Oregon District Court Provides Clarification on Environmental Coverage Issues

In the most recent opinion in the ongoing Marine Group litigation, Judge Acosta clarified two issues that recur in complex environmental insurance litigation: first, which party has the burden of proving that incurred defense costs were reasonable and necessary; and second, whether an insured can recover pre-tender defense costs.

Burden of Proving Reasonableness and Necessity

The issue of which party has the burden of proving, or disproving, that incurred defense costs were reasonable and necessary was addressed in Ash Grove Cement Co. v. Liberty Mut. Ins. Co. In that case, Judge Hernandez endorsed California's rule by holding that when" the insurer has breached its duty to defend, it is the insured that must carry the burden of proof on the existence and amount of the site investigation expenses, which are then presumed to be reasonable and necessary as defense costs, and it is the insurer that must carry the burden of proof that they are in fact unreasonable or unnecessary." Under the clear language of the Ash Grove opinion, a breaching insurer must prove the defense costs to be unreasonable and unnecessary, after the insured proves their existence and amount. Despite holding that this burden-shifting rule applies, Judge Hernandez's application of the rule was unclear, and several breaching insurers have questioned whether they do indeed have the burden of proving defense costs to be unreasonable and not necessary.

This question arose in Marine Group through a complicated motion to compel in which the relevancy of various documents was in question. In ruling on relevancy, Judge Acosta found that it was necessary to establish who has the burden on the issues of reasonableness and necessity. Judge Acosta endorsed the position taken by Judge Hernandez: that when a carrier has breached its duty to defend, the burden of proving the reasonableness and necessity of the fees shifts from the insured to the insurer. Thus, the insured's fees are presumed to be reasonable and necessary when an insurer has improperly breached its duty to defend. This is a win for policyholders, and should make it easier for insureds to recover fees when insurers have wrongfully refused to participate in a defense.

Another wrinkle in the Marine Group litigation is the presence of a paying insurer, Argonaut. Since early on in the defense, Argonaut has paid Marine Group's defense costs. Thus, most of the damages being sought are through a contribution action between insurers, and not a direct coverage claim. Marine Group, along with Argonaut, made the argument that since the claim is primarily a contribution action between insurers, the reasonableness and necessity of the fees was not at issue, but instead the issue is whether Argonaut acted as a reasonable insurer. Similarly, both parties made arguments under ORS 465.480(4)(d) that the common law of contribution was preempted and that the breaching insurers should be prohibited from questioning the defense costs incurred. Judge Acosta rejected this line of reasoning in holding that St. Paul could question the defense costs, but that it bore the burden of proving the fees to be unreasonable and not necessary.

Pre-Tender Defense Costs

While the Marine Group litigation primarily involves a contribution action between Argonaut and other insurers, Marine Group also has a direct contractual claim against its insurers for certain sums not paid by Argonaut. Some of these unpaid defense costs are pre-tender. In other words, they were incurred by Marine Group before it formally sent a letter to its insurers that detailed the claims faced and requested that a defense be provided.

Most states follow the rule that pre-tender defense costs cannot be recovered by an insurer; this underlines the importance of identifying, and tendering to, insurers at the earliest point of any litigation. Marine Group attempted to escape the strict application of the pre-tender rule by invoking the notice-prejudice rule, which does not allow an insurer to deny defense costs because of delayed notice, unless it can show that the delay caused prejudice to the insurer. Judge Acosta found the notice-prejudice rule to be inapplicable because the duty to defend did not arise until the tender occurred. Thus the court held that the notice-prejudice rule does not apply to pre-tender defense costs, because it applies only to covered claims.

Ultimately, Judge Acosta ruled that under Oregon law, pre-tender defense costs are not recoverable. This presents a particularly difficult situation for companies facing historic environmental liabilities. Typically, the only policies that cover historic pollution events were written before 1986. Many companies do not have readily available copies of these insurance contracts. Indeed, historic insurance archaeologists must often be retained to identify these policies. Judge Acosta's decision reinforces the rule that defense costs incurred while a party is looking for its insurance coverage are not recoverable, even to the extent that the delay does not meaningfully prejudice the insurers.

Cert Grant in FCRA Case Could Impact Cyber Coverage

News today that the Supreme Court has granted certiorari in Spokeo v. Robins, which tests whether Congress can confer "standing" by giving consumers a private right of action under a federal law, and entitlement to statutory damages, even if the consumer cannot prove any concrete damages.  The Court will review a decision by the Ninth Circuit that said, essentially, "yes" to that question.

In Robins, the plaintiff claimed to have been harmed when Spokeo, an online directory that aggregates publicly-available personal information, published inaccurate information about him on the site.  The plaintiff contended that in doing so Spokeo violated the Fair Credit Reporting Act (FCRA), but he could not prove specific damages tied to the inaccurate information.  Instead, he claimed entitlement under the FCRA to "statutory damages" (typically set at $1,000 per violation).  Robins sued on behalf of a class of people -- allegedly numbering in the thousands -- who were similarly aggrieved by Spokeo's failure to report accurate information. The trial court dismissed the suit based on the constitutional requirements that a plaintiff demonstrate "standing" based on "actual or imminent harm."  The Ninth Circuit, however, reversed, reasoning that Congress could create a statutory right and in essence create standing by providing a private right of action for violation of that right.  The Supreme Court has agreed to decide whether that view of Congress' power is correct.

What does this have to do with cyber-insurance?  Plenty. For one thing, the decision may undermine state laws that have fueled the market for robust first-party cyber coverage.  Many consumer advocates believe that data-breach notification laws will be ineffective at forcing businesses to "fess up" when a breach happens unless the breach law contains a private right of action with a small statutory damages component, modeled on FCRA.  Washington's data-breach law, recently amended, is just such a law.  The spread of such laws has driven the market for cyber policies that will cover not just the cost of  notifications but also for liability protection relating to breach notification.  And just as many predict that  legislation working its way through Congress allowing companies to confidentially share data on cyber breaches may eventually bring rates down, state legislation has had an impact on premiums that may be blunted by the Court's decision in Robins.

Beyond breach-notification laws, the way that the Supreme Court approaches the "actual or imminent harm" question could impact how courts handle data breach consumer lawsuits that do not rely on any federal statute but instead are based on common-law grounds, such as negligence or fiduciary duty.  Some courts have dismissed consumer lawsuits that fail to allege specific harm arising from a breach, while other courts have allowed those suits to proceed at least into the discovery phase.  The Supreme Court might take this opportunity to address "standing" more generally, leading to fewer consumer class actions, which could further result in lower premiums for cyber coverage.

Data Breaches at Franchisees Raise Cyber Insurance Issues

A recent article about a data breach at a Marriott franchise highlights an emerging cyber insurance issue for franchisors, and indeed all companies involved in contractual relationships that expose them to liability for cyber risks over which they may have little control.  

The article reports that a Marriott franchisee had a seven-month-long data breach relating to the food and beverage point-of-sale (POS) system at ten of its hotels.  Unfortunately, this kind of scenario is becoming commonplace - hackers exploiting weaknesses in POS security to obtain credit card numbers, often focusing on heavy users of POS systems like restaurants.  

But the franchise aspect of this incident clearly adds some wrinkles worth considering.  I reached out to my partner Shannon McCarthy, a member of our franchise & distribution practice group and frequent contributor to our firm's blog on franchise issues -- ZorBlog -- for some thoughts.

Shannon first confirmed that in the event of a consumer lawsuit over a data breach the franchisor will likely be sued along with the franchisee.  Franchisors are typically viewed as a "deep pocket" and so the plaintiff may seek to hold the franchisor directly or indirectly liable for the breach.  A franchisor might be liable if it controlled the consumer data, if it contractually required the franchisee to use a certain system or provided the system itself, or exercised control over the way that the franchisee collected or used the data.  As examples, Shannon pointed me to both this FTC suit against Wyndham Hotel Group and the consumer class action (and related FTC action) against the rent-to-own franchisor Aaron's, Inc.  

In the Wyndham case the FTC alleged that the hotelier, which operates through over 90 franchisees, itself was liable for data breaches at its franchise locations because the franchisor had made representations on its own website about data security, because it "allowed" franchisees to use improper software and lax security practices, and because its own data systems did not encrypt consumer information.  Wyndham has pushed back against the FTC's claims and has appealed an early ruling that the FTC has jurisdiction to pursue the claims, and recently defeated a related derivative action in federal court.  

In the Aaron's case, customers who rented laptops sued the franchisees and the franchisor alleging that spyware on the laptops captured keystrokes, browsing history, and screenshots, and took pictures of the customers using the computer's built-in camera, invading the customers' privacy.  (The customers' case was recently reinstated by the Third Circuit after having been dismissed on procedural grounds).  The customer suit follows on the heels of a consent decree that Aaron's reached with the FTC in which the franchisor essentially admitted that it not only knew about the practice but actively participated in providing the software to its franchisees.  (Given that settlement it may be difficult for Aaron's to deflect responsibility to its franchisees.)

Where does insurance fit into all of this?  First, franchisors (like all businesses) should assess whether they themselves are adequately covered for cyber losses, including whether their traditional insurance policies carry endorsements specifically excluding data-breach liability or first-party losses, and whether they should purchase specific "cyber insurance."  In making this assessment franchisors should take into account all of the potential risks that they face beyond just regulatory or class-action consumer lawsuits; for example, credit-card issuers and banks may file suit seeking to recover their costs for writing off fraudulent charges and issuing new cards.

Second, franchisors should consider the requirements that they impose on franchisees with regard to cyber-security practices.  For example, franchisors might incorporate into their franchise agreements some of the security standards and "best practices" being developed by cyber-security organizations.  Of course this brings into play the tension that has always existed between maintaining enough separation from the franchisee such that liability could be avoided altogether, wanting to protect the brand by ensuring that the franchise is run competently, not imposing unreasonable burdens on franchisees, and business interests that may require a certain amount of intermingling of operations.  (For example, one of the key advantages of owning a hotel franchise is the access to the unified reservations and loyalty-reward programs operated by the franchisor.)

Finally, because preventing data breaches or liability claims may be impossible, franchisors should evaluate whether to require their franchisees to carry cyber insurance, and whether those insurance policies can provide protection to the franchisor.  Much as general contractors require subcontractors to carry insurance providing "additional insured" protection if the general is sued because of the subs' negligence, some cyber insurance programs purchased by a franchisee could be made to assist a franchisor in the event of a data breach caused by a franchisee's error.  However, because cyber insurance is not being written on standardized forms, it is not possible to simply specify in a franchise contract that a specific ISO additional insured endorsement be used.  Instead, franchisors would be well served to work out requirements language with their franchisees that takes into account evolving norms in the insurance industry regarding language, sub-limits, and other aspects of cyber insurance.  What will likely be needed in this, as with almost all things in the cyber insurance world, is a team approach involving counsel, insurance broker, and business people.

Oregon Supreme Court Accepts Review of Two Important Insurance Disputes

The Oregon Supreme Court recently accepted for review two cases with potentially lasting implications for insurance coverage disputes in the state.

The first case is a mandamus ruling - the court decided to accept for review a trial court's ruling in Liberty Surplus Insurance v. Seabold Construction on a hot evidence issue important to bad-faith coverage litigation.  In Seabold the company and its liability insurer are locked in a dispute over Liberty's handling of Seabold's defense in a construction-defect matter; Seabold contends that Liberty acted in bad faith in connection with settlement of the dispute.  During the critical time period -- while settlement negotiations were going on in the underlying case -- Liberty was acting through coverage counsel, which is commonplace in such situations.  Once the coverage litigation got underway, however, Seabold demanded to see the communications with and work done by the insurer's "coverage counsel" on the theory that at least part of the time the attorney was acting as a claims adjuster.  Under the reasoning of Cedell v. Farmers, a Washington case (and its progeny, discussed in this blog post from 2013), Seabold argued -- successfully -- that there was no absolute attorney-client privilege when "coverage counsel" is performing some of the business functions of a liability carrier.  The trial court ordered Liberty Mutual to produce counsel's communications (initially directly to Seabold, amended to production for review by the court), and Liberty Mutual sought a writ of mandamus -- essentially, appellate review in the middle of a case -- to block enforcement of the trial court's order.

The issue that the court has identified for resolution is whether attorney-client privilege applies despite counsel's involvement in "investigating and adjusting" the claim.  This is the issue that Cedell and other courts outside of Oregon have decided in favor of policyholders, and one would think that this court would go the same way.  However, in the Crimson Trace discovery dispute (which did not involve insurance) the court proved itself very protective of the attorney-client privilege in an institutional context, so "all bets are off," as they say.

The second case accepted for review (back on March 31) is the 2014 Fountaincourt Homeowners Ass'n v. Fountaincourt Development decision from the Court of Appeals.  In that decision the Court of Appeals confirmed that a claimant who obtains a judgment against an insured after trial may pursue that insured's insurance assets in a garnishment proceeding as a judgment creditor, and that during resolution of the garnishment the insurer has the burden of proving that the judgment was not covered where there is prima facie evidence that at least some of the jury's award was for covered damages.  That decision was very beneficial for claimants concerned about being able to collect on a judgment.

The Supreme Court's statement of the issues on review is rather breathtaking, and will ensure that the case is closely watched.  Rather than try to summarize, set out below are the issues on review from the court's statement:

(1) If a general verdict is returned against an insured entity in a mixed coverage case (i.e., one involving some damage that is payable by an insurer and some damage that is not), and the insurer defended under a reservation of rights, can the insured establish coverage for the awarded damages based on the general verdict? (2) Does defective work by an insured contractor constitute "property damage" if that term is defined as "[p]hysical injury to tangible property"? (3) Can an insured establish a prima facie case for insurance coverage with evidence showing only the possibility that a judgment is for damages within the insuring agreement of a liability policy? (4) If a liability insurer's policy is garnished by a judgment creditor and a disputed question of fact must be resolved to determine if the insurer is obligated to pay the judgment, is the insurer entitled to a jury trial in the garnishment proceeding?

What is surprising here is the Court's indication that it will take up some questions that many had thought were largely settled and were not the most controversial of the Court of Appeals' decisions.  One can hope that the Court's indication that it will review those questions is only intended to settle any doubt.  However because so much is at stake if the Court has decided to revisit those issues, this case promises to attract a lot of attention and amicus participants, and its resolution could shape (or re-shape) Oregon coverage law for a long time.

Likely Changes to Oregon Data Breach Law Should Prompt Review of Cyber Coverage

This excellent post by my colleague Brian Sniffen in our firm's IP Law Trends blog reports on the efforts by Oregon's attorney to strengthen the state's data breach notification laws.   The proposed amendments to the Oregon Consumer Identity Theft Protection Act (ORS 646A.602 et seq.) are part of Senate Bill 601, which is making its way through the legislature right now.  You can follow the bill's progress here).

As Brian reports, among the proposed changes are a lowering of the threshold for notification to the Attorney General to 100 records; expansion of the definition of confidential data to include medical and biometric information; and giving enforcement power to the Attorney General under the Unfair Trade Practices Act.

As we observed last week in our post about the insurance implications of Washington's effort to toughen its data-breach notification laws, these proposed Oregon changes should prompt every business -- whether it handles loads of consumer data or not -- to review its cyber insurance coverage to get a comfort level with any sub-limits relating to notification costs, and liability coverage for regulatory claims.  Of course, both state-level efforts could be upended if the President's proposed data-breach bill becomes federal law, because the federal law will likely trump all state laws.  All the more reason to review your cyber coverage with an insurance professional today.

Update April 22: The Oregon bill has received a "do pass" recommendation, with some amendments, from the Senate Judiciary Committee, and is awaiting transfer to the floor for passage.

Why You Need More Than Just a Certificate of Insurance

It is common practice for entities such as owners, contractors and design professionals to contractually require another party to provide insurance. The most common method of providing information related to this requirement is through a certificate of insurance. A certificate is usually issued on a form copyrighted by an organization named ACORD (Association for Cooperative Operations Research and Development). Other forms can be used, but because the ACORD form is the most commonly used form today, this discussion will focus on the terms of that form of certificate.

Many individuals place too much significance on the certificate and are surprised to learn of its limitations. Here are the top five reasons to not rely on a certificate:

1. Information Only. The most important thing to remember is that a certificate is provided for information purposes only and is not part of the insurance policy. If you look carefully at the most recent ACORD form (Form 25, Certificate of Liability Insurance), you will see that it contains a disclaimer: “This certificate is issued as a matter of information only and confers no rights upon the certificate holder. This certificate does not affirmatively or negatively amend, extend or alter the coverage afforded by the policies below.” Practically, this means that even though a certificate states that certain insurance coverage exists, this does not mean that it does. Of course, brokers and agents have obligations to fill out certificates with accurate information, but if the information is incorrect, you likely won’t be able to rely on a certificate alone for coverage.

2. Additional Insured. Just because the certificate states that you are an additional insured doesn’t mean that you are. The only way that a party can be added as an additional insured is by endorsement. Therefore, even if the certificate states that you are an additional insured, you will not be afforded such a status unless the insurance carrier actually endorses the policy. A good business practice is to not rely on the certificate as evidence that you are an additional insured; request an actual copy of the additional-insured endorsement along with the certificate. This will also allow you to verify whether the endorsement matches the contract requirements.

3. Notice of Cancellation. Don’t be surprised if you are not provided with notice of a cancellation or nonrenewal. In 2009, ACORD changed its form language to state: “Should any of the above described policies be cancelled before the expiration date thereof, notice will be delivered in accordance with the policy provisions.” This statement reaffirms the general rule that an insurance carrier is under no obligation to provide notice unless the terms and conditions of the policy provide for the notice. In addition, notice is usually provided only to “named insureds” and not additional insureds. A good business practice is to specifically include notice requirements in the contract between you and the other party or consider requesting that the policy be endorsed to provide cancellation notices.

4. Not Matching Contractual Requirements. Many entities receive a certificate and assume that any contractual insurance requirements between the parties have been met. When a broker or agent completes a certificate, however, he or she may not compare the terms of the insurance policy with the contractual insurance requirements between the parties. Be sure to review the certificate against the contractual requirements and request additional evidence or explanation if needed.

5. Snapshot in Time. A certificate is limited to providing information about a policy at a given time. Because it is just a snapshot in time, the certificate will not reflect future changes in the policy, such as added exclusions or reduced coverages. Therefore, it is imperative that the insurance requirements be clearly articulated in the contract between you and the other party to protect your interests. Don’t rely on the certificate as proof that insurance coverage will continue and not change.

In sum, a certificate still provides a good starting point for obtaining information about another party’s insurance information and should be used. A certificate is especially important in identifying insurance carriers and policy numbers in the event of a claim. But be aware of its limitations and adjust your business practices accordingly. Remember to always review a certificate for any errors or information that conflicts with the contractual requirements.

Did the Ore Sup Ct Abolish Common Law Indemnity for Defense Costs?

"Frequent-fliers" in the world of construction-defect litigation know that defense costs are often the biggest exposure, particularly for subcontractors.  That is why securing a paid-for defense from an insurance carrier is such a hot topic on this blog (and elsewhere).  And whether there is insurance to cover defense costs or not, defendants in complex disputes (including insurers) often threaten to sue other co-defendants to recover part of their defense costs, which can drive settlement discussions.  So any development in the law relating to defense cost recovery has an impact on policyholders - and that's why I'm writing about this new case, which on its face has nothing to do with insurance.

On March 19, 2015 the Oregon Supreme Court issued a somewhat surprising decision in Eclectic Investment v. Patterson & Jackson County et al., in which the court appears to have changed some fundamental assumptions about whether one defendant can recover defense costs from another defendant.  In Eclectic a landowner sued a contractor that had done excavating work for him and the county that inspected and permitted the excavation, after the excavated hillside eroded and damaged commercial buildings on owner's property.  A jury found that the landowner was more than 50% at fault, meaning that under Oregon's comparative fault law neither the county nor the contractor had to pay any damages (both the county and the contractor were found to be slightly at fault).  The county had asserted a common-law indemnity claim against the contractor, and after the trial pursued that claim to recover its defense costs.

Common-law indemnity is an equitable theory used when there is no contractual relationship between the parties or the contract does not contain an indemnity provision.  Under one formulation of the legal standard for the claim, Defendant A will owe Defendant B indemnity if Defendant A's negligence was "active" or "primary" while Defendant B's negligence was "passive" or "secondary."  Another way of phrasing the test is whether in fairness, Defendant A "should" pay for Defendant B's costs in the suit.

The issue before the Oregon Supreme Court in Eclectic Investment was how to determine if the county was entitled to indemnity, since neither the county nor the contractor were liable for damages, and each was found to have played a minor role in the incident.  The court recounted the rather vague legal tests that Oregon courts had developed over the years to determine whether in equity one party owes another indemnity (see above).  The court observed, however, that Oregon law changed after common-law indemnity was adopted, replacing the older "joint liability" regime with the current comparative-fault regime in which each defendant is assessed only its percentage share of any damages by the jury using a questionnaire.  Therefore, according to the court, the rationale for common-law indemnity has disappeared, because under the new scheme one party will never be made to pay damages that were in fact attributable to the "active" fault of another party.

The problem, of course, is that the defense costs incurred by the defendants are not part of the jury's consideration.  (In reality, those costs can only be determined once the litigation is done.)  But the court made it clear, in a final footnote, that where the comparative fault rules apply, common-law indemnity cannot be used as the theory on which to recover even defense costs.  The court stated that it would countenance recovery of defense costs on some other theory, citing cases from other states that allowed such claims under a quasi-contract theory - but that such claims could only lie where the indemnitee incurred defense costs only because of the indemnitor's negligence.  Applying that concept to the facts of the case, the court stated that because plaintiff had sued the county and the contractor, it was clear that the county's involvement in the litigation was not solely because of the contractor's negligence, so the county would have been out of luck in recovering defense costs under an alternative theory.

The court's decision will change some of the leverage points in multi-defendant litigation where not all players have contractual indemnity claims.  It also emphasizes the importance of having Oregon courts enforce insurance contracts providing a paid-for defense.   If defendants cannot rely on common-law indemnity to recover defense costs when they are dragged into lawsuits in which they play a minor part, it is critical that insurers understand and heed their contractual obligation to cover those defense costs.