Policyholder Observer

by Orrick, Herrington & Sutcliffe LLP

Encryption Flaw "Heartbleed" Creates Data Risk: How Insurance Can Stanch the Bleeding

By Kristi Singleton and Richard Gallena

In early April, news broke of an encryption flaw named “Heartbleed” that exposed companies to data breaches for over two and one half years. Heartbleed is a vulnerability in OpenSSL, an open-source set of libraries for encrypting online services that nearly two-thirds of all websites use. The vulnerability allows hackers to steal personal information, such as bank account information, social security numbers, and passwords, from companies, with little risk of detection. Given the length of exposure and the ease of exploitation, Heartbleed has been described by cybersecurity professionals as one of the biggest flaws in Internet history. And the technology community has not been able to stop the bleeding. In June, researchers found additional vulnerabilities in OpenSSL that implicate many of the same data breach concerns triggered by Heartbleed.

While the ability to escape detection makes the extent to which hackers have exploited these vulnerabilities unclear, for many companies, costs and future liabilities related to Heartbleed may be very substantial. Insurance policies may be available to help stem the hemorrhaging of financial losses and liabilities. This article discusses the rise in cybersecurity attacks, and examines first- and third-party coverage potentially available under different types of insurance policies.


Orrick Secures Favorable Verdict in Missouri Asbestos Coverage Trial

In a case involving complex questions of insurance coverage for asbestos claims, a team led by insurance recovery litigation partner David Elkind won a jury verdict last month in Missouri state court, obtaining substantial damages for Orrick’s client, a manufacturer of industrial equipment. (Our client has asked that its name not be used in this report.) The client was named in thousands of lawsuits alleging injury from exposure to asbestos the client manufactured. Before trial, three of the insurer defendants paid $4 million of the policyholder’s damages. Our client sought an additional $14 million from these defendants at trial, including attorney's fees of $5 million, which it sought as punitive damages. The jury awarded $8 million from the lead defendant, Evanston Insurance Company, including nearly half of our client’s attorney’s fees. During cross-examination and in closing argument, Orrick demonstrated that Evanston had failed to investigate the claims and provide the coverage it owed. Moreover, in testimony at trial, the president of the claims handling company for the other two insurers announced that they would make full payment to the client of its remaining damages.

Although the trial involved three defendants, the full action included eight insurance company defendants. Just before trial, Orrick obtained several favorable rulings on summary judgment, which resolved important questions of law that the jury did not have to decide. When the court issues its final judgment, it will include a declaratory judgment that will entitle Orrick’s client to some $300 million in coverage, which is expected to provide full protection against future asbestos claims.

Six Essential Insurance Questions for Emerging Companies

By Darren S. Teshima

Emerging companies combine energy and innovation with a focus on long-term growth and success. Given the stage of their development, they often face unique risks that do not confront large, public companies. At the same time, they often do not have a risk manager to help them assess their insurance issues. The risks they face nevertheless must be addressed to ensure the companies’ continued success. Below we discuss key insurance questions emerging companies frequently face.

1. When Do We Need Directors & Officers Coverage?

Directors and officers (D&O) coverage is not just for public companies; emerging companies can also benefit from D&O insurance. In addition to the coverage it provides, D&O insurance can help emerging companies attract new directors and may be required to obtain venture capital funding. As more private companies contemplate IPOs under the JOBS Act, obtaining D&O coverage while still private can help develop a relationship with a public-company insurer.

2. Do We Need Cyber Coverage?

If a company maintains any consumer or employee data, it should consider purchasing cyber insurance, which protects against losses and claims arising out of data breaches. For many companies, the question is when—not if—a data breach will occur. Traditional general liability policies are currently being written to exclude coverage for data breaches, so companies should consider a separate cyber policy, which provides coverage for a variety of damages and losses. Cyber policies are complicated, not standardized, and rapidly evolving, so they require careful analysis.

3. Are Intellectual Property Infringement Claims Insured?

Although most policies do not provide coverage for patent infringement claims, coverage for non-patent infringement claims, like trademark and copyright infringement, is available. Technology errors and omissions policies often provide media activities liability coverage for claims resulting from information on a company’s website or other distribution of information on the Internet.

4. What Should We Tell an Insurer When Renewing a Policy?

Emerging companies are dynamic and their businesses can grow and change quickly. Because insurers underwrite particular risks, if a company expands or changes its business model, insurers may argue that their insurance does not provide coverage. When obtaining a new or renewal policy, emerging companies should work closely with their broker to inform their insurer of new developments. Keeping the insurer informed will help protect against a later denial of a claim.

5. When Should We Notify an Insurer of a Claim?

If a company receives a claim—perhaps a complaint from a disgruntled employee or a cease-and-desist letter from a competitor—the company should consider promptly telling its insurer. Especially if the policy period is about to expire, prompt notification is critical, as policies often require notification of a claim within the policy period. Even if the claim is not a formal lawsuit, the company should provide notice to the insurer if it wants to seek coverage in the future.

6. How Do We Respond to an Insurer Who Refuses to Cover a Claim?

Because emerging companies face novel issues that an insurer may not have handled before, the insurer’s initial response may be to refuse coverage. If an insurer denies a claim, or refuses to immediately provide coverage and asks difficult questions, an emerging company should seek out experienced coverage counsel to analyze the potential for coverage. Insurers are always looking for ways to deny coverage, so the company needs to respond to their inquiries with care.


Excess Insurance Policies Triggered Once Primary Policies are Exhausted by Any Claims, Even Claims Not Covered by Excess Policies, Fifth Circuit Holds

On June 23, 2014, the Fifth Circuit held that four excess insurers’ policies were triggered even though the claims exhausting the underlying primary policies were not covered under the excess policies. Indem. Ins. Co. of N. Am. v. W & T Offshore, Inc., No. 13-20512 (5th Cir. June 23, 2014). In 2008, Hurricane Ike damaged the insured’s offshore drilling platforms in the Gulf of Mexico. The insured exhausted its underlying insurance policies with property damage and operators’ extra expenses claims, which were not covered by the excess policies. The insured planned to seek coverage from the excess insurers for its removal of debris claims, which both the underlying policies and the umbrella policies covered. The excess insurers filed for declaratory relief, arguing that the excess policies’ retained limit—the amount of underlying insurance that must be exhausted to trigger the excess coverage—could only be exhausted by the payment of claims that would be covered under their policies and thus could not be exhausted by the property damage and operators’ extra expenses claims. Reversing the lower court, the Fifth Circuit rejected the excess insurers’ argument and held that the plain text of the excess policies states that the retained limit must be exhausted but does not specify how it must be exhausted. The court found that the policy language as a whole was consistent with the interpretation that the retained limit could be exhausted by claims not covered by the excess policies.

California Supreme Court Narrowly Construes Advertising Injury Coverage

In Hartford Casualty Ins. Co. v. Swift Distribution, Inc., Case No. S207172 (June 12, 2014), the California Supreme Court clarified an insurer’s duty to defend against advertising injury claims arising out of the “publication of material that . . . disparages a person’s or organization’s goods, products or services.” In Swift, the plaintiff alleged that defendant manufactured a specialized cart that infringed on plaintiff’s patents and trademarks, and engaged in unfair competition and misleading advertising. The complaint, however, did not allege any specific statements about the competitor’s goods. Affirming lower court rulings, the California Supreme Court found that an insurer’s defense obligation for disparagement is limited to a lawsuit alleging a false or misleading statement that “(1) specifically refers to plaintiff’s product or business and (2) clearly derogates that product or business.” Each requirement can be satisfied expressly, or if there is no mention of the competing product, by “clear implication.” But the insurer has no duty to defend a product disparagement claim where the allegedly false statements are too general to be construed as derogatory to a specific product. Thus, Swift disapproved Travelers Property Casualty Co. of Am. v. Charlotte Russe Holding, Inc., 207 Cal.App.4th 969 (2012), which had found that a clothing distributor’s lawsuit against a retailer that alleged that the retailer had heavily discounted plaintiff’s clothing stated a claim for product disparagement that gave rise to the insurer’s duty to defend.

Washington Appellate Court Adopts Broad Construction of “Suit” in CGL Policy but Finds No Duty to Defend Non-Coercive Agency Action

On June 2, 2014, a Washington Court of Appeals held that insurers’ duty to defend was not triggered where the policyholder did not receive any threat of an environmental clean-up action but instead undertook a voluntary remediation to comply with Washington’s Model Toxics Control Act (the “MTCA”). Gull Indus., Inc. v. State Farm Fire & Cas. Co., 69569-0-1, 2014 WL 2457236 (Wash. Ct. App. June 2, 2014). After discovering leaks from its underground storage tanks, the insured gas station owner undertook voluntary remediation efforts, including investigation and clean-up of soil and groundwater. The insured then notified the Washington Department of Ecology of the contamination, and DOE responded by sending a letter of acknowledgment, without any further clean-up instructions or demands. The insured tendered claims for defense and indemnification to its CGL insurers, whose policies provided that the insurers had the “duty to defend any suit against the Insured,” but did not define the term “suit.” The insurers denied coverage, asserting that no suit had triggered their duty to defend. The appellate court acknowledged that under Washington law, the term “suit” is ambiguous and may be broadly construed to include enforcement actions that are the “functional equivalent” of a lawsuit. But where DOE had not issued any letter on its own, and merely responded to the policyholder’s notification, the court held that there was no such functional equivalent, which must be “adversarial or coercive in nature.”   

D.C. Trial Court Holds That Securities Claims are Barred by Broadly Worded Professional Services Exclusion

Relying on a broadly worded professional services exclusion, the District of Columbia Superior Court recently held that a management liability policy did not cover defense costs arising out of securities lawsuits alleging various misrepresentations and investment mismanagement. Carlyle Investment Mgmt L.L.C. v. ACE Am. Ins. Co., No. 2013 CA 003190 B (D.C. Super. Ct. May 15, 2014). The underlying lawsuits alleged that the policyholders enticed investors into unsafe investments by falsely promising high returns with minimal risk, and then mismanaged investments in the face of deteriorating market conditions. The court held that each claim in the underlying complaints fit within the policy’s broad definition of excluded “professional services,” which included the rendering of investment management services. The policyholders argued that the exclusion was intended to only exclude coverage from services in the nature of those provided by lawyers and accountants, not “management liability” claims alleging acts, errors, or omissions in corporate governance. The court rejected this argument, applying the so-called “eight corners rule” by focusing solely on the policy language and allegations pleaded in the complaint. The court concluded that each of the underlying claims arose from the provision of “professional services,” as defined in the policy.

New York State Appeals Court Rejects Insurer’s Notice Argument on Potentially “Interrelated” Claims

On May 29, 2014, a New York state appeals court denied an insurer’s motion to dismiss its policyholder’s breach of contract claim under a D&O policy. Sirius XM Radio Inc. v. XL Specialty Ins. Co. and U.S. Specialty Ins. Co., No. 650831/13 (N.Y. App. Div. May 29, 2014). The insurer argued that the policyholder failed to provide timely notice concerning underlying lawsuits that alleged wrongdoing by directors and officers in connection with a merger. The appellate court rejected the insurer’s argument, holding that the policy was ambiguous as to whether the policyholder had to issue separate notifications to the insurer with respect to claims that were “interrelated” with prior, reported claims. The court also found that triable issues were raised by language in the policyholder’s primary policy, which allowed the primary insurer to deny coverage if the policyholder had previously notified other insurance companies that provided coverage in prior policy years.

Sixth Circuit Rejects Property Insurer’s Attempt to Reduce Actual Cash Value Payout Based on Market Value Decline

The Sixth Circuit recently held that a property insurer could not reduce the amount of its insurance payout by the decreased market value of the policyholder’s condominium, which had been destroyed by a fire. Whitehouse Condo. Grp., LLC v. Cincinnati Ins. Co., No. 13-2376 (6th Cir. June 17, 2014). The insurance policy defined “actual cash value” as the “replacement cost less a deduction that reflects depreciation, age, condition and obsolescence.” The issue before the court was the meaning of the undefined term “obsolescence”. The insurer contended that the term extended beyond functional obsolescence to include “economic obsolescence,” which means a loss of value due to external market factors. In the court’s words, the dispute was over whether the insurer “gets the benefit of a decrease in market values in Flint, Michigan.” The court rejected this argument and affirmed the trial court, finding that (i) the term “obsolescence” did not have a special meaning under the policy, (ii) the common understanding of the term did not include market decline, and (iii) any ambiguity in the insurance policy must be strictly construed against the insurer.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Orrick, Herrington & Sutcliffe LLP | Attorney Advertising
