Listen to this post

The United States District Court for the Middle District of Florida recently granted summary judgment for an insurer on a pollution liability policy for lack of timely notice. The court agreed with the insurer that the insured gas station operator had knowledge of “pollution conditions” in 2017 and 2018, yet failed to provide notice to its insurer until 2019 (L. Squared Indus., Inc. v. Nautilus Ins. Co., — F. Supp. 3d. —, 2023 WL 4227568 (granting summary judgment for insurer), 2023 WL 6194226 (M.D. Fla. Aug. 29, 2023) (denying insured’s motion for reconsideration)).

Nautilus Insurance Company issued the claims made policy for the July 18, 2018, to July 18, 2019, policy period covering “storage tank systems cleanup costs, third-party bodily injury, property damage liability, and defense.” The issue before the court was whether Nautilus owed a duty to cover clean-up and defenses costs associated with the accidental release of petroleum from an underground storage tank (UST). The insured L. Squared Industries, Inc. is a Florida corporation that operates gas stations.

On May 2, 2017, the Florida Department of Environmental Protection (FDEP) inspected L. Squared’s gas station in St. Augustine. This FDEP inspection identified two violations involving cracked boot gaskets and directed L. Squared to take corrective action, including hydrotesting to determine whether any discharge could have occurred. L. Squared hired a contractor to repair the cracked boot gaskets and to conduct the hydrotesting, which failed, necessitating sampling of the surrounding soil.  Following the sampling, L. Squared submitted a Discharge Report Form (DRF) to the FDEP on March 18, 2018, stating a release was discovered in July 2017. The DRF also stated discharged or released gasoline and diesel were affecting the soil and groundwater.

 In 2018, L. Squared replaced a dispenser sump. In connection with that replacement activity, L. Squared hired an environmental consultant who identified some groundwater contamination in a 2018 report. This same consultant conducted further sampling on April 5, 2019, and found what appeared to a be a petroleum release. L. Squared provided a notice of occurrence/claim to Nautilus on April 19, 2019. Nautilus denied coverage and litigation ensued.  Both parties moved for summary judgment.

In deciding whether the insured’s notice was timely, the court focused on the Reporting of a Pollution, Condition, Claim or Suit provision of the policy, which requires the insured to provide notice to the insurer within seven days after the insured “first became aware of, or should have become aware of, a pollution condition.” Nautilus argued L. Squared was aware of a pollution condition in May 2017, when the FDEP notified L. Squared of violations and directed L. Squared to take corrective actions, or at the latest in July 2017, the date L. Squared identified in its DRF report that a release had been discovered. 

L. Squared argued, however, that the 2017 notice and DRF report were related to a pre-existing 1985 release or discharge, and that it was not until 2019 that L. Squared had any knowledge of a new release, and that this new release was “first discovered” through April 2019 correspondence from the FDEP and promptly reported to Nautilus. In rejecting this position, the court noted that within the April 2019 correspondence, the FDEP specifically referenced the 2018 consulting report associated with the dispenser sump replacement, the contents of which L. Squared was aware of in 2018. 

In granting summary judgment for the insurer, the court found the plain language of the policy required L. Squared to notify Nautilus within seven days of the 2018 consultant report, which L. Squared failed to do. The court subsequently denied L. Squared’s motion for reconsideration, which L. Squared has appealed to the United States Court of Appeals for the Eleventh Circuit.

Regardless of the outcome of the appeal, the case highlights the significance of prompt reporting of claims, or even circumstances that may lead to a claim, to insurers – and particularly the repercussions of failing to do so. To avoid waiver of any available insurance coverage, it is critical that companies have a claims management system in place to ensure insurance carriers are timely notified when appropriate. Policyholder attorneys can review notice requirements of existing policies and assist in creating claims management systems to minimize the possibility of late notice of potentially covered claims.

*Andy Tao is a co-author of this post. Andy Tao is not yet a licensed attorney.

Listen to this post

Any company, particularly if conducting business is a highly regulated industry, risks being served with a subpoena or a civil investigative demand (collectively, “CID”) from a governmental agency or entity. As set forth below, the company may have insurance coverage available to cover the costs associated with responding to the CID. More importantly, however, failure to provide prompt notice to insurance carriers could preclude coverage for any subsequent litigation or enforcement proceeding related to the CID. Prompt notice of the CID to the company’s directors and officers’ (D&O) insurer is critical.

D&O Policies and CID

D&O policies provide financial protection through liability coverage, including both defense and indemnity, to the directors and officers of a company for claims asserted against those directors and officers arising from the management of the company. Unlike other forms of insurance, such as property or general liability policies, in which insurers utilize standardized forms, D&O coverage can vary significantly from one insurer to another. 

The typical D&O policy provides insurance coverage under three different insuring agreements, commonly known as Side A, Side B, and Side C coverage. Side A provides “direct” or personal liability coverage for individual directors and officers where the company cannot legally provide a defense or indemnify loss (where such indemnity is prohibited by state law) or where the company is financially unable to do so. Side B indirectly covers the individual directors and officers of the company by reimbursing the company for defense or indemnity payments that the company has made or is required to make on behalf of its directors and officers. Side C, which is also known as “entity coverage,” provides coverage for claims against the company itself. 

The insuring agreement of most D&O policies will provide coverage for “loss” that is incurred as a result of a “claim” made for a “wrongful act.” While the specific language of D&O policies varies from one insurer to another, the term “claim” typically refers to an assertion of a legal right, a demand for payment by a third party against the insured, or even a demand for non-monetary relief. The term “claim” could also be defined to include administrative and regulatory proceedings, criminal investigations, or civil investigative demands by regulators. In short, depending on the language of the CID itself, as well as the definition of “claim” in a D&O policy, a CID could constitute a claim.

Delayed Notification Risks Denial of Coverage

If a CID could constitute a claim as defined in the D&O policy, prompt notice is critical because failure to provide notice timely could defeat coverage. D&O policies are typically written on a claims-made basis. Claims-made policies, sometimes called claims made and reported policies, provide coverage for claims that occur (and are reported) to the insurer while the policy is in force.  Failure to report a claim to the carrier during the policy period, or any applicable extended reporting period, could be an absolute bar to coverage.

Another reason for prompt notice to a D&O carrier of any CID, even if the insured does not think the CID qualifies as a claim or the anticipated costs to the insured in responding to the CID does not require insurance proceeds, is a concept within D&O policies of “related claims.” Most D&O policies also contain “related claims” or “interrelated wrongful acts” provisions. These provisions are broadly worded and will provide that all related wrongful acts will be considered a single claim.  For example, the policy definition of “related claims” or “related wrongful acts” could be “claims that have as a common nexus any fact, circumstance, situation, event, transaction or series of related facts, circumstances, situations, events or transactions.” Where two or more claims satisfy this “related claims” definition, then they are usually deemed to be a single claim first made at the time of the earlier claim.

For example, assume a company has a D&O policy for successive one-year policy periods beginning June 1, 2020.  The company receives a CID on December 1, 2020, responds to the CID and does not provide notice to its D&O insurer. The D&O policy renews on June 1, 2021, for one year and then again on June 1, 2022, for another year. In September 2022, the insured company is named as a defendant in an enforcement action and is then named as a defendant in civil lawsuit in March 2023 – both actions involving the same conduct that was at issue in the CID. The company tenders both the enforcement action and the civil lawsuit to its insurer, which denies the claims.

The insurer asserts that under the definition of “claim” in the hypothetical D&O policy, the CID constituted a claim, which should have been reported but was not reported to the carrier during the June 1, 2020, to June 1, 2021, policy. Because the claim was not made and reported during that policy period, there was no coverage for the CID. Furthermore, under the “related claims” provision of this hypothetical D&O policy, the CID, enforcement action, and civil lawsuit were “related claims” that were deemed to be a single claim first made at the time of the CID. Since there was no coverage for the CID – because it was never reported – the insurer asserts the “related claims” provision precludes coverage for both the enforcement action and the civil lawsuit.

When any company receives a CID or government-issued subpoena, the company should consult with insurance coverage counsel and an experienced broker to evaluate potential coverage under any D&O policy and provide prompt notice of the CID to the D&O insurer.

Listen to this post

Some policyholders mistakenly assume that all cyber insurance policies provide coverage for much the same type of losses. But unlike many other types of commercial insurance, cyber has not become standardized in the years since its inception. Instead, the cyber insurance market offers policyholders a menu of coverage options, from which the organization must purchase specific insuring agreements that match its risk profile. Cyber losses can result from cyber extortion (including the use of ransomware), theft, denial of service attacks, network disruption, and a host of other causes, and can lead to different types of losses, including ransom payments, business interruption, third-party liability due to unauthorized disclosure of confidential information, and regulatory defense and penalties – to name just a few. A given insurance policy may cover any combination of these losses, and some coverages may be optional. It is incumbent on the policyholder to know the risks it needs insured and work with its broker and coverage counsel to find the right policy. 

A decision last month by a federal court in Oregon highlights the risk of litigation when coverage is not clear. In Yoshida Foods International, LLC v. Federal Insurance Company, the policyholder suffered a ransomware attack demanding payment of $107,074.20 in cryptocurrency to recover encrypted data. Because Yoshida lacked access to cryptocurrency, one of its executives paid the ransom from his personal cryptocurrency account and was later reimbursed by the company. The policy did not explicitly provide coverage for extortion, ransomware, or encryption, but did cover a “direct loss” caused by “Computer Fraud,” which included unlawful taking of money resulting from unauthorized entry into a computer system. Federal refused to cover the ransomware payment, arguing among other things that the payment was not a “direct loss” insured by the computer fraud coverage grant because the company’s reimbursement to its executive was an indirect or consequential loss, and because the transfer of funds represented the company’s conscious decision instead of direct theft by the criminals. Over Federal’s objections, the district court found the policy language was broad enough to encompass the ransomware attack, obligating the insurer to indemnify Yoshida for its loss. The policyholder prevailed – but only after litigating the scope of the insurance policy that it purchased.

The Yoshida Foods decision is not binding on other courts, and another jurisdiction could reach a different interpretation of similar policy language. But the coverage dispute might have been avoided if the policy included a specific coverage grant for extortion and ransomware. Amid the assortment of options in the cyber insurance market, policyholders are well advised to shop for policies that clearly identify the risks the organization intends to cover, while also paying attention to limits, definitions, conditions, and exclusions.