Product Liability: An Update from the PLC
Group Pleading and Personal Jurisdiction: Strengthening the Defense in Mass Tort Cases
By P. Thomas DiStanislao
There are few rights more important to civil defendants—particularly corporate entities—than personal jurisdiction, which restricts “‘judicial power not as a matter of sovereignty, but as a matter of individual liberty,’” because “due process protects the individual’s right to be subject only to lawful power.” Id. (quoting Ins. Corp. of Ireland v. Campagnie des Bauxites de Guinee, 456 U.S. 694, 702 (1982)). In light of the Supreme Court’s recent decisions in Daimler AG v. Bauman Goodyear Dunlop Tires Ops., 571 U.S. 117 (2014)., S.A. v. Brown, 564 U.S. 915 (2011)., Walden v. Fiore, 571 U.S. 277 (2014)., and BNSF Railway Co. v. Tyrell, 137 S. Ct. 1549 (2017)., among others, this once tepid defense now has significant teeth.
When analyzing whether a plaintiff has sufficiently pleaded that the exercise of personal jurisdiction over a particular defendant is proper, courts must assess each defendant’s contacts with the forum separately. Calder v. Jones, 465 U.S. 783, 790 (1984); accord Rush v. Savchuk, 444 U.S. 320, 332 (1980) (“The requirements of International Shoe . . . must be met as to each defendant over whom a state court exercises jurisdiction.”) As the Supreme Court has emphasized, this is “a forum-by-forum, sovereign-by-sovereign analysis” that has to be satisfied for each claim against each defendant. J. McIntyre Machinery, Ltd. v. Nicastro, 564 U.S. 873, 884 (2011). In most cases, answering that question is a straightforward analysis: the plaintiff simply has to plead enough facts to tie the defendant to the forum State.
But in products liability cases against multiple parties—particularly in the mass tort or environmental context—this approach is often muddled by the sheer number of defendants being sued. More often than not, plaintiffs in those cases tend to err on the side of cursory jurisdictional allegations against each defendant, adopting a “group” or “aggregated” pleading approach where they lump all of the defendants together in a single allegation connected by multiple “and/or” clauses.
At first blush, this appears to be patently insufficient. After all, how can a court conduct a defendant-by-defendant analysis when all of the allegations are generic and indistinguishable among a large number of defendants? More to the point, how can defendants meaningfully challenge the court’s exercise of personal jurisdiction if boilerplate allegations are sufficient?
Nevertheless, some courts have found these types of pleadings sufficient to warrant jurisdictional discovery, if not the full exercise of personal jurisdiction altogether. A recent example comes from the United States District Court for the Eastern District of North Carolina, which reached that exact conclusion in its 2022 decision in Weaver v. 3M Co. No. 5:22-CV-116-FL, 2022 WL 17744491 (E.D.N.C. Dec. 16, 2022).
This approach is flawed for at least two reasons. For starters, it is a misapplication of governing principles of the personal jurisdiction analysis, effectively yielding any independent duty of the courts in protecting defendants’ due process rights to whatever allegations are in the plaintiff’s complaint, no matter how paltry they may be. Moreover, this approach is an outlier in the national trend disfavoring similarly deficient pleadings and finding they are not enough to satisfy the plaintiff’s burden of establishing personal jurisdiction.
In contrasting these approaches—and considering how courts ought to look at group pleadings generally for this purpose—this article first summarizes the court’s decision in Weaver. Then it highlights that decision’s analytical flaws and explains why it is an outlier.
The Weaver Approach: While Group Pleadings Aren’t Ideal, They May Be Enough
In Weaver, husband and wife plaintiffs brought suit against dozens of defendants alleging they were responsible for the husband’s lung cancer, which the plaintiffs suggest stemmed from cumulative exposure to asbestos.
In the operative Complaint, the plaintiffs broadly stated that the court
ha[d] personal jurisdiction over the Defendants because Plaintiffs [sic] claims arise from Defendants’ conduct in: (a) Transacting business in this State, including the sale, supply, purchase, and/or use of asbestos and/or asbestos-containing products, within this State; (b) Contracting to supply services or things in the State; (c) Commission of a tortious act in whole or in part in this State; (d) Having an interest in, using, or possessing real property in this State; and/or (e) Entering into a contract to be performed in whole or in part by either party in this State. Weaver v. 3M Co., No. 5:22-cv-116, Am. Compl. ¶ 2 (ECF No. 190) (emphases added).
The plaintiffs also alleged that their “claims . . . arise out of Defendants’ purposeful efforts to serve directly or indirectly the market for their asbestos and/or asbestos-containing products in this State, either through direct sales or through utilizing an established distribution channel with the expectation that their products would be purchased and/or used within North Carolina.” Id. ¶ 3 (emphases added). Finally, the plaintiffs claimed that “[a]ll of the named Defendants are foreign corporations whose substantial and/or systematic business in North Carolina caused injury to Plaintiffs in this State, which subjects them to the jurisdiction of the North Carolina courts pursuant to the North Carolina Long-Arm Statute and the United States Constitution.” Id. ¶ 4 (emphasis added).
One of the defendants, Eaton Hydraulics LLC (“Eaton”), moved to dismiss, arguing that the plaintiffs’ jurisdictional allegations were insufficient. In the Complaint, the only specific factual claim levied against Eaton was that it “developed, manufactured, marketed, distributed and/or sold products and/or equipment foreseeably designed to be used with asbestos-containing products and/or equipment, including, but not limited to, asbestos containing products, and hydraulic pumps.” Id. ¶ 29 (emphases added).
The crux of Eaton’s argument was that the plaintiffs had failed to allege any specific conduct that would subject it to personal jurisdiction in North Carolina courts. Emphasizing the “and/or” allegations, Eaton cited the Supreme Court’s decision in Bell Atlantic Corp. v. Twombly—a case establishing the standard for ruling on a motion to dismiss for failure to state a claim, not for lack of jurisdiction—for the proposition that plaintiffs have to include “more than labels and conclusions” in their allegations. 550 U.S. 544, 555 (2007). Thus, according to Eaton, the plaintiffs’ failure to allege distinct acts against it was patently deficient to establish personal jurisdiction.
The district court was not persuaded, holding instead that the plaintiffs “ha[d] alleged facts that could establish the requisite contacts with North Carolina to support specific personal jurisdiction,” which was enough at this stage of the litigation. 2022 WL 17744491, at *2. And despite the nebulous allegations, the court found that it could not “yet determine whether plaintiffs will meet their burden ultimately to prove the existence of a ground for jurisdiction by a preponderance of the evidence.” Id. (internal quotation marks and citation omitted).
As a result, the court denied Eaton’s motion without prejudice and ordered jurisdictional discovery. Plaintiffs entered a stipulation to dismiss Eaton less than two weeks later. Though this was undeniably a good result for Eaton, the court’s decision remains unchallenged, as the Fourth Circuit has now been deprived of an opportunity to weigh in.
The Majority Approach: Group Pleadings Cannot Establish Personal Jurisdiction as a Matter of Law
Fortunately, the Eastern District of North Carolina’s approach in Weaver appears to be the outlier. As a quick background, when conducting the personal jurisdiction analysis based on the contents of a complaint and supporting affidavits, courts agree that “the plaintiff has the burden of making a prima facie showing in support of its assertion of jurisdiction.” Universal Leather LLC v. Koro AR, S.A., 773 F.3d 553, 558 (4th Cir. 2014). And in deciding whether the plaintiff has done so, the court “must construe all relevant pleading allegations in the light most favorable to the plaintiff, assume credibility, and draw the most favorable inferences for the existence of jurisdiction.” Coombs v. Bakker, 886 F.2d 673, 676 (4th Cir. 1989). Still, the plaintiff must allege facts sufficient to establish the proper exercise of personal jurisdiction as to each claim against each defendant. See Fed. Ins. Co. v. Lake Shore Inc., 886 F.2d 654, 658 (4th Cir. 1989 (holding that courts should ask whether “the defendant’s conduct and connection with the forum [s]tate are such that he should reasonably anticipate being haled into court there.”).
Indeed, the Supreme Court made clear in its 1984 decision in Calder v. Jones that “[e]ach defendant’s contacts with the forum State must be assessed individually.” 465 U.S. at 790. To that end, in their 1980 decision in Rush v. Savchuk, the Justices held that a court errs when it considers the “‘defending parties’ together and aggregate[es] their forum contacts in determining whether it ha[s] jurisdiction.” Rush, 444 U.S. at 331. These decisions—neither of which was cited by Eaton or the Court in Weaver—appear to undercut the conclusion that group allegations are sufficient at the pleading stage so long as they “could” give rise to a finding of personal jurisdiction down the road.
Other district courts in the Fourth Circuit have rejected the same aggregated pleading accepted by the Weaver court as being sufficient for alleging personal jurisdiction. In its 2004 decision In re Royal Ahold N.B. Sec. & ERISA Litig., for example, the District of Maryland held that the plaintiffs’ inclusion of a defendant in their “broad group pleadings” without any allegation of “a single specific act taken by [him]” could not establish that the exercise of personal jurisdiction was proper. 3511 F. Supp. 2d 334, 354 (D. Md. 2004) (“The plaintiffs include Boonstra in their broad group pleadings and allege that he acted as a control person, but they fail to note a single specific act taken by Boonstra directed at the U.S. Consequently, this court lacks personal jurisdiction over defendant Boonstra and must dismiss all claims against him.”).
And the Seventh Circuit, Kinslow v. Pullara, 538 F.3d 687, 692–93 (7th Cir. 2008) (affirming dismissal where the plaintiff “fail[ed] throughout this litigation to look at each separate [defendant’s] contacts with Illinois and his assumption that the defendants could instead be treated as a group”), along with the United States District Courts for the Central District of California, Broidy Cap. Mgmt., LLC v. Qatar, No. CV 18-2421-JFW(Ex), 2018 WL 9943551, at *7 (C.D. Cal. Aug. 22, 2018) (holding that conclusory, “shotgun” allegations against “Defendants” are insufficient to establish personal jurisdiction); see also id. at *9 (denying request for jurisdictional discovery or leave to amend because the jurisdictional allegations were attenuated and based on bare assertions in the face of specific denials made by the defendants), District of Colorado, Goodwin v. Bruggeman-Hatch, No. 13-cv-02973-REB-MEH, 2014 WL 4243822, at *1 (D. Col. Aug. 27, 2014) (“Plaintiff’s sweeping, undifferentiated references to groups of defendant s(or even more globally to ‘defendants generally) are insufficient to . . . establish personal jurisdiction under this (or any) theory.” (citing Robbins v. Oklahoma, 519 F.3d 1242, 1250 (10th Cir. 2008) (“[t]he complaint [must] make clear exactly who is alleged to have done what to whom, to provide each individual with fair notice as to the basis of the claims against him or her, as distinguished from collective allegations[.]”)), District of Columbia, Elemary v. Philipp Holzmann A.G., 533 F. Supp. 2d 116, 122 (D.D.C. 2008) (holding that plaintiffs cannot “rely on conclusory allegations or “aggregate factual allegations concerning multiple defendants in order to demonstrate personal jurisdiction over any individual defendant” (internal quotation marks and citation omitted)); id. at 128–29 (granting motion because the “complaint asserts, in essence, that some defendants, somehow, concealed some facts from her, for some period of time”), District of Delaware, Truinject Corp. v. Nestlé Skin Health,, S.A., No. 19-592-LPS-JLH, 2020 WL 1270916, at *3 (D. Del. March 17, 2020) (“Truinject’s group pleading has resulted in a complaint that fails to meet its burden to allege sufficient facts to establish that this Court may properly exercise personal jurisdiction over Nestlé Skin Health, S.A.”), Northern District of Georgia, Peeples v. Carolina Container, LLC, No. 4:19-CV-00021-HLM, 2019 WL 12338070, at *6 n.3 (N.D. Ga. Apr. 3, 2019) (“It may be possible that this group of individuals included agents of [a defendant]. If that is true, however, Plaintiff needed to allege so specifically. Plaintiff’s ‘group pleading’ methods are not an acceptable way to establish personal jurisdiction over multiple defendants at once.”); Knieper v. Forest Grp. USA, Inc., No. 4:15-CV-0222-HLM, 2016 WL 9450454, at *5 (N.D. Ga. March 3, 2016) (finding the “use of group pleading” and merely listing out jurisdictional allegations against the defendants collectively was insufficient), Southern District of New York, Berdeaux v. OneCoin Ltd., 561 F. Supp. 3d 379 (S.D.N.Y. 2021) (“A plaintiff must carry his burden” of pleading personal jurisdiction “with respect to each defendant individually.”); In re Aegean Marine Petroleum Network, Inc. Sec. Litig., 529 F. Supp. 3d 111, 135 (S.D.N.Y. 2021) (“To allege personal jurisdiction over a defendant, group pleading is not permitted. Instead, the plaintiff is required to establish personal jurisdiction separately over each defendant.”); HSM Holdings, LLC v. Mantu I.M. Mobile Ltd., No. 20-CV-967, 2021 WL 918556, at *15 (S.D.N.Y. Mar. 10, 2021) (“In relying only on group pleadings, in which it conflates multiple parties and fails to provide specific allegations, plaintiff neglects its burden of establishing personal jurisdiction over each defendant.”); In re SSA Bonds Antitrust Litig., 420 F. Supp. 3d 219, 233 (S.D.N.Y. 2019) (“Allegations in the form of a group pleading are insufficient, even for affiliated corporate entities.”); Gerstle v. Nat’l Credit Adjusters, LLC, 76 F. Supp. 3d 503, 510 (S.D.N.Y. 2015) (rejecting conclusory allegations and finding lack of specificity is highlighted when plaintiffs use same boilerplate description for actions of multiple defendants), and Southern District of Texas, Head v. Las Vegas Sands, LLC, 298 F. Supp. 3d 963, 973 (S.D. Tex. 2018) (“[A] plaintiff must submit evidence supporting personal jurisdiction over each defendant, and cannot simply lump them all together.”), have all reached similar conclusions, finding group pleading insufficient.
Thus, it is clear that Weaver is an outlier, though it is not alone. Practitioners should be ready to confront either the majority or minority approaches. To that end, best practices in a Weaver-leaning court suggest that defense lawyers ought to cite jurisdictional cases—like those referenced here—in attempting to defeat group jurisdictional pleadings rather than Twombly or Iqbal, which do not apply in this context.
Conclusion
The majority approach makes the most sense both as a matter of practicality and to ensure all defendants’ fundamental rights are protected to a sufficient degree. For the personal jurisdiction defense to retain its bite—which the Supreme Court has shown a desire to sharpen over the last fifteen years—generic and indistinguishable allegations, alone, should never be enough to satisfy a plaintiff’s threshold burden.
P. Thomas DiStanislao is an attorney in Butler Snow’s Richmond, Virginia, office. He has extensive experience defending clients at both the trial and appellate stages of litigation. Before joining Butler Snow, Thomas spent three years clerking for Judge G. Steven Agee on the U.S. Court of Appeals for the Fourth Circuit and one year clerking for Judge Henry E. Hudson on the U.S. District Court for the Eastern District of Virginia. Thomas finished first in his class at the University of Richmond School of Law, where he served as Editor-in-Chief for the school’s Law Review.
Interested in joining the Product Liability Committee? Click here for more information.
Print this section
Print the newsletter
Cybersecurity and Data Privacy: Data and Security Dispatch
Emerging Class Action Risk: Does Use of Online Session Replay and Chat Features = Wiretapping?
By Laura Clark Fey and Will Davis
A wave of U.S. privacy litigation is targeting corporate usage of online session replay and chat features. The plaintiffs filing session replay and online chat class actions are alleging that use of such technologies violates wiretapping laws because users’ interactions and chat communications are being intercepted, used, and/or disclosed without their prior consent.
Session replay technologies can record website/mobile application users’ interactions with a website or mobile application. Data is often captured about a user’s clicks, mouse/screen scrolling, keystrokes, searches, and more. After the data is collected, a company and/or its third-party vendor can “replay” the user’s website/application “session” utilizing such data to better understand the user’s browsing behavior and habits on the company’s site.
Online/mobile chat features enable companies to communicate directly with their website/application users via chat boxes. It is common practice for companies to utilize chatbots to gather initial information from users and then to either connect users to a live customer service representative or have the chatbot answer users’ questions directly.
Plaintiffs’ lawyers have started to employ website “testers” to: (1) browse through targeted corporate websites/applications; and/or (2) communicate with a chat host via targeted corporate chat features. If a “tester” concludes that a company is allowing a third-party vendor to intercept, use, and/or disclose the tester’s website/application interactions or chat communications without the tester’s consent, plaintiffs’ lawyers file a lawsuit against the company and/or its third-party vendor alleging that users’ interactions with the website/application and/or the tester’s online chat communications are being intercepted, used, and/or disclosed in direct contravention of a wiretapping statute. Such violations can expose a company to both civil and criminal liability.
Overview of Wiretapping Law
There are wiretapping statutes at both the federal and state level. In 1967, the United States Supreme Court, in two separate decisions, found that a person’s Fourth Amendment right (i.e., the right against unreasonable searches and seizures) protects against the interception of a person’s communications when the person has a “reasonable expectation of privacy.” See Katz v. United States, 389 U.S. 347 (1967); Berger v. New York, 388 U.S. 41 (1967). In 1968, in direct response to these Supreme Court decisions and increased Congressional interest in the amount of wiretapping being performed by government agencies and private individuals, Title III of the Omnibus Crime Control and Safe Street Act (the “Wiretap Act”) was passed into law. The Wiretap Act originally protected against only “oral” and “written” communications. In 1986, Congress enacted the Electronic Communications Privacy Act (the “ECPA”) in order to supplement the Wiretap Act with additional protection against “electronic” wiretapping. The ECPA requires only one party to the communication to provide consent before the communication can be intercepted, used, and/or disclosed.
Many states began enacting wiretapping statutes around the same time or after the original Wiretap Act was enacted. Almost all states currently have wiretapping statutes in place. Most state statutes require the consent of only one party before a communication can be intercepted, used, and/or disclosed. However, there are states that require “all-party consent.”
Not surprisingly, the majority of session replay and chat technology cases filed to date are being filed in states with “all-party consent” wiretapping laws, including, but not limited to, laws in California (the California Invasion of Privacy Act (“CIPA”)), Pennsylvania (the Wiretapping and Electronic Surveillance Control Act (“WESCA”)), and Florida (the Florida Security and Communications Act). It is worth noting, however, that there have been some cases filed under one-party consent wiretapping laws (see e.g., Balanzar v. HP Inc., No. 3:22-cv-02030 (S.D. Cal. Dec. 22, 2022); Tucker v. Cabela’s, LLC, No. 6:22-cv-3288 (W.D. Mo. Nov. 9, 2022)).
Wiretapping statutes generally provide for a civil cause of action as a remedy against those who illegally intercept, use, and/or disclose a communication while in transit. Plaintiffs’ lawyers have been creative in using wiretapping laws as a vehicle for bringing claims falling well outside of the original purpose of such laws (i.e., protecting against unconstitutionally obtained criminal admissions). Because many of the wiretapping statutes have an “aiding and abetting” provision (or similar type of provision), plaintiffs’ lawyers have been suing not only the company’s third-party technology vendor (i.e., the interceptor), but also the company that owns the website/application (i.e., the abettor).
These cases are particularly attractive to plaintiffs’ lawyers because plaintiffs do not have to prove actual damages in order to recover damages. If a defendant intercepts, uses, and/or discloses a plaintiff’s communications without the plaintiffs’ consent, wiretapping statutes generally provide plaintiffs with a right to statutory damages (e.g., $5,000 per violation under CIPA).
A Brief History of Session Replay and Online Chat Feature Litigation
Beginning in 2018 and continuing into 2020, the first wave of session replay lawsuits were filed in California, Pennsylvania, and Florida courts. In this first wave, plaintiffs alleged that the use of session replay technology to track website users’ interaction behavior was a violation of applicable state wiretapping law. Many of the first wave cases were dismissed based on one or more of the following reasons: (1) website browsing is not a “communication” that can be intercepted, used, and/or disclosed; (2) third-party vendors cannot “intercept” a user’s “communication” from website browsing because the third-party vendor is an actual “party” to that “communication;” or (3) users do not have a reasonable expectation of privacy when browsing on a website. The total number of session replay lawsuits began to die down by the fall of 2021.
However, beginning in the spring of 2022, two United States Court of Appeals’ decisions opened the door for a new wave of session replay lawsuits. First, in May of 2022, Javier v. Assurance IQ, LLC, No. 21-16351, 2022 WL 1744107 (9th Cir. May 31, 2022) was decided. In this case, the United States Court of Appeals for the Ninth Circuit found that: (a) California’s wiretapping law, CIPA, is applicable to usage of session replay technologies; and (b) companies using session replay technologies must obtain a website users’ consent prior to recording the contents of any website user’s communications. Id. at *2.
Then, in August of 2022, the United States Court of Appeals for the Third Circuit followed Javier with a similar decision in the context of Pennsylvania’s WESCA. In this case, the Third Circuit vacated the district court’s granting of summary judgment in favor of the defendant. Popa v. Harriet Carter Gifts, Inc., 45 F.4th 687, 690-91 (3rd Cir. 2022). In overturning the district court, the Third Circuit found that: (a) WESCA applies to the usage of session replay technologies; and (b) third-party session replay vendors are deemed to be “intercepting” a plaintiff’s communications with a website under WESCA even if such communications are directly routed to a company’s third-party vendor’s own servers. Id. at 692-95. The Third Circuit rejected the Defendant’s argument that a third-party vendor intercepting a user’s interactions in live time is a “party” to the communication, and thus, there can be no liability for wiretapping. Id. at 695. The Third Circuit also re-enforced the decision in Javier that prior consent by a website user is required before any communications may be intercepted by a company’s third-party vendor. Id. at 698-99.
Status of Session Replay and Chat Communication Litigation
The Javier and Popa decisions resurrected the session replay cases. Opportunistic class action lawyers have also been filing lawsuits alleging that the interception, use, and/or disclosure of online chat communications without users’ prior consent violates wiretapping laws. A slew of additional session replay and new online chat communications lawsuits were filed in late 2022 and early 2023. Many of these newly filed cases are still pending, but they are in the early stages of litigation. It is noteworthy, however, that at least one court has denied a defendant’s motion to dismiss a CIPA claim in an online chat context (i.e., finding that plaintiff sufficiently pled a claim under CIPA alleging that defendant intercepted plaintiff’s online chat conversations in real time). See Byars v. Goodyear Tire and Rubber Co., 2023 WL 1788553 at *4 (C.D. Cal. Feb. 3, 2023). Because testers are continuing to check out corporate websites for potential new targets, it is important for corporate leaders to consider actions they could take now that would reduce the risk that their company will become the next target of session replay or online chat communication class action litigation.
Actions Corporations Can Take to Reduce their Risk of Becoming the Next Target
We are highlighting below actions you may want to take to minimize the risk of your company becoming the next target of a session replay and/or online chat communication class action lawsuit:
1. Develop a Thorough Understanding of Website/Application Technologies. Identify and analyze the technologies utilized on your corporate website[s] and application[s], including but not limited to session replay and online chat features. Consider potential class action risks posed by usage of such technologies, including risks of violating wiretapping laws or other laws that are currently being used as a vehicle for class action litigation targeting website and application technology practices, such as the Video Privacy Protection Act (VPPA).
2. Update Your Company’s Privacy Policy, as Necessary. Review your company’s privacy policy to confirm you are providing an accurate and complete privacy notice, in accordance with applicable laws, that covers, along with all other required information, all personal information collection, usage, disclosure, and storage practices, including, with respect to all website/application technologies. Update your company’s privacy policy as necessary.
3. Update Your Company’s Terms of Use, as Necessary. Review your company’s website and/or application terms of use. Identify opportunities to strengthen the terms of use, including but not limited to incorporating an arbitration clause and a class action waiver clause.
4. Obtain a Users’ Express Consent Prior to Their First Website/Application Interaction or Chat Communication. Obtain express consent from users before any personal information is collected for session replay purposes. If your company has an online/mobile chat feature, obtain separate express consent from users prior to permitting users to communicate with a chatbot or chat representative.
5. Properly Manage Consent. Manage consent processes. This includes not only obtaining and tracking the original collection of consent, but also permitting and tracking withdrawals of consent. Consider utilizing reliable consent management platforms to help manage consent. Retain consent records for the timeframe in which your company may be required to prove that a user’s consent was, in fact, received.
6. Enter into Appropriate Agreements with Third-Party Vendors. Enter into appropriate agreements with third-party vendors providing session replay and/or chat-related services. Confirm legal obligations are appropriately placed on the correct party. For example, consider whether it makes sense to place the obligation to obtain users’ consent on the third-party vendor. Also, confirm that liability and indemnity clauses are written in an appropriately protective manner.
7. Monitor Class Action Litigation Developments. Finally, as this latest wave of class action litigation moves forward, we recommend that you continue to monitor wiretapping case developments.
Laura Clark Fey, current chair of DRI’s Electronic Privacy Working Group and one of the first twenty-seven U.S. attorneys recognized as Privacy Law Specialists through the International Association of Privacy Professionals (IAPP), leads Fey LLC, a global data privacy and information governance law firm. She and her team help multinational and U.S. organizations develop and implement practical solutions to their unique data privacy and information governance challenges. Laura is the former Chair of DRI’s Cybersecurity and Data Privacy Committee. Laura also is a member of the inaugural class of IAPP Fellows of Information Privacy (FIP), a Certified U.S. and European Privacy Professional (CIPP US/E), and a Certified Information Privacy Manager (CIPM). The U.S. Department of Commerce and the European Commission selected her as an arbitrator in connection with the former E.U.-U.S. Privacy Shield Framework Binding Arbitration Program. Laura, who is also an IADC member, teaches Global Data Protection Law at the University of Kansas School of Law. She has also taught International Issues at Baylor Law School. Email: lfey@feyllc.com.
Will Davis is an associate attorney at Fey LLC. Will assists Fey LLC clients in addressing a wide variety of global privacy, information security, and information governance challenges. He is an IAPP certified U.S. and European Information Privacy Professional (CIPP/US/E) and an IAPP Certified Information Privacy Manager (CIPM). Will has also received the ACEDS eDiscovery Executive Certificate (eDEx). Email: wdavis@feyllc.com.
The authors would like to extend a special thank you to Blake Lines, Privacy Analyst at Fey LLC, for his contributions to this article.
Interested in joining the Cybersecurity and Data Privacy Committee? Click here for more information.
Insurance Law: Covered Events
Leadership Note - Advertising Injury and Personal Injury SLG
By Daniel I. Graham, Jr.
Edited by Allyson L. Moore, Associate at Sulloway & Hollis
The surreptitious recording of individuals. The posting of defamatory comments on social media. The unauthorized collection of biometric identifiers.As technology and communication methods advance, the question is asked: to what types of risks and exposures does a liability policy’s “personal and advertising injury” coverage apply? And each day, courts throughout the country are called upon to answer it.
The Advertising Injury and Personal Injury Subcommittee brings together practitioners throughout North America to share their experience with this developing body of case law. Our members offer their insights in DRI publications. We speak on cutting-edge topics at the Insurance Law Committee’s popular educational events, including the Insurance Coverage and Claims Institute and the Insurance Coverage and Practice Symposium.
If “personal and advertising injury” coverage issues pique your interest, come join the Advertising Injury and Personal Injury Subcommittee and get involved! For more information, reach out to me at dgraham@nicolaidesllp.com.
And if our subcommittee isn’t for you, please know that the Insurance Law Committee offers its members plenty of other subcommittees where they can learn, contribute, and participate. Come join us!
Daniel I. Graham, Jr. is a partner at Nicolaides Fink Thorpe Michaelides Sullivan. He is Chair of the Advertising Injury and Personal Injury Subcommittee.
Leadership Note - DRI’s Personal Lines Substantive Law Group
By Laurie C. Barbe
Edited by Allyson L. Moore, Associate at Sulloway & Hollis
DRI’s Personal Lines Substantive Law Group meets regularly throughout the year to discuss issues of importance to attorneys who handle personal lines claims arising under homeowners, flood, auto, renters, and other personal lines policies. We discuss court rulings, claim trends, upcoming DRI seminars and webinars of interest to the group, and publication opportunities. We are a fun and equal opportunity committee. Importantly, we get to see each other and catch up in person during DRI’s ILC seminars held throughout each year. Reach out if you have a fear of missing out!And the Academy Award Goes to. . .
By Laurie C. Barbe
Edited by Allyson L. Moore, Associate at Sulloway & Hollis
When insurance policies were first sold centuries ago (think London coffeehouses and meetings among merchants and ship owners), no one likely knew how much entertainment value they would later have. And while those early policies were designed to further the concept of beneficial risk spreading and personal protection, movies have sometimes portrayed insurance as something more sinister. This article will discuss a few of those movies and how insurance played a role, both big and small, and how the characters in them ranged from shysters to heroes. See Daniel Williams, 25 of the Best Insurance Movies, PropertyCasualty360 (Nov. 4, 2015), https://www.propertycasualty360.com/2015/11/04/25-of-the-best-insurance-movies/?slreturn=20 230215135543; https://www.insurdinary.ca/7-epic-movies-about-insurance.
Many are familiar with the box office hit movie The Rainmaker (1997), in which a very young Matt Damon (playing the role of a very young and very driven lawyer named Rudy) took on a corrupt insurance company (with a team of its own lawyers) after it refused to pay a medical claim. The insurance company could have been any business for that matter because Rudy was driven to right what he believed were several wrongs (the judicial system also took a hit) and perhaps save someone’s life. As the underdog, Rudy recognized and accepted the risks associated with challenging the insurance company and, in the end, carried the day. Oh, to be a fly on the wall if Rudy and Erin Brockovich were to ever meet. Contrast the storyline in The Rainmaker with the heartwarming romantic comedy Along Came Polly (2004), about a risk-averse life insurance salesman named Reuben (Ben Stiller). Unlike Rudy or the industry for which he worked, Reuben had to be convinced to take risks in order to win over a girl (Jennifer Aniston).
Going back a few years is a movie called Alias Jesse James (1959), about Jesse James and an insurance salesman (Bob Hope) who unknowingly sold a life insurance policy to Jesse. With all of the classic western movie features and a comic twist, this one takes you on the run with Jesse as the salesman tries to “protect” the insurer’s investment while avoiding Jesse’s underhanded attempts to fake his own death and collect on his investment. Courts may have been on Jesse’s side if doubts ever arose over the cause of his death. “[W]hen death happens under circumstances which make it doubtful whether it was caused by accident or suicide, the presumption is that it was accidental; and this presumption is sufficient, in the absence of evidence to the contrary, to sustain the burden of proof as to accidental death.” Jefferson Standard Life Ins. Co. v. Clemmer, 79 F.2d 724, 728 (4th Cir.1935). Keeping it in the way back machine is The Killers (1946), starring Burt Lancaster and Ava Gardner. This time an insurance investigator was tasked with tracking down a murdered man’s life insurance beneficiaries and, in the process, unraveled the dead man’s past that included hitmen, double-crossing mobsters, a set fire, lies, cheating, and a deathbed confession–– all in an effort to pay a $2,500 policy benefit!
Another movie with a similar storyline to The Rainmaker (in that it involved the denial of medical benefits) is John Q (2002), starring Denzel Washington. This movie delves deep into the health care system and follows a father’s desperate efforts to obtain life-saving heart surgery for his son. One can easily see the many sides of the antagonistic dispute between private insurance, federal plans, and personal finances that continues today. As an aside, New Line Cinema and Time Warner were sued, unsuccessfully, for copyright infringement by a man who claimed that he had written a screenplay “which derived from his experience with his sick child, who required serious heart surgery to avoid death at a time when [the man] did not have insurance to pay for it.” Tillman v. New Line Cinema Corp., 2008 WL 687222 (N.D. Ill. 2008), aff’d 295 Fed. Appx. 840 (7th Cir. 2008). Contrast that medical saga with The Fortune Cookie (1966), where Harry Hinkle (Jack Lemmon) and his attorney, Whiplash Willie Gingrich (Walter Matthau), concocted a fraudulent and deceptive plan to sue CBS, the NFL, and the Cleveland Browns for fake injuries so that Hinkle could obtain an insurance settlement and win back his ex-wife. Conflicting medical evidence, shots of Novocain, a crooked attorney, and misinformation were all part of Hinkle’s plan to pressure the insurance company into a settlement. Fortunately, a private detective hired to conduct surveillance and a guilt-ridden Hinkle eventually exposed the fraud.
Insurance is not just for the protection of cars, homes, merchants, businesses, and lives. It is what movies are made of and what makes people do just about anything for money, whether deservedly or not. So, grab your popcorn, turn on a movie, and read your insurance policies during the commercials. Those policies just might provide you with some context for your movie.
For a quick history lesson on insurance in America, take a look at “The History of Insurance in America” by Andrew Beattie at https://www.investopedia.com/articles/financial-theory/08/ american-insurance.asp
Laurie C. Barbe of Steptoe & Johnson PLLC represents insurance companies in response to first- and third-party insurance claims and defends individuals and businesses in claims involving personal injury, wrongful death, products liability and property damage. She has also been involved in appellate proceedings before the Supreme Court of Appeals of West Virginia and the United States Court of Appeals for the Fourth Circuit. She is co-leader of the firm's Insurance Company Team.
Interested in joining the Insurance Law Committee? Click here for more information.
Insurance Law: Covered Events (Cont.)
Lessons Learned from the Rust Shooting: What the Interpretation of the Term “Each” or “Per Occurrence” Means for the Defendants Named in the Numerous Rust-Related Lawsuits
By Taylor J. Kennedy
Edited by Allyson L. Moore, Associate at Sulloway & Hollis
On October 21, 2021, Alec Baldwin rehearsed a scene for the movie Rust in Santa Fe, New Mexico. The scene involved pointing what was believed to be a cold prop gun at the camera. Haley Yamada & Andrea Amiel, On-Set Prop Gun Supervisor Walks Through Safety Procedures, Industry Standards, ABC News (Oct. 26, 2021), https://abcnews.go.com/Entertainment/set-prop-gun-supervisor-walks-safety-procedures-industry/story?id=80780487 (a cold gun is an unloaded gun). While pointing the weapon at the camera, the gun discharged, striking cinematographer Halyna Hutchins and film director Joel Souza. Hutchins and Souza were taken to the hospital, where Hutchins succumbed to her injuries. Souza was released from the hospital the next day. What to Know About the Fatal Shooting on Alec Baldwin’s ‘Rust’ Movie Set, N.Y. Times (Feb 23, 2023), https://www.nytimes.com/article/alec-baldwin-shooting-investigation.html.
Within days of Hutchins’ passing, several news outlets began speculating on the legal ramifications of the shooting and the production company’s insurance coverage. Rust’s Certificate of Liability Insurance shows that the production company obtained one million dollars in coverage under its general liability policy and five million dollars in coverage under its umbrella policy. Accord Certificate of Liability Insurance for Rust Movie Productions LLC. Assuming what has been reported is correct and that, for the sake of this article, insurance policies from other production companies involved in Rust’s filming do not cover this incident, there is a total of six million dollars in coverage available for each occurrence.
Given the severity of the injuries associated with the shooting, news outlets predicted that there would be multiple lawsuits reaching a total in excess of the policy limits. See, e.g., Anthony McCartney, Stefanie Dazio & Lindsey Bahr, Legal, Insurance, Safety Issues Swirl Around ‘Rust’ Movie Set Shooting, Ins. J. (Oct. 28, 2021), https://www.insurancejournal.com/ news/national/2021/10/28/639522.htm; ‘Rust’ Movie Set Shooting Likely to Prompt Major Lawsuits, Experts Say, Burns & Wilcox (Nov. 10, 2021), https://www.burnsandwilcox.com/ insights/rust-movie-set-shooting-likely-to-prompt-major-lawsuits-experts-say/; ‘Rust’ Movie Set Shooting Will Cost Insurance Company Millions, Southern Md. Chronicle (Nov. 15, 2021), https://southernmarylandchronicle.com/2021/11/15/rust-movie-set-shooting-will-cost-insurance-company-millions/. It was further reported that the incident would cost the insurance company millions. ‘Rust’ Movie Set Shooting Will Cost Insurance Company Millions, supra.
The term/phrase “each/per occurrence” in the production company’s policies is particularly important because multiple injuries and claims are associated with the shooting. Marco Della Cava, Alec Baldwin Hit with Another ‘Rust’ Lawsuit: What we Know about all the Legal Challenges, USA Today (Feb. 28, 2023), https://www.usatoday.com/story/entertainment/movies/ 2023/02/28/alec-baldwin-rust-shooting-lawsuits-timeline/11367460002/. “Each” or “per occurrence” refers to a single “occurrence” or “accident.” What constitutes a single “occurrence” within the meaning of the policy differs depending on the facts and the jurisdiction.
Courts have defined a single occurrence or an accident in three different ways. The majority approach states “that to determine whether there is a single or multiple occurrence or accident within the meaning of the policy limits clause of a liability policy, one must look to the cause or causes of the accident or occurrence.” Michael P. Sullivan, What Constitutes Single Accident or Occurrence within Liability Policy Limiting Insurer’s Liability to a Specified Amount per Accident or Occurrence, 64 A.L.R. 4th. 688 (1988). This approach is commonly referred to as the cause theory.
Another approach courts use states “that the phrase ‘per occurrence’ in a limitation of liability clause in a liability policy refers, not to the cause of the occurrence nor to the effect of the occurrence, but to the event which triggered liability, that is, the act or acts of the insured which subjected it to liability.” Id. This approach is commonly referred to as the event theory.
At least two courts use the third approach, i.e., the effect theory. Under the effect theory approach, the term “per occurrence refers to the effect of the accident or occurrence, thus making the entire policy limits available to each injured or damaged party.” Id.
Six civil suits arising from the Rust shooting have been filed. Of the six suits filed, only one has been settled-- the wrongful death suit brought by Matthew Hutchins, and that suit resolved for an undisclosed amount. Marco Della Cava, Alec Baldwin Hit with Another ‘Rust’ Lawsuit: What we Know about all the Legal Challenges, USA Today (Feb. 28, 2023), https://www.usatoday.com/story/entertainment/movies/2023/02/28/alec-baldwin-rust-shooting-lawsuits-timeline/11367460002/. The six lawsuits have been filed in both New Mexico and California and there are nine plaintiffs. All nine plaintiffs claim that they have suffered personal injury as a result of the shooting and cite numerous acts of negligence.
California defines per occurrence under the majority approach––the cause theory. Westport Insurance Corporation v. California Casualty Management Co., 249 F. Supp. 3d 1164 (N.D. Cal. 2017), judgment corrected on other grounds, 2017 WL 2335374 (N.D. Cal. 2017) (applying California law) (Under California law, the term “occurrence” under an insurance policy is defined by the event or events that caused the injury rather than the injury itself. New Mexico appears not to have adopted an approach for determining what constitutes a single occurrence under an insurance policy). However, New Mexico courts have interpreted the term “single occurrence” under their Torts Claims Act. Folz v. State, 797 P.2d 246, 254 (N.M. 1990) (There is a single occurrence under the New Mexico Torts Claim Act when a series of acts and/or omissions contribute to a unitary risk and only one triggering event occurred giving rise to liability). That “single occurrence” interpretation aligns closely with the liability-triggering event theory approach.
Under California law, there is a single occurrence where there is one proximate, uninterrupted, and continuing cause that resulted in all the injuries and damages. State v. Continental Ins. Co., 169 Cal. App. 4th 1114, 88 Cal. Rptr. 3d 288 (4th Dist. 2009), as modified on denial of reh’g, 2009 WL 189551 (Cal. App. 4th Dist. 2009), review filed, (Feb. 13, 2009) (Pursuant to the cause test, there is a single occurrence under a liability policy when there is one proximate, uninterrupted, and continuing cause which resulted in all the injuries and damages). While the Rust shooting plaintiffs allege numerous acts and omissions caused the shooting, plaintiffs’ claimed injuries resulted from the single discharge of a loaded gun. Thus, there is likely only one occurrence in accordance with the cause theory approach.
Under the liability trigger event theory approach, which most closely aligns with New Mexico law, the numerous acts and omissions plaintiffs claim caused the shooting are not considered. There is only one liability-triggering event, the accidental discharge of a weapon on set. Under this approach, there is likely only one occurrence.
As stated previously, six million dollars is available under the production company’s two insurance policies for an “occurrence.” Assuming the five remaining suits result in judgments for the plaintiffs, the plaintiffs’ judgments may exceed the six-million-dollar policy limit. If that occurs, the named defendants found liable to the plaintiffs are at risk of being held financially responsible for any remaining uninsured damages.
Halyna Hutchins’ death highlights the importance of comprehensive coverage. As productions get larger and the stunts associated with them get riskier, the risk of injury or death on set continues to increase. Matt Stiles & Anousha Sakoui, Film Set Fatalities Rise in Last Decade as Production Booms, LA Times (Nov. 4, 2021), https://www.latimes.com/entertainment-arts/business/story/2021-11-04/film-set-fatalities-jump-in-last-decade-as-a-production-booms. Obtaining comprehensive insurance coverage for a film is essential to protect the film’s employees, independent contractors, producers, investors, and the production itself.
Insurance And Information Security Culture: Professional Liability Insurance Coverage Lacking for Social Engineering Attacks Committed by Third Parties
By Brian Bassett and Danielle Kegley
Edited by Allyson L. Moore, Associate at Sulloway & Hollis
It is widely reported that the frequency as well as the costs flowing from social engineering attacks on companies and other organizations are at an all-time high. Who bears these costs? Impacted policyholders that provide professional services may look to their professional liability insurers for coverage of these losses.
Professional liability policies, however, generally only provide coverage for those risks that are inherent in the practice of the insured’s professional services. In evaluating coverage for social engineering attacks, professional liability carriers should not only look to the language in their policies’ insuring agreements, but exclusions that are frequently found in such policies.
What Are Social Engineering Attacks?
Social engineering attacks typically involve third-party actors trying to “hack” the people within organizations using psychological manipulation and relying on human error to extract confidential information for a big payday. What is Social Engineering? Attacks and Prevention, Crowdstrike (Aug. 18, 2022), https://www.crowdstrike.com/cybersecurity-101/social-engineering-attacks/. Phishing, SMSishing, spear phishing, baiting, quid pro quo, pretexting, tailgating—these are all types of social engineering attacks committed by third parties.
These attacks use various media, such as emails, websites, SMS or video to induce individuals to act and disclose confidential information. These often appear to be from an outside entity, such as a bank, delivery or government agency, or from an internal department within the target’s own company, such as human resources, information technology or finance. Id.
Fraudsters then use confidential information obtained from the attack in order to divert funds from these companies and/or their clients. This article focuses on “phishing” attacks. One example of a “phishing” attack involves the situation wherein a third-party hacks an employee’s email account and then sends spoofed emails with fake invoices to the company’s clients to divert funds. Once the funds have been diverted, the victim companies are then exposed to claims by their clients, for example, with no opportunity for recovery against the fraudster.
Professional Liability Policies Should Not Cover the Diverted Funds and Associated Costs of Social Engineering Attacks
Professional liability carriers evaluating coverage for claims involving social engineering attacks, like the ones described above, should first consider whether these claims fall within the insuring agreements of the relevant policies by satisfying the definition of “professional services.” Insurers should then also evaluate whether such claims are also excluded by theft or misappropriation exclusions.
These Claims Do Not Involve an Insured’s “Professional Services”
Courts generally recognize that professional liability policies do not afford coverage where the alleged acts do not arise out of the rendering or failure to render covered professional services. See, e.g., 7A John Appleman, Insurance Law & Practice § 4504.01, at 310 (Bender rev. ed. 1979). Thus, the main question is whether there is a wrongful act arising out of the insured company’s covered “professional services.” In the example of a third-party sending spoofed emails with fake invoices to a company’s clients through a hijacked employee’s email account, the act at issue (i.e., sending fake invoices to the insured company’s clients) arose from an act of a third-party, such that it could not involve the insured company’s “professional services.”
Circumstances may arise, however, when an insured is sued and faces claims that it acted negligently in preventing the attack. In that scenario, the focus is on whether the negligent act of the insured involved the rendering of its “professional services.” See, e.g., Mut. Assurance Adm'rs v. United States Risk Underwriters, 993 P.2d 795 (Okla. Ct. App. 1999) (finding no coverage because the alleged acts were not of those wrongful acts contemplated by the professional liability policy). As discussed below, insurance companies have a strong argument that such acts do not, in fact, involve an insured’s rendering of “professional services.”
It is a generally accepted principle of professional liability coverage law that not every action professionals take in the course of providing professional services are “professional services.” Rather, an act will only constitute a “professional service” when the professional utilizes his or her professional knowledge, experience, and training in taking some action. See Gulf Coast Env't Sys., LLC v. Am. Safety Indem. Co., No. 4:13-CV-539, 2015 U.S. Dist. LEXIS 75551 (S.D. Tex. June 11, 2015); First Mercury Ins. Co. v. Shawmut Woodworking & Supply, Inc., 48 F. Supp. 3d 158, 174-75 (D. Conn. 2014); Gen. Ins. Co. of Am. v. City of New York, No. 04 CIV. 8946 (JCF), 2005 U.S. Dist. LEXIS 35864 (S.D.N.Y. Dec. 23, 2005); Food Pro Intl., Inc. v. Farmers Ins. Exch., 169 Cal. App. 4th 976, 991 (2008); S.T. Hudson Engineers, Inc. v. Pennsylvania Nat'l Mut. Cas. Co., 909 A.2d 1156, 1165–66 (N.J. Super. Ct. App. Div. 2006); Am. Nat’l Prop. & Cas. Co. v. Select Mgmt. Grp., LLC, 528 F. Supp. 3d 1188, 1198–99 (N.D. Okla. 2021); Penn. Nat’l Mut. Cas. Ins. Co. v. Roberts Bros., 550 F. Supp. 2d 1295, 1306–08 (S.D. Ala. 2008); St. Paul Fire & Marine Ins. Co. v. Era Oxford Realty Co. Greystone, LLC, 572 F.3d 893, 899 (11th Cir. 2009).
Consider, for instance, a law firm facing claims of negligence in failing to prevent an unknown third-party from hacking its email system and providing fraudulent wire transfer instructions to a client. Insureds generally have the burden of proving a policy provides coverage for a claim. Therefore, the law firm in this scenario would need to prove that the deficiencies in its internal security systems leading to the business email compromise involved the professional knowledge, experience, or training of lawyers. Finding that such actions constitute “professional services” would improperly expand professional liability coverage beyond its intended scope and provide coverage for all aspects of an insured’s business operations.
Next, contrast that situation to one where there is a physical break in into a law firm’s brick and mortar office. During the break in, the attacker replaced an authentic physical check to a client with a fraudulent one. After processing the fraudulent check, the law firm is then sued by a client for negligently permitting the theft to occur and negligently retaining a security company to protect its premises. Under this scenario, it seems a little clearer that the underlying loss would not arise from the performance of “professional services” as a lawyer. Rather, it would arise from the law firm’s failures in keeping its premises safe from intruders.
Professional liability policies only provide coverage for claims arising from an insured’s “professional services,” and are not meant to function as commercial crime or cyber policies, which are expressly designed to respond to such claims. Professional liability policies are also not underwritten to provide coverage for all aspects of an insured’s business. Insurance companies, therefore, have a strong argument that coverage does not exist for social engineering attacks under a professional liability policy.
Application of Theft or Misappropriation Exclusions
When evaluating coverage for social engineering claims, professional liability carriers should also consider the application of theft or misappropriation of funds exclusions. Such exclusions typically preclude coverage for claims arising out of the actual or alleged theft, stealing, conversion, commingling, embezzlement or misappropriation of funds or monies.
Recently, courts have enforced these types of exclusions and held that they preclude coverage for theft or misappropriation of funds caused by social engineering schemes or attacks. See Authentic Title Servs. v. Greenwich Ins. Co., No. 18-4131 (KSH) (CLW), 2020 U.S. Dist. LEXIS 215018, at *14–15 (D.N.J. Nov. 17, 2020) (exclusion for any claim “based upon or arising out of . . . the commingling, improper use, theft, stealing, conversion, embezzlement or misappropriation of funds or accounts” barred coverage for a title insurance agent’s loss of more than $480,000 after the agent was tricked into sending the funds to a fraudster posing as an employee of a mortgage lender); Attorneys Liab. Prot. Soc’y, Inc. v. Whittington Law Assocs. PLLC, 961 F. Supp. 2d 367 (D.N.H 2013) (exclusion for claims arising out of “[a]ny conversion, misappropriation or improper commingling by an person of client or trust account funds or property” precluded coverage for an underlying loss against an insured law firm due to a Nigerian check scam in which the insured was fraudulently induced to deposit a check into the insured’s bank account and then wire the majority of the funds to a foreign bank); Landmark Am. Ins. Co. v. Esters, No. 2:20-CV-1263, 2022 U.S. Dist. LEXIS 97119, at *14 (W.D. La. May 3, 2022) (exclusion for “commingling, conversion, misappropriation or defalcation of funds or other property, or the inability or failure to pay, collect, disburse, or safeguard any funds held by an Insured” applied to “theft claims” but not to “non-theft claims” alleged); Res. Real Estate Servs., LLC v. Evanston Ins. Co., No. CV GLR-16-168, 2017 WL 660800, at *1 (D. Md. Feb. 17, 2017) (exclusion for claims “arising out of any actual or alleged conversion, misappropriation, commingling, defalcation, theft, disappearance, [or] insufficiency in the amount of escrow funds, monies, monetary proceeds, funds or property, or any other assets, securities, negotiable instruments or any other thing of value” precluded coverage for a scheme perpetrated by a fraudster that hacked into the email account of the insured’s client).
It is important for insurers to review the specific language of theft exclusions. Some exclusions may only apply to theft committed by “an insured,” whereas other exclusions may apply to theft committed “by any person,” including third parties. Some provisions are silent as to who must have committed the theft for the exclusion to apply. See ABL Title Ins. Agency, LLC v. Maxum Indem. Co., No. 15-7534 (CCC), 2022 U.S. Dist. LEXIS 61391 (D.N.J. Mar. 31, 2022). Where the exclusion is silent as to the applicable actor, insurers have an argument that these exclusions include acts committed by both the insured and by third parties, based on other exclusions in the policies that include language confining their application to acts “by the insured.” See id.
For instance, in ABL Title Ins., the exclusion at issue provided that there was no coverage for claims based upon or arising out of commingling, conversion, misappropriation, or defalcation of funds or other property. Id. The court agreed with the insurer that the exclusion directly addressed the factual scenario where funds were wired to third-party scammers who had no entitlement or right to the funds, and therefore engaged in an act of conversion under New Jersey law when it defrauded the title agency. Id. at *12–13. The title agency sought coverage for claims made by the parties whose checks from the title agency had bounced or whose payments could not be made because the title agency had insufficient funds in its escrow account to cover the disbursements. Id. The court, therefore, held that the exclusion applied to preclude coverage, even though it was not the insured who committed the conversion. Id.
Insurers will have the burden to prove that these exclusions apply, such that they will need to establish a causal relationship between the claims asserted against their insureds and the alleged or actual theft or misappropriation of funds in order to disclaim coverage to their insureds on this basis.
As discussed above, the purpose of social engineering is to divert funds from a company or its clients through the extraction of confidential information. Thus, it would follow that theft or misappropriation exclusions exclude such claims from coverage under professional liability policies.
Practical Application
Professional liability policies are not designed to provide coverage to policyholders for social engineering schemes, as evidenced by the language in their insuring agreements and exclusions. That does not mean that professionals cannot procure insurance to cover these claims. There are many standalone polices or endorsements available to organization that are specifically tailored to respond to these kinds of social engineering matters. As social engineering schemes persist, courts will continue to address these issues in the context of professional liability policies and other liability policies. For now, courts have sided with professional liability carriers in denying coverage for these claims.
Brian Bassett is a partner and Danielle Kegley is an associate in Traub Lieberman’s Chicago office. Brian and Danielle focus their practice on litigating and managing insurance coverage disputes involving several lines of insurance across jurisdictions nationwide. Brian is the Vice Chair of the Professional Liability SLG of the DRI Insurance Law Committee. Danielle recently became a member of DRI and is excited to become more involved with the DRI community.
Interested in joining the Insurance Law Committee? Click here for more information.