Podcast

Policy Wording Risks & Rising Data Breach Liability: D&O vs. E&O Coordination & Claims Trends

By Alliant Specialty Claims & Legal

D&O and E&O insurance coverage, professional services exclusions and cyber liability trends are reshaping how organizations manage claims and risk in today’s financial lines landscape. In this episode, Mike Radak and David Finz, Alliant Specialty Claims & Legal, analyze a Delaware court decision on D&O vs. E&O coordination and safeguarding your company against cyber litigation tied to data breaches and geopolitical threats. They share key insights on policy wording, coverage gaps and data breach liability, while highlighting strategies for insurance coverage alignment and cyber preparedness.

Find us on Apple Podcasts & Spotify

Intro (00:00):
You are listening to the Alliant Specialty Podcast, dedicated to insurance and risk management solutions and trends shaping the market today.


Mike Radak (00:09):
Hi folks, and thanks for tuning in for today's episode of Alliant Specialty's Claims and Legal podcast, where we discuss some of the latest legal developments in the financial lines, insurance world and claims space. I'm Mike Radak, I lead Alliant's Specialty Claims and Legal team. In addition to the guidance and advocacy that my team offers, we also work very hard to keep our finger on the pulse of relevant court decisions in this space. I'm going to discuss a Delaware case that addresses the interplay between E&O and D&O insurance. David Finz is also here with me, as always. He's going to speak to us a little bit about some recent developments in the cyber insurance world. If you'd like to read more about what we're talking about today, please check out our monthly Executive Liability Insights newsletter and ask us how to subscribe, if you don't already subscribe.

The case I'm talking about, as I mentioned, it's a Delaware case, really good example of the importance of coordination between coverage for directors and officers insurance and errors and omissions insurance or professional liability insurance, as we like to call it. The case stems from an enforcement action against a debt relief company and its founders. The allegations are pretty typical for what we normally see in that space. They alleged they were misleading consumers, promising loans that didn't materialize, charging fees for services that allegedly didn't comply with regulations. The company turned to its D&O insurer for coverage. The insurers said no, pointing to a professional services exclusion. That policy defined professional services, which we see in a lot of policies, as services which are performed for others for a fee. The insured argued that the allegations arose from improper managerial conduct, not from professional services and that they were merely tangentially related to the conducting of their business and not meaningfully linked. The court disagreed, determined that many of the allegations stemmed from their business model, which was providing services to others for a fee. In this case it was debt relief services.

The court held that the alleged violations would not have occurred but for the insureds conducting their business, and each is intrinsically linked with the provision of professional services. Here's where it gets interesting. The court didn't accept the blanket denial from the insurance carrier. Instead, it went appropriately in my opinion, claim by claim and allegation by allegation in the complaint and held that some of those allegations may actually trigger coverage. Specifically, the court identified a subset of allegations concerning false statements made to lure potential victims into the debt relief program and found that inducing an individual is not the performance, or lack thereof, of a professional service, as there's no meaningful linkage between the two. The court held that applying the exclusion to claims arising out of misleading marketing tactics, because they would inevitably lead to the insured's provision of service, impermissibly broadened the exclusion. Therefore, the court held that while the bulk of the allegations fit squarely within the professional services exclusion, the carrier did have a duty to defend the allegations related to the marketing of that program.

In my opinion, this case is really a practical lesson in where D&O coverage ends and where E&O coverage begins. The coordination of coverage between D&O and E&O is a critical issue here. If you're placing D&O for a client like the one in the case I just discussed, you can't treat it as a standalone policy. You have to coordinate with the E&O coverage to make sure that you're not leaving a hole right where the risk actually is. Second, and I say this all the time if you've listened to my prior podcasts, but policy wording really matters. In this case, the professional services exclusion applied broadly to the entire D&O coverage part, including Side A. That's a big deal because a lot of people assume Side A will always step in to protect the individuals. This case is an example of where that's not necessarily true. This is where our brokers really earn their keep in understanding how these coverages are drafted and how they apply, specifically with regard to the professional services exclusion here.

Lastly, I just thought it was worth pointing out that the court did the right thing here by parsing out the allegations and going count by count through the complaint. It didn't just say because this is a service company and there's allegations regarding services provided for a fee, everything's excluded and the carrier got it right. I'm a firm believer when analyzing a claim, you cannot let everything get lumped together. If you get a blanket denial from an insurance carrier, you need to break it down allegation by allegation, count by count, and don't accept a blanket denial when there may be a portion of the allegations or facts in the claim that let us get a hook into the insurance coverage here. The court also allowed in this case, which I think is worth pointing out, a potential bad faith claim to move forward against the insurance carrier. This tells you that overly broad denials also create exposure for insurance carriers.

Again, this is a great example of how a complaint needs to be evaluated on individual counts and allegations. Often, it's a great example of how you can find coverage when you were initially told by the insurance carrier that there is no coverage or coverage doesn't exist for a specific claim. It's something that my team and I work very hard at and we tend to excel at when we're finding coverage where insurance carriers might initially tell us no. With that being said, I'll kick it over to you, David, and you can talk to us a little bit about what's going on in the cyber space.


David Finz (05:52):
Thanks, Mike. Not surprisingly, with the situation in the Middle East, we are finding ourselves in an elevated risk in the geopolitical environment. Because of that, everyone's sort of on heightened alert for cyber attacks. There is one particular attack that is being attributed to an Iranian-linked hacktivist group that was perpetrated on a medical device supplier. Now, I'm not going to go into too much detail about that incident itself. Alliant has put out a client alert on that attack, and you are welcome to visit our website at www.Alliant.com for the specifics around how the attack occurred, the impact it is having on hospitals and emergency systems and some immediate steps that organizations can take to safeguard against the impact of this attack and potential future attacks. What I really want to talk about here is the litigation that is now ensuing as a result of that attack. After all, this is a claims and legal podcast.

What I want to focus on is a complaint that was filed last week in the U.S. District Court for the Western District of Michigan. This is what we call a putative class action. This plaintiff is filing, hoping to get class action status. He's a former employee of this medical device manufacturer. He is alleging on his own behalf, as well as that of his fellow employees and customers, that their personal information was compromised due to, essentially, lax security measures on the part of his former employer. This information includes dates of birth, addresses, social security numbers, employment information and patient health information, or PHI, which he alleges was compromised, or he believes to have been compromised, as a part of this breach. He's alleging that his former employer failed to invest the resources necessary to protect the confidential information of the plaintiff, as well as other members of this potential class. He says the attack was entirely foreseeable and that the company's response to the data breach has been, in his words, woefully insufficient.

To date, the defendant in this matter has yet to even provide notice to the individuals impacted by the breach. He says that because they house sensitive information, they should have been at a heightened state of alert. Purchasers of that stolen information could use it to perpetrate a variety of crimes. Class members now must face what he calls a present substantial and imminent risk of fraud and identity theft, and they must deal with that threat forever, his words. He says the company's lack of security measures for storing and handling private information, as well as inadequate employee training, led to the harm that is now facing him and other potential class members. Now, for the longest time, companies could rely upon what is known as Article III standing as a defense in these actions. We've talked about this in prior episodes. Basically what Article III of the U.S. Constitution says is that courts are not going to entertain a complaint by a plaintiff unless the plaintiff can show actual harm that the court is capable of granting relief around. Otherwise, there's no point of them hearing the complaint. That's standing in a nutshell, to put it in layperson's terms.

Now for years, courts were reluctant to grant standing to individuals as a result of these data breaches. That, however, is beginning to change. The case law is evolving. The inconvenience, the anxiety, the emotional distress that is caused around wondering whether your personal information has now been compromised, along with the actual cost in time and expense of monitoring and remediating, is now being recognized by some courts as a harm to the plaintiffs for which they, the courts, are capable of granting relief. What that means is that these cases are now sometimes getting past the pleading stage. Once you get into discovery, as any attorney will tell you, the legal fees can begin to mount very quickly. The pressure can build for the parties to come up with a settlement. This is all the more reason for companies to have the right cyber insurance in place that will pick up the defense and settlement of these matters and also to consult with privacy counsel to make sure that they have the right data privacy practices in place so that they're not violating the law, either before or after an incident occurs.

We here at Alliant enjoy a solid working relationship with many, many law firms that practice in the area of data privacy. We are able to connect our clients to those resources to help them make sure that they have the right data privacy practices in place. With that, I'm going to turn it back over to you, Mike.


Mike Radak (10:42):
Thanks, David. I feel like we're talking about privacy litigation related to various breaches almost every month now. Definitely an area that's going to continue to evolve that we'll keep a close eye on. I certainly know we see dozens and dozens of claims related to these issues probably monthly, if not throughout the year. Interesting stuff. I was just going to touch on the war and terrorism exclusion, with regard to the Stryker incident as well. It'll be interesting to see how carriers and if carriers invoke that. I think there's a high threshold for them to meet if they do invoke it. Something to keep an eye on with respect to these ongoing hostilities in Iran.


David Finz (11:23):
Yeah, that's a good point, Mike. There's been a lot of talk about the war exclusion. However, while the policies are not uniform in their wording, a basic standard that we see, pretty much across the board here, is that the attack must rise to the level of compromising either the essential services or the security of the sovereign state that is being attacked. In this particular instance, while there may be some geopolitical considerations here and some hacktivism involved, I haven't seen evidence that this rises to that level. Based on what we know at this stage, I think the insurers would be hard pressed to apply that exclusion in this instance.


Mike Radak (12:06):
With that said, thanks everybody for spending a few minutes with us today to listen to us talk insurance. As always, if you'd like to get more information on some of the topics we discussed today, please reach out and subscribe to our Executive Liability Insights monthly newsletter. If you'd like more information about Alliant and a more rewarding way to manage risk, please reach out for more info or visit our website at www.Alliant.com. Thanks.

This document is provided for general informational purposes only and does not constitute legal, tax, accounting, insurance, brokerage, risk management, or other professional advice. You should consult your own legal counsel or other qualified professional advisors regarding your specific circumstances, and receipt of this document does not create any client, advisory, fiduciary, brokerage, or other professional relationship with Alliant Insurance Services, Inc. This document is provided “as is” without warranty of any kind, and Alliant Insurance Services, Inc. disclaims any liability for any loss or damage arising out of or relating to reliance on this document.