After the Fourth Circuit held in 2016 that a commercial general liability (“CGL”) policy could cover a data incident, confusion arose as to whether CGL policies would continue to cover data breaches. A recent California lawsuit by the smart-TV maker Vizio against two of its insurance companies shows that this confusion also arises when an insured invokes CGL policies to cover litigation arising from alleged data misuse.
The smart-TV maker Vizio has faced multiple proposed class actions arising from the alleged sharing of its customers’ viewing data with third parties. Vizio recently reached a $17 million settlement to resolve multidistrict litigation (MDL) on behalf of 16 million Vizio owners alleging the sale of their data without their consent.
Vizio sought coverage from two insurance companies for defense costs associated with the MDL and the resulting settlement. According to Vizio’s complaint, Vizio had CGL policies with both insurers that provided coverage for defense costs and assessed damages. Vizio alleges that it timely submitted proofs of claims under both policies.
The complaint alleges that, during the pendency of the MDL, the insurers made various misstatements of law and fact in denying coverage. First, Vizio alleges that an insurer wrongly asserted an untimeliness defense to its claim, only to reverse course 10 months later, because the insurer had misunderstood Vizio’s policy as providing claims-made-and-reported coverage rather than claims-made coverage. Vizio also alleges that an insurer denied coverage of its defense costs on the intentionally false ground that another insurer was providing a defense. It further alleges that the insurers declined coverage on the ground that the policies excluded coverage for actual or alleged invasion of privacy and that Vizio’s alleged conduct fell within the exclusion.
In its complaint, Vizio alleges that, although the MDL complaints alleged “some facts which might support a claim for ‘invasion of privacy,’” (emphases in original) they also asserted acts that fell outside the “invasion of privacy” exclusion, including the alleged violations of various states’ unfair trade practices statutes. Therefore, the complaint alleges, the insurance companies should have provided coverage, and their failure to do so was a bad-faith breach of their insurance policies.
The complaint was filed recently, and the insurance companies have not yet responded. Nonetheless, the complaint’s filing alone provides several lessons.
First, a CGL policy that merely excludes acts constituting “invasion of privacy” or “data breaches” may not suffice to protect an insurance company from liability for its insureds’ alleged data incidents or misdeeds. To the contrary, if a CGL policy’s exclusion for cybersecurity-related incidents is not sufficiently broad and thorough, the insurance company risks a finding of coverage that it may not have anticipated. Likewise, a CGL policy that appears at first blush to exclude a claim such as the one underlying the MDL might leave room for an aggressive plaintiffs’ attorney in a coverage suit to credibly claim coverage. (A recent decision in which the court found coverage under a business owners’ policy for a ransomware attack similarly demonstrates this point.)
Second, experienced insurance litigators will recognize the complaint as a textbook example of careful planning and execution where coverage may be at stake, and the facts alleged provide a roadmap of potential missteps that insurers and their coverage counsel can make. For example, an insurer allegedly asserted, then withdrew as inaccurate, a denial of coverage based on untimeliness. Another insurer allegedly misapprehended the nature of Vizio’s policy. The complaint also alleges that an insurer falsely claimed that another company had assumed Vizio’s defense costs. Finally, Vizio alleges that its insurers missed the applicable deadlines to respond to its proofs of claims (which the insurers may or may not have immediately recognized as such). Vizio exploited these claimed missteps to paint its insurers as incompetent and dishonest, and this portrayal forms the backbone of Vizio’s bad-faith claims.
Moreover, this is not just a legal fight limited to the captioned parties; that these facts made it into a complaint may give the insurers’ other policyholders tips on how to maximize the success of their own future litigation. Very few insurance policies have unique coverage, endorsements, or exclusions; policies are by design standardized, marketable instruments. This raises the stakes when coverage disputes arise; if a court interprets language favorably to an insured, that could become the basis for future arguments by other insureds.
Vizio’s complaint illustrates the perils of current CGL policies and the damage an aggressive plaintiffs’ attorney can inflict upon an unwary insurer. Thus, the complaint demonstrates that, with each contact with an insured, coverage attorneys must remember that someone is always watching.
For more information regarding this article, please contact Sean Griffin.
As part of our service to you, we regularly compile short reports on new and interesting developments and the issues the developments raise. Please recognize that these reports do not constitute legal advice and that we do not attempt to cover all such developments. Rules of certain state supreme courts may consider this advertising and require us to advise you of such designation. Your comments are always welcome. ©2020 Dykema Gossett PLLC.