Guest Post: Some Good News for the Cybersecurity Class Action Bar

John Reed Stark

As discussed in the following guest post from John Reed Stark, a recent development in the class action litigation arising out of the massive Marriott International data breach could have significant ramifications for other claimants asserting class action claims — including securities class action claims — based on data breaches or other cybersecurity incidents. Stark is President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement. A version of this article originally appeared on Securities Docket. I would like to thank John for allowing me to publish his guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is John’s article.


The cybersecurity class action bar might be celebrating the holidays a bit early this year.

The enthusiasm stems from a recent (but barely noticed) judicial letter from Judge Paul W. Grimm, of the United States Federal District Court for the District of Maryland, who oversees class action litigation arising out of last year’s data breach of Marriott’s Starwood guest reservation database. In his letter, which is essentially a judicial decree, Judge Grimm ordered Marriott to make public a crucial third-party report that will reveal key details about the data breach.

Known formally as a “Payment Card Industry Forensic Investigative Report,” or “PFI Report,” the report in question can be one of the most evidentiarily powerful documents in a data breach involving credit card information. In the pending multidistrict class actions related to the Marriott breach, filed by consumers, financial institutions and governments, the Marriott PFI Report has previously either been severely redacted or sealed off from the public entirely. But now, per Judge Grimm, the First Amendment mandates the Marriott PFI Report’s public release (perhaps lightly redacted).

On the surface, Judge Grimm’s order might look like part of one of the many inconsequential discovery-related squabbles that typically occur during class actions and other litigation. But Judge Grimm’s decision could have significant ramifications for plaintiffs filing securities-related and other class actions following data breaches at retail companies.

This article drills down into Judge Grimm’s ruling, and:

  • Explains, beginning with PCI-DSS compliance, why a PFI Report can be the most critical documentary evidence relating to a data breach;
  • Discusses the class actions related to the Marriott data breach and the ramifications of Judge Grimm’s ruling, not just for Marriott but for any company that handles credit cards; and
  • Offers some salient advice for retailers who wish to avoid, or at least mitigate, the potential costs and other problematic issues associated with Judge Grimm’s ruling.

Retailers and PCI-DSS Compliance

The Payment Card Industry Data Security Standard (PCI-DSS) is a set of requirements created to help protect the security of electronic payment card transactions that include personal identifying information (PII) of cardholders, and it operates as the industry security standard for organizations that handle credit card information. PCI-DSS applies to all organizations that hold, process or transmit cardholder information, and it imposes requirements on those entities for security management, policies, procedures, network architecture, software design and other critical measures that help protect customer credit and debit card account data.

The Payment Card Industry Security Standards Council (PCI SSC), an international organization founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. in 2006, develops and manages certain credit card industry standards, including the PCI-DSS. In addition to promulgating PCI-DSS, the PCI SSC has developed a set of industry rules governing responses to payment card data breaches. These rules, known collectively as the Payment Card Industry Forensic Investigator (PFI) program, were intended to replace the programs established by the individual card brands.

In theory, PCI-DSS is good for retailers, establishing a minimum data security standard that all retailers must meet, discouraging competitors from cutting corners and allowing for some uniformity and stability. PCI-DSS not only protects the card brands but it also ensures that consumers feel safe when using credit and debit cards. However, adhering to PCI-DSS can become costly and onerous, especially for retail chains, and can subject retailers to the cybersecurity whims of the card brands, who enjoy a very strong bargaining position.

PCI-DSS and Data Breaches

When a cyber-attack targets electronically transmitted, collected or stored payment card information, whether the retailer was in compliance with PCI-DSS quickly becomes an intense area of inquiry.

For instance, the card brands may levy significant fines and penalties on retailers that are not in compliance with PCI-DSS. Such penalties and fines, imposed separately by each card association, can include:

  • Hefty fines (in multiples of $100,000) for prohibited data retention;
  • Significant additional monthly fines (can be $100,000 or more per month depending on the nature of the data stored) assessed until confirmation is provided indicating that prohibited data is no longer stored;
  • Separate fines (in multiples of $10,000) for PCI-DSS non-compliance;
  • Additional monthly fines (likely $25,000 per month) assessed until confirmation from a qualified security assessor that the merchant is PCI-DSS compliant;
  • Payment of monitoring (can be as high as $25) and reissuing (up to $5) assessments for each card identified by the card association as potentially compromised; and
  • Reimbursement for any and all fraudulent activity the card association identifies as being tied to a security data breach.

The PFI Report

Once a data security incident occurs, the retailer is contractually obligated to hire a specially certified, PCI-approved forensic investigative firm (also known as a “PFI”) from a small and exclusive list of card-brand-approved vendors (currently 22 companies), whose investigation determines whether the retailer must incur any of the above penalties or pay for any system modifications required to achieve PCI-DSS compliance.

The PFI team then performs a specified list of investigative work, including writing a final report about the data security incident – the PFI Report — that is issued to both the retailer and the various credit card companies. The PFI Report then becomes the basis the card brand companies use to calculate the fines levied against the acquiring banks. Those fines are then passed along to the victim company in the form of indemnification.

More Art Than Science

Sometimes PFI Reports are the most thorough, comprehensive and authoritative analysis of a cyber-attack upon a retailer. But sometimes, albeit unintentionally, the PFI Report can be prejudiced, jaundiced, biased or otherwise flawed.

The findings and conclusions of PFI Reports typically derive from painstaking efforts of digital forensics and malware reverse engineering, which can consist of conjecture, hypothesizing, speculation, supposition and simple old-fashioned guesswork. In fact, both skill sets are more art than science, which can render PFI Reports overly subjective, skewed or even mistaken. Here’s why:

First off, while some data security incidents may provide key evidence early on, most never do, or, even worse, provide a series of false positives and other initial stumbling blocks. After a cyber-attack, there is rarely, if ever, a CSI-like evidentiary trail.

Indeed, digital forensic evidence of a data security incident is rarely in plain view; it can rest among disparate logs (if they even exist), volatile memory captures, server images, system registry entries, spoofed IP addresses, snarled network traffic, haphazard and uncorrelated timestamps, Internet addresses, computer tags, malicious file names, system registry data, user account names, network protocols and a range of other suspicious activity. Evidence can also become difficult to nail down — logs are destroyed or overwritten in the course of business; archives become corrupted; hardware is repurposed; and the list goes on.

Second, when a digital forensics investigator analyzes the virtual remnants, artifacts and fragments left along the attack path through a company’s devices or systems, such as “deleted recoverable files” residing in the more garbled regions of a hard drive (“unallocated and slack space,” or the boot sector), the resulting facts and conclusions are subject to interpretation and are guided by the assumptions and experience of that investigator.

Consider for example the intricacies and complexities of malware-reverse engineering. “Malware” is oft defined as software designed to interfere with a computer’s normal functioning, such as viruses (which can wreak havoc on a system by deleting files or directory information); spyware (which can secretly gather data from a user’s system); worms (which can replicate themselves and spread to other computers); or Trojan horses (which upon execution, can cause loss or theft of data and system harm).

The definition of malware, however, is actually broader, and the term is a bit of a misnomer: it means any program or file used by attackers to infiltrate a computer system. Like the screwdriver that becomes harmful when a burglar uses it to gain unlawful entry into a company’s headquarters, legitimate software can be malware. Thus, malware reverse engineering, a crucial aspect of incident response, is also often the most challenging.

Finally, there also exists a massive cybersecurity labor shortage, with over three million cyber-related jobs remaining unfilled — which means there are quite a few inexperienced amateurs masquerading as incident response professionals, whose findings can be dubious.

This dearth of bona fide data breach response experts should come as no surprise. The data breach response industry remains in its infancy – there are few academic degrees available in the realm of incident response and barely any incident response courses in college and graduate school curricula. Many incident responders come from government, such as the Air Force’s Office of Special Investigations; the U.S. Computer Emergency Readiness Team (CERT) of the Department of Homeland Security; or the various cyber squads of the Federal Bureau of Investigation. Other incident response experts are simply self-taught from experience or from piecing together varying expertise in digital forensics, network engineering and security science.

The bottom line is that no matter where a data breach response worker starts out, it can take as much as a decade of apprentice work to become a bona fide data breach response expert.

PFI Conflicts of Interest

Though the attacked retailer engages the PFI and is responsible for all fees and expenses associated with the PFI’s investigation, the PFI conducts the investigation on behalf of the third-party card brands and with their direct involvement. Thus, even the most trustworthy, conscientious and objective PFI team can have an inherent conflict of interest and be biased.

For instance, under PFI rules, each of the payment card brands is responsible for “Defining requirements regarding the use of PFIs and the disclosure, investigation and resolution of security issues” of the security incident. This supervisory role affords the card brands wide latitude in directing and controlling key aspects of the data breach response process.

In fact, PFI rules actually attempt to minimize involvement of the victim company in the response, stating outright that the company is not to control or direct the investigation. To ensure compromised entities fully understand this limitation, the PFI rules specifically require that the retailer acknowledge and agree in its contract with the PFI “that the investigation is being carried out as part of the PFI Program, that all PFI Report information shall be shared with affected Participating Payment Brands throughout the investigation and that the investigation is not to be directed or controlled in any way by the Compromised Entity.”

To make matters even worse, if a retailer disagrees with any of the findings of the PFI, the retailer has limited, if any, recourse to dispute the PFI Report prior to the unfavorable facts being turned over to third parties. PFI rules require the contract to specify that the PFI has the authority to deliver all final and draft reports and PFI work papers to the card brands at the same time as the reports are sent to the victim retailer.

Retailers can comment on draft and final PFI reports but do not have “approval authority,” and any facts regarding the investigation with which the retailer fundamentally disagrees might not be part of the documentation that the PFI or the card brands provide to third parties.

Meanwhile, in stark contrast, the credit card brands enjoy unique input and control with respect to the documentation of a security incident, including approval rights over all PFI reports and the ability to reject any report that does not conform to all applicable requirements, such as templates and use of proper scoping methodology.

Dueling, Parallel Digital Forensic Investigations

Given the potential for bias, conflicts of interest and subjectivity (or even mistakes), retailers rarely stand by quietly and simply accept the PFI’s findings on the data breach.

Instead, when hiring a PFI after a cyber-attack, most retailers also engage a second, “company-directed” forensic examiner for the investigation, one that is completely independent of the card-brand-approved PFI list. This second, company-directed forensic examiner typically reports to, and is formally engaged by, the retailer’s outside counsel or internal general counsel.

There can be tremendous advantages for a victim-retailer in engaging its own forensic firm in addition to the card brands’ PFI team. First, absolute technical accuracy and completeness of the report is of paramount importance, given that the report may become the foundation for regulatory inquiry and litigation, and a victim company may need to challenge the findings of a PFI’s draft report.

Second, the involvement and direction of counsel in the context of the investigation will presumably apply to the work product produced by the digital forensic investigators, rendering their findings, conclusions and other communications protected by attorney-client confidentiality. The involvement of counsel also establishes a single point of coordination and a designated information collection point, enhancing visibility into the facts, improving the ability to pursue appropriate leads and, most importantly, ensuring the accuracy and completeness of information before it is communicated to external audiences.

Think of it this way: After experiencing a fire in a home, a homeowner may have concerns about the qualifications or credibility of the insurance adjuster or may believe the insurance adjuster’s report is biased or specious. So the homeowner hires their own expert to challenge the report of the insurance adjuster in order to receive a better insurance payout. The same principle holds true for PCI incident response.

However, there are also some disadvantages to this “dueling investigation” approach. Given the sanctity of the attorney-client privilege and work product doctrines, the retailer’s forensic firm and the PFI firm can rarely collaborate, or even be in the same room together, lest the retailer risk waiving attorney-client privilege.

The retailer may even go so far as to arrange for the PFI firm and the retailer’s firm to deploy different endpoint detection applications – thus paying for two almost identical software licenses. Thus, the retailer pays twice for a cyber-attack investigation and twice for each team’s expensive toolsets – which can add up to millions (or even tens of millions) of dollars. That’s like paying for an Uber car and a Lyft car to take one person home from a night out – it’s a bit maddening.

Welcome to the upside-down world of data breaches: where actual perpetrators are rarely caught; where actual damages to specific customers are rarely identified; and where the retailer victimized by a cyber-attack must not only pay the invoices of the PFI team (which reports solely to the card brands) but must also pay the invoices of the second external forensic expert (which reports solely to the retailer).

The Marriott Breach, the Resulting Class Actions and the Marriott PFI Report

Marriott International, Inc. (Marriott) is a multinational company that manages and franchises a broad portfolio of hotels and related lodging facilities around the world. On November 30, 2018, Marriott announced a data security incident involving unauthorized access to the Starwood guest reservation database containing information relating to as many as 500 million guests. Since then, Marriott claims that attackers who breached its Starwood Hotels unit’s guest reservation system stole personal data from up to 383 million guests — including more than five million unencrypted passport numbers.

Marriott also now asserts that attackers had unauthorized access to its Starwood network of reservations at W Hotels, Sheraton Hotels & Resorts and other properties dating back to 2014, prompting questions about Marriott’s cybersecurity governance and infrastructure as well as suspicion that Marriott negligently missed the breach during its due diligence process before acquiring Starwood in 2016 for $13.6 billion.

The class action frenzy since these events has been nothing short of astounding. A total of 176 plaintiffs from all 50 U.S. states have filed suit against Marriott relating to the Marriott breach. Meanwhile, consumers, financial institutions and governments in various states, such as California, Illinois, New York and Massachusetts have filed dozens more class actions, including a securities class action.

Given the vast scope and number of class actions relating to the Marriott data breach, the plaintiffs agreed to centralize the litigation at a hearing with the Judicial Panel on Multidistrict Litigation. The Judicial Panel: 1) determines whether civil actions pending in different federal districts involve one or more common questions of fact such that the actions should be transferred to one federal district for coordinated or consolidated pretrial proceedings; and 2) selects the judge or judges and court assigned to conduct such proceedings.

The Judicial Panel agreed that consolidating the class action lawsuits into multi-district litigation (MDL) was the best option, also noting that Marriott was headquartered in Maryland and most witnesses would be found in the area and ordering the MDL to reside before Judge Paul Grimm in the Federal District Court of Maryland. The Panel noted in its order:

“[W]e find that centralization…of all actions in the District of Maryland will serve the convenience of the parties and witnesses and promote the just and efficient conduct of this litigation . . . The factual overlap among these actions is substantial, as they all arise from the same data breach, and they all allege that Marriott failed to put in to place reasonable data protections. Many also allege that Marriott did not timely notify the public of the data breach.”

The Marriott Securities Class Actions

The securities class action lawsuit(s) against Marriott and certain of its senior executives assert claims under Sections 10(b) and 20(a) of the Securities Exchange Act of 1934, and SEC Rule 10b-5 promulgated thereunder, on behalf of all persons or entities who purchased or otherwise acquired Marriott common stock between November 9, 2016 and November 29, 2018.

In the first securities class action lawsuit involving Marriott, filed on December 1, 2018, less than one full day (!) after Marriott announced the data security incident, the complaint refers to statements in the company’s SEC filings about the importance of information technology security, alleging that certain statements in Marriott’s SEC filings were false and misleading because: “(1) Marriott’s and Starwood’s systems storing their customers’ personal data were not secure; (2) there had been unauthorized access on Starwood’s network since 2014; (3) consequently the personal data of approximately 500 million Starwood guests and sensitive personal information of approximately 327 million of those guests may have been exposed to unauthorized parties; and (4) as a result Marriott’s public statements were materially false and/or misleading at all relevant times.” Since its initial filing, the plaintiffs have amended their securities class action complaint, and added new and more complete allegations, with the most recent version found here.

Unlike more traditional securities class action lawsuits, the Marriott securities class action lawsuit does not involve allegations of financial or accounting misrepresentations. Instead, it alleges that Marriott suffered a significant reversal in its operations and that the company failed to inform investors that the data security incident might occur and that, if it did occur, it would have a negative impact on the company.

A Brief Aside about the Disclosure of Cyber-Attacks by Public Companies

Public company disclosures relating to cyber-attacks can provide ideal fodder for class action plaintiffs looking for negligent representations, insufficient assertions or misleading statements. There is confusion not just about when a public company should disclose a data security incident, but also about what precisely the public company should say about the incident.

For example, per the U.S. Securities and Exchange Commission’s (SEC) February 26, 2018 interpretive guidance relating to disclosures about cybersecurity risks and incidents, when a company has learned of a cybersecurity incident or cyber-risk that is material to its investors, companies are expected to make appropriate disclosures, including filings on Form 8-K or Form 6-K as appropriate. Additionally, when a company experiences a data security incident, the 2018 SEC Guidance emphasizes the need to “refresh” previous disclosures during the process of investigating a cybersecurity incident or past events.

On the one hand, with respect to the actual content of a company’s disclosure of a data security incident, the 2018 SEC Guidance allows for a lack of specifics so as not to compromise a company’s security, stating:

“This guidance is not intended to suggest that a company should make detailed disclosures that could compromise its cybersecurity efforts – for example, by providing a “roadmap” for those who seek to penetrate a company’s security protections. We do not expect companies to publicly disclose specific, technical information about their cybersecurity systems, the related networks and devices, or potential system vulnerabilities in such detail as would make such systems, networks, and devices more susceptible to a cybersecurity incident.”

But on the other hand, the 2018 SEC Guidance cautions companies not to use any sort of generic “boilerplate” type of language in its disclosures, stating somewhat opaquely:

“We expect companies to provide disclosure that is tailored to their particular cybersecurity risks and incidents. As the Commission has previously stated, we ‘emphasize a company-by-company approach [to disclosure] that allows relevant and material information to be disseminated to investors without boilerplate language or static requirements while preserving completeness and comparability of information across companies.’ Companies should avoid generic cybersecurity-related disclosure and provide specific information that is useful to investors.”

Given the SEC’s schizophrenic approach to disclosing cybersecurity-related events, rather than serving as a safe harbor for public companies, the SEC’s 2018 Guidance ironically has become a beacon for class action plaintiffs.

PSLRA Discovery Stay and the Marriott Securities and Derivatives Tracks

Congress enacted The Private Securities Litigation Reform Act of 1995 (PSLRA) to address perceived abuses in securities fraud class actions. Among those concerns was that the high “cost of discovery often forces innocent parties to settle frivolous securities actions.” In addition, Congress sought to prevent private securities plaintiffs from using frivolous lawsuits as a vehicle “to conduct discovery in the hopes of finding a sustainable claim not alleged in the complaint.”

In furtherance of those goals, the PSLRA provides that “all discovery and other proceedings shall be stayed during the pendency of any motion to dismiss, unless the court finds, upon the motion of any party, that particularized discovery is necessary to preserve evidence or to prevent undue prejudice to that party.”

In the Marriott MDL, there are five case “tracks” (Government, Financial Institution, Consumer, Securities and Derivative). In accordance with the PSLRA, Judge Grimm ordered that all discovery for both the Securities and Derivative Tracks be stayed until the resolution of Marriott’s pending motion to dismiss.

Judge Grimm also provisionally granted a motion to seal Marriott’s motion to dismiss the Government Track action, which included a copy of the Marriott PFI Report as an exhibit. Currently, redacted versions of these pleadings appear on the docket, although the Marriott PFI Report remains sealed in full.

Class Action Motions Concerning the Marriott PFI

To keep costs down, Judge Grimm has implemented a case management system in the Marriott MDL that departs from traditionally captioned orders and motions. It includes a July 16, 2019 order that any party seeking to file a motion shall first submit a letter, no longer than three pages, stating the facts and bases supporting such relief. This way, the Judge might just rule on the three-page letter and avoid the costs of lengthy memoranda, motions, affidavits, etc.

Once a letter is filed, Judge Grimm determines whether to schedule an expedited telephone conference to discuss the requested motion and whether the issues may be resolved or otherwise addressed without the need for formal briefing. This expedited motions procedure apparently meant that Gibson Dunn, the law firm representing Marriott in the class actions, had limited time and space to argue against the release of the Marriott PFI Report (e.g. no room for expert affidavits, documentation of particularities, witness declarations and the many other details and minutiae typically presented in an important litigation motion).

Based on the currently 438 entries in the Marriott MDL docket, the two primary letters seeking the unsealing of the Marriott PFI Report appear to be the following pleadings:

In opposition to the Silverman Letter and the Labaton Sucharow Letter, Marriott submitted the following pleadings:

The Silverman Letter specifically seeks production of the Marriott PFI Report before the deadline for amending its complaint, stating:

“Our position on these matters is consistent with this Court’s emphasis on efficiency and avoidance of unnecessary litigation effort. Requiring production of the PFI Report and other investigative reports related to the Data Breach prior to the deadline for amending complaints will promote efficiency by ensuring that the allegations conform to the available facts, thus eliminating unnecessary discovery and motion practice over allegations based on “information and belief” that may be inconsistent with facts already developed in the PFI and other investigations . . . Early production of the PFI Report, other investigative reports, and all materials provided to government regulators investigating the Data Breach at issue by Marriott will greatly facilitate all parties’ ability to frame the issues in the case for the Court.”

The Labaton Sucharow Letter notes that Marriott had already attached a copy of the PFI Report to its July 15, 2019 motion to dismiss in the Government Track, but had placed the Marriott PFI Report under seal; it also argues that the First Amendment mandates that Judge Grimm unseal the Marriott PFI Report:

“It is settled law that the First Amendment and common law protect the public’s access to judicial records . . . Merely attempting to avoid embarrassment, legal liability, or a harm to future business prospects are insufficient reasons under either standard to justify keeping information in judicial records from the public. The party seeking the sealing must overcome the interest of the general public, which includes the financial markets as Marriott is a publicly traded company . . . As an initial matter, these materials are clearly a matter of public interest to investors, consumers, and the American public. . . . Defendants have articulated why they want the materials kept under seal – (1) danger from potential hacking of their systems, (2) competitive harm, and (3) that it would undermine current investigations . . . None of these reasons satisfy the high burden Defendants must meet to rebut the presumption of access and maintain these judicial records under seal.”

The Gibson Dunn Letter reiterates the arguments of Marriott’s July 16 Motion to place the Marriott PFI Report under seal and adds an additional argument relating to the PSLRA discovery stay, stating:

“Plaintiffs’ motion is an attempted end-run around the PSLRA’s discovery stay. The PSLRA, which governs the Securities and Derivative Tracks, imposes an automatic stay on all discovery pending resolution of motions to dismiss. Plaintiffs now seek to expose confidential discovery materials in public court filings, so that they can access discovery that federal law bars them from obtaining at this juncture. [In addition], 1) Sealing the information protects it from criminals that could use it to perpetrate “future cyberattacks.” Disclosure of the sealed information could, for instance, help hackers hone their strategies . . . 2) The compelling governmental interest in shielding ongoing investigations requires keeping certain information sealed; . . . and 3) Marriott’s concern about offering “competitors insight into certain aspects of Marriott’s internal business practices”

Judge Grimm’s Decision

In an August 30, 2019 “Letter Order,” Judge Grimm sided with the plaintiffs, and ordered the unsealing of the Marriott PFI Report, while assigning a magistrate judge to determine if it should contain any “narrowly tailored” redactions (e.g. if Marriott can show with definitive particularity that publication of any portions/sentences of the Marriott PFI Report would “threaten existing operational database systems.”)

With respect to Marriott’s PSLRA arguments, because the unsealing of the Marriott PFI Report was of no monetary cost to the Marriott defendants, Judge Grimm noted that the spirit of PSLRA remained intact and respected. Moreover, because Marriott had attached the Marriott PFI Report to their earlier pleading, Marriott had rendered the Marriott PFI Report a “pleading” and not “discovery material” which did not run “afoul with the PSLRA discovery stay.”

With respect to Marriott’s other arguments, Judge Grimm found that “there is a First Amendment right to access portions of the PFI report and pleadings that cannot be shown to constitute a particularly identified, non-speculative harm.” Judge Grimm writes:

“Defendants argue (without explaining how) that the information could help hackers attack systems Defendants currently use by studying “network infrastructure for handling cardholder data, systems and strategies for securing such information and thwarting attacks, encryption and decryption processes and protocols, and activity logging.” . . . This justification for continuing to seal the entirety of the report is both speculative and generalized. Under this reasoning, none of the details of how the Starwood database was compromised could ever be revealed, which would prevent the public from understanding how the data breach occurred in the first place, and it would prevent other entities from learning how to better protect their networks from similar attack. This is hardly in the public interest . . . Second, Defendants’ assertion that unsealing the pleadings and PFI report would interfere with ongoing investigations is equally conclusory and speculative. While Defendants do claim that ongoing investigations would be jeopardized, it is unclear which investigations would be compromised, or how, and therefore this argument fails . . . Lastly, Defendants offer no particularized support for the proposition that sealing the entire PFI report and portions of the Pleadings is necessary to prevent disclosure of commercially sensitive data and internal business practices.”

Judge Grimm then ordered the parties to confer expeditiously with U.S. Magistrate Judge Facciola to determine what portions of the Marriott PFI Report, if any, should be redacted, noting that he “will not wait indefinitely to implement this order [and] should the parties disagree, Judge Facciola shall make a report and recommendations to me for my ultimate determination.”

Judge Grimm Hands Over the Brass Ring

It should come as no surprise that the plaintiffs in the Marriott securities class action lawsuits asked Judge Grimm to unseal the Marriott PFI Report. For a class action plaintiff, the PFI Report is the brass ring of documentary evidence, containing detailed, well-documented and potentially inculpatory opinions and findings relating to the Marriott data breach.

Conducted without any direction, interference or influence from Marriott, and presented without any of Marriott’s objections, disagreements or opposition, the Marriott PFI Report also provides a timely, unique and wholly unfettered analysis of the data breach. Moreover, obtaining a PFI Report early on in a class action can save a plaintiff millions of dollars in discovery-related expenses while also delivering a mammoth strategic advantage.

But herein lies the rub. While the credit card brands may have the very best of intentions, as set forth above, the reality is that the PFI Report is not necessarily the most reliable or even accurate set of findings. In summary:

  • The PFI team is owned and operated by the credit card brands, and so may not only be biased but also operate under the cloud of a significant conflict of interest;
  • A retailer has little opportunity to object to the findings of the PFI Report, and is contractually bound not to participate in the PFI’s investigation but rather must stand down and cooperate fully. In fact, a retailer’s diminished role in the PFI Report process can become an unexpected and unfair obstacle in determining the true nature and scope of the data breach;
  • If the retailer does disagree with any of the findings of the PFI, it has little ability to dispute the facts documented by the PFI before unfavorable facts are turned over to third parties, including class action plaintiffs;
  • The PFI Report typically contains no company addendum or other place to present any of a retailer’s objections or other opposition, even when a retailer has spent millions (or even tens of millions) engaging its own professional forensics firm, which may have significant objections to the PFI Report;
  • The intended purpose of a PFI investigation is not necessarily to mitigate damages or help a retailer with an incident response, but rather the PFI’s goal is to minimize potential fraud losses to exposed cards and determine compliance with industry rules related to data security. In other words, the PFI team is on the hunt for negligence, carelessness, recklessness, fraud and blame — not incident remediation and future data breach defense; and
  • The PFI team will not only be conducting an investigation to determine the risk of payment card exposure from a cyber-attack, but also assessing the company’s compliance with the PCI-DSS, which can open up an additional can of worms, perhaps more damaging to a retailer than the data breach itself.

Going Forward

Retailers who experience data security incidents must already deal with a class action blitzkrieg, and Judge Grimm’s recent love letter to the class action bar only adds fuel to that firestorm.

On the one hand, Marriott arguably put the Marriott PFI Report in “play” by attaching it to its motion to dismiss, thereby providing Judge Grimm with a convenient rationale to rule that its release did not violate the PSLRA discovery stay. Perhaps in future securities class actions, if a defendant does not file the PFI Report as part of any pleading, the PSLRA’s statutorily required discovery stay will prohibit any plaintiff from seeing the PFI Report before the defendant has had an opportunity to bring a dispositive motion, such as a motion to dismiss.

But on the other hand, for securities class actions and all other class actions, Judge Grimm’s letter validates a class action plaintiff’s “First Amendment” right to see the PFI Report, which may prompt other judges to grant class action plaintiffs immediate access to it. Such prompt and early access could curtail defendants’ hopes of winning early pre-trial dispositive motions, while potentially arming class action plaintiffs with an evidentiarily powerful litigation weapon.

Clearly, retailers should take heed of Judge Grimm’s Letter Order and try to prepare for its consequences. One preemptive option for retailers is to conduct “table-top” exercises of data security incidents at their company, and engage a “mock PFI Team,” comprised of former PFI investigators, to create a “mock PFI Report.”

Reviewing a mock PFI Report could then provide a retailer with a better understanding of what to expect from a PFI Team and enable the retailer to develop the kind of corporate governance and technological infrastructure that would typically result in a more favorable PFI Report. The mock PFI investigation would also provide unique training for IT personnel and others who will have to work with PFI Teams, preparing a company’s employees for what is typically an extremely awkward experience, replete with hazards and pitfalls.

Think of it this way: when opening a new restaurant, what better way to obtain an “A” health department rating than to hire a former health department inspector to conduct a mock inspection? The same goes for PCI-DSS compliance.

Table-top exercises also enable organizations to analyze potential emergency situations in an informal environment and are designed to foster constructive discussions among participants as they examine existing operational plans and determine where they can make improvements. Indeed, table-top exercises are a natural fit for information security because they provide a forum for planning, preparation and coordination of resources during any kind of attack.

Retailers should also spend more time on the due diligence of selecting a PFI from the 22 digital forensic companies currently on the PCI SSC List. Retailers should study carefully the credentials and track record of PFI team members, ensuring that their selected PFI team is experienced, fair, objective, meticulous and open to discussions and disagreement.

Not to be too cynical, but it would also probably help if the law firm managing a retailer’s data breach response has prior experience with the PFI team and if the PFI team is concerned about its reputation with the law firm (i.e., the PFI team relies on the law firm for other business). When competing, outside economic interests are at stake, it is only human nature for the PFI team to put its best and most fair foot forward during the course of the engagement.

Given that trying to avert a cyber-attack is like trying to prevent a kindergartener from catching a cold during the school year, retailers should anticipate a securities class action lawsuit filing within 24 hours of the announcement of their next (inevitable) data security incident — and they should take steps now to help facilitate an exculpatory PFI Report.

Otherwise, a class action liability skirmish may be over before the retailer has even had a chance to enter the battlefield.


John Reed Stark is president of John Reed Stark Consulting LLC, a data breach response and digital compliance firm. Formerly, Mr. Stark served for almost 20 years in the Enforcement Division of the U.S. Securities and Exchange Commission, the last 11 of which as Chief of its Office of Internet Enforcement. He currently teaches a cyber-law course as a Senior Lecturing Fellow at Duke Law School. Mr. Stark also worked for 15 years as an Adjunct Professor of Law at the Georgetown University Law Center, where he taught several courses on the juxtaposition of law, technology and crime, and for five years as managing director of global data breach response firm, Stroz Friedberg, including three years heading its Washington, D.C. office. Mr. Stark is the author of “The Cybersecurity Due Diligence Handbook.”



The post Guest Post: Some Good News for the Cybersecurity Class Action Bar appeared first on The D&O Diary.


Percentage of 2018 Deals Drawing Merger Objection Suits Held Steady

One of the most significant corporate litigation phenomena of recent years has been the rise of merger objection litigation, as a result of which nearly every public company merger transaction has drawn at least one lawsuit. According to the latest study of merger litigation from Cornerstone Research, this phenomenon continued in 2018, with the same percentage of merger transactions as in 2017 attracting at least one lawsuit: in 2018, as in 2017, 82% of public company merger transactions valued over $100 million drew at least one lawsuit. The Cornerstone Research report, entitled “Shareholder Litigation Involving Acquisitions of Public Companies: Review of 2018 M&A Litigation,” can be found here. Cornerstone Research’s September 17, 2019 press release about the report can be found here.


The Cornerstone Research report draws on the firm’s merger transaction database, which contains 1,928 deals announced between November 19, 2006, through December 31, 2018.


Percentage of Deals Drawing a Lawsuit: According to the report, there were a total of 142 public company merger deals announced in 2018 that were challenged by lawsuits, compared with 115 in 2017. However, in both 2017 and 2018, the deals that drew lawsuits represented 82% of all deals announced during the year. The percentage of deals hit with lawsuits had declined slightly during 2016 (the year in which the Delaware Chancery Court issued its Trulia decision, in which the court evinced its distaste for the type of disclosure-only settlement that then typically resolved merger objection lawsuits), to around 71% of deals announced during the year. However, in 2017 and 2018, the percentage of deals challenged in lawsuits bounced back somewhat, although not all the way to the 2009-2015 annual average of 90% of deals.


Number of Lawsuits Per Deal: The average number of lawsuits filed per deal rose slightly to 3.1 in 2018, compared to 2.9 lawsuits per deal in both 2016 and 2017. The number of lawsuits per deal in 2018 remained below the 2009-2015 average number of lawsuits per deal of 4.7. Several of the deals announced in 2018 drew notably more lawsuit filings; for example, both the Finisar Corp. and Pandora Media transactions drew nine lawsuits.


Percentage of Lawsuits Voluntarily Dismissed: One significant change in 2017 and 2018 compared to prior years was the increasing number of merger objection suits resolved through voluntary dismissal. Thus, while the annual average percentage of merger objection suits voluntarily dismissed was only 17% during the period 2006 through 2015, the percentage rose to 72% in 2017 and stayed at roughly the same level (70%) in 2018. This increase in the number of voluntary dismissals is a result of the plaintiffs’ changing approach to resolving this litigation, in which the defendant voluntarily agrees to make changes to the deal-related proxy statement and agrees to pay the plaintiffs’ counsel a “mootness fee” in exchange for the plaintiffs’ counsel’s agreement to dismiss the lawsuit.


Shift of Suit Filings from State Court to Federal Court: The Delaware Chancery Court’s 2016 decision in the Trulia case has significantly affected plaintiffs’ counsel’s choice of the forum in which to file merger objection lawsuits. Thus, during the period 2009 through 2015 (that is, the period before Trulia), the average annual percentage of all deals that were challenged in federal court was 26 percent. However, in 2017, the percentage of deals challenged in federal court rose to 96 percent. In 2018, the percentage of deals challenged in federal court declined slightly compared to 2017, to 91 percent.


State Court Filings: In addition, in 2018, 34 percent of deals were challenged in state court, which represents a rebound from the 2017 percentage of 18 percent. The number of deals challenged in state court in 2018 also increased, with 49 deals challenged in state court, compared to only 21 in 2017.


Number of Jurisdictions in Which a Deal is Challenged: In 2018, only 45 percent of litigated deals faced challenges in only one jurisdiction, which represents the first time since 2013 that less than half of challenged deals faced litigation in only one jurisdiction. In 2018, 43 percent of deals were challenged in two jurisdictions, compared to 26 percent in 2017. In 2018, 12 percent of deals were challenged in three or more jurisdictions, compared to only four percent in 2017.

The post Percentage of 2018 Deals Drawing Merger Objection Suits Held Steady appeared first on The D&O Diary.


When Skiptracing + Autodialing = $267 Million

Last week, companies engaged in debt collection were not-so-gently reminded that making calls using an automated dialer to any number other than the one provided by the consumer is incredibly risky—and in Rash Curtis & Associates’ case, a $267 million risk.

Calls made to phone numbers with the consumer’s prior express consent are not prohibited by the TCPA. The FCC and courts have long considered phone numbers provided by consumers in a transaction (such as opening a credit card account) as “in bounds,” reasoning that consumers implicitly give consent to be reached on those telephone numbers in connection with the transaction or account. However, this does not extend to phone numbers obtained through other means, including “skip tracing,” commonly used by third-party collectors and debt buyers who often touch the accounts many months or even years after the original transaction.

Following a May jury verdict in favor of the plaintiffs in a class action brought against a debt collection firm, a judge last week entered a judgment against the firm for $267 million ($500 per illegal call made).

I’ll leave it to my colleagues Dan Blynn and Stephen Freeland to opine on the TCPA and class action implications here, but as someone who advises debt collectors on regulatory issues, this case is a stark reminder that trying to get a hold of hard-to-reach consumers continues to be fraught with risk because of the multi-layered regulatory and statutory schemes governing debt collection. It also is a cautionary tale of how the use of technology to optimize collections must be carefully analyzed for first, second, and third order effects. And while the CFPB’s upcoming rulemaking, which is seven years in the making, should modernize the Fair Debt Collection Practices Act and provide some clarity on consumer contact, it will not supersede conflicting state laws and certainly will not address the 800-pound gorilla in the room, the TCPA. For that, we continue to look to the FCC with our fingers crossed.


Cal. Sup. Ct.: Notice-Prejudice Rule Represents a Fundamental Public Policy

Under the so-called “notice-prejudice rule” applicable in some jurisdictions, insurers can deny coverage for claims based on the policyholder’s late provision of notice of claim only in the event that the late notice materially prejudiced the insurer. In a recent decision, the California Supreme Court, ruling on questions certified to the Court by the Ninth Circuit, held that the notice-prejudice rule represents a “fundamental public policy” under California law potentially sufficient to override the choice of law provision in the parties’ insurance contract. The Court also held that the notice-prejudice rule applies to the consent-to-incur-expense provisions in first-party insurance policies. As discussed below, there are a number of interesting aspects to the Court’s ruling. The California Supreme Court’s August 29, 2019 decision in Pitzer College v. Indian Harbor Insurance Company can be found here.



Pitzer College discovered contaminated soil at a site on which it had planned to build a dormitory. The College undertook site remediation work in March 2011, which it successfully completed one month later at a total cost of $2 million.


The College maintained an environmental remediation insurance policy. However, the College did not obtain the insurer’s consent before commencing remediation or paying the remediation costs. Indeed, the College did not inform the insurer of the remediation until July 2011, three months after the remediation was completed and six months after the College detected the contamination.


The insurer denied coverage for the College’s remediation costs based on the College’s failure to provide timely notice of claim and failure to obtain the insurer’s consent for the remediation costs. The College initiated an action for declaratory relief and for breach of contract. The insurer filed a motion for summary judgment, which the district court granted.


The district court, applying New York law in light of the choice of law provision in the College’s insurance policy, held that summary judgment was warranted because the College did not provide timely notice of claim. The district court held that under New York law the insurer did not have to show that it was prejudiced by the late notice. The district court also held that summary judgment was separately warranted because the College did not comply with the policy’s consent provisions before incurring the remediation expenses. The College appealed the district court’s ruling.


On appeal, the College argued under relevant choice of law principles that, because the notice-prejudice rule represents a “fundamental public policy” in California, the district court should have applied California law to the late notice issue rather than New York law, notwithstanding the provision in the policy designating New York law as the law to be applied to policy interpretation.


The August 29, 2019 Opinion

In an August 29, 2019 Opinion written by Justice Ming Chin for a unanimous court, the California Supreme Court ruled, “in line with California’s strong preference to avoid technical forfeitures of insurance policy coverage,” that the state’s notice-prejudice rule is a “fundamental public policy,” and that the notice-prejudice rule applies to consent provisions in the context of first-party coverage.


In reaching these determinations, the Court first noted that under applicable choice of law principles, the parties’ contractual choice of law provision generally governs unless it conflicts with the state’s fundamental public policy and the state has a materially greater interest in the determination of the issue than the contractually chosen state.


The Court then noted that California’s notice-prejudice rule requires an insurer to prove that the insured’s late notice of a claim “has substantially prejudiced the ability to investigate and negotiate payment of the insured’s claim.”


In considering the question of whether the notice-prejudice rule represents a fundamental California public policy, the Court considered the three reasons for establishing the rule.


First, the rule overrides the parties’ express intentions in a defined notice term, “preventing a technical forfeiture of insurance benefits unless the insurer can show that it was prejudiced by the insured’s late notice.”


Second, the notice-prejudice rule “protects insureds against inequitable results that are generated by insurers’ superior bargaining power.”


Third, the rule “promotes objectives that are in the general public’s interest because it protects the public from bearing the costs of harm that an insurance policy purports to cover.”


Based on these considerations, the Court concluded that California’s notice-prejudice rule is “a fundamental public policy of California,” because the notice requirement “serves to protect insurers from prejudice, not to shield them from their contractual obligations through a technical escape-hatch.”


But while the Court concluded that the notice-prejudice rule represents a fundamental California public policy, the question under applicable choice of law principles as to whether or not the California notice-prejudice rule applies depends on the determination of the further question of whether or not California has a “materially greater interest” than New York in determining the coverage issue. The California court left it to the Ninth Circuit (and presumably to the district court) to determine which state has the materially greater interest, in order to conclude whether California rather than New York law applied.



In determining, under the second question certified by the Ninth Circuit, whether the notice-prejudice rule applies to the policy’s consent provisions, the California court first noted that the same rationale for applying the notice-prejudice rule to the policy’s notice provisions applies to the policy’s consent provisions. The Court observed that “at core,” the “purposes” of the consent provisions are the same as those of the notice provisions; they both “facilitate the insurer’s primary duties under the contract and speak to minimizing prejudice in performing those duties.”


In considering these issues, the Court drew a distinction between first-party insurance policies and third-party insurance policies. The Court noted that because of a third-party insurer’s right to control the defense and settlement of claims, California’s appellate courts have generally refused to find the notice-prejudice rule applicable to consent provisions in third-party policies. By contrast, in first-party policies, the insurer’s duty to defend and settle claims is not crucial to the insurer’s coverage obligation, and the insurer does not exercise the same contractual control over the potential loss.


For these reasons, the Court said, “failure to obtain consent in the first party context is not inherently prejudicial, and the usual logic of the notice-prejudice rule should control.” The Court held that the notice-prejudice rule applies to a consent provision in a first-party policy “where the coverage does not depend on the existence of a third party claim or potential claim.”


However, the parties disagreed whether the policy involved in this dispute provides first-party coverage or third-party coverage. The Court said that the resolution of this question is beyond the scope of the questions certified by the Ninth Circuit, and therefore the Court left it to the Ninth Circuit to determine what type of policy is at issue.



While the California Supreme Court’s determinations on the certified questions unquestionably are beneficial to the interests of policyholders, it remains to be seen whether or not Pitzer College ultimately will benefit from the Court’s determinations.


On the late notice issue, the College will be able to rely on California’s notice-prejudice rule only if it is able to show in subsequent proceedings that California has a “materially greater interest” than New York in the determination of the issue.


On the consent to incur expenses issue, the College will be able to argue that the notice-prejudice rule applies only if it is able to establish in subsequent proceedings that the policy at issue is a first-party policy rather than a third-party policy.


And of course, even if the College establishes that the notice-prejudice rule applies to these issues, the College will only prevail if it is established that the late notice and failure to obtain consent did not prejudice the insurer’s interests.


Just the same, the California Supreme Court’s determinations will be useful to other policyholders. First and foremost, the California Court’s determination that the notice-prejudice rule represents a “fundamental public policy” of the state underscores the significance of notice-prejudice principles, which should add weight to policyholders’ arguments opposing insurers’ efforts to deny coverage based on the alleged late provision of notice of claim.


The California Court’s determinations of the certified questions are also helpful for policyholders opposing late notice defenses because of what the Court said about the reasons for the notice-prejudice rule under California law. The rule, the Court said, is consistent with the state’s “strong preference to avoid technical forfeitures of insurance policy coverage.” This preference under state law to avoid forfeitures represents a substantial basis on which to oppose late notice defenses and other procedural defenses to policy coverage.


That said, there are also limitations on the usefulness to policyholders of the California Court’s determinations on the certified questions. For example, the California Court’s determination that the notice-prejudice rule applies to the policy’s consent provisions is limited to first-party policies; this aspect of the Court’s determinations would not be helpful to policyholders seeking coverage under third-party liability policies.


There is a further aspect of the Court’s analysis that I think is worth further consideration. That is, the Court’s determination on the notice of claim issue in effect holds that the importance of the notice-prejudice rule under California law is sufficient that it could override the choice of law provisions in the policy.


As a general matter, I am not a big fan of extra-contractual principles that negate bargained-for provisions in parties’ insurance contracts. On the other hand, I have also recognized that applicable legal principles are of course incorporated into all contracts. My concern about the application of these general principles is usually couched in terms that if these principles are going to be applied to override express policy provisions, the principles should be narrowly applied.


In that regard, I think it is noteworthy that the California Supreme Court ultimately did not determine that the fundamental California public policy regarding the notice-prejudice rule overrode the choice of law provision in the parties’ contract; indeed, with respect to both certified questions, the Court said that there are still remaining issues of fact (or perhaps mixed issues of fact and law) that need to be determined in order to conclude whether or not the notice-prejudice rule did or did not in fact apply to either the notice of claim issue or the consent issue.


There are two other considerations that are worth addressing whenever late notice and notice-prejudice issues come up. First, while there are considerations on which policyholders can seek to rely to argue that their late provision of notice should not preclude coverage, the more important point is that well-advised policyholders will implement procedures and practices to avoid the late provision of notice in the first place. Second, it is increasingly common, at least in the D&O insurance context, for provisions to be incorporated directly into the policy specifying that the insurer will not seek to deny coverage based on the late provision of notice unless the insurer can show that the late notice caused the insurer material prejudice. Both of these considerations represent important means by which policyholders can try to protect themselves from the kinds of conflicts that this insurance dispute represents.


I know that for many readers, issues relating to choice of law principles can seem obscure. However, as I have noted in recent posts (for example, here), the court’s determination of which jurisdiction’s law applies can be outcome determinative. In addition, the authors of a recent guest post criticized the Delaware courts for asserting that their state’s laws apply to coverage disputes to which traditional choice of law principles arguably would have suggested that the laws of a different jurisdiction apply. The fact is that while choice of law issues may seem obscure, they can prove to be very important in the context of insurance coverage disputes.


The obvious remedy to address the possibility of disputes over the choice of law applicable to insurance policy coverage questions is for the parties to the policy to include a choice of law provision in their policy. As this insurance coverage dispute shows, there may be limitations to how much parties may be able to accomplish by including a choice of law provision. As I alluded to above, there is a larger dispute here about whether, when, and to what extent extra-contractual legal principles should override expressly bargained-for policy provisions.

The post Cal. Sup. Ct.: Notice-Prejudice Rule Represents a Fundamental Public Policy appeared first on The D&O Diary.


Eleventh Circuit Holds That A Single Text Message Does Not Satisfy Injury In Fact Requirement for Standing Under the TCPA

Many children, including myself, were taught the childhood mantra: “Sticks and stones may break my bones, but words will never hurt me.” The chant was intended to be a retort to name calling, a declaration that you were above the insults. But what about text messages? Could a single text message hurt me in a way that could amount to the harm required to sustain a Telephone Consumer Protection Act (TCPA) claim? On August 28, 2019, the Eleventh Circuit answered this question in the negative with its decision in Salcedo v. Hanna, — F. 3d –, 2019 U.S. App. LEXIS 25967 (11th Cir. Aug. 28, 2019). With Salcedo, the Eleventh Circuit created a potential circuit split by finding that a plaintiff could not rely on a single text message to amount to the injury in fact necessary to establish Article III standing for a TCPA action.

The plaintiff filed a TCPA suit after having received a single multimedia text message from his former attorney and that attorney’s law firm offering a ten percent discount on future services. The plaintiff alleged this lone message caused him harm by (1) wasting his time, during which both he and his phone “were unavailable for otherwise legitimate pursuits,” and (2) “resulted in an invasion of [his] privacy and right to enjoy the full utility of his cellular device.” The Eleventh Circuit rejected both arguments.

The appellate court found its Circuit precedent holding a single fax sufficient to establish injury in fact inapplicable, distinguishing the purported harms associated with receiving a single text message from those of receiving a single fax. Unlike a fax, the Eleventh Circuit found no “tangible costs such as the consumption of paper and ink or toner to establish injury in fact” associated with a text message. Further, the Court also held that while receiving a fax creates “intangible costs” of wasted time and lost opportunity, receipt of a text message creates no such intangible costs as it “consumes the device not at all.” And as to phone calls, the court found that “Congress’s legislative findings about telemarketing suggest that the receipt of a single text message is qualitatively different from the kinds of things Congress was concerned about when it enacted the TCPA. In particular, the findings in the TCPA show a concern for privacy within the sanctity of the home that do not necessarily apply to text messaging.” Indeed, “cell phones are often taken outside of the home and often have their ringers silenced, presenting less potential for nuisance and home intrusion.” Differentiating text messages from calls (even calls to cell phones), the court held “[o]n text messaging generally, then, the judgment of Congress is ambivalent at best; its privacy and nuisance concerns about residential telemarketing are less clearly applicable to text messaging.” “And congressional silence is a poor basis for extending federal jurisdiction to new types of harm. We take seriously the silence of that political branch best positioned to assess and articulate new harms from emerging technologies.”

At bottom, the court held that the receipt of a single unsolicited text message, without more, cannot constitute a sufficient injury in fact to confer Article III standing under the TCPA: “The chirp, buzz, or blink of a cell phone receiving a single text message is more akin to walking down a busy sidewalk and having a flyer briefly waived in one’s face. Annoying, perhaps, but not a basis for invoking the jurisdiction of the federal courts. All told, we conclude that [the plaintiff’s] allegations do not state a concrete harm that meets the injury-in-fact requirement of Article III.”

The Eleventh Circuit also directly addressed the Ninth Circuit’s decision in Van Patten v. Vertical Fitness Group, LLC, 847 F.3d 1037 (9th Cir. 2017), stating that it is a “broad overgeneralization” to conclude that an isolated text message constitutes “unsolicited contact” establishing “concrete harm.” (Although not mentioned by the Eleventh Circuit, in Van Patten, the plaintiff also received multiple text messages – not just one as in Salcedo.)

The Salcedo decision will create new challenges for class certification, certainly in the Eleventh Circuit and potentially elsewhere. It will be crucial that class members be able to identify specific harms caused by receiving a text message. This will undoubtedly be a high hurdle for any class.

Now, repeat after me: “Sticks and stones may break my bones, but in the Eleventh Circuit a single text message might not hurt me.”


11th Circ.: Florida Public Policy Precludes Coverage for Voluntary Settlement of Criminal Charges

D&O insurance typically defines the term “Claim” to include criminal charges after indictment. However, the coverage available under the policy for criminal proceedings is excluded in the event of a final adjudication determining that precluded misconduct actually took place. But what happens to the coverage if there is no final adjudication, but rather the criminal charges are resolved through a negotiation that results in a monetary payment by the criminal defendants? In a recent decision, the Eleventh Circuit determined that the applicable D&O insurance policy’s coverage did not extend to amounts paid in negotiated resolution of criminal charges, despite the absence of a final adjudication – not by operation of the exclusion, but because of the nature of the payments.



Sabal Insurance Group, an insurance agency, and its CEO were criminally charged with grand theft in connection with the alleged overcharging of insurance premiums paid by certain governmental agencies. The criminal defendants ultimately settled the charges by a stipulated settlement agreement in which they agreed to make three payments: (1) a payment to the governmental agency of approximately $180,000 (“the Payment”); (2) a donation of $100,000 to a charitable organization (“the Donation”); and (3) a payment of $20,000 to the governmental agency for the costs of investigation (“the Costs of Investigation”).


When Sabal received the first subpoena in connection with the premium overcharge investigation, it submitted the matter to its insurer, which accepted the subpoena as a Claim, subject to a reservation of rights. As the investigation unfolded and after the entry of the criminal information, the carrier issued updated reservations of its rights. After Sabal agreed to pay the various amounts in connection with the settlement, it sought indemnification for the payment amounts from its insurer. The insurer denied an obligation to indemnify the company for the amounts because, the insurer said, the amounts were restitutionary in nature and therefore not covered under the policy.


The insurer filed an action in federal court seeking a judicial declaration that its policy did not cover the amounts paid in the settlement. The parties filed cross-motions for summary judgment. The district court granted the insurer’s summary judgment motion, ruling that the insurer was not obligated to indemnify Sabal for the Payment and the Costs of Investigation because those amounts were restitutionary in nature, and because the Donation represented a criminal penalty. Sabal appealed the district court’s ruling to the Eleventh Circuit.


The August 26, 2019 Opinion

In an August 26, 2019 opinion marked “do not publish” and written for a unanimous three-judge panel by Judge Mark Walker, the Eleventh Circuit affirmed the district court’s holding. The appellate court agreed with the district court that the Payment and the Costs of Investigation were restitutionary in nature, that the Donation represented a criminal penalty, and therefore that all three amounts were precluded from coverage under the policy.


In reaching the conclusion that the policy provided no coverage for the Payment, the Court first agreed with the district court’s determination that as a matter of Florida law, an insurance contract precludes coverage for the restitution of ill-gotten gains. Public policy considerations under Florida law preclude coverage because “the restitution of ill-gotten gains could encourage commission of a wrongful act” and also because “excluding coverage would deter wrongdoing, while allowing coverage would only compensate the wrongdoer.”


Sabal tried to argue that coverage for the payment of ill-gotten gains is precluded only if the occurrence of wrongdoing has been determined by a final and non-appealable adjudication, as required by the policy’s conduct exclusions. The appellate court rejected this argument, agreeing with the district court that under Florida law, an exclusionary provision does not come into play unless there is coverage in the first place. The appellate court said that “because the policy does not provide coverage for the restitution of ill-gotten gains, there is no need to look to the exclusionary provision.”


The appellate court then agreed with the district court that the Payment represented the return of ill-gotten gains. In arguing against this conclusion, Sabal relied on several statements in the settlement agreement that the amounts were being paid in resolution of disputed claims and that the payments were made “without there being any admission of guilt.” The district court had rejected these arguments because, the appellate court said, the payments were clearly restitutionary in nature. The appellate court noted that the Payment was made to resolve a charge of grand theft, and that the amount of the Payment equals the amount of Sabal’s “ill-gotten gains” (or at least those within the statute of limitations). The provisions in the settlement agreement in which Sabal did not admit guilt “are irrelevant, because the admission of guilt is not required for a payment to be the return of ill-gotten gains.”


The appellate court also agreed that the Donation does not represent covered loss; while the Donation itself did not represent restitution, coverage for the amount nevertheless was excluded because the policy specifies that criminal or civil fines or penalties are carved out of the Loss covered under the policy. The amount, the court said, was agreed to between Sabal and the State of Florida to resolve criminal charges and “accepted and ratified” by the court, and therefore the Donation is a “penalty imposed by law” for which coverage is precluded under the policy.


Finally, the court found that coverage for the Costs of Investigation portion of the settlement was also precluded, because that payment was likewise restitutionary in nature.



Woven through this insurance coverage opinion is an underlying notion that wrongdoers should not be able to evade the consequences of their misconduct through the protection of insurance. Whatever the theoretical merits may be of this underlying assumption as a general matter, I think there is an argument that this principle is irrelevant in the context of this insurance coverage dispute.


To be sure, the insurance agency was accused of felony misconduct, and we can all agree that that is bad. However, there was never a point in this process where it was proven or established that the agency had actually engaged in the alleged misconduct. The settlement was expressly intended to resolve a contested matter, and the State of Florida expressly agreed to a document specifying that the criminal defendants made no admission of guilt. At no point in the criminal proceeding did the matter move beyond the presumption of innocence, which in our system of justice applies to anyone accused of a crime. Moreover, as far as I can tell, there was nothing in the criminal defendants’ settlement with the State of Florida that precluded them from seeking insurance for the payment amounts.


The court’s analysis of this coverage matter only makes sense if the agency was in fact guilty of the criminal misconduct of which it was accused. Indeed, the amounts the agency supposedly improperly gained are only “ill-gotten” if the agency actually violated the law. But there was never a determination by any finder of fact that the agency had in fact realized “ill-gotten” gains. All we have are mere allegations, which the parties resolved by mutual agreement of disputed matters.


For me, because there has been no finding of fact that the agency actually committed the criminal misconduct of which it was accused, and because there has been no actual factual determination that the amounts in question were in fact “ill-gotten,” it is not appropriate for the court to disregard the after-adjudication requirement of the conduct exclusions. The court’s logic here, by which coverage is precluded based only on unproven charges, disregards and frustrates the purposes of the actual policy language to which the parties agreed, and substitutes coverage-preclusive terms and effects that are found nowhere in the policy language. And while every contract incorporates the requirements of law, Florida’s law precluding coverage for restitutionary amounts applies only to “ill-gotten gains” – which is irrelevant if there has been no determination that the amounts are in fact “ill-gotten.” All of these arguments, to me, apply equally to the agency’s agreement to pay the Costs of Investigation.


The appellate court’s conclusion that the Donation represents a “penalty” for which coverage is precluded under the policy arguably is also misplaced. The carve-out in the policy’s definition of Loss applies only to criminal or civil fines or penalties “imposed by law.” I think there is a good argument to be made that the agency’s agreement to make the Donation was a voluntary undertaking made in order to resolve disputed allegations, and not a penalty imposed by law. Obviously the district court and the appellate court disagreed with this analysis.


The bottom line for me is that if coverage-precluding principles are going to be read into a bargained-for insurance contract, these extracontractual principles should be construed and applied very narrowly, so as not to frustrate the intended purposes of the parties’ contract. I think there is a good argument to be made here that the court has applied the extracontractual legal principles in an overly broad way that undermines the intent and purpose of the insurance contract as reflected in the after-adjudication language in the conduct exclusions.


I suspect that many readers may disagree with my analysis. I hope these readers will please provide their contrasting points of view using this site’s comment feature.


An August 29, 2019 post on the Squire Patton Boggs law firm’s Insurance and Reinsurance Disputes Blog about the Eleventh Circuit’s ruling can be found here.

The post 11th Circ.: Florida Public Policy Precludes Coverage for Voluntary Settlement of Criminal Charges appeared first on The D&O Diary.


PLUS Singapore Symposium

The D&O Diary completed its overseas itinerary with a final stop earlier this week in the prosperous city state of Singapore, where I participated as a speaker and as a panelist at the 2019 PLUS Singapore Symposium.


The PLUS Singapore Symposium is an annual event, now in its eighth year. It has been my pleasure to participate in the event several different times. I think the event gets better every year. My thanks to the Singapore Committee for inviting me to participate in this event, especially my good friends Ronak Shah of QBE, Shasi Nair of Berkley Asia, and Arati Varma of Marsh, who have done such a good job over the years to ensure that this event is really the premier professional liability insurance event in Singapore.


Here’s a picture of the Singapore event committee, with Aruno Rajaratnam, the grandmother of D&O in Asia, in the center of the picture. Dan Jenney of PLUS is on the far right side of the picture.


A picture of my fellow panelists for the panel on the topic of Key Coverage Decisions Affecting D&O, Cyber, and Professional Liability Insurance: Jessica Schappell of Beazley; me; Jenny Lim of Howden; John Goulios of DLA Piper; and Alex Morgan of Zurich.


A great turnout for the PLUS Singapore Symposium.


In addition to participating on the panel, I also delivered a separate presentation on the Top D&O Claims Trends and Developments.


It was great being back in Singapore again, to see old friends and to make new friends as well.


With Zi Lim of Marsh and Shasi Nair. Zi acted as the Master of Ceremonies at the event.


With Sam Jenks of Bakertilly; Shinichiro Sonoda and Si Wei of Berkley Re Asia.



With Ivan Kuan of Willis Towers Watson, and Sam Cheng of Capital Gateway Reinsurance (Taiwan).


With Adeline Lee of Berkley Insurance Asia and John Poon of Howden.

The post PLUS Singapore Symposium appeared first on The D&O Diary.
