2018 was a busy year for courts deciding insurance coverage disputes. Many of those decisions will shape the coverage landscape for years to come. Policyholders enjoyed their fair share of the wins, including substantial victories in areas ranging from social engineering to disgorgement of corporate gain. We take this opportunity to reflect on some of the year's most notable coverage decisions.
2018 was a banner year for decisions addressing losses resulting from social engineering phishing, spoofing and other schemes of trickery and deception.
2nd Cir. Affirms Medidata's Spoofing Loss is Covered Under Crime Policy's Computer Fraud Provision. Medidata Solutions, Inc. v. Federal Ins. Co., 17-cv-2492 (2d Cir. July 6, 2018).
In one of the most closely watched social engineering cases--we blogged about the early stages of this case in 2016 and 2017--the Second Circuit Court affirmed a district court's summary judgment award in favor of Medidata Solutions, Inc., finding that the $4.8 million loss Medidata suffered after it was tricked into wiring funds to a fraudulent overseas account triggered coverage under a commercial crime policy's computer fraud provision. The appellate court found that the entry of data into the computer system squarely satisfied the computer fraud provision, which affords coverage for loss stemming from any "entry of Data into" or "change to Data elements or program logic of" a computer system. The Second Circuit rejected the insurer's argument that Medidata's loss did not actually result directly from the spoofing attack, finding the actions of Medidata's employees "[in]sufficient to sever the causal relationship between the spoofing attack and the losses incurred." The Second Circuit declined Federal's request for reconsideration.
Second Major Policyholder Win For Social Engineering Schemes. American Tooling Center, Inc. v. Travelers Casualty and Surety Co. of America, No. 17-2014, 2018 WL 3404708 (6th Cir. July 13, 2018).
On the heels of the Second Circuit's decision in Medidata, the Sixth Circuit reversed the district court's grant of summary judgment in favor of the insurer in a dispute where American Tooling lost $800,000 after a fraudster's email tricked an American Tooling employee into wiring that amount to the fraudster. In rejecting the district court's finding that coverage under the insurance policy for computer fraud did not apply because the loss was not "directly caused" by computer fraud, the Sixth Circuit found that the loss was an immediate and proximate result of the fraud because American Tooling immediately sustained harm the moment it transferred the money as a result of the fraudulent email. Notably, the Sixth Circuit rejected Travelers's request for reconsideration of the ruling.
The Medidata and American Tooling cases continue to mark the breadth of coverage available to policyholders under commercial crime policies for social engineering and other computer-related fraud-induced losses. The decisions also help overcome the false distinction that insurers have tried to maintain between a computer hack-type event and a social engineering intrusion, both of which necessarily entail accessing the target's computer systems or data and manipulating those systems in a fraudulent manner.
2019 Hunton Andrews Kurth LLP
Although the year ended positively for policyholders, 2018 did not start as well, with earlier decisions illustrating how some courts may read coverages narrowly to bar coverage for social engineering schemes.
Eleventh Circuit Computer Fraud Decision Highlights Policy Wording Pitfalls. Interactive Commc'ns Int'l, Inc. v. Great Am. Ins. Co., No. 17-11712, 2018 WL 2149769 (11th Cir. May 10, 2018).
In the Interactive Communications decision, the Eleventh Circuit Court of Appeals affirmed a Georgia federal court decision barring coverage for a loss claimed to arise under a "Computer Fraud" policy issued by Great American Insurance Company to Interactive Communications International, Inc., and HI Technology Corp. InComm, as Interactive Communications is known, lost $11.4 million when fraudsters manipulated a glitch in the system by placing multiple calls at the same time. The manipulation allowed consumers to redeem "chits," credits of specific monetary value redeemed by repeatedly transferring the chit's value to a customer's debit card. InComm sought coverage for the losses under its "Computer Fraud" policy, but Great American denied coverage. The Eleventh Circuit concluded that the fraud was accomplished through the "use" of a computer because the fraudsters engaged with the computerized voice system when they made their redemption call, but further found that because the loss did not "result directly" from the use of a computer it was not covered by the policy.
Ninth Circuit Finds Exclusion Bars Coverage For Social Engineering Scheme. Aqua Star (USA) Corp. v. Travelers Cas. & Surety Co. of Am., No. 16-35614 (9th Cir. Apr. 17, 2018).
There were also decisions in 2018 limiting coverage for social engineering losses due to exclusions. In the Aqua Star decision, the Ninth Circuit affirmed a district court's finding that an exclusion barred coverage for a $700,000 loss resulting from a social engineering scheme that involved fraudsters who, while posing as employees, directed other employees to change account information for a customer. The employees changed the account information and sent four payments to the fraudsters. The appellate court found that a broadly worded exclusion in the crime policy barring coverage for "loss resulting directly or indirectly from the input of Electronic Data by a natural person having the authority to enter the Insured's Computer System," squarely applied because the employees that changed the account information and sent the payments to the fraudulent accounts had authority to enter the policyholder's computer system.
St. Paul Fire & Marine Ins. Co. v. Rosen Millennium Inc., et al., 6:17-cv-00540, (M. Fla. Sept. 28, 2019)
In the Rosen Millennium case, a district court ruled that Rosen Millennium Inc. was not entitled to coverage from St. Paul Fire and Marine Insurance Company for costs to defend a claim of $1.4 million in damages. The claim related to a breach of the network where IT company Rosen Millennium's sister company, Rosen Hotel & Resorts Inc., was allegedly responsible for a hacking incident that exposed hotel customers' credit card data. The district court concluded that third-party hackers, not Rosen Millennium, were directly responsible for exposing the customers' credit card data, and there was no personal injury coverage in the St. Paul Fire and Marine policy.
Hunton insurance practice lead, Walter Andrews, commented to the Global Data Review that, despite the outcome, a readable takeaway from the Rosen Millennium case is that policyholders facing potential exposure from cyber events should consider purchasing very specific cyber insurance coverage given how strenuously insurers are fighting to deny coverage for data breach claims.
The Interactive Communications, Aqua Star and Rosen Millennium cases are reminders that policyholders should carefully consider whether their existing coverage will protect against losses from social engineering schemes, which continue to rise in prevalence--particularly given the narrow reading some courts may give to provisions that premise coverage on a loss "resulting directly" from some act or event, notwithstanding the contra proferentem policy interpretation rules that pertain in a majority of US jurisdictions.
Directors & Officers
2018 saw several intriguing decisions under directors and officers (D&O) insurance policies.
Delaware Court Rejects Insurer Public Policy Defense, Permits Bad Faith Counterclaim, Despite Allegations of Fraudulent and Intentional Conduct. Arch Insurance Co., et al. v. David H. Murdock, et al., N16C-01-104 EMD CCLD (Del. Mar. 1, 2018).
The Delaware Superior Court ruled that state law does not preclude D&O insurance coverage for fraud-based claims against two Dole Food Co. executives, who sought to force several excess insurers to help pay for $222 million in settlements they reached to resolve stockholder suits accusing them of driving down Dole's price before a 2013 take-private deal. An underlying action found Dole executives and an entity formed to carry out the 2013 take-private deal jointly and severally liable for fraud and misrepresentations related to the deal. As a result, six of Dole's excess insurers, in an attempt to foreclose D&O coverage for the ensuing settlements in that action and a second shareholder action, filed suit and sought the application of California law, which prohibits insurance for losses caused by an insured's willful acts. The Delaware Superior Court found that because Dole is a Delaware corporation, Delaware law applies, which has no prohibition on losses caused by an insured's willful acts.
Hunton insurance recovery partner Syed Ahmad commented to Law360 that the Murdock ruling is likely to carry strong precedential effect due to the solid reasoning of the court's decision premised on the Delaware Supreme Court's 1986 decision in Whalen v. On-Deck Inc. that upheld the availability of coverage for punitive damages under Delaware law. The Murdock ruling serves as a reminder that policyholders should hold insurers to their burden of proving all coverage defenses and underscores the significant divergence on state law regarding the insurability of certain conduct at issue under many common insurer defenses for allegedly fraudulent or intentional acts.
Another Court Holds That Government Subpoenas Seeking Documents Constitute "Claims" Under Standard D&O Policy Language. Astellas US Holding, Inc. v. Starr Indemnity and Liability Co., 2018 WL 2431969, at *1 (N.D. Ill. May 30, 2018).
The Northern District of Illinois held that a US Department of Justice subpoena demanding documents relating to a government investigation constitutes a "Claim." The dispute centered on a subpoena the DOJ issued to two Astellas entities demanding production of documents relating to an industrywide investigation of pharmaceutical companies for alleged "Federal health care offenses." Failure to comply exposed Astellas to liability and punishment, thus Astellas notified its insurers. Starr denied coverage, asserting "there has been no written demand for relief made against any Insured[.] ... The Subpoena simply requests that certain documents be produced." In finding the subpoena satisfied a "Claim" under the D&O policy language, the district court held that the DOJ's allegations and issuance of the subpoena because of alleged unlawful acts satisfied the Starr policy's "Wrongful Act" requirement and was a written demand for nonmonetary relief.
Patriarch Partners Decision Confirms Government Subpoenas May Constitute a "Claim" Under D&O Policy; Warns Policyholders to Think Broadly When Representing Facts and Circumstances to Insurers. Patriarch Partners, LLC v. Axis Ins. Co., No. 17-3022, 2018 WL 6431024 (2d Cir. Dec. 6, 2018).
In Patriarch Partners, the Second Circuit confirmed that a warranty letter accompanying the policyholder's insurance application barred coverage for a lengthy SEC investigation. The decision left intact the lower court's finding that the SEC subpoena constituted a "demand for non-monetary relief" and thus qualified as a "Claim" under the directors and officers (D&O) insurance policy. The decision underscored the importance of understanding how a policy's language and definitions impact the scope of information that policyholders must consider when representing facts and circumstances in insurance applications. The Second Circuit rejected Patriarch's petition for rehearing.
The costs of responding to government subpoenas or civil investigative demands can be significant. Policyholders facing government subpoenas, civil investigative demands or other formal or informal government demands should not hesitate to seek coverage for such costs under their D&O insurance policies.
Although social engineering and D&O decisions appeared to steal the show in 2018, first-party property decisions also featured prominently. From cannabis operations to cryptocurrency, there were a number of noteworthy issues addressed.
Sixth Circuit Holds "Litany of Exclusions," Illegal Cannabis Operations, Dooms Property Coverage Claim. KVG Properties Inc. v. Westfield Ins. Co., 900 F.3d 818 (6th Cir. 2018).
In KVG Properties, the Sixth Circuit upheld dismissal of KVG Properties, Inc.'s claims under a first-party property policy arising from damage to KVG's office spaces due to tenants' use of cannabis-growing operations. The appellate court rejected KVG's position that the criminal acts exclusion applied only where the tenants had been "convicted" of a crime. The court explained that the Westfield policy says criminal "act," not "crime" or "conviction," and "[a] fugitive from justice may properly be deemed a criminal by the person he harms, even though the State cannot prove it beyond a reasonable doubt."
Although there was no coverage for KVG under the particular facts of this case, the Sixth Circuit's decision raised several important insurance issues for policyholders to consider and previews likely battlegrounds for future cannabis coverage disputes, many of which are precipitated by the variances in federal and state cannabis law.
"Crypto-Property": Ohio Court Says Cryptocurrency is Personal Property Under Homeowners' Policy. Kimmelman v. Wayne Ins. Group, No. 18-CV-1041 (Ohio Ct. C.P. Franklin Cnty. Sept. 25, 2018).
In a case of first impression, an Ohio trial court ruled that the cryptocurrency Bitcoin constitutes personal property in the context of a first-party homeowners' insurance policy and, therefore, its theft would not be subject to the policy's $200 sublimit for loss of "money." The claim arose from the theft of some $19,000 in Bitcoin from the insured's online account. The insured submitted the loss to his homeowners' insurer, who paid $200 in response to the claim and denied coverage for the balance, citing the policy's $200 sublimit for money losses. Citing Internal Revenue Service Notice 2014-21 as the only authoritative statement on point, the court concluded that the stolen cryptocurrency was "property" and not "money" for purposes of determining which sublimit would apply under the Wayne Mutual insurance policy.
Kimmelman undoubtedly marks the beginning, not the end, of the discussion concerning coverage for crypto-assets. The issues raised by Kimmelman underscore the importance that policyholders understand how their crypto-assets might be treated under their specific insurance portfolio.
Policyholders received mixed guidance from two decisions addressing allocation of long-tail liabilities. The cases demonstrated that resolution of the issue depends largely upon the policy language at issue.
Allocation Under New York Law: The Contract Language and the Facts Rule. Keyspan Gas East Corp. v. Munich Reinsurance America, Inc., 2018 WL 1472635 (N.Y. Ct. App. Mar. 27, 2018).
The New York Court of Appeals held that, under New York law, "the method of allocation is governed foremost by the particular language of the relevant insurance policy." In Keyspan, under eight excess liability insurance policies on the risk between 1953 and 1969, the policyholder sought to enforce its insurance coverage for environmental contamination at two manufactured gas plants operated by a predecessor company. The policyholder did not dispute that pro rata, time on the risk allocation was applicable under New York law and the relevant policy language, but argued that it should be held responsible for a pro rata share only in those years in which it had been able to purchase insurance in the marketplace. Keyspan argued, under the "unavailability exception," that it should not be assigned a share of loss for those periods because it could not find in the marketplace coverage for liability to environmental cleanup and contamination. The court of appeals disagreed and concluded that no language in the policies "justified" application of the "unavailability exception."
Allocation Under New York Law: The Contract Language and the Facts Rule. Hopeman Brothers, Inc. v. Cont'l Cas. Co., No. 16-cv-00187 (E.D. Va. Apr. 2, 2018).
In Hopeman, a Virginia district court reached a different result under New York law, applying "all sums" allocation and noting the New York Court of Appeals' caution that the policy language governs. Hopeman involved coverage for long-tail liabilities, for more than 123,000 asbestos bodily injury claims, under policies on the risk from 1971 through 1977. The court in Hopeman rejected the insurers' argument that pro rata allocation should apply in reliance on previous insurance settlements that had applied that method of allocation. Noting that the settlements were irrelevant to the contract-interpretation issues arising under insurance policies, the court relied, instead, on its reading of "the plain language" of the policies, and specifically their noncumulation clauses, following the New York Court of Appeals' "binding guidance" in Matter of Viking Pump, 33 N.Y.S.3d 118 (N.Y. 2016).
These cases confirm that contract language governs under New York law. New York does not adopt a strict pro rata allocation rule as some courts have done; instead, policyholders are well advised to review the policy language in their "legacy" CGL policies to ascertain whether it supports application of all sums allocation. In challenging insurers' denials of coverage for environmental damage and other long-tail claims, policyholders should dispute assumptions about environmental contamination as "continuous harms," and instead work to develop a factual record that supports a pro-coverage reading of the policy language.
Last year, several courts considered a question that has challenged courts nationwide: whether policyholders are entitled to defense and indemnity coverage for actions that seek the return of profits allegedly generated by their dishonest conduct.
In re: TIAA-CREF Ins. Appeals, Nos. 478, 2017; 479, 2017; 480, 2017; and 481, 2017 (Del. July 30, 2018).
Applying New York law, the Delaware Supreme Court affirmed a lower court's judgment requiring three insurance companies to cover TIAA's costs to defend and settle class actions alleging the retirement services giant profited from funds-transfer delays, rejecting the insurers' assertion that the deals constitute uninsurable disgorgement. Delaware's high court rejected the insurers' argument that settlement payments made in connection with Employee Retirement Income Security Act (ERISA) class actions were disgorgement payments uninsurable under New York law and public policy. In its ruling, the court noted that TIAA had consistently denied liability and defended itself in the civil class actions. TIAA had never conceded, and no court had found, that the gains were improper or unlawful.
J.P. Morgan Sec. Inc., et al. v. Vigilant Ins. Co., et al., No. 600979/2009 (N.Y. App. Div. 1st Dep't Sept. 20, 2018).
A panel of judges at New York's Appellate Division reversed a trial judge's order requiring a group of insurers to pay J.P. Morgan Securities Inc. $286 million for settlement costs that Bear Stearns paid in a deal with the SEC. The trial court's ruling ordered primary insurer Vigilant and several of its excess carriers to pay J.P. Morgan $140 million to cover part of a settlement related to market-timing and late-trading claims, purportedly representing improper profits acquired by Bear Stearns' third-party hedge fund customers, and an additional $146 million in interest. Relying on the Supreme Court's landmark ruling in Kokesh v. SEC, 137 S. Ct. 1635 (2017), however, the First Department panel reversed the trial court and found the SEC-ordered disgorgement to be a penalty. Notably, the Bear Stearns policies excluded "fines or penalties imposed by law" from their definition of covered loss.
Northrop Grumman Corp. v. AXIS Reinsurance Co., et al., No. 1:2017cv01738 (C.D. Cal. Nov. 21, 2018).
A California district court ordered Northrop Grumman Corporation to reimburse excess insurer AXIS Reinsurance Company for a portion of monies AXIS paid to settle an Employee Retirement Income Security Act (ERISA) lawsuit against Northrop. The district court held that a settlement between Northrop and the Department of Labor involved the disgorgement of money wrongfully obtained by Northrop and that AXIS was not required to provide coverage to Northrop based on the decisions of underlying primary insurers. In its ruling, the court equated the settlement agreement between the Department of Labor and Northrop as an order compelling Northrop to pay certain amounts of ill-gotten gains, although the record did not reflect that Northrop admitted any liability or wrongdoing.
These cases further shape the complicated landscape of coverage disputes over disgorgement issues. They are instructive in the sense that policyholders should continue to encourage courts to construe exclusions narrowly and look beyond the label of a payment or settlement to consider whether it actually represents ill-gotten gains realized by the insured, for which a D&O policy typically does not provide coverage, or profits realized by other third parties.
Other Noteworthy Decisions
Gilbane Bldg. Co./TDX Constr. Corp. v. St. Paul Fire & Marine Ins. Co., 97 N.E.3d 711 (N.Y. 2018).
In 2017, we flagged the Gilbane case as one of several pending insurance cases before the New York Court of Appeals to watch. In 2018, the state's high court--with two justices dissenting--reaffirmed that a party seeking coverage as an additional insured under a commercial general liability policy that extends additional insured coverage where required by contract must be in direct contractual privity with the insured. In the Gilbane case, a building owner sued a general contractor and architect for faulty foundation work. In turn, the general contractor and architect brought a claim against Gilbane Building Company/TDX Construction Corporation. The court rejected Gilbane/TDX's attempt to seek coverage under the general contractor's policy as an additional insured, finding that the general contractor contracted and was in privity with another entity, not Gilbane/TDX.
The Gilbane decision provides some clarity to what is often considered a muddled area of law, primarily because the policy language adding parties as additional insureds is often divorced from separate contracts requiring additional insured status.
1st Cir. and Former SCOTUS Justice Find Ambiguous "Arising Out Of" Requires Cosby Defense. AIG Property Cas. Co. v. Cosby, 2018 WL 2730762 (1st Cir. June 7, 2018).
The First Circuit, with former US Supreme Court Justice David Souter sitting by designation, ruled that AIG Property and Casualty Co. had to defend Bill Cosby in suits brought by eight women alleging that Cosby defamed them after they accused him of sexual misconduct. Cosby held two insurance policies issued by AIG: a homeowner's policy and a personal excess liability policy. Both policies contained exclusions for "sexual misconduct" for liability or defense costs arising out of actual, alleged or threatened sexual molestation, misconduct or harassment or sexual, physical or mental abuse. The umbrella policy also excluded "sexual misconduct" that applied more broadly to claims for damages "[a]rising out of, or in any way involving, directly or indirectly, any alleged sexual misconduct." AIG contended that sexual misconduct exclusions barred coverage, but Cosby argued that the source of the women's claimed injuries was not any alleged sexual misconduct but, rather the allegedly defamatory statements; and that the causal link between the excluded conduct and the defamation claims was too attenuated to trigger the exclusions. The court agreed with Cosby and found the policies' exclusionary provisions to be ambiguous on the issue of causation.
The Cosby decision underscores the importance of carefully selecting policy wording, particularly in limiting or exclusionary policy provisions and the need to ensure concurrency in wording used across multiple lines of coverage.
Michael S. Levine mlevine@HuntonAK.com
Walter J. Andrews wandrews@HuntonAK.com
Syed S. Ahmad sahmad@HuntonAK.com
Lawrence J. Bracken II lbracken@HuntonAK.com
Latosha M. Ellis lellis@HuntonAK.com
John C. Eichman jeichman@HuntonAK.com
Lorelie S. Masters lmasters@HuntonAK.com
Sergio F. Oehninger soehninger@HuntonAK.com
2019 Hunton Andrews Kurth LLP. Attorney advertising materials. These materials have been prepared for informational purposes only and are not legal advice. This information is not intended to create an attorney-client or similar relationship. Please do not send us confidential information. Past successes cannot be an assurance of future success. Whether you need legal services and which lawyer you select are important decisions that should not be based solely upon these materials.