Specialty Podcast: Legal Developments Reshaping Risk - Kousisis v. U.S. and the Expanding Reach of the CCPA

Intro (00:00):
You are listening to the Alliant Specialty Podcast, dedicated to insurance and risk management solutions and trends shaping the market today.

Mike Radak (00:09):
Thanks everybody for joining us on this edition of Alliant Specialty’s Claims and Legal podcast. I am Mike Radak, a Senior Claims Attorney with Alliant. I'm joined again by my colleague and our resident cyber guru, David Finz. Today we're going to be discussing two important legal developments that have some relevance to our clients. Our team works extensively to keep apprised of new decisions and legal developments that impact our clients, and as always, we encourage those listening to read and subscribe to our monthly Executive Liability Insights newsletter, which contains these cases and lots of other good stuff. If you're not already on that distribution list, feel free to reach out to either one of us, and we would be happy to get you added to it. I am first going to talk about a Supreme Court decision that provides an important ruling for government contractors. The U.S. Supreme Court in May came down with a decision in a case called Kousisis v. United States that's likely going to have a significant impact on criminal and civil fraud cases against government contractors that misrepresent their qualifications for the contract. The Supreme Court essentially held that a defendant who induces a party, in this case that party's the government, to enter into a transaction under materially false pretenses may be convicted of federal fraud regardless of whether the defendant intended to cause or let alone caused any sort of economic loss with respect to the contract. The underlying matter in this case, it was a bridge repair contract.

The contracts were federally funded and conditioned on compliance with disadvantaged business enterprise participation requirements, essentially requiring a portion of the work to be subcontracted to a disadvantaged business. The defendant in this case represented that it was going to comply with that requirement, but instead subcontracted with a pass through entity that was essentially a fictitious entity that they had created just for the purposes of putting it on the bid and winning the contract. The defendants were convicted of wire fraud and conspiracy, and ultimately an appeal came up to the Supreme Court. The court ruled that a government contractor can commit criminal wire fraud by fraudulently misrepresenting its eligibility for an award and inducing the government into the contract, even if the contractor ultimately performs the work according to the contract specifications. What this ruling effectively did was it took out the element of any sort of monetary or pecuniary loss as a required element of fraud when the government's pursuing one of these fraud cases against a contractor that misrepresented what they were doing. There were some concurring opinions in this matter as well that some of the other justices wrote. Notably, within those opinions, they provided a roadmap for a defense to these claims. They held that there was still a materiality requirement in federal fraud statutes that will limit prosecutions and help distinguish what they quoted as everyday misstatements from actionable fraud. Those materiality disputes are defenses that we expect to see in these cases. Still need to make it up through the Supreme Court to determine how they're going to apply those standards, but typically for materiality arguments, the courts will look at whether the misrepresentation goes to the very essence of the bargain.

A couple takeaways from this decision. The Trump administration had previously stated that procurement fraud was a targeted area of enforcement by the DOJ. So, this decision clears a path for prosecutors to more aggressively pursue these fraud cases against contractors that knowingly make false statements in their bids. If you're contracting with the government in your line of work, you need to be extremely cautious about what representations you make in your bid, and you need to make sure that you comply with all of the representations that you make in the bid and ultimately the contract. We see this, certain areas where, reading my crystal ball, where I think that the DOJ may try to enforce this is with respect to diversity, equity and inclusion policies and procedures. Entities that are bidding on government contracts will need to confirm with whatever the current requirements are for DEI programs and provide evidence that they're complying with the current government requirements for those programs. I could see this arising also in instances of cyber controls. Businesses will need to make sure that they do have the adequate controls that they represent they have in certain contracts and bids. In the event that there is some sort of litigation that results from lack of cyber controls, we can see the government pursuing potential wire fraud claims based around that. With that said, I'm going to kick it over to David Finz. He's going to talk to us about an important ruling involving the California Consumer Privacy Act.

David Finz (05:00):
Thanks, Mike. We are keeping an eye on the courts in California, both state and federal and how they interpret the CCPA. Recently, a federal court denied a motion to dismiss a claim that was filed under the CCPA in a class action against a bank where the allegations were unlawful disclosure of customer's personal information to third parties through the use of tracking technology. Now, the court's ruling here could potentially expand the scope of cases in which the CCPA could be used by consumers for what is known as a private right of action. Historically, this has only been used when there's been an actual data breach, but here under the CCPA, we are now looking at a ruling where a federal court is allowing a case to proceed where there was no data breach, but consumers are questioning how their data was managed by the defendant. In last August, credit card users and applicants for credit cards who comprised the class here brought a proposed class action against this major financial institution alleging that it had violated the CCPA by allowing third parties to embed these tracking technologies that transmitted the user's personal data without their consent. There were other claims involved in the suit as well, but I'm focusing here specifically on what was alleged to have violated CCPA.

Now, for its part, the bank argued that dismissal was appropriate, and they moved on that basis because they said private actions under the CCPA were limited to data breaches where unauthorized third parties essentially steal or exfiltrate information. However, in this case, the court sided with the class, the plaintiff's, broadly interpreting the CCPA's reference to unauthorized access and exfiltration theft or disclosure of personal data to include unauthorized disclosure to third parties, even when there is no data breach. The court found that the class here had sufficiently alleged harm based on the fact that the website tracking led to the disclosure of their personal information. Now, this ruling is a departure from others that had limited the private right of action to data breaches, and this could allow for plaintiffs in future cases to bring these sorts of claims where their personal information may have been shared by the defendant without clear consent from the consumer. Now, it bears noting that many cyber policies out on the market now contain explicit exclusions for wrongful collection, practices or website tracking. However, we take the position that like a conduct exclusion, insurers should still have a duty to provide a defense up until a final adverse adjudication is reached and preferably a non-appealable adjudication. Now that isn't necessarily the position that the adjusters take in these claims, and that is where our advocacy comes into play. But philosophically, we approach this from the same standpoint of if you are going to accuse the defendant, the insured, of intentional misconduct, that they ought to be presumed innocent and they ought to be afforded a defense. Now, although this decision addresses the private right of action, it also highlights the importance of cyber policies having language that would trigger coverage for the defense that is not predicated solely on the occurrence of a data breach.

We certainly see this in the world of regulatory proceedings where a violation of a data privacy law, irrespective of whether there's been a breach, under most policies will trigger coverage for that regulatory proceeding. We believe that that is the appropriate response of the underwriters to these sorts of allegations of intentional misconduct around collection of data or website tracking. We will continue to keep an eye on these developments under CCPA. It is a bellwether of what many other states are beginning to implement to adapt around consumer privacy and what standards, what best practices companies ought to uphold around how they collect, manage, process and share consumer data. With that, I'll turn it back over to you, Mike.

Mike Radak (10:05):
Yes, thanks David. Interesting stuff and certainly a relevant topic for our space. We see plenty of consumer privacy actions, CCPA claims and tracking claims and regularly deal with the associated challenges that we see from the insurance carriers with respect to those claims. Definitely something we'll be keeping an eye on and likely talking about more in the future. Thanks, David. That's all we have for today. Thanks for listening, and we look forward to speaking with you again.