Court in Yahoo Email Scanning Litigation Finds Duty To Defend Under California Law
Client Alert | 5 min read | 10.31.18
On October 12, 2018, in an expansive ruling on the duty to defend under California law, Judge Edward J. Davila of the U.S. District Court for the Northern District of California, held that an insurer had breached its duty to defend a lawsuit that neither (a) alleged facts bringing the claims within policy coverage, nor (2) alleged facts from which coverage could be reasonably inferred. Rather, the Court found a defense obligation on the grounds that the lawsuit could be amended to allege facts that would implicate coverage.
Yahoo! Inc. v. National Union Fire Ins. Co. of Pittsburgh, PA, Case No. 5:17-cv-00489-EJD (N.D. Cal. Oct. 12, 2018), arose from three separate class action lawsuits against Yahoo! Inc. alleging that the company had violated the California Invasion of Privacy Act (CIPA), a state penal statute. The actions all involved allegations that, without consent, Yahoo allegedly scanned emails sent from non-Yahoo accounts to Yahoo subscribers. In two of the litigations, the Sutton and Penkava Lawsuits, the claimants alleged that Yahoo intercepted emails sent by non-Yahoo subscribers as a matter of common practice before their intended delivery to Yahoo subscribers. The Penkava lawsuit further alleged that the insured “profited in California” from the alleged CIPA violations. Neither lawsuit specifically alleged that the insured disclosed the claimants’ private information to a third party or otherwise “published” the private information. In the third lawsuit, In re Yahoo Mail Litigation, a consolidated class action, the claimants again alleged CIPA violations, as well as violations of the California Constitution, and two federal statutes. In that litigation, the claimants alleged that Yahoo’s scanning activities were for the “purpose of deriving profits from, among other things, the marketing of their personal data and the sales of targeted advertising and content.”
Yahoo tendered the Sutton and Penkava lawsuits to National Union Fire Insurance Company of Pittsburgh, PA (“insurer”) under a commercial general liability (CGL) policy which required the insurer to defend the insured and pay “sums that the insured becomes legally obligated to pay as damages” up to a limit of $1 million per occurrence. Under Coverage B of the policy, coverage was provided for “personal injury,” defined to include “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy.” However, coverage was excluded for personal injury “arising out of a criminal act committed by or at the direction of the insured.” National Union declined coverage of the two lawsuits on the basis that the claims did not fall within the “personal injury” coverage of the policy because there was no allegation that personal information had been “published.”
In the coverage action, the Court held that under California law an insurer must defend a lawsuit even if the precise causes of action asserted in the underlying complaint fall outside of policy coverage, “so long as under the facts alleged, reasonably inferable, or otherwise known, the complaint could be fairly amended to state a covered liability.” The Court determined first that “publication” – the disclosure of private information to a third party – was required for “personal injury” coverage to arise under the National Union policy at issue, and second, that neither the Sutton nor Penkava lawsuit alleged “publication.” However, the Penkava lawsuit alleged that Yahoo “profited in California” as a result of its CIPA violations, and that the company “derives a windfall” from its scanning activities. The Court concluded that the allegations of economic benefit were sufficient to create a “potential for coverage” for purposes of the duty to defend, explaining:
It is reasonably inferable from these profit allegations that Yahoo was disclosing to third-party customers of consumer data the private content it obtained from its alleged e-mail scanning practices, either through the direct sale of the information it intercepted or in the provision of services, such as targeted advertising.
Without setting forth a standard for making “reasonable inferences,” the Court then suggested that “reasonable inferences” from facts alleged in one case imposed a duty to defend a different lawsuit that alleged no such facts. Specifically, the Court recognized that the Sutton lawsuit did not contain allegations that Yahoo had profited from its activities. It nonetheless held that National Union had a duty to defend the Sutton action as well, stating that the insurer: “offers no reason why the [Sutton] pleading could not have been amended to include [such allegations].” The Court thus found a duty to defend a complaint that did not on its face fall within coverage on the grounds that it could potentially be amended to include allegations that would be covered.
Further, the Court went on to reject National Union’s argument that coverage of the Sutton and Penkava lawsuits was precluded by the policy’s criminal acts exclusion based on a similar analysis. Although the claims in both actions alleged violations of only a criminal statute, the Court concluded that the additional allegations of profit in the Penkava suit raised the “possibility of a claim for civil damages.” Relying on the proposition that the “form of the claim is not controlling,” the Court reasoned that whether the criminal acts exclusion applied was uncertain at the time the lawsuits were commenced, and therefore, the insurer had a duty to defend. (The Court did not analyze whether the criminal acts exclusion would preclude a civil claim as well as the criminal violation based on the same allegations.)
In addition to its rulings on the duty to defend discussed above, the Court held that National Union also breached its duty to defend the In re Yahoo! Mail Litigation by relying on what turned out to be an incomplete version of the policy in reaching its initial coverage determination. The Court further found that National Union was required to indemnify the insured’s payment of the claimants’ attorneys’ fees pursuant to settlement of that litigation, reasoning that because the claimants sought their legal fees as private attorneys general to effectuate a fundamental public policy, the fees were covered “damages” within the plain meaning of the term and consistent with the “reasonable expectations” of the insured.
Although the Court held that National Union had breached both its duty to defend and its duty to indemnify, it enforced the deductible provisions of the policy, a “fronting policy” under which Yahoo had retained the ultimate risk on any covered claim. The Court held that application of the deductible provision was consistent with the traditional measure of breach of contract damages, which seeks to put the insured in as good a position as it would have been if no breach had occurred. The Court observed: “the explicit terms of the policy show that Yahoo always knew it would be required to reimburse National Union, and Yahoo has not presented persuasive legal authority to support a windfall.”
In sum, insurers should carefully consider the implications of the Court’s rulings on the duty to defend. Under this Court’s approach, a duty to defend might exist if the facts alleged support an “inference” of the “potential” for coverage, with the onus on the insurer to consider whether the complaint could “reasonably be amended” to allege facts that would potentially bring the claim within coverage of the policy.
Contacts
Insights
Client Alert | 2 min read | 11.14.24
SEC ESG Enforcement Is Still Alive
On November 8, 2024 the SEC announced a settled enforcement action against Invesco Advisers, Inc. for making misleading statements about its integration of environmental, social, and governance (ESG) factors into the firm’s investment decisions. Invesco agreed to pay a $17.5 million civil penalty to settle the matter. This enforcement action makes it clear that, even though the SEC dissolved its ESG Task Force, the Commission continues to monitor firms’ statements and representations for misleading statements about ESG.
Client Alert | 8 min read | 11.12.24
Client Alert | 3 min read | 11.11.24
Allegations of a Litany of Lyin’: Penn State Settles Claims of Cybersecurity Noncompliance
Client Alert | 1 min read | 11.08.24
A Common-Sense Change to the Continuous SAM Registration Requirement at FAR 52.204 7