SJC Addresses the Enforceability of Settlements Entered Without Insurers’ Consent

by Austin Moody

Case Analysis

The Massachusetts Supreme Judicial Court (SJC) recently issued an important decision addressing three issues that can arise in the fairly common scenario in which an insurer recognizes its duty to defend its insured, does so under a reservation of rights, and then brings a separate action seeking a declaratory judgment that it owes no duty to indemnify its insureds.

In Commerce Ins. Co. v. Szafarowicz, 483 Mass. 247 (2019) the court addressed 1) whether the lower court properly denied the insurer’s motion to stay the underlying action until the question of its duty to indemnify had been determined in a declaratory judgment action, 2) whether the lower court properly denied the insurer’s motion to deposit its policy limit with the court – which would prevent the accrual of postjudgment interest, and 3) whether the insurer was bound by the settlement/assignment agreement the insured reached in the underlying matter.

The underlying case involved a wrongful death suit brought by the estate of David M. Szafarowicz.  On August 3, 2013, shortly after a verbal altercation at a bar, Mr. Szafarowicz was struck and killed by a vehicle operated by Matthew Padovano.  The vehicle was owned by Matthew’s father, Stephen Padovano, who had purchased an automobile insurance policy from Commerce Insurance Company (Commerce). Id. at 249 – 50.

Commerce agreed to defend the Padovanos in the underlying case.  In addition, Commerce agreed to pay the $20,000 in compulsory insurance offered by the policy.  However, it issued a reservation of rights regarding $480,000 in optional insurance based on the fact that the policy did not cover intentional acts and there was substantial evidence that Matthew Padovano struck the decedent intentionally.  Commerce subsequently brought a declaratory judgment action seeking to establish that it had no duty to indemnify the Padovanos. Id. at 250 – 51.

Less than three weeks before the trial of the underlying action, Commerce filed a motion to intervene in the case based on its claim that both plaintiff and defendants were presenting Mr. Szafarowicz’s death as arising out of negligence rather than an intentional act – ostensibly to maximize the available insurance coverage.  The judge denied the motion but held that Commerce would be allowed to challenge the fairness of the underlying litigation in the future.  Id. at 252 -53.  After the denial of its motion to intervene, Commerce moved to stay the wrongful death trial until after the question of insurance coverage was resolved in the declaratory judgment action.  Again, Commerce’s motion was denied. Id. at 253.

Shortly before trial, the wrongful death action was settled.  Matthew Padovano agreed that he was grossly negligent, the estate agreed not to enforce any judgment beyond the amounts payable by the insurance policy, and the Padovanos agreed to assign all rights under the Policy to the estate.  Commence objected to the settlement, but again, its motion was denied.  Judgment ultimately entered in the amount of $7,669,254.41 – $5,467,510 in damages plus prejudgment interest in the amount of $2,201,744.41. Id. at 254.

Commerce appealed, challenging the denial of its motions to stay the wrongful death action so that the declaratory judgment action could be adjudicated first, and the overruling of its objections to the settlement.  In addition, it sought to deposit the policy limits plus accrued postjudgment interest with the court.  Commerce’s objective was to limit its liability for future postjudgment interest under a policy provision stating “[w]e will not pay interest that accrues after we have offered to pay up to the limits you selected.”  Commerce’s motion to deposit the funds was denied and Commerce filed an interlocutory appeal.  On its own motion, the SJC transferred both appeals to its court. Id. at 254 – 56.

During the pendency of the appeal, Commerce prevailed in its declaratory judgment action in which the trial court held that the death was caused by Michael Padovano’s intentional conduct. The SJC therefore found that Commerce had no duty to contribute to the judgment above the $20,000 in compulsory insurance it had already paid.  However, under the terms of the policy, Commerce still had an obligation to pay postjudgment interest on the entire judgment

In its decision, the SJC addressed three issues.  First, the SJC found that the lower court did not abuse its discretion by denying Commerce’s motion to stay.  The Court found that Commerce did not suffer prejudice when the judge refused to stay the wrongful death action pending a resolution of the coverage dispute.  Commerce was protected from prejudice based on the fact that it was subsequently permitted to challenge any underlying findings of negligence in the wrongful death action and was not bound by that court’s findings.  In fact, Commerce had successfully done so and prevailed in the coverage litigation.  Additionally, the Court found that it would be unfair to the claimant to delay the wrongful death action pending the resolution of the coverage case. Id. at 257 -58.

Second, the SJC found that the court did not abuse its discretion by denying Commerce’s motion to deposit the policy limits and accrued interest. Commerce was not permitted to prevent the accrual of postjudgment interest by conditionally depositing the policy limits plus accrued postjudgment interest with the court.  The Court held that in order to prevent the accrual of postjudgment interest, Commerce would have to agree to pay its limits without conditions or qualifications.  However, Commerce was actively seeking a declaratory judgment that it did not owe indemnity due to the intentional acts exclusion and, if successful, it planned to seek the return of the policy limits.  Therefore, Commerce could not prevent the accrual of postjudgment interest. Id. at 259.

Finally, the Court found that Commerce was only bound by the underlying settlement/assignment agreements to the extent that they were found to be reasonable by the trial court.  The SJC ruled that reasonableness should be considered based upon the “totality of the circumstances” including the facts bearing on the liability and damage aspects of plaintiff’s claim, as well as the risks of going to trial.  Id. at 265.  Because no reasonableness hearing was conducted by the trial court in this case, the SJC remanded for a hearing on the reasonableness of the settlement/assignment agreements. Id. at 267.

The SJC declined to consider an alternative inquiry into whether the settlement was collusive, because it opined that all settlement agreements of this nature – in which only the insurer is at risk of paying the plaintiff’s damages – can be characterized as somewhat collusive. It held that any concern an insurer may have that the plaintiff and the insured defendant have colluded to improperly inflate a settlement or stipulated judgment may be addressed as part of a reasonableness hearing.  Id. at 266 – 67.  Presumably, any settlement that was reached as the result of improper collusion would be determined to be unreasonable.  The Court also declined to join a minority of states that in all circumstances, “because of the risk of collusion, declare such settlement/assignment agreements to be unenforceable where an insurer has honored its duty to defend.”  Id. at 264.

The SJC noted that “the procedure we direct on remand is different from what we expect to happen in the future where an insurer successfully challenges a settlement/assignment agreement before judgment.” Id. at 267. In that event, the trial court “may decline to enter judgement in that amount and invite the parties to renegotiate “an agreement that might prove reasonable in amount”.  Id. at 267 – 68.

Ultimately, the SJC’s opinion provides helpful guidance as to how an insurer offering an insured a defense under a reservation of rights in Massachusetts should proceed.  It recognizes that the insurer will not always be bound by the findings of fact in an underlying case and preserves an insurer’s ability to challenge unreasonable settlements.

Austin Moody is an associate with White and Williams LLP in Boston, where he represents insurance carriers in complex coverage disputes.


Cyber/Privacy Insurance: A Very Brief Primer

Reisch_Alanby Alan M. Reisch

Practice Tips

“If you don’t know where you are going, you might wind up someplace else.”
Attributed to Yogi Berra

Massachusetts has one of the country’s most stringent statutory and regulatory schemes relating to data privacy and security. The complexity and scope of available insurance products dealing with “cyber” exposures, in Massachusetts and throughout the business world, has dramatically increased over the past several years and is now as fractured and complicated as is the law, which differs from state to state and from country to country. Insurance underwriters, insurance brokers, technologists, security professionals, pundits and others offer conflicting advice about how to best move through this maze of insurance policies, technology, and the many potentially applicable state and federal regulations that often conflict. Imagine that there is growing apprehension that a company is at risk. At some point, a lawyer is called to advise on insurance protection. What is that lawyer to do?

The first step is to establish a team of professionals and client representatives who will, together, work through the issues that will allow the development of a meaningful strategy. The team should include the lawyer, an insurance professional, a technology resource (internal to the client’s business operations or external), and a representative of the client who is sufficiently vested with authority so that access to required information will be facilitated. Once the team is in place, the following should happen, in more or less this sequence:

1. The team should develop a realistic understanding of the client’s cyber/privacy and data risk profile. It is important to analyze not just electronic exposures, but traditional paper-based exposures as well. Among the many factors to consider are the following:

A.  The type and location of protected information that is procured, handled, managed and stored by the client. Protected information includes, but is not limited to, private personal information (which is defined differently in various jurisdictions and under different regulatory schemes but often consists of an individual’s first name, last name, and either a social security number, bank account number or other similar data point), and confidential business information.

B.  The federal, state, and local statutory and regulatory schemes that impact the client’s obligations with respect to protected information. Most states have adopted data privacy regimes that are grounded in statutes (in Massachusetts the applicable statute is Mass. Gen. Laws ch. 93H) and implemented through a series of regulations. Several federal agencies, including the FTC and the SEC, are focused in meaningful ways on the security of personal and other confidential information that is handled by businesses. Courts are, in most instances, finding statutory and regulatory support for robust enforcement actions by these agencies. It is important to keep in mind that many states, Massachusetts among them, have taken the position that their privacy schemes are meant to be protective of their citizens wherever those citizens conduct commerce.

C.  The commercial obligations that have been assumed by the client by contract or otherwise in connection with data security and privacy. These should be charted, and compliance measured.

D.  The security of non-electronic records that contain protected information.

E.  The client’s network and electronic information storage infrastructure. As with non-electronic records, this infrastructure should be assessed by qualified professionals, and a plan should be established for correction of deficiencies.

2.  Next, insurance coverage that is already in place should be reviewed. Among the policies to be reviewed are:

A.  General Liability policies

B.  Directors and Officers Liability policies

C.  Errors and Omissions policies

D.  Fiduciary policies

E.  Crime policies

F.  Professional Liability policies

G.  Commercial Property policies

The risk profile that has been developed should be reviewed in the context of the insurance coverage that is present in these policies (there are no true “standard forms” and careful, term-specific analysis is required). The insurance professional who is part of the team should assist in identifying potential exposures that are not within the scope of the existing coverage.

3.  Having established a risk profile, assessed the protection afforded by the insurance coverage in place and begun the process of correcting deficiencies, the team should next consider whether existing coverage should be supplemented, including whether stand-alone cyber/privacy coverage should be procured. The policy wordings that might be employed to supplement existing policies, and the policy forms that are available as stand-alone products, are not standard forms of insurance. Nearly all wordings can and should be specially negotiated.

As the stand-alone cyber/privacy insurance market has evolved, these general coverage types have become “standard” in most offerings (with the caveat that while the coverage “type” may be standard, the implementation varies from insurer to insurer, and from product to product, in meaningful ways):

A.  Third party coverage against claims asserting a “data privacy wrongful act,” a “network security wrongful act,” or other similar coverage grant. This coverage affords the cyber/privacy equivalent of general liability coverage. A client purchases this coverage to protect against third party claims alleging damages due to the client’s handling of protected information.

B.  Third party coverage for claims relating to violation of intellectual property rights or copyright.

C.  Various types of first party coverages (coverage that will pay an insured for loss that the insured suffers itself, rather than indemnifying an insured for claims asserted by others), such as:

1.  Notification and related expense coverage;

2.  Coverage for regulatory fines and penalties;

3.  Coverage for the expense of recreating information that is damaged, compromised or destroyed as the result of a data security incident, or other covered occurrence;

4.  Coverage for the expense resulting from the inability to use a network or other asset as the result of a covered event; and

5.  Coverage for fines and penalties payable as the result of a failure to maintain appropriate levels of Payment Card Industry compliance in connection with credit or payment card exposures (this is not as generally available).

There are, of course, additional issues that will arise in the course of developing an appropriate mitigation strategy and insurance structure. For example, it may be necessary to allow an insurer, or several insurers, to independently audit a client’s infrastructure. It may be that an insurer adds exclusions to a policy that render otherwise appropriate coverage difficult to accept – for example, adding an exclusion that would allow an insurer to avoid payment obligations in the event that there is a change in network structure, levels of security protection, or the like. These types of potentially devastating exclusions, sometimes based on ambiguous terms that are difficult to either understand in an operational sense or manage, can make otherwise meaningful protection unacceptable.

So, dealing with the structure of an effective cyber/privacy insurance program requires knowing what you’ve got, knowing what’s lacking, and filling gaps in a targeted way. Know where you’re starting, understand the potential end points, and you’ll get where you’re going and not someplace unexpected.

Alan M. Reisch is a Director in the Litigation Group at Goulston & Storrs, as well as a Founder of the firm’s risk management affiliate Fort Hill Risk Management, and counsels clients in connection with insurance coverage and portfolio analysis, risk assessment and management, fraud, data privacy and other related issues.