Covered Events

The parties disputed the manner in which the policies were exhausted.  Montrose argued in favor of vertical exhaustion, whereby it could access any excess policy once the limits of liability of the underlying policies within the same policy period were exhausted.  The insurers, however, advocated for horizontal exhaustion, pursuant to which Montrose was required to exhaust policies with lower attachment points for all policy periods before any excess policy was triggered.  The trial court agreed with the insurers, recognizing the “well-established” California rule that “horizontal exhaustion should apply in the absence of policy language specifically describing and limiting the underlying insurance.”  Id. at 1206.  In response, Montrose filed a petition for a writ of mandate, which the court of appeals denied.  The California Supreme Court, however, granted Montrose’s petition for review and transferred the case back to the Court of Appeals, along with an order to show cause as to why the court of appeals should not grant the relief Montrose sought.  Ultimately, the court of appeals affirmed the trial court’s holding on the basis that the “plain language of many of the excess policies purchased by Montrose provide that they ‘attach not upon exhaustion of lower layer policies within the same policy period, but rather upon exhaustion of all available insurance.’”  Id., quoting Montrose Chemical Corp v. Superior Court, 222 Cal. Rptr. 3d 748, 763 (Cal. Ct. App. 2017).

The California Supreme Court, however, held that based on the policy language and the doctrine of reasonable expectations, vertical exhaustion was appropriate, and thus, Montrose could access any excess policy once it had exhausted the limits of liability of the “directly underlying excess policies with lower attachment points.”  Id. at 1206.  The Montrose court noted that the excess insurer called upon to indemnify could seek contribution from other insurers that provided coverage during the same policy periods.

In so ruling, the Montrose court began its analysis by recognizing that with respect to continuous and progressive injuries or damages spanning multiple years, California courts apply the “continuous trigger” rule of coverage and the “all sums” allocation doctrine.  Id. at 1207.  Additionally, when the loss exceeds the limits of liability of any one policy, California courts have adopted an “all-sums-with-stacking indemnity principle,” pursuant to which the insured may seek indemnity under every policy that covered a portion of the loss, up to the limits of liability of each policy.  Id.  Effectively then, the limits of liability from different policy periods form “‘one giant ‘uber-policy’ with a coverage limit equal to the sum of all purchased insurance policies.’”  Id., quoting State of California v. Continental Ins. Co., 281 P.3d 1000, 1008 (Cal. 2012).  The Montrose Court considered the application of horizontal or vertical exhaustion a corollary issue to the “all-sums-with-stacking indemnity principle” and posed the following question: “Having adopted an all-sums-with-stacking approach to the coverage of long-tail injuries, we are now presented with a follow-on question: In what order may an insured access excess policies from different policy periods to cover liability arising from long-tail injuries?”  Id. at 1208.

In addressing this question, the Montrose court noted that the insurers’ interpretation of the “other insurance” provisions as evidencing a horizontal exhaustion requirement was “not an unreasonable one.”  Id. at 1210.  However, according to the Montrose court, the “other insurance” clauses did “not speak clearly to the question before us,” as such clauses did not specify that the insured needed to exhaust all policies with lower attachment points for different policy periods.  Id. at 1212.  There were, however, aspects of the excess policies that “strongly suggest[ed] that the exhaustion requirements were meant to apply to directly underlying insurance and not to insurance purchased for other policy periods.”  Id.  The “most obvious[ ]” aspect was the reference to the specific dollar amount of the underlying policies in the same policy period.  Id.  The Montrose court also pointed to the schedules of underlying insurance, which only listed policies in the same policy period.  Id.

Interestingly, the most important consideration for the Montrose court was not the policy language, but rather the “administrative burden” of spreading multiyear losses across policy periods.  According to the Montrose court, it was unfair for the insured to shoulder this burden as it would ostensibly be required to litigate coverage for every policy layer.  Id. at 1214.  But there was “no obvious unfairness” to excess insurers having them “bear this administrative burden” under vertical exhaustion.  Id.

Impact of Montrose

Montrose follows other recent decisions applying vertical exhaustion to long-tail claims, which arguably makes excess policies high up the “coverage tower” easier to access for multi-million-dollar losses.  For example, the New York Court of Appeals in In re Viking Pump, Inc., 52 N.E.3d 1144 (N.Y. 2016), ruled that all sums allocation and vertical exhaustion applied in a coverage dispute over numerous asbestos liability claims.  In that case, the court propounded that “vertical exhaustion is more consistent than horizontal exhaustion with [policy] language tying attachment of the excess policies specifically to identified policies that span the same policy period.”  Id. at 1156.  Though the court recognized that there was authority for the insurers’ position that the “other insurance” clauses compel application of horizontal exhaustion, the court ultimately held that such clauses are “not implicated in situations involving successive—as opposed to concurrent—insurance policies.”  Id.

In another coverage suit arising from the insured’s liability for asbestos exposure, William Powell Co. v. OneBeacon Insurance Co., 162 N.E.3d 927 (Ohio Ct. App. 2020), the Ohio Court of Appeals held that the schedule of underlying insurance supported the application of vertical exhaustion.  In so ruling, the appellate court reasoned that vertical exhaustion was consistent with the court’s application of exposure theory for trigger and all sums allocation methods.

These recent string of cases by no means implies that courts are unanimous in their application of vertical exhaustion.  See, e.g., Dow Corning Corp. v. Cont’l Cas. Co., Case No. 200143, 1999 WL 33435067 (Mich. Ct. App. Oct. 12, 1999) (applying horizontal exhaustion, as the “other insurance” clause “clearly supports defendants’ argument, since any triggered primary or lower-level excess policies constitute ‘other valid and collectible insurance ... covering a loss also covered by this policy.’”); Mayor & City Council of Baltimore v. Utica Mut. Ins. Co., 802 A.2d 1070 (Md. Ct. Spec. App. 2002) (applying horizontal exhaustion, as it was consistent with the court’s application of continuous trigger and pro-rata allocation).  Moreover, though one should be cognizant of Montrose and similar cases such as Viking and William Powell, they certainly do not adopt a bright line rule in favor of vertical exhaustion.  As always, it is best to evaluate each claim and policy on their own merits.

Tanya M. Murray is a member of Plunkett Cooney’s Insurance Coverage Law Practice Group who represents and counsels insurers in complex insurance coverage disputes involving liability policies.  Ms. Murray provides advice regarding coverage issues arising from product liability, construction defect, catastrophic injury, and environmental liability. She also litigates coverage disputes arising from a variety of claims, including environmental contamination and construction defect, as well as the defense of insurers in bad faith claims.

Essential Concepts

Some understanding of reinsurance vocabulary is essential to the discussion that follows.  Reinsurance is insurance for insurance companies.  The insurance company that buys reinsurance—the ceding carrier—is called the cedent.  The insurance company that sells reinsurance coverage is called the reinsurer.

The contracts between a cedent and its reinsurer can have different names.  At a very basic level, a facultative reinsurance contract (sometimes called a facultative certificate) reinsures specific insurance policies for a specified period of time.  A treaty reinsurance agreement (sometimes called a program) reinsures multiple policies, and can encompass several policy periods; the point is that the treaty automatically covers a defined class of underlying policies, and does not have to be renegotiated. 

In almost all cases, the cedent and its reinsurer owe one another a duty of uberrimae fidei, or “utmost good faith.” See, e.g., Compagnie de Reassurance d’Ile de France v. New England Reinsurance Corp., 944 F. Supp. 986, 992-93 (D. Mass. 1996).  Two doctrines, which are separate but related, spring from that duty and are a part of virtually every reinsurance relationship.  First, the “follow the fortunes” doctrine requires reinsurers to accept their cedent’s good-faith decisions about whether a particular loss is covered by the underlying policy.  Second, the “follow the settlements” doctrine requires reinsurers to abide by their cedents’ good-faith decisions to settle, rather than litigate, claims against those underlying policies. See, e.g., Commercial Union Ins. Co. v. Seven Provinces Ins. Co., 9 F. Supp. 2d 49, 66 (D. Mass. 1998).  These traditional obligations are sometimes expressly incorporated into the reinsurance agreement.

Right to Associate Clauses

The “follow the settlements” doctrine requires the reinsurer to cover settlements made by the cedent, so long as those settlements are not fraudulent, collusive, or made in bad faith. See id.  As a result, reinsurance contracts may contain language that grants the reinsurer rights about the handling of the underlying claim.  These clauses are more likely to appear in facultative contracts than in treaty programs.  In sum and substance, the “right to associate” is the right of a reinsurer to “consult with and advise the reinsured in its handling of a claim.” See Unigard Sec. Ins. Co. v. N. River Ins. Co., Inc., 594 N.E.2d 571, 575 (N.Y. 1992).

The scope of these clauses varies substantially, but they might take the following form:

Prompt notice shall be given by the reinsured to the reinsurer of any occurrence which appears likely to involve this reinsurance, and while the reinsurer does not undertake to investigate or defend claims or suits, it shall nevertheless have the right and be given the opportunity to associate with the reinsured at the reinsurer’s expense in the defense and control of any claim, suit, or proceeding which may involve this reinsurance, with the full cooperation of the reinsured.

B. Ostrager & M.K. Vyskocil, Modern Reinsurance Law and Practice § 6.02 (2000).

A “right to associate” is not the right to control the investigation and defense of a claim, and it does not necessarily give the reinsurer the right to control settlement. See Unigard, 594 N.E.2d at 574; see also British Ins. Co. of Cayman v. Safety Nat’l Cas., 335 F.3d 205, 214 (3d Cir. 2003).  Indeed, the purpose of most “association” clauses is to give the reinsurer information about the underlying claim, not to compel the reinsurer to undertake to investigate or defend claims or suits.

The cases tend to focus on two elements of the association clause.  First, they consider whether late notice by the cedent impairs the reinsurers’ contractual rights, such that performance under the reinsurance contract is excused.  The modern trend has been to require the reinsurer to demonstrate prejudice caused by its inability to exercise its right to associate.  New York’s courts, for example, adopted a notice-prejudice rule in the reinsurance relationship long before the notice-prejudice rule was applied to direct insurance policies by statute.  See Unigard Sec. Ins. Co. v. N. River Ins. Co., Inc., 594 N.E.2d 571, 574–75 (N.Y. 1992); Utica Mut. Ins. Co. v. Fireman's Fund Ins. Co., 287 F. Supp. 3d 163, 172 (N.D.N.Y 2018). See also British Int‘l Ins. Co. of Cayman v. Safety Nat. Cas. Corp., 335 F.3d 205 (3rd Cir. 2003)(The Third Circuit stated that it believed that the Supreme Court of New Jersey would follow the rule set forth in Unigard and would rule that, under New Jersey law, a reinsurer must show the likelihood of appreciable prejudice in order to prevail on a late notice defense asserted against its reinsured.:  “Since a reinsurer is not obligated to investigate, litigate, settle or defend claims, the failure to give the required prompt notice is of substantially less significance for a reinsurer than for a primary insurer.  Consequently, prompt notice is not as critical to a reinsurer as it is to a primary insurer, and ritualistic adherence to prompt notice clauses in reinsurance contracts in the absence of prejudice to the reinsurer does little more than provide the reinsurer with a convenient and inequitable avenue to escape from its obligations under its policy with its reinsured.”)(internal citations omitted.) There is a minority view, however, mainly in older decisions, holding that a cedent’s failure to abide strictly by a provision that expressly made timely notice a condition precedent to liability precluded coverage under the reinsurance agreement.  See, e.g., Liberty Mut. Ins. Co. v. Gibbs, 773 F.2d 15 (1st Cir. 1985).

Second, the cases consider whether the reinsurer’s exercise of its association rights exposes the reinsurer to bad-faith and other direct claims.  Courts in New York and Pennsylvania have articulated a rule that reinsurers cannot be subject to bad-faith claims, because the reinsurer is not responsible for providing a defense to the cedent’s policyholder and therefore has no ability to control settlements.  See, e.g., Unigard, 594 N.E.2d at 574; Reid v. Ruffin, 469 A.2d 1030 (Pa. 1983).  An older case from the Fourth Circuit, however, held that the cedent and the reinsurer were “unquestionably” engaged in a joint enterprise when the reinsurer had full knowledge of settlement negotiations with the underlying claimant, even though the reinsurer had never formally exercised its right of association, such that the reinsurer was liable for its proportionate share of an excess verdict.  See Peerless Ins. Co. v. Inland Mut. Ins. Co., 251 F.2d 696 (4th Cir. 1958). (The New York Appellate Division declined to follow Peerless in U.S. Fid. & Guaranty Co. v. American Re-Ins. Co., 93 AD 3d 14, 28 (N.Y. App. Div., 1st Dept. 2012).  The court stated that that there is no evidence before it that the reinsurer had participated in the handling of insured Western MacArthur's claim against USF&G, or acquiesced in USF&G's strategy to deny that the underlying policies provided coverage to Western MacArthur.  The court further stated that “[e]ven if defendants had participated, a ‘follow the fortunes’ clause does not serve to create coverage where there is none.”)

Claim Control Clauses

A “claim control” clause can be a part of a “right to associate” clause, as the example quoted above shows.  Sometimes called a “claim cooperation” clause, the effect is to give the reinsurer either the option, or the obligation, to exercise actual control over all or a portion of the claim handling process.  The clause may, depending on how it is written, give the reinsurer the right to consent to settlement, or the right or obligation to investigate, adjust, or resolve claims.  Because the clause gives the reinsurer the right to exercise actual control over the claim, the related notice provisions may specify a fairly short timeframe and a particular form of notice.  The clauses tend to appear more frequently in reinsurance agreements where the cedent has retained little or no risk.

For “claim control” clauses, as distinguished from “right to associate” clauses, timely notice of the claim can be critical.  The issue has received mixed treatment in the United Kingdom.  What case law exists in the United States has tended to apply the notice clauses strictly.  In La Reunion Francaise v. Martin, 101 F.3d 682 (2d Cir. 1996) (unpublished), for example, the Second Circuit affirmed an arbitration award ruling that a claims-control clause required only that the reinsurer indemnify its cedent for expenses incurred after the date on which the reinsurer instructed the cedent on how to handle the claim.

A reinsurer should carefully consider how and whether to exercise any right to control the underlying claim.  If it does, depending on the language in the reinsurance agreement, the reinsurer can expose itself to direct claims by the insured or by the underlying claimant—or even by third parties that, ordinarily, would not be in privity with the reinsurer.  One of the more lurid examples of such exposure was provided in the case of Law Offices of David J. Stern, P.A. v. SCOR Reinsurance Corp., 354 F. Supp. 2d 1338 (S.D. Fla. 2005).  In that case, a law firm purchased a lawyers’ professional liability insurance policy from Legion Insurance Company.  When the law firm sued for alleged breach of the policy, the Florida federal district court declined to dismiss the claim that the reinsurer was an undisclosed principal of Legion, which had become insolvent.  The reinsurer had the right to control the handling and resolution of claims, and the court held that that fact was sufficient to state a claim either that the reinsurer had breached the liability policy because it had induced Legion to refuse to indemnify the attorney, or that it had tortuously interfered with the insurer’s contractual obligations to the attorney.

Practical Pointers

Ceding insurers as well as reinsurers need to be aware of their association and claim-control rights, and the consequences of invoking them.  The more that the reinsurer injects itself into the claim-adjustment process and defense of the underlying claim, the more likely it is to find that its protections from liability have been waived.

Cedents, however, must take care to honor their duties to their reinsurers.  Impeding the gathering of information about a claim, particularly in response to direct requests for information from the reinsurer, can result in the loss of stop-loss coverage provided by the reinsurance agreement.  Arbitrators and courts alike tend to take a dim view of actions that breach the duty of utmost good faith.

Alexander G. Henlin is a partner in the firm of Sulloway & Hollis, P.L.L.C., in Concord, New Hampshire.  He is admitted to practice in Massachusetts, New Hampshire, New Jersey, and New York.

Robert A. Whitney is a partner in the firm of Sulloway & Hollis, P.L.L.C., in Boston, Massachusetts.  He is admitted to practice in Massachusetts.  He is also a Certified Arbitrator and member of ARIAS•U.S., a nonprofit corporation dedicated to improving the insurance and reinsurance arbitration process for the international and domestic markets.

First Circuit

In Katz v. Pershing, LLC, 672 F.3d 64, 69 (1st Cir. 2012), Katz alleged that Pershing failed to protect sensitive nonpublic personal information as required under contract and consumer protection laws and filed a class action lawsuit.  In finding that Katz lacked standing on a contract, the First Circuit found that Katz was not a party to the contract at issue and rejected her contention that she was a third-party beneficiary, based upon the express terms of the contract.  With respect to her data security claims, the court found that plaintiff had not shown that her data was actually accessed by an unauthorized user.  Thus, at least given the facts of that case, the First Circuit required actual injury to find standing in a data breach suit.

Second Circuit

In McMorris v. Carlos Lopez & Associates, LLC, 995 F.3d 295, the Second Circuit analyzed the factors relevant to evaluating whether a plaintiff has established injury-in-fact in a data breach case.  The factors considered by the court included (1) “whether the data at issue has been compromised as the result of a targeted attack intended to obtain the plaintiffs’ data;” (2) whether plaintiffs have established a substantial risk of future injury by showing that at least some part of the compromised dataset has been misused, even if plaintiffs’ particular data subject to the same disclosure incident has not yet been affected; and (3) the extent to which the compromised data is “likely to subject plaintiffs to a perpetual risk of identity theft or fraud once it has been exposed.”  Id. at 301-302.   Notably, the Second Circuit found that the costs a consumer incurs to protect himself after a data breach do not constitute an injury-in-fact.  Ultimately, after evaluating these factors, the Second Circuit held that the plaintiffs in McMorris had not established injury-in-fact.  

Third Circuit

In Kamal v. J. Crew Group,  918 F.3d 102, 110 (3d Cir. 2019), a plaintiff brought suit for violation of the Fair and Accurate Credit Transactions Act of 2003, after himself receiving three receipts from J. Crew Group, Inc. that included both the first six and last four digits of his credit card number.  In prior cases, the Third Circuit found that the injury-in-fact requirement was satisfied by procedural violations of data security statutes when the plaintiff had suffered actual harm.  However, the Third Circuit noted that, in order to constitute a concrete injury sufficient for Article III standing, an alleged procedural violation must either actually harm the plaintiff or present a material risk of harm.  Id. at 112.  In Katz, the mere printing of the first six digits of his credit card number on a receipt was insufficient to create standing, when the plaintiff failed to allege any actual disclosure of his data.

Fourth Circuit

In Beck v. McDonald, 848 F.3d 262, 267 (4th Cir. 2017), a laptop containing unencrypted personal information was likely stolen when the defendant failed to follow policies and used an unencrypted laptop to store patient information. The Fourth Circuit found that the plaintiffs lacked standing because they could not establish injury-in-fact.  The plaintiffs failed to allege that their data had been used or even that it was intentionally targeted.  Further, because only 33% of those affected by laptop theft have their identities stolen, there was no substantial risk of future harm.

Sixth Circuit

In Galaria v. Nationwide Mutual Insurance Co., 663 Fed. Appx. 384 (6th Cir. 2016), hackers breached the computer network of Nationwide Mutual Insurance Company and stole the plaintiffs’ personal information.  The plaintiffs brought claims for invasion of privacy, negligence, bailment, and violations of the Fair Credit Reporting Act (FCRA).  The Sixth Circuit held that “Plaintiffs’ allegations of a substantial risk of harm, coupled with reasonably incurred mitigation costs, are sufficient to establish a cognizable Article III injury at the pleading stage of the litigation. Plaintiffs allege that the theft of their personal data places them at a continuing, increased risk of fraud and identity theft beyond the speculative allegations of ‘possible future injury’ or ‘objectively reasonable likelihood’ of injury that the Supreme Court has explained are insufficient.”  Id. at 388.  The Sixth Circuit noted that Nationwide had acknowledged the risk by offering credit monitoring services and identity theft protection for a year. 

Seventh Circuit

In Bryant v. Compass Group USA, Inc., 958 F.3d 617, 619 (7th Cir. 2020), Bryant’s fingerprint was collected for use in vending machines in the cafeteria, which were owned and operated by Compass Group USA, Inc.  The fingerprints were considered biometric data and thus were subject to certain disclosure and collection requirements.  The Seventh Circuit found that Bryant lacked standing for claims arising out of a failure to make public disclosures regarding the retention and distribution of data, as those applied to the public generally.  However, the Seventh Circuit found that Bryant had standing to pursue a claim for the failure to make the requisite disclosures or obtain her informed written consent before collecting her fingerprints.  In so doing, the Seventh Circuit expressed some willingness to confer standing based upon an alleged procedural violation that directly affects the plaintiff.

Eighth Circuit

In In re SuperValu, Inc., 870 F.3d 763 (8th Cir. 2017), hackers obtained access to customer payment information.  Because the compromised data did not include Social Security numbers or birthdates, there was little risk of additional accounts being opened in the plaintiff’s names.  Thus, the Eighth Circuit found that the plaintiffs failed to allege a substantial risk of future identity theft, and “the time they spent protecting themselves against this speculative threat cannot create an injury.”  Id. at 771.  However, because one plaintiff had alleged misuse of his card, the plaintiffs had standing to pursue claims for present injury.   Id. at 773 (8th Cir. 2017)

Ninth Circuit

In In re Zappos.com, Inc., 888 F.3d 1020, 1029 n.13 (9th Cir. 2018), the Ninth Circuit found that plaintiffs whose data had been stolen but not yet misused had standing to pursue a claim against Zappos.  The Ninth Circuit noted that some of the plaintiffs who were not the subject of the appeal alleged that they suffered financial losses, which undermined any assertion that the data stolen in the breach could not be used for fraud or identity theft. 

Eleventh Circuit

In Tsao v. Captiva MVP Restaurant Partners, LLC, 986 F.3d 1332, 1340 (11th Cir. 2021), the Eleventh Circuit found that the plaintiffs lacked standing based upon the elevated risk of future injury from compromised data.  The Eleventh Circuit noted that that the plaintiff had made threadbare allegations of potential future injury and made only vague, conclusory allegations about actual misuse of their data.  Further, Tsao had cancelled his credit cards after the breach, substantially reducing risk of harm and making the risk of future harm speculative.  However, the Eleventh Circuit also noted that “[g]enerally speaking, the cases conferring standing after a data breach based on an increased risk of theft or misuse included at least some allegations of actual misuse or actual access to personal data.”  Id. at 1340.

D.C. Circuit

In In re: U.S. Office of Personnel Management Data Security Breach Litigation., 928 F.3d 42 (D.C. Cir. 2019), cyberattackers stole birth dates, Social Security numbers, addresses, and fingerprint records of plaintiffs.  Plaintiffs claimed that they had a constitutional right to informational privacy, which was violated when cyberattackers stole their personal information from OPM's deficiently secured databases.  The case involved two sets of plaintiffs.  The D.C. Circuit held that the first set of plaintiffs had standing because “the loss of a constitutionally protected privacy interest itself would qualify as a concrete, particularized, and actual injury-in-fact. And the ongoing and substantial threat to that privacy interest would be a concrete, particularized, and imminent injury-in-fact.” Id. at 55.  The second set of plaintiffs in that case had standing because they alleged that the “cyberattackers intentionally targeted their information and point out the subsequent misuse of that information.”  Id. at 58. 

In Jeffries v. Volume Services America, Inc., 928 F.3d 1059 (D.C. Cir. 2019), a seller printed all 16 digits of a credit card number, the expiration date, and the credit card type on the receipt.  The D.C. Circuit, citing the factual differences between Jeffries and Kamal, found that the procedural violation of the Fair and Accurate Credit Transactions Act’s truncation requirement was sufficient to create standing. 

Conclusion

Though certain circuits have thus far been more resistant to confer standing in data breach claims than others, the Second Circuit’s recent analysis in McMorris is instructive.  The McMorris decision saliently observes that the differences in the decisions among the Circuits can be explained, at least in part, by the differences in the cases themselves. Whether standing exists is a fact-intensive inquiry, which depends on the specific type of data that was compromised, the likelihood such data could result in future harm, and whether actual harm has occurred.  For instance, if only a credit card number were disclosed, the risk of future harm can be minimized by changing the credit card number.  In contrast, if Social Security numbers and birthdates have been disclosed, the risk of future harm is greater because the hackers could establish a new account, even if the affected account were closed or changed.  Further, if a class member can show actual harm or if the defendant concedes the risk of future harm in its response to the data breach, the plaintiff is more likely to be able to establish standing. 

Rebecca E. Strickland is a partner at Swift, Currie, McGhee & Hiers, LLP, defending insurance carriers, insured businesses and individuals in complex coverage disputes, automobile litigation, commercial litigation, premises liability and commercial transactions. A zealous advocate, she has defended insurers in coverage disputes from examination under oath through jury trial and tried multiple liability cases to verdict. Strickland has handled disputes valued over $1 million and matters involving claims ranging from $60,000 to over $2 million.