Monthly Archives: April 2015


This entry was posted by on .

As reported in news outlets, including Law360, Sony and its insurers have settled their data breach coverage litigation, two months after the New York appellate division heard oral argument.

Sony had sought coverage for numerous data breach class action lawsuits filed against it following the 2011 data breach into its PlayStation network.  Its general liability policies provided personal and advertising injury coverage for oral or written publication, in any manner, of material that violates a person’s right to privacy.  The trial court held that the insurers had no duty to defend because coverage applied only for violations of privacy committed by Sony, as the policyholder, and not by third parties who hacked into Sony’s network and stole personally identifiable information (“PII”).

The decision had other important aspects, often overlooked.  Analogizing the issue to the opening of Pandora’s Box, the trial court held that there mere accessing of information by the hackers constituted a “publication” under general liability policies.  The trial court also held that the phrase “in any manner” does not alter the meaning of the term “publication.”  Finally, the court held that in order for the “Insureds in Media and Internet Type of Business” exclusion to apply, the insured in question must solely be a content or service provider and not engage in other forms of business.  Here, because Sony engaged in other forms of business, the exclusion did not apply.

A more detailed discussion of the Sony decision may be found in an earlier Coverage Inkwell post located at:

My take is that the affect of the Sony settlement will be measured. For one thing, looking long term, the new personal data exclusions in CGL policies should shut the door on data breach coverage, to the extent it ever existed in the first place.  Second, Sony is a trial court decision without a written opinion, and the market already is shifting to cyber insurance.

Sony’s true legacy lay in the case’s publicity.  Sony showed that companies cannot look to general liability policies to cover data breaches.  They need to get cyber insurance.  The case was a Super Bowl ad for cyber liability insurance. That, and perhaps Target, showed companies that they have to get it.

Looking back, people will see Sony as the first big data breach coverage case.  It won’t be the last.

This entry was posted in Data Breach Insurance Coverage, Privacy Rights and tagged , .


This entry was posted by on .

On the heels of the Target settlement, another security data breach class action has been dismissed for lack of standing under Article III.  In the lawsuit In re Horizon Healthcare Servs., Inc. Data Breach Litig., 2015 WL 1472483 (D.N.J. Mar. 31, 2015), a federal district court held that class plaintiffs alleged neither sufficient injury nor causation to establish standing.

In that case, an unknown thief stole from the company’s headquarters two password-protected laptop computers containing personal information of company members.  Id. at *1.  The company reported the theft to law enforcement the next day.  A month later, it notified potentially affected members of the theft by letter and press release.  Id.  In its notification, the company informed members that “[d]ue to the way the stolen laptops were configured, we are not certain that all of the member information contained on the laptops is accessible.”  It also offered credit-monitoring protection.  Id.

Plaintiffs filed a putative class action on behalf of themselves and other company members whose information was housed in the stolen laptops.  Plaintiffs alleged they were “placed at an imminent, immediate, and continuing increased risk of harm from identity theft, identity fraud, and medical fraud, requiring them to take the time and effort to mitigate the actual and potential impact of the Data Breach on their lives.”  Id.  The company moved to dismiss on the basis that plaintiffs had not alleged injury or causation to satisfy standing under Article III of the United States Constitution.

To establish standing , a plaintiff must show:

(1) an ‘injury in fact,’ i.e., an actual or imminently threatened injury that is ‘concrete and particularized’ to the plaintiff; (2) causation, i.e., traceability of the injury to the actions of the defendant; and (3) redressability of the injury by a favorable decision by the Court.

Id. at *2.  While all three elements are constitutionally required for standing, the injury-in-fact requirement is perhaps the one litigated most often in data breach cases.

An alleged future injury must be “imminent” and “certainly impending” to constitute an injury-in-fact.  Allegations of possible future injury are insufficient.  E.g., Clapper v. Amnesty Int’l USA, — U.S. –, 133 S. Ct. 1138 (2013).  A plaintiff must also show a “causal connection” between the injury and the alleged wrongful conduct.  The standard for this criterion is less than that of proximate causation in tort law, but requires more than mere speculation.  Id. at *3.  “[T]he injury has to be fairly traceable to the challenged action of the defendant, and not the result of the independent action of some third party not before the court.”  Id. (emphasis added).

The case involved four named plaintiffs, three of whom alleged injury based on economic injury, violation of statutory law, and imminent risk of future harm (i.e., increased risk of fraud and identity theft).  The company argued that because these plaintiffs did not allege that their personal information had been accessed or misused, or that they had suffered unauthorized withdrawals from bank accounts, or identity theft, they failed to allege concrete and particularized harm to satisfy standing.  Id. at *4.  The Court agreed.

The Court, comparing the claims before it with another case in which plaintiffs suffered identity theft, and in which fraudulent bank accounts and credit cards had been opened and charged, concluded that plaintiffs’ generalized allegations did not show particularized injury.  Because plaintiffs did not allege they had carefully guarded their information, or suffered monetary loss, or injuries like identity theft or medical fraud, they did not allege “economic injury” to satisfy standing.  Id. at *5.  The Court also held that violations of statute or common law do not create standing.  The Court explained:

Standing does not merely require a showing that the law has been violated, or that a statute will reward litigants in general upon showing of a violation.  Rather, standing demands some form of injury—some showing that the legal violation harmed you in particular, and that you are therefore an appropriate advocate in federal court. [Brackets and quotation marks in text omitted.]

Id.  Simply put, a  plaintiff cannot rely upon legal violations to bootstrap standing.

Finally, the Court determined that allegations of increased risk of identity theft do not confer standing – an issue that is perhaps the most hotly-disputed area of Article III standing in data breach cases.  Many courts have held that allegations of increased risk of identity theft, and accompanying claims of economic injury from subscriptions to credit-monitoring services, do not allege imminent, “certainly impending” injury necessary to confer standing.  E.g., In re Science Applications Int’l Corp. (SAIC), — F. Supp. 2d –, (D.D.C. May 9, 2014); Galaria v. Nationwide Mut. Ins. Co., 998 F. Supp. 2d 646 (S.D. Ohio 2014).  However, other federal courts have held differently.  E.g., In re Adobe Sys. Inc. Privacy Litig., (N.D. Cal. Sept. 4, 2014).   The critical factor appears to be whether the stolen data was targeted by data thieves in a manner that would suggest the data’s later use.

Horizon did not depart from this evolving line of jurisprudence, holding that the absence of evidence indicating that the laptop thief would or could use plaintiffs’ information foreclosed any standing from mere allegations of increased risk.  The Court guided its conclusion under the Third Circuit’s decision in Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011), a network breach case, and also by Polanco v. Omnicell, Inc., 988 F. Supp. 2d 451 (D.N.J. 2013), a stolen laptop case.

Reilly involved an unknown hacker who infiltrated a payroll processing firm’s computer system, potentially gaining access to the information of approximately 27,000 employees.  Id. at * 5.  In Reilly, as in the present case, the company worked with law enforcement and investigators to identify the information the hacker may have accessed, notified affected persons, and offered free credit-monitoring protection.  Id.  In the ensuing data breach litigation, the Reilly court held that “an increased risk of identity theft resulting from a security breach was insufficient to secure standing” because there was no indication that the hacker had read and understood the stolen personal information, intended to misuse it, or even had the ability to do so.  Id.  To suggest otherwise without proof was speculation.  Id.  In the present case, the Court held that the same circumstance was in the case before it:

With respect to “an imminent risk of future harm”, Plaintiffs contend that, despite their lack of injury thus far, “identity theft could occur at moment”. (Pls.’ Opp’n at 15.) The Third Circuit’s decision in Reilly is both squarely on point and binding on this Court.


In so holding, the Court also rejected plaintiffs’ argument that “[t]he imminence of future harm in data breach cases depends upon two factors:  (1) whether any of the compromised data was misused post-breach, causing injury, and (2) whether the facts surrounding the data breach indicate that the data theft was sophisticated, intentional, or malicious.”  Id. at *6.  Even assuming that such a standard were applicable, the Court held that plaintiffs failed to satisfy it.  Plaintiffs had not alleged post-breach misuse of compromised data.  Id.  They also failed to allege a sophisticated breach:

With respect to the “sophisticated, intentional, or malicious” nature of the data breach—a factor supported only by oblique dicta in Reilly—the Court fails to see how the theft of Horizon laptops here is any more “sophisticated, intentional, or malicious” than the taking of a laptop from a locked car in Polanco or the hacking of a computer system in Reilly.  If anything, hacking a computer seems to require more planning, savvy, and sophistication than the simple theft of two laptops.

Id. at *6.

Finally, the Court reasoned that plaintiffs’ claims of increased risk ultimately rested on the same conjecture rejected in Reilly:

Additionally, compared to hypothetical string of events identified in Reilly, Plaintiff’s injury is even more attenuated: (1) the crook must gain access to the information on the password-protected laptops, (2) he or she must read, copy, and understand the personal information; (3) he or she must intend to commit future criminal acts by misusing the information; and (4) the perpetrator must then be able to use such information to the detriment of Plaintiffs by making unauthorized transactions in Plaintiffs’ names.  See Reilly, 664 F.3d at 42.  As in Reilly and other data breach cases, Plaintiffs’ future injuries stem from the conjectural conduct of a third party bandit and are therefore inadequate to confer standing.

Id.  For these reasons, the claims of increased risk did not satisfy standing.

The lawsuit’s fourth named plaintiff alleged fraudulent charges to his credit card and that the laptop thief had filed a fraudulent joint tax return under his and his wife’s names.  However, these allegations failed to show causation.  There was no evidence that the filed tax return had any connection to the stolen laptops.  Underscoring this conclusion was (1) personal information belonging to plaintiff’s wife was not on either stolen laptop and (2) no other putative class member alleged identity theft.  Id.  In addition, plaintiff admitted to receiving his tax refund.  Id. at *8.  Therefore, even if there were a casual connection, there was no injury.

Similarly, because plaintiff’s credit card information had not been on the laptops, any alleged injury from fraudulent charges to the card were not “fairly traceable” to the laptops’ theft.  The Court explained:

Defendant points out, and Rindner does not contest, that current credit card information (as opposed to a new credit card, which can be fraudulently obtained using a stolen Social Security number) was not on the stolen laptops. (Def.’s Reply at 2.) Thus, any harm stemming from the fraudulent use of Rindner’s current credit card is not “fairly traceable” to Defendant.

Id. at *9.

What This Case Means.  Most data breach class actions assert some form of injury from increased risk of identity theft.  A few also allege fraudulent financial charges.  Realistically, however, not every data breach results in actual injury.  Nor is every fraudulent charge on a credit card the result of a headlined data breach.  For this reason, Article III standing has become a golden defense in the relatively early stages of data breach litigation.  For more information, see Mooney, J., “Standing In Data Breach Litigation: Lessons From 2014,” Law360 Privacy, 1/6/2015.

This case continues the emerging line of case law that holds, in the absence of evidence indicating imminent use of stolen data, claims of increased risk of identity theft do not meet the imminent and certainly impending injury requirement for standing.  The case also shows that allegations of fraudulent charges and actual identity theft are not enough – a plaintiff still must plead enough evidence to show a causal connection between the injury and the data breach.

This entry was posted in Uncategorized and tagged .


This entry was posted by on .

Last week saw two separate Telephone Consumer Protection Act (“TCPA”) decisions in which federal district courts, one for the Eastern District of Pennsylvania, the other for the Northern District of Illinois, held no coverage existed for underlying TCPA litigation.  The decisions’ results were not surprising, as TCPA coverage claims have been wilting like Wisconsin’s lead over Duke in last night’s final.  What is interesting in the cases, Auto-Owners Ins. Co. v. Stevens & Ricci, Inc., No. 12-7228, 2015 WL 1456085 (E.D. Pa. Mar. 31, 2015) and Addison Automatics, Inc. v. Hartford Cas. Ins. Co., No. 13-1922, slip op. (N.D. Ill. Mar. 31, 2015), is that the courts reached their decisions on different bases.  The reasoning behind each basis can apply to other privacy litigation.

In Stevens & Ricci, the insured was sued in a class action for faxing over 18,000 unsolicited fax advertisements in violation of the TCPA, 47 U.S.C. § 227.  The underlying litigation alleged, among other claims, that the unsolicited faxes violated the privacy rights of class members who received them.  Id. at *1.  The insured’s policy defined “personal injury” and “advertising injury” in part as “oral or written publication of material that violates a person’s right of privacy.”  Id. at *2-3.

The insurer argued that because the underlying complaint did not plead a cause of action for invasion of privacy, there was no coverage because the policy provided coverage only for the tort.   In the alternative, the insurer argued that even if the tort were alleged, the underlying action did not implicate coverage.  Although the invasion of privacy claim entails four separate torts, the privacy right covered under insurance policies contemplates the right to secrecy only.  Id. at *8.  Because TCPA litigation implicated the privacy right of seclusion, and not the right of secrecy, there was no coverage.  Id.

The trial court agreed with the second argument and explained:

No coverage exists for “advertising injury,” as determined by the Third Circuit, this District Court, and the Pennsylvania courts which have so held because the type of privacy violation covered by insurance policies such as the Auto–Owners Policy—privacy interests in secrecy—are not violated by “junk” faxes.

* * *

In this case, Stevens & Ricci hired a third party to send out the faxes. Each court that concluded that privacy interests in secrecy are not violated by junk faxes holds that such violations are violative of the right of seclusion, even when it is alleged that a policyholder hired a third-party vendor, and the third-party vendor was responsible for sending the problematic faxes.  [Citations omitted.]  Accordingly, there is no coverage under the Auto–Owners Policy because the privacy interests in secrecy are not violated by the junk faxes sent out by Hymed.

Id. at *8-9.

In Addison Automatics, the insured was sued in a class action for violation of the TCPA, the Illinois Consumer Fraud Act and Deceptive Business Practices Act, and common law conversion following its involvement in a blast-faxing campaign.  The underlying action settled and the class pursued claims under assignment against the insured’s insurance carrier.  Addison Automatics, slip op., at 1, 3.

Two different policies were at issue, each containing a “Violation of Statutes That Govern E-Mails, Fax, Phone Calls or Other Methods of Sending Material or Information” exclusion.  Id. at 5, 7.  The exclusions barred coverage for claims “arising directly or indirectly out of any action or omission that violates or is alleged to violate . . . . the Telephone Consumer Protection Act.”  Id.  The claimants argued that the exclusions did not bar coverage because many of their claims did not involve the TCPA or any other statute that prohibited a method of sending material or information.   Id. at 14-15.  In particular, the claimants argued that because their conversion claims had nothing to do with any statute, the exclusions could not apply.  Id.

I encounter this argument often in the context that such exclusions do not apply to common law claims for invasion of privacy.  The argument has a fatal flaw – it ignores the “arising out of” language contained in the exclusion.  Here, the Addison Automatics court recognized that flaw.  Explaining that a court must focus upon the language of the policies, and not “peer[] myopically at the elements of” underlying causes of action, the court held that the exclusions barred coverage because the common law conversion claims involved injuries from conduct that violated the TCPA:

A close reading of the exclusionary provisions reveal that their focus is not on the legal elements of a particular claim asserted by the underling plaintiff, but the factual cause of the “bodily injury” and “property damage” that is alleged in the underlying complaint.  So long as the injury and damage alleged in the operative complaint “arises directly or indirectly out of any action or omission that violates or is alleged to violate” the TCPA, the claims asserting the injury (whatever the particular legal theory may be) falls within the purview of the exclusions.  This is what the language of the exclusionary provisions require.

Id. at 14-15.

What Do These Cases Mean?  The real value in these cases is found in the reasoning behind the decisions.  Stevens & Ricci shows that “privacy” is more than a buzz word to guarantee coverage.  Some jurisdictions assign a limited meaning to the phrase “right of privacy” found in business and general liability policies, and a court should examine the factual allegations of an underlying complaint to ascertain exactly what privacy interests are implicated in the case.  Sometimes those interests are not covered.  In Addison Automatics, the court correctly focused on the broad language of the exclusions at issue and the underlying factual allegations, not the elements of the causes of action pleaded in the underlying complaint.

The reasoning on both these cases can apply to coverage actions involving privacy rights, including ZIP code lawsuits, the collection and use of consumer data, unauthorized surveillance, and cyber/data breach cases.  Feel free to email me with any questions.

This entry was posted in Privacy Rights and tagged .