The New York Supreme Court disposed of a longstanding dispute between J.P. Morgan and the insurers of the now defunct Bear Stearns, rejecting the insurers’ various arguments to avoid indemnity coverage for a $160 million payment made by Bear Stearns in connection to a 2006 settlement with the Securities and Exchange Commission (“SEC”) and New York Stock Exchange. As previously discussed in our August 2016 post about the prior motion for summary judgment order in this case, that settlement resulted from allegations that Bear Stearns, through its brokers, had facilitated late trading and deceptive market timing practices.
A version of this article originally appeared in Law360 on August 25, 2016.
Technology services and software companies frequently face insurance issues when negotiating their intellectual property license or other services agreements, particularly in this era of data breaches and cloud computing. Numerous questions present themselves. Which party bears the risk in the event of a data breach? Does the company providing the indemnities have insurance to stand behind them? Whether your company is providing a service, engaging a vendor or negotiating a license agreement, keeping these five insurance issues top of mind can help safeguard your continued success.
Insurance as an Indemnity Backstop
Indemnification provisions are standard in commercial agreements, and these provisions frequently include boilerplate language that may be overlooked by a party. While such a provision will serve as the primary risk transfer mechanism in the agreement, insurance can provide an important backstop. If your company is providing the indemnity, you will want to check your policies to see if they provide coverage for the potential liabilities at issue. Many policies, including commercial general liability (CGL) policies, exclude coverage for liabilities assumed under a contract. For example, the Insurance Services Office (ISO) standard CGL form includes an exclusion barring coverage for bodily injury or property damage the policyholder is obligated to pay “by reason of the assumption of liability in a contract or agreement.” The exceptions to this are if the policyholder has the liability absent the contract or if the contract was previously identified as a covered “insured contract.” Other policies, however, such as technology errors and omissions (tech E&O) policies, do not include this limitation. Some tech E&O policies state that a breach of contract exclusion does not apply (and thus the policy provides coverage for) liability “assumed in any hold harmless or indemnity agreement.” If your company is being indemnified by the counterparty party, you will want to know whether that company has the financial resources, including insurance coverage, to stand behind the indemnity.
A New York trial court recently recognized that insurers may not deny coverage for a claim, and then, if the denial was improper, object to a policyholder’s settlement without their consent. The July 11, 2016 decision was issued by Justice Ramos in J.P. Morgan Securities, Inc., v. Vigilant Insurance Company Co., a case in which the policyholder sought coverage for investigation demands issued by the Securities and Exchange Commission (SEC) and New York Stock Exchange (NYSE) as well as related class actions alleging that Bear Stearns facilitated deceptive market timing and late trading activities. The insurer denied coverage, contending that the investigative demands were not “claims” as defined in the professional liability policy, and that even if they were claims, they sought the uninsurable relief of disgorgement. After receiving the insurer’s denial of coverage, Bear Stearns then settled the claims against it. The insurer objected, asserting that Bear Stearns failed to obtain its consent to the settlement, and similarly failed to cooperate with the insurer.
Seeking summary judgment, Bear Stearns asserted that it was permitted to settle the underlying claims without first obtaining the insurer’s consent because the insurer had already denied coverage. The court agreed, holding that although the policy’s consent to settlement provision is a condition precedent to coverage, if the insurer denies coverage, a policyholder is excused from complying with the consent provision. The insurer here repeatedly asserted in its coverage correspondence that the investigations did not appear to be “claims” and that any resulting relief would be uninsurable as a matter of law. The court held that the insurer’s communications “effectively disclaimed” coverage—notwithstanding boilerplate reservation of rights language—relieving the policyholder, Bear Stearns, of its obligation to obtain the insurer’s prior consent to a reasonable settlement. Justice Ramos recognized that “[a]n insurer declines coverage at its own risk.”
The duty to defend is broad, as established, for example, in the California Supreme Court decision in Buss v. Superior Court, but is it possible to be even broader? The Alaska Supreme Court recently answered yes, handing a win to policyholders in that state.
The duty to defend—a promise by the insurer to pay for the policyholder’s defense against claims brought by a third party—appears in many liability policies and can be very helpful for a policyholder. Under the duty to defend, the insurer must defend both claims that are within the scope of the policy and those that may be covered by the policy—at least unless and until a court determines that those claims are not. Where there is a dispute between the insurer and policyholder as to whether certain claims are covered, to avoid a conflict of interest, a policyholder typically may choose to have the insurer pay for independent defense counsel.
Insurers that have paid for the defense of claims later determined not to be covered frequently demand repayment of their expenses. Of late, they have run into some difficulty trying to do so.
For example, as we previously reported, in recent years, several state and federal courts have rejected insurers’ attempts to recoup defense costs for non-covered claims absent express contractual language requiring the insured to repay those costs.
In answering questions posed by the Ninth Circuit, the Supreme Court of Alaska recently held that Alaska law goes further.
Last May, we told you that the “waiting has ended“ for courts to start weighing in on cyber insurance policies, as the District of Utah issued one of the first federal court decisions construing such a policy in Travelers Property Casualty, et al. v. Federal Recovery Services, Inc., et al., No. 2:14-CV-170. Although the claims at issue were not the sort of data breach and cybersecurity liability claims for which policyholders eagerly anticipate guidance, it was, as we noted, an important step in understanding how a court may approach these policies. In the first weeks of 2016, the Travelers court revisited the May 2015 decision, and affirmed its prior findings in favor of the insurer.
In the May decision, the court had found that under the cyber policy at issue, the insurer had no duty to defend its insured, a payment and account processing company, against tort claims alleging that the insured improperly—and intentionally—withheld customer payment and account data from the plaintiff, a gym network, the plaintiff had entrusted to it.
The policy at issue was a Travelers CyberFirst Technology Errors and Omissions Liability Form Policy. Under the policy, the duty to defend attaches when the plaintiff’s suit alleges an action by the insured that, if true, would constitute a covered claim under the policy. The insured sought coverage through an E&O module that provided coverage for “any error, omission, or negligent act.” The plaintiff alleged, however, that the insured acted with “knowledge, willfulness, and malice.” The court held that because the complaint alleged intentional, instead of negligent misconduct, the insurer did not have a duty to defend.
Professional services companies need to be extra-careful when placing Directors and Officers liability (“D&O”) coverage to ensure that their policies don’t take away with one hand what they appear to give with the other. A new district court ruling suggests that a professional services exclusion found in most D&O policies may erase most of the coverage such companies believe they’re purchasing.
Banks and other financial institutions, like most companies, usually carry D&O insurance to protect themselves and their decision-makers from claims of alleged ”Wrongful Acts,” including alleged negligence or misleading statements. They may also have Errors and Omissions or Professional Liability (“E&O”) coverage to respond to claims arising from the performance of services requiring special training or expertise. To avoid overlapping coverage for claims that may be covered under an E&O policy, D&O policies typically include a so-called “professional services” exclusion that draws a line between these two lines of coverage. When applied to a professional services company, however, this line becomes blurred. As demonstrated by a recent decision from the U.S. District Court for the Southern District of Florida, broadly applying this exclusion to services companies like financial institutions threatens to eviscerate the companies’ D&O coverage.
Your insurer wrongfully denies coverage—so you file a complaint in court, right? Not so fast! Many new insurance policies now include mandatory arbitration provisions. While at one time arbitration clauses were common only in policies issued by foreign insurers, they are now finding their way into policies issued by domestic insurers and in all types of coverages, including commercial liability insurance policies, D&O, E&O, employment liability, and cyber insurance. While the terms of these clauses vary, to the extent they are enforceable or cannot be negotiated out of the coverage, arbitration provisions close the courthouse doors to insurance disputes and force policyholders and their insurers to resolve disputed issues in private and free from judicial scrutiny.
When you, as a policyholder, give an insurance company notice of a claim, the insurance company often will send a “reservation of rights” letter—especially where there are complex liability claims—preserving its right to give you a coverage decision after it investigates the claim (that is, if it doesn’t accept or deny the claim outright). These letters usually include lengthy lists of coverage defenses the insurance company reserves the right to assert and questions that it wants you to answer. Many policyholders are naturally overwhelmed by the questions and have no idea how to respond. But respond you must. And how you respond has the potential to make or break your claim. Luckily, common sense and some simple rules are usually enough to make sure your claim survives this early hurdle.
The insurance company’s questions often pose three problems. First, they may seek information solely to enable the insurance company to deny coverage, often on grounds that the notice was late. Questions such as “When did you know that there was a problem” seek to gain information to enable the insurance company to deny coverage on the basis that you failed to notify them timely of the problem. But you must remember that you are under no obligation to give the insurance company information that it can use to defeat coverage. You should provide information adequate to describe the nature of the claim, but it is the insurance company’s obligation to figure out how to defeat coverage.
It seems like every business these days—from technology start-ups to hardware stores—is engaging its customers and clients through posts, tweets and hashtags (and blogs like this one). For example, last year, Duane Reade tweeted a photograph of actress Katherine Heigl carrying the drug store’s bag, and wrote: “Love a quick #DuaneReade run? Even @KatieHeigl can’t resist shopping #NYC’’s favorite drugstore[.]” As a result of the tweet, Ms. Heigl sued Duane Reade for false advertising and misappropriation of her likeness, and sought $6 million in damages. While the parties ultimately settled for an undisclosed sum, Duane Reade’s misstep is a prime example of the risks companies face when using social media.
While there have been a number of high-profile data breaches in recent years, there have been few coverage lawsuits arising out of these breaches, presumably because cyber insurers have been paying claims. A recent action, however, suggests how cyber insurers may be trying to fund this coverage position: by suing allegedly responsible third parties. In what appears to be a novel approach for insurers covering data breach claims, Travelers Casualty and Surety Co. of America has sued its insured’s website designer in the wake of a cyber attack. Travelers’ complaint alleges that its insured, Alpine Bank, hired Ignition Studio, Inc. to design and service the bank’s website. Travelers alleges that Ignition negligently designed and maintained the website, allowing hackers to access the site through the server on which it was hosted. Alpine spent over $150,000 complying with its data breach notification obligations, for which it was reimbursed by Travelers. Travelers, as Alpine Bank’s assignee and subrogee, now seeks to recover that amount from Ignition.