In the modern world, anyone can easily transfer and publish information and this ability exposes many businesses to the risks associated with the unauthorized transfer and use of information. Several words have been used to describe the dissemination risk applicable to information, including, “invasion of privacy,” “breach of the duty of confidentiality, ” and even “misappropriation of trade secret.”
The courts are just coming to grips with these potentially overlapping concepts. While trade secret law is fairly well developed in cases between competitors, one recent decision by the Massachusetts Supreme Judicial Court (Finn v. National Union decided December 2, 2008) applied a “misappropriation of trade secrets” exclusion in an E&O policy in a case involving dissemination of information by a temporary worker of the insured to the “hacker community” with no apparent financial benefit to the discloser. The ruling in Finn is both a cautionary tale for businesses facing a dissemination risk and a demonstration of the need for privacy insurance. Finn is another in a long line of decisions broadly interpreting the phrase “claims arising out of” and provides insurer’s with a road map for drafting effective exclusions.
The insured in Finn was a provider of document management services to a law firm. The insurer issued errors and omissions (“E&O”) insurance to the document management company to insure against liability for wrongful acts in connection with “records management, document imaging, litigation support … and electronic printing services.” The policy included an exclusionary endorsement described as an “intellectual property exclusion” which included a provision excluding coverage for “any claim arising out of any misappropriation of trade secret.”
The claim arose when the document management company was retained by a law firm to provide litigation support services in litigation involving the firm’s client, a satellite TV provider. The document management firm’s employees were required to sign confidentiality agreements by the law firm and to conduct all of their work on the project at the law firm’s offices. When the document management company’s employees had difficulty meeting a deadline, a supervisor allowed one of the employees to bring his nephew to work to assist in completing the job. According to the SJC’s decision, the nephew “came across documents containing confidential trade secret information from the satellite TV provider and sent that information to a Web site to help the “hacker” community.” The decision in Finn does not suggest that the disclosure involved competitors of the satellite TV provider or that the disclosure was made for personal gain.
The law firm subsequently notified the document management company of the disclosure, and according to the notice to the document management company’s insurer, the law firm had written off a substantial legal fee and may eventually look to the document management company for compensation. The document management company’s E&O insurer disclaimed coverage due to the misappropriation of trade secrets language within the intellectual property exclusion and two other provisions. After further demands by the law firm, the document management firm settled for more than $1 million payable over 5 years.
The insured’s assignee filed suit against the E&O insurer, and the insurer responded with a motion for judgment on the pleadings, which was in turn met with a motion for partial summary judgment seeking a declaration that defense and indemnity coverage was due. The superior court determined that while neither of the other exclusionary provisions barred coverage, the intellectual property provision barred coverage for the law firm’s claims. The SJC reviewed the matters as if the underlying motion practice involved cross motions for summary judgment and affirmed that the exclusion for misappropriation of trade secrets precluded coverage.
In reaching its decision, the SJC first reviewed its prior cases involving exclusions relating to third party conduct, and concluded that the use of the words “any claim arising out of” in the exclusion made it plan that coverage was excluded for third party conduct. It is not clear from the court’s decision why third party conduct was relevant, as the nephew of the employee who made the disclosure was, with knowledge of the insured, working for the insured on a project, receiving payment (indirectly) from the insured, and the claim was asserted against the insured document management company. In a footnote, the court noted that it “assumed without deciding that the nephew was not an insured.” Id. at 695 n. 8.
The court next turned to what it described as the “more difficult issue” whether the injury suffered by the law firm arose out of the nephew’s misappropriation of the law firm’s client’s trade secrets. The court’s analysis however was limited to the nature of the damages claimed by the law firm (foregone legal fees), not whether the nephew’s conduct amounted to misappropriation of trade secrets. Again the court turned to the “arising out of” language of the exclusion and determined that it required but for causation, and the absence of facts in the record regarding whether the law firm would have lost legal fees in the absence of the nephew’s “misappropriation” determined that the claim was excluded. Id. at 698.
There are several significant issues presented by the Finn decision, though it is unclear from the decision itself whether certain of these issues were squarely presented to the court. The court’s ruling is based on a portion of the “intellectual property exclusion” which also excluded “claims arising out of misappropriation of trade secrets,” however, there is no detailed discussion in Finn as to whether the confidentiality breach by the nephew, or the negligent failure to prevent such a breach by the document management company was more properly described as a disclosure of private information or an invasion of privacy or some other wrongful act rather than a “misappropriation of trade secrets.”
In addition, there is no discussion of whether confidentiality breaches constituted wrongful acts that were otherwise within the scope of coverage. We note that at least some errors and omissions policies expressly exclude claims arising out of “invasion of any right of privacy.” It should also be noted that while CGL policies typically include “personal injury protection,” such coverage is frequently limited to invasion of an individual’s right of privacy or a person’s right of privacy, and at least one court has rejected such coverage as applied to invasions of corporations’ rights to privacy. See Heritage Mutual Ins. Co v. Advanced Polymer Tech., 97 F. Supp. 2d 913, 935 n. 13 (S.D. IN 2000).
For these reasons, the outcome in Finn-that there is no coverage for a privacy breach under an errors and omissions policy issued to a litigation document management company, demonstrates the need for businesses with access to their customer’s (or their customer’s customer’s) private information to obtain privacy insurance and to ensure that such insurance provides coverage for liabilities resulting from the disclosure by any worker of private or confidential customer information.
The decision in Finn is also another in a long line of cases (some of which were cited by the SJC in a foot note (Finn, supra at 697, n. 9 ) that give effect to exclusions applied to “claims arising out of” a described circumstance. Insurers using such prefatory language are far more likely to have their exclusions interpreted in their favor.