SteveK September 1st, 2011

In Magic Petroleum, Inc. v. Exxon Mobil, the New Jersey Appellate Division dismissed, without prejudice, Magic’s claim for contribution of remedial costs against Exxon due to NJDEP’s primary jurisdiction of the remedial investigation at the plaintiff’s property. Plaintiff had been the subject of an administrative consent order (ACO) to investigate and remediate contamination at its property resulting from leaking underground storage tanks.  Plaintiff contended that the majority of the contamination came from the neighboring Exxon station and refused to comply with its obligations under the ACO until the NJDEP required Exxon to participate in the investigation. Magic litigated its obligations under the ACO through administrative proceedings, and was required to follow the order. Magic, however,  continued to refuse to conduct the investigation, insisting that the investigation should be imposed upon and shared by Exxon. The NJDEP eventually took over the investigation of the plaintiff’s property. Magic then commenced a contribution action against Exxon.

Exxon filed a motion to stay or dismiss the proceedings, without prejudice, pending the NJDEP’s investigation and remediation of the Magic property, arguing that the NJDEP’s efforts must precede any decision by the court. The trial judge dismissed the case, deferring to the NJDEP’s primary jurisdiction. The Appellate Division affirmed.  The Appellate Court noted that under the doctrine of “primary jurisdiction” a court may defer to an agency where the resolution of an issue is within the special competence of the agency. The court further noted that private contribution rights under the Spill Act require the court to allocate responsibility for remediation costs, but that the initial determination of whether a party is responsible can be decided by the NJDEP, and that “only the DEP can define the contaminants, determine the extent of the discharge, identify the authorized forms of investigative testing, and permissive methodology of cleanup.” Furthermore, “to be entitled to reimbursement and contribution under the Spill Act, a party must obtain written approval under from the DEP of the investigation and proposed remedial action.”  Accordingly, the court concluded that these decisions were within the scope of the special expertise of the DEP and should be determined prior to the case being able to proceed.

This decision demonstrates that a responsible party under the Spill Act that does not conduct investigation and remediation, but allows it to be done by the State, does so at its peril. To do so may have a significant impact in the party’s ability to pursue a contribution claim against other responsible parties, as it allows the NJDEP to determine and define the scope of the investigation, remediation, and possibly to potentially influence any future contribution claim or allocation. It is interesting to consider the effect of the Site Remediation Reform Act (SRRA) on the statements by the court that the DEP will define the contaminants, the extent of the discharge, the forms of investigation and the method of cleanup. Under the SRRA these determinations can be made by a Licensed Site Remediation Professional (LSRP), in accordance with the regulations for site investigation and remediation, referred to the Tech. Regs.  Accordingly, it is may not be that the DEP has to make these decisions. This points, again, to the importance of the party seeking contribution to address and control the response to be able to develop the information, and assert and control the contribution claim.

DiFrancesco, Bateman, Coley, Yospin, Kunzman, Davis, Lehrer & Flaum, PC (www.dbnjlaw.com ) is a full service law firm in New Jersey which provides a broad range of legal services, including the representation of clients in environmental and defense of toxic exposure matters. For additional information about the matters in this bulletin or in the firm’s environmental practice, please contactSteven A. Kunzman, Esq. who heads our Environmental and Latent Injury Litigation Department.

Tags: Contamination, Environmental Law, Ground water, Groundwater, LSRP, New Jersey, NJ Spill Act, NJDEP, Primary Jurisdiction, Site Remediation Reform Act, Spill Act, SRRA

• Defense Litigation , Environmental Law , NJ Spill Act , Real Estate
• Comments Off

SteveK June 15th, 2011

On June 14, 2011 the New Jersey Supreme Court ruled that a claim for bad faith against an insurer for failure to settle a case within the limits of an insurance policy is to be decided by a jury.  Wood v. New Jersey Manufacturers Insurance Co. involved a claim by Karen Wood who was bitten by a dog when delivering mail in a condominium complex. New Jersey Manufacturers (NJM) insured the owner of the dog and defended the case under the policy. Prior to trial an arbitrator assessed the damages as $600,000, and apportioned the award 90% to the owner of the dog and 10% to the condominium association.  The arbitration award was rejected by the defendant’s insurer and the matter proceeded to trial. Prior to trial NJM offered to settle the case for $300,000; however, the offer was rejected. The plaintiff did agree to settle the case at or near the policy limits of $500,000. Prior to trial both defense counsel and NJM’s claims handler recommended payment of the policy limits, but NJM’s claims committee refused to increase the offer. In accordance with the Rova Farms decision, the plaintiff placed NJM on notice that the offer was in bad faith.  The matter went to trial and  the jury awared the plaintiff damages  in the amount of $2,422,000. The jury also assessed 51% of the liability to the dog owner. The trial court molded the verdict so that the dog owner was responsible for $1,408,320.33 of the judgment. NJM paid the $500,000 policy limits. The defendant assigned her claim for bad faith against NJM to the plaintiff so that plaintiff could pursue NJM for the judgment in excess of the policy limits. Plaintiff filed a motion for summary judgment which was granted. On appeal, the defendant, NJM, argued that summary judgment was improper for a variety of reasons, including that the matter should have been decided by a jury.  The Appellate Division remanded to the trial court for more specific findings of fact and for the trial court to determine if the matter should be decided by a jury. The N.J. Supreme Court granted certification on the sole issue of whether such claims should be decided by a jury. The Supreme Court decided that this was not an issue of whether or not there is coverage under the policy as is typically contained in a declaratory judgment action, but is a “garden variety” contract action based upon the covenant of good faith and fair dealing which is contained in all contracts.  The Court determined that the claim was legal in nature, not equitable, and was, therefore, to be decided by a jury. The Court was careful to note that not every Rova Farms-bad faith case must be tried to a jury, as the parties may elect to waive the jury either by not demanding it in the first instance, or where the parties agree that a bench trial would be more fitting.

Once a jury trial is demanded in a pleading in New Jersey, both parties must consent to waive the jury demand unless there is no right to a jury for the claims. It is interesting to note that only the plaintiff demanded a jury trial in the pleadings of this case, but that it was NJM that insisted on the jury trial. NJM’s position was joined by the amici curiae Insurance Council of New Jersey, and the Property Casualty Insurers Association of America.  Whether the decision to assert the jury right was a strategic maneuver to avoid an adverse decision and keep the matter open for further negotiation, or was truly an assertion of a substantive right, the decision reveals the importance of assessing whether a jury demand should be included in the initial complaint or answer as the demand may be a significant factor in the overall handling and final trial of a case.

DiFrancesco, Bateman, Coley, Yospin, Kunzman, Davis & Lehrer, PC ( www.dbnjlaw.com ) is a full service law firm in New Jersey which provides a broad range of legal services, including the representation of clients in insurance coverage. For additional information about the matters in this bulletin or in the firm’s insurance practice, please contact Steven A. Kunzman, Esq. who heads our Insurance Coverage Department.

Tags: Insurance, insurance law new jersey, insurance law NJ, New Jersey insurance law, NJ insurance law

• Defense Litigation , Insurance Law
• Comments Off

SteveK May 20th, 2011

In NJDEP v. Saint Gobain Plastics Corp. DiFrancesco, Bateman succeeded in having the State’s common law claims for natural resource damages (NRD) dismissed under New Jersey’s 10 year statute of limitations for the State’s assertion of claims: N.J.S.A. 2A:14A-1.2.  Contamination was discovered at defendant’s property in 1991. The defendant entered into an Administrative Consent Order and commenced site remediation immediately. The remedial efforts have continued to date.  The State was aware of the discharge in 1991, but did not institute a claim for NRD until 2005. Although defendant was previously held liable under the New Jersey Spill Act, the defendants sought summary judgment on the State’s common law claims for nuisance and trespass.  Judge LaConte of the Superior Court of Passaic County ruled in favor of defendant, holding that the common law claims for NRD do not constitute claims under the “State’s environmental laws” as defined in N.J.S.A.  58:10B-17.1.c., and therefore, the limitations period would not be extended for 5 years and 6 months from January 1, 2002 as provided for in section N.J.S.A.  58:10B-17.1.b. The Court concluded that since the statute extending the time for filing referred to nine specific statutes, and then referred to ,”… any other law or regulation by which the State may compel a person to perform remediation activities on contaminated property…” that the prior language demonstrated the intent of the legislature to limit the extended time period to statutes, not common law causes of action that may be used for purposes other than environmental protection.

Judge LaConte also rejected the State’s alternative theory that the continued presence and alleged migration of contaminants in the ground water constituted a continuing tort. The Court concluded that the “curative action” occurred when the seepage pit was removed in1991 and, as a result, no “new” contamination occurred. As a result, Judge LaConte ruled that “[a]lthough the effects of the discharge are still present…and may persist for decades, the alleged nuisance and trespass caused by the defendants no longer continued after 1991.” The Judge observed that if the tort was deemed to continue until the “end of remediation, long after the cause of the contamination had been removed, it would provide plaintiffs with an almost infinite amount of time to file common law causes of action.” In fact, he noted, this would even provide the State more time to file common law claims than had been extended by the legislature in N.J.S.A. 58:10B-17.1.

The decision is presently unreported. A copy can be obtained from Steven A. Kunzman, who represents Saint-Gobain in the matter.

DiFrancesco, Bateman, Coley, Yospin, Kunzman, Davis & Lehrer, PC (www.dbnjlaw.com ) is a full service law firm in New Jersey which provides a broad range of legal services, including the representation of clients in environmental and defense of toxic exposure matters. For additional information about the matters in this bulletin or in the firm’s environmental practice, please contactSteven A. Kunzman, Esq. who heads our Environmental and Latent Injury Litigation Department

Tags: Contamination, Environmental Law, Ground water, Natural Resource Damages, New Jersey, NJ Spill Act, Spill Act, Statute of Limitations

• Defense Litigation , Environmental Law , Natural Resource Damages , NJ Spill Act
• Comments Off

Todd Ruback May 5th, 2011

Privacy Concerns for the Risk Manager:

It’s Not Just About Private Litigation

 By Todd B. Ruback, Esq., CIPP, CIPP/IT

May 5, 2011

The FTC is stepping up enforcement actions of alleged privacy violations by companies.  Additionally, many State Attorneys Generals, seeing regulatory enforcement as a means to generate positive press as well as revenue, are also taking a more aggressive posture on alleged privacy violations.  This trend is important to the privacy risk manager because many insurance policies now cover the costs to respond to privacy regulatory actions.  It is extremely expensive and time consuming to go through such a regulatory investigation.  Many such investigations result in voluntary Consent Orders that often require the companies to implement and maintain comprehensive information security programs, and to obtain independent third party audits certifying compliance for a number of years, sometimes as many as twenty.   What isn’t clear is whether these subsequent costs to comply with the Consent Orders are an insurable event.

The FTC recently settled charges it had brought against two companies, Ceridian Corporation and Lookout Services, Inc, that allegedly failed to protect the sensitive information of employees of their business customers.  The FTC alleged that the companies failed to have reasonable and appropriate security measures in place to protect this sensitive information, and therefore violated certain provisions of the FTC Act.  In settling with the FTC, both companies agreed to not misrepresent claims about the privacy, confidentiality or the integrity of personal information in the future, to implement comprehensive information security programs and to obtain independent third party audits of the programs every other year for twenty years.  As anyone who has to comply with twenty year Consent Orders will attest, this new layer of compliance, results in added burdens and costs to management and can have a completely unnecessary and negative margin impact.

Ceridian is a provider of human resource services.  Businesses outsource certain human resource functions, such as the payroll, to Ceridian and therefore Ceridian will have access to a lot of personal information about the employees of its customers.  Ceridian held out that it offered “Worry-free Safety and Reliability” in protecting the personal information of the employees of its business customers.  It stated that its “…comprehensive security program is designed in accordance with ISO 27000 series standards, industry best practices and federal, state and local regulatory requirements.”  The FTC, in its complaint, alleged that Ceridian’s security of personal information was in fact inadequate. The FTC alleged, among other things, that Ceridian did not adequately protect its network from reasonably foreseeable attacks and that it also indefinitely stored personal information in a readable text on its network, without a business purpose or reason.  A data breach occurred in December 2009 via a web-based payroll application.  Approximately 28,000 employees of Ceridian business customers had their personal information compromised.   

Lookout Services, Inc. licenses a web-based product that gives employers the ability to comply with US immigration laws.  The product stores personal information such as names, addresses, dates of birth, and SSNs.  The FTC alleged that the company, despite claims to the contrary, did not provide adequate security to keep personal information reasonably secure from unauthorized access.  The FTC alleged, by way of example, that personal information could be accessed without using a user name or password, rather by simply entering a URL into a web browser.  Other examples of alleged inadequate security included the failure to require strong passwords, failure to require periodic changes to user passwords, and a lack of employee training on security of personal information.  As a result of these alleged poor privacy practices, a data breach occurred when an employee of one of the company’s business customers accessed personal information in the Lookout Services database, including the SSN of almost 37,000 people.

The privacy risk manager, in addition to being concerned about the private lawsuits resulting from these data breaches, also must think about the concordant regulatory investigations and responses to these same data breaches.  In essence, an insurer may be asked by an insured to cover the costs of the same transgression multiple times.  Many insurance companies are now requiring, as part of the underwriting process that the applicant companies go through a privacy assessment prior to coverage being approved, as well as an annual health check up.  Privacy assessments will help the risk manager identify areas of potential risk in an applicant’s security program so that remediation can be taken to meet the FTC’s standards for adequate and reasonable safeguards of personal information.  Further, once an event has happened, a risk manager may want to do a privacy assessment of the insured, often under the umbrella of privacy counsel, to help identify potential areas of concern for future litigation, as well as to identify areas of remediation to reduce the risk of future events.

DiFrancesco, Bateman, Coley, Yospin, Kunzman, Davis & Lehrer, PC (www.dbnjlaw.com ) is a full service law firm in New Jersey which provides a broad range of legal services, including the representation of clients in technology and privacy matters. We have affiliated offices in New York, Philadelphia, London, and Boca Raton.  For additional information about the matters in this bulletin or in the firm’s insurance practice, please contact Todd. R. Ruback, Esq., CIPP, CIPP/IT, who heads the Privacy and Technology Law Department, at truback@newjerseylaw.net or at 908-757-7800 x196.

Tags: deceptive trade practices, FTC Act, Insurance, privacy, unfair trade practices

• Defense Litigation , Insurance Law , Privacy Law
• Comments Off

SteveK July 17th, 2010

On July 13, 2010, in Commissioner of the Department of Planning and Natural Resources v. Century Alumina, LLC, et.al., the Federal District Court from the St. Croix division of the Virgin Islands, held that an action to recover natural resource damages (NRD) must be commenced within 3 years of the constructive knowledge of the injury by the trustee.

The plaintiff trustee brought the claim against a number of industrial entities for the release of contaminants onto a number of industrial tracts at various times which injured the land as well as groundwater and the Caribbean Sea.  The defendants moved for summary judgment seeking dismissal of the claims under CERCLA’s limitation of actions provision, which provides that an action for NRD must be commenced within 3 years following “the date of the discovery of the loss and its connection with the release in question.” Although the statute does not state what is meant by “discovery” the court relied upon numerous prior decisions as to other statutes and other aspects of CERCLA to conclude that it is based upon the constructive knowledge of the trustee. The court went on to clarify that the knowledge of the agency, including the knowledge of any prior trustee, would be imputed to the present trustee.  Accordingly, the determination of whether there was NRD related to the discharges would require an analysis of when the trustee knew or should have known that there was an injury to the natural resource related to the discharges, which would commence the running of the time for bringing an action. With this ruling in hand, the court analyzed the facts as to each site and each defendant, dismissing some claims and allowing others to continue.

This case demonstrates that there courts will take a rational approach in considering the relationship between knowledge of a discharge of contaminants and the commencement of NRD claims. The interests of the government to pursue recovery of NRD, while important, will not allow the government to be inattentive to their statutory obligation to act promptly to seek to enforce these rights.

DiFrancesco, Bateman, Coley, Yospin, Kunzman, Davis & Lehrer, PC ( www.dbnjlaw.com ) is a full service law firm in New Jersey which provides a broad range of legal services, including the representation of clients in environmental and defense of toxic exposure matters. For additional information about the matters in this bulletin or in the firm’s environmental practice, please contactSteven A. Kunzman, Esq. who heads our Environmental and Latent Injury Litigation Department.

Tags: CERCLA, Contamination, Environmental Law, Ground water, Groundwater, Natural Resource Damages, NRD, Pollution, Statute of Limitations

• Defense Litigation , Environmental Law , Natural Resource Damages
• Comments Off

SteveK July 16th, 2010

On June 12, 2010, in Mereno v. American Home Products, Inc., the New Jersey Appellate Division affirmed the dismissal of a claim by Mark Moreno and his mother of defectively manufactured oral polio vaccine (OPV) which had been administered to plaintiff resulting in a brain tumor and permanent disabilities. It was claimed that the vaccine used was defective because the manufacturer failed to screen for infective Simian Virus 40 (SV40).  Since plaintiffs were unable to identify the responsible manufacturer, they named all the companies licensed to manufacture OPV at the relevant time. The Court affirmed that summary judgment was appropriate even though discovery was not complete, because the plaintiff could not show that the outstanding discovery would supply information relevant either to lead to the identity of the manufacturer or to any theory of collective liability.

In analyzing the plaintiffs’ claims of collective liability, the court first considered whether the law of New Jersey or the law of New York applied as evidence indicated that the OPV was administered in New York; however, the plaintiffs have resided in New Jersey for over 35 years. The Court reviewed the various theories of collective liability and concluded that under the laws of both states, they could not be applied in this case.  The court distinguished a New York decision applying market-share liability to the manufacturers of another drug, DES, because the injury did not result from the defective design of the drug, as with DES, but was due to the failure of a manufacturer to comply with federal regulations relevant to screening and neutralization of SV40 and “and produced a defective or deviant vaccine.” The Appellate Court, therefore, concluded that the failure of a single manufacturer to comply with proper manufacturing processes and procedures did not warrant imposition of liability on all the manufacturers of the same product.

This decision continues to reinforce the requirement of proper product identification, and the need for the plaintiff to prove causation-in-fact, and further reviews the limited grounds where a court will shift the burden to defendants to distinguish their product or actions from that of other defendants.

DiFrancesco, Bateman, Coley, Yospin, Kunzman, Davis & Lehrer, PC ( www.dbnjlaw.com ) is a full service law firm in New Jersey which provides a broad range of legal services, including the representation of clients in environmental and defense of toxic exposure matters. For additional information about the matters in this bulletin or in the firm’s environmental practice, please contact Steven A. Kunzman, Esq. who heads our Environmental and Latent Injury Litigation Department.

Tags: collective liability, drug liability, Environmental Law, insurance law new jersey, OPV, oral polio vaccine, Products Liability Defense, SV40, Toxic Torts

• Bodily Injury Defense , Defense Litigation , Environmental Law , Toxic Torts
• Comments Off

SteveK April 12th, 2010

On April 5, 2010 the NJ in Buttitta v. Allied Signal, Inc. et.al. the Appellate Division affirmed the largest award in an asbestos/mesothelioma case in NJ. The jury awarded the plaintiff widow and family $8,000,000 for pain and suffering, $2,000,000 for loss of consortium, $9,281,660 for loss of earnings, $2,030,544 for loss of services and $3,000,000 to each of the three children for loss of parental care and guidance. The award against Borg-Warner and the Canadian mining company, Asbestos Corporation, Ltd. (ACL), was in addition to funds collected from settling parties, General Motors, Honeywell (for Bendix brake products) and C.L. Zimmerman a distributor of ACL asbestos. (This office represented Zimmerman, which settled during trial.) Borg-Warner and ACL challenged this significant award on numerous grounds, including causation, failure of the court to exclude testimony of numerous experts, and the failure of the court to allow the defendants to submit interrogatory responses of settled parties to the jury for the purpose of allocating responsibility to those settled parties, as well as the refusal of the court to include the settled parties on the verdict sheet, also for the purpose of allocating liability. ACL also challenged the striking of its defenses based upon their inability to produce certain documents required in discovery due to Canadian laws that prohibited production of the information requested.

The decedent, Mark Buttitta, had worked as a parts picker at a GM facility in summers while a student at Colgate University. His father had also worked at the same facility while Mark was growing up. It was claimed that Mark was exposed to asbestos from the parts and the accumulated dust in the GM parts warehouse, and also from the asbestos in the dust on his father’s clothing when Mark was growing up. Mark contracted mesothelioma in his early 50’s and died leaving a wife and three daughters in their teens and early 20s. Claims were asserted against the manufacturers and distributors of asbestos containing automotive parts including brakes and clutches, as well as the companies that mined and distributed asbestos to GM for the manufacture of brakes and clutches.

The Appellate Court affirmed all of the procedural and evidentiary decisions of the trial judge and the jury award. In doing so it concluded, based upon the uncontradicted expert testimony, that mesothelioma “is associated with the ‘the smallest’ exposure to asbestos and can develop from the cumulative effects of minimal and infrequent exposure.” The Court also affirmed the ruling that the responses to interrogatories of GM, which had settled before the start of trial, were not admissible by defendants under the rules of court, which permit use of interrogatories as statements of any party, since GM was no longer a party to the litigation. Borg-Warner, the court also held, “bore the burden of presenting a basis for allocation of percentages of fault in order to reduce its individual percentages of fault, which it failed to do.” In short, there was no evidence presented at trial to support the claims against the settled parties.  Accordingly, the Court concluded that it was correct that the settling parties were not included on the verdict sheet to permit the jury to allocate percentages of liability to any party other than the remaining defendants, Borg-Warner and ACL.

A significant question raised in this decision involves the ruling prohibiting the use of the interrogatories of settled parties to prove cross-claims so that the jury can assign liability to settled defendants.  This raises questions where joint defense groups are careful not to develop independent evidence to support cross-claims. This, of course, only present a question if parties settle during or immediately prior to trial when it is too late for the remaining parties to adequately develop the necessary evidence and expert testimony. In the usual case, independent settlement is always a possibility at any time. Accordingly, defendants will need to develop a manner to develop appropriate evidence to support cross-claims in the event they become the last party in a case.

DiFrancesco, Bateman, Coley, Yospin, Kunzman, Davis & Lehrer, PC ( www.dbnjlaw.com ) is a full service law firm in New Jersey which provides a broad range of legal services, including the representation of clients in environmental matters. For additional information about the matters in this bulletin or in the firm’s environmental practice, please contact Steven A. Kunzman, Esq. who heads our Environmental and Latent Injury Litigation Department.

Tags: Asbestos, Mesothelioma, Products Liability Defense, Toxic Torts

• Asbestos , Bodily Injury Defense , Defense Litigation , Environmental Law , Products Liability , Toxic Torts
• Comments Off

SteveK November 16th, 2009

By

Steven A. Kunzman, Esq.

And

Todd B. Ruback, Esq., CIPP

Privacy Overview

 The pervasive use of the Internet as a business platform and for the collection, use and transmission of personal information presents fertile ground for the growth in claims arising from data breaches and improper privacy practices. As these claims arise, they will undoubtedly be tendered to insurers for defense and indemnification under various commercial policy forms, including those recently developed to provide coverage for privacy claims.[1] Insurance companies must be cognizant of the changing winds on the privacy landscape.  Due to increasing regulatory compliance requirements and a spike in privacy related litigation flowing from record setting data breaches, organizations and insurance carriers will undoubtedly be faced with privacy as a significant risk component to business.  According to Verizon Business’s 2009 Data Breach Investigation Report, 2008 saw more reported data breaches than the previous four years combined, with 285 million records breached. [2]  The Poneman Institute estimated in its 2009 Annual Study that the average cost for a data breach exceeded $200 per record for organizations that were first time victims of a data breach.[3]  Numerous class action suits for privacy violations have been filed, the most famous of which is against Heartland Payment Systems, for a massive breach caused by external hackers.[4]  Additionally, the FTC and Attorneys General of states across the country appear to be stepping up enforcement actions against companies for improper privacy practices.

 The likelihood of an organization facing a privacy-related claim for liability or a regulatory enforcement action for improper privacy practices has increased significantly.  Concordantly, claims for coverage under insurance polices will increase significantly over the coming years. Although the present anticipated harm to any individual does not appear to be significant, these claims will have an impact on an insurer by increasing costs for claims processing, investigation, incident response management, complying with statutorily required breach notification processes, litigation defense and payment of claims, particularly the costs for any class action claims.

Privacy Litigation and its Impact Upon the Insurance Carrier

 Some background in privacy issues is helpful to put these potential claims into an understandable context. There are two components to privacy:  data protection and privacy practices.  Both components are governed in large part by either regulation or statute, and in some cases by common law. 

 Data Protection:            Data Protection encompasses the security of data that contains personal information.  There are generally three elements to security: technical, physical and administrative.  Industries such as financial services and healthcare have security standards as respectively enumerated in the Gramm-Leach-Bliley Act (GLBA) and Health Insurance Portability and Accountability Act (HIPAA).  Further, the payment card industry has created its own technically objective security standard, PCI-DSS, which applies to many organizations that accept payment cards.

 A security breach may take many forms, some of which include the unauthorized access to personal information by   an external source such as a hacker or an outsourced service provider, the unauthorized access to personal information by an internal source such as an employee or contractor, or something as simple as the theft of a company laptop that contains personal information 

Private party lawsuits against companies for failing to protect data due to deviation from certain standards are based upon a negligence theory.  To date plaintiffs have had difficulty prevailing on negligence claims, although there have been numerous and significant settlements.[5]  The challenge plaintiffs have faced is in proving actual damages that were proximately caused by the defendant’s failure to protect personal information.6  Some courts, however, are beginning to view data breach litigation in a similar light to toxic tort medical monitoring claims in that the threat of future harm may be sufficient to sustain a claim.7  If this “future risks” approach to data protection litigation gains traction, then insurance companies can look forward to more protracted and costly litigation, with the potential for significant jury awards under the class action umbrella.

 Privacy Practices:            Privacy practices that may be subject to claims include: improper collection, use, or transfer of personal information; the improper collection of information using unauthorized cookies, spiders, spy ware, or other technological means; failure to protect personal information according to a company’s posted online privacy statement; having a privacy statement that does not meet regulatory requirements8 spamming, improper faxing or telemarketing, and the commission of privacy torts such as the invasion of privacy.  For companies that transact online business in not only the United States, but also the European Union (EU) where the laws on privacy practices are greatly different, compliance become complex and risk of an improper privacy practice rises greatly.

 Companies committing improper privacy practices are often subject to multiple layers of penalties or fines not only in the EU but also in the United States.  For example, if a company fails to protect personal information according to its posted online privacy statement, it may be subject to an investigation and penalties from both the Federal Trade Commission (FTC) and state authorities for unfair/deceptive online trade practices,9 in addition to the potential private claims for violations of state consumer protection laws.  In essence, a company may pay three times for the same transgression in the US.  Although insurance policies generally exclude coverage for regulatory or enforcement actions by governmental bodies, the exposure is presented in private litigation, which may require aggressive defense of the regulatory claim.  It appears, however, that some of the new privacy insurance policies may offer coverage for regulatory matters. 

 Insurance Coverage:  Coverage Part B of a typical Comprehensive General Liability  (CGL) insurance policy generally includes coverage for damages cause by “personal injury” and “advertising injury.” Although those representing the insured often consider this section of the insurance policy to provide an expansive grant of coverage, this coverage is usually considered by the insurer to be limited to a number of specified claims such as personal injury, which is often defined in a CGL policy as “an injury arising out of…violation of an individual’s right of privacy.”  Part B of the policy states that the insurance applies to personal injury if “caused by an offense…[a]rising out of the conduct of your business, excluding advertising, publishing, broadcasting or telecasting done by or for you.” These policy forms were surely designed without any contemplation of the current risks since they have only come into existence with the pervasive use of computers and the Internet to transact business. In addition, there may be issues as to when the “injury” has taken place; at the time of the breach or the time when the personal injury is actually sustained.  In order to be able to properly evaluate and assume the risks some insurers have, therefore, developed policies to specifically address the risks presented. Undoubtedly if claims continue to rise and develop as anticipated, insurers may dispute coverage and/or respond to the claims being asserted based upon polices that, at the time of issuance, did not envision the present risk of injury caused by data breach.  Management of the risk therefore requires a thorough understanding of the nuances of the laws and requirements of   best of breed privacy practices

 Conclusion

The changing privacy landscape will have a tangible impact on an insurance carrier’s costs of responding to claims under the personal injury and advertising portions of the CGL policies and under specifically designed policies.  Foresight in addressing these

risks and an understanding of the landscape of privacy laws and issues will be an

essential component to underwriting the risks and defending the claims.

 End Notes

[1] Zurich North America Commercial Expands Security, Privacy Insurance Coverage, http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=218400572

2 Verizon Business 2009 Data Breach Investigations Report, By Wade Baker, April 15, 2009

3 Poneman Institute’s Fourth Annual US Cost of Data Breach Study, By Dr. Larry Poneman, January 2009

4 In Re: Heartland Payment Systems, Inc. (626 F. Supp 2d 1336; 2009 U.S. Dist. LEXIS 81493) (Order 

  granting consolidation of class action lawsuits.)

5 See, In re TJX Cos. Retail Sec. Breach Litig., 246 F.R.D. 389; 2007 U.S. Dist. LEXIS 87920 (over $40M settlement) and Department of Veterans Affairs Data Theft Litigation, No. 06-0506 (D.D.C. January 27, 2009) ($20M settlement)

6 See, Forbes v. Wells Fargo Bank, N.A., 420 F. Supp2d 1018, 1021 (D.Minn.2006); Giordano v. Wachovia Sec., LLC., 2006 2177036 (D.N.J. July 31, 2006) (unpublished); Guin v. Brazos Higher Educ. Serv. Corp., Inc. 2006 WL 288483 (D. Minn.) Feb 7, 2006 (unpublished); Hendricks v. DSW Shoe Warehouse, 444 F. Supp. 2d 775, 783 (W.D. Mich. 2006)

7 See, Pisciotta v. Old Nat. Bancorp, 499 F.3^rd 629 (7^th Cir. Aug. 21, 2007)

8 See, GLBA

9 See, Pinero v. Jackson Hewitt Tax Services, No. 08-3535 (E.D. La. Jan 7, 2009)

 Todd B. Ruback, Esq. is chair of the Privacy and Technology Practice at the law firm of DiFrancesco, Bateman, Coley, Yospin, Kunzman, Davis & Lehrer, P.C.  He is also a Certified Information Privacy Professional (CIPP) and thought leader in the area of privacy law.  He has authored or co-authored numerous publications on privacy and is also a lecturer at various privacy seminars and conferences.  He is a present nominee to be on the Board of Directors of the International Association of Privacy Professionals (IAPP) for the upcoming term of 2010-2015 and will be a speaker at the IAPP International Privacy Convention to be held in Washington, D.C. in April 2010, where he will lecture on trends and risk in privacy litigation. 

 Steven Kunzman, Esq. is the chair of the Insurance Coverage Practice of the law firm of DiFrancesco, Bateman, Coley, Yospin, Kunzman, Davis & Lehrer, P.C.  He has been providing counsel and representation to insurance companies on insurance coverage matters and defense to insurance company clients for over 25 years.  

Tags: insurance law new jersey, Privacy Law, Technology Law

• Corporate Law , Defense Litigation , Insurance Law , Privacy Law , Technology Law
• Comments Off

SteveK September 14th, 2009

In Kolokowski v. Crown Equipment, U.S. District Court in New Jersey recently confirmed that the duty to train employees rests with the employer, not the manufacturer.

The case involved a claim for injuries sustained by plaintiff while operating a walkie rider pallet truck.  In a decision granting summary judgment to the defendant, the Court first addressed whether the plaintiff’s expert was qualified to render an opinion on whether the product was defectively designed. The Court conducted a Daubert hearing, and after extensive analysis, concluded that the expert’s opinion did not satisfy the trilogy of restrictions on the admissibility of an expert: whether the expert is qualified, whether the methods employed in developing the opinion are reliable, and whether the proffered expert testimony fits with the facts of the case. The plaintiff, therefore, was unable to sustain its burden of proof on its design defect claim.

The plaintiffs also asserted a failure to warn claim, asserting that the defendant manufacturer had an obligation to provide training. The Court rejected this argument finding substantial support to the contrary in New Jersey. The Court relied upon Grier v. Cochran Western Corp. 308 N.J. Super 308 (App. Div. 1998) in which the obligation was placed squarely on the employer. The Court also noted that OSHA specifically places the duty to train operators of powered industrial trucks on the employer. 29 CFR Sec. 1910.178. The Court also countered the contention that employers lack the incentive to train employees by stating that the goals of an employer for increased productivity affecting the bottom line is a significant incentive and, further, that employers are better situated to conduct such training since they can discipline employees for failure to attend training coupled with the employers having more credibility with their employees than a “remote product manufacturer.” This, along with the plaintiff’s admissions that training would not have helped him avoid the accident, left no room for the claim of plaintiffs to be sustained. The Court therefore, dismissed all claims of plaintiffs.

DiFrancesco, Bateman, Coley, Yospin, Kunzman, Davis & Lehrer, PC ( www.dbnjlaw.com ) is a full service law firm in New Jersey which provides a broad range of legal services, including the representation of companies in defense of products liability claims. For additional information about the matters in this bulletin or in the firm’s Products Liability Practice, please contact Stephen O. Davis, Esq.

Tags: Products Liability Defense

• Bodily Injury Defense , Defense Litigation , Products Liability
• Comments Off