INSURANCE COVERAGE DEVELOPMENTS IN 2018

Cyber Coverage for Social Engineering Schemes Remains at Odds

Social engineering continued to be a major concern in 2018 as businesses continued to fall prey to such schemes and other cyber risks. 2018 also saw a trend in favor of coverage for these schemes, which is promising for retailers and other businesses. However, the varied results continue and should caution policyholders to obtain social engineering/impersonation cyber fraud coverage by endorsement that is as specific as possible.

  • Am. Tooling Ctr., Inc. v. Travelers Cas. & Sur. Co. of Am., 895 F.3d 455 (6th Cir. 2018). The Sixth Circuit reversed a district court's decision and found coverage under a crime policy for a manufacturer's $800,000 loss, reasoning that the fraudulent email that prompted wire transfers to fraudsters was an immediate and proximate cause of the loss.
  • Medidata Sols. Inc. v. Fed. Ins. Co., 268 F.Supp.3d 471 (2d Cir. 2018). The Second Circuit affirmed a district court's ruling and found coverage under the computer fraud provision of the insured's crime policy for a cloud-based service provider's loss of $4.8 million resulting from an employee's being deceived into transferring the money as a result of an email disguised to look like it was from the company's president.
  • Aqua Star (USA) Corp. v. Travelers Cas. & Surety Co. of Am., No. 16-35614 (9th Cir. Apr. 17, 2018). The Ninth Circuit affirmed a district court's decision finding no coverage for a $700,000 loss resulting from hackers who, while posing as employees, directed other employees to change account information for a customer. The court found that an exclusion providing that the policy "will not apply to loss resulting directly or indirectly from the input of Electronic data by a natural person having the authority to enter the Insured's Computer System" applied and barred coverage.

Contrasting Results Introduce New Challenges for Policyholders Seeking Coverage for Credit Card Company Assessments and Penalties Resulting from Cyber Exposure

Businesses are increasingly purchasing insurance policies to address their cyber and data security exposures. Recently, courts have weighed in on coverage afforded to policyholders for credit card company assessments and penalties resulting from data exposure caused by third-party hackers. Many of the judicial decisions addressing insurance for cyber exposures have done so under traditional insurance policies, as opposed to under newer cyber insurance policies, resulting in negative results for policyholders. However, recent decisions demonstrate that policyholders should engage their insurers to ensure that their policies, whether traditional or not, are specifically designed to cover cybersecurity and data breach events. And, faced with a denial, policyholders should not assume that an insurer's efforts to deny coverage will necessarily prevail in all cases, as shown by recent decisions.

  • Spec's Family Partners, Ltd. v. Hanover Ins. Co., No. 17-20263 (5th Cir. June 25, 2018). The Fifth Circuit found that Hanover Insurance Company had a duty to defend Spec's in an action arising out of two data breaches of Spec's credit card payment system. The court held that the district court improperly found that an exclusion for contract-based claims barred coverage, finding that part of the alleged conduct did not fall within the exclusion for contract-based claims.
  • St. Paul Fire & Marine Insurance Co. v. Rosen Millennium Inc., 6:17-cv-540 (M.D. Fla. Sept. 28, 2018). A federal district court in Florida ruled that St. Paul Fire & Marine Insurance Co.'s commercial general liability policy did not cover fines and penalties assessed against its insured, Rosen Hotels, after hackers installed malware into the hotel's credit card payment network. The court reasoned that the policy required that the credit card information be "made known" by the insured's activities and not a third party's activities. Thus, because the credit card information was made known as a result of the hackers' activities, the court found there was no coverage.

Recall Insurance Continues to be Source of Coverage Disputes

The risk of product recalls has continued to increase in recent years due to tightened regulatory standards and the implementation of new safety rules. 2018 experienced a surge in coverage disputes involving the interpretation of recall insurance policies' terms. Varying court interpretations illustrate the need for policyholders to scrutinize recall insurance policies. Below we highlight some key cases.

  • Blessings, Inc. d/b/a Blessings Seafood v. Houston Casualty Co., No. 1:18-cv-00262-LTS (S.D.N.Y. filed Jan. 11, 2018). A seafood distributor, Blessings, sued its insurer seeking to recover losses associated with a product contamination claim involving Blessings' raw shrimp product. Blessings sought coverage under its contamination policy with Houston Casualty, which provided coverage for, among other things, the value of contaminated products up to $3 million per insured event. Houston Casualty issued partial payment for Blessings' direct losses associated with the value of the contaminated shrimp, but refused to pay the balance of the claim. On March 1, 2018, the court was notified that the parties had reached a settlement, pending execution of a final written agreement.
  • Hanover Ins. Group, Inc. v. Raw Seafoods, Inc., 91 Mass. App. Ct. 401 (2017). The Appeals Court of Massachusetts in Boston found that the trial judge erred when granting summary judgment in favor of the insurer relating to a coverage dispute regarding more than 57,000 pounds of spoiled scallops. RSI, a seafood processing company, was sued by its customer, Atlantic Capes Fisheries Inc., after receiving a batch of spoiled scallops for processing. RSI's insurer, Hanover, agreed to defend RSI in the action under a reservation of rights. Hanover also filed suit seeking a ruling that it owed no coverage because the damage to the products was not caused by an "occurrence" distinct from RSI's performance of its work. The trial court granted summary judgment in Hanover's favor, but the appellate court reversed, finding that the damaged scallops were caused by an "unexpected happening," and thus an "accident," rather than a foreseeable consequence of RSI's normal business operations.
  • Starr Surplus Lines Insurance Co. v. Mountaire Farms, Inc., No. 2:18-cv-67-JDL (D. Me. Aug. 02, 2018). A federal district court in Maine ruled against an insurer's effort to be reimbursed for $10 million it paid a policyholder in connection with salmonella-contaminated raw chicken. Starr Indemnity & Liability Co. Inc. brought an action against a chicken supplier, Mountaire Farms, asserting that Mountaire delivered contaminated chicken products to Starr's insured, AdvancePierre Foods, which resulted in a recall of more than 1,700,000 pounds of chicken products. Starr had paid the policy limits of $10 million for AdvancePierre's recall insurance claim. Mountaire moved to dismiss Starr's lawsuit, arguing, among other things, that Starr's claims failed because salmonella is an "inherent and recognized characteristic" of raw chicken and, therefore, could not be considered "defective," "unfit for its particular purpose" or "unreasonably dangerous," which are required elements of Starr's claims. Mountaire further argued that Starr's strict liability claim is barred by the economic loss doctrine. The court agreed with both arguments and dismissed the lawsuit.

#METOO BRINGS NEW CHALLENGES TO RETAILERS

In October 2017, The New York Times and The New Yorker published accusations of sexual harassment and abuse against Hollywood producer Harvey Weinstein. That watershed moment sparked what's been called a "national reckoning" over sexual harassment, driven heavily by the #MeToo movement going viral. In the year that has passed since then, this movement has only grown larger and louder. Other viral campaigns like #TimesUp and #BelieveWomen have pervaded the public consciousness. No industry has escaped untouched, including retail.

Business leaders and HR professionals are anecdotally reporting an increase in internal complaints about sexual harassment in the workplace. On the anniversary of the Weinstein scandal, the US Equal Opportunity Commission released early numbers confirming that trend: while overall discrimination complaints were down, the percentage of charges alleging sexual harassment increased by 12 percent, representing the first increase in the last 10 years. The EEOC itself brought 41 lawsuits in FY2018 alleging sexual harassment—a 50 percent increase over the previous year. Several of these were against retailers, big and small.

For retail companies that are publicly traded, there is another litigation risk bubbling from the sexual harassment reckoning: investor lawsuits brought by shareholders to hold companies accountable for sexual misconduct in the executive ranks. Two such high-profile suits have been brought against Wynn Resorts and CBS after their respective CEOs were accused of sexual misconduct and stock prices plummeted.

In addition to these increased risks, retailers must also ensure compliance with the ever-changing landscape of legislative responses to #MeToo.

Sexual Harassment Settlements

A number of laws enacted in the wake of #MeToo will affect how retailers may settle claims of sexual harassment.

At the federal level, the so-called "Weinstein Tax" was passed as a last-minute addition to the Tax Cuts & Jobs Act of 2017. A new section was added to the Internal Revenue Code to make settlements of sexual harassment and abuse claims subject to confidentiality agreements nondeductible. Due to ambiguous language in the provision and a dearth of guidance from the IRS, exactly how the IRS will treat these settlements is yet to be determined. Retailers should consider whether to allocate settlement payouts among claims, assign the settlement of sexual harassment or abuse claims nonmonetary consideration, or exclude altogether sexual harassment or abuse claims from nondisclosure provisions.

New state laws also prohibit or restrict the use of confidentiality or non-disclosure clauses in settlements of sexual harassment claims. Six states have passed such laws—Arizona, California, New York, Tennessee, Vermont and Washington—and at least three other states (Massachusetts, New Jersey and Pennsylvania) and the District of Columbia have proposed similar legislation. Retailers in Maryland should also be aware of a unique law that passed recently, requiring companies to report information about sexual harassment settlements for use in a survey.

Arbitration of Sexual Harassment Claims

Many of the laws proposed in response to #MeToo prohibit mandatory arbitration of sexual harassment claims. Maryland, New York, Vermont and Washington have all enacted such laws. Similar arbitration bans are pending in Congress and at least three other states (Massachusetts, New Jersey and South Carolina).

Anti-Sexual Harassment Policies and Training

Before #MeToo, it was rare for a state or local law to require anti-sexual harassment training or written policies by private employers. But after #MeToo, a wave of such laws has passed. California, one of the only states to have these requirements for private employers before #MeToo, expanded the reach of its training and policy requirement to even smaller employers. For retailers operating in New York and New York City, both have passed sweeping anti-sexual harassment laws that are not coterminous and require various combinations of training, policies and postings. In addition, Massachusetts, Pennsylvania, Vermont and Washington have also all proposed or passed laws that will require retailers to maintain written policies or conduct anti-sexual harassment training.

The #MeToo movement is a wake-up call to all retailers. Companies should take this opportunity to evaluate their policies regarding sexual harassment, train their employees and management on how to respond, consult with counsel regarding settlement and arbitration of these claims and promote a workplace culture that respects all employees.

ANTITRUST ENFORCEMENT STILL UNPREDICTABLE UNDER TRUMP

After a slow start in getting Senate-confirmed appointees in place, both the Department of Justice's Antitrust Division and Federal Trade Commission finally got their full complement of senior leadership in place in September 2018. Chairman Joe Simons and Commissioner Christine Wilson returned to the FTC as commissioners after years of private practice, and other major Commission roles have been filled by FTC alumni. Similarly, the Antitrust Division leadership has a number of attorneys with prior government experience.

This seasoned leadership, however, has not made antitrust enforcement more predictable. This uncertainty is even more pronounced in "vertical" deals involving companies that are at different levels of the supply chain. Both FTC and DOJ spoke out early in the Trump administration against behavioral remedies, which have been used in the past to mitigate risk of harm to competition from vertical deals.

Absent imposing behavioral remedies like those in Comcast/NBCU, the Division, for example, challenged the proposed vertical transaction involving AT&T and Time Warner. This uncertainty is also present in horizontal deals involving direct competitors: some deals are getting inquiries where none were expected and some are being cleared when we expected inquiries.

On a more positive note, both the FTC and Antitrust Division have focused on process improvements. In response to increasing time, expense and burden of government antitrust investigations, both agencies have announced initiatives to speed up the review process for proposed mergers.

Several major retail mergers made headlines in 2018 and provide lessons for merging parties in 2019.

  • J.M. Smucker's attempted acquisition of the Wesson cooking oil brand from Conagra was abandoned by the parties after the FTC challenged the merger. The FTC alleged that the combined Smucker's, which already owns the Crisco brand, would control at least 70 percent of the market for branded canola and vegetable oils sold to grocery stores and other retailers. The FTC also alleged that Smucker's own documents showed that eliminating price competition between Wesson and Crisco was a central part of the rationale for the deal. Interestingly, the FTC did not include private label cooking oils in its relevant market definition despite the fact that private label products account for a majority of cooking oil sales to retail consumers. Three days after the FTC filed for a preliminary injunction, the parties abandoned the deal.
  • AT&T's acquisition of Time Warner was challenged by the Department of Justice in late 2017. After a full trial on the merits of the proposed acquisition, federal district court Judge Richard Leon approved the deal in June 2018 and the parties closed on the transaction soon thereafter. After initially saying that it would not challenge Judge Leon's decision, the DOJ appealed to the DC Circuit. AT&T has agreed to hold the Turner Networks (such as CNN, TNT, TBS and HLN) separate from the rest of its operations until February 28, 2019, and the parties have sought expedited treatment for the appeals process.

With two major mergers now facing additional scrutiny, 2019 is sure to bring additional drama to the antitrust landscape in the retail sector.

FORMALDEHYDE CONTROVERSY RAISES CONCERNS FOR RETAILERS OVER EPA'S FUTURE REVIEW AND REGULATION OF CHEMICALS AND ASSOCIATED LITIGATION RISK

Companies in the retail industry may soon be grappling with new regulations and increased litigation risk involving formaldehyde, a common chemical found in consumer products like wood glue, foam insulation, paints, cosmetics and fragrances. In 2018, amid controversy over the chemical industry's alleged pressure on the Environmental Protection Agency (EPA) to withhold an updated human health risk assessment, which will reportedly link exposure to formaldehyde to leukemia and other cancers, consumer groups successfully compelled EPA to begin early enforcement of its new rule governing formaldehyde emissions from composite wood products. The tug-of-war between consumer groups and industry groups on formaldehyde over the last year has potential consequences for companies impacted not only by the formaldehyde regulations, but who may also be impacted by regulations on the horizon as EPA moves forward with its new risk evaluations on 10 "high priority" and widely used chemicals.

EPA's Integrated Risk Information System Program (IRIS) first classified formaldehyde as a "probable human carcinogen" in 1991, linking exposure to the chemical as potentially causing nasal cancer. In 2010, the agency released a new draft risk assessment, proposing to revise formaldehyde's classification to "carcinogenic to humans" and linking formaldehyde exposure to leukemia for the first time. The scientific data and methodology underlying the revised risk assessment were met with sharp criticism. In response, EPA requested that the National Research Council (NRC), a committee of the National Academies of Sciences (NAS), perform a peer review of the draft risk assessment. The NRC reported in 2011 that EPA's conclusions regarding leukemia and related hematopoietic cancers suffered from serious "data gaps" and were not supported by any clear scientific framework. The NRC also issued specific recommendations for the revision of not only the draft risk assessment itself, but also the overall review process for future assessments. Congress then directed EPA to implement the NRC's recommendations, and EPA began the process of re-reviewing its risk assessment to take into account the NRC's recommendations.

IRIS completed the update to its formaldehyde risk assessment in late 2017, but to date EPA officials have declined to review the study or approve its release. The updated risk assessment reportedly still links exposure to formaldehyde and leukemia, despite the NRC's criticism of that conclusion in 2011. Industry groups have met with EPA and have publicly expressed concerns that the updated risk assessment will be merely a "restructuring" of the original draft and will still suffer from the same scientific and methodological defects previously identified by the NRC. Consumer groups and legislators have accused EPA of bowing to industry pressure to withhold the updated assessment and have continued to call for its release. Meanwhile, EPA has suggested that the agency is re-evaluating some of the science underlying the assessment and is currently facing a lawsuit filed by Public Employees for Environmental Responsibility (PEER) alleging that EPA failed to respond to the group's public records request.

As the debate over the release of the risk assessment heated up earlier this year, EPA was also forced to defend its decision to delay the effective date of a Final Rule implementing the Formaldehyde Emission Standards for Composite Wood Products Act of 2010 (Formaldehyde Final Rule), which amended the Toxic Substances Control Act (TSCA) to add TSCA Title VI. The Formaldehyde Final Rule sets forth emissions limits for formaldehyde in composite wood products (which are often used in furniture, flooring and construction) and imposes a number of testing and record-keeping requirements on companies in the supply chain. Although the Formaldehyde Final Rule was originally scheduled to take effect in December 2017, EPA announced a year-long delay in September 2017 in order to allow companies more time to prepare for compliance.

Consumer groups objected to EPA's decision, citing alleged immediate threats to public health from exposure to formaldehyde. After filing suit against EPA in California federal court, they reached an agreement with EPA that the agency would begin enforcement of the Formaldehyde Final Rule as of June 1, 2018—more than six months earlier than companies had planned. The new June 1 compliance date posed serious compliance challenges and came at great cost to furniture manufacturers, distributors and retailers, who were forced to act quickly to design and implement procedures that were not expected to be required until months later.

For companies in the retail industry, the controversy over formaldehyde has led to greater public scrutiny of the chemical and its alleged health effects, which often translates into increased litigation risk. Plaintiff's lawyers searching for the "next wave" of toxic tort and product liability litigation may look to get out ahead of EPA's formaldehyde risk assessment, filing lawsuits early and banking on the report's anticipated conclusions regarding leukemia. For their part, consumer groups may also put pressure on companies by conducting their own independent studies of popular consumer products and publicizing results that show traces of formaldehyde in those products in an effort to garner public support for new regulations.

The fallout from the formaldehyde controversy is also likely to affect EPA's review and regulation of chemicals in the future. Although TSCA was amended in 2016 by the Frank R. Lautenberg Chemical Safety for the 21st Century Act (Lautenberg Act) to give EPA new powers to review and regulate chemicals at the federal level, EPA does not always act with the expediency or methodology consumer advocacy groups may want. EPA is currently in the process of evaluating 10 "high priority" chemicals as mandated by the Lautenberg Act, and is already facing criticism from consumer groups who do not feel that EPA's framework for those analyses is comprehensive enough. And just as with the formaldehyde risk assessment, it is unlikely that industry groups will universally approve of the conclusions EPA reaches in connection with these new risk evaluations or the methodology it uses.

As EPA's new evaluations progress and are released, we expect to see challenges from both consumer groups and industry groups similar to those launched over formaldehyde. The uncertainty those challenges will create will pose compliance difficulties for even the most proactive companies while regulations are tied up in litigation with unpredictable outcomes. Likewise, the heightened public interest in chemical evaluations means that companies may find themselves facing lawsuits and defending their products in the court of public opinion—even if EPA concludes that certain chemicals pose no significant health risk to consumers.

CALIFORNIA CONSUMER PRIVACY ACT AND ITS IMPACT ON RETAILERS

The California Consumer Privacy Act of 2018 (CCPA), signed by California Governor Jerry Brown on June 28, 2018, with a compliance deadline of January 1, 2020, signals a shift in the data privacy regime in the US. The CCPA was passed quickly by California lawmakers in an effort to remove a ballot initiative of the same name from the November 6, 2018, statewide ballot. The CCPA likely will require businesses, including retailers, to make significant changes to their data protection programs, if the business has consumers or employees who are California residents.

Key provisions of the CCPA include:

  • Applicability. The CCPA will apply to any for-profit business that: (1) "does business in the state of California"; (2) "collects consumers' personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers' personal information"; and (3) satisfies one or more of the following thresholds: (a) has annual gross revenues in excess of $25 million; (b) alone or in combination, annually buys, receives for the business's commercial purposes, sells or shares for commercial purposes, the personal information of 50,000 or more consumers, households or devices; or (c) derives 50 percent or more of its annual revenues from selling consumers' personal information (collectively, Businesses).
  • Definition of Consumer. The CCPA defines "consumer" as a natural person who is a California resident.
  • Definition of Personal Information. Personal information is defined broadly as "information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." The CCPA's definition of personal information also contains a list of enumerated examples of personal information, which includes, among other data elements, name, postal or email address, Social Security number, government-issued identification number, biometric data, Internet activity information and geolocation data, as well as "inferences drawn from any of the information identified" in this definition.
  • Definition of Sale. The CCPA broadly defines sale as "selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to another business or a third party for monetary or other valuable consideration." The law provides several enumerated exceptions detailing activities that do not constitute a "sale" under the CCPA.
  • Privacy Policies. The CCPA will require certain disclosures in businesses' online privacy notices, including a description of consumers' rights under the CCPA (e.g., the right to opt out of the sale of their personal information). Businesses must also disclose certain data practices from the preceding 12 months about the categories of personal information collected about consumers, the categories of sources from which the personal information is collected, the business or commercial purpose for collecting or selling personal information and the categories of third parties with whom the business shares personal information. If the Business sells consumers' personal information or discloses it to third parties for a business purpose, the notice must also include lists of the categories of personal information sold or disclosed about consumers in the preceding 12 months.
  • Access Right. Upon a verifiable request from a consumer, a business must disclose: (1) the categories and specific pieces of personal information the business has collected about that consumer; (2) the categories of sources from which the personal information is collected; (3) the business or commercial purposes for collecting or selling personal information; and (4) the categories of third parties with whom the business shares personal information. A Business that sells a consumer's personal information or discloses it for a business purpose must also disclose: (1) the categories of personal information that the business sold about the consumer; (2) the categories of third parties to whom the personal information was sold (by category of personal information for each third party to whom the personal information was sold); and (3) the categories of personal information that the business disclosed about the consumer for a business purpose.
  • Deletion Right. The CCPA will require a business, upon verifiable request from a consumer, to delete personal information about the consumer which the business has collected from the consumer and direct any service providers to delete the consumer's personal information. There are several enumerated exceptions to this requirement, two of which broadly state that compliance with a deletion request is not required when "it is necessary for the business or service provider to maintain the consumer's personal information" to: (1) "enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer's relationship with the business" or (2) "use the consumer's personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information."
  • Opt-Out Right. Businesses must provide a clear and conspicuous link on their website that says "Do Not Sell My Personal Information" and provide consumers a mechanism to opt out of the sale of their personal information, a decision which the Business must respect.
  • Specific Rules for Minors. If a business has actual knowledge that a consumer is less than 16 years of age, the CCPA prohibits a business from selling that consumer's personal information unless: (1) the consumer is between 13-16 years of age and has affirmatively authorized the sale (i.e., they have opted in); or (2) the consumer is less than 13 years of age and the consumer's parent or guardian has affirmatively authorized the sale.
  • Non-Discrimination and Financial Incentives. Businesses cannot discriminate against consumers for exercising any of their rights under the CCPA. Businesses can, however, offer financial incentives for the collection, sale or deletion of personal information.
  • Enforcement.
    • The CCPA is enforceable by the California AG and authorizes a civil penalty up to $2,500 for each violation or $7,500 for each intentional violation.
    • The CCPA provides a private right of action only in connection with certain "unauthorized access and exfiltration, theft, or disclosure" of a consumer's nonencrypted or nonredacted personal information, as defined in the state's breach notification law, if the business failed "to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information." The consumer may bring an action to recover damages up to $750 per incident or actual damages, whichever is greater.

Due to the CCPA's likely effect on the data protection programs of many businesses that have California consumers or employees, it is imperative that retailers develop a CCPA compliance strategy to determine the extent to which the law applies to them, assess their current CCPA compliance posture and conduct any necessary remediation activities.




The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.