Skip To The Main Content

Publications

Publication Go Back

California Appellate Panel Holds FTC Civil Investigative Demand Does Not Constitute A Covered “Claim” Under Excess E&O Policy (Insurance Law Alert)

07.01.26

(Article from Insurance Law Alert, June 2026)

For more information, please visit the Insurance Law Alert Resource Center.

Holding

In an unpublished decision, the California Court of Appeal affirmed summary judgment in favor of an excess errors and omissions (“E&O”) insurer, holding that a Federal Trade Commission (“FTC”) civil investigative demand (“CID”) was neither a demand for “non-monetary relief” nor a covered “Regulatory Proceeding,” and therefore did not constitute a covered “Claim” under the policy. Zoom Video Commc’ns Inc. v. Underwriters at Lloyd’s, London, No. H052221, 2026 LX 297743 (Cal. Dist. Ct. App. May 27, 2026).

Background

In 2019, the FTC issued a CID to Zoom Video Communications, Inc. (“Zoom”) to investigate whether Zoom had engaged in unfair or deceptive practices in violation of Section 5 of the FTC Act. The CID included interrogatories and document requests concerning Zoom’s privacy and security practices. Zoom ultimately incurred more than $6.6 million in costs and fees responding to the CID and the ensuing FTC investigation, which culminated in a consent agreement and order requiring Zoom to implement and maintain a comprehensive information security program and related compliance measures.

While the FTC investigation was ongoing, Zoom also faced multiple lawsuits alleging that it had misrepresented its data security practices and improperly disclosed users’ personal identifying information to third parties. Zoom ultimately settled at least one class-action lawsuit for $85 million.

Zoom sought coverage from multiple primary and excess E&O policies for costs associated with the CID, the FTC investigation, and the related litigation. After settling with its primary insurers and all excess insurers except for Underwriters at Lloyd’s, London (“Underwriters”), Zoom pursued coverage litigation against Underwriters.

The parties disputed whether the FTC CID constituted a “Claim” under the policy. The policy defines “Claim” in relevant part to include a written demand for “non-monetary or injunctive relief” and a “Regulatory Proceeding” as “a suit, civil investigation or civil proceeding by or on behalf of a government agency . . . commenced by the service of a complaint, or similar pleading based on an alleged or potential violation of Privacy or Cyber Laws[.]” The policy further defines “Privacy or Cyber Laws” as “identity theft and privacy protection laws . . . or regulations that require commercial entities that collect Protected Information to . . . adopt specific privacy or security controls.”

The trial court held that the CID was not a “Claim” because it was neither a demand for non-monetary relief nor a “Regulatory Proceeding,” and entered judgment for Underwriters.

Decision

The California Court of Appeal affirmed.

First, the court held that the CID was not a covered “Claim” because it was not a demand for “non-monetary relief.” Looking to the ordinary meaning of the term, the court concluded that “non-monetary relief” refers to legal redress akin to what a party would seek from a court, distinct from monetary damages or injunctive relief. The CID sought only documents, information, and responses to interrogatories in connection with the FTC’s investigation and did not allege any wrongdoing or seek any form of legal redress. The court also emphasized that interpreting “non-monetary relief” broadly enough to encompass mere demands for documents or information would render the policy’s separate definition of “Regulatory Proceeding” largely superfluous, contrary to established principles of contract interpretation.

Second, the court held that the CID did not qualify as a covered “Regulatory Proceeding.” The policy limited that term to proceedings based on alleged or potential violations of “Privacy or Cyber Laws,” defined as identity theft protection laws or regulations requiring entities that collected protected information to adopt specific privacy or security controls. The court concluded that Section 5 of the FTC Act did not satisfy that definition. The court reasoned that although Section 5 broadly prohibits unfair or deceptive acts or practices and authorizes the FTC to police privacy- and cybersecurity-related conduct, it does not adopt specific privacy or security controls. Because Section 5 imposes no such affirmative obligations on regulated entities, the court concluded it was not a “Privacy or Cyber Law.” Accordingly, the CID was not a covered “Regulatory Proceeding” and therefore could not constitute a covered Claim.

Because the CID did not constitute a covered “Claim,” the court held that coverage under the excess policy was not triggered and affirmed judgment for Underwriters. Zoom’s coverage theory depended on treating the CID as the initial Claim to which the subsequent FTC proceedings and related consumer litigation could be tied through the policy’s interrelated claims provisions. Having concluded that the CID was not a covered Claim, the court found it unnecessary to address whether those later matters were interrelated claims.   

Comments

Although unpublished and therefore generally not citable as precedent under California Rules of Court, the Zoom decision provides support for insurers facing claims for regulatory investigation costs under policies that do not expressly cover subpoenas, civil investigative demands, or similar information-gathering requests. The court rejected authority treating investigative subpoenas as demands for “non-monetary relief” and instead held that the term refers to legal redress akin to what is sought from a court. Courts across the country continue to take diverging approaches on this issue, with the majority finding a subpoena or CID seeking the production of documents or testimony is a demand for “non-monetary relief.”

The decision also underscores the importance of policy-specific definitions. Rather than broadly characterizing the FTC Act as a privacy or cybersecurity law, the court focused on the particular policy’s definition of “Privacy or Cyber Laws” and concluded that Section 5 of the FTC Act did not qualify because it does not require entities to adopt specific privacy or security controls. The opinion therefore illustrates how investigation-coverage provisions may limit coverage for regulatory inquiries even where the underlying investigation concerns privacy or cybersecurity practices.