Future of Securities Class Actions

Securities litigation has a culture defined by multiple elements: the types of cases filed, the plaintiffs’ lawyers who file them, the defense counsel who defend them, the characteristics of the insurance that covers them, the way insurance representatives approach coverage, the government’s investigative policies – and, of course, the attitude of public companies and their directors and officers toward disclosure and governance.

This culture has been largely stable over the nearly 20 years I’ve defended securities litigation matters full time. The array of private securities litigation matters (in the way I define securities litigation) remains the same – in order of virulence: securities class actions, shareholder derivative litigation matters (derivative actions, board demands and books-and-records inspections) and shareholder challenges to mergers. The world of disclosure-related SEC enforcement and internal corporate investigations is basically unchanged, as well. And the art of managing a disclosure crisis, involving the convergence of shareholder litigation, SEC enforcement and an internal investigation, involves the same basic skills and instincts.

But I’ve noted significant changes to other characteristics of securities-litigation culture recently, which portend a paradigm shift. Over the past few years, smaller plaintiffs’ firms have initiated more securities class actions on behalf of individual, retail investors, largely against smaller companies that have suffered what I call “lawsuit blueprint” problems such as auditor resignations and short-seller reports. This trend – which has now become ingrained into the securities-litigation culture – will significantly influence the way securities cases are defended and by whom, and change the way that D&O insurance coverage and claims need to be handled.

Changes in the Plaintiffs’ Bar

Discussion of the history of securities plaintiffs’ counsel usually focuses on the impact of the departures of former giants Bill Lerach and Mel Weiss. But although the two of them did indeed cut a wide swath, the plaintiffs’ bar survived their departures just fine. Lerach’s former firm is thriving, and there are strong leaders there and at other prominent plaintiffs’ firms.

The more fundamental shifts in the plaintiffs’ bar concern changes to filing trends. Securities class action filings are down significantly over the past several years, but, as I have written, I’m confident they will remain the mainstay of securities litigation and won’t be replaced by merger cases or derivative actions. There is a large group of plaintiffs’ lawyers who specialize in securities class actions, and there are plenty of stock drops that give them good opportunities to file cases. Securities class action filings tend to come in waves, both in the number of cases and type. Filings have been down over the last several years for multiple reasons, including the lack of plaintiff-firm resources to file new cases as they continue to litigate stubborn and labor-intensive credit-crisis cases, the rising stock market and the lack of significant financial restatements.

Although I don’t think the downturn in filings is, in and of itself, very meaningful, it has created the opportunity for smaller plaintiffs’ firms to file more securities class actions. The Reform Act’s lead plaintiff process gives plaintiffs’ firms incentives to recruit institutional investors to serve as plaintiffs. For the most part, institutional investors, whether smaller unions or large funds, have retained the more prominent plaintiffs’ firms, and smaller plaintiffs’ firms have been left with individual investor clients who usually can’t beat out institutions for the lead-plaintiff role. At the same time, securities class action economics tightened in all but the largest cases. Dismissal rates under the Reform Act are pretty high, and defeating a motion to dismiss often requires significant investigative costs and intensive legal work. And the median settlement amount of cases that survive dismissal motions is fairly low. These dynamics placed a premium on experience, efficiency and scale. Larger firms filed most of the cases, and smaller plaintiffs’ firms were unable to compete effectively for the lead plaintiff role or make much money on their litigation investments.

This started to change with the wave of cases against Chinese issuers in 2010. Smaller plaintiffs’ firms initiated most of them, as the larger firms were swamped with credit-crisis cases and likely were deterred by the relatively small damages, potentially high discovery costs and uncertain insurance and company financial resources. Moreover, these cases fit smaller firms’ capabilities well; nearly all of the cases had “lawsuit blueprints” such as auditor resignations or short-seller reports, thereby reducing the smaller firms’ investigative costs and increasing their likelihood of surviving a motion to dismiss. The dismissal rate has indeed been low, and limited insurance and company resources have prompted early settlements in amounts that, while on the low side, appear to have yielded good outcomes for the smaller plaintiffs’ firms.

The smaller plaintiffs’ firms thus built up a head of steam that has kept them going, even after the wave of China cases subsided. For the last year or two, following almost every “lawsuit blueprint” announcement, a smaller firm has launched an “investigation” of the company, and smaller firms have initiated an increasing number of cases. Like the China cases, these tend to be against smaller companies. Thus, smaller plaintiffs’ firms have discovered a class of cases – cases against smaller companies that have suffered well-publicized problems that reduce the plaintiffs’ firms’ investigative costs – for which they can win the lead plaintiff role and that they can prosecute at a sufficient profit margin.

To be sure, the larger firms still mostly can and will beat out the smaller firms for the cases they want. But it increasingly seems clear that the larger firms don’t want to take the lead in initiating many of the cases against smaller companies and are content to focus on larger cases on behalf of their institutional investor clients.

These dynamics are confirmed by recent securities litigation filing statistics. Cornerstone Research’s “Securities Class Action Filings: 2014 Year in Review” concludes that (1) aggregate market capitalization loss of sued companies was at its lowest level since 1997 and (2) the percentage of S&P 500 companies sued in securities class actions “was the lowest on record.” Cornerstone’s “Securities Class Action Filings: 2015 Midyear Assessment” reports that two key measures of the size of cases filed in the first half of 2015 were 43% and 65% lower than the 1997-2014 semiannual historical averages. NERA Economic Consulting’s “Recent Trends in Securities Class Action Litigation: 2014 Full-Year Review” reports that 2013 and 2014 “aggregate investor losses” were far lower than in any of the prior eight years. And PricewaterhouseCoopers’ “Coming into Focus: 2014 Securities Litigation Study” reflects that, in 2013 and 2014, two-thirds of securities class actions were against small-cap companies (market capitalization less than $2 billion) and that one-quarter were against micro-cap companies (market capitalization less than $300 million). These numbers confirm the trend toward filing smaller cases against smaller companies, so that now, most securities class actions are relatively small cases.

Consequences for Securities Litigation Defense

Securities litigation defense must adjust to this change. Smaller securities class actions are still important and labor-intensive matters – a “small” securities class action is still a big deal for a small company and the individuals accused of fraud, and the number of hours of legal work to defend a small case is still significant. This is especially so for the “lawsuit blueprint” cases, which typically involve a difficult set of facts.

Yet most securities defense practices are in firms with high billing rates and high associate-to-partner ratios, which make it uneconomical for them to defend smaller litigation matters. It obviously makes no sense for a firm to charge $6 million to defend a case that can settle for $6 million. It is even worse for that same firm to attempt to defend the case for $3 million instead of $6 million by cutting corners – whether by under-staffing, over-delegation to junior lawyers or avoiding important tasks. It is worse still for a firm to charge $2 million through the motion to dismiss briefing and then, if it loses, to settle for more than $6 million just because it can’t defend the case economically past that point. And it is a strategic and ethical minefield for a firm to charge $6 million and then settle for a larger amount than necessary so that the fees appear to be in line with the size of the case.

Nor is the answer to hire general commercial litigators at lower rates. Securities class actions are specialized matters that demand expertise, consisting not just of knowledge of the law but of relationships with plaintiffs’ counsel, defense counsel, economists, mediators and D&O brokers and insurers.

Rather, what is necessary is genuine reform of the economics of securities litigation defense through the creation of a class of experienced securities litigators who charge lower rates and exhibit tighter economic control. Undoubtedly, that will be difficult to achieve for most securities defense lawyers, who practice at firms with supercharged economics. The lawyers who wish to remain securities litigation specialists will thus face a choice:

  1. Accept that the volume of their case load will be reduced, as they forego smaller matters and focus on the largest matters (which Biglaw firms are uniquely situated to handle well, on the whole);
  2. Rein in the economics of their practices, by lowering billing rates of all lawyers on securities litigation matters, and by reducing staffing and associate-to-partner ratios; or
  3. Move their practices to smaller, regional defense firms that naturally have more reasonable economics.

I’ve taken the third path, and I hope that a number of other securities litigation defense lawyers will also make that shift toward regional defense firms. A regional practice can handle cases around the country, because litigation matters can be effectively and efficiently handled by a firm based outside of the forum city. And they can be handled especially efficiently by regional firms outside of larger cities, which can offer a better quality of life for their associates and a more reasonable economic model for their clients.

Consequences for D&O Insurance

D&O insurance needs to change, as well. For public companies, D&O insurance is indemnity insurance, and the insurer doesn’t have the duty or right to defend the litigation. The insured selects counsel, and the insurer has a right to consent to the insured’s selection, but such consent can’t be unreasonably withheld. D&O insurers are in a bad spot in a great many cases. Because most experienced securities defense lawyers are from expensive firms, most insureds select an expensive firm. But in many cases that spells a highly uneconomical or prejudicial result, through higher than necessary defense costs or an early settlement that doesn’t reflect the merits but that is necessary to avoid using most or all of the policy limits on defense costs.

Given the economics, it certainly seems reasonable for an insurer to at least require an insured to look at less expensive (but just as experienced) defense counsel before consenting to the choice of counsel – if not outright withholding consent to a choice that does not make economic sense for a particular case. If that isn’t practical from an insurance law or commercial standpoint, insurers may well need to look at enhancing their contractual right to refuse consent or even to offer a set of experienced but lower-cost securities defense practices in exchange for a lower premium. It is my strong belief that a great many public company CFOs would choose a lower D&O insurance premium over an unfettered right to choose their own defense lawyers.

Because I’m not a D&O insurance lawyer, I obviously can’t say what is right for D&O insurers from a commercial or legal perspective. But it seems obvious to me that the economics of securities litigation must change, both in terms of defense costs and defense-counsel selection, to avoid increasingly irrational economic results.

Untimely Notice Sustains Denial of Claim

The U.S. District Court for the Eastern District of Kentucky recently held that an insurer properly denied coverage to a hospital because the hospital gave untimely notice of the claim. In Ashland Hospital Corporation v. RLI Insurance Company, Civil Action No. 13-143-DLB-EBA (E.D. Ky. Mar. 17, 2015), the insurer avoided exposure on a $10 million directors and officers (D&O) excess policy claim by successfully arguing that the insured, a hospital association, failed to give timely notice of the claim as required under the terms of the policy.

Background
The hospital purchased $15 million in primary D&O liability insurance for Oct. 1, 2010, through Oct. 1, 2011. The hospital also purchased a $10 million excess policy from another insurer covering the same one-year period. Both policies were written on a “claims-made” as opposed to an “occurrence” basis. In July 2011, the U.S. Department of Justice issued a subpoena to the hospital as part of a Health Insurance Portability and Accountability Act (HIPAA) investigation into allegations that the hospital billed federal healthcare programs for heart procedures that were not medically necessary. Ultimately, the hospital agreed to pay $40.9 million to resolve the allegations.

The hospital notified the primary carrier of the HIPAA investigation in December 2011, which was within the 90-day notice period required by the primary policy. In June 2012, after being informed that the primary carrier’s policy covered the investigation, the hospital notified the excess insurer of the HIPAA investigation. The insurer denied coverage because the hospital failed to provide timely notice during the policy period or within the applicable 90-day extended reporting period after the policy terminated in October 2011. The insurer claimed that the notice requirement was a condition precedent to establishing coverage and that it did not have to show prejudice to deny coverage. The hospital sued for breach of the insurance contract.

Decision
The insurer argued that it correctly denied coverage because the hospital failed to provide notice within the 90-day extended reporting period after the excess policy expired. The insurer argued the excess policy followed form to the primary policy, thereby incorporating the notice provisions of the primary policy that required notice within 90 days of the end of the policy. The hospital admitted the excess policy did follow form to the primary policy but claimed that the presence of notice provisions in both policies made the primary policy’s notice provisions ambiguous.

The Ashland court rejected the hospital’s argument, holding that the notice provisions in the primary and excess policies did not conflict; to the contrary, they coexisted. Therefore, the insurer’s denial of coverage was proper because the hospital failed to provide timely notice as required by the terms of the primary policy.

The court also held that the hospital violated the notice provisions of the insurer’s excess policy, which required the insured to provide notice when specified events occurred. The hospital claimed that the notice provisions were ambiguous and did not require it to provide the insurer with notice every time an event specified in the notice provisions took place, but rather only when the most recent event occurred. The insurer countered that the terms of the policy were clear and that the hospital was required to provide notice when any event specified in the policy took place. The insurer contended that, because the hospital provided notice only when the most recent event occurred and not when previous events occurred, the hospital was not entitled to coverage. The Ashland court held that the provisions were not ambiguous and that adopting the hospital’s interpretation would effectively render the terms meaningless. The court agreed with the insurer that for coverage to exist, the hospital had to provide timely notice to the insurer when all of the events specified by the provision took place, not merely when the most recent event occurred. Because the hospital failed to do so, it forfeited its right to coverage under the terms of the excess policy.

The Ashland court also considered and rejected the hospital’s alternative argument that the insurer had to show substantial prejudice to deny coverage. In so arguing, the hospital relied on Jones v. Bituminous Casualty Corporation, 821 S.W.2d 798 (Ky. 1991), which held that absent a showing of substantial prejudice a workers’ compensation insurer could not deny coverage because of an insured’s untimely compliance with a notice provision. The Ashland court noted that Kentucky courts have not addressed whether Jones applied to claims-made insurance policies but predicted that the Kentucky Supreme Court would not extend Jones to a claims-made policy because to do so would effectively rewrite the policy without justification.

Takeaways
There are two principal takeaways from the Ashland decision:

  • First, in Kentucky, excess insurers desiring to “follow” a primary policy would be well-advised to use language that ensures the two policies do not conflict. While not mentioned by the Ashland court, a simple way to accomplish this result would be for the excess policy to include language in the “following form” clause confirming that, in the event of any conflict between the primary and excess wording, the primary language should control. Failure to take these steps could render some terms of the policies ambiguous and unenforceable.
  • The second takeaway concerns the Ashland court’s sustaining the enforceability of the claims-made and reporting provisions of the policy. Earlier this year, the state supreme courts in Colorado and Wisconsin reaffirmed that the claims-made and reporting requirements in D&O and professional liability policies are conditions precedent to coverage that cannot be trumped by the notice prejudice rule applicable to occurrence-based policies. (See Craft v. Philadelphia Ins. Co., 2015 CO 11 (Colo. Feb. 17, 2015); Anderson, et al. v. Aul, et al., 2015 WI 19 (Feb. 25, 2015).) Thus, Ashland is illustrative of a continuing trend of recent decisions that have reached this same conclusion.

Wilson Elser will continue to monitor this and other cases involving primary and excess policy coverage disputes.

NOTE: Patrick C. Walsh (Law Clerk-Louisville) assisted in researching and drafting this Alert.

5 Takeaways From First Cyber Case

On May 11, 2015, in a case that is being widely celebrated as one of the first coverage rulings involving a “cyber” insurance policy, a federal court ruled that Travelers has no duty to defend its insured in Travelers Property Casualty Company of America, et al. v. Federal Recovery Services, Inc., et al.

Although the Travelers case does not involve cyber-specific coverage issues, the case nonetheless carries some important takeaways for insureds, insurers and many other interested spectators.

Here is a brief summary of the ruling and five key takeaways:

The Facts

The insured, Federal Recovery, was in the business of providing processing, storage, transmission and other handling of electronic data for its customers, including Global Fitness. In particular, Federal Recovery agreed to process Global Fitness’s gym members’ payments under a servicing retail installment agreement.

Global Fitness sued Federal Recovery, alleging that Federal Recovery wrongfully refused to return member account data to Global Fitness, including member credit card and bank account information. Global Fitness asserted claims for tortious interference, promissory estoppel, conversion, breach of contract and breach of the implied covenant of good faith and fair dealing.

The Cyber Policy

The policy at issue was a “CyberFirst” policy issued by Travelers. The policy included a technology errors and omissions liability form, which stated that Travelers “will pay those sums that [Federal Recovery] must pay as ‘damages’ because of loss … caused by an ‘errors and omissions wrongful act’….” The key term “errors and omissions wrongful act” was defined to include “any error, omission or negligent act.” In addition to covering potential damages, the Travelers policy provided defense coverage, stating that Travelers “will have the right and duty to defend [Federal Recovery] against any claim or ‘suit’ seeking damages for loss to which the insurance provided under one or more of ‘your cyber liability forms’ applies.”

Federal Recovery tendered the defense of the underlying Global action to Travelers, which initiated litigation seeking a declaration that it wasn’t required to provide coverage. Travelers argued that it did “not have a duty to defend [Federal Recovery] against the original or amended complaints in the Global action because Global [Fitness] does not allege damages from an ‘error, omission or negligent act.’”

The Coverage Disputes: Scope of Coverage and Duty to Defend

Although Travelers involves underlying cyber-related facts and a “cyber” insurance policy, the coverage issues arising out of the facts and policy certainly are not cyber-specific. Travelers’ declaratory judgment action raises two coverage disputes concerning: (1) the scope of coverage afforded by the technology errors and omissions policy at issue, as shaped by its key “wrongful act” definition; and (2) the scope of an insurer’s duty to defend under Utah law. While arising in the context of “cyber”-related facts surrounding electronic account and payment data, and under a “cyber” insurance policy, the coverage disputes at issue in the Travelers case are precisely the types of disputes that we routinely see in the context of errors and omissions and other claims-made liability coverages.

(1) The Scope of Coverage

As to the scope of coverage, errors and omissions, D&O, professional liability and other claims-made policies, like the policy at issue in the Travelers case, typically cover “wrongful acts,” a term that typically in turn is defined as “any negligent act, error or omission,” or similar language. There are scores of cases addressing whether intentional and non-negligent acts fall within or outside the purview of a covered “wrongful act.”

Unfortunately, and in contrast to other decisions, the U.S. District Court for the District of Utah in the Travelers case took a narrow view of the key language, ruling that “[t]o trigger Travelers’ duty to defend, there must be allegations in the [underlying] action that sound in negligence.” The court further found that there were “no such allegations.”

In contrast, other courts have appropriately upheld coverage for various types of intentional and non-negligent conduct under errors and omissions and other claims-made policies. As one commentator has summarized: Claims-made policies typically afford coverage for claims by reason of any “negligent act, error or omission.” What if an insured is held liable for a non-negligent act? Most courts have held that the insured is still entitled to coverage. The strongest argument in favor of that conclusion is that (i) an “error” or “omission” encompasses more than negligent conduct, and (ii) if only negligent errors and negligent omissions were covered, the “error or omission” language would be rendered redundant.

To the extent some may wish to reference other cases addressing cyber-related fact patterns, those cases exist. For example, in 1995, the Supreme Judicial Court of Massachusetts in USM Corp. v. First State Ins. Co. upheld coverage under an errors and omissions policy for a breach of express warranty claim involving the insured’s failure to develop and deliver a turnkey computer system that would perform certain functional specifications. The errors and omissions policy at issue in the USM case, similar to the policy at issue in the Travelers case, covered claims against the insured “by reason of any negligent act, error or omission.” Also, the insurers in USM, like the insurers in Travelers, argued that the policy only covered the insured for negligent acts. The USM court rejected the insurers’ arguments, noting that courts have not limited coverage under errors and omissions policies to circumstances involving negligence:

Other courts have not limited liability under “errors and omissions” policies to circumstances involving negligence but have recognized certain non-negligent errors as being within the coverage afforded. Cases involving the words such as “negligent act, error or omission” (the crucial language of the policies before us) have not consistently determined that an error must be a negligent one if coverage is to be available.

***

Because some, but not all, judicial opinions have rejected the interpretation of errors and omissions policies for which the insurers contend, if it was the insurers’ intention, the crucial words of the policy should have been amended to eliminate the ambiguity and to make clear that coverage extended only to negligent errors. Potential policyholders could then have more accurately determined whether such coverage met their needs.
Because of the uncertainty about the scope of the word “error,” the insurers as authors of the policies must suffer the consequences of the ambiguity.

The New York Appellate Division’s decision in Volney Residence, Inc. v. Atlantic Mut. Ins. Co. is likewise instructive. In that case, the Appellate Division held that the insurer had a duty to defend a federal RICO action in which the insured defendants “were alleged intentionally to have committed acts of self-dealing and fraud.” Applying well-established rules of contract interpretation, the court ruled that there was a duty to defend:

The policy provision in question covers claims arising from “a negligent act, error or omission,” which term is defined as “any negligent act, error or omission or breach of duty of [the] directors or officers while acting in their capacity as such.” The definition is susceptible of more than one meaning and can be understood to cover any breach of duty of the directors or officers, not exclusively negligent breaches of duty. Ambiguities in an insurance policy are to be resolved against the insurer.

Other cases are to the same effect.

(2) Scope of the Duty to Defend

Turning to the separate issue of the duty to defend, it is well established that the duty to defend is very broad—broader than the duty to indemnify. The duty to defend is typically triggered if there is some potential for coverage, and, in many jurisdictions, it is appropriate to look outside the facts pled in the underlying complaint to determine whether there is a duty to defend. Again, unfortunately, the court in the Travelers case took a narrow view of the insurer’s duty to defend. Even assuming for the sake of argument that the policy covered only negligence, the underlying complaint alleged, among other things, that Federal Recovery “retained possession of member accounts data, including the billing data, which was the property of Global Fitness ….” Allegations surrounding improper retention of data, even if that retention ultimately was wrongful or not legally justifiable, clearly may arise out of negligence as opposed to intentional conduct.

Travelers Takeaways

Putting aside the ultimate merits of the court’s ruling, and whether this case addresses any coverage issues that are appropriately characterized as “cyber” issues, Travelers offers at least five key takeaways:

First, Travelers illustrates that decisions involving cyber insurance policies are coming and, considering all of the attention and buzz surrounding an otherwise seemingly mundane errors and omissions case, insureds and insurers alike are anxiously awaiting and anticipating the guidance those decisions may provide.

Second, Travelers underscores that the types of coverage disputes that we will see arise out of cyber-related facts, and under cyber insurance policies, often will involve, or at least will intertwine with, the types of disputes that routinely arise in connection with traditional insurance coverages, including errors and omissions coverage and general liability coverage. This is useful for insureds to appreciate toward the goal of being prepared for future potential coverage disputes under cyber policies.

Third, Travelers underscores the importance of securing a favorable choice of forum and choice of law in insurance coverage disputes. Until the governing law applicable to an insurance contract—cyber or otherwise—is established, the policy can be, in a figurative and yet a very real sense, a blank piece of paper.

Fourth, although its label as a first cyber case is debatable, Travelers at a minimum has spotlighted the approaching disputes under cyber liability policies, which should remind insureds of the need to be prepared for, in addition to the traditional types of coverage issues and disputes that can arise under those policies, the potential cyber-specific coverage issues and disputes that may arise, such as the scope of coverage for “cloud”-related exposures.

Fifth, Travelers illustrates the importance of obtaining the best possible cyber policy language at the initial coverage placement and renewal stage. Unlike some types of traditional insurance policies, cyber policies are extremely negotiable, and the insurer’s off-the-shelf language can often be significantly negotiated and improved—often for no increase in premium. It is important for the insured to understand its unique potential risk profile and exposure—and what to ask for from the insurer.

Often in coverage disputes, the issue of coverage comes down to a few words, the sequence of a few words or even the position of a comma or other punctuation. It is important to get the policy language right before a dispute. And while the Travelers case addresses coverage issues that are not cyber-specific, the fundamentals of successfully pursuing coverage under traditional insurance coverage are important to keep in mind as we enter a time and space in which coverage disputes based on underlying cyber-related factual scenarios, and under specialized cyber insurance coverages, are poised to become commonplace.

5 Steps for Covering Data Breaches

Target’s $19 million settlement with MasterCard[1] underscores very significant sources of potential exposure that often follow a data breach that involves payment cards. Retailers and other organizations that accept those cards are likely to face—in addition to a slew of claims from consumers and investors—claims from financial institutions that seek to recover losses associated with issuing replacement credit and debit cards, among other losses. The financial institution card issuers typically allege, among other things, negligence, breach of data-protection statutes and non-compliance with Payment Card Industry Data Security Standards (PCI DSS). Likewise, as Target’s recent settlement illustrates, organizations can expect to face claims from the payment brands, such as MasterCard, VISA and Discover, seeking substantial fines, penalties and assessments for purported PCI DSS non-compliance.

These potential sources of liability can eclipse others. While consumer lawsuits often get dismissed for lack of Article III standing,[2] for example, or may settle for relatively modest amounts,[3] the Target financial institution litigation survived a motion to dismiss[4] and involved a relatively high settlement amount as compared with the consumer litigation settlement. So did TJX’s prior $24 million settlement with card issuers.[5] The current settlement involves only MasterCard,[6] moreover, and the Target financial institution litigation will proceed with any issuer of MasterCard-branded cards that declines to partake of the $19 million settlement offer. The amended class action in the Target cases alleges that the financial institutions’ losses “could eventually exceed $18 billion.”[7]

Organizations should be aware that these significant potential sources of data breach and payment brand liability may be covered by insurance, including commercial general liability insurance (CGL), which most companies have in place, and specialty cybersecurity/data privacy insurance.

Here are five steps for securing coverage for data breach and PCI DSS-related liability:

Step 1: Look to CGL Coverage

Coverage A: “Property Damage” Coverage

Payment card issuers typically seek damages because of the necessity to replace cards and, often, also specifically allege damages because of the loss of use of those payment cards, including lost interest, transaction fees and the like. By way of illustration, the amended class action complaint in the Target litigation alleges:

The financial institutions that issued the debit and credit cards involved in Target’s data breach have suffered substantial losses as a result of Target’s failure to adequately protect its sensitive payment data. This includes sums associated with notifying customers of the data breach, reissuing debit and credit cards, reimbursing customers for fraudulent transactions, monitoring customer accounts to prevent fraudulent charges, addressing customer confusion and complaints, changing or canceling accounts and facing the decrease or suspension of their customers’ use of affected cards during the busiest shopping season of the year.[8]

The litigation further alleges that “plaintiffs and the FI [financial institution] class also lost interest and transaction fees (including interchange fees) as a result of decreased, or ceased, card usage in the wake of the Target data breach.”[9]

These allegations fall squarely within the standard-form definition of covered “property” damage under CGL Coverage A. Under Coverage A, the insurer commits to “pay those sums that the insured becomes legally obligated to pay as damages because of … ‘property damage’… caused by an ‘occurrence’”[10] that “occurs during the policy period.”[11] The insurer also has “the right and duty to defend the insured against any … civil proceeding in which damages because of … ‘property damage’ … are alleged.”[12]

Importantly, the key term “property damage” is defined to include not just “physical injury to tangible property” but also “loss of use of tangible property that is not physically injured.” The key definition in the current standard-form CGL insurance policy states as follows:

“Property damage” means:

  a. Physical injury to tangible property, including all resulting loss of use of that property. All such loss of use shall be deemed to occur at the time of the physical injury that caused it; or
  b. Loss of use of tangible property that is not physically injured. All such loss of use shall be deemed to occur at the time of the “occurrence” that caused it.

For the purposes of this insurance, electronic data is not tangible property.

In this definition, “electronic data” means information, facts or programs stored as or on, created or used on or transmitted to or from computer software, including systems and applications software, hard or floppy disks, CD-ROMs, tapes, drives, cells, data processing devices or any other media that are used with electronically controlled equipment.[13]

Although the current definition states that “electronic data is not tangible property,” to the extent this standard-form language may be present in the specific policy at issue (coverage terms should not be assumed; rather the specific policy language at issue should always be carefully reviewed),[14] the limitation is largely, perhaps entirely, irrelevant in this context because card issuer complaints, like the amended class action complaint in the Target litigation, typically allege damages because of the need to replace physical, tangible payment cards.[15] The complaints further often expressly allege that the issuers have suffered damages because of a decrease or cessation in the card usage.

These types of allegations are squarely within the “property damage” coverage offered by CGL Coverage A, and courts have properly upheld coverage in privacy-related cases where allegations of loss of use of property are present.[16]

Coverage B: “Personal and Advertising Injury” Coverage

There is significant potential coverage for data breach-related liability, including card issuer litigation, under CGL Coverage B. Under Coverage B, the insurer commits to “pay those sums that the insured becomes legally obligated to pay as damages because of ‘personal and advertising injury,’”[17] which is “caused by an offense arising out of [the insured’s] business … during the policy period.”[18] Similar to Coverage A, the policy further states that the insurer “will have the right and duty to defend the insured against any … civil proceeding in which damages because of … ‘personal and advertising injury’ to which this insurance applies are alleged.”[19]

The key term “personal and advertising injury” is defined to include a list of specifically enumerated offenses, which include “oral or written publication, in any manner, of material that violates a person’s right of privacy.”[20]

Considering this key language, courts have upheld coverage under CGL Coverage B for claims arising out of data breaches and for a wide variety of other claims alleging violations of privacy rights.[21] It warrants mention that, although the trial court in the Sony PlayStation data breach litigation recently ruled against coverage, that decision, which turned on the court’s finding that, essentially, Coverage B is triggered only by purposeful actions by the insured (Sony) and not by the actions of the third parties who hacked into its network, is currently on appeal to the New York Appellate Division and may soon be reversed. Nowhere in the insuring agreement or its key definition does the CGL policy require any action by the insured. As the coverage’s name “Commercial General Liability” indicates, the coverage does not require intentional action by the insured, as argued by the insurers in the Sony case, but rather is triggered by the insured’s liability, i.e., the insurer commits to pay sums that the insured “becomes legally obligated to pay” that “arise out of” the covered “offenses.” The broad insuring language, moreover, extends to the insured’s liability for publication “in any manner,” i.e., via a hacking attack or otherwise. The cases cited by the insurer in the Sony case are factually inapposite and interpret entirely different policy language. Indeed, Sony’s insurer, Zurich, itself acknowledged in 2009 that CGL policies may provide coverage for data breaches via hacking, which by definition involves third-party actions.[22]

Organizations also should be aware that the Insurance Services Office (ISO), the insurance industry organization responsible for drafting standard-form CGL language, recently promulgated a series of data breach exclusionary endorsements.[23] ISO acknowledged that there currently is data breach coverage for hacking activities under CGL policies. In particular, ISO stated that the new exclusions may be a “reduction in personal and advertising injury coverage”—the implication being that there is coverage in the absence of the new exclusions.

At the time the ISO CGL and CLU policies were developed, certain hacking activities or data breaches were not prevalent and, therefore, coverages related to the access to or disclosure of personal or confidential information and associated with such events were not necessarily contemplated under the policy. As the exposures to data breaches increased over time, stand-alone policies started to become available in the marketplace to provide certain coverage with respect to data breach and access to or disclosure of confidential or personal information.

To the extent that any access or disclosure of confidential or personal information results in an oral or written publication that violates a person’s right of privacy, this revision may be considered a reduction in personal and advertising injury coverage.[24]

Other than the trial court’s decision in the Sony case, no decision has held that an insured must itself publish information to obtain CGL Coverage B coverage, and a number of decisions have appropriately upheld coverage for liability that the insured has resulting from third-party publications.[25]

The bottom line: There may be very significant coverage under CGL policies, including for data breaches that result in the disclosure of personally identifiable information and other claims alleging violation of a right to privacy, including claims brought by card issuers.

Step 2: Look to “Cyber” Coverage

Organizations are increasingly purchasing so-called “cyber” insurance, and a major component of the coverage offered under most “cyber” insurance policies is coverage for the spectrum of issues that an organization typically confronts in the wake of a data breach incident. This usually includes, not only defense and indemnity coverage in connection with consumer litigation and regulatory investigation, but also defense and indemnity coverage in connection with card issuer litigation. By way of example, one specimen policy insuring agreement states that the insurer will “pay … all loss” that the “insured is legally obligated to pay resulting from a claim alleging a security failure or a privacy event.” The key term “privacy event” includes “any failure to protect confidential information,” a term that is broadly defined to include “information from which an individual may be uniquely and reliably identified or contacted, including, without limitation, an individual’s name, address, telephone number, Social Security number, account relationships, account numbers, account balances, account histories and passwords.” “Loss” includes “compensatory damages, judgments, settlements, pre-judgment and post-judgment interest and defense costs.” Litigation brought by card issuers is squarely within the coverage afforded by the insuring agreement and its key definitions.

Importantly, a number of “cyber” insurance policies also expressly cover PCI DSS-related liability. By way of example, the specimen policy quoted above expressly defines covered “loss” to include “amounts payable in connection with a PCI-DSS Assessment,” which is defined as follows:

“PCI-DSS assessment” means any written demand received by an insured from a payment card association (e.g., MasterCard, Visa, American Express) or bank processing payment card transactions (i.e., an “acquiring bank”) for a monetary assessment (including a contractual fine or penalty) in connection with an insured’s non-compliance with PCI Data Security Standards that resulted in a security failure or privacy event.

This can be a very important coverage, given that, as the recent Target settlement illustrates, organizations face substantial liability arising out of the card brand and association claims for fines, penalties and assessments for purported non-compliance with PCI DSS. The payment card brands routinely claim that an organization was not PCI DSS-compliant and that the PCI forensic investigator assigned to investigate compliance routinely determines that the organization was not compliant at the time of a breach. As the payment industry has stated, “no compromised entity has yet been found to be in compliance with PCI DSS at the time of a breach.”[26]

The bottom line: “Cyber” insurance policies may provide broad, solid coverage for the costs and expenses that organizations may incur in connection with card-issuer litigation and payment brand claims alleging PCI non-compliance.

Step 3: Look to Other Potential Coverage

It is important not to overlook other types of insurance policies that may respond to cover various types of exposure flowing from a breach. For example, there may be coverage under directors’ and officers’ (D&O) policies, professional liability or errors and omissions (E&O) policies and commercial crime policies. After a data breach, companies are advised to provide prompt notice under all potentially implicated policies, excepting in particular circumstances that may justify refraining from doing so, and to carefully evaluate all potentially applicable coverages.

Step 4: Don’t Take “No” For an Answer

Unfortunately, even where there is a legitimate claim for coverage under the policy language and applicable law, an insurer may deny a claim. Indeed, insurers can be expected to argue, as Sony’s insurers argued, that data breaches are not covered under CGL insurance policies. Nevertheless, insureds that refuse to take “no” for an answer may be able to secure valuable coverage.

If, for example, an insurer reflexively raises the “electronic data” exclusion in response to a claim under CGL Coverage A, which purports to exclude, under the standard form, “[d]amages arising out of the loss of, loss of use of, damage to, corruption of, inability to access or inability to manipulate electronic data,”[27] insureds are encouraged to point out that the damages alleged by card issuers for replacing physical cards and for lost interest and transaction fees, etc., resulting from loss of use of those cards, are clearly outside the purview of the exclusion. Likewise, if an insurer raises the standard “Recording And Distribution Of Material Or Information In Violation Of Law” exclusion, insureds are encouraged to point out that the exclusion has been narrowly interpreted, does not address common-law claims and has been held inapplicable where the law at issue fashions relief for common law rights.[28]

Importantly, exclusions and other limitations to coverage are construed narrowly against the insurer and in favor of coverage under well-established rules of insurance policy interpretation,[29] and the burden is on the insurer to demonstrate an exclusion’s applicability.[30]

Step 5: Maximize Cover Across the Entire Insurance Portfolio

Various types of insurance policies may be triggered by a data breach, and the various triggered policies may carry different insurance limits, deductibles, retentions and other self-insurance features, together with various different and potentially conflicting provisions addressing, for example, other insurance, erosion of self-insurance and stacking of limits. For this reason, in addition to considering the scope of substantive coverage under an insured’s different policies, it is important to carefully consider the best strategy for pursuing coverage in a manner that will maximize the potentially available coverage across the insured’s entire insurance portfolio. By way of example, if there is potentially overlapping CGL and “cyber” insurance coverage, remember that defense costs often do not erode CGL policy limits, and structure the coverage strategy accordingly.

When facing a data breach, companies should carefully consider the insurance coverage that may be available. Insurance is a valuable asset. Before a breach, companies should take the opportunity to carefully evaluate and address their risk profile, potential exposure, risk tolerance, sufficiency of their existing insurance coverage and the role of specialized cyber coverage. In considering that coverage, please note that there are many specialty “cyber” products on the market. Although many, if not most, of these policies purport to cover many of the same basic risks, including data breaches and other types of “cyber” and data privacy-related risk, the policies vary dramatically. It is important to carefully review policies for appropriate coverage prior to purchase and, in the event of a claim, to carefully review the scope of all potentially available coverage.

This article was first published in Law360.

 

[1] Target Strikes $19M Deal With MasterCard Over Data Breach, Law360 (April 15, 2015). The settlement is contingent upon at least 90% of the eligible MasterCard issuers accepting their alternative recovery offers by May 20.

[2] See, e.g., No Data Misuse? No Standing For Data Breach Plaintiffs, Law360 (April 24, 2014).

[3] Target Will Pay Consumers $10M To End Data Breach MDL, Law360, New York (March 19, 2015).

[4] See, e.g., Target Loses Bid to KO Banks’ Data Breach Litigation, Law360 (April 15, 2015).

[5] TJX Reaches $24M Deal With MasterCard Issuers, Law360 (April 2, 2008).

[6] The company is reported to be in similar negotiations with Visa.

[7] In re: Target Corporation Customer Data Security Breach Litigation, MDL No. 14-2522 (PAM/JJK) (D. Minn.), at ¶ 87 (filed August 1, 2014).

[8] Id., ¶ 2 (emphasis added).

[9] Id., ¶ 86 (emphasis added).

[10] ISO Form CG 00 01 04 13 (2012), Section I, Coverage A, §1.a., §1.b.(1).

[11] Id., Section I, Coverage A, §1.b.(2).

[12] Id., Section I, Coverage A, §1.a.; Section V, §18.

[13] ISO Form CG 00 01 04 13 (2012), Section V, §17 (emphasis added).

[14] In the absence of such language, a number of courts have held that damaged or corrupted software or data is “tangible property” that can suffer “physical injury.” See, e.g., Retail Sys., Inc. v. CNA Ins. Co., 469 N.W.2d 735 (Minn. Ct. App. 1991); Centennial Ins. Co. v. Applied Health Care Sys., Inc., 710 F.2d 1288 (7th Cir. 1983) (California law); Computer Corner, Inc. v. Fireman’s Fund Ins. Co., No. CV97-10380 (2d Dist. Ct. N.M. May 24, 2000).

[15] See also Eyeblaster, Inc. v. Federal Ins. Co., 613 F.3d 797 (8th Cir. 2010).

[16] See, e.g., Travelers Prop. Cas. Co. of America v. DISH Network, LLC, 2014 WL 1217668 (C.D. Ill. Mar. 24, 2014); Columbia Cas. Co. v. HIAR Holding, L.L.C., 411 S.W.3d 258 (Mo. 2013).

[17] ISO Form CG 00 01 04 13 (2012), Section I, Coverage B, §1.a.

[18] Id., Section I, Coverage B, §1.b.

[19] Id., Section I, Coverage B, §1.a.; Section V, §18.

[20] Id., Section V, §14.e.

[21] See, e.g., Hartford Cas. Ins. Co. v. Corcino & Assocs., 2013 WL 5687527 (C.D. Cal. Oct. 7, 2013).

[22] Zurich, Data security: A growing liability threat (2009), available at http://www.zurichna.com/NR/rdonlyres/23D619DB-AC59-42FF-9589-C0D6B160BE11/0/DOCold2DataSecurity082609.pdf (emphasis added).

[23] These new exclusions became effective in most states in May 2014. One of the exclusionary endorsements, titled “Exclusion – Access Or Disclosure Of Confidential Or Personal Information,” adds the following exclusion to the standard form policy:

This insurance does not apply to:

Access Or Disclosure Of Confidential Or Personal Information

“Personal and advertising injury” arising out of any access to or disclosure of any person’s or organization’s confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of non public information.

CG 21 08 05 14 (2013). See also Coming To A CGL Policy Near You: Data Breach Exclusions, Law360 (April 23, 2014).

[24] ISO Commercial Lines Forms Filing CL-2013-0DBFR, at pp. 3, 7-8 (emphasis added).

[25] See, e.g., Hartford Cas. Ins. Co. v. Corcino & Assocs., 2013 WL 5687527 (C.D. Cal. Oct. 7, 2013).

[26] Visa: Post-breach criticism of PCI standard misplaced (March 20, 2009), available at http://www.computerworld.com.au/article/296278/visa_post-breach_criticism_pci_standard_misplaced/

[27] CG 00 01 04 13 (2012), Section I, Coverage A, §2.p.

[28] See, e.g., Hartford Cas. Ins. Co. v. Corcino & Assocs., 2013 WL 5687527 (C.D. Cal. Oct. 7, 2013). For example, in the Corcino case, the court upheld coverage for statutory damages arising out of a hospital data breach that compromised the confidential medical records of nearly 20,000 patients, notwithstanding an express exclusion for “personal and advertising Injury …. [a]rising out of the violation of a person’s right to privacy created by any state or federal act.” Corcino and numerous other decisions underscore that, notwithstanding a growing prevalence of exclusions purporting to limit coverage for data breach and other privacy related claims, there may yet be valuable privacy and data breach coverage under “traditional” or “legacy” policies that should not be overlooked.

[29] See, e.g., 2 Couch on Insurance § 22:31 (“the rule is that, such terms are strictly construed against the insurer where they are of uncertain import or reasonably susceptible of a double construction, or negate coverage provided elsewhere in the policy”).

[30] See, e.g., 17A Couch on Insurance § 254:12 (“The insurer bears the burden of proving the applicability of policy exclusions and limitations or other types of affirmative defenses”).