1. Home
  2. |Insights
  3. |Court in Yahoo Email Scanning Litigation Finds Duty To Defend Under California Law

Court in Yahoo Email Scanning Litigation Finds Duty To Defend Under California Law

Client Alert | 5 min read | 10.31.18

On October 12, 2018, in an expansive ruling on the duty to defend under California law, Judge Edward J. Davila of the U.S. District Court for the Northern District of California, held that an insurer had breached its duty to defend a lawsuit that neither (a) alleged facts bringing the claims within policy coverage, nor (2) alleged facts from which coverage could be reasonably inferred. Rather, the Court found a defense obligation on the grounds that the lawsuit could be amended to allege facts that would implicate coverage. 

Yahoo! Inc. v. National Union Fire Ins. Co. of Pittsburgh, PA, Case No. 5:17-cv-00489-EJD (N.D. Cal. Oct. 12, 2018), arose from three separate class action lawsuits against Yahoo! Inc. alleging that the company had violated the California Invasion of Privacy Act (CIPA), a state penal statute. The actions all involved allegations that, without consent, Yahoo allegedly scanned emails sent from non-Yahoo accounts to Yahoo subscribers. In two of the litigations, the Sutton and Penkava Lawsuits, the claimants alleged that Yahoo intercepted emails sent by non-Yahoo subscribers as a matter of common practice before their intended delivery to Yahoo subscribers. The Penkava lawsuit further alleged that the insured “profited in California” from the alleged CIPA violations. Neither lawsuit specifically alleged that the insured disclosed the claimants’ private information to a third party or otherwise “published” the private information. In the third lawsuit, In re Yahoo Mail Litigation, a consolidated class action, the claimants again alleged CIPA violations, as well as violations of the California Constitution, and two federal statutes. In that litigation, the claimants alleged that Yahoo’s scanning activities were for the “purpose of deriving profits from, among other things, the marketing of their personal data and the sales of targeted advertising and content.” 

Yahoo tendered the Sutton and Penkava lawsuits to National Union Fire Insurance Company of Pittsburgh, PA (“insurer”) under a commercial general liability (CGL) policy which required the insurer to defend the insured and pay “sums that the insured becomes legally obligated to pay as damages” up to a limit of $1 million per occurrence. Under Coverage B of the policy, coverage was provided for “personal injury,” defined to include “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy.” However, coverage was excluded for personal injury “arising out of a criminal act committed by or at the direction of the insured.” National Union declined coverage of the two lawsuits on the basis that the claims did not fall within the “personal injury” coverage of the policy because there was no allegation that personal information had been “published.” 

In the coverage action, the Court held that under California law an insurer must defend a lawsuit even if the precise causes of action asserted in the underlying complaint fall outside of policy coverage, “so long as under the facts alleged, reasonably inferable, or otherwise known, the complaint could be fairly amended to state a covered liability.” The Court determined first that “publication” – the disclosure of private information to a third party – was required for “personal injury” coverage to arise under the National Union policy at issue, and second, that neither the Sutton nor Penkava lawsuit alleged “publication.” However, the Penkava lawsuit alleged that Yahoo “profited in California” as a result of its CIPA violations, and that the company “derives a windfall” from its scanning activities. The Court concluded that the allegations of economic benefit were sufficient to create a “potential for coverage” for purposes of the duty to defend, explaining:

It is reasonably inferable from these profit allegations that Yahoo was disclosing to third-party customers of consumer data the private content it obtained from its alleged e-mail scanning practices, either through the direct sale of the information it intercepted or in the provision of services, such as targeted advertising.

Without setting forth a standard for making “reasonable inferences,” the Court then suggested that “reasonable inferences” from facts alleged in one case imposed a duty to defend a different lawsuit that alleged no such facts. Specifically, the Court recognized that the Sutton lawsuit did not contain allegations that Yahoo had profited from its activities. It nonetheless held that National Union had a duty to defend the Sutton action as well, stating that the insurer: “offers no reason why the [Sutton] pleading could not have been amended to include [such allegations].” The Court thus found a duty to defend a complaint that did not on its face fall within coverage on the grounds that it could potentially be amended to include allegations that would be covered. 

Further, the Court went on to reject National Union’s argument that coverage of the Sutton and Penkava lawsuits was precluded by the policy’s criminal acts exclusion based on a similar analysis. Although the claims in both actions alleged violations of only a criminal statute, the Court concluded that the additional allegations of profit in the Penkava suit raised the “possibility of a claim for civil damages.” Relying on the proposition that the “form of the claim is not controlling,” the Court reasoned that whether the criminal acts exclusion applied was uncertain at the time the lawsuits were commenced, and therefore, the insurer had a duty to defend. (The Court did not analyze whether the criminal acts exclusion would preclude a civil claim as well as the criminal violation based on the same allegations.)

In addition to its rulings on the duty to defend discussed above, the Court held that National Union also breached its duty to defend the In re Yahoo! Mail Litigation by relying on what turned out to be an incomplete version of the policy in reaching its initial coverage determination. The Court further found that National Union was required to indemnify the insured’s payment of the claimants’ attorneys’ fees pursuant to settlement of that litigation, reasoning that because the claimants sought their legal fees as private attorneys general to effectuate a fundamental public policy, the fees were covered “damages” within the plain meaning of the term and consistent with the “reasonable expectations” of the insured. 

Although the Court held that National Union had breached both its duty to defend and its duty to indemnify, it enforced the deductible provisions of the policy, a “fronting policy” under which Yahoo had retained the ultimate risk on any covered claim. The Court held that application of the deductible provision was consistent with the traditional measure of breach of contract damages, which seeks to put the insured in as good a position as it would have been if no breach had occurred. The Court observed: “the explicit terms of the policy show that Yahoo always knew it would be required to reimburse National Union, and Yahoo has not presented persuasive legal authority to support a windfall.”

In sum, insurers should carefully consider the implications of the Court’s rulings on the duty to defend. Under this Court’s approach, a duty to defend might exist if the facts alleged support an “inference” of the “potential” for coverage, with the onus on the insurer to consider whether the complaint could “reasonably be amended” to allege facts that would potentially bring the claim within coverage of the policy.

Insights

Client Alert | 6 min read | 03.26.24

California Office of Health Care Affordability Notice Requirement for Material Change Transactions Closing on or After April 1, 2024

Starting next week, on April 1st, health care entities in California closing “material change transactions” will be required to notify California’s new Office of Health Care Affordability (“OHCA”) and potentially undergo an extensive review process prior to closing. The new review process will impact a broad range of providers, payers, delivery systems, and pharmacy benefit managers with either a current California footprint or a plan to expand into the California market. While health care service plans in California are already subject to an extensive transaction approval process by the Department of Managed Health Care, other health care entities in California have not been required to file notices of transactions historically, and so the notice requirement will have a significant impact on how health care entities need to structure and close deals in California, and the timing on which closing is permitted to occur....