Specialty Podcast: Inside a $42M Data Breach and the Latest ICA & D&O Policy Rulings

Intro (00:00):
You are listening to the Alliant Specialty Podcast, dedicated to insurance and risk management solutions and trends shaping the market today.

Mike Radak (00:09):
Hi everybody, and thanks for tuning in again for the Alliant Claims and Legal podcast. I'm Mike Radak, a senior claims attorney with the Alliant Claims and Legal team. Joined again by my colleague and our resident cyber specialist, David Finz. At Alliant, we are focused on new and relevant legal decisions that impact the financial lines insurance industry that we work in, as well as our clients' industries. You can read about many of these decisions, including the ones that I'm going to be talking about today, in our September issue of the Executive Liability Insights Newsletter. If you don't subscribe to that and would like to, please reach out, and we will be happy to get you added to the distribution list on that. I'm going to first talk about two important cases that have made some headlines recently. The first case involves the Investment Company Act and whether it allows private causes of action. The second involves the prior notice exclusion, which we see carriers regularly invoking to deny claims. The first case that I'm going to talk about involving the Investment Company Act, it was FS Credit Opportunities v. Saba Capital Master Fund. The issue here is whether Section 47(b) of the Investment Company Act creates an implied private right of action for individuals to sue funds in order to enforce the act.

Now from what we've seen with the ICA in the past, the act imposes pretty strict requirements and restrictions on investment companies addressing everything from disclosure and governance to asset safekeeping and advertising. In this case, an activist filed suit against an investment company fund arguing that the investment company violated the ICA by preventing it from exercising its voting rights. The lower court in the second circuit ruled in favor of the activists stating that the fund impaired his ability to acquire ownership state of the funds, and the Second Circuit effectively upheld the decision, thereby contributing to the already existing circuit split. The fund appealed to the U.S. Supreme Court, arguing essentially that there is no private right of action under the Investment Company Act. Their argument basically is that it would create tremendous uncertainty for the funds that are plagued with the important task of managing retirement funds and financial stability of the country's population. Typically, the SEC has been the entity that enforces the Investment Company Act. The Supreme Court did agree to take up the case. There were multiple amicus briefs filed in support of the fund that is supporting the argument that there is no private right of action under the ICA. There's a multitude of arguments, as opposed to just the simple one that the ICA does not explicitly allow a private right of action. But the concern here is that individuals would bring suit in the second district, and they could seek rescission of a vast array of contracts involved in these investments. The Supreme Court, we don't know which way they're going to come out on this, but if I was to read the tea leaves, the current administration and the current court seems to be relatively pro-business. My guess would be that they are going to rule that there is no private right of action under the ICA, but it's something we're going to be monitoring closely and I suspect we will be talking about again on one of our future podcasts. The next case I wanted to talk about was Somerset Condo Association v. RC Somerset, LLC. I'll touch on this one briefly, but essentially the court determined that a D&O policy's prior notice exclusion applied only if potential liability in the underlying claim arose out of related prior wrongful acts. This was a Wisconsin case that spoke pretty extensively about the never-ending related issues that we are dealing with constantly on the claims and legal team. We often see the carriers denying claims based on these prior notice exclusions that this case discussed. It’s a long complicated factual scenario here. Essentially it involved a dispute between condo owners and the condo association. Initially there was a lawsuit filed involving breach of duty of good faith and tortious interference that was noticed to the association's D&O carrier, which provided a defense and the dispute remained ongoing.

Fast forward to the subsequent policy period, there's additional litigation filed, and there's new counterclaims filed against the association. The association again tenders that to its D&O carrier at the time that that counterclaim was filed, the D&O carrier comes back and says the prior notice exclusion applies because it bars coverage for any liability arising out of facts alleged or the same or related wrongful acts alleged, which had been noticed under a prior insurance policy. Coverage litigation ensues and the court ultimately rules against the insurance carrier here finding that the wrongful acts involved in the most recent litigation, while they had some similarities, they were not related to the alleged subsequent wrongful acts that occurred in the prior litigation that was noticed to the prior carrier. Notably the court held that while the prior notice exclusions language does not require identical parties in both lawsuits to bar coverage, the presence of different parties weighs against the determination of relatedness. There were some different parties involved here, so this is another example of why we need to notice all claims as soon as they come in. At Alliant, we say reach out to us early and often with any claim situations so we can address it and make sure it gets noticed under the proper policies because these coverage issues can be very novel, very nuanced, and we can help you get ahead of them before they arise. With that said, I'll turn it over to David who's going to talk to us about some recent cyber developments.

David Finz (06:09):
Thanks, Mike. I'm going to be talking today about a settlement of a proposed class action in a data breach suit. Customers of a payday lender and title loan company are going to be getting their share of a $42 million settlement of a proposed class action suit that arose out of a data breach affecting nearly 5 million customers. For their part, the plaintiff's attorneys are going to be receiving $5.75 million in fees and costs. Mike, it seems like you and I are definitely in the wrong line of work here. I don't know. A federal trial court judge awarded the plaintiff's attorney's fees and said that the sum was fair and reasonable for a team that had, in the judge's words, "adequately represented the settlement class and will continue to do so." Not too shabby for not even having to try the case. Let's talk about the hazards of litigation facing each of the parties here. Now, the plaintiffs acknowledged in a motion that they had filed previously, that as in any complex class action, they faced risks in establishing liability and damages on a class-wide basis in their pending certification of the class. Now to get a class action certified, the plaintiffs have to show that they are numerous enough and that their injuries are similar enough that they should be adjudicated on a class-wide basis. Now, 5 million customers would certainly seem to be numerous enough, but establishing what is known as standing to sue is frequently a challenge in data privacy lawsuits because the plaintiffs must show that they suffered an injury that the court is able to remedy. Counsel for the plaintiffs here also faced an uphill battle considering the defendant's motion to compel arbitration. Arbitration clauses are controversial because while they do ease the burden on our judicial system by keeping many disputes out of court, they also make it difficult for consumers to get relief in small matters where it doesn't always make sense to hire a lawyer. Now bundled together, millions of customers might be able to interest an attorney in taking the case, but certifying a class here would seem to be at odds with the arbitration clause in the agreements that the customers had signed with the company. Because a court cannot certify a class if the matter is required to go through arbitration.

Now by the same token, the defendants were facing the cost of litigating this case, which could easily have run into the millions of dollars, and that comes also with an uncertain outcome. Both parties were incentivized to settle this matter. This settlement highlights the importance of having a well-written cyber policy. First of all, you need to take a look at the definition of a claim under your policy. Many off-the-shelf policies do not define a claim as including a demand for arbitration or a request for mediation. You want to make sure that language is in the base form, and if it's not, you need to have it added by endorsement. Now not only does that pick up the cost of hiring the arbitrator or the mediator, but also the legal fees associated with preparing for and handling those sessions and potentially any settlement that could result from that process. Additionally, you need to look at the conduct exclusion. Not surprisingly, many plaintiffs allege that the conduct of the defendants was intentional. That they knew or should have known that they were collecting information and giving it to third parties. That they knew or should have known that their security controls were lax. They may even make misrepresentation claims around what controls the defendants said they had in place or what their stated privacy policies required them to do with customer data. Not surprisingly, insurance carriers don't want to cover the cost of judgements against their insureds around intentional misconduct. That would be what we lawyers call a moral hazard. They will, however, cover the cost of defending such claims because anyone can allege anything up to the point of a final adverse adjudication. We would even go further and insert language saying that the adverse adjudication must be non-appealable. That the defendants had exhausted all avenues of appeal. That allows the insured to get coverage for the cost of filing an appeal and posting bond, but here's the point that brokers often overlook. If I can get the cost of defending a claim covered, then I can at least have a conversation with the insurer around contributing that cost towards a settlement of the matter, which doesn't happen if the defense coverage isn't triggered. It's important to have the right policy wording and also ensure that the settlement contains no admission of wrongdoing on the part of the insured, which could cause that conduct exclusion to kick in. Once again as we often state here, the right policy wording can make all the difference. That is what we learned from this rather hefty settlement of this data breach litigation. And with that, I'll turn it back over to you, Mike.

Mike Radak (11:28):
Yes. Thanks, David. Super interesting stuff, and great point about even if you have defense-only coverage, we've had some good luck in using that cost of defense to resolve some matters that might not otherwise resolve. It’s definitely an argument that we always take up with the insurance carriers when it's appropriate. With that being said, thanks everybody for listening today. Again, if you have any questions or if you want to get subscribed to our newsletter, please reach out to David or myself. We look forward to talking with you again during the next month's Alliant Claims and Legal podcast. Thank you.