipment chosen for the job was improper, and that clothing worn by the employee also contributed to the accident.  The complaint didn't say who provided the equipment or the clothing.  The court found that even though only Portland General was sued, and the complaint never mentioned the contractor, it was reasonable to infer that the contractor could have provided those items, and therefore that the contractor was at least somewhat negligent.  Because the complaint did not allege only negligence by Portland General, and alleged by implication some negligence by the contractor, the insurer had a duty to defend.

In the second case, Norgren v. Mutual of Enumclaw, District Court Judge Michael Simon took the unusual step of rejecting the recommendation of a Magistrate Judge (Judge Stacie Beckerman), who had ruled in favor of the insurer.  Judge Beckerman held that the insurer had no duty to defend a homeowner against a suit alleging that the homeowner's son assaulted another child, finding that the "intentional acts" exclusion applied to all of the claims against the insured, even to a claim entitled "negligent infliction of emotional distress," because the specific facts alleged all included some element of intent to act.  Judge Simon pointed out, however, that the complaint made other allegations that could be interpreted as alleging mere negligence - even though those allegations were conclusory, and more legal contention than statements of fact.  Judge Simon therefore found a duty to defend.

These two decisions take the famous phrase from Ledford v. Gutoski that in Oregon "any ambiguity in the complaint... is resolved in favor of coverage" and put it into action.  They exemplify the correct approach to Oregon duty to defend questions, which is to scour the complaint for potentially covered claims, rather than generalize about the allegations.  In each case the court rigorously analyzed every contention in the complaints, and resolved every ambiguity in favor of a defense obligation.  It can only be hoped that these two new rulings will help insurers understand that they take a considerable chance if they deny a defense, and that the better course, whenever there is any doubt, is to comply with their contractual defense obligations.

Wednesday, July 1, 2015

Ninth Circuit Hands Oregon Policyholders a Major Win on "Known Loss"

In a June 25, 2015, to-be-published decision in Kaady v. Mid-Continent Casualty Co. the Ninth Circuit adopted a decidedly pro-policyholder interpretation of the oft-contested "known loss" provision that is standard in commercial general liability (CGL) policies, holding that an insured's knowledge of damage to one part of a structure does not allow an insurer to deny coverage for  damage to other parts of the same structure or for a different type of damage to the structure.

Kaady, a masonry subcontractor, installed manufactured stone and masonry caps at a condominium project on Mount Hood.  After the project was complete Kaady was notified that there were cracks in the stone that he had installed.  Later that year Kaady bought a liability policy from Mid-Continent.  Kaady was then sued by the condo association, which alleged that his defective work had contributed to water damage to wood sheathing behind the manufactured stone, and to deck posts on which the masonry caps were sitting.

Mid-Continent denied coverage for those damages under its policy’s "known-loss" provision,  which stated that the policy “applies to . . . property damage only if . . . no insured . . . knew that the . . . property damage had occurred, in whole or in part.”  The policy also excluded coverage for property damage that is a "continuation, change or resumption" of "such [known] property damage."  The policy defined "property damage" in part as "physical injury to tangible property."

In the coverage lawsuit the insurer advanced two arguments to justify its denial:  1) that prior knowledge of any damage to a structure means that any other damage to the same structure is a "known loss;" and 2) that the damage to the sheathing and posts was a "continuation, change or resumption" of the cracking that the insured knew about.  The District Court granted summary judgment for Mid-Continent based on the known-loss provision.  The Ninth Circuit reversed.

The insurer argued that the policy's references to "property" and "tangible property" included all portions of that "property," and therefore that knowledge of damage to one portion of "the property" could be attributed to all later damage to that property.  The appeals court disagreed, pointing out that that interpretation conflicts with the way "property" is used throughout CGL policies.  Standard-form policies distinguish between different types of "property" and rely on those distinctions to exclude some kinds of "property" from coverage, such as the insured's own "work" while providing coverage to other kinds of "property."  Therefore, to be consistent, the known-loss provision must operate to allow coverage for damage to some "property" even if the insured knew about damage to other "property" within the same structure.  Moreover, because the known-loss provision talks about knowledge of "the property damage," any damage different in type than the damage about which the insured had knowledge is not excluded by the policy.  In Kaady the damage (deterioration) to the sheathing and deck posts was different in type from the cracking that the insured knew about before buying the policy.

The court also rejected the second argument, holding that Mid-Continent had the burden on summary judgment of proving, through evidence, that the damage to the sheathing and posts was caused by the same cracks that the insured knew about before he bought the policy.  The insurer had failed to put on such evidence, and so summary judgment should not have been granted.

In this decision the Ninth Circuit adopted arguments that have been advanced by policyholders for years, but had not been the subject of a published Oregon state court ruling, creating some uncertainty.  "Known-loss" disputes come up with some frequency, because Oregon law requires property owners to give notice to contractors of alleged defects and an opportunity to cure, and because "punch-list" provisions in standard construction contracts often require owners to give contractors an opportunity to fix problems that occur soon after construction.  This decision will therefore make it difficult for insurers that operate in good faith to deny claims based on "known loss."


Tuesday, June 9, 2015

Montana Case on Late Notice Calls Into Doubt Technical Coverage Defenses

In a new decision the Montana Supreme Court has confirmed that in order to avoid its coverage obligations based on a technical defense such as late notice, a liability insurer must show that it suffered "prejudice."  The case is a good illustration of courts' general skepticism toward "technical" coverage defenses asserted by insurers, but also of how the details of any particular lawsuit -- or settlement -- can complicate the coverage analysis. (I first wrote about this case in July of last year).

The decision in Atlantic Casualty v. Greytak essentially restores the status quo about the "notice-prejudice rule" in Montana.  Under the notice-prejudice rule the insurer must show that its ability to defend the case and prevent a large judgment against the insured was materially harmed by the late notice.  The trial court in the Greytak case decided that a 2011 decision from the Montana Supreme Court, Steadele v. Colony Insurance, had overturned Montana law adopting the rule, making the prompt notice provision in standard liability policies a "condition of forfeiture," meaning that the insurance company did not need to prove prejudice.  On appeal, the Ninth Circuit certified that narrow legal question to the Montana Supreme Court.

In Greytak the insured was sued for negligence leading to property damage.  The claimant and the insured entered into an agreement whereby the insured would tender the claim to its liability carrier, and if the insurer did not pick up the defense or file a declaratory judgment action the claimant could enter a stipulated judgment against the insured, but agree to only pursue collection from the insured's insurance.  The insured tendered the claim and the carrier did not pick up, whereupon a stipulated judgment was entered in state court.  (The facts are disputed about whether the claimant was actually entitled to file the stipulated judgment, because the insurer had filed a declaratory judgment lawsuit before the state-court judgment).  The state-court judgment was set aside and the coverage action proceeded.

The Montana court clarified that Steadele did not reverse the law on the "notice-prejudice rule," pointing out that in Steadele the Court had found that the insurer was prejudiced as a matter of law, because the insured had stipulated to a monetary judgment before the insurer was given any notification.  In Greytak, by contrast, the parties' agreement allowed the insurer the chance to step in and defend, which it did not do.

The "notice-prejudice rule" is clearly established as the law in Oregon (Lusch v. Aetna), Washington (Canron v. Federal Insurance), and Alaska (Weaver Bros. v. Chappel). 

Interestingly, all of the Montana justices agreed about the notice-prejudice rule, but there were two dissenting opinions.   The dissents argued that the court should have gone beyond the narrow question certified by the Ninth Circuit to find that the insurer was prejudiced as a matter of law by the insured's and the claimant's conduct.  The insurer's briefs on appeal argued strenuously that it had indeed been prejudiced because the insured failed to cooperate with it after it attempted to appoint defense counsel, and because the claimant had filed the state-court judgment in violation of the settlement agreement.  The Montana Supreme Court's majority elected not to go beyond the certified question, however, leaving the issue of actual prejudice up to the federal trial court to resolve.  In light of what the trial court did below, I would say that things don't look good for the claimant on that score.

Wednesday, May 27, 2015

Lessons From CNA's Suit to Avoid Covering a Hospital Cyber-Breach

A few weeks ago the insurance-coverage community experienced a watershed event: the first publicized lawsuit by an insurer for a declaration of "no coverage" under a cyber-insurance policy.  The case is Columbia Casualty Company v. Cottage Health Systems, filed in the Central District of California, and the issue is the insured's compliance with a pledge that it would use "minimum required" data-security practices.  This case holds important lessons for those considering cyber coverage - chiefly, be careful what you say in your application, and don't think that your insurer is going to treat you with kid gloves just because cyber coverage is a new product.

(NB: although we wouldn't normally cover California litigation, this filing raises red-hot issues so we decided to make an exception.)

The Cottage Health data breach was caused by user error, which is reported to be the leading cause of data security incidents across all sectors of the economy.  Cottage is a three-hospital health system in the Santa Barbara area.  According to published reports, the hospital contracted with an IT firm, "InSync," to put medical records on a File Transfer Protocol ("FTP") server so that they could be accessed remotely, but no-one made sure that access to the records was locked-down to credentialed people only, or encrypted.  As a result the FTP files were available to Google's search "bots", and could be found by using a Google search.  Reportedly only after someone reported the issue to the hospital was the error caught.  A class-action suit against InSync and Cottage followed, alleging (among other things) violations of California's Confidentiality of Medical Information Act.  Apparently the state DOJ is also investigating possible HIPAA violations.

Cottage's cyber-liability insurer, Columbia Casualty (owned by mega-insurer CNA), picked up the defense, and even funded a $4.1 million settlement with the class, but under a reservation of rights.   In the new coverage lawsuit CNA is suing Cottage to get the settlement money -- and all of its defense costs -- back from Cottage.

CNA, like many insurers, required Cottage to fill out a detailed cyber coverage application and "self-assessment" which involved answering a host of questions about IT security practices.  Most of the questions were broadly worded, such as "Do you re-assess your exposure to information security and privacy threats at least yearly, and enhance your risk controls in response to changes?"  A few of the questions were more specific, however, such as whether Cottage routinely changed default software settings if required to make systems secure.  The application also addressed the use of vendors, including questions about whether Cottage required its third-party vendors to observe the same or stricter security practices as those used by Cottage, and whether Cottage required vendors to have cyber-liability insurance.  (Cottage of course answered "yes" to all questions.) 

The application and the policy itself contained several kinds of "warranties" about Cottage's compliance with security standards, and the policy contained an exclusion that coverage would not be provided for damages resulting from "[a]ny failure of an Insured to continuously implement the procedures and risk controls identified in the Insured’s application for this Insurance and all related information submitted to the Insurer in conjunction with such application whether orally or in writing . . ." (emphasis added).

CNA claims that Cottage's "yes" answers on the application were false or that if the answers were true when the application was made, Cottage subsequently failed to "maintain" those practices.  Although CNA's complaint does not specifically say what Cottage didn't do that it should have done, reading between the lines it appears that CNA is focusing on three contentions: first, that the breach occurred because the vendor, InSync, failed to change the default FTP setting on the server software from "open access" to password-only access; second, the medical data was not encrypted on the server; and third, that Cottage did not make sure that InSync had cyber insurance coverage of its own.

This is something of a nightmare scenario for those of us who advise policyholders on cyber liability and coverage.  There are several "weak links" when it comes to cyber, and this case appears to hit on several of them.

First, because there is so little claims history in the "cyber" world, and because the risks are so high, insurers are requiring applicants to answer lots of questions and go through unusually detailed "self-assessments."  That's not a problem if the folks filling out the application thoroughly vet the answers with IT, legal, and the contracts department. But any breakdown in communication among those players can result in coverage problems.

Second, because of the evolving nature of cyber risks (and because it is the nature of their approach to the business) insurance companies frequently use vague wording in application materials and in their policies.  Vague language allows the insurer to argue after the fact a particular meaning that favors them.  We can see that in action in this case, in the question asking whether Cottage did a yearly re-assessment of risks and "enhanced" its "risk controls in response to changes."  What does that mean?  Does that mean that if there is an increase in "spear-phishing" attacks the company must eliminate the use of email?  Or is it good enough to adopt published "best practices" - a rule of reasonableness?  Those are the kind of questions that may be litigated in this case - questions that could have been avoided if the insurer had not been able to get away with vague language that it could later use to its advantage.

Third, vendors.  Vendors, the cause of so many data security problems, create substantial problems when it comes to insurance.  What is a reasonable security precaution to a hospital may seem like overkill to an outsourced IT or cloud provider, or the reverse may be true, and there is often no practical way to monitor changes that a vendor makes in its security practices.  That makes it very difficult to accurately answer a question about whether a vendor uses the same security standards as the insurance applicant.  It is also particularly difficult to ensure, as the CNA application asked, that every vendor "maintain[s] enough insurance to cover their liability arising from a breach of privacy or confidentiality" when there are no standardized forms for cyber coverage that can be required in the vendor contract, and where the risks to the vendor may be dramatically different than those of the customer.

In this case it appears that CNA is trying to avoid coverage using Cottage's "warranty" to comply with vaguely-worded promises that Cottage made about its security practices in a case where negligent oversight of a vendor caused an accidental data breach.  That is, of course, exactly why a business buys liability insurance - to cover an accident caused through negligence.  The fact that CNA is relying on vague language against its customer, Cottage, rather than giving Cottage the benefit of the doubt, demonstrates that this insurer, at least, is willing to use the kind of sharp-elbow tactics to limit its loss payments that we see with other kinds of coverage.  In other words, cyber coverage is not going to be treated differently by the insurance industry and its lawyers.

To try to avoid this kind of situation, businesses would be well advised to treat cyber coverage applications very carefully, to try to negotiate "warranty" language that is less onerous and open-ended, and to exercise increased oversight of vendor contracts and compliance with contract terms, including actually reviewing the vendor's insurance policies and security practices.  Taking those steps will not of course eliminate coverage disputes of this sort, but in this area, every step is an important one.    






Tuesday, May 26, 2015

Premera Data-Breach Class Action Claims Illustrate Cyber Coverage Issues

The massive data breach at Washington health insurer Premera Blue Cross Blue Shield has spawned at last count fifteen class action lawsuits in Washington alone and at least one suit in Oregon federal court.  The suits allege that over 11 million records were exposed in the hack, including not just personally identifiable information but also health treatment and medication histories.
Examining the allegations in these class action complaints, and the differences among them, is instructive for those of us advising clients on insuring against these kinds of risks, because this will not be the last time this kind of breach will occur.  This post will focus on only two of the many issues that these complaints raise.
I should emphasize that I know nothing about Premera's insurance situation, and that the discussion below is purely based on general observations. Also, the below comments should not be taken as commentary on the validity of any of the plaintiffs' claims (some of which -- like the "bailment" claim -- have been rejected in other class action suits).
Timing Issues & Known Loss.  One of the more striking things about the complaints against Premera is the contention that Premera knew that its systems were vulnerable, and that it had been hacked, well before it disclosed the data breach to its customers.  Each of the complaints claims that the federal Office of Personnel Management audited Premera's systems in early 2014 and that on April 18, 2014 Premera received a report from OPM that its systems were vulnerable to attack due to (among other things) failure to make updates to security software, and that the hackers infiltrated Premera's IT system almost immediately thereafter, in early May, 2014.  The complaints also allege that Premera knew that it had been hacked in January, 2015.  But Premera did not disclose the breach to customers until March, 2015.
This brings to mind common coverage defenses used by insurers who issue "claims made" policies, which most cyber coverage policies are: that the claim was known earlier than it was reported.  A claims-made policy provides liability coverage for claims made against the insured during the policy year, irrespective of when the incident happened.  That would mean that a complaint filed against Premera in April, 2015 would generally be covered by its policy in effect in April, 2015.  But what if Premera knew that it would very likely be sued before that policy period started, or before it even applied for the policy?  And what if it failed to disclose what it knew during the application process?  All of these are issues commonly raised by insurance carriers looking to get out of paying a loss.
Also, cyber coverage in particular is often tied not only to when a claim is made but also to when the "wrongful act" or "negligent act" that allowed the breach to happen took place.  Coverage is sometimes conditioned on the negligent act having occurred within a certain time span prior to the beginning date of the policy, referred to as the "retroactive date."  It is increasingly common to hear that a "hack" was accomplished months before the data breach was discovered.  If the hackers got in before the retroactive date, does that mean no coverage?
Claims Under State Data Breach Laws.  Most of the complaints contain a claim under Washington's "Data Disclosure Law," but not a direct claim under the Oregon analogue.  Why?  Because the Washington law expressly provides a private cause of action for damages if any Washington company fails to promptly notify consumers of a breach.  Oregon law (http://www.oregonlaws.org/ors/646A.624) does not provide for a private cause of action.  The Washington statute, however, does not provide for any kind of minimal or statutory damages, and requires that the customer have been "injured" to maintain a suit.  That is both good for the defense of the claim (since the customers may have trouble establishing standing if their personal data has not actually been used, as discussed in this post), and good for coverage.  Cyber policies, like many similar kinds of policies, often provide coverage for "damages" but exclude coverage for "penalties and fines," leading to coverage disputes about whether statutory damages are in fact "damages."  Some states, like Arizona, provide civil penalties for violations of breach laws. And increasingly cyber policies are providing coverage for some kinds of regulatory fines or penalties, which is a good thing particularly given the recent news about large HIPAA fines.
In addition to the claim under the Washington statute, and in lieu of a direct claim under the Oregon statute, many of the complaints bring claims under the Washington and Oregon unfair trade practices or "consumer protection" statutes.   Potentially relevant to coverage are the claims under those statutes for treble damages.  Carriers routinely argue that the multiplied portions of awards are uninsurable punitive damages or are not covered as a penalty. 
There is no question that a large damages exposure will give an insurer incentive to take aggressive coverage positions. Data breach suits will be no exception. Savvy policyholder advisors will need to anticipate these defenses and plan accordingly.  So stay tuned for further reflections on the coverage issues that may arise from the Premera and similar suits.

Thursday, April 30, 2015

Oregon District Court Provides Clarification on Environmental Coverage Issues

In the most recent opinion in the ongoing Marine Group litigation, Judge Acosta clarified two issues that recur in complex environmental insurance litigation: first, which party has the burden of proving that incurred defense costs were reasonable and necessary; and second, whether an insured can recover pre-tender defense costs.

Burden of Proving Reasonableness and Necessity

The issue of which party has the burden of proving, or disproving, that incurred defense costs were reasonable and necessary was addressed in Ash Grove Cement Co. v. Liberty Mut. Ins. Co. In that case, Judge Hernandez endorsed California's rule by holding that when "the insurer has breached its duty to defend, it is the insured that must carry the burden of proof on the existence and amount of the site investigation expenses, which are then presumed to be reasonable and necessary as defense costs, and it is the insurer that must carry the burden of proof that they are in fact unreasonable or unnecessary." Under the clear language of the Ash Grove opinion, a breaching insurer must prove the defense costs to be unreasonable and unnecessary, after the insured proves their existence and amount. Despite holding that this burden-shifting rule applies, Judge Hernandez's application of the rule was unclear, and several breaching insurers have questioned whether they do indeed have the burden of proving defense costs to be unreasonable and not necessary.

This question arose in Marine Group through a complicated motion to compel in which the relevancy of various documents was in question. In ruling on relevancy, Judge Acosta found that it was necessary to establish who has the burden on the issues of reasonableness and necessity. Judge Acosta endorsed the position taken by Judge Hernandez: that when a carrier has breached its duty to defend, the burden of proving the reasonableness and necessity of the fees shifts from the insured to the insurer. Thus, the insured's fees are presumed to be reasonable and necessary when an insurer has improperly breached its duty to defend. This is a win for policyholders, and should make it easier for insureds to recover fees when insurers have wrongfully refused to participate in a defense.

Another wrinkle in the Marine Group litigation is the presence of a paying insurer, Argonaut. Since early on in the defense, Argonaut has paid Marine Group's defense costs. Thus, most of the damages being sought are through a contribution action between insurers, and not a direct coverage claim. Marine Group, along with Argonaut, made the argument that since the claim is primarily a contribution action between insurers, the reasonableness and necessity of the fees was not at issue, but instead the issue is whether Argonaut acted as a reasonable insurer. Similarly, both parties made arguments under ORS 465.480(4)(d) that the common law of contribution was preempted and that the breaching insurers should be prohibited from questioning the defense costs incurred. Judge Acosta rejected this line of reasoning in holding that St. Paul could question the defense costs, but that it bore the burden of proving the fees to be unreasonable and not necessary.

Pre-Tender Defense Costs
While the Marine Group litigation primarily involves a contribution action between Argonaut and other insurers, Marine Group also has a direct contractual claim against its insurers for certain sums not paid by Argonaut. Some of these unpaid defense costs are pre-tender. In other words, they were incurred by Marine Group before it formally sent a letter to its insurers that detailed the claims faced and requested that a defense be provided.

Most states follow the rule that pre-tender defense costs cannot be recovered from an insurer; this underlines the importance of identifying, and tendering to, insurers at the earliest point of any litigation. Marine Group attempted to escape the strict application of the pre-tender rule by invoking the notice-prejudice rule, which does not allow an insurer to deny defense costs because of delayed notice, unless it can show that the delay caused prejudice to the insurer. Judge Acosta found the notice-prejudice rule to be inapplicable because the duty to defend did not arise until the tender occurred. Thus the court held that the notice-prejudice rule does not apply to pre-tender defense costs, because it applies only to covered claims.

Ultimately, Judge Acosta ruled that under Oregon law, pre-tender defense costs are not recoverable. This presents a particularly difficult situation for companies facing historic environmental liabilities. Typically, the only policies that cover historic pollution events were written before 1986. Many companies do not have readily available copies of these insurance contracts. Indeed, historic insurance archaeologists must often be retained to identify these policies. Judge Acosta's decision reinforces the rule that defense costs incurred while a party is looking for its insurance coverage are not recoverable, even to the extent that the delay does not meaningfully prejudice the insurers.


Monday, April 27, 2015

Cert Grant in FCRA Case Could Impact Cyber Coverage

News today that the Supreme Court has granted certiorari in Spokeo v. Robins, which tests whether Congress can confer "standing" by giving consumers a private right of action under a federal law, and entitlement to statutory damages, even if the consumer cannot prove any concrete damages.  The Court will review a decision by the Ninth Circuit that said, essentially, "yes" to that question.

In Robins, the plaintiff claimed to have been harmed when Spokeo, an online directory that aggregates publicly-available personal information, published inaccurate information about him on the site.  The plaintiff contended that in doing so Spokeo violated the Fair Credit Reporting Act (FCRA), but he could not prove specific damages tied to the inaccurate information.  Instead, he claimed entitlement under the FCRA to "statutory damages" (typically set at $1,000 per violation).  Robins sued on behalf of a class of people -- allegedly numbering in the thousands -- who were similarly aggrieved by Spokeo's failure to report accurate information. The trial court dismissed the suit based on the constitutional requirements that a plaintiff demonstrate "standing" based on "actual or imminent harm."  The Ninth Circuit, however, reversed, reasoning that Congress could create a statutory right and in essence create standing by providing a private right of action for violation of that right.  The Supreme Court has agreed to decide whether that view of Congress' power is correct.

What does this have to do with cyber-insurance?  Plenty. For one thing, the decision may undermine state laws that have fueled the market for robust first-party cyber coverage.  Many consumer advocates believe that data-breach notification laws will be ineffective at forcing businesses to "fess up" when a breach happens unless the breach law contains a private right of action with a small statutory damages component, modeled on FCRA.  Washington's data-breach law, recently amended, is just such a law.  The spread of such laws has driven the market for cyber policies that will cover not just the cost of notifications but also liability protection relating to breach notification.  And just as many predict that legislation working its way through Congress allowing companies to confidentially share data on cyber breaches may eventually bring rates down, state legislation has had an impact on premiums that may be blunted by the Court's decision in Robins.

Beyond breach-notification laws, the way that the Supreme Court approaches the "actual or imminent harm" question could impact how courts handle data breach consumer lawsuits that do not rely on any federal statute but instead are based on common-law grounds, such as negligence or fiduciary duty.  Some courts have dismissed consumer lawsuits that fail to allege specific harm arising from a breach, while other courts have allowed those suits to proceed at least into the discovery phase.  The Supreme Court might take this opportunity to address "standing" more generally, leading to fewer consumer class actions, which could further result in lower premiums for cyber coverage.

Wednesday, April 22, 2015

Data Breaches at Franchisees Raise Cyber Insurance Issues

A recent article about a data breach at a Marriott franchise highlights an emerging cyber insurance issue for franchisors, and indeed all companies involved in contractual relationships that expose them to liability for cyber risks over which they may have little control.

The article reports that a Marriott franchisee had a seven-month-long data breach relating to the food and beverage point-of-sale (POS) system at ten of its hotels.  Unfortunately, this kind of scenario is becoming commonplace - hackers exploiting weaknesses in POS security to obtain credit card numbers, often focusing on heavy users of POS systems like restaurants.  

But the franchise aspect of this incident clearly adds some wrinkles worth considering.  I reached out to my partner Shannon McCarthy, a member of our franchise & distribution practice group and frequent contributor to our firm's blog on franchise issues -- ZorBlog -- for some thoughts.

Shannon first confirmed that in the event of a consumer lawsuit over a data breach the franchisor will likely be sued along with the franchisee.  Franchisors are typically viewed as a "deep pocket" and so the plaintiff may seek to hold the franchisor directly or indirectly liable for the breach.  A franchisor might be liable if it controlled the consumer data, if it contractually required the franchisee to use a certain system or provided the system itself, or exercised control over the way that the franchisee collected or used the data.  As examples, Shannon pointed me to both this FTC suit against Wyndham Hotel Group and the consumer class action (and related FTC action) against the rent-to-own franchisor Aaron's, Inc.  

In the Wyndham case the FTC alleged that the hotelier, which operates through over 90 franchisees, itself was liable for data breaches at its franchise locations because the franchisor had made representations on its own website about data security, because it "allowed" franchisees to use improper software and lax security practices, and because its own data systems did not encrypt consumer information.  Wyndham has pushed back against the FTC's claims and has appealed an early ruling that the FTC has jurisdiction to pursue the claims, and recently defeated a related derivative action in federal court.  

In the Aaron's case, customers who rented laptops sued the franchisees and the franchisor alleging that spyware on the laptops captured keystrokes, browsing history, and screenshots, and took pictures of the customers using the computer's built-in camera, invading the customers' privacy.  (The customers' case was recently reinstated by the Third Circuit after having been dismissed on procedural grounds).  The customer suit follows on the heels of a consent decree that Aaron's reached with the FTC in which the franchisor essentially admitted that it not only knew about the practice but actively participated in providing the software to its franchisees.  (Given that settlement it may be difficult for Aaron's to deflect responsibility to its franchisees.)

Where does insurance fit into all of this?  First, franchisors (like all businesses) should assess whether they themselves are adequately covered for cyber losses, including whether their traditional insurance policies carry endorsements specifically excluding data-breach liability or first-party losses, and whether they should purchase specific "cyber insurance."  In making this assessment franchisors should take into account all of the potential risks that they face beyond just regulatory or class-action consumer lawsuits; for example, credit-card issuers and banks may file suit seeking to recover their costs for writing off fraudulent charges and issuing new cards.

Second, franchisors should consider the requirements that they impose on franchisees with regard to cyber-security practices.  For example, franchisors might incorporate into their franchise agreements some of the security standards and "best practices" being developed by cyber-security organizations.  Of course this brings into play the tension that has always existed between maintaining enough separation from the franchisee such that liability could be avoided altogether, wanting to protect the brand by ensuring that the franchise is run competently, not imposing unreasonable burdens on franchisees, and business interests that may require a certain amount of intermingling of operations.  (For example, one of the key advantages of owning a hotel franchise is the access to the unified reservations and loyalty-reward programs operated by the franchisor.)


Finally, because preventing data breaches or liability claims may be impossible, franchisors should evaluate whether to require their franchisees to carry cyber insurance, and whether those insurance policies can provide protection to the franchisor.  Much as general contractors require subcontractors to carry insurance providing "additional insured" protection if the general is sued because of the subs' negligence, some cyber insurance programs purchased by a franchisee could be made to assist a franchisor in the event of a data breach caused by a franchisee's error.  However, because cyber insurance is not being written on standardized forms, it is not possible to simply specify in a franchise contract that a specific ISO additional insured endorsement be used.  Instead, franchisors would be well served to work out requirements language with their franchisees that takes into account evolving norms in the insurance industry regarding language, sub-limits, and other aspects of cyber insurance.  What will likely be needed in this, as with almost all things in the cyber insurance world, is a team approach involving counsel, insurance broker, and business people.







Monday, April 13, 2015

Oregon Supreme Court Accepts Review of Two Important Insurance Disputes

The Oregon Supreme Court recently accepted for review two cases with potentially lasting implications for insurance coverage disputes in the state.

The first case is a mandamus ruling - the court decided to accept for review a trial court's ruling in Liberty Surplus Insurance v. Seabold Construction on a hot evidence issue important to bad-faith coverage litigation.  In Seabold the company and its liability insurer are locked in a dispute over Liberty's handling of Seabold's defense in a construction-defect matter; Seabold contends that Liberty acted in bad faith in connection with settlement of the dispute.  During the critical time period -- while settlement negotiations were going on in the underlying case -- Liberty was acting through coverage counsel, which is commonplace in such situations.  Once the coverage litigation got underway, however, Seabold demanded to see the communications with and work done by the insurer's "coverage counsel" on the theory that at least part of the time the attorney was acting as a claims adjuster.  Under the reasoning of Cedell v. Farmers, a Washington case (and its progeny, discussed in this blog post from 2013), Seabold argued -- successfully -- that there was no absolute attorney-client privilege when "coverage counsel" is performing some of the business functions of a liability carrier.  The trial court ordered Liberty Mutual to produce counsel's communications (initially directly to Seabold, amended to production for review by the court), and Liberty Mutual sought a writ of mandamus -- essentially, appellate review in the middle of a case -- to block enforcement of the trial court's order.

The issue that the court has identified for resolution is whether attorney-client privilege applies despite counsel's involvement in "investigating and adjusting" the claim.  This is the issue that Cedell and other courts outside of Oregon have decided in favor of policyholders, and one would think that this court would go the same way.  However, in the Crimson Trace discovery dispute (which did not involve insurance) the court proved itself very protective of the attorney-client privilege in an institutional context, so "all bets are off," as they say.

The second case accepted for review (back on March 31) is the 2014 Fountaincourt Homeowners Ass'n v. Fountaincourt Development decision from the Court of Appeals.  In that decision the Court of Appeals confirmed that a claimant who obtains a judgment against an insured after trial may pursue that insured's insurance assets in a garnishment proceeding as a judgment creditor, and that during resolution of the garnishment the insurer has the burden of proving that the judgment was not covered where there is prima facie evidence that at least some of the jury's award was for covered damages.  That decision was very beneficial for claimants concerned about being able to collect on a judgment.

The Supreme Court's statement of the issues on review is rather breathtaking, and will ensure that the case is closely watched.  Rather than try to summarize, set out below are the issues on review from the court's statement:

(1) If a general verdict is returned against an insured entity in a mixed coverage case (i.e., one involving some damage that is payable by an insurer and some damage that is not), and the insurer defended under a reservation of rights, can the insured establish coverage for the awarded damages based on the general verdict? (2) Does defective work by an insured contractor constitute "property damage" if that term is defined as "[p]hysical injury to tangible property"? (3) Can an insured establish a prima facie case for insurance coverage with evidence showing only the possibility that a judgment is for damages within the insuring agreement of a liability policy? (4) If a liability insurer's policy is garnished by a judgment creditor and a disputed question of fact must be resolved to determine if the insurer is obligated to pay the judgment, is the insurer entitled to a jury trial in the garnishment proceeding?

What is surprising here is the Court's indication that it will take up some questions that many had thought were largely settled and were not the most controversial of the Court of Appeals' decisions.  One can hope that the Court's indication that it will review those questions is only intended to settle any doubt.  However, because so much is at stake if the Court has decided to revisit those issues, this case promises to attract a lot of attention and amicus participants, and its resolution could shape (or re-shape) Oregon coverage law for a long time.

Tuesday, April 7, 2015

Likely Changes to Oregon Data Breach Law Should Prompt Review of Cyber Coverage

This excellent post by my colleague Brian Sniffen in our firm's IP Law Trends blog reports on the efforts by Oregon's Attorney General to strengthen the state's data breach notification laws.  The proposed amendments to the Oregon Consumer Identity Theft Protection Act (ORS 646A.602 et seq.) are part of Senate Bill 601, which is making its way through the legislature right now.  (You can follow the bill's progress here.)

As Brian reports, among the proposed changes are a lowering of the threshold for notification to the Attorney General to 100 records; expansion of the definition of confidential data to include medical and biometric information; and giving enforcement power to the Attorney General under the Unfair Trade Practices Act.

As we observed last week in our post about the insurance implications of Washington's effort to toughen its data-breach notification laws, these proposed Oregon changes should prompt every business -- whether it handles loads of consumer data or not -- to review its cyber insurance coverage to get a comfort level with any sub-limits relating to notification costs, and liability coverage for regulatory claims.  Of course, both state-level efforts could be upended if the President's proposed data-breach bill becomes federal law, because the federal law will likely trump all state laws.  All the more reason to review your cyber coverage with an insurance professional today.

Update April 22: The Oregon bill has received a "do pass" recommendation, with some amendments, from the Senate Judiciary Committee, and is awaiting transfer to the floor for passage.

Monday, April 6, 2015

Why You Need More Than Just a Certificate of Insurance

It is common practice for entities such as owners, contractors and design professionals to contractually require another party to provide insurance. The most common method of providing information related to this requirement is through a certificate of insurance. A certificate is usually issued on a form copyrighted by an organization named ACORD (Association for Cooperative Operations Research and Development). Other forms can be used, but because the ACORD form is the most commonly used form today, this discussion will focus on the terms of that form of certificate.
Many individuals place too much significance on the certificate and are surprised to learn of its limitations. Here are the top five reasons to not rely on a certificate:
1. Information Only. The most important thing to remember is that a certificate is provided for information purposes only and is not part of the insurance policy. If you look carefully at the most recent ACORD form (Form 25, Certificate of Liability Insurance), you will see that it contains a disclaimer: “This certificate is issued as a matter of information only and confers no rights upon the certificate holder. This certificate does not affirmatively or negatively amend, extend or alter the coverage afforded by the policies below.” Practically, this means that even though a certificate states that certain insurance coverage exists, this does not mean that it does. Of course, brokers and agents have obligations to fill out certificates with accurate information, but if the information is incorrect, you likely won’t be able to rely on a certificate alone for coverage.
2. Additional Insured. Just because the certificate states that you are an additional insured doesn’t mean that you are. The only way that a party can be added as an additional insured is by endorsement. Therefore, even if the certificate states that you are an additional insured, you will not be afforded such a status unless the insurance carrier actually endorses the policy. A good business practice is to not rely on the certificate as evidence that you are an additional insured; request an actual copy of the additional-insured endorsement along with the certificate. This will also allow you to verify whether the endorsement matches the contract requirements.
3. Notice of Cancellation. Don’t be surprised if you are not provided with notice of a cancellation or nonrenewal. In 2009, ACORD changed its form language to state: “Should any of the above described policies be cancelled before the expiration date thereof, notice will be delivered in accordance with the policy provisions.” This statement reaffirms the general rule that an insurance carrier is under no obligation to provide notice unless the terms and conditions of the policy provide for the notice. In addition, notice is usually provided only to “named insureds” and not additional insureds. A good business practice is to specifically include notice requirements in the contract between you and the other party or consider requesting that the policy be endorsed to provide cancellation notices.
4. Not Matching Contractual Requirements. Many entities receive a certificate and assume that any contractual insurance requirements between the parties have been met. When a broker or agent completes a certificate, however, he or she may not compare the terms of the insurance policy with the contractual insurance requirements between the parties. Be sure to review the certificate against the contractual requirements and request additional evidence or explanation if needed.
5. Snapshot in Time. A certificate is limited to providing information about a policy at a given time. Because it is just a snapshot in time, the certificate will not reflect future changes in the policy, such as added exclusions or reduced coverages. Therefore, it is imperative that the insurance requirements be clearly articulated in the contract between you and the other party to protect your interests. Don’t rely on the certificate as proof that insurance coverage will continue and not change.
In sum, a certificate still provides a good starting point for obtaining information about another party’s insurance information and should be used. A certificate is especially important in identifying insurance carriers and policy numbers in the event of a claim. But be aware of its limitations and adjust your business practices accordingly. Remember to always review a certificate for any errors or information that conflicts with the contractual requirements.

Friday, April 3, 2015

Did the Ore Sup Ct Abolish Common Law Indemnity for Defense Costs?

"Frequent-fliers" in the world of construction-defect litigation know that defense costs are often the biggest exposure, particularly for subcontractors.  That is why securing a paid-for defense from an insurance carrier is such a hot topic on this blog (and elsewhere).  And whether there is insurance to cover defense costs or not, defendants in complex disputes (including insurers) often threaten to sue other co-defendants to recover part of their defense costs, which can drive settlement discussions.  So any development in the law relating to defense cost recovery has an impact on policyholders - and that's why I'm writing about this new case, which on its face has nothing to do with insurance.

On March 19, 2015 the Oregon Supreme Court issued a somewhat surprising decision in Eclectic Investment v. Patterson & Jackson County et al., in which the court appears to have changed some fundamental assumptions about whether one defendant can recover defense costs from another defendant.  In Eclectic a landowner sued a contractor that had done excavating work for him and the county that inspected and permitted the excavation, after the excavated hillside eroded and damaged commercial buildings on the owner's property.  A jury found that the landowner was more than 50% at fault, meaning that under Oregon's comparative fault law neither the county nor the contractor had to pay any damages (both the county and the contractor were found to be slightly at fault).  The county had asserted a common-law indemnity claim against the contractor, and after the trial pursued that claim to recover its defense costs.

Common-law indemnity is an equitable theory used when there is no contractual relationship between the parties or the contract does not contain an indemnity provision.  Under one formulation of the legal standard for the claim, Defendant A will owe Defendant B indemnity if Defendant A's negligence was "active" or "primary" while Defendant B's negligence was "passive" or "secondary."  Another way of phrasing the test is whether in fairness, Defendant A "should" pay for Defendant B's costs in the suit.

The issue before the Oregon Supreme Court in Eclectic Investment was how to determine if the county was entitled to indemnity, since neither the county nor the contractor was liable for damages, and each was found to have played a minor role in the incident.  The court recounted the rather vague legal tests that Oregon courts had developed over the years to determine whether in equity one party owes another indemnity (see above).  The court observed, however, that Oregon law changed after common-law indemnity was adopted, replacing the older "joint liability" regime with the current comparative-fault regime in which each defendant is assessed only its percentage share of any damages by the jury using a questionnaire.  Therefore, according to the court, the rationale for common-law indemnity has disappeared, because under the new scheme one party will never be made to pay damages that were in fact attributable to the "active" fault of another party.

The problem, of course, is that the defense costs incurred by the defendants are not part of the jury's consideration.  (In reality, those costs can only be determined once the litigation is done.)  But the court made it clear, in a final footnote, that where the comparative fault rules apply, common-law indemnity cannot be used as the theory on which to recover even defense costs.  The court stated that it would countenance recovery of defense costs on some other theory, citing cases from other states that allowed such claims under a quasi-contract theory - but that such claims could only lie where the indemnitee incurred defense costs only because of the indemnitor's negligence.  Applying that concept to the facts of the case, the court stated that because plaintiff had sued the county and the contractor, it was clear that the county's involvement in the litigation was not solely because of the contractor's negligence, so the county would have been out of luck in recovering defense costs under an alternative theory.

The court's decision will change some of the leverage points in multi-defendant litigation where not all players have contractual indemnity claims.  It also emphasizes the importance of having Oregon courts enforce insurance contracts providing a paid-for defense.   If defendants cannot rely on common-law indemnity to recover defense costs when they are dragged into lawsuits in which they play a minor part, it is critical that insurers understand and heed their contractual obligation to cover those defense costs.

Tuesday, March 17, 2015

Washington Policyholders, Check Your Cyber Policy as Data Breach Notification Law Moves Forward

Washington has moved a step closer to bringing its data-breach notification law in line with the laws of many states (including Oregon) that require notification in the majority of scenarios, closing what some viewed as loopholes in the law and mandating notification within 45 days, rather than the prior "as soon as possible" requirement.  (Oregon law still lacks a specific presumptive deadline.)  In particular, the new Washington bill removes the exemption for lost or stolen data that is "encrypted," in recognition of the fact that "encryption" can fail if the technology used was old or if the encryption key was also stolen.  The Washington bill has passed the House and is set for hearings in the Senate later this week, and is expected to pass.

What does this mean from an insurance standpoint?  Cyber insurance policies typically provide "first-party" coverage for the costs of data breach notification, but often contain very low sub-limits on that coverage.  In a state like Washington with a weak data breach notification law a business could in theory get away with a low sub-limit because only in a rare set of circumstances would broad-based notification be required.  That will no longer be the case and so those sub-limits, and any other restrictions placed on notification coverage, need to be re-examined.  And of course if your business lacks cyber coverage entirely, it is time to explore your options.  The most recent data on the cost of data breaches indicates that the cost of notification is the fourth-biggest category of impact from a data breach (after lost reputation; lost time/productivity; cost of new technology).  By comparison the cost of regulatory fines and lawsuits was tenth in the ranking of impacts on businesses experiencing a breach.  The conventional wisdom is that a business should expect to spend at least $188 per record on notification and similar first-party response-related costs.  With the number of records routinely stored by businesses, particularly those in the online retail or cloud computing sector, it is easy to see why low sub-limits could be a huge problem if a breach occurs.  So check your policies, and call your insurance advisers, to get ahead of these changes in the law in Washington.

ps.  Speaking of Washington, not 48 hours after news broke this week of a major data breach at Premera in Washington a class action was filed. But the cause of action -- breach of contract -- may cause coverage problems. The liability portions of cyber policies often exclude breach of contract actions. One more reason to check those policies.

Update April 22: The bill has passed and is now awaiting signature by the Governor.

Wednesday, March 11, 2015

Cyber Coverage No Longer a Novelty But Many Concerns Remain

That is the message that I took away from last week's annual conference of the ABA's Insurance Coverage Litigation Committee in Tucson, Arizona.  Gone was the "gee whiz" discussion of the technology and its risks, and most presenters avoided the scare tactics all too commonly used in the industry to drum up sales.  (Not that there isn't reason to be scared - but the horror stories are so widely reported it hardly seems necessary to dwell on them at a conference of insurance coverage pros).

One particularly useful panel took a deep dive into problematic policy language and the limitations of the products currently offered.  This is critically important because although cyber coverage is no longer new, the language of the policies is not yet standardized.  A few of the many things to look out for are:

- long "waiting periods" for business interruption coverage.  Business interruption coverage is "time loss" cover in that the loss amount is calculated (generally speaking) as average sales per hour multiplied by the number of hours of downtime due to the covered event.  However, some chunk of time (the "waiting period") is routinely excluded as a kind of deductible.  Some cyber insurers default to a 24 hour waiting period (an eternity for many businesses and particularly online retailers) putting the burden on the policyholder to ask for a more reasonable period.  According to the panel (and my own experience has shown this to be true) carriers will agree to 12 hours or less - sometimes 8 hours.  If your business relies on closing sales around the clock, cutting down the waiting period could mean hundreds of thousands of dollars more in business interruption coverage.

-  liability coverage limited to liability for the insured's own wrongful acts. Because so much electronic data is now routinely hosted, handled or safeguarded in some manner by vendors, any kind of strict limitation with regard to who made the "oops" may result in no coverage, even though the insured may be held liable as the owner of the data. The panel discussed several recent data breach incidents in which the error that allowed confidential data to be stolen was committed by one entity, but liability was imposed on another entity (e.g. the Target hack, where intruders gained access through a "phishing" scam on Target's HVAC contractor).  Companies need to pay careful attention to the language of their policies and candidly assess their risks associated with vendors and consultants, particularly in the retail and healthcare sectors.

- coverage for fines and penalties.  The number of regulatory bodies (state and federal) that are being given authority to issue fines and penalties for data breach violations is growing at a fast clip.  Some policies strictly exclude coverage for any kind of fine or penalty, while some do not.  Policyholders should examine their current coverage and evaluate whether their current and future coverage needs are being met, depending on the regulatory environment in which they operate.

The upside of the fact that cyber coverage is still issued largely on a "manuscript" basis (that is, without relying on industry-wide forms) is that insurers are sometimes willing to negotiate on policy language even for relatively small accounts, and oftentimes mid-period if circumstances have changed.  Careful attention to evolving risks from "cyber" events combined with close examination of your policy language can lead to productive conversations with your broker and carrier and needn't wait until renewal.

* Update: This morning Apple is experiencing a major outage in its iTunes store, among other services.  Some are estimating that the six-hour outage has cost Apple $7 million - now that's a serious cyber-business interruption loss (if covered).

Wednesday, January 14, 2015

WA Fed Court: "Spin, Massage, Speculation and Sophistry" Do Not Create Duty to Defend

In Wargacki v. Western National Assurance Co. Judge Leighton of the Western District of Washington held that a homeowner's carrier had no duty to defend a civil suit where the insured shot his pregnant girlfriend, and then shot himself - despite the allegation in the complaint that the boyfriend acted "either negligently, intentionally or recklessly" and that the shooting was "at least negligent."

The court held that the allegation that the shooting was negligent and thus not barred by the intentional acts exclusion was not plausible, and characterized the girlfriend's estate's argument as "spin, massage, speculation or sophistry."  Although this decision appears rooted in common sense, it appears to be inconsistent with Washington law on the burden of proof in the duty-to-defend situation.  The court took the plaintiff to task for failing to allege any facts that would have supported the shooting being negligent, rather than intentional.  But that was not the plaintiff's burden.  Under Washington law, as under the law in most states, the duty to defend is based only on what is pled in the complaint.  If the complaint itself is compliant with court rules on factual pleading, it is simply not up to the judge in a coverage case to fault the plaintiff for not pleading more.  If the complaint could allow the presentation of evidence to support a covered loss (such as proof that the shooting was negligent), then there should be a duty to defend.

That is not to say that the decision was necessarily incorrect.  The plaintiff's complaint alleged not only negligence but also in the same claim the tort of outrage, which (according to the judge) requires intent.  If the decision had relied on that pleading, then the decision might be easier to reconcile with Washington law.  However, the decision only cites that fact as further evidence that there was no duty to defend.


This decision highlights the importance of careful analysis of coverage issues before embarking on any kind of litigation and when crafting an opening pleading, but also the importance of the burden of proof in coverage disputes.  It is not "sophistry" or "spin" to plead in the alternative where the facts are reasonably in dispute and as a result different legal theories may be implicated.  Forensic science and life experience teach us that our gut-level beliefs about such things as motive and causation are often incorrect.  Courts should recognize that and approach duty-to-defend questions accordingly.

Monday, January 5, 2015

Ore. Appeals Court Important Holding on Construction Indemnity Agreements

Just as the ball began to fall in New York to herald the New Year Oregon's Court of Appeals issued an important ruling on contractual indemnity agreements in construction contracts.  The decision isn't directly on insurance coverage, but is important because of the overlap between additional insured issues, contractual indemnity, and Oregon's "anti-indemnity" statute (ORS 30.140).  The progress of the case, Sunset Presbyterian Church v. Andersen Construction, has been closely watched because the trial court issued a written decision, one of the few on this subject.

Here is a bit of background: a new addition to the church suffered from many problems, involving the work of several subcontractors (including one called "B&B"), as well as the general contractor, Andersen.  Andersen's form subcontract included a broad indemnity provision requiring all subcontractors to defend Andersen if suit was brought on the project.  Therefore, Andersen tendered the suit to its subcontractors.  B&B refused the tender.  Andersen settled with the owner, and assigned to the owner its claims against B&B for breach of the duty to defend.  The owner moved for summary judgment on the duty to defend, and prevailed.  However, the trial court awarded the church (as Andersen's assignee) no damages, because the church could not prove how much time Andersen's lawyers had spent dealing with the claims involving B&B's alleged negligence, as opposed to its own negligence or the negligence of other subcontractors.  The trial court relied on Oregon's anti-indemnity statute (ORS 30.140) -- which only applies to construction contracts -- as the basis for putting the burden on the church/Andersen to allocate the defense costs.  (I analyzed the trial court's ruling in more detail in an article for the June 2013 newsletter of the OSB Construction Law Section, available here.)

The church appealed, arguing that the statute did not require that kind of allocation for various reasons, including that the standard applied in the insurance "duty to defend" context should apply to the duty to defend in a contractual indemnity provision.  As a matter of insurance law, an insurer has a duty to defend all claims -- even claims that are not potentially covered -- if any one claim in a suit triggers the duty to defend.  The insurer may not allocate its defense costs based on covered versus uncovered claims.  The Court of Appeals rejected that argument as to ORS 30.140 (and all of the church's other arguments) based on the court's analysis of the legislative history.  However, the Court of Appeals did not reach many of the practical issues presented by the case, finding them moot because of the church's failure to even try to meet the burden of proof articulated by the trial court.  (See the Construction Law Section newsletter article mentioned above for an explanation of those issues).  The case was sent back to the trial court for additional proceedings including (potentially) an award to B&B of its attorney fees, since the Court of Appeals reversed the trial court as to who was the prevailing party.

The general takeaway is this: if a general contractor (or the GC's insurer) wants to recover its defense costs from a subcontractor that refuses to pick up the defense, it must require its law firm to write time descriptions in such a way that a court can later determine how much time was spent on the negligence of each subcontractor.  Of interest to readers of this blog, that requirement will likely lead to all kinds of issues between GCs and their insurers about management of the defense, and also may complicate additional insured claims on subcontractors, involving coverage counsel for the subcontractors.  Happy New Year!