While COVID-19 dominated the insurance coverage landscape in 2021, it was not the only subject of significant decisions in the insurance space. Directors and Officers coverage (“D&O”) and Cyber insurance continued to make headlines while other coverage lines left the industry questioning what is to come in 2022. We highlight a few of the most impactful trends and cases in this 2021 review, and we look forward to what 2022 may deliver in the world of insurance coverage.

State and Federal Courts Split over COVID-19 Business Interruption

This past year revealed a curious divergence between state and federal courts deciding COVID-19 coverage cases. Although insurers have chalked up more victories over the past year, the number of cases involving broad virus exclusions may distort the overall “score board.” As we await opinions from state courts of final review, state trial courts have ruled both ways on the issue. To date, lower state courts appear to be engaging with the merits of policyholder arguments and rejecting the physical or tangible alteration standard that federal courts have applied. However, coverage-friendly decisions from the high courts could also push federal judges in a similar direction. As Hunton partner Lorelie Masters noted,“[t]here is a stark disparity between the way state and federal courts are treating these claims in the Covid-19 context” as state courts apply substantive state law while federal courts rely on an untethered federal common law that does not similarly track. This Erie problem—a reference to the 1938 U.S. Supreme Court case requiring federal courts sitting in diversity to apply the substantive law of the state where they sit—suggests a disconnect between the state courts interpreting their own laws and the federal courts apparently misapplying the laws of those states. Masters, Michael Levine, and Rachel Hudgins prepared an article that addresses this disparity in greater detail and analyzes why federal courts may be getting it wrong.

  • State Courts Support Policyholder Position

While the legal arguments on coverage have been covered extensively on Hunton’s Insurance Recovery Blog throughout the year, a few cases deserve mention here. State courts in particular have given more thorough consideration to the arguments, applying the relevant law and issuing opinions on both sides of the issues. Some states have affirmatively held that the effect of COVID-19 triggered coverage under property policies for business interruption losses. Back in March, a Pennsylvania Court of Common Pleas judge held that government orders requiring closure due to COVID-19 caused a loss of use that “was both ‘direct’ and ‘physical.’” In rejecting the insurer’s argument, the court held that those “interpretations fail to give effect to all of the insurance contract’s terms and … render the phrase ‘direct physical loss of’ duplicative of the phrase ‘direct physical … damage to.’” Thus, the policyholder could recover under the policy.

Other state courts, such as those in New Hampshire and Oklahoma, have reached similar outcomes at summary judgment where policyholders allege the actual presence of COVID-19 on the premises. Although still in the earlier stages of litigation, some California state courts have denied insurers’ motions to dismiss COVID-19 recovery claims. While each case is a positive sign for the countless policyholders that have suffered losses because of COVID-19, all eyes in the upcoming year will be on the state high courts that take up these claims and set the standard for their respective jurisdictions.

  • Federal Appellate Courts Remain Unconvinced by Policyholder Arguments

Federal courts have been less receptive to policyholders’ arguments. In recent comments to Law360, Hunton partner Michael Levine suggested that “many federal judges have found an easy way to clear their dockets and defer the issue to another court for another day, recognizing that the issues will eventually be decided at the state level.” Although one case, K.C. Hopps Ltd. v. Cincinnati Insurance Co., No. 4:20-cv-437 (W.D. Mo. Oct. 28, 2021), reached a jury verdict. However, over the insured’s objection, the judge instructed the jury that the insurance company must win if the government shutdowns in any way affected the insured’s loss.

On July 2, the Eighth Circuit became the first federal appellate court to rule on COVID-19 coverage cases. In, Oral Surgeons, P.C. v. Cincinnati Ins. Co., 2 F.4th 1141 (8th Cir. 2021), the policyholder alleged that its business interruption coverage was triggered by direct physical loss or damage stemming solely from the governor’s shut-down orders. In other words, the policyholder did not allege the physical presence of COVID-19 on the premises, instead relying only on the inability to use its premises as intended as a means of triggering coverage. The court rejected that position and found that “there must be some physicality to the loss or damage of property,” a standard that the government orders alone did not satisfy. While the policyholder did not prevail here, the 8th Circuit left the door open for other COVID-19 business interruption claims that allege the presence of the virus on premises.

Subsequently, other circuits—Second Circuit, Sixth Circuit, Seventh Circuit, Ninth Circuit, and Eleventh Circuit—have primarily considered cases involving solely government orders or including some form of an exclusion that insurance companies have argued applies to COVID-19. Thus, wins for insurers in these cases have not specifically weighed the merits of how COVID-19 causes physical loss or damage to property. In fact, the Sixth Circuit preserved a “distinct theory” of coverage for later consideration when “the coronavirus was present in the [covered property] and materially altered specific property at the time.” Bridal Expressions LLC v. Owners Ins. Co., No. 21-3381, 2021 WL 5575753 (6th Cir. Nov. 30, 2021) (per curiam). We expect that the Sixth Circuits and its sister circuits will adhere to this distinct theory and dutifully apply the relevant state law that governs insurance coverage actions.

As mentioned above, and supported by these appellate rulings, policyholders will look to federal appellate courts and state high courts to deliver a clear interpretation of the governing state law and relevant policy language. Although insurance companies have tallied more victories, the vast majority of these outcomes fall within the government orders and virus exclusion categories. We look for the score level out as appellate courts begin engaging with the intersection of physical loss or damage and the presence of COVID-19.

Directors & Officers

As one might expect, Delaware courts stole the headlines concerning 2021’s most impactful D&O decisions. Opinions on case-determinative choice-of-law provisions, forum shopping and races to the courthouse, coverage for securities class actions, and interlocutory appeals on the issue of the duty to defend dominated the headlines. Each case answered important questions in the realm of D&O coverage, clarifying key issues for future disputes. New York likewise weighed in, allowing a policyholder to recover for a nine-figure settlement involving a disgorgement payment.

The Delaware Superior Court denied five insurers’ motion to dismiss or stay the Delaware coverage action filed after the insurers had filed suit preemptively in Texas, instead opting to keep the case in Delaware—the policyholder’s preferred forum. Although the insurers filed three days earlier, the court held that both suits were filed “contemporaneously” under Delaware law and the insurers demonstrated no “overwhelming hardship” necessary to dismiss the case.

While true that Delaware courts may defer to a case filed first-in-time in another forum if that earlier action involves substantially the same parties and issues, the traditional forum non conveniens analysis applies if two cases are filed contemporaneously. The court also explained that “merely using a timeline” to determine whether a prior action was filed first was inappropriate. To avoid a “race to the courthouse,” Delaware courts may treat cases filed within “the same general timeframe” as contemporaneous. Furthermore, declaratory judgment actions filed in anticipation of the “natural plaintiff” bringing its own suit are not afforded any deference to a first-filed suit.

Under the forum non conveniens framework, the insurers needed to demonstrate “overwhelming hardship” based on factors such as relative ease of access to proof, availability of compulsory process for witnesses, whether the controversy is dependent on Delaware law, and other practical problems that would make trial easy, expeditious, and inexpensive. The court did not need to perform that analysis, however, because the insurers ignored the balancing test completely in favor of the “first-filed” rule and did not try to meet their burden to dismiss the case. Even if the insurer had argued the appropriate issue, the court noted that the insurers were all licensed to do business in Delaware and therefore could not show overwhelming hardship.

Thus, the court kept the case in Delaware, even though that venue was technically the second-filed location. Hunton counsel Geoffrey Fehling commented that “even if an insurer races to the courthouse to force litigation of a coverage dispute in a more favorable forum, being first may not always be enough, especially in Delaware.”

The Delaware Superior Court denied coverage for a policyholder seeking to recover for a suit the court deemed “related” to an earlier lawsuit first made outside the policy’s coverage period. This was despite the insured facing two class action lawsuits filed by different plaintiffs, complaining of different allegedly wrongful conduct, asserting different causes of action subject to different burdens of proof, and seeking different relief based on different time periods for the alleged harm.

There are several interesting issues raised by the First Solar decision, the first of which is the way the court applied Delaware’s “fundamentally identical” standard for related claims. The court cited Northrop Grumman Innovation Systems, Inc. v. Zurich American Insurance Company, 2021 WL 347015 (Del. Super. Ct. Feb. 2, 2021), as the most recent “applicable analysis” to determining relatedness under Delaware law. That case, however, applied the “fundamentally identical” standard to hold that two sets of securities claims were unrelated based on “[v]ariations in timing, breed of securities violation, mens rea, motive, and burden of proof, under each regulation,” all of which suggested that the claims do not involve the “exact same subject.”

Nearly all of those factors—divergent time periods, causes of action, mens rea, and burdens of proof—also were present in First Solar: the class periods were based on different time periods for the alleged harm; the different sets of plaintiffs alleged different causes of action, including separate and distinct common law and statutory violations only present in one action; and those claims involved varying burdens of proof and mens rea. Even so, the court apparently relied on broad-stroke similarities about the alleged “fraudulent scheme” rather than focus on the concrete, material differences between the two lawsuits, which suggest that the two claims are, in fact, not fundamentally identical.

The decision demonstrates the inherent unpredictability of “related” claim disputes and need for careful analysis of the policy language against the factual and legal bases of the underlying claims. Analysis is highly fact-specific and, while related claims provisions can differ materially in scope, it is difficult to predict outcomes given the disparate standards applied and inconsistencies between outcomes. Case law is often mixed, and so policyholders and insurers will often locate separate legal authority supporting and undermining relatedness under a particular set of facts.

In a case that has stretched over several years already, the Delaware Superior Court denied a group of insurers’ application for certification of interlocutory appeal and prevented additional delay. The court previously ruled that Verizon could recover $24 million in legal fees defending against a fraudulent transfer lawsuit brought by a bankruptcy trustee, and the insurers’ sought an interlocutory appeal.

A merger and asset sale among the insureds Verizon, Spinco and FairPoint left the company, FairPoint, with considerable debt, resulting in FairPoint filing a Chapter 11 petition. The trustee filed suit for actual and fraudulent transfer, claims that settled after the insureds incurred approximately $24 million in defense costs. The insurers refused to reimburse any legal fees or otherwise indemnify the insureds on the grounds that the trustee’s fraudulent conveyance suit did not satisfy the policies’ definition of “Securities Claim.”

The trial court ultimately found that the plain language of the D&O policies afforded coverage for the trustee action as a “Securities Claim.” The insurers raised several arguments in seeking to appeal the ruling immediately, including that the lower court’s decision conflicted with other trial court decisions by finding that the trustee’s fraudulent transfer claims were derivative. The court disagreed, finding that the trial court’s decision did not conflict with other trial court decisions and followed established Third Circuit precedent and Bankruptcy Code provisions to evaluate whether a claim brought by a bankruptcy trustee on behalf of a debtor’s estate was derivative. Although limited to the context of the interlocutory appeal, the decision provides another example of pro-policyholder decisions upholding the rights of companies and their insured directors and officers seeking D&O coverage in Delaware courts.

The Delaware Supreme Court ruled that Delaware law applies in disputes over D&O liability insurance policies sold to companies incorporated in Delaware, even though the policy was purchased and issued in California to a company with California headquarters. The court also decided other important issues, finding that liability for alleged fraud is insurable under Delaware public policy. RSUI’s Profit/Fraud Exclusion did not bar coverage because there had been no “final adjudication” of fraud, and the “larger sums rule” governed allocation issues.

Under the most “significant relationship” test, the court considered these factors: (i) the place of contracting; (ii) the place of negotiation of the contract; (iii) the place of performance; (iv) the location of the subject matter of the contract; and (v) the domicile, residence, nationality, place of incorporation and place of business of the parties. Applying these factors, the court determined that Delaware law applies “‘[w]hen the insured risk is the directors’ and officers’ ‘honesty and fidelity’ to the corporation’—and we would add to its stockholders and investors—‘and the choice of law is between headquarters or the state of incorporation, the state of incorporation has the most significant interest.’”

This decision confirmed the superior court’s conclusion that under the “most significant relationship” test in the context of insurance-coverage disputes, Delaware courts may consider broader factors where the insurance policy insures risks that are not confined to one jurisdiction. The Delaware Supreme Court, one of the premier arbiters of corporate law disputes in the country, has confirmed that companies incorporated in Delaware, and their insured directors and officers, deserve the benefits of Delaware law.

Cyber

As the burgeoning world of cyber incidents, particularly ransomware attacks, continues to grow in frequency, severity, and complexity, industry-leading cases become all the more important in establishing precedent. Given the prevalence of cyberattacks and advancing sophistication of hostile actors, policyholders should keep a close eye on cases such as those we summarize below and the many more we can expect soon.

Policyholders scored a coverage victory in Ohio after a cyberattack left the insured, EMOI, with encrypted files that the employees could not access. EMOI paid the ransom in exchange for decryption, but some files and the automated phone system remained encrypted. Following this incident, EMOI switched to a new, more secure domain, although the transition caused various software issues.

EMOI argued that it was entitled to coverage under the Electronic Equipment endorsement its Owners Insurance property policy. The endorsement provided that “we will pay for direct physical loss of or damage to ‘media’ which you own.” Owners disputed that EMOI’s server suffered physical loss or damage. The court disagreed, finding that the “incursion” into the computer system did cause physical loss or damage. Citing testimony from EMOI’s IT manager describing the hack, the court explained that “encryption damaged EMOI’s data and software, and that the damage was not merely aesthetic or amounted to loss of use.” Owners cited several cases that, it said, showed that the policyholder must show some kind of structural damage to “tangible” property. But focusing, as required, on the specific policy language at issue, the court distinguished those cases on the grounds that the policy language at issue was not the same as that analyzed in the cases cited by Owners.

The court’s decision provides good news of relief for policyholders who suffer cyberattacks. Policyholders can bolster their claims by putting forward evidence showing exactly how their computer systems were damaged. There is more likely to be physical loss or damage if hackers changed the computer system to prevent the policyholder from accessing it, compared to merely stealing information.

The Illinois Supreme Court affirmed a lower court’s ruling that an insurer must supply a defense for its insured in a class-action lawsuit claiming violation of the Biometric Information Privacy Act (“BIPA”) under two business owners’ liability policies.

The plaintiffs alleged that, as part of the use of the salon’s services, the plaintiff was required to provide the salon with her fingerprints for use in the salon’s client registration system. The tanning salon then provided that information to its third-party vendor for hosting. According to the class, this violated Illinois statute 740 ILCS 14/15(b)(3).

The tanning salon sought coverage under two business owners’ liability policies under the “personal injury” coverage. The policies afforded coverage for “‘Personal injury’ caused by an offense arising out of your business, excluding advertising, publishing, broadcasting or telecasting done by or for you.” The policies defined “personal injury” as “injury, other than ‘bodily injury’, arising out of one or more of the following offenses: . . . . Oral or written publications of material that violates a person’s right of privacy.” In finding that the lawsuit triggered coverage, the Illinois Supreme Court relied on the general principles of insurance contract interpretation, which require that a policy’s terms are afforded their plain and ordinary meaning and interpreted in favor of the insured where susceptible to more than one reasonable meaning. The policies did not define the term “publication.” When looking to its plain and ordinary meaning, the court determined that publication could mean distribution of information to the public or a single party.

As a result, the court found that the class action lawsuit potentially alleged a personal or advertising injury, that there was potentially a publication of personal information, and finally that there were allegations that the insured violated the plaintiff’s right to privacy. As the use of biometric information and its corresponding technology continues to grow, so does the risk of liability of all who use or possess that information.

Note, however, that a North Carolina federal court reached a contrary decision and found no duty to defend a policyholder facing a lawsuit for alleged violations of the same Biometric Information Privacy Act, in Massachusetts Bay Insurance Co. v. Impact Fulfillment Services, LLC, 2021 WL 4392061 (M.D.N.C. Sept. 24, 2021). There, an information-recording exclusion avoided coverage for the illicit information collection and storage contemplated by BIPA. The exclusion applied to violations of “federal, state or local statute, ordinance or regulation … that addresses, prohibits, or limits the printing, dissemination, disposal, collecting, recording, sending, transmitting, communicating or distribution of material or information.” According to the court, the exclusion captured exactly the type of conduct alleged, allowing the insurance company to deny any duty to defend.

The decisions illustrate the varied conclusions that courts in different jurisdictions can reach under similar facts and circumstances, and how seemingly generic exclusions can work to preclude coverage when applied to even technical or narrow types of claims.

  • Landry’s Inc. v. Insurance Co. of the State of Pa., 4 F.4th 366 (5th Cir. 2021)

The Fifth Circuit held that an insurance company must provide a defense under Coverage B (personal and advertising injury) of a CGL policy for a claim arising out of a $20 million data-breach. The breach occurred because of the unauthorized installation of a program on payment-processing devices at several of the policyholder’s locations. The program collected information from customers’ credit cards, and some of that information was used to make unauthorized purchases.

The question under the policy was whether the potential liability resulting from this data breach arose from “an oral or written publication.” As the phrase was not defined in the policy, the court adopted a broad definition of publication, similar to the defamation context. Because the policy covered a “publication, in any manner,” it did not matter that a third party was responsible for sharing the information; the analysis focuses on whether anyone “expos[ed] or present[ed] [information] to view.” The court had no hesitation in holding that the third party “published [the policyholder’s] customers’ credit-card information—that is, exposed it to view.” Thus the insurer was obligated to provide a defense for its policyholder in the underlying litigation on liability. The court also rejected the insurer’s argument that the claim was not covered because it arose from the insured’s alleged breach of contract, and not a violation of privacy rights. The court focused on the phrase “arising out of” to hold that the policy “does not simply extend to violation of privacy rights; the Policy instead extends to all injuries that arise out of such violations.”

The Indiana Supreme Court rejected the lower courts’ narrow construal of cyber-crime coverage and impractical view of causation. The policyholder was locked out of its computer systems by a hacker following a social engineering fraud that was allegedly initiated by a targeted spear-phishing email. After consulting the FBI and other tech services, G&G Oil paid a Bitcoin ransom to regain access to its computer systems and operations.

G&G Oil then sought to recover these losses under a “Computer Crime Coverage” provision that covers “loss or damage . . . resulting directly from the use of any computer to fraudulently cause a transfer of that property.” The insurer denied the claim on the basis that the Bitcoin was voluntarily transferred and did not result directly from the use of a computer.

In remanding this case to the trial court, the Supreme Court treated the phrase “fraudulently cause a transfer” as ambiguous, instructing the lower court to consider whether the transfer was obtained by trick. The Supreme Court also adopted a broader view of the phrase “resulting directly form the use of any computer,” meaning that the loss must result “immediately or proximately without significant deviation from the use of a computer.” Justice David noted that the “interplay between computer fraud coverage and computer hacking is an emerging area of the law.” The uncertainty among courts and the increase in ransomware attacks and other computer-related crimes emphasize the need for policyholders to secure comprehensive coverage for cyber events.

Hunton Insurance Group Head Walter Andrews noted that policyholders will likely need to show the safety measures they have implemented to prevent these types of attacks, but “[i]t will be easy for such companies to establish that the cause of the transfer was fraudulent and not ‘unhindered.’”

  • Mississippi Silicon Holdings LLC v. AXIS Ins. Co., 843 Fed. App’x 581 (5th Cir. 2021)

The Fifth Circuit affirmed a district court ruling that a policyholder could not recover under a Computer Transfer Fraud provision. In that case, fraudsters intercepted correspondence between the policyholder and a vendor, then prepared materials on the vendor’s letterhead instructing future payments to a new account while referencing legitimate invoices. The policyholder complied with their three-step verification process for large transfers before sending payments totaling over $1 million to the fraudulent account. Although the insurance company granted coverage under the Social Engineering Fraud provision, that recovery was limited to $100,000 and Mississippi Silicon Holding (“MSH”) still sought coverage under the Computer Transfer Fraud provision.

While noting that a single fraudulent act could trigger multiple types of fraud coverage, the court highlighted that the Social Engineering Fraud provision specifically contemplated instances in which an employee relied on fraudulent instructions, but the Computer Transfer Fraud provision did not. The latter required a transfer to occur without the policyholder’s knowledge, but MSH knowingly—although, mistakenly—made this transfer to the fraudulent account. Thus, MSH could not recover its losses under the Computer Transfer Fraud provision.

Other Noteworthy Cases

Outside the COVID-19, D&O, and Cyber spheres, other insurance coverage cases garnered national attention this past year. We review a few of those cases here.

  • Adir International LLC, et al. v. Starr Indemnity and Liab. Co., 994 F.3d 1032 (9th Cir. 2021)

The Ninth Circuit faced the question of whether a California law that forbids insurance companies from providing coverage in specific consumer protection cases brought by the state was violative of the Due Process Clauses of the Fifth and Fourteenth Amendments by interfering with the policyholder’s right to fund and retain counsel of its choice. While conscious of the well-established right to generally fund and retain counsel, the court saw “no reason to enlarge the limited due process right to retain counsel to include a constitutional right to use insurance proceeds to pay for legal fees.” Because the statute “only ma[de] it harder, though not necessarily impossible, for a civil litigant to retain the counsel of their choice”—in fact, Adir retained competent counsel of its choice without using the insurance funds—the court ruled that the law did not violate the policyholder’s due process rights.

Here, a policyholder sought coverage under commercial liability policies for statutory damages for alleged Telephone Consumer Protection Act (“TCPA”) violations and a permanent injunction to prevent future TCPA violations. The Tenth Circuit affirmed the lower court’s ruling that TCPA statutory damages are “uninsurable penalties” as a matter of Colorado public policy, and the National Union policies did not cover claims for injunctive relief. On the penalty issue, the court relied on Colorado public policy outlined in a previous decision—ACE American Insurance Co. v. DISH Network, LLC, 883 F.3d 881 (10th Cir. 2018)—prohibiting insurance for intentional and willful wrongful acts and for punitive damages. Even though the Colorado precedent relied on in ACE interpreted TCPA statutory damages as a “penalty” used in Colorado’s survival statute outside the context of insurance coverage, the DISH court nonetheless followed the prediction from ACE that the Colorado Supreme Court would apply that same rationale in holding that TCPA damages are uninsurable penalties. As a result, DISH was unable to recover under this claim, and the court provided a reminder that the question of insurance coverage for alleged TCPA violations will vary based on the nature of the underlying allegations, the relevant policy language, and applicable state law.

  • Motorist Mut. Ins. Co. v. Quest Pharmaceuticals, Inc., No. 5:19-cv-00187-TBR, 2021 WL 1794754 (W.D. Ky. May 5, 2021)

In the face of 77 opioid lawsuits relating to the costs imposed on government and health agencies as a result of Quest’s alleged improper distribution of painkillers, the pharmaceutical company will not be permitted to recoup its duty to defend or losses under its general liability policies. These lawsuits stemmed from economic losses to localities and health clinics, not from bodily injuries to individuals who use opioids, so they did not trigger coverage under the policy provisions for “damages because of or for bodily injury.” In denying coverage, the court distinguished the Seventh Circuit case of Cincinnati Ins. Co. v. H.D. Smith, L.L.C., 829 F.3d 771 (2016), in which there was coverage for similar facts under the provision covering losses “because of” bodily injury, a broader scope than coverage “for” bodily injury as provided in this case. Quest was therefore unable to rely on its insurance to defend and indemnify in litigating these claims.