Federal Court Enters Powerful Duty to Defend Order in MaineIn addition to being a great place to find lobster, Maine may also be one of the country’s best jurisdictions for a policyholder seeking defense from its commercial general liability carrier.

In Zurich American Ins. Co. v. Electricity Maine LLC, the U.S. District Court for the District of Maine found against Zurich and in favor of Electricity Maine LLC, one of several defendants in an underlying class action lawsuit alleging pricing violations against the power company. Most notably, the court confirmed that Maine has a particularly low threshold for triggering an insurer’s duty to defend. The court found an “occurrence” despite Zurich’s argument that all the underlying allegations involved intentional conduct. And perhaps most shockingly, the court found the possibility of “bodily injury” based solely on the underlying complaint’s request for “actual damages in an amount to be proven at trial.” There is no mention in the complaint of emotional distress or mental anguish, but the court found an allegation of “bodily injury” anyway, relying on Maine’s broad duty to defend rules.

Based on this decision, a CGL policy can be triggered in Maine by virtually any general allegation of damage caused by negligence. Maine follows what it calls the “comparison test” and seems to allow for a duty to defend unless there is absolutely no chance of an eventual judgment that would fall within the scope of coverage provided by the policy.

Once again, we have an important reminder on two fronts. First, the duty to defend should be broadly construed, and some courts are willing to give the policyholder every benefit of the doubt, particularly in the face of ambiguous underlying allegations. Second, never forget choice of law. If you can go to Maine to resolve a duty to defend dispute (or to eat lobster), do it.

Can You Hear Me Now? Tenth Circuit Rejects Coverage for Telephone Consumer Protection Act ClaimsA recent Tenth Circuit decision undercut policyholder arguments that Telephone Consumer Protection Act (TCPA) claims are insurable under a standard CGL policy. Policyholders should take note of this decision but should not assume that all TCPA claims are necessarily uncovered.

On February 21, the Tenth Circuit affirmed a finding of no coverage on appeal from the District of Colorado. In Ace American Insurance Company v. Dish Network, LLC, the Tenth Circuit held there was no duty to defend Dish in a lawsuit alleging various violations of state and federal laws relating to telemarketing phone calls. The court held that statutory damages and injunctive relief sought under the TCPA were uninsurable penalties instead of insurable “damages” under the relevant liabilities policies. The court also rejected Dish’s argument that the TCPA’s provisions governing actual monetary loss qualified as a remedial provision that could be insured under Colorado law. Finally, the court rejected Dish’s argument that the underlying claims for equitable relief could constitute insurable damages.

Policyholders should take note of this case for several reasons:

  1. Rising TCPA Claims. TCPA claims continue to gain popularity on court dockets across the country. Insurers will undoubtedly lean on this case as a basis for denial of coverage in similar cases. That said, TCPA policyholders should not simply assume that all hope is lost. For example, the Tenth Circuit’s decision relies heavily on aspects of Colorado law that may not be controlling in other jurisdictions.
  2. Claims for Equitable Relief May Still Trigger Duty To Defend. This case is a good reminder of the importance of a detailed analysis relating to the particular damage allegations in an underlying lawsuit when considering the duty to defend. The Tenth Circuit did not shut the door on the possibility of a duty to defend claim seeking equitable relief. Instead, the decision is limited to the particular allegations in the underlying complaint.
  3. TCPA Exclusions Becoming More Common. The court noted that several later policies contained specific exclusion endorsements for TCPA claims. Policyholders that may face TCPA allegations should consider whether their current liability policies contain such exclusions and, if so, whether additional coverage may be necessary to protect against such future allegations.
  4. Some Coverage Arguments Not Fully Addressed. Unfortunately, the Tenth Circuit did not reach some of the other interesting coverage questions that could have played a role. For example, I would have been interested to see the court’s analysis of whether “bodily injury” or “property damage” was alleged in the underlying litigation.

This case is not the death knell for coverage for TCPA defendants, but it may prove a hurdle even in jurisdictions beyond Colorado. Companies that face this risk should consider their current coverage portfolio, particularly with respect to any exclusions that may expressly or implicitly apply to TCPA claims. In the event of a claim, companies should analyze each case independently, including consideration of choice of law and the particular policy provisions and allegations at issue.

Insurance Purchasers Beware: Florida Court Finds No Duty to Defend Data Breach Claim Under CGL Personal & Advertising Injury CoverageOn November 17, 2017, a U.S. district court in Florida narrowly construed personal and advertising injury coverage for data-breach claims under a commercial general liability policy. In Innovak International, Inc., v. The Hanover Insurance Company, the court held that The Hanover Insurance Company (the insurer) has no duty to defend Innovak International, Inc. (the insured), against a putative class action arising from a data breach that compromised users’ personal private information (“PPI”).

The court narrowly construed the policy’s definition of “personal and advertising injury” that included “[o]ral or written publication in any manner of material that violates a person’s right of privacy.” Despite the absence of a requirement that the insured publish that material, the court held that the policy only extended coverage to publication by the insured.

The court held that “[t]he act that violates the claimants’ right of privacy is the publication of their PPI, and the Underlying Claimants have not alleged that Innovak directly or indirectly committed that act.” The court rejected Innovak’s arguments that the phrase “in any manner” includes both “direct publication of PPI and negligent failure to prevent third parties from obtaining the PPI.” Following a New York state court decision (Zurich American Insurance v. Sony Corporation of America), the Florida court construed the phrase “in any manner” to refer to the medium rather that the sender of the information.

The court also rejected Innovak’s argument that the putative class action complaint alleged that Innovak indirectly published the PPI. The court held that the complaint clearly alleged that Innovak failed to protect the users’ PPI by failing to implement sufficient data security measures – which is not an allegation of publication at all. The court distinguished a California case, Hartford Casualty Insurance Co. v. Corcino & Associates, et al., because that complaint alleged that the insured posted private information on a public website, and the court did not address the same legal issues.

Finally, the court made short shrift of Innovak’s argument that Hanover waived its defense by omitting it from its denial letter, because the particular defense was included within the letter.

This case serves as a reminder that organizations should not assume that their commercial general liability policies will cover losses from data breaches – even if the organization purchases a data breach enhancement, as Innovak did. The policy’s Data Breach Form provided only data breach services and paid only data breach expenses and expressly excluded “fees, costs, settlements, judgments or liability of any kind” arising out of a data breach. The lack of coverage under the Data Breach Form left Innovak with only the personal and advertising injury coverage, which, in this instance, did not extend to the putative class action against Innovak.

As often mentioned on this blog, prudent insureds should purchase dedicated cyber insurance coverage if at all possible. Smaller organizations may rely on coverage enhancements to their existing insurance programs but should recognize the risk of this strategy. Under either a traditional or specialized cyber insurance program, all insureds should scrutinize policy language to understand the scope of coverage and –more importantly – the limitations of that coverage for data breach and other cyber-related exposures.