Life After CADSI and Zurich — AG Equipment Company v AIG Life

Posted by Mitchell King July 2nd, 2009 in Consider The Risks.

In the 2004 CADSI case, followed by the 2005 Zurich case, two separate federal appeals courts held that where a stop loss policy incorporated a benefit Plan Document by reference, the stop loss insurer’s inquiry into the propriety of the claim for purposes of determining its obligations under the stop loss coverage was limited to the question of whether the Plan Administrator had abused its discretion.[1] Plan Administrators’ discretion can be extremely broad and stop loss insurers undoubtedly viewed the rulings as both startling and chilling. The obvious question in the wake of CADSI and Zurich was whether and how a viable challenge to coverage could be mounted under similar circumstances. That question was addressed this year in the case of AG Equipment Company v AIG Life[2], which was tried to a conclusion in the US District Court for the Northern District of Oklahoma.

AG Equipment Company (“AG”) purchased stop loss coverage from AIG for its self-funded Plan covering its full-time employees. The stop loss policy was effective May 1, 2003 through April 30, 2004, and it was renewed in May 2004, May 2005 and May 2006. Under the Plan, “[a]n employee [was] considered to be full-time if he or she normally work[ed] at least 30 hours per week and [was] on the regular payroll of the employer.” AG was the Plan Administrator.

During the May 2006-7 Plan Year, AG made a substantial claim under the stop loss related to expenses incurred on behalf of the ex-wife of the owner of AG, who was on the payroll as a salaried employee. Shortly thereafter, an AG employee informed the TPA that the ex-wife did not work as a full-time employee of AG and he provided written documents to support his allegation.  AIG investigated the allegation and requested that AG provide testimony and documentation to support AG’s claim. It refused and litigation followed.

Both parties filed claims and counter-claims, including a bad faith claim by AG against AIG. Following discovery, the parties filed summary judgment motions on their claims. Shortly before trial, the Court granted summary judgment to AIG, denying AG’s bad faith claim, but ruled that the remaining issues were appropriate for trial. Following a full trial, the jury returned a defense verdict in favor of AIG, finding not only that AIG was not required to reimburse AG for medical expenses because the employee did not satisfy the Plan’s full-time employee requirement, but also that AG had committed a fraud entitling AIG to a reimbursement of almost $280,000 in previously paid funds for the ex-wife’s treatment. The jury also awarded AIG damages on its own breach of contract counter-claim, awarding actual and compensatory damages of just under $160,000 to AIG.

The Oklahoma Court’s rulings on the pre-trial summary judgment motions are a good indication of both the reach and the limits of the Zurich rule. [3] At summary judgment AIG had argued that its case was distinguishable from Zurich in two ways. First, it argued that “[t]he AIG… Policy… beginning in the 2005-2006 Policy year specifically reserved to AIG… ‘the right to interpret the terms and condition [sic] of the Plan as it applies to the Policy.’” The new policy wording quoted by AIG appears to have been an express effort to limit the complete deference conferred to the Plan Administrator’s decisions under the CADSI and Zurich cases. Second, it argued that “The AG… Plan Administrator… made no reasoned determination with regard to the Plan’s language and the Policy,” going on to relate various shifting and inconsistent arguments regarding its interpretation of the 30-hour per week requirement for full-time employment.

The Court did not comment on the first argument regarding the revised wording and instead, acknowledged that the Zurich rule was applicable and that the Plan Administrator had been granted maximum discretion under the Plan Document. Nonetheless, the Court went on to hold that “there [was] nothing in the record to suggest that the Plan language was interpreted and a determination was made with respect to [the ex-wife’s] employment and eligibility.” As the Court went on to note:

In short, there is no indication that AG ever exercised its discretion to interpret the Plan language. While Zurich is directly on point, without more evidence, this Court cannot rely on Zurich to grant summary judgment. Accordingly, AG is not entitled to summary judgment on the grounds that AIG’s failure to defer to AG’s interpretation of the Plan constituted a breach of contract.”

In applying the rule from Zurich, the AG v AIG Court has helped define the limits of the rule. The evidence at trial showed that the determination that the ex-wife was “full-time” and thus covered under the Plan was by edict of the company owner, not by application of standard Plan processes and procedures. Under those circumstances, the legal rule found in Zurich granting deference to the Plan Administrator’s decisions simply did not apply. It should be noted that in this case the evidence showing the AG owner’s manipulation of his ex-wife’s employment status was fairly extreme, but the case was not without risks or exposure to AIG. The practical lesson here is that although insurers are often loath to bring cases to trial based upon the concern that juries are biased against them, juries are not stupid; they can follow a complex case and don’t like fraud.

[1] Computer Aided Design Systems, Inc. v. SAFECO Life Ins. Co., 358 F.3d 1011 (8th Cir. 2004), affirming, 235 F.Supp. 2d 1052 (S.D. Iowa. 2002); and Zurich North America v. Matrix Service, Inc., 426 F.3d 1281 (10th Cir. 2005).

[2] AG Equipment Company v AIG Life Insurance Company Inc., Case No. 07-CV-0556-CVE-PJC, USDC for the Northern District of Oklahoma (January 28, 2009).

[3] Oklahoma is located in the 10th Circuit and thus the Federal District Court was bound by the Zurich decision.

Comments

Ingenix and Ingenix Redux

Posted by Mitchell King July 1st, 2009 in Consider The Risks.

In 2007 and 2008 the New York Office of the Attorney General (OAG) investigated complaints by consumers regarding how certain health insurers set reimbursement rates for out-of-network services. The investigation focused on large databases gathered from various insurers and other entities by Ingenix, a wholly-owned subsidiary of UnitedHealth Group, to create schedules widely used by the country’s largest insurers, including UnitedHealth, Aetna, CIGNA and Wellpoint, as the benchmark for determining “usual and customary” charges for out-of-network medical services.

Following its investigation, the OAG made a number of findings, including that Ingenix had a conflict of interest in creating schedules used as a basis for reimbursing United Healthcare. The OAG also determined that health insures have an incentive to manipulate data submitted to Ingenix so as to depress reimbursement rates; there was no incentive for Ingenix to audit the data it received and pooled; and Ingenix databases intentionally skewed usual and customary rates downward through faulty data collection, poor pooling procedures and lack of audits. OAG stated that the industry had engaged in a “scheme to defraud consumers” by systematically underpaying for out-of-network services by hundreds of millions of dollars over the last decade, with rates understated by up to 28%. The results were underpayments to physicians and unpaid balances billed to consumers.

In a January 2009 settlement with the OAG, Ingenix agreed to pay $50 Million to set up an independent not-for-profit database to be run by a university which would be used as a tool for rate reimbursement and academic research. The database will be transparent and available to the public via a consumer website. In a series of additional settlements that followed, Aetna agreed to pay $20 Million, Cigna agreed to pay $10 million and Wellpoint agreed to pay $10 million, with all agreeing to participate in the new database. Up to a dozen other New York State healthcare plans and insurers have subsequently settled with the OAG, bringing the total settlements with the OAG from health plans and insurers to $94.6 million.

In related litigation, United Health Group agreed to pay $350 Million to settle a class-action lawsuit on behalf of physicians and patients alleging the company’s health plans used flawed Ingenix data to justify low reimbursements for out-of-network care. Similar American Medical Association Class-Actions were filed against Cigna and Aetna in February 2009 and against Wellpoint in March 2009.

In even more recent developments, on June 24, 2009, the Senate Committee on Commerce, Science and Transportation, chaired by Senator Jay Rockefeller, published a report essentially confirming the OAG’s conclusions that the practices and harm from those practices were pervasive throughout the healthcare industry, not just among the largest national insurers involved in the New York settlement. The Committee reports that 17 of the 18 insurance companies to which the Committee had sent inquiries had responded that they or their affiliates used Ingenix data to play claims for out-of-network services. The Committee indicates that these responses “suggest that the number of American consumers who were harmed by the under-reimbursements based on the Ingenix data may be substantially higher than previously estimated.”

Significant additional litigation by attorneys general in various states and through private class-actions is likely to follow. The Ingenix story is far from over.

Comments

The Privacy Risk Two Step: One State Step Forward, Two Federal Steps Back?

Posted by Joseph Sano May 18th, 2009 in Consider The Risks.

In prior posts I have discussed Massachusetts’ recent privacy statute, GL 93H and associated regulations, and the likely impact of such laws on the emerging privacy insurance market. Massachusetts is not alone in legislating in this area, more than forty other states have enacted similar legislation, although there are a number of substantive variations among such statutes. On April 29, 2009 a bill was introduced into the U.S. House of Representatives, H2221, the Data Accountability and Trust Act. which provides requirements which are similar to many of these statutes. Ordinarily, action by Congress in the area of interstate commerce can bring order to chaos among the states in areas where myriad state statutes create a compliance nightmare for businesses which operate in interstate commerce, and certainly this may be true when it comes to the protection of personal information. HR 2221, in its current form, however, seems flawed, may be anti-consumer, and is unlikely to promote uniformity in the area of privacy regulation. An additional potential down side is that it may impede uniformity in the privacy insurance market, and that may be bad for purchasers, sellers, and consumers as ultimate beneficiaries of privacy insurance products.

Who benefits by delay?

One glaring problem with HR 2221 is its timing. As prior posts and many news stories have noted, the privacy risk is now. Private data is everywhere and barely a week goes by without another headline documenting the release of private data by businesses, yet HR 2221 does not become effective until one year from the date of enactment, when federal regulations consistent with the act are due. Most states have already passed their acts, and many, including Massachusetts have issued their regulations, solicited comments and considered or postponed where necessary compliance deadlines. Similar time tables for regulations, comments and delayed compliance in connection with federal legislation will result in increased exposure for consumers to the release of private information. Coupled with the pre-emption problems noted below, this delay benefits no one. While businesses conceivably gain by postponing compliance costs, they remain exposed to the harm to their business that inadequate privacy protection can entail, and they remain potentially subject to competing state statutes.

Incomplete Preemption Compounds The Problem

Federal legislation provides uniformity not only because it establishes a uniform federal standard, but because it effectively replaces and precludes enforcement of inconsistent state statutes through the doctrine of preemption. In the case of HR 2221, we are dealing with express preemption.

Section 6 (EFFECT ON OTHER LAWS) of the bill provides:

(a) Preemption of State Information Security Laws- This Act supersedes any provision of a statute, regulation, or rule of a State or political subdivision of a State, with respect to those entities covered by the regulations issued pursuant to this Act, that expressly–

(1) requires information security practices and treatment of data in electronic form containing personal information similar to any of those required under section 2; and

(2) requires notification to individuals of a breach of security resulting in unauthorized acquisition of data in electronic form containing personal information.

(c) Protection of Certain State Laws- This Act shall not be construed to preempt the applicability of–

(1) State trespass, contract, or tort law; or

(2) other State laws to the extent that those laws relate to acts of fraud.

The Massachusetts statute applies to hard copy records as well as data in electronic form. If HR 2221 is enacted, only time and expensive litigation will determine whether the Massachusetts statute is preempted in part (only as to electronic records) or in its entirety under this language. Other arguments for incomplete preemption are possible. With anything less than complete preemption of state legislation, the benefits of uniform federal legislation are lost, and businesses must potentially comply with both standards to be in compliance.

What is the impact of HR 2221 on the emerging privacy insurance market?

It is difficult to project the impact that enactment of HR 2221 may have on the emerging market for privacy insurance. On the one hand, the risk of litigation over a privacy breach is likely to be the driving force in companies’ purchase of such insurance, and as noted above, HR 2221 expressly states that it does not supplant state law claims based on breach of contract, tort or fraud. On the other hand, the uncertainty reflected in incomplete preemption is likely to negatively impact uniformity in pricing and possibly terms of coverage. Other provisions may impact the market for smaller businesses. For example, Section 3 of HR 2221 (Notification of Information Security Breach) provides a substitute notification provision for entities who maintain private information on less than 1000 individuals. This substitued notification provision could impact first party notification coverages for such small entities, though companies who operate below the 1000 individuals threshold are likely to have minimal impact on the market for such coverage.

Conclusion

While timely enactment of comprehensive uniform federal privacy legislation and associated regulations would have been, and may yet be a positive development, there are many aspects of HR 2221 that are or may be flawed, including several of the points noted in this post.

Comments

The Private Data-Toxic Waste Analogy-A Key To Privacy Risk Management

Posted by Joseph Sano April 3rd, 2009 in Consider The Risks.

In several recent posts I have described the emerging privacy risk, detailed one state’s statutory and regulatory regimen for addressing this risk and discussed an insurance coverage case which demonstrated the need for specialized privacy insurance. This post will address the analogy between these new statutes and regulations which seek to regulate “Private Information” (e.g. Massachusetts General Laws Ch. 93H and 201 CMR 17 et seq), and statutes regulating toxic waste, such as the landmark federal Resource Conservation and Recovery Act (“RCRA”). Briefly stated, the new privacy regulations in Massachusetts and elsewhere require a new way of thinking about Personal Information, the same way that RCRA required a new way of thinking about hazardous waste- the so called “Cradle to Grave” approach. The private data-toxic waste analogy is helpful because it allows businesses to focus on the sources of privacy risk, which is the first step in risk management.

RCRA As A Risk Management Tool

Before RCRA, the hazardous waste risk was largely governed by a consequences mentality. Businesses did what they did-transform raw material into salable products without substantial interference, but they could be held responsible for the consequences of their production through civil suits for property damage, products liability, and nuisance. As a general matter it was believed that the costs of such consequences would influence corporate behavior to reduce the risk.

In the environmental context, however, the costs of such post production consequences were found to be inadequate or too remote to address the harm caused by toxic chemicals. Such chemicals once released could migrate, making it difficult to trace the source of the release and to identify the responsible parties. Once released, it may be difficult or impossible to contain or neutralize toxic substances. The time from release to discovery and clean up might be too long to influence corporate behavior which was focused on quarterly or yearly results.

In 1976 the passage of RCRA changed all that by requiring every business that used hazardous chemicals anywhere in its operations to identify, quantify, track, and report its use of such chemicals from “cradle to grave,” or more aptly, from input to output. This statute and its accompanying regulatory regime and the costs associated with it resulted in businesses taking a hard look at whether such toxic chemicals were necessary to the production of goods, how they were used and stored, and disposed of, and even the ability of the Company’s vendors, from suppliers to waste haulers, to properly handle and dispose of such substances. As a result, businesses reduced the quantities of such materials they used, upgraded their own storage, handling, disposal, tracking and reporting capabilities and insisted that their vendors do the same. With this regime in place, for the first time, insurers were willing to intentionally assume such risks and specialized environmental insurance products were created and became more affordable over time. RCRA compliance costs and the environmental insurance market are now well matured, and few would doubt their effectiveness in reducing and managing the risk of environmental harm.

Cradle to Grave Applied to Personal Information

The statutes enacted by Massachusetts and other states begin by defining “Personal Information,” and then require companies doing business in the state to develop a written information security plan (“WISP”) to identify and mitigate the risks of disclosure. If you think about it, such statutes, like RCRA, represent an effort to change from a consequences approach to a risk management approach, and it is helpful to think about Personal Information the same way RCRA forces companies to think about hazardous chemicals. Indeed the risks of release of Personal Information may in many respects be analogized with the release of hazardous waste. Once released, personal information can cause substantial harm, is difficult to contain and it may be difficult to trace the release back to its source.

The cradle to grave approach applied to Personal Information leads to several pertinent questions: How does Personal Information come in to the company? How is it used by the company? How is it stored by the company? What measures does the company take to prevent its release? What measures does the company require of its vendors? The answers to these questions, and indeed the requirements of a WISP and reporting under the Massachusetts statute and similar statutes impose costs and require action, and such costs may, like the costs associated with RCRA compliance, lead companies to ask the fundamental questions about the regulated substance (hazardous waste or Personal Information): Do I really need it for my business? How can I use less of it?

Beneficial Impacts Of The Cradle to Grave Privacy Risk Management Process

The change from a consequences mentality to a risk management mentality is not easy. Some may view the new requirements as an unnecessary expense, and a government mandated intrusion into an area previously occupied by self-regulation. Others may consider the new costs warranted by the risks of harm presented by the unauthorized release and mis-use of Personal Information. In any event, the new statutes and regulatory requirements are here, and companies will adapt. New opportunities will arise for service providers to assist companies in understanding and complying with the new requirements, and new insurance products covering the privacy risk will become more available and their cost will fall. Companies that consider Personal Information using the risk management approach embodied in the cradle to grave analogy will be able to adapt more efficiently than those that don’t. New ways of doing business while mitigating the risk of release will be developed, and indeed the business use Personal Information will likely be limited to essential functions. That result may be better for us all.

Comments

Massachusetts Superior Court Clarifies Advice of Counsel Defense

Posted by Adam.Doherty March 11th, 2009 in Consider The Risks.

A recent case decided by newly appointed Justice to the SJC, Ralph Gants, when he was sitting on the Superior Court, is illustrative of the caution insurers should take when relying on the advice of counsel and, more importantly, when attempting to establish a defense based on its counsel’s advice. In Hejinian v. General American Life Ins. Co., 2007 Mass. Super. LEXIS 267 (Mass. Super. Ct. 2007), the Plaintiff, a beneficiary of a $1,000,000 life insurance policy issued by General American, brought suit alleging that General American breached the insurance policy by denying Plaintiff’s claim on the basis that his wife, the insured under the policy, failed to disclose that she had been diagnosed with cancer at the time the policy was delivered. Although there was no evidence that the Plaintiff’s wife had any knowledge that she had cancer at the time she completed the life insurance application, she failed to advise General American of her cancer diagnosis at the inception of the policy.

In July 2007, Judge Gants held that, pursuant to M.G.L. c. 175, §124, a life insurance company could not void a policy it issued without a medical examination where the insured provides truthful answers on a life insurance application but is subsequently diagnosed with cancer before the inception of the policy. See M.G.L. c. 175, §124 (requiring life insurer to show “willfully false, fraudulent, or misleading” statements in the policy application in order to void the policy where no medical examination was required.) Because General American had not required a medical examination, it could not rely on the Plaintiff’s wife’s failure to notify it of her cancer diagnosis at the inception of the policy.

In January, Judge Gants ruled on the Plaintiff’s G.L.c. 93A and 176D claims which had been severed and stayed pending the resolution of the Plaintiff’s claims concerning coverage. See Hejinian v. General American Life Ins. Co., No. 05-3851 (Mass. Super. Ct. Jan. 9, 2009). Plaintiff alleged that, among other things, General American violated G.L.c. 93A and 176D by refusing to pay the death benefit on the policy. General American’s defense to the claim was partially based on the advice of its counsel. Specifically, General American claimed that, as a matter of law, its denial of coverage, notwithstanding §124, could not be found to be unreasonable because it relied on the advice of counsel. General American’s counsel advised it to make several meritless arguments, including that §186 applied even without a medical examination. See M.G.L. c. 175, §186 (allowing insurer to void policy where misrepresentation increases the risk of loss.)

Judge Gants held, however, that “the advice of counsel defense . . . does not give an insurance company a blank check to decline coverage as long as it finds an attorney willing to supports its declination.” Rather, an insurer’s reliance on the advice of its counsel must be reasonable and counsel’s evaluation of the case must be completed diligently and in good faith. Judge Gants determined that General American’s reliance on its counsel’s advice that §186 applied even without a medical examination was not reasonable where an insurer doing business in Massachusetts should be expected to know the Massachusetts statutes that govern the determination of coverage and where the Plaintiff’s attorney repeatedly referenced §124 in his demand letters to General American. As a result, Judge Gants held that General American violated GL. c. 93A and 176D and awarded the Plaintiff treble damages and attorneys’ fees.

In light of the Hejinian decisions, every insurer should not only ensure that it has policies in place to make its claims personnel aware of all relevant statutes in each state it conducts business but should also carefully consider the advice it receives from its counsel before relying on such advice.

Comments

Insurance Coverage for Madoff Claims Under E&O, D&O and CGL Policies

Posted by Thomas Elcock February 6th, 2009 in Consider The Risks.

On January 30, 2009, litigation relating Bernie Madoff’s alleged $50 billion Ponzi scheme made its way to Massachusetts via a class action complaint filed in the United States District Court by various investors in a so-called “feeder fund” that, allegedly unbeknownst to the plaintiffs, invested all or substantially all of the feeder fund’s assets in Madoff’s hedge fund. The class action complaint does not name Madoff or any other purported Madoff insider, but names Rye Select Broad Market Fund, L.P. and the entities that controlled and managed that fund including MassMutual and its subsidiaries Tremont Partners, Inc., Tremont Group Holdings, Inc., Oppenheimer Acquisition Corp. and various executives of the Tremont entities. The plaintiffs’ allege the defendants solicited investments through various offering materials and these materials made numerous misrepresentations and omissions regarding the feeder fund’s investment strategy and its due diligence. The Complaint asserts claims for Breach of Fiduciary Duty (Count I); Common Law Fraud (Count II); Breach of Contract (Count III); Negligent Misrepresentation (Count IV); Breach of Duty of Good Faith (Count V) and Unjust Enrichment (Count VI). This suit is almost certainly the first of many Madoff actions to be filed in Massachusetts, one of the hubs of the financial services industry.

The insurance industry’s professional liability lines, already facing significant exposure ($3.5 billion according to some sources) from the subprime crisis, now face potentially enormous exposures to Madoff’s fraud. On January 14, 2009, reinsurance intermediary Aon Benfield gave its current best estimate of the direct insured losses resulting from the alleged Madoff fraud at $1.8 billion. The obvious sources of the industries’ exposure are E&O and D&O claims. Madoff suits that allege breach of professional duties and seek damages for the negligent rendering of professional services will likely result in claims against E&O policies. Likewise, a Madoff suit that names a company or a company’s directors and officers for wrongful acts committed by the officers or directors may likely result in a demand for coverage under D&O policies. Because there is a high degree of variability among E&O and D&O policies, coverage issues under such policies for Madoff claims will be numerous and complex. Insurers may raise policy exclusions and seek declaratory judgments as to whether Madoff claims are covered. The most common exclusions in E&O and D&O policies that may bar coverage for such claims are exclusions for criminal, dishonest, or fraudulent acts; the insured gaining personal profit and known prior acts among others.

Although financial institutions facing Madoff claims will likely seek coverage under E&O and D&O policies, what is the possibility of Madoff claims triggering coverage, or at least a duty to defend, under CGL policies? Insureds may seek coverage under CGL policies because these policies may have significantly higher limits than E&O and D&O policies. The real drive, however, to trigger such coverage maybe defense costs. Under typical E&O and D&O policies, defense costs erode policy limits because liability coverage includes defense costs inside limits. In contrast, defense costs under CGL policies are usually in excess of limits. Thus, an insured facing defense costs eating away indemnity limits of its E&O and D&O coverage will have an incentive to seek coverage under CGL policies and obtain a defense that does not erode limits.

If a Madoff claim, such as the recent suit filed in Massachusetts, which is similar to others filed in New York and Florida, alleges negligent misrepresentations and omissions in a feeder fund’s solicitation materials an insured may seek advertising injury coverage under part 1.B of its CGL policy. Such a claim will likely fail. However, a demand for such coverage will force an insurer to decide whether to disclaim coverage outright or defend under a reservation of rights while litigation a declaratory judgment action.

The standard CGL policy provides coverage for “those sums that the insured becomes legally obligated to pay as damages because of personal and advertising injury to which this insurance applies.” The policy imposes a duty on the insurer to defend “the insured against any suit seeking those damages.” Advertising injury is defined in the CGL policy as comprising only certain limited offenses: Specifically, the policy defines advertising injury as follows:

Personal and advertising injury means injury…arising out of one or more of the following offenses:

(d) Oral or written publication, in any manner, of material that slanders or libels a person or organization or disparages a person’s or organization’s goods, products or services;

(e) Oral or written publication, in any manner, of material that violates a person’s right of privacy;

(f) The use of another’s advertising idea in your “advertisement”; or

(g) Infringing upon another’s copyright, trade dress or slogan in your “advertisement”.

A Madoff claim against a fund or the fund’s managers premised at least in part on misrepresentations or omissions in solicitation materials does not fall into any of the definitions of advertising injury.

If a feeder fund incorporated (either directly or by reference) Madoff’s investment methodology or strategies in its promotional and solicitation materials, it is possible that an insured may seek advertising injury coverage arising from the “use of another’s advertising idea in your advertisement.” Such a claim appears destined to fail because coverage in the CGL policy for advertising injury does not remotely appear to be applicable in such circumstances. While such an example may be extreme, the very real concern facing insurers is that attempts to trigger coverage under CGL policies for Madoff claims may only be constrained by the imagination of insured’s coverage counsel. Given the potentially enormous exposure for defense costs facing insureds and that defense costs erode limits in E&O and D&O policies, the pressure on insureds to try and trigger CGL coverage is likely to be immense. A claim against a Madoff feeder fund arising from misrepresentations and omissions in solicitation materials is a false advertising claim that does not trigger advertising injury coverage under a standard CGL policy. See, e.g., Superformance Int’l, Inc. v. Hartford Cas. Ins. Co., 203 F. Supp. 2d 587, 598 (E.D. Va. 2002)(a claim for false advertisement is not an “advertising injury” under the CGL Policy.

Even if such a claim could arguably be considered as coming within the definition of an advertising injury, such a claim would be excluded under the standard advertising injury exclusion that excludes coverage for an advertising injury “arising out of the failure of goods, products or services to conform with any statement of quality or performance made in [the insured’s] advertisement.” Skylink Techs., Inc. v. Assurance Co. of Am., 400 F.3d 982, 985 (7th Cir. Ill. 2005)(claim that advertised product failed to conform with the statement of performance on its package is excluded from coverage under advertising injury portion of CGL policy.); Am. W. Home Ins. Co. v. Lovedy, 2006 U.S. Dist. LEXIS 92118 (E.D. Tenn. Dec. 15, 2006)(insurer had no duty to defend or indemnify the insured regarding representations on website that do not fall within the definition of advertising injury and because the policy excludes advertising injury which arises “out of the failure of goods, products or services to conform with any statement of quality or performance.)

While insureds’ efforts to obtain CGL coverage for Madoff claims will, most likely, be unsuccessful, any demand for such for coverage will cause insurers a difficult choice. Any such demand for coverage will force insurers to choose between denying coverage outright (and the risk of attorneys fees in a suit for defense, an estoppel argument in connection with indemnity and possibly other extra contractual liability if the insurer is found to have owed duty to defend) or providing a defense subject to a reservation of rights and paying substantial defense costs to the insured’s choice of counsel while pursing a declaratory judgment action. While this is a risk that insurers confront every day, the magnitude of defense costs and indemnity exposure in such cases significantly raises the stakes.

Comments

One Example Of Treatment Of The Dissemination Risk Under E&O Coverage: Consideration of Finn v. National Union, 452 Mass. 690 (2008).

Posted by Joseph Sano January 22nd, 2009 in Consider The Risks.

In the modern world, anyone can easily transfer and publish information and this ability exposes many businesses to the risks associated with the unauthorized transfer and use of information.  Several words have been used to describe the dissemination risk applicable to information, including, “invasion of privacy,” “breach of the duty of confidentiality, ” and  even “misappropriation of trade secret.”   The courts are just coming to grips with these potentially overlapping concepts.  While trade secret law is fairly well developed in cases between competitors,  one recent decision by the Massachusetts Supreme Judicial Court (Finn v. National Union decided December 2, 2008) applied a “misappropriation of trade secrets” exclusion in an E&O policy in a case involving dissemination of information by a temporary worker of the insured to the “hacker community”  with no apparent financial benefit to the discloser. The ruling in Finn is both a cautionary tale for businesses facing a dissemination risk and a demonstration of the need for privacy insurance.  Finn is another in a long line of decisions broadly interpreting the phrase “claims arising out of”  and provides insurer’s with a road map for drafting effective exclusions.

The insured in Finn was a provider of document management services to a law firm.  The insurer issued errors and omissions (“E&O”) insurance to the document management company to insure against liability for wrongful acts in connection with “records management, document imaging, litigation support … and electronic printing services.”  The policy included an exclusionary endorsement described as an “intellectual property exclusion” which included a provision excluding coverage for “any claim arising out of any misappropriation of trade secret.”

The claim arose when the document management company was retained by a law firm to provide litigation support services in litigation involving the firm’s client, a satellite TV provider.  The document management firm’s employees were required to sign confidentiality agreements by the law firm and to conduct all of their work on the project at the law firm’s offices.  When the document management company’s employees had difficulty meeting a deadline, a supervisor allowed one of the employees to bring his nephew to work to assist in completing the job.  According to the SJC’s decision, the nephew “came across documents containing confidential trade secret information from the satellite TV provider and sent that information to a Web site to help the “hacker” community.”  The decision in Finn does not suggest that the disclosure involved competitors of the satellite TV provider or that the disclosure was made for personal gain.

The law firm subsequently notified the document management company of the disclosure, and according to the notice to the document management company’s insurer, the law firm had written off a substantial legal fee and may eventually look to the document management company for compensation.  The document management company’s E&O insurer disclaimed coverage due to the misappropriation of trade secrets language within the intellectual property exclusion and two other provisions.  After further demands by the law firm, the document management firm settled for more than $1 million payable over 5 years.

The insured’s assignee filed suit against the E&O insurer, and the insurer responded with a motion for judgment on the pleadings, which was in turn met with a motion for partial summary judgment seeking a declaration that defense and indemnity coverage was due.  The superior court determined that while neither of the other exclusionary provisions barred coverage, the intellectual property provision barred coverage for the law firm’s claims.  The SJC reviewed the matters as if the underlying motion practice involved cross motions for summary judgment and affirmed that the exclusion for misappropriation of trade secrets precluded coverage.

In reaching its decision, the SJC first reviewed its prior cases involving exclusions relating to third party conduct, and concluded that the use of the words “any claim arising out of” in the exclusion made it plan that coverage was excluded for third party conduct.  It is not clear from the court’s decision why third party conduct was relevant, as the nephew of the employee who made the disclosure was, with knowledge of the insured, working for the insured on a project, receiving payment (indirectly) from the insured, and the claim was asserted against the insured document management company.  In a footnote, the court noted that it “assumed without deciding that the nephew was not an insured.” Id. at  695 n. 8.

The court next turned to what it described as the “more difficult issue” whether the injury suffered by the law firm arose out of the nephew’s misappropriation of the law firm’s client’s trade secrets.  The court’s analysis however was limited to the nature of the damages claimed by the law firm (foregone legal fees), not whether the nephew’s conduct amounted to misappropriation of trade secrets.   Again the court turned to the “arising out of” language of the exclusion and determined that it required but for causation, and the absence of facts in the record regarding whether the law firm would have lost legal fees in the absence of the nephew’s “misappropriation” determined that the claim was excluded.  Id. at 698.

There are several significant issues presented by the Finn decision, though it is unclear from the decision itself whether certain of these issues were squarely presented to the court. The court’s ruling is based on a portion of the “intellectual property exclusion” which also excluded “claims arising out of misappropriation of trade secrets,” however, there is no detailed discussion in  Finn  as to whether the confidentiality breach by the nephew, or the negligent failure to prevent such a breach by the document management company was more properly described as a disclosure of private information or an invasion of privacy or some other wrongful act rather than a “misappropriation of trade secrets.”

In addition, there is no discussion of whether confidentiality breaches constituted wrongful acts that were otherwise within the scope of coverage.  We note that at least some errors and omissions policies expressly exclude claims arising out of “invasion of any right of privacy.”  It should also be noted that while CGL policies typically include “personal injury protection,” such coverage is frequently limited to invasion of an individual’s right of privacy or a person’s right of privacy, and at least one court has rejected such coverage as applied to invasions of corporations’ rights to privacy.  See Heritage Mutual Ins. Co v. Advanced Polymer Tech., 97 F. Supp. 2d 913, 935 n. 13 (S.D. IN 2000).

For these reasons, the outcome in Finn-that there is no coverage for a privacy breach under an errors and omissions policy issued to a litigation document management company, demonstrates the need for businesses with access to their customer’s (or their customer’s customer’s) private information to obtain privacy insurance and to ensure that such insurance  provides coverage for liabilities resulting from the disclosure by any worker of private or confidential customer information.

The decision in Finn is also another in a long line of cases (some of which were cited by the SJC in a foot note (Finn, supra at 697, n. 9 ) that give effect to exclusions applied to “claims arising out of” a described circumstance.  Insurers using such prefatory language are far more likely to have their exclusions interpreted in their favor.

Comments

Massachusetts Considers The Risk Of Security Breaches, Increases Liability Exposure, And Issues A Last Minute Postponement

Posted by Joseph Sano December 9th, 2008 in Consider The Risks.

At the end of 2007 Massachusetts joined a number of other states in enacting legislation aimed at protecting the security of “personal information.” (G.L. c. 93H)   In September, 2008 Massachusetts adopted regulations further implementing the statute.  (201 CMR 17)  Together these legal requirements create new duties for most if not all Massachusetts businesses, which originally had to be met by January 1, 2009 and require a comprehensive risk management approach to the protection of  such information.  A few weeks ago, regulators postponed implementation of most requirements until May 1, 2009. In any event, the changes in the law, and the impact on businesses are substantial, and may push more companies to consider comprehensive privacy insurance coverage.

While the statute and regulations make no specific mention of specialized privacy insurance as means of addressing these new duties, we believe the legal requirements will have a significant impact on such insurance.  The risk management approach of the regulations, and required implementation of a security plan will provide standards that insurers may want to adopt as an underwriting base line.  In addition, for businesses, specialized privacy insurance, either as a stand alone product, or as a rider to existing liability policies should bolster the Attorney General’s view of the insured’s compliance efforts because such insurance, which frequently includes payment for the costs of consumer breach notification and credit protection, supports the overall aim of the legislation which is clearly consumer protection.  Finally, while the statute itself contains no express consumer cause of action, and leaves actions for enforcement “and other appropriate relief” to the Attorney General  the state’s consumer protection statute, G.L. c. 93A  may well authorize such claims.  Specifically,  regulation 940 CMR 3.16 states that “an act or practice is a violation of [G.L. c.93A] if:  [i]t fails to comply with existing statutes, rules, regulations or laws, meant for the protection of the public’s health, safety, or welfare promulgated by the Commonwealth or any political subdivision thereof intended to provide the consumers of this Commonwealth protection.”  If a consumer or a business suffers harm by the release of private information by a business, which would not have been released but for the businesses failure to comply with G.L. c. 93H, the direct causal link required for G.L.c. 93A liability would appear to be established.  Since a G.L. c. 93A claim potentially includes a requirement to pay the plaintiff’s attorneys fees plus double or treble damages such a possibility is a substantial increase in exposure for businesses who ignore the privacy risk.

The Statute and Regulations

In the Massachusetts statute, personal information is defined as “a resident’s first name and last name or first initial and last name in combination with any 1 or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver’s license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account.”   The statute applies to those who “own, license store or maintain personal information” about Massachusetts residents, and the regulations are intended to provide minimum standards for the protection of such information.

The regulations detail businesses new duties with respect to the protection of such information:

Every person that owns, licenses, stores or maintains personal information about a resident of the Commonwealth shall develop, implement, maintain and monitor a comprehensive, written information security program applicable to any records containing such personal information.  Such comprehensive information security program shall be reasonably consistent with industry standards, and shall contain administrative, technical, and physical safeguards to ensure the security and confidentiality of such records.

201 CMR 17.03

The regulations adopt a flexible compliance standard which considers the size and resources available to the business which utilizes such private information, the amount of private information maintained by such entity and the need for security with respect such information.  In addition, certain minimum requirements are established, including a risk management component which mandates: “Identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information, and evaluating and improving, where necessary, the effectiveness of the current safeguards for  limiting such risks, including but not limited to: (i) ongoing employee (including temporary and contract employee) training; (ii) employee compliance with policies and procedures; and (iii) means for detecting and preventing security system failures.”  Additional requirements involve encryption of private information which resides on lap tops and portable devices.

This statutorily mandated risk management approach is good public policy, and is likely to further grow the burgeoning market for privacy insurance.

Comments

The Issue Preclusive Effect of UM Arbitration Awards

Posted by Adam.Doherty October 8th, 2008 in Consider The Risks.

 

 

The Massachusetts personal auto policy requires that arbitration be used to resolve disputes between insurers and their insureds over uninsured motorist benefits.  Earlier this year, Judge Kern of the Middlesex Superior Court held that such an arbitration should be treated the same as a court judgment with respect to the doctrine of issue preclusion.

 

In Fon v. Amica Mut. Ins. Co., 2008 Mass. Super. LEXIS 122 (Mass. Super. Ct. 2008), an insured filed suit seeking to compel her insurer to arbitrate her uninsured motorist benefits claim. In addition to answering the complaint, the insurer filed a counterclaim alleging breach of contract, deceit and bad faith and filed a motion to stay arbitration proceedings.  After the court granted the insured’s motion to compel and denied the insurer’s motion to stay, the parties proceeded to arbitration.  The arbitrator ultimately decided that the insurer established by a preponderance of the evidence that the insured had made material false statements which constituted a breach of the cooperation clause under the auto policy and held that the insured was not entitled to recover uninsured motorist benefits.  The arbitration award was subsequently confirmed by the Middlesex Superior Court and the insurer filed a Motion for Summary Judgment on its counterclaims, arguing that the arbitrator’s decision settled all issues of fact and that it was entitled to judgment as a matter of law.

 

Under Massachusetts law, issue preclusion is established where the party asserting the doctrine shows: (1) there was a final judgment on the merits in the prior adjudication; (2) the party against whom estoppel is asserted was a party (or in privity with a party) to the prior adjudication; (3) the issue decided was identical with the one presented in the action in question; and, (4) the issue decided was essential to the judgment in the prior adjudication.  See id.  Judge Kern held that the arbitration award should be given issue preclusive effect where both the insured and the insurer were able to present evidence to the arbitrator concerning the alleged material false statements made by the insured, the arbitrator issued a written decision holding that the insured made false misrepresentations, and the arbitration award was confirmed by the Middlesex Superior Court. As a result, the Judge concluded that the central issue in the summary judgment proceeding—statements made by the insured—was actually litigated and determined by a valid and final judgment.  Thus, the arbitrator’s award was given issue preclusive effect and the insurer’s motion for summary judgment was granted where no genuine issues of material fact remained after the arbitration proceeding.

 

Comments

Financial Crisis Fall Out, RTC Type Claims Against E&O and D&O Covers?

Posted by Joseph Sano September 22nd, 2008 in Consider The Risks.


This week, Congress will decide what the U.S. facility for purchasing troubled financial sector assets will look like, and a number of commentators have referenced the Resolution Trust Corp. (RTC) as a model for the new facility.  If this happens, the impact on specialty insurers of D&O and E&O may be significant.  Some of us who were involved in insurance coverage in those days will recall the flood of suits against law firms and S&L directors and officers by the RTC as super plaintiff and the coverage litigation which followed.  As was sometimes the case when coverage issues relating to claims against lawyers for and directors and officers of savings and loan associations were being addressed by the courts, and similarly, with respect to CGL coverage during the first decade and a half after passage of Superfund, insurers may be viewed as a relief valve for risk which would otherwise be born by taxpayers. 

While some may believe this use of insurance as a funding vehicle is an effective public policy tool, a better view may be to characterize this as “social engineering” which ultimately lessens our respect for the rule of law.  For example, in the pollution and asbestos context, early and conflicting decisions regarding trigger of coverage and the pollution exclusion were impossible to reconcile with well settled rules of contractual interpretation and construction, and it has taken more than a decade to return balance to this area of the law. 

Given the rapidity of the development of the current financial system crisis, it seems unlikely that there was full and fair disclosure to E&O and D&O carriers of the risks inherent in this aspect of the business models of investment banks or their counsel.  Insurers facing such claims should carefully examine insureds representations to underwriters and preserve any misrepresentation defenses which may be available.  “Claims made” coverage which is common in E&O and many D&O policies may limit the time lag between claims for financial losses and underwriting consideration of such claims for firms which survive.  Insurers should consider all of these new risks and take steps to protect their interests.

Comments

RSS

Contributors

Our Practice

Prince, Lobel, Glovsky & Tye is large enough to offer a full slate of services, yet small enough to be flexible and accessible, enabling our firm to occupy a unique niche in the region’s legal landscape.

Read More