In latest the Weekly Wright Report:
Effect of COVID Shutdown Order on Restaurant’s Obligation to Pay Rent
With business interruptions and closures due to COVID-19, state courts can anticipate significant litigation surrounding “force majeure” clauses in contracts. This article illustrates one case decided on June 3, 2020, by a state court in Illinois.
On March 16, 2020 the Governor of Illinois issued an Executive Order requiring all businesses in the State of Illinois that offered food or beverages for on-premises consumption—including restaurants, bars, grocery stores, and food halls—to suspend on-premises consumption. The Executive Order did allow such businesses to serve food and beverages that were to be consumed off-premises. A restaurant in Illinois leased a location from which it operated its restaurant and bar business. The lease had a force majeure clause that provided in part:
Landlord and Tenant shall each be excused from performing its obligations or undertakings provided in this Lease, in the event, but only so long as the performance of any of its obligations are prevented or delayed, retarded or hindered by … laws, governmental action or inaction, orders of government…. Lack of money shall not be grounds for Force Majeure.
As a result of the Executive Order, the restaurant’s business revenue was severely impacted. The United States Bankruptcy Court for the Northern District of Illinois in In re Hitz Rest. Grp., No. BR 20 B 05012, 2020 WL 2924523, at *1–5 (Bankr. N.D. Ill. June 3, 2020) addressed the interplay between the COVID-19 shut-down order and the force majeure clause.
In the Hitz Rest. Grp. case the restaurant argued that because of the Executive Order it was forced to close its restaurant and bar was not able to pay its rent and that under the force majeure clause in its lease it was excused from the obligation to pay rent during the shut-down period. The landlord rejected this argument and sought payment and/or to evict the restaurant.
The Court concluded that the force majeure clause applied, at least in part, to the rental payments which became due after the Executive Order became effective. Under Illinois law, in order for the force majeure clause to be triggered, the triggering event must in fact be the proximate cause of the party’s inability to perform under the lease. The Court reasoned that the force majeure clause was unambiguously triggered by the Executive Order because the Executive Order unquestionably constituted both “governmental action” and issuance of an “order” as contemplated by the language of the force majeure clause. In addition, the Court noted that the Executive Order unquestionably hindered the restaurant’s ability to perform by prohibiting it from offering “on-premises” consumption of food and beverages. Finally, the Court stated that the Executive Order was unquestionably the proximate cause of the inability to pay rent, at least in part, because it prevented the restaurant from operating normally and restricted its business to take-out, curbside pick-up, and delivery.
However, the Court observed that it was significant to the analysis that the Executive Order did not prohibit all restaurant operations. Accordingly, the Court held that because a restaurant under the Executive Order could partially operate by providing carry-out, curbside pick-up, and delivery services, to the extent that the restaurant could have continued to perform those services, its obligation to pay rent was not excused by the force majeure clause. The Court further held that the restaurant’s obligation to pay rent was reduced in proportion to its reduced ability to generate revenue due to the Executive Order. Because 75% of the leased space was unusable for on-premises dinning and bar operations, the Court required 25% of the lease to be paid during the shut-down.
One interesting argument that the landlord made, but the Court rejected, was the argument that the restaurant could have obtained money to pay the rent by applying to receive a Small Business Administration loan. The Court noted that there was no language in the lease requiring obtaining a loan and no case-law authority to support such an argument. There was no real analysis of the requirement that a party must take reasonable steps to mitigate its damages and losses and the fact that under the Payroll Protection Program a restaurant could have obtained an essentially free loan to pay payroll and rent obligations.
This decision is one of the first reported opinions dealing with the interplay between force majeure clauses and COVID-19 shut-down orders. The language of each specific force majeure clause and the effect and impact of each shut-down order will be critical to any analysis of the issue. Further, the law in each jurisdiction must be consulted in the analysis of the issue as well. In the Hitz Rest. Grp. case the force majeure clause specifically referenced “governmental action or inaction, orders of government” and the Executive Order clearly qualified as such action and order. It remains to be seen if a force majeure clause without such specific language will be of benefit to a business owner in the wake of the COVID-19 impacts. If you need assistance with your restaurant or business lease as a result of the COVID-19 shut-down orders feel free to give any attorney in our Restaurant or Real Estate Practice Groups a call.
An Overview of Virginia’s New Insurance Data Security Act
by Thomas Moran
All insurers doing business in Virginia should be aware of a new law that went into effect on July 1, 2020. The Insurance Data Security Act, Va. Code §§ 38.2-621, et seq. (“Act”), imposes various monitoring, reporting and disclosure requirements relating to the personal information of insureds across the state.
This article summarizes the major points of the Act and the new requirements that will be imposed on insurers who do business with Virginians.
Protected Information
The Act is designed to protect what it refers to as “nonpublic information.” This term includes any information that is not publicly available and either (1) relates to the business operations of an insurer such that unauthorized disclosure or access would cause an adverse impact, (2) allows identification and correlation of a consumer’s name, number, or other identifier with that consumer’s social security number, driver’s license number, financial or credit card number, or (3) pertains to health or mental care (including payment records). It does not include age, gender, or any information that is available in public records or required disclosures.
Information Security Program
Every insurer doing business in Virginia will be required to maintain a written information security program (ISP). While the scope of the ISP will necessarily depend on the size and complexity of the insurer, the nature of its activities, and the sensitivity of the information it maintains, each ISP must provide for the following at a minimum:
- Protect the security and confidentiality of protected information;
- Protect against threats or hazards to the security or tampering of protected information;
- Protect against unauthorized access;
- Establish a schedule for retention of protected information and its destruction;
- Designate a person, affiliate, or third-party vendor responsible for the ISP;
- Mitigation of identified risks;
- Establish authentication controls;
- Restrict access in places where records are stored;
- Protect against fire, water and other disasters as well as technological failures;
- Secure disposal of protected information;
- Keep up to date on the latest threats and vulnerabilities;
- Cybersecurity awareness training for employees;
- Reporting to the board of directors;
- Regular monitoring, reevaluation and adjustment based on factors such as technological changes, emerging threats, and changes to the insurer’s business structure and arrangements;
- A written incident response plan designed to respond to and recover from any unauthorized access or other cybersecurity event (see Va. Code § 38.2-623(G) for the required elements of the response plan).
Investigations
The Act’s scope is not limited to preventative measures. It imposes an investigation requirement with respect to any event that results in unauthorized access, disruption, or misuse of the insurer’s information system or protected information. At a minimum, the investigation must determine whether such an event occurred, assess the nature and scope of the event, identify the compromised information, and oversee reasonable measures to restore system security.
Disclosure to Commissioner and Notice to Consumers
If an insurer learns that information has been compromised, it is required to give notice to the Insurance Commissioner within three days if it is a Virginia corporation, or if 250 or more Virginia residents are affected by the event. The notice must include information such as timing, a description of how the information was compromised, recovery efforts, and law enforcement involvement. A full list of the disclosure requirements is at Va. Code § 38.2-525(B). The insurer must update and supplement the notice as information is learned over the course of the investigation.
The insurer must also provide notice of any compromised information directly to consumers if the information is reasonably likely to be the subject of identity theft or fraud to those consumers. This notice must be provided “without unreasonable delay” after determining or receiving notice that information has been compromised. The notice must (1) narrate the incident in general terms, (2) provide the type of protected information that was compromised, (3) describe what the insurer is doing to protect from future unauthorized access, (4) give a telephone number for the consumer to call for information and assistance, and (5) advise the consumer to review account statements and monitor credit reports. The insurer must mail the notice, unless the cost of doing so exceeds $50,000 or over 100,000 consumers are affected, in which case electronic notice is acceptable.
Additionally, if notice is provided to more than 1,000 consumers, the insurer must provide a copy of the notice to national credit reporting agencies.
Use of Third-Party Service Providers
Many insurers will choose to outsource the creation and implementation of the ISP to a third-party vendor. On July 1, 2022, additional requirements will be phased in for insurers choosing this option. Insurers will be required to exercise “due diligence” in selecting the vendor, and the insurer retains the responsibility to oversee the vendor to ensure that it implements administrative, technical and physical measures to keep protected information secure.
Certification and Record Retention for Virginia-based insurers
On January 1, 2023, each insurer domiciled in Virginia will be required to certify its compliance with the Act to the Insurance Commissioner. All ISPs, investigation reports, and related documents must be retained for five years.
Insurance Commissioner Oversight and Confidentiality
The Insurance Commissioner has the power to examine and investigate the insurer to ensure compliance with the Act, and to take any action necessary to enforce its provisions. Forthcoming rules and regulations will likely add further duties and requirements.
Similarly to investigations involving insurance fraud, the information and documents uncovered by the Insurance Commissioner during an investigation into an insurer’s response to a compromise of protected information are protected from civil discovery and subpoenas. However, the Commissioner may use such documents and information in the furtherance of any regulatory or legal action, and share and receive documents from regulatory and law-enforcement authorities.
Exceptions
The Act does not apply to:
- Insurers already subject to and compliant with HIPAA or depository institution information security requirements; or
- Independently licensed employees, agents, representatives, or designees of an insurer, if they are covered by the insurer’s ISP, investigation and notification obligations.
Conclusion
With cyber-attacks, ransomware, and other nefarious technological threats menacing insurers and their customers, responsible cybersecurity practices are now not only good business sense; they’re the law. If you have questions regarding the Act and how to ensure compliance, please contact Tom Moran at (804) 362-9434 or tmoran@wcslaw.com.
Want more? Visit the Weekly Wright Report page to browse past issues.