Zoom-Bombing Leads to Securities Suit: Assessing D&O Coverage for Event-Driven Securities Class Action Suits in the Wake of COVID-19

COVID-19 has impacted businesses large and small across the country. Some companies predict that their services or products will be in higher demand, and anticipate marked financial success in the coming months, while others brace for collapse. Either scenario creates a potential liability: the risk of misrepresentation or improper disclosure to investors about the company’s outlook, financial health, capabilities, or any information that influences investor decisions.

Zoom, the now-ubiquitous cloud-based audio and video conferencing platform, was one of those companies with a more positive outlook. It forecasted growth but has been dogged by privacy issues with the dramatic increase in usage as shelter-in-place orders went into effect nationwide. Where there is an event (here, the COVID-19 pandemic) coupled with a drop in a company’s stock price, it is common for an event-driven securities class action suit to follow. Such was the case for Zoom.

On April 7, 2020, Michael Drieu filed a complaint on behalf of himself and similarly situated shareholders (the “Plaintiffs”) in the Northern District of California against Zoom Video Communications, Inc., its CEO, and its CFO (collectively, “Zoom”). The class of shareholders includes those who purchased or acquired Zoom securities from April 18, 2019 (the date of Zoom’s initial public offering) to April 6, 2020. The basis of the complaint is that Zoom overstated the degree to which its software was encrypted. These securities-related deficiencies came to light with the surge in usage of the service during March and April of 2020 correlated to COVID-19-related work from home/shelter-in-place orders. When news of “Zoom-bombing”1 and other privacy concerns about the platform began to make headlines,2 organizations started prohibiting Zoom usage and the company’s stock price plummeted, causing damage to the Plaintiffs. Plaintiffs allege that Zoom is in violation of Sections 10(b) and 20(a) of the Securities and Exchange Act of 1934. Section 10(B) prohibits fraud in connection with the purchase or sale of a security and Section 20(a) governs insider trading and provides a right of action against persons in positions of control and authority who induced the violator to make a misleading statement.

Specifically, the complaint alleges that Zoom:

made false and/or misleading statements and/or failed to disclose that: (i) Zoom had inadequate data privacy and security measures; (ii) contrary to Zoom’s assertions, the Company’s video communications service was not end-to-end encrypted; (iii) as a result of all the foregoing, users of Zoom’s communications services were at an increased risk of having their personal information accessed by unauthorized parties, including Facebook; (iv) usage of the Company’s video communications services was foreseeably likely to decline when the foregoing facts came to light; and (v) as a result, the Company’s public statements were materially false and misleading at all relevant times.3

On April 8, 2020, another complaint was filed against Zoom by a shareholder also alleging that Zoom made false and misleading statements regarding privacy measures.4

Other recently filed shareholder class action suits, like those filed against Inovio Pharmaceuticals and Norwegian Cruise Lines, are similarly predicated on false and misleading statements to investors. The shareholder who filed suit against Inovio Pharmaceuticals alleges that the company made false and misleading statements regarding a COVID-19 vaccine supposedly being developed by the company.5 The securities class action suit filed against Norwegian Cruise Lines alleges that the cruise line employed sales tactics of providing customers with blatantly false statements about COVID-19 with the intent of enticing them to purchase cruises.6 All of these shareholder filed cases are still in their early stages, and will likely be litigated for years to come.

Will public companies, like Zoom, be entitled to D&O coverage for securities class action suits?

The answer is probably yes, but, like most claims involving insurance, it depends heavily on the policy’s particular language. The types of claims brought, as well as the particular language of the insured’s policy, will be determinative. Typically, Side C of a directors and officers (“D&O”) policy issued to a public company provides coverage for securities suits brought against the company. In Zoom’s case, the suit was brought against not only the company but also its individual CEO and CFO. Those directors and officers would seek coverage under Side A or B of the policy, depending on whether the company is financially able or obligated to indemnify them. In the event that a securities suit is brought against both the company and its officers and directors, which is typical, the inclusion of Side C coverage is critical because it not only provides coverage for the entity, but also avoids a costly argument with the insurer over allocation of the defense fees and indemnification between the insured directors and officers and the potentially uninsured company.

The Side C insuring agreement typically covers “loss” resulting from a “claim” (including a “securities claim”) against the insured during the policy period for a “wrongful act.” If a suit has been filed, there has been a claim within the meaning of the policy. The requirement for a “wrongful act” is satisfied by allegations that the company made misrepresentations and misleading statements, such as those levied in the Zoom suit. For Side C coverage, “wrongful act” is typically defined to mean “any actual or alleged act, error, omission, neglect, statement, misstatement or breach of fiduciary duty or other duty committed, or allegedly committed or attempted, by the Company.” The allegations of the Zoom suit fall squarely within that definition, since the plaintiffs allege that Zoom misrepresented its data privacy and security measures.

Although D&O policies typically afford broad coverage for securities claims, given these defined terms, a recent decision from the Delaware Supreme Court illustrates that the coverage does have its limits. In In re Verizon Ins. Coverage Appeals,7 the Delaware Supreme Court narrowed prior court interpretations of what constituted a securities claim, and found that claims for breach of fiduciary duty, promoter liability, unlawful distribution of dividends, fraudulent transfer and avoidance claims did not satisfy the policy definitions. Thus, the Court determined that the definition of a securities claim “[a]lleging a violation of any federal, state, local or foreign regulation, rule or statute regulating securities” including “purchase or sale or offer or solicitation of an offer to purchase or sell securities” does not encompass common law or other statutes outside the securities regulation area.8 Put simply, the claim must arise from “a purchase or sale of securities or be brought by a security holder” in order to qualify for D&O coverage.9 The Verizon decision illustrates that the nature of the claims at issue are important when assessing coverage. However, because the claims at issue in the Zoom suit are undoubtedly “securities claims,” they will satisfy most policies’ definitions.

Assuming that the insuring agreement is satisfied and that the claims constitute “securities claims,” the next step is to analyze any potentially applicable exclusions. Generally, there are three exclusions that insureds should be paying attention to within their policy when assessing coverage for a COVID-19-related claim: (1) the bodily injury exclusion; (2) any conduct exclusions; and (3) the pollution exclusion.

First, to maximize chances of coverage, the bodily injury exclusion within the policy should be narrowly drawn. For example, “for” prefatory language to “bodily injury” is more favorable than “based upon, arising out of.” While it is unlikely that a D&O insurer could successfully argue that a securities action is “for bodily injury,” the insurer may try to use broader bodily injury wording to deny coverage for a suit on the basis that it “arose out of” COVID-19, a virus which causes bodily injury. “Arising out of” language has traditionally been interpreted by courts in other coverage situations as extremely broad language; thus, similar language in an exclusion could post a real challenge for policyholders seeking coverage for COVID-19-related claims. Bodily injury exclusions with carve backs for securities claims are preferable in this situation to clarify the intent of the exclusion.

Second, many D&O policies contain exclusions for intentional or dishonest conduct. Securities claims filed under Section 10(b) of the Securities Exchange Act of 1934 require proof of “scienter,” a legal concept referring to someone’s mental state characterized by an intent to defraud, mislead or manipulate.10 Since intentionality is required, conduct exclusions in D&O policies could be implicated. Therefore, it is important to ensure that a final, non-appealable adjudication is required in order for the conduct exclusion to apply. In addition, a careful analysis of the language may reveal carve backs for certain securities claims. There is also some support in case law that conduct exclusions for fraud are inapplicable to securities claims.11

Third, like most lines of insurance coverage, D&O policies typically contain pollution exclusions which bar coverage for losses related to “pollutants.” The definition of “pollutants” is critical in determining whether it might impact coverage for a COVID-19- related claim. Some exclusions define pollutants as “contaminants” and/or “irritants,” and do not clearly refer to or encompass viruses like COVID-19. In these instances, state law will be critical: does the state take a broad view of what constitutes a pollutant, contaminant, or irritant, or have pollution exclusions been limited to more traditional environmental pollution scenarios?12

Beyond reviewing exclusions, there are other steps that policyholders should be taking to maximize any available coverage for event-driven securities claims. Notification of claims is crucial under claims-made policies, as discussed in further detail in a prior article, here. When coverage is renewing, insureds should pay careful attention to representations made on policy applications. Due to recent events, it is expected that underwriters will add additional inquiries to their questionnaires.

Therefore, to avoid a potential argument for recession of the policy because of a material misrepresentation in the application, carefully crafted, honest responses to these inquiries are crucial. At renewal time, review your policy to ensure that exclusions for claims arising from losses due to viruses, pandemics, etc., have not been added. Finally, to further protect against event-driven claims, insureds should evaluate their programs and consider whether adding public relations-type coverage would be helpful. This add-on provides coverage for public relations expenses to assist the insured with handling a crisis event and, hopefully, mitigating its effects in order to avoid future claims.

Conclusion

Coverage for COVID-19-related suits may come in many different varieties, and whether D&O policies will respond will depend on the policy language as well as the type of claims being brought against the company. Insureds should take this opportunity to evaluate their insurance programs and be aware that if the number of securities class action suits related to COVID-19 continues to grow as anticipated, it will result in a hardening market and the likelihood of increased premiums.


1“Zoom-bombing” is the term used to describe the scenario in which a stranger is able to access another group’s meeting on Zoom and potentially wreak havoc.
2See Danny Hakim and Natasha Singer, New York Attorney General Looks Into Zoom’s Privacy Practices, N.Y. Times, Mar. 30, 2020, available at: https://www.nytimes.com/2020/03/30/technology/new-york-attorney-general-zoom-privacy.html (last visited: April 11, 2020).
3See Drieu v. Zoom Video Cmcs., Inc., pending in the United States District Court for the Northern District of California, case no. 5:20-cv-02353, at ¶7.
4See Bran v. Zoom Video Cmcs., Inc., pending in the United States District Court for the Northern District of California, case no. 3:20-cv-02396.
5The complaint, McDermid v. Inovio Pharmaceuticals, Case 2:20-cv-01402-GJP, was filed in the United States District Court for the Eastern District of Pennsylvania on March 12, 2020.
6The complaint, Douglas v. Norwegian Cruise Lines, Case 1:20-cv-21107, was filed in the United States District Court for the Southern District of Florida on March 12, 2020.
7222 A.3d 566 (Del. 2019), reh’g denied (Nov. 18, 2019).
8See id., at 574.
9Id. at 575 (internal quotation marks omitted).
10See Ernst & Ernst v. Hochfelder, 425 U.S. 185, 197, 96 S. Ct. 1375, 1382, 47 L. Ed. 2d 668 (1976) (finding that scienter is a necessary element of a cause of action brought pursuant to Section 10(b)).
11See Alstrin v. St. Paul Mercury Ins. Co., 179 F. Supp. 2d 376, 398 (D. Del. 2002) (“If the deliberate fraud exclusion applied to securities claims, there would be little or nothing left to that coverage. Particularly, in a D & O insurance policy, where securities fraud claims are among the most common claims filed against directors and officers, the effect of such an exclusion would be particularly devastating.”)
12See SDV’s State-by-State Survey on Court Interpretations of the Pollution Exclusion in CGL Policies