Zoom Video Communications v. Underwriters at Lloyd's London CA6

• Court: California Court of Appeal
• Decided: May 27, 2026
• Docket: H052221
• Status: Unpublished

Opinion

Filed 5/27/26 Zoom Video Communications v. Underwriters at Lloyd’s London CA6 NOT TO BE PUBLISHED IN OFFICIAL REPORTS California Rules of Court, rule 8.1115(a), prohibits courts and parties from citing or relying on opinions not certified for publication or ordered published, except as specified by rule 8.1115(b). This opinion has not been certified for publication or ordered published for purposes of rule 8.1115.

IN THE COURT OF APPEAL OF THE STATE OF CALIFORNIA

SIXTH APPELLATE DISTRICT

ZOOM VIDEO COMMUNICATIONS, H052221 INC., (Santa Clara County Super. Ct. No. 22CV398878) Plaintiff and Appellant,

v. REDACTED OPINION FOR PUBLIC VIEW* UNDERWRITERS AT LLOYD’S, LONDON, et al.,

Defendant and Respondent.

In this insurance coverage dispute, we interpret a policy issued by defendant Certain Underwriters at Lloyd’s, London, et al. (Underwriters) to plaintiff Zoom Video Communications, Inc. (Zoom), to determine whether it provided coverage for particular claims related to Zoom’s privacy and security practices. In September 2019, the Federal Trade Commission (FTC) issued a civil investigative demand (CID) to Zoom regarding possible unfair or deceptive practices in violation of section 5 of the FTC Act (15 U.S.C. § 45). Responding to the CID and resolving the subsequent FTC investigation ultimately cost Zoom more than $6.6 million and resulted in an agreement and consent order in January 2021, requiring Zoom to

* This case involves material from a sealed record. In accordance with California Rules of Court, rule 2.550(d), this court has prepared both public (redacted) and sealed (unredacted) versions of this opinion. We order the unredacted version of this opinion sealed. implement an information security program and measures to address security and confidentiality risks. While the FTC investigation was proceeding, Zoom also faced multiple civil lawsuits filed in 2020, alleging that Zoom had made false and deceptive representations to consumers about its data security practices, and had provided customers’ personal identifying information to unauthorized third parties without consent. Zoom eventually settled the lawsuits for $85 million. Zoom then sought coverage from seven different insurance policies—split between the 2018–2019 and 2019–2020 policy periods—for expenses incurred in the FTC investigation process and civil lawsuits. After receiving coverage from its two primary insurers via settlement, Zoom filed suit in May 2022 against the five excess insurers from both policy periods for breach of contract and related claims when they declined coverage. The matter proceeded to cross-motions for summary judgment and summary adjudication, after which Zoom settled with every excess insurer except Underwriters. The chief dispute between Zoom and Underwriters was whether the CID constitutes a “Claim,” and whether the subsequent FTC investigation and civil lawsuits relate back to the CID because they arose out of the same “Incident” or “Interrelated Incidents,” as defined by the applicable policy. In May 2024, the trial court ruled in Underwriters’ favor, finding that the CID did not constitute a “Claim” because it was neither a demand for non-monetary relief nor a “Regulatory Proceeding” under the terms of the policy; for that reason, the FTC investigation and civil lawsuits could not relate back to the CID. As a result, the court held, Underwriters’ denial of coverage for those actions could not be a breach of contract, and it entered judgment in its favor. On appeal, Zoom argues that the CID was a “Claim” because it was both a demand for non-monetary relief and a “Regulatory Proceeding,” and that the subsequent

2 FTC investigation and civil lawsuits were “Interrelated Incidents,” thereby triggering coverage under the policy. Exercising our independent judgment, we conclude that the CID was neither a demand for non-monetary relief nor a “Regulatory Proceeding” under the policy—and thus was not a “Claim”—so coverage was not triggered, and summary judgment in Underwriters’ favor was appropriate. Accordingly, we affirm. I. FACTUAL AND PROCEDURAL BACKGROUND1 A. The parties and insurance policies Zoom is a communications technology company that provides a unified platform for videoconferencing, phone, chat, and content sharing, to millions of users worldwide. Relevant to this appeal, Zoom obtained multiple primary and excess errors and omissions insurance policies providing coverage generally from 2018 to 2020. The policies fell into two distinct policy periods: (1) the 2018–2019 policy period, which spanned from October 31, 2018, to October 31, 2019, and (2) the 2019–2020 policy period, which spanned from October 31, 2019, to December 1, 2020. The policies also included specified retroactive dates, providing coverage for certain incidents that occurred before the policy period commenced. Each policy period included multiple policies, including a primary policy and two or three excess policies.2 The 2018–2019 policy period consisted of three policies: (1) the primary policy issued by Westchester Surplus Lines Insurance Company for $10

1 We take our facts largely from the parties’ joint appendix filed in the trial court in connection with the cross-motions for summary judgment and summary adjudication. As will be shown, the key facts in this case are essentially undisputed. 2 “Primary insurance provides immediate coverage upon the happening of an occurrence that gives rise to liability.” (Haering v. Topa Insurance Co. (2016) 244 Cal.App.4th 725, 734–735, citing Century Surety Co. v. United Pacific Ins. Co. (2003) 109 Cal.App.4th 1246, 1255.) “Excess insurance provides coverage after a predetermined amount of primary coverage has been exhausted.” (Ibid.)

3 million (Westchester policy); (2) an excess policy issued by Underwriters for $10 million (Underwriters policy); and (3) an excess policy issued by Evanston Insurance Company for $5 million (Evanston policy). The 2019–2020 policy period consisted of four policies: (1) the primary policy issued by ACE American Insurance Company for $10 million (ACE policy); (2) an excess policy issued by Continental Casualty Company for $8.33 million (Continental policy); (3) an excess policy issued by Allied World Specialty Insurance for $8.33 million (Allied World policy); and (4) an excess policy issued by Endurance Risk Solutions Assurance Company for $8.33 million (Endurance policy). Excess insurance policies provide coverage after the limit of the primary insurance has been exhausted. (City of Oxnard v. Twin City Fire Insurance Company (1995) 37 Cal.App.4th 1072, 1077.) The excess policies for both policy periods here were so-called “following form” policies, meaning they provided coverage for the same acts or occurrences as the underlying policy, and incorporate by reference the terms and conditions of the underlying primary policy, except where otherwise stated. (See, e.g., Energy Ins. Mutual Limited v. Ace American Ins. Co. (2017) 14 Cal.App.5th 281, 286, fn. 2; Deere & Co. v. Allstate Ins. Co. (2019) 32 Cal.App.5th 499, 514 [following form policy “incorporates the terms and conditions of another carrier’s policy and provides the same scope of coverage as the underlying policy”].) All of the policies in both policy periods were so-called “claims-made policies,” meaning the insurers assumed liability for any errors, including those made prior to the inception of the policy, as long as the claim is made against the insured during the policy period itself. (See, e.g., Feldman v. Illinois Union Ins. Co. (2011) 198 Cal.App.4th 1495,

4 1501, fn. 6, citing Pacific Employers Ins. Co. v. Superior Court (1990) 221 Cal.App.3d 1348, 1356–1357.)3 B. Scope of coverage The primary policies—and the excess policies as well, through incorporation by reference—provided coverage pursuant to certain “insuring agreements” specified in the policies. Both the Westchester policy and the ACE policy included the following insuring agreements: (1) insuring agreement T, for technology errors and omissions; (2) insuring agreement A, for a cyber incident response fund; (3) insuring agreement B, for business interruption and extra expenses; (4) insuring agreement C, for digital data recovery; (5) insuring agreement D, for network extortion; (6) insuring agreement E, for cyber, privacy and network security liability; and (7) insuring agreement F, for electronic, social and printed media liability. Each insuring agreement further specified the scope of coverage based on certain defined terms. For instance, insuring agreement T, the technology errors and omissions agreement, provided: “The Insurer will pay Damages and Claim Expenses by reason of a Claim first made against an Insured during the Policy Period for a Technology Incident which first occurs on or after the Retroactive Date and prior to the end of the Policy Period.”4 Defined terms are discussed further below, as relevant to the issues in this appeal.

3 By contrast, an “occurrence” policy provides coverage for damages that occur during the policy period, even if the claim is made after the policy has expired. (Guastello v. AIG Specialty Ins. Co. (2021) 61 Cal.App.5th 97, 102–103.) 4 Bold and capitalized words as used in the policies are defined terms. When not quoting directly from the policies, this opinion references capitalized defined terms from the policies in quotes, without bold font, as in: “Claim” or “Regulatory Proceeding.”

5 C. Key defined terms The parties’ dispute centers largely on certain defined terms set forth in the policies, including “Claim,” “Regulatory Proceeding,” “Cyber or Privacy Laws,” and “Interrelated Incidents.” We provide a brief summary of those terms as defined in the policies, before applying them to the facts of this case below. 1. “Claim” A “Claim” is defined as any: (1) “written demand against any Insured for monetary damages or non-monetary or injunctive relief; (2) civil proceeding against any Insured seeking monetary damages or non-monetary or injunctive relief, commenced by the service of a complaint or similar pleading; (3) arbitration or mediation proceeding against any Insured seeking monetary damages or non-monetary or injunctive relief, commenced by the receipt of a written demand, or service of a complaint or similar pleading; (4) criminal proceeding against an Insured commenced by: (a) an arrest, or (b) a return of an indictment, information or similar document; (5) written request directed at an Insured to toll or waive a statute of limitations applicable to a Claim referenced in paragraphs 1–4 immediately above; or (6) Regulatory Proceeding, including, where applicable, any appeal therefrom.” 2. “Regulatory Proceeding” A “Regulatory Proceeding” is defined as: “a suit, civil investigation or civil proceeding by or on behalf of a government agency, government licensing entity, or regulatory authority, commenced by the service of a complaint, or similar pleading based on an alleged or potential violation of Privacy or Cyber Laws as a result of a Cyber Incident, and which may reasonably be expected to give rise to a Claim under Insuring Agreement E.” 3. “Privacy or Cyber Laws” “Privacy or Cyber Laws” are defined as: “any local, state, federal, and foreign identity theft and privacy protection laws, legislation, statutes, or regulations that require

6 commercial entities that collect Protected Information to post privacy policies, adopt specific privacy or security controls, or notify individuals in the event that Protected Information has potentially been compromised.” 4. “Interrelated Incidents” “Interrelated Incidents” are defined as: “all Incidents that have as a common nexus any act, fact, circumstance, situation, event, transaction, cause or series of related acts, facts, circumstances, situations, events, transactions or causes.” As discussed further below, the parties chiefly dispute whether the CID was a demand for non-monetary relief or a “Regulatory Proceeding”—and therefore a “Claim”—and whether the FTC investigation and complaints that followed the CID, as well as the civil lawsuits filed in 2020, were “Interrelated Incidents,” and therefore part of the same “Claim.” D. CID and continuing FTC investigation The FTC issued the CID on September 16, 2019, pursuant to its authority under section 20 of the FTC Act (15 U.S.C. § 57b-1). By its own terms, the purpose of the CID was to determine whether Zoom had engaged in certain unfair or deceptive practices in violation of section 5 of the FTC Act (15 U.S.C. § 45). Toward that end, the CID included dozens of interrogatories and document requests relating to four specific categories of potential violations. First, the CID inquired about [REDACTED]. Specifically, the CID queried whether [REDACTED]. Second, the CID inquired about [REDACTED]. Specifically, the CID asked [REDACTED]. Zoom was also [REDACTED]. Third, the CID inquired about [REDACTED]. Fourth, the CID inquired about [REDACTED]. Zoom initially responded to the CID in early October 2019. Between then and February 2020, Zoom provided rolling responses and exchanged further information with

7 the FTC. The FTC’s investigation then continued and expanded, including additional requests for documents and information over the course of 2020. The expanded investigation focused in part on Zoom’s representations regarding end-to-end encryption used to secure users’ meetings. E. FTC complaints The FTC’s investigation ultimately resulted in a series of complaints issued against Zoom: (1) a draft administrative complaint on June 25, 2020; (2) a draft federal court complaint on August 13, 2020; and (3) a final administrative complaint on January 19, 2021. In general, the complaints alleged that Zoom made “numerous, prominent representations touting the strength of the privacy and security measures it employs to protect users’ personal information.” F. Consent agreement and order On October 19, 2020, Zoom and the FTC entered into an “Agreement Containing Consent Order” to resolve the CID and subsequent investigation, subject to final FTC approval (consent agreement). The FTC approved the consent agreement and entered a “Decision and Order” on January 19, 2021 (FTC order). The FTC order required Zoom, among other things, to (1) refrain from making certain misrepresentations regarding its security and privacy features; (2) establish and monitor a comprehensive information security program; (3) provide incident and compliance reports and notices to the FTC; and (4) create and maintain certain records. Although the FTC order did not impose any monetary penalties, Zoom contends that it incurred over $6.6 million in fees and costs to resolve the FTC investigation. G. Civil lawsuits Before the FTC investigation was resolved, Zoom also faced multiple civil lawsuits filed in 2020. First, Zoom was sued in September 2020 in federal court in the District of Columbia by Consumer Watchdog, a non-profit corporation “dedicated to representing

8 the interests of taxpayers and consumers through advocating and fighting false advertising and corporate deception, and protecting consumers’ online data security and privacy” (Consumer Watchdog lawsuit). Consumer Watchdog chiefly alleged that Zoom had committed unlawful and deceptive trade practices by promising consumers end-to-end encryption of video calls but not actually providing it, in violation of the Washington, D.C., Consumer Protection Procedures Act. Zoom settled the Consumer Watchdog lawsuit on July 29, 2021, incurring fees and costs in the process. Second, Zoom faced a series of class-action lawsuits filed by individual Zoom users in the northern and central districts of California beginning in March 2020. These lawsuits were eventually consolidated into a single class-action lawsuit in the northern district on May 28, 2020 (class-action lawsuit). The operative complaint in the class-action lawsuit alleged, among other things, that: (1) Zoom claimed it was utilizing end-to-end encryption for desktop and mobile devices, when in fact its video conferences and other audio and video functionality did not support end-to-end encryption; (2) Zoom’s use of “transport encryption,” as opposed to end-to-end encryption, could result in user data being intercepted by a hacker who could infiltrate the company’s systems; (3) Zoom suffers security breaches by unauthorized bad actors who hijack Zoom videoconferences; (4) Zoom could have, but did not, provide adequate meeting security to limit or prevent “Zoombombing,” or unauthorized meeting access and intrusions; (5) Zoom could have implemented numerous other technical solutions to limit or prevent Zoombombing; (6) Zoom collected and sent users’ information to third parties; (7) third parties could use that information to create a “fingerprint” of the user’s identity, and then track and advertise to users across multiple digital services. Zoom ultimately settled the class-action lawsuit for $85 million. H. Requests for insurance coverage

9 Zoom sought coverage from its primary and excess insurers for the CID and the resulting FTC investigation and FTC complaints, as well as for the Consumer Watchdog and class-action lawsuits, between 2019 and 2022. 1. Primary insurers Shortly after the CID was issued in September 2019, Zoom initially sought coverage from Westchester, its primary insurer for the 2018–2019 policy period. Westchester responded in November 2019 by reserving its rights, but accepting coverage for the CID as a “Regulatory Proceeding” and agreeing to pay for independent counsel to defend Zoom, subject to the reservation. As the FTC investigation continued, and the Consumer Watchdog and class-action lawsuits commenced, Zoom also sought coverage for those incidents from both Westchester and ACE under its primary policies for the 2018–2019 and 2019–2020 policy periods. After providing initial responses to Zoom’s requests, Westchester and ACE—through their joint counsel—provided a joint amended response in November 2020, which set forth their position regarding coverage under the policies. The primary insurers took the position that the “various actions recently noticed under the above-referenced policies are interrelated and constitute a single Claim first made under the 18–19 Policy.” According to the primary insurers, the various actions against Zoom all focused on “(1) technology vulnerabilities only; (2) unauthorized disclosure of personal information only; and (3) both technology vulnerabilities and unauthorized disclosure of personal information.” The primary insurers therefore amended their initial position, and concluded that all the incidents shared a “common nexus of any act, fact, circumstance, situation, event, transaction, cause or series of related acts, facts, circumstances, situations, events, transactions or causes.” Accordingly, the primary insurers would limit their coverage to the $10 million limit for a “Claim” under the Westchester policy for the 2018–2019

10 policy period, and not deem the ACE policy for the 2019–2020 policy period to have been triggered. Zoom and the primary insurers continued to negotiate the scope of coverage, and reached a settlement in May 2022. 2. Excess insurers Zoom also sought coverage from its excess insurers in both the 2018–2019 and 2019–2020 policy periods. The excess insurers all denied coverage on various grounds, in essence pointing the finger at the excess insurers in the other policy period. Underwriters and Evanston, for instance, took the position that the CID—the only matter noticed within the 2018–2019 policy period—was not a “Claim” in the first place, and that the CID and class-action lawsuit were not “Interrelated Incidents.” Meanwhile, the excess insurers for the 2019–2020 policy period—Continental, Allied World, and Endurance—argued that the CID was a “Claim,” thereby triggering the policies in the 2018–2019 period, and that the subsequent incidents were “Interrelated,” so they also fell within the 2018–2019 policy period, rather than the 2019–2020 policy period. I. Complaint Zoom filed the complaint in this action on May 25, 2022, naming all the excess insurers as defendants—Underwriters, Evanston, Continental, Allied World, and Endurance (complaint). The complaint alleged causes of action for breach of contract and breach of the implied covenant of good faith and fair dealing. In general, Zoom alleged that the excess insurers owed it money due under the insurance policies for coverage of the incidents described above, but refused to pay. According to Zoom, the excess insurers had “consistently pointed their fingers at each other, leaving Zoom stuck in the middle without the insurance protection it purchased— and with mounting legal fees and costs from pursuing coverage.”

11 J. Summary judgment and summary adjudication motions In October 2023, the parties stipulated to a briefing schedule for cross-motions for summary judgment and/or summary adjudication on certain specified issues. The parties agreed to address the following two issues only: (1) whether the CID and/or the FTC investigation into Zoom referenced in the CID constituted a “Claim” as defined in the primary policies and, if so, when such “Claim” was first made, as between the 2018– 2019 or 2019–2020 policy period; and (2) whether the CID, the FTC investigation into Zoom referenced in the CID, the FTC complaints, the Consumer Watchdog lawsuit, and the class-action lawsuits, arose out of the same “Incident” or “Interrelated Incidents,” as defined in the primary policies. The parties defined the first issue as the “FTC claim” issue, and the second issue as the “interrelatedness issue.” The parties also stipulated that Zoom, and the excess insurers for the 2018–2019 policy period only, could address an additional issue: whether the “Claim” or “Claims” for which Zoom seeks coverage are for “Incident(s)” that first occurred before the relevant retroactive dates in the 2018–2019 policies, which they defined as the “Retroactivity Issue.”5 1. FTC claim issue With respect to the FTC claim issue, Zoom argued—in a motion for summary adjudication—that the CID and FTC investigation constituted a “Claim” as defined in the

5 The stipulation also provided that the parties would make a good-faith effort to prepare and submit a joint appendix, “consisting of documents that may be cited to in support of a Motion and whose authenticity is undisputed.” The parties further agreed that their motions would “only cite to evidence included in the Joint Appendix, unless a Party establishes good cause for citing to other evidence.” Consistent with that, the parties submitted a 16-volume joint appendix in connection with their opening briefs in support of their motions. Consequently, the parties’ separate statements of undisputed material facts in support of their motions cited only to the documents in the joint appendix, and are largely undisputed.

12 policies because they were a “Regulatory Proceeding”—defined as “a suit, civil investigation or civil proceeding by or on behalf of a government agency, government licensing entity, or regulatory authority, commenced by the service of a complaint or similar pleading based on an alleged or potential violation of Privacy or Cyber Laws as a result of a Cyber Incident, and which may reasonably be expected to give rise to a Claim”—and because they constituted a “written demand for non-monetary relief.” Underwriters6 argued, in a motion for summary judgment, that the CID was not a “Regulatory Proceeding”—and therefore was not a “Claim”—because it lacked two essential elements of the definition. First, they argued, the CID was not based on an alleged or potential violation of “Cyber or Privacy Laws,” but rather was “essentially an administrative subpoena that seeks documents and information to determine whether Zoom violated the law.” Second, they argued, the CID was not a “complaint, notice or similar pleading” as required to be a “Regulatory Proceeding,” but was rather an administrative subpoena, and not akin to a pleading, which is generally a “formal allegation[] by the parties of their respective claims and defenses, for the judgment of the Court.” Underwriters also argued that the CID was not a written demand for non-monetary relief—and therefore not a “Claim”—because, under California law, a civil investigative demand is not a written demand for damages, services or other non-monetary relief. Instead, they contended, the CID sought only “documents and responses to interrogatories from Zoom.”

6 Although Underwriters and Evanston submitted joint briefs in the trial court, we refer only to Underwriters because Evanston reached a settlement with Zoom prior to the hearing on the parties’ motions, as did the excess insurers in the 2019–2020 policy period.

13 2. Interrelatedness issue With respect to the interrelatedness issue, Zoom argued that the allegations regarding Zoom’s security and technological vulnerabilities arose out of “Interrelated Incidents”—that is, the FTC Investigation, Consumer Watchdog lawsuit, and portions of the class-action lawsuit—while the allegations in the class-action lawsuit that Zoom shared users’ information with third parties like Facebook and Google arose out of separate “Incidents.” Zoom further argued that the test for interrelatedness under California law is whether a claim is logically or causally related to another claim, by looking at the gravamen of the claims in the underlying actions. Applied here, it argued, the security and technological vulnerability allegations in the underlying actions—the CID, FTC investigation, FTC complaints, Consumer Watchdog lawsuit, and portions of the class- action lawsuits—are interrelated and “comprise a single ‘Claim’ that arose during the [2018–2019] policy period.” By contrast, Zoom argued, the privacy claims in the class-action lawsuit concerning sharing of users’ information with third parties are not interrelated to the FTC investigation or Consumer Watchdog lawsuit, and constitute “a separate ‘Claim’ that arose during the [2019–2020] policy period.” Underwriters argued that interrelatedness was lacking because the CID and the class-action lawsuit had no common factual nexus. According to Underwriters, the CID focused on four discrete issues—[REDACTED]. 3. Retroactivity issue Zoom did not address the retroactivity issue in its initial brief in support of its motion. Underwriters, however, submitted a separate brief on the issue, in which they argued that the purportedly interrelated incidents first occurred in 2015, which was before the January 17, 2018, retroactive date specified in the Westchester policy, to which the

14 Underwriters policy followed form. According to Underwriters, Zoom’s alleged misrepresentations regarding its end-to-end encryption began in 2015, when Zoom published a HIPAA Compliance Guide “which makes representations regarding its HIPAA compliance status, including representations that Zoom complied with all HIPAA encryption standards,” and that it “employ[ed] industry-standard end-to-end Advanced Encryption Standard (AES) encryption using 128-bit keys to protect meetings.” Thus, even if the incidents were interrelated, because they began in 2015, they are not covered by the Underwriters policy for the 2018–2019 policy period. In its subsequent opposition brief, Zoom argued that the Westchester policy—and the Underwriters policy as well—provide that “Interrelated Incidents” are deemed first discovered on the date the first incident is discovered, not the date the first incident occurred. In addition, Zoom argued, the January 17, 2018, retroactive date only applies to Insuring Agreement T for technology errors and omissions liability, where in contrast, the policies provide “Full Prior Acts” coverage for Insuring Agreement E for Cyber, Privacy, and Network Security Liability, which governs here. K. Order and judgment Following a hearing, the trial court issued its order on May 9, 2024 (order). The court agreed with Underwriters that the CID did not constitute a “Claim” under the Westchester policy because it was not a written demand for non-monetary relief, or a “Regulatory Proceeding.” According to the trial court, the CID did not demand non- monetary relief, but instead was merely a “mechanism for requesting various forms of information.” The court determined the CID was an administrative or investigative subpoena, and not a demand for relief itself. The court also determined that the CID was not a “Regulatory Proceeding” because the investigation was not based on an alleged or potential violation of “Privacy or Cyber Laws.” It rejected Zoom’s argument that the FTC investigation was based on potential violations of Section 5 of the FTC Act—noting that Zoom had not identified

15 any provision in the FTC Act that requires it to adopt specific privacy or security controls—and instead accepted Underwriters’ argument that “Section 5 of the FTC generally prohibits entities from engaging in ‘unfair or deceptive’ acts [or] practices.” For that reason, the court concluded, Zoom could not prevail on its causes of action against Underwriters for breach of contract or breach of the implied covenant of good faith and fair dealing. The court did not reach the alternative arguments regarding the interrelatedness issue or the retroactivity issue. The trial court granted Underwriters’ motion for summary judgment and denied Zoom’s motion for summary adjudication. Judgment was then entered in Underwriters’ favor on May 21, 2024. Zoom timely appealed. II. DISCUSSION Zoom argues on appeal, as it did in the trial court, that the CID was a “Claim” within the meaning of the Westchester policy, because it was both a “Regulatory Proceeding” and a “demand for non-monetary relief.” Zoom requests that this court vacate the judgment and remand for further proceedings. Underwriters argue that the CID was not a “Claim,” as it was neither a “Regulatory Proceeding” brought under a “Privacy or Cyber Law,” nor a demand for non-monetary relief. Further, they argue that, even if the CID were a “Claim,” this court should nevertheless affirm the judgment on either of two grounds that the trial court did not reach: (1) the CID is not “Interrelated” with the class-action lawsuit, and (2) the Underwriters policy does not cover the class-action lawsuit because it was based on conduct that began before the “Retroactive Date.” A. Adequacy of appellant’s appendix As a threshold matter, we address the adequacy of Zoom’s appellant’s appendix and the extent to which it limits or precludes our review in this appeal.

16 It is well settled that an appellant bears the burden of providing an adequate record on appeal. (Maria P. v. Riles (1987) 43 Cal.3d 1281, 1295; Calhoun v. Hildebrandt (1964) 230 Cal.App.2d 70, 72.) An inadequate record “will frequently be fatal to a litigant’s ability to have his or her claims of trial court error resolved on the merits by an appellate court.” (Jameson v. Desta (2018) 5 Cal.5th 594, 608.) Consistent with that general principle, California Rules of Court, rule 8.124(b)(1)(B), mandates that an appellant’s appendix include “[a]ny item listed in rule 8.122(b)(3) that is necessary for proper consideration of the issues, including, for an appellant’s appendix, any item that the appellant should reasonably assume the respondent will rely on.” In the specific context of challenging a trial court’s grant of summary judgment— and in light of the summary judgment principles set forth below—an appellant must either demonstrate that the other party’s motion did not establish facts justifying judgment in its favor, or otherwise establish the existence of a triable issue of material fact. (Kim v. County of Monterey (2019) 43 Cal.App.5th 312, 323 (Kim).) To carry that burden, the appellant must cite the evidence that was presented to the trial court in opposition to the successful motion. (Hampton v. County of San Diego (2015) 62 Cal.4th 340, 347 (Hampton); Aguilar v. Atlantic Richfield Co. (2001) 25 Cal.4th 826, 843 (Aguilar) [court must consider all of the evidence and all of the inferences reasonably drawn therefrom and must view such evidence and inferences in the light most favorable to the opposing party].) Here, though, Zoom’s appellant’s appendix did not include any of the summary judgment materials submitted to the trial court. It omitted the parties’ motions, oppositions, reply briefs, separate statements, and the parties’ joint appendix. Underwriters elected to proceed in an abundance of caution and include the omitted documents in its respondent’s appendix, thereby enabling this court to review Zoom’s arguments on appeal.

17 In these circumstances—notwithstanding that Underwriters provided the complete record—we could affirm the judgment based solely upon Zoom’s failure to adequately raise any reviewable issue. (City of Burbank v. Burbank-Glendale-Pasadena Airport Authority (1999) 72 Cal.App.4th 366, 373.) Underwriters argue that we should do so: “The fact that Underwriters have taken protective measures by supplying their own appendix cannot cure Zoom’s failure.” Notwithstanding Zoom’s failure in this regard, we decline to decide the appeal on this issue, in light of the strong policy of the law in favor of resolving appeals on their merits. (Larrus v. First National Bank (1954) 122 Cal.App.2d 884, 886; People v. Bear (2018) 25 Cal.App.5th 490, 499 [“policy in favor of doing justice by resolving litigation on the merits”].) We caution Zoom’s counsel, though, that it is not the respondent’s responsibility to correct an appellant’s failure to provide an adequate record. B. Summary judgment principles and standard of review Where a defendant has prevailed on summary judgment, “ ‘ “we review the record de novo to determine whether [it has] conclusively negated a necessary element of the plaintiff’s case or demonstrated that under no hypothesis is there a material issue of fact that requires the process of trial.” ’ ” (Saelzler v. Advanced Group 400 (2001) 25 Cal.4th 763, 767; Code Civ. Proc., § 437c, subd. (c)].) The moving defendant “bears the burden of persuasion that there is no triable issue of material fact and that [it] is entitled to judgment as a matter of law.” (Aguilar, supra, 25 Cal.4th at p. 850.) Upon a defendant’s prima facie showing of the nonexistence of such an element, the plaintiff “is then subjected to a burden of production of [its] own to make a prima facie showing of the existence of a triable issue of material fact.” (Ibid.) In undertaking our independent review, “ ‘[w]e examine (1) the pleadings to determine the elements of the claim, (2) the motion to determine if it establishes facts justifying judgment in the moving party’s favor, and (3) the opposition—assuming

18 movant has met its initial burden—to “decide whether the opposing party has demonstrated the existence of a triable, material fact issue.” ’ ” (Kim, supra, 43 Cal.App.5th at p. 323.) “ ‘ “We liberally construe the evidence in support of the party opposing summary judgment and resolve doubts concerning the evidence in favor of that party.” ’ ” (Hampton, supra, 62 Cal.4th at p. 347.) Where resolution of summary judgment hinges on the interpretation of a contract, the reviewing court is not bound by the trial court’s construction of the contract “where that construction was not based on the credibility of conflicting extrinsic evidence as to which the trial court was in a better position to form a judgment.” (Milazo v. Gulf Ins. Co. (1990) 224 Cal.App.3d 1528, 1534.) “Thus, where there is no extrinsic evidence, where the extrinsic evidence is not conflicting or where the conflicting evidence is of a written nature only, the reviewing court is not bound by the rulings of the trial court but rather must make an independent interpretation of the written contract.” (Ibid.) Summary judgment regarding a contract is appropriate only if the language is unambiguous, allowing for just one interpretation, or the language is ambiguous, but undisputed evidence shows the moving party’s interpretation is correct. (Niederer v. Ferreira (1987) 189 Cal.App.3d 1485, 1499–1500; Scheenstra v. California Dairies, Inc. (2013) 213 Cal.App.4th 370, 391.) Where there are two equally plausible interpretations of a contract, it presents a question of fact precluding summary judgment if the evidence is contradictory. (Wolf v. Superior Court (2004) 114 Cal.App.4th 1343, 1351.) C. Principles of insurance contract interpretation “When interpreting a contract, courts give effect to the parties’ mutual intentions, first examining the contract’s plain language.” (Estate of Jones (2022) 82 Cal.App.5th 948, 952–953 (Estate of Jones); Civ. Code, § 1636 [“contract must be so interpreted as to give effect to the mutual intention of the parties as it existed at the time of contracting, so far as the same is ascertainable and lawful”].) “The language governs if it is clear,

19 explicit, and does not involve absurdity.” (Estate of Jones, supra, at p. 953, citing Jamieson v. City Council of the City of Carpinteria (2012) 204 Cal.App.4th 755, 761.) “The whole of a contract is to be taken together, so as to give effect to every part, if reasonably practicable, each clause helping to interpret the other.” (Civil Code, § 1641; Boghos v. Certain Underwriters at Lloyd’s of London (2005) 36 Cal.4th 495, 503 (Boghos).) Courts must interpret contract language in a manner that gives force and effect to every provision “and not in a way which renders some clauses nugatory, inoperative or meaningless.” (City of Atascadero v. Merrill Lynch, Pierce, Fenner & Smith, Inc. (1998) 68 Cal.App.4th 445, 473.) In reviewing a trial court’s interpretation of a written contract, we begin “with the threshold question of whether the writing is ambiguous—that is, reasonably susceptible to more than one interpretation.” (Adams v. MHC Colony Park, L.P. (2014) 224 Cal.App.4th 601, 619, citing Winet v. Price (1992) 4 Cal.App.4th 1159, 1165–1166.) “An ambiguity exists when a party can identify an alternative, semantically reasonable, candidate of meaning of a writing.” (Solis v. Kirkwood Resort Co. (2001) 94 Cal.App.4th 354, 360.) “An ambiguity can be patent, arising from the face of the writing, or latent, based on extrinsic evidence.” (Pacific Gas & Electric Co. v. G.W. Thomas Drayage & Rigging Co., Inc. (1968) 69 Cal.2d 33, 39–40.) Interpretation of an insurance policy in particular is also a question of law and follows the general rules of contract interpretation. (Haering v. Topa Ins. Co. (2016) 244 Cal.App.4th 725, 732–733.) “While insurance contracts have special features, they are still contracts to which the ordinary rules of contractual interpretation apply.” (Bank of the West v. Superior Court (1992) 2 Cal.4th 1254, 1264, citing AIU Ins. Co. v. Superior Court (1990) 51 Cal.3d 807, 822 (AIU Insurance).) Only where the standard rules of contract interpretation do not resolve an ambiguity in the language of an insurance policy, will a court interpret it to resolve it

20 against the insurer. (Yahoo Inc. v. National Union Fire Ins. Co. etc. (2022) 14 Cal.5th 58, 71–72 [citations omitted].) D. Analysis We begin with Zoom’s argument that the CID was a “Claim” under the terms of the Westchester policy.7 As set forth above, the Westchester policy—and therefore the Underwriters policy—defines “Claim” as any of six distinct categories: (1) a written demand against any “Insured” for monetary damages or non-monetary or injunctive relief; (2) a civil proceeding against any “Insured” seeking monetary damages or non-monetary or injunctive relief, commenced by the service of a complaint or similar pleading; (3) an arbitration or mediation proceeding against any “Insured” seeking monetary damages or non-monetary or injunctive relief, commenced by the receipt of a written demand, or service of a complaint or similar pleading; (4) a criminal proceeding against an “Insured” commenced by an arrest or the return of an indictment, information or similar document; (5) a written request directed at an “Insured” to toll or waive a statute of limitations applicable to a “Claim” referenced in paragraphs 1–4 immediately above; or (6) a “Regulatory Proceeding.” Zoom argues the CID satisfied two distinct categories of this definition: a written demand against any “Insured” for monetary damages or non-monetary or injunctive relief, and a “Regulatory Proceeding.”

7 Our analysis is limited to the CID, and does not include the subsequent FTC investigation or the FTC complaints. Although the parties’ stipulation in the trial court defined the FTC claim issue as whether the CID and/or the FTC investigation into Zoom referenced in the CID constituted a “Claim,” Underwriters’ policy was limited to the 2018–2019 policy period, which ended before the FTC investigation and FTC complaints were issued, and Zoom has limited its argument on appeal to the CID.

21 1. The CID was not a demand for non-monetary relief The parties agree that the CID was a written demand against an “Insured” and that it did not seek monetary damages. The only dispute is whether the CID demanded non- monetary relief. Because the Westchester policy does not define “non-monetary relief,” we look to the “ ‘ordinary and popular’ definition” of the term. (AIU Insurance, supra, 51 Cal.3d at p. 825; Civ. Code, § 1644; Westrec Marina Management, Inc. v. Arrowood Indemnity Co. (2008) 163 Cal.App.4th 1387, 1392.)8 In general, there is no “universal definition or plain meaning of ‘relief.’ ” (Simke, Chodos, Silberfeld & Anteau, Inc. v. Athans (2011) 195 Cal.App.4th 1275, 1286.) However, Black’s Law dictionary defines “relief” as “[t]he redress or benefit, esp. equitable in nature (such as an injunction or specific performance), that a party asks of a court.” (Black’s Law Dict. (9th ed. 2009) p. 1404, col 2.) Relatedly, it defines “prayer for relief,” as a “request addressed to the court and appearing at the end of a pleading; esp., a request for specific relief or damages.” (Id. at p. 1294, col. 2; see also, Webster’s New Internat. Dict. (2002 ed.) p. 1918, col. 1 [defining “relief” as a “legal remedy or redress”].) The plain language of the Westchester policy—taking the whole of the contract together, and giving effect to every part—is consistent with this ordinary definition of “relief” as a form legal redress akin to a court-ordered benefit. (Estate of Jones, supra, 82 Cal.App.5th at pp. 952–953; Civ. Code, §§ 1636, 1641; Boghos, supra, 36 Cal.4th at p. 503; see also, Palmer v. Truck Ins. Exchange (1999) 21 Cal.4th 1109, 1115 [assessing plain meaning of term by reference to the context in which it is used in the contract].)

8 The parties have not cited any California authority construing the terms “non- monetary relief” or “relief” in the context of a claims-based insurance policy, and we are not aware of any.

22 First, the operative phrase in the Westchester policy identifies three distinct categories of relief which may be demanded to qualify as a “Claim”: monetary damages, non-monetary relief, or injunctive relief. All three categories are forms of redress or benefit that a party asks of a court. Second, the definition of “Claim” includes six distinct categories, all of which are also grounded in, or akin to, a litigation context where a party seeks redress from a court. In addition to the “written demand” category, a “Claim” includes: a civil proceeding seeking monetary damages or non-monetary or injunctive relief; an arbitration or mediation proceeding seeking the same; a criminal proceeding; a written request to toll or waive a statute of limitations; or a “Regulatory Proceeding.” Third, the definition of “Regulatory Proceeding” demonstrates that the phrase “non-monetary relief” cannot be construed to include mere demands for information or documents sought by a civil investigation or administrative subpoena. As set forth above, a “Regulatory Proceeding” is defined as “a suit, civil investigation or civil proceeding by or on behalf of a government agency, government licensing entity, or regulatory authority, commenced by the service of a complaint or similar pleading based on an alleged or potential violation of Privacy or Cyber Laws as a result of a Cyber Incident, and which may reasonably be expected to give rise to a Claim under Insuring Agreement E.” A “Regulatory Proceeding” therefore circumscribes the type of civil investigations that qualify as a “Claim” by requiring, among other things, that they be based on an alleged or potential violation of “Privacy or Cyber Laws.” If a civil investigative demand constituted a “Claim” when it only seeks documents and information, there would be no need for the policy to separately define “Regulatory Proceeding” to include civil investigations by government agencies based on violations of “Privacy or Cyber Laws,” because they would already be subsumed within the former category. An interpretation

23 that renders part of the policy to be surplusage “should be avoided.” (Quantification Settlement Agreement Cases (2011) 201 Cal.App.4th 758, 799.) Finally, viewing the Westchester policy as a whole also demonstrates that the definition of a “Claim” that triggers coverage necessarily includes an allegation of wrongdoing. Not only are all six categories included in the definition of “Claim” predicated on such an allegation, but coverage under the policy is only triggered by a “Claim” made for an “Incident” as specified within one of the particular insuring agreements. For instance, the policy provides that “[c]overage is afforded pursuant to those Insuring Agreements purchased,” which, as summarized above, includes insuring agreements T, A, B, C, D, E, and F. For insuring agreement T, the policy states that “[t]he Insurer will pay Damages and Claim Expenses by reason of a Claim first made against an Insured during the Policy Period for a Technology Incident which first occurs on or after the Retroactive Date and prior to the end of the Policy Period.” Thus, coverage is only triggered by a “Claim” made for a “Technology Incident,” which itself is defined as: “any error, misstatement, misleading statement, act, omission, neglect or breach of duty, including Personal Injury, actually or allegedly committed or attempted by any Insured, or by any person or entity for whom the Insured is legally liable, in the: (i) rendering or failure to render Technology Services to others, or (ii) the failure of Technology Products to perform the function or serve the purpose intended.” It would make no sense for the policy to define “Claim” so broadly as to include demands for information, absent any allegation of wrongdoing, only to exclude such a “Claim” from coverage because it was not predicated on an allegation of wrongdoing. In sum, we construe “non-monetary relief,” as used in the Westchester policy, to mean legal redress that a party asks of a court, but which is distinct from monetary or injunctive relief. The policy is unambiguous in this respect. Applying that definition here, we also conclude that the CID is not a “Claim” by virtue of demanding such relief. Instead, it demanded only that Zoom provide documents

24 and information and respond to interrogatories. As summarized above, the purpose of the CID was to determine whether Zoom had engaged in certain unfair or deceptive practices in violation of the FTC Act. To make that determination, the CID included interrogatories and document requests relating to specific categories of potential violations. Yet the CID did not allege any wrongdoing or seek non-monetary relief in the form of redress that a party would ask of a court. Zoom argues that a demand for documents and information, such as the CID, is a demand for non-monetary relief, and hence a “Claim” under the Westchester policy. Specifically, it relies on cases which held that, under the particular insurance policies at issue, a demand for “relief” is a “broad enough term to include a demand for something due, including a demand to produce documents or appear to testify,” citing Minuteman International, Inc. v. Great American Ins. Co. (N.D. Ill. Mar. 22, 2004) 2004 WL 603482 (Minuteman), and Patriarch Partners, LLC v. Axis Insurance Co. (S.D.N.Y., Sept. 22, 2017) 2017 WL 4233078 (Patriarch). In Minuteman, a district court in Illinois assessed whether an order and investigative subpoenas issued by the Securities and Exchange Commission (SEC) constituted a claim under the applicable insurance policy, the definition of which included “a written demand for monetary or nonmonetary relief made against any Insured.” (Minuteman, supra, 2004 WL 603482 at pp. *3, *7.) The order and subpoenas required the insured to produce documents and provide testimony. (Id. at p. *7.) The district court held that a “demand for ‘relief’ is a broad enough term to include a demand for something due, including a demand to produce documents or appear to testify.” (Ibid.) Further, it held that “an SEC subpoena is not a mere request for information, but a substantial demand for compliance by a federal agency with the ability to enforce its demand” by filing suit. (Ibid.) For that reason, the court held, the subpoena was a claim under the policy.

25 Similarly, in Patriarch, a district court in New York considered whether an SEC investigation, including an order and subpoena, constituted a “claim” under the terms of the applicable policy. (Patriarch, supra, 2017 WL 4233078 at p. *4.) Relying in part on Minuteman, the court held that the subpoena sought non-monetary relief “in the form of the documents that were to be produced.” (Ibid.) We find reference to these decisions unpersuasive. First, they are based on different insurance policies with different operative language and definitions of a “claim.” Second, even if the terms of the policy were identical, we would decline to follow these decisions because, as explained above, we conclude that “non-monetary relief” here means a type of legal redress akin to that which a party would seek from a court. Moreover, we find other authority in other jurisdictions more persuasive than the authority cited by Zoom. (See, e.g., BioChemics, Inc. v. AXIS Reinsurance Co. (1st Cir. 2019) 924 F.3d 633, 640 [finding SEC subpoenas were requests for information, not “requests made of a court for equitable redress or benefit,” and not non-monetary relief]; St. Paul Mercury Ins. Co. v. RMG Capital Corp. (C.D. Cal. June 7, 2012) 2012 WL 2069677, at *4 [“claim” only includes a demand for non-monetary relief “in the form of a court-ordered benefit”]; NWHW Holdings, Inc. v. National Union Fire Insurance Co. of Pittsburgh, P.A. (C.D. Cal. Dec. 22, 2023, No. SACV 22-01030-CJC (KESX)), 2023 WL 9375862, at * 7 [CID from U.S. attorney’s office seeking documents and testimony was not a demand for nonmonetary relief].) Zoom also argues that “[i]t makes no sense, given the purposes underlying the policy, to conclude that the FTC CID is not a demand for ‘relief,’ but the FTC’s enforcement of that same CID in court is a demand for ‘relief.’ ” Stated differently, Zoom argues that it “could have obtained coverage for effectively the same costs if, instead of complying with the FTC’s CID, Zoom had refused to comply and forced FTC to obtain a court order under 15 U.S.C. § 57b-1(e).” However, as we have explained,

26 coverage under the Westchester policy is triggered only by a “Claim” made for an “Incident” as specified within one of the particular insuring agreements. Although we need not address this hypothetical situation here, it is not clear that refusing to comply with a CID’s request for information would constitute an “Incident” as defined in the policy. 2. The CID was not a “Regulatory Proceeding” Zoom also argues that the CID constitutes a “Claim” because it qualifies as a “Regulatory Proceeding.” The parties dispute two specific elements of the definition of “Regulatory Proceeding”: (1) whether the CID was commenced by the service of a complaint, notice, or similar pleading, and (2) whether the CID was based on an alleged or potential violation of a “Privacy or Cyber Law.” We begin with the second of those, because it is dispositive of the issue. The Westchester policy defines “Privacy or Cyber Laws” as: “any local, state, federal, and foreign identity theft and privacy protection laws, legislation, statutes, or regulations that require commercial entities that collect Protected Information to post privacy policies, adopt specific privacy or security controls, or notify individuals in the event that Protected Information has potentially been compromised.” Here, the dispute centers on whether section 5 of the FTC Act is a “Privacy or Cyber Law” because it requires such entities to (1) post privacy policies, (2) adopt specific privacy or security controls, or (3) notify individuals in the event that “Protected Information” has potentially been compromised. More specifically, the dispute requires us to focus on the second of those requirements—whether section 5 of the FTC Act requires a company like Zoom to adopt specific privacy or security controls.9

9 Underwriters argued in support of its motion for summary judgment that the FTC Act “contains no requirement that entities post privacy policies, adopt specific privacy or (continued)

27 In answering this question, we are asked to interpret a federal statute. “We review statutory interpretation issues de novo.” (Kader v. Southern California Medical Center, Inc. (2024) 99 Cal.App.5th 214, 221 [interpreting federal “Ending Forced Arbitration of Sexual Assault and Sexual Harassment Act of 2021,” (9 U.S.C. §§ 401, 402)].) “The objective of statutory interpretation is to ascertain and effectuate legislative intent. To accomplish that objective, courts must look first to the words of the statute, giving effect to their plain meaning. If those words are clear, we may not alter them to accomplish a purpose that does not appear on the face of the statute or from its legislative history. [Citation.] Whenever possible, we must give effect to every word in a statute and avoid a construction making a statutory term surplusage or meaningless. [Citations.]” (Ibid., quoting In re Jerry R. (1994) 29 Cal.App.4th 1432, 1437.) “When interpreting federal statutes, no less than when interpreting state statutes, our foremost duty is to discern and give effect to the legislative body’s intent, beginning with the text.” (City of Los Angeles v. County of Kern (2014) 59 Cal.4th 618, 624, abrogated on other grounds as stated in Artis v. D.C., 583 U.S. 71; citing Dole v. United Steelworkers of America (1990) 494 U.S. 26, 35; Wells Fargo Bank v. Superior Court (1991) 53 Cal.3d 1082, 1095.) When construing a federal statute, we must apply and interpret federal law. (McLaughlin v. Walnut Properties, Inc. (2004) 119 Cal.App.4th 293, 297.) We are bound by decisions of the United States Supreme Court, while lower federal court

security protocols, or notify individuals in the event Protected Information has been compromised.” On appeal, Zoom argues only that section 5 of the FTC Act “authorizes the FTC to require the adoption of privacy and security measures,” but does not separately argue that section 5 of the FTC Act requires certain commercial entities to post privacy policies or notify individuals in the event “Protected Information” has been compromised. Accordingly, we consider arguments regarding those two elements forfeited. (Delta Stewardship Council Cases (2020) 48 Cal.App.5th 1014, 1075 [“[w]hen an appellant fails to raise a point … we treat the point as forfeited”].) .

28 decisions are persuasive, but not binding. (Raven v. Deukmejian (1990) 52 Cal.3d 336, 352, Marhsall v. County of San Diego (2015) 238 Cal.App.4th 1095, 1113–1114.) Section 5 of the FTC Act provides that “[u]nfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.” (15 U.S.C. § 45(a)(1).) It further provides that the FTC is empowered to prevent specified entities from “using unfair methods of competition in or affecting commerce and unfair or deceptive acts or practices in or affecting commerce.” (15 U.S.C. § 45(a)(2).) Section 5 also empowers the FTC to issue a complaint to specified entities when it has reason to believe they have been “using any unfair method of competition or unfair or deceptive act or practice in or affecting commerce, and if it shall appear to the Commission that a proceeding by it in respect thereof would be to the interest of the public. …” (15 U.S.C. § 45(b).) If, after a hearing, the FTC believes that an entity’s “method of competition or the act or practice in question is prohibited by this subchapter,” it must, among other things, issue an order requiring it to “cease and desist from using such method of competition or such act or practice.” (15 U.S.C. § 45(c).) As the parties note, Congress intentionally left section 5 of the FTC Act vague: “When Congress created the Federal Trade Commission in 1914 and charted its power and responsibility under [section] 5, it explicitly considered, and rejected, the notion that it reduce the ambiguity of the phrase ‘unfair methods of competition’ by tying the concept of unfairness to a common-law or statutory standard or by enumerating the particular practices to which it was intended to apply.” (F.T.C. v. Sperry & Hutchinson Co. (1972) 405 U.S. 233, 239–240.) A Senate report set forth the reasoning: “ ‘The committee gave careful consideration to the question as to whether it would attempt to define the many and variable unfair practices which prevail in commerce and to forbid their continuance or whether it would, by a general declaration condemning unfair practices, leave it to the commission to determine what practices were unfair. It

29 concluded that the latter course would be the better, for the reason…that there were too many unfair practices to define, and after writing 20 of them into the law it would be quite possible to invent others.’ ” (Id. at p. 240, quoting Senate Report No. 597, 63d Cong., 2d Sess., 13 (1914).) The plain text of section 5 of the FTC Act, and the United States Supreme Court’s interpretation of it, demonstrate that the statute prohibits unfair methods of competition, and unfair or deceptive acts or practices, affecting commerce. It also gives the FTC broad discretion to determine what constitutes such unfair or deceptive acts or practices. By contrast, though, section 5 of the FTC Act does not impose any requirements on commercial entities to “adopt specific privacy or security controls.” Indeed, the statute imposes no specific obligations on regulated commercial entities, other than not engaging in unfair or deceptive acts or practices. Therefore, section 5 of the FTC Act is not a “Privacy or Cyber Law” as defined in the Westchester Policy, and the CID is not a “Claim” by virtue of being a “Regulatory Proceeding.” Zoom argues that section 5 of the FTC Act “authorizes the FTC to require the adoption of privacy and security measures,” which it has “consistently” done. However, nothing in the language of section 5 of the FTC Act provides such authorization. In fact, the only specific remedy available to the FTC in section 5—other than preventing unfair or deceptive practices—is to issue cease and desist orders to violators. (15 U.S.C. § 45(c).) Consistent with that, the FTC’s draft administrative complaint issued to Zoom did not identify any specific privacy and security controls that Zoom had failed to implement—instead, it listed seven counts, each constituting a deceptive representation and an unfair or deceptive practice in violation of section 5 of the FTC Act. The FTC’s draft federal complaint listed similar alleged violations, and the prayer for relief only asked the court to enjoin Zoom from future violations of section 5 of the FTC Act, and “award such relief as the court finds necessary to redress injury to

30 consumers… including rescission or reformation of contracts, restitution, the refund of monies paid, and the disgorgement of ill-gotten monies. …” Zoom does not cite any authority that supports its assertion that section 5 of the FTC Act authorizes the FTC to require the adoption of privacy and security measures. Instead, it cites an FTC order, an on-line article by the FTC, and Congressional hearing testimony by the FTC Commissioner and Director of the FTC Bureau of Consumer Protection. Setting aside the precedential value of such authorities—which Zoom does not address—they do not support Zoom’s position. Rather, they merely recite the general maxims that the FTC: has “been involved in addressing online privacy issues for almost as long as there has been an online marketplace”; has the “authority to challenge unreasonable data security measures as ‘unfair … acts or practices’ in violation of Section 5”; has jurisdiction over allegedly unfair data security practices; and enforces section 5 of the FTC Act’s proscription against unfair or deceptive practices where a business’s failure to employ reasonable security measures causes substantial consumer injury. While those maxims may be true, it does not follow that section 5 of the FTC Act is a law that affirmatively requires commercial entities to adopt specific privacy or security controls. Zoom also cites published federal cases as examples of FTC investigations that have “culminated in an order requiring a company to adopt specific privacy and security controls.” (See, e.g., United States v. Facebook, Inc. (D.D.C. 2020) 456 F.Supp.3d 115; Elec. Privacy Info. Ctr. v. FTC (D.D.C. 2012) 844 F.Supp.2d 98.) But in the cited cases, the parties entered into consent decrees and stipulated to the proposed orders, which the courts then granted. (Ibid.) They do not in any way demonstrate that section 5 of the FTC Act requires commercial entities to adopt specific privacy or security controls. Similarly, Zoom argues at length that “[c]ourts have affirmed the FTC’s authority to order companies to adopt privacy and security practices.” Again, though, the authority Zoom relies on does not support the assertion. Instead, it simply confirms that the “FTC

31 has authority to regulate cybersecurity under the unfairness prong of § 45(a)” (FTC v. Wyndham Worldwide Corp. (3d Cir. 2015) 799 F.3d 236, 240), or that the FTC has the general authority to regulate data security practices. (FTC v. D-Link Systems, Inc. (N.D. Cal. Sept. 29, 2017, No. 3:17-CV-00039-JD), 2017 WL 4150873, at *3.) Finally, Zoom argues that the FTC order here demonstrates that section 5 of the FTC Act requires companies to adopt privacy and security controls. As summarized above, the FTC order required Zoom to (1) refrain from making certain misrepresentations regarding its security and privacy features; (2) establish and monitor a comprehensive information security program; (3) provide incident and compliance reports and notices to the FTC; and (4) create and maintain certain records. However, the FTC order resulted from a consent agreement between the parties. The fact section 5 of the FTC Act empowers the FTC to issue a complaint when it believes a commercial entity has used unfair or deceptive practices—and that Zoom entered into the consent agreement to resolve the allegations in the FTC’s draft administrative complaint—does not demonstrate that section 5 of the FTC Act requires companies to adopt specific privacy and security controls. In sum, the fact that FTC orders resulting from consent agreements may include the adoption of specific privacy and security controls does not mean that section 5 of the FTC Act requires commercial entities such as Zoom to adopt them. Section 5, therefore, is not a “Privacy or Cyber Law,” as defined in the Westchester policy, and the CID was not a “Regulatory Proceeding” because it was not based on an alleged or potential violation of a “Privacy or Cyber Law.” We must “give effect to the parties’ mutual intentions, first examining the contract’s plain language.” (Estate of Jones, supra, 82 Cal.App.5th at pp. 952–953; Civ. Code, § 1636.) Here, the parties expressly agreed to define “Privacy and Cyber Laws” as those that require certain commercial entities to “adopt specific privacy and security controls.” Had the parties intended to define “Privacy and Cyber Laws” as those that

32 prohibit unfair or deceptive practices, including privacy and security measures, they could have done so. (Dameron Hospital Assn. v. AAA Northern California, Nevada & Utah Ins. Exchange (2014) 229 Cal.App.4th 549, 569 [“ ‘Courts will not add a term about which a contract is silent.’ ”]; Vons Companies, Inc. v. United States Fire Ins. Co. (2000) 78 Cal.App.4th 52, 59 [“We do not have the power to create for the parties a contract that they did not make and cannot insert language that one party now wishes were there.”].) 3. The judgment must be affirmed Underwriters’ motion for summary judgment addressed Zoom’s remaining causes of action against it—the first cause of action for breach of contract and the third cause of action for breach of implied covenant of good faith and fair dealing. Both causes of action were predicated on Underwriters’ alleged obligation under its policy to provide coverage for the CID, the FTC investigation and FTC complaints, the Consumer Watchdog lawsuit, and certain portions of the class-action lawsuits, under the theory that they should be treated as a single “Claim” that arose during the 2018– 2019 policy period. Because coverage under the policy was only triggered by a “Claim,” and the CID was not a “Claim,” there are no triable issues in the remaining causes of action. III. DISPOSITION The judgment is affirmed. Underwriters may recover their costs on appeal.

33 ___________________________________ Wilson, J.

WE CONCUR:

__________________________________________ Grover, Acting P. J.

______________________________________ Lie, J.

Zoom Video Communications, Inc. v. Certain Underwriters at Lloyd’s, London, et al. H052221