Darren Teshima, Co-Leader of Orrick's Complex Litigation and Dispute Resolution practice, litigates high stakes disputes on behalf of clients in the financial and technology
sectors and advises corporate policyholders on cyber and D&O insurance issues.
financial institutions and tech companies in a variety of commercial disputes, with
a focus on litigation arising out of residential mortgage-backed securities
(RMBS), Directors & Officers (D&O) coverage, and some of the largest data breaches in history. He has advised clients seeking insurance related to some of the largest data breaches in history. Darren also helps clients avoid potential
litigation with their insurers by counseling them on innovative insurance strategies, including
advising tech companies on issues facing their unique business models.
In 2012, Darren spent three months on loan to the San Francisco District Attorney’s Office as an Assistant District Attorney, where he first-chaired four criminal jury trials to verdict.
Darren is passionate about pro bono work. He has handled administrative trials and hearings on behalf of asylum seekers and low-income tenants, and has provided litigation advice to nonprofit organizations. Legal Services for Children twice has presented Darren with its Pro Bono Advocate Award.
Darren is active in Orrick’s recruiting and diversity initiatives, and is the
recipient of Orrick’s Diversity Award. He is the Vice Chair of the board of directors of Asian
Americans Advancing Justice | Asian Law Caucus, and serves on the boards of the
Center for Gender & Refugee Studies and Legal Services for
Children. In 2015, he was named one of the "Best Lawyers Under 40" by the National
Asian Pacific American Bar Association (NAPABA).
An editor of Orrick's insurance recovery blog, the Policyholder Insider, and of Orrick's Financial Industry Week in Review, Darren frequently speaks and writes on novel cyber and D&O insurance issues.
Before joining Orrick, Darren was an associate at Heller Ehrman LLP, and clerked for U.S. District Court
Judge David O. Carter in the Central District of California.
Darren's current clients include:
- Premera Blue Cross in a lawsuit related to defense coverage under a commercial general liability (CGL) policy following a data
breach affecting 11 million customers, an issue of first impression under Washington law.
- Credit Suisse in a dozen lawsuits brought by monoline insurers and trustees alleging claims related to
residential mortgage-backed securities (RMBS) transactions following the global financial crisis.
- Pacific Pulmonary Services in a
bad faith action against its D&O insurer in the Northern District of
California, where the Court recently granted summary judgment establishing the insurer's duty to advance defense costs.
- A mobile gaming company on tech E&O insurance coverage related to a trade secrets misappropriation claim.
Other notable recent representations include:
Sony Pictures, advising on insurance claims related to
the November 2014 cyber-attack on its network and IT infrastructure.
- Epson America, Inc., in a coverage action
in the Central District of California against its D&O insurer
seeking defense coverage for an underlying consumer class
action and employment case.
- A technology rideshare company advising about D&O,
E&O and media liability coverage issues affecting its unique business model.
On January 27, 2017, the Ninth Circuit affirmed a California district court’s rulings and jury findings that an insurer breached its duty to defend, recognizing that under California law, the expansive duty continues until the case clearly contains no potentially covered claims. The court rejected the insurer’s reliance on the policy’s prior noticed claims exclusion, and affirmed the finding that the insurer denied coverage in bad faith because the insurer anticipated denying the claims from the outset.
In Millennium Laboratories, Inc. v. Darwin Select Insurance Company, Millennium Labs sought personal and advertising injury coverage for underlying cases brought by two of its rivals, Ameritox and Calloway, alleging false advertising. Darwin denied coverage, refusing to provide a defense under its commercial general liability policy. Millennium sued Darwin for declaratory relief to establish Darwin’s duty to defend, breach of contract, and bad faith. The district court granted Millennium summary judgment on the duty to defend, and the jury found that Darwin’s denial of coverage was in bad faith.
Insurers’ recalcitrance to providing coverage for the “Business E-mail Compromise” (BEC) scam is a topic we’ve frequently discussed. On Monday, the Ninth Circuit heard oral argument in a BEC coverage action, Taylor & Lieberman v. Federal Insurance Company, a California case we’ve previously described.
The fraudster in that case sent spoofed e-mails in 2012 to an accounting firm purporting to be from one of the firm’s clients. At the “client’s” request, the accounting firm executed two wire transfers from the client’s bank account, over which the firm had power of attorney, in amounts just under $100,000 each to banks in Malaysia and Singapore. The firm finally detected the scheme when it called the client for confirmation after receiving a third e-mail requesting another transfer of $128,000 to Malaysia. The accounting firm was able to recover most of the first wire transfer but nothing from the second, resulting in a $100,000 loss to the client’s account, which the firm restored.
The vulnerability of America’s physical infrastructure has long been at the top of mind for national security officials, but the growing threat of cyberattacks, both state-sponsored and criminal, has led state and federal officialdom to take note. Their concern has been magnified by the increasing number of significant cyber targets in the nation, including key infrastructure. This has prompted the National Highway Traffic Safety Administration and industry stakeholders to work together to combat potential cyberattacks on automated vehicles. In a rapidly evolving and expanding internet of things environment, federal regulators must be flexible to accommodate change, and must resist the urge to ensconce autonomous vehicle cybersecurity guidance in law.
Please click here to read an overview of their strategy, which appeared in Bloomberg BNA, authored by Orrick’s Darren Teshima and Ian Adams.
Ransomware is one of the rising scourges of the business world, with approximately 50% of U.S. companies reporting being hit with a ransomware attack in the past year, according to a recent study. According to the FBI, a 2016 ransomware type that uses unbreakable key-based cryptography compromised an estimated 100,000 computers a day. New ransomware variants are appearing constantly, and companies need to prepare for the possibility of being victimized by this particular type of cyber-attack. The FBI, as well as other security professionals, has recommended a widely accepted, multifaceted preparation strategy—which includes having key insurance coverage in place—that reduces risks and decreases recovery time. Please click here to read an overview of this strategy that appeared in Law360, authored by Orrick’s Darren Teshima and Aravind Swaminathan.
The Ninth Circuit recently held in St. Paul Mercury Insurance Co. v. Federal Deposit Insurance Corp. that a D&O policy’s insured-versus-insured exclusion does not prevent the Federal Deposit Insurance Corporation (“FDIC”), as receiver of an insured failed bank, from obtaining coverage under such policy. In so doing, the Court of Appeals follows the Eleventh Circuit and other courts that have addressed this issue and sided with the policyholder. This decision, while unpublished, is a timely one for policyholders, as regulators including the FDIC litigate these claims arising out of the financial crisis. Just this week, a Georgia jury returned a verdict in favor of the FDIC that awarded almost $5 million in damages for claims relating to a bank’s negligent management by its former officers and directors.
The FDIC brought claims against the former directors and officers of Pacific Coast National Bank for negligence, gross negligence, and breaches of fiduciary duty. The FDIC alleged that the former directors’ pursued an aggressive lending strategy, failed to ensure that loan practices complied with the bank’s policies, and inadequately supervised subordinate officers, which led the bank to suffer millions of dollars in losses. The insurer, The Travelers Companies, Inc., which comprises appellant Saint Paul Mercury Insurance Company, filed a declaratory judgment action to establish that the policy does not cover the FDIC’s claims. Considering the parties’ cross-motions for summary judgment on the action, the district court rejected Travelers’ contention that the exclusion barred coverage, holding that the exclusion did not expressly bar claims by the FDIC.
On appeal, the key issue was whether the language of the exclusion, which barred coverage for claims brought “by or on behalf of any Insured or Company,” was ambiguous. The FDIC argued that the phrase “on behalf of,” as applied to its action against the directors, was ambiguous, relying on the facts that it initiated the underlying case almost three years after the bank’s failure and that no person from the bank had any involvement in bringing its claims.
A federal district court in the Eastern District of New York recently held that a D&O policy’s definition of “Loss” that includes amounts an insured is “legally obligated to pay” extends to consent judgments that forebear collection by the underlying plaintiffs. In Intelligent Digital Systems, LLC, v. Beazley Insurance Co., Inc., the court joined a majority of courts in other jurisdictions that have addressed the issue and rejected the insurer’s argument that because individual directors and officers had entered consent judgments in which the plaintiffs agreed not to collect against them, they had not suffered any “Loss” as defined by the policy. This ruling arose out of a series of stipulated agreements made in an underlying lawsuit by plaintiff Intelligent Systems, LLC against some former directors of the surveillance technology company, Visual Management Systems, Inc. In exchange for the directors’ assigning their coverage rights under their policy to Intelligent Systems, LLC, the underlying plaintiff agreed to “unconditionally forebear” its collection of the judgments against the insured directors. The agreement, however, expressly provided that the insured directors did not waive the right to assert a claim against the D&O insurer.
To reach this ruling, the Court considered a legal question of first impression under New York law: Does a consent judgment, with conditions effectively exculpating an insured from satisfying a judgment for which he might otherwise be personally liable, constitute an amount that the insured had become “legally obligated” to pay?
“Business E-mail Compromise” (BEC) scams, which we have previously discussed, are becoming an increasing concern. The FBI’s most recent report in June 2016 identified a 1,300% increase in reported incidents, reaching 22,000 victims targeted for $3.1 billion. Policyholders victimized by BEC scams should cheer the most recent decision addressing coverage for such scams. In Principle Solutions Group v. Ironshore Indemnity, a federal district court in Georgia ruled on summary judgment that a commercial crime policy covered a BEC scam in which a fraudster deceived a Principle Solutions employee into wiring $1.72 million to an account in China. The court rejected the insurer’s argument that the wire transfer was not directly caused by the BEC scam.
Principle Solutions suffered a hallmark BEC scam. The fraudster sent a spoofed email, purportedly from Principle Solutions’ CEO, to the company’s controller. The spoofed email instructed the controller to work with a specified attorney to wire funds that day for a highly confidential company acquisition. The controller then received an email from the named “attorney” with the wiring instructions. The “attorney” called the controller, representing that the CEO had approved execution of the wire and emphasizing the urgency of the funds transfer.
The controller initiated the necessary steps to execute the transfer that day. She logged into the company’s online account at its financial institution to enable the transfer approval, instructed another employee to create the wire instructions, and approved the wire transfer. The financial institution’s fraud prevention unit flagged the transaction and requested verification of the wire. The controller called the “attorney” to verify how he had received the wire instructions. The “attorney” told her he had received the instructions verbally from the CEO. The controller relayed this information to the financial institution, which then allowed the transaction to proceed.
The company discovered the fraud the next day when the controller told the CEO she had completed the wire transfer. The company immediately reported the fraud but unfortunately could not recover the funds.
A version of this article originally appeared in Law360 on August 25, 2016.
Technology services and software companies frequently face insurance issues when negotiating their intellectual property license or other services agreements, particularly in this era of data breaches and cloud computing. Numerous questions present themselves. Which party bears the risk in the event of a data breach? Does the company providing the indemnities have insurance to stand behind them? Whether your company is providing a service, engaging a vendor or negotiating a license agreement, keeping these five insurance issues top of mind can help safeguard your continued success.
Insurance as an Indemnity Backstop
Indemnification provisions are standard in commercial agreements, and these provisions frequently include boilerplate language that may be overlooked by a party. While such a provision will serve as the primary risk transfer mechanism in the agreement, insurance can provide an important backstop. If your company is providing the indemnity, you will want to check your policies to see if they provide coverage for the potential liabilities at issue. Many policies, including commercial general liability (CGL) policies, exclude coverage for liabilities assumed under a contract. For example, the Insurance Services Office (ISO) standard CGL form includes an exclusion barring coverage for bodily injury or property damage the policyholder is obligated to pay “by reason of the assumption of liability in a contract or agreement.” The exceptions to this are if the policyholder has the liability absent the contract or if the contract was previously identified as a covered “insured contract.” Other policies, however, such as technology errors and omissions (tech E&O) policies, do not include this limitation. Some tech E&O policies state that a breach of contract exclusion does not apply (and thus the policy provides coverage for) liability “assumed in any hold harmless or indemnity agreement.” If your company is being indemnified by the counterparty party, you will want to know whether that company has the financial resources, including insurance coverage, to stand behind the indemnity.
A New York trial court recently recognized that insurers may not deny coverage for a claim, and then, if the denial was improper, object to a policyholder’s settlement without their consent. The July 11, 2016 decision was issued by Justice Ramos in J.P. Morgan Securities, Inc., v. Vigilant Insurance Company Co., a case in which the policyholder sought coverage for investigation demands issued by the Securities and Exchange Commission (SEC) and New York Stock Exchange (NYSE) as well as related class actions alleging that Bear Stearns facilitated deceptive market timing and late trading activities. The insurer denied coverage, contending that the investigative demands were not “claims” as defined in the professional liability policy, and that even if they were claims, they sought the uninsurable relief of disgorgement. After receiving the insurer’s denial of coverage, Bear Stearns then settled the claims against it. The insurer objected, asserting that Bear Stearns failed to obtain its consent to the settlement, and similarly failed to cooperate with the insurer.
Seeking summary judgment, Bear Stearns asserted that it was permitted to settle the underlying claims without first obtaining the insurer’s consent because the insurer had already denied coverage. The court agreed, holding that although the policy’s consent to settlement provision is a condition precedent to coverage, if the insurer denies coverage, a policyholder is excused from complying with the consent provision. The insurer here repeatedly asserted in its coverage correspondence that the investigations did not appear to be “claims” and that any resulting relief would be uninsurable as a matter of law. The court held that the insurer’s communications “effectively disclaimed” coverage—notwithstanding boilerplate reservation of rights language—relieving the policyholder, Bear Stearns, of its obligation to obtain the insurer’s prior consent to a reasonable settlement. Justice Ramos recognized that “[a]n insurer declines coverage at its own risk.”
Many non-cyber policies include data breach exclusions, but few cases have addressed their scope. In a recent case, a federal district court rejected an insurer’s broad interpretation of the term “data” as it was used in data breach exclusions in a multimedia liability policy. In Ellicott City Cable, the insurer contended that satellite television programming was “data” within the meaning of the exclusions. The court found the term ambiguous, construed the ambiguity against the insurer, and ruled that the underlying lawsuit triggered the insurer’s duty to defend. While the case did not involve a data breach, the decision demonstrates that data breach exclusions should be narrowly construed and also offers helpful guidance about interpreting the term “data” if it is undefined in a policy.
The underlying case involved a distribution arrangement between Ellicott City Cable and DirecTV, whereby Ellicott City Cable distributed satellite television programming to its customers. Apparently Ellicott City Cable was overzealous in serving its customers and allegedly distributed DirecTV’s programming beyond the scope of the contracts. DirecTV sued Ellicott City Cable, alleging that Ellicott City Cable fraudulently obtained and distributed DirecTV’s programming.