Lessons learned from Tyco's victory in Eli Lilly drug heist lawsuit

May 17, 2016
Company absolved of liability in case which holds wider implications for the security industry

It’s believed to be the single largest pharmaceutical theft in U.S. history.  The loss has been pegged at over $42 million. (Some say as high as $78 million.) Following a recent three-week jury trial, a federal jury in Miami found that industry giants Tyco and ADT were not legally liable for the theft at a Eli Lilly warehouse where the security providers installed, serviced and monitored an alarm system. The verdict ended years of litigation by the pharmaceutical company’s insurer seeking recovery for the loss. It’s a fascinating case at multiple levels and provides a number of important lessons for electronic security providers. Before delving into the broader implications of the case for the security industry, let's take a quick look at the facts surrounding it, which I've culled from news reports and papers filed by the parties and the court in the litigation. 

The Parties

In 2004, pharmaceutical giant Eli Lilly (“Lilly”) entered into a commercial sales proposal agreement with ADT for the installation and monitoring of security equipment at Lilly’s facility in Enfield, Connecticut.  According to the court, ADT entered into the agreement with Lilly. For reasons that appear to be unrelated to the merits of the underlying case, Tyco Integrated Security, LLC ["Tyco"] was also named as a defendant in the lawsuit. For simplicity, I’ll follow the court’s convention and use "Tyco" to refer to both entities.

The Security Contract

The security contract consisted of multiple forms and riders entered into simultaneously. The agreement had an initial term of five years and renewed automatically for successive one-year periods. It required Lilly to pay Tyco $760 a month. The agreement included a lengthy risk allocation provision - too long to recite here - but it included many of the terms customarily found in industry risk allocation clauses. (Click here to view a copy of the provision which can be found on page 7, paragraph 10 of the court’s order on motions for summary judgement in the case). For example, the clause required Lilly to maintain adequate insurance and to look exclusively to its insurance for any loss. Another part of the clause specifically obligated Lilly to waive its insurers’ rights of recovery arising through subrogation. (More on subrogation below.)

Between 2004 and 2008, Tyco continued to modify the security system at the facility by adding and removing certain components. Tyco also performed security surveys at the facility in 2004 and 2009, using diagrams of the facility to assess the facility’s systems. In late 2009 or early 2010, Tyco generated a proposal highlighting potential improvements to security at the facility. (Keep your eyes on these surveys and proposals. They’ll prove to be important later.) The record did not indicate that goods and services Tyco provided after the 2004 contract were covered by that contract. That’s a provision that, in my opinion, should have been included.

The Burglary

Sometime during the early morning hours of March 14, 2010, two burglars entered the facility and made off with millions of dollars of prescription drugs. The two, brothers Amed and Amaury Villa, cut through the roof to gain entrance to the facility, then rappelled to the floor and, once inside, were able to avoid security sensors and disable the intrusion system designed and installed by Tyco at the premises. (a la Tom Cruise in Mission Impossible.) The brothers then used a forklift to load pallets of drugs into a truck and drive off. In disconnecting the intrusion alarm systems at the warehouse, the Tyco monitored fire alarm system sent a "com failure" signal to Tyco’s central station. Tyco did not notify Lilly or dispatch or take any other action, all in accordance with Tyco’s policy for such signals.

At the time of the burglary, National Union insured Lilly’s inventory.  It paid Lilly over $42 million as a result of the loss. The insurer then sued Tyco in a subrogation claim seeking recovery of the amounts paid to Lilly. Subrogation permits an insurer to pursue claims on an insured’s behalf where the loss is caused by a third-party. Essentially, the insurer "steps into the shoes" of the insured to pursue claims for monies paid to the insured.

The Story Behind the Burglary

Following the break-in, the FBI determined that five Miami-based burglars – including the two Villa brothers - participated in the heist. All five were charged and pled guilty to federal offenses connected with the burglary. In addition to the burglary at the Enfield facility, the FBI determined that the gang burglarized six different warehouses in six different states between December 2009 and March 2011. In each instance, the facility was protected by a security system monitored by Tyco. Tyco never alerted Lilly of this fact before the burglary at Lilly’s Enfield plant.

There was some evidence, the FBI concluded, that the burglars had access to inside information in order to by-pass each of the six security systems. One of the gang members was related to a former Tyco sales manager in South Florida. The record indicated the manager had access to and routinely used his Tyco-issued laptop and VPN account to remotely access Tyco’s systems, including Tyco’s Mastermind system and other systems that stored confidential and sensitive subscriber information. There also was some evidence that the manager was in financial distress in 2009. The manager voluntarily terminated his employment with Tyco in December 2009.

The manager’s exit documentation failed to reflect the return of his Tyco laptop. During his employment with Tyco, the manager accessed Tyco’s VPN only sporadically. After he left Tyco, someone using the manager’s credentials continued to access Tyco’s network and did so for several months continually resetting the manager’s password.

Tyco failed to identify or take action to address this security breach. Confidential information regarding the Enfield facility, including diagrams of the facility and Tyco’s security survey resided on Tyco’s Mastermind and other systems and could be accessed remotely (i.e., through the VPN). That said, the manager testified that his credentials would not have permitted access to Lilly’s confidential information.

Amaury Villa testified under oath in a deposition as part of discovery in the case. According to Amaury, his brother, Amed, selected the area on the roof where the two entered the Enfield facility. Amaury said there was nothing special about how the brothers entered the premises. According to Amaury, his brother peered into the warehouse through a hole in the roof and, once in, followed cables to determine where the alarm was located. Amaury also told his questioners that Amed disabled the alarm by using the expertise he gained practicing on his home alarm system. Finally, Amaury testified that the gang did not use confidential information to access the facility but admitted that his brother may have had some sort of unspecified "inside information" that helped the gang enter the facility.

The Legal Fight

This was no simple case. The parties exchanged hundreds of thousands of documents in discovery, including plenty of e-mails. (Remember – anything you say [or write] may be used against you in a court of law.) They took 20 depositions, which likely means 60 days of depo prep, travel and testimony, all at multiple hourly rates. At the close of discovery, both sides moved for judgment as a matter of law (called summary judgment). The court’s opinion on the summary judgment motions was nearly 70 pages. For the most part, the court denied the motions sending the matter to trial.  From an alarm company’s perspective, the best possible outcome is for the court to enforce the limitations in the alarm company’s service agreement. That didn’t happen here.

Based on the record, it appears National Union pursued the case solely on the theory that Tyco failed to adequately protect Lilly’s confidential information. In other words, unlike most catastrophic burglary loss cases, the parties did not focus on the adequacy of the design or installation of the system, the components or the security provider’s response (or failure to respond) following signals. Rather, National Union’s claim appeared to be solely that the burglars obtained information from Tyco’s network enabling them to by-pass the system at Enfield and make off with the loot.

Frankly, that was a fascinating gambit. I suspect National Union’s lawyers took that approach in order to avoid litigating the risk allocation clauses in the security contract. Based on the record, I suspect the court likely would have enforced the limitation clauses if the claim had to do with the goods and services covered by the contract.

Interestingly, Tyco appears to have done substantial work at the Enfield facility following the 2004 contract, including the preparation of at least one security survey, but the court was unwilling to hold as a matter of law that the work was covered by the 2004 contract. Instead, the court decided that the jury should decide if that was the case, not an outcome Tyco wanted I am sure.

News reports indicated the trial lasted three weeks. If you’ve ever tried a case (or been involved in a trial) that’s three weeks of daylong court sessions followed by non-stop late night prep sessions, interspersed with a few hours of restless sleep. I did not have the trial transcripts but suspect the jury concluded there was plenty of smoke surrounding the possible loss of confidential information but could not find any fire. The jury gave Tyco a complete victory.

One of the most interesting aspects of the case was how the court handled the waiver of subrogation clause in Tyco’s contract. The clause provided that Lilly waived National Union’s right to file a subrogation claim. The same paragraph of the contract required Lilly to maintain adequate insurance and to look solely to that insurance in the event of a loss. These sorts of clauses can be enforceable, especially against sophisticated parties in commercial transaction involving only the loss of property. Essentially, the subscriber agrees to insure the risk and limit its recovery to insurance proceeds while waiving the insurer’s right to sue the alarm company. Together, the clauses transfer recovery from the alarm services provider to the insurance company.

If enforced, the clause would have ended the litigation. Tyco filed two motions seeking to enforce the waiver. Neither was successful, a reminder that courts are reluctant to enforce clauses limiting an alarm provider’s liability.

In denying the second motion, the court admitted the waiver was broad but refused to apply the clause to National Union’s claims reasoning that the clause only limited subrogation claims for services under the 2004 contract, not services provided after the contract or claims that arose outside the contract. Whether the security survey was performed under the contract was a question for the jury, the court held. In addition, the court concluded that clause did not apply to claims that did not arise under the contract, such as the data breach claim.

I read the subrogation clause (page 7, paragraph 10) and think the court got it wrong. I don’t think you can reasonably read the clause and hold that the clause doesn’t apply to pretty much every sort of claim, even those that may arise outside the contract. For me, it’s a reminder that contracts aren’t always enforced, which is why we have liability insurance.

Another lesson here is to have cyber-liability insurance covering your company in the event of a data breach. There are two types of companies in the United States – those whose data networks have been breached and those who don’t know their data networks have been breached.

I think the biggest lesson here is for all of us – you and me – to double check our form services contracts and give ourselves a fighting chance to avoid the time and expense of a lawsuit. More on the lessons learned from this case in my upcoming column in the June edition of SD&I magazine.

About the Author

Eric Pritchard | Eric Pritchard

Eric Pritchard is a partner in FisherBroyles, a law firm with office throughout the United States and in London. He spends his days trying to make the world safer for the security industry. You can reach Eric at [email protected].