5 Insurance Issues To Consider In Tech Transactions

A version of this article originally appeared in Law360 on August 25, 2016.

Technology services and software companies frequently face insurance issues when negotiating their intellectual property license or other services agreements, particularly in this era of data breaches and cloud computing. Numerous questions present themselves. Which party bears the risk in the event of a data breach? Does the company providing the indemnities have insurance to stand behind them? Whether your company is providing a service, engaging a vendor or negotiating a license agreement, keeping these five insurance issues top of mind can help safeguard your continued success.

Insurance as an Indemnity Backstop

Indemnification provisions are standard in commercial agreements, and these provisions frequently include boilerplate language that may be overlooked by a party. While such a provision will serve as the primary risk transfer mechanism in the agreement, insurance can provide an important backstop. If your company is providing the indemnity, you will want to check your policies to see if they provide coverage for the potential liabilities at issue. Many policies, including commercial general liability (CGL) policies, exclude coverage for liabilities assumed under a contract. For example, the Insurance Services Office (ISO) standard CGL form includes an exclusion barring coverage for bodily injury or property damage the policyholder is obligated to pay “by reason of the assumption of liability in a contract or agreement.” The exceptions to this are if the policyholder has the liability absent the contract or if the contract was previously identified as a covered “insured contract.” Other policies, however, such as technology errors and omissions (tech E&O) policies, do not include this limitation. Some tech E&O policies state that a breach of contract exclusion does not apply (and thus the policy provides coverage for) liability “assumed in any hold harmless or indemnity agreement.” If your company is being indemnified by the counterparty party, you will want to know whether that company has the financial resources, including insurance coverage, to stand behind the indemnity.


Insurer Denies Coverage for Regulatory Investigations at Its Own Risk and Gives Up Right to Consent to Settlement

A New York trial court recently recognized that insurers may not deny coverage for a claim, and then, if the denial was improper, object to a policyholder’s settlement without their consent. The July 11, 2016 decision was issued by Justice Ramos in J.P. Morgan Securities, Inc., v. Vigilant Insurance Company Co., a case in which the policyholder sought coverage for investigation demands issued by the Securities and Exchange Commission (SEC) and New York Stock Exchange (NYSE) as well as related class actions alleging that Bear Stearns facilitated deceptive market timing and late trading activities.  The insurer denied coverage, contending that the investigative demands were not “claims” as defined in the professional liability policy, and that even if they were claims, they sought the uninsurable relief of disgorgement.  After receiving the insurer’s denial of coverage, Bear Stearns then settled the claims against it.  The insurer objected, asserting that Bear Stearns failed to obtain its consent to the settlement, and similarly failed to cooperate with the insurer.

Seeking summary judgment, Bear Stearns asserted that it was permitted to settle the underlying claims without first obtaining the insurer’s consent because the insurer had already denied coverage. The court agreed, holding that although the policy’s consent to settlement provision is a condition precedent to coverage, if the insurer denies coverage, a policyholder is excused from complying with the consent provision.  The insurer here repeatedly asserted in its coverage correspondence that the investigations did not appear to be “claims” and that any resulting relief would be uninsurable as a matter of law.  The court held that the insurer’s communications “effectively disclaimed” coverage—notwithstanding boilerplate reservation of rights language—relieving the policyholder, Bear Stearns, of its obligation to obtain the insurer’s prior consent to a reasonable settlement.  Justice Ramos recognized that “[a]n insurer declines coverage at its own risk.”


Court Rejects Insurer’s Expansive Reading of Data Breach Exclusion and Undefined Term “Data”

Many non-cyber policies include data breach exclusions, but few cases have addressed their scope.  In a recent case, a federal district court rejected an insurer’s broad interpretation of the term “data” as it was used in data breach exclusions in a multimedia liability policy. In Ellicott City Cable, the insurer contended that satellite television programming was “data” within the meaning of the exclusions.  The court found the term ambiguous, construed the ambiguity against the insurer, and ruled that the underlying lawsuit triggered the insurer’s duty to defend.  While the case did not involve a data breach, the decision demonstrates that data breach exclusions should be narrowly construed and also offers helpful guidance about interpreting the term “data” if it is undefined in a policy.

The underlying case involved a distribution arrangement between Ellicott City Cable and DirecTV, whereby Ellicott City Cable distributed satellite television programming to its customers. Apparently Ellicott City Cable was overzealous in serving its customers and allegedly distributed DirecTV’s programming beyond the scope of the contracts.  DirecTV sued Ellicott City Cable, alleging that Ellicott City Cable fraudulently obtained and distributed DirecTV’s programming.


Renowned Intellectual Property Jurist Restricts Applicability of IP Exclusion

A company facing IP-related claims might not look to its CGL policy (or other policies) for coverage. However, a recent decision from a leading voice on intellectual property suggests taking a closer look at the allegations and the policy. Last week, U.S. District Court Judge Ronald M. Whyte of the Northern District of California ruled that an intellectual property exclusion in a CGL policy does not apply to claims of breach of a patent license or patent misuse, or to allegations of harm resulting from false accusations of patent infringement. Judge Whyte’s order finding a duty to defend is an initial victory for Tessera, a developer of semiconductor technologies, in an ongoing battle with its insurer over coverage for a lawsuit brought against Tessera by Powertech Technology (PTI) in 2011.

In the underlying lawsuit, PTI alleged that Tessera had breached a patent licensing contract between the parties by initiating an investigation by the U.S. International Trade Commission (ITC). In that ITC investigation, Tessera allegedly falsely accused PTI’s products of infringing on Tessera’s patents and thereby disrupted PTI’s relationships with its customers. PTI also alleged a damages claim for patent misuse, but that claim was dismissed. Tessera and PTI settled the suit in 2014.

Tessera sought defense and indemnity against PTI’s claims under the personal injury coverage in its CGL policy. According to Tessera, PTI’s allegations supported covered claims for defamation, disparagement, malicious prosecution, and abuse of process under the policy. In response, the insurer sought a declaratory judgment that it had no duty to defend Tessera. Initially, the court agreed with the insurer. The Court found that PTI would be barred from bringing a defamation or disparagement claim under California’s statutory litigation privilege and that PTI could not bring a malicious prosecution or abuse of process claim because it was not a named party in the ITC proceeding. The court did not reach the applicability of the intellectual property exclusion.

On appeal, however, the Ninth Circuit reversed, finding that PTI had alleged facts that would have supported a potential claim for product disparagement. This was sufficient to trigger the insurer’s duty to defend under the policy’s personal injury coverage. (We recently covered a similar decision in Illinois in which a potential disparagement claim triggered the duty to defend.) The panel disagreed with the district court on the significance of California’s litigation privilege, explaining that even a “slam-dunk” privilege or defense does not affect an insurer’s duty to defend. The Ninth Circuit remanded for the district court to consider the applicability of the intellectual property exclusion in the first instance.


Laces Are Tied Tight on Arbitration Clauses When an Insurer Stands In the Shoes of Its Insured

Try as it might, Mitsui Sumitomo Seguros S.A. (“Mitsui”) could not kick an arbitration award that potentially freed its insured’s suppliers from liability for a 2007 incident at a Brazilian aluminum plant insured by Mitsui. Mitsui’s argument that it was not a party to the arbitration agreement between its insured—Alumina de Norte do Brasil S.A. (Alunorte), and the insured’s suppliers, Alstom Power, Inc. and Alstom Brasil Energia e Transporte Ltda—failed because the Mitsui-Alunorte insurance contract gave Mitsui a clear subrogation right and “an insurer-subrogee stands in the shoes of its insured.”

On Monday, June 20, 2016, Judge Hellerstein of the Southern District of New York held that Mitsui Sumitomo Seguros S.A. is bound by an arbitration clause between Alunorte and the insured’s suppliers, Alstom Power, Inc. and Alstom Brasil Energia e Transporte Ltda. Alunorte, a Brazilian aluminum refiner entered into a supply contract with Alstom Power and Alstom Brasil, a Brazilian power-generation service and equipment provider. The contract contained a clause stipulating that upon failure of good faith negotiations between the parties the disagreement would be arbitrated in New York under International Chamber of Commerce rules.

This case arises from an ICC ruling regarding two separate incidents involving products supplied by Alstom at the Alunorte facility, which resulted in lost property and profits. Mitsui sued Alstom in Brazilian courts for the indemnity payment it made to Alunorte following the incidents, alleging that Alstom was the cause of the damage. Alstom sought to have the claim dismissed in Brazil, and moved to the ICC in New York, per the arbitration clause in the supply contract. Mitsui entered a special appearance before the ICC, asserting that the ICC lacked jurisdiction in the matter. The ICC court claimed jurisdiction over the dispute and ultimately dismissed Mitsui’s indemnity claim against Alstom, finding that Alstom was not at fault for the incidents occurring in Alunorte’s facility and holding that Mitsui was bound to the arbitration agreement between Alunorte and Alstom as a subrogee of Alunorte.

Alstom sought to confirm the arbitration award in New York state court and Mitsui removed the case to the Southern District of New York. Mitsui filed a motion to dismiss Alstom’s petition, arguing that it was not bound by the arbitration clause provided in the supply contract, that the district court of New York lacked personal jurisdiction, and that dismissal was appropriate on forum non conveniens grounds. Judge Hellerstein found for Alstom and confirmed the award.


Federal District Court Finds No Cyber Insurance Coverage For Costly Credit Card Fraud Assessments

In one of the first court decisions to consider the scope of cyber insurance and whether it covers credit card brand fraud recovery assessments, the policyholder, PF Chang’s, came up short. Following a 2014 data breach in which hackers accessed and posted online 60,000 credit card numbers belonging to PF Chang’s customers, MasterCard levied a $1.9 million fraud recovery charge against the restaurant chain. PF Chang’s tendered those charges to its cyber insurer but Federal refused to provide coverage. Coverage litigation followed and last week a federal judge in Arizona handed down a decision in favor of Federal. For a discussion of the case and its implication for cyber insurance policyholders—or those considering it—you can read the full article by Russell Cohen and Darren Teshima at Orrick’s Trust Anchor blog.   

Eighth Circuit Affirms Coverage for Fraudulent Wire Transfer Despite Employee Negligence

The Eighth Circuit’s decision last Friday in State Bank of Bellingham v. BancInsure, holding that computer systems fraud insurance indeed insures against such fraud, even where employee negligence was a contributing factor, was a positive development for financial institutions as well as any crime insurance policyholder. The Eighth Circuit agreed with the district court that under Minnesota’s concurrent-causation doctrine, the insured could recover under a standard Computer Systems Fraud insuring agreement regardless of whether any excluded peril, i.e., employee negligence, contributed to the loss because the covered peril of computer systems fraud was the “efficient and proximate cause” of the loss.

The case involved a small Minnesota bank that was the victim of a computer fraud attack. It began with a bank employee, who initiated a legitimate wire transfer through a bank computer using a security USB token issued to her by the Federal Reserve, the password provided by the security token, and her personal passphrase. The employee inappropriately verified the wire transfer using another employee’s security token, password, and passphrase. She then improperly left both security tokens in the computer and the computer running when she left the bank for the day.

Unbeknownst to anyone at the bank, a hacker had previously infected the computer with a Trojan horse virus. The next morning, the hacker accessed the bank computer through the malware delivered via the virus. The hacker used the security tokens that had been left in the computer, along with the passwords and passphrases of the two bank employees, to complete two fraudulent wire transfers to bank accounts in Poland totaling $940,000. The bank employee discovered the fraudulent transfers within an hour. The bank was able to recover the funds from one of the wire transfers, but could not recover the funds from the other wire transfer.

The bank sought coverage for the loss of these bank funds under its financial institution bond, which provides coverage similar to a crime insurance policy. The policy had a Computer Systems Fraud insuring agreement, which covered loss resulting directly from a fraudulent entry or change of electronic data or computer program on the bank’s computer systems. The issuer of the policy apparently conceded that the Computer Systems Fraud insuring agreement would cover the loss but argued that several exclusions operated to preclude coverage: exclusions for loss caused by an employee, for loss resulting from theft of confidential information, and for loss resulting from mechanical failure or gradual deterioration of a computer system.


New York’s Highest Court Finds Policy Language Controls Allocation and Exhaustion Methods for Excess Coverage

In a major victory for policyholders, the New York Court of Appeals held on May 3, 2016 that manufacturers Viking Pump, Inc. and Warren Pumps, LLC are entitled to coverage under excess insurance policies for liability resulting from asbestos claims, and that the manufacturers are not required to exhaust the available primary policies before accessing the excess coverage.  This far-reaching ruling reaffirms the Court’s prior holdings that policy language is controlling in coverage disputes.


FIFA Official Beats the Offside Trap: Court Orders Insurers to Advance Defense Costs

Last week, in a coverage match hosted by the Eastern District of New York, the referee ordered insurers to advance defense costs to Eduardo Li, a former president of the Costa Rican soccer federation and a former official of the Federation Internationale de Football Association (FIFA), the governing body of international soccer. In 2015, the United States red-carded Li along with twenty-nine other figures in international soccer, charging them with participation in an international racketeering conspiracy. The prosecutors alleged more than twenty years of rampant corruption at the highest levels of FIFA, smearing the beautiful game with tales of bribery and money laundering as marketing and broadcast contracts were illicitly awarded for briefcases of cash passed under the table or financed through murky transactions.

Li tendered his request for advancement of defense costs under FIFA’s $50 million D&O policy while he was detained in Switzerland pending extradition to the United States. The insurers quickly denied coverage based on a so-called “RICO exclusion” in the policy—an argument they later dropped—and their position that Li’s indictment did not constitute an “investigative proceeding.” They also disputed whether Li was an insured under the policy.

In his coverage action against the insurers Li kept a clean sheet before Judge Raymond J. Dearie, the same judge presiding over the criminal racketeering case, who denied the insurers’ motion to dismiss and granted Li’s request for a preliminary injunction requiring the insurers to advance his criminal defense costs. In granting the preliminary injunction, Judge Dearie explained that a policyholder’s inability to timely receive defense costs under a professional liability policy constitutes irreparable harm. The Court also determined that Li made a sufficient showing that he would be entitled to advancement of costs under the policy’s broad, world-wide coverage for defense, investigation, and extradition costs. The Court inferred the duty to contemporaneously advance costs from a policy provision stating that “[s]hould the question of any wrongful intent be at issue, cover shall be granted for the defence costs” but an insured person “found guilty of wrongful intent . . . will be obliged to reimburse the Insurer for all payments made on his or her behalf.”


Fourth Circuit Finds Potential Coverage For Data Leak As Publication Under CGL Policy

shutterstock_72943936_400x300This week, a Fourth Circuit panel in an unpublished decision validated arguments long made by policyholders: that commercial general liability policies may provide coverage for certain data breach liabilities. In this case, Travelers Indemnity Company v. Portal Healthcare Solutions, the appellate court affirmed the district court’s 2014 ruling that an insurer had the duty to defend a company that provides electronic medical record management services in a class action alleging that the company made patients’ confidential records publicly accessible by posting the records to an unsecured public website.

The policyholder, Portal Healthcare Solutions, under a contract with a New York hospital for the storage and maintenance of its patients’ confidential medical records, arranged to store the records electronically. The records were allegedly not stored in a secure manner. Two patients discovered that their hospital records were publicly viewable through the first link returned by a Google search on their names. In 2013, the patients brought a class action suit in New York against Portal for negligent storage of confidential medical records.

Portal had coverage under the personal or advertising injury provisions of its commercial general liability policy for damages arising from “the electronic publication of material” that “gives unreasonable publicity to a person’s private life” or that “discloses information about a person’s private life.” In a declaratory judgment action initiated by the insurer, the Eastern District of Virginia granted summary judgment to Portal, holding that the insurer had a duty to defend Portal against the class action.

The Fourth Circuit affirmed the district court’s judgment on its reasoning.  Portal’s alleged conduct of exposing medical records to online searching of a patient’s name fell within the plain meaning of “publication”: “to place before the public.” The court rejected the insurer’s arguments that (i) there was no publication, because Portal never intended to expose the records and (ii) there was no allegation that any unauthorized person actually accessed any of the records.

This week’s decision contrasts with an earlier decision of the Connecticut Supreme Court in Recall Total Information Management v. Federal Insurance Company, which we discussed last year. In that case, the Connecticut high court found no CGL coverage for claims arising from computer tapes containing employees’ personal information that fell off a van and were apparently taken by an unknown person. The district court in Portal Healthcare Solutions distinguished a single thief’s accessing the tapes in Recall from the posting of information on the internet before three billion people in Portal.

We have long asserted that there is coverage for certain data breach claims under the personal and advertising injury provisions of CGL policies. And while the Fourth Circuit’s decision validates that view, its impact may be limited. First, insurers will certainly argue that the facts of this unpublished decision—the posting of unsecured information on the internet—is different from situations in which hackers gain unauthorized entry to protected information. And, second, fewer and fewer policyholders are relying on CGL policies for coverage of data breach and cyber risks. For years now, insurers have marketed specialized cyber policies, in part by persuading policyholders that their CGL policies did not cover such risks, and by adding cyber exclusions to CGL policies. But even so, Portal may make a meaningful difference for insureds who do not have a cyber exclusion on their CGL policy if they don’t have any cyber insurance at all or if data breach litigation exhausts their cyber policy limits.