Author Archives: Joshua Mooney

ELECTRONIC DATA AND DISTRIBUTION OF MATERIAL EXCLUSION DOES NOT BAR COVERAGE FOR DISCLOSURE OF GENETIC DATA



Last week, the United States District Court for the Southern District of Texas held that an Electronic Data and Distribution of Material in Violation of Statutes exclusion, a variant of the Telephone Consumer Protection Act (“TCPA”) exclusion, did not prohibit coverage for an insured’s wrongful, online publication of genetic data in violation of a statute.  Evanston Ins. Co. v. Gene By Gene, Ltd., 2016 WL 102294 (S.D. Texas, Jan. 6, 2016).  In so holding, the court construed the exclusion to address solely intrusion upon seclusion claims.  The facts of the case are straightforward.

The insured, Gene by Gene Ltd. (“GBG”), owned and operated a genealogy website whereby users of the site were offered the opportunity to take DNA tests and then use their genetic information from the tests to learn more about their ancestry and connect with other users whose results matched their own results in varying degrees.  Gene By Gene, 2016 WL 102294 at *1.  An underlying plaintiff sued GBG in Alaska federal court, alleging that GBG improperly published his DNA test results on its website without his consent and in violation of Alaska’s Genetic Privacy Act.  Id.  The Genetic Privacy Act prohibits disclosure of a person’s DNA analysis without written and informed consent.  See AS §18.13.010.

GBG tendered its defense to its insurer, which issued four professional liability policies providing coverage for “personal injury,” defined therein as injury arising out of “oral or written publication of material that violates a person’s right of privacy.”  Id. at *1, *3.  The insurer, however, denied coverage based on an “Electronic Data and Distribution of Material in Violation of Statutes” exclusion.  Id. at *1.  Coverage litigation ensued and GBG moved for summary judgment.

GBG contended that defense coverage existed because the underlying action alleged injury that arises out of the written publication of material that violates a person’s right of privacy.  The insurer contended that the Distribution of Material exclusion applied because the exclusion prohibited coverage for violation of “any other statute, law, rule, ordinance, or regulation that prohibits or limits the sending, transmitting, communication or distribution of information or other material.”  Id. at *2.  Specifically, the insurer argued that the exclusion applied because the underlying action was brought pursuant to a statute (the Genetic Privacy Act), which prohibits the transmission, communication, or distribution of information or other material, namely, the public disclosure of a person’s DNA analysis on Gene by Gene’s website.  Id. at *4.  The court held that the underlying action alleged “personal injury” because the action asserted “the publication of material—the DNA analysis—that allegedly violates a person’s right to privacy.”  Id. at *3.  It then held that the Distribution of Material exclusion did not apply.

The court concluded that the insurer’s reading of the exclusion was too broad and would render the policies’ advertising injury and personal injury coverage illusory.  Id. at *4-5.  The exclusion prohibited both statutory and common law violations.  Because both advertising injury (libel and defamation) and personal injury (invasion of privacy) inherently involved communications in violation of law, the court reasoned that, under the insurer’s reading of the Distribution of Material exclusion, the exclusion would preclude coverage for all instances of advertising injury and personal injury.  Id. at *5.  The court further noted that in some states, such as Texas, “traditional defamation” injuries, like libel and disparagement of goods and services, are regulated by statute.  Id.  The court concluded that the exclusion was not intended to preclude such claims.

Yet, perhaps most compelling to the court was its conclusion that the intent and protected interests behind the Distribution of Material exclusion and the Genetic Privacy Act differed.  The court held that the Distribution of Material exclusion, another variant of the TCPA exclusion, was intended to address intrusion upon seclusion claims, a protection that was not contemplated by the Genetic Privacy Act:

The Genetic Privacy Act does not concern unsolicited communication to consumers, but instead regulates the disclosure of a person’s DNA analysis.  The facts upon which the claim is based deal solely with Gene by Gene’s alleged improper disclosure of DNA test results on its public website and to third-parties.  The facts alleged in the complaint do not address the type of unsolicited seclusion invasion contemplated by the Exclusion.  Accordingly, the Underlying Lawsuit is not excluded from Gene by Gene’s policy coverage.  [Emphasis added.]

Id. at *6.  Because of this mismatch, the exclusion did not apply.

What this case means.  This case is interesting because it addresses a new twist on the TCPA exclusions.  Are cybersecurity claims next?  Some might herald this decision as a defeat for insurers and a scaling back of the exclusion.  My thought – not really.  The court construed the exclusion to address solely intrusion upon seclusion claims, which is not that remarkable – although, maybe unwarranted.  Yet, it is important to remember that by including violations of mere “law” within its scope, the form of the exclusion at issue was very broad – indeed, broader than many variants of the TCPA exclusion.  That distinction was not lost on the court, which believed (and perhaps rightly so) that the fundamental logic for applying the exclusion in the case before it would have eviscerated coverage under the policy’s “advertising injury and personal injury” insuring agreement.  The court also recognized a potential mismatch between the exclusion and the Genetic Privacy Act.  It’s an interesting observation.  However, by then, the Court already had made its decision.

This entry was posted in Data Breach Insurance Coverage, Privacy Rights.

THE NINTH CIRCUIT HOLDS THERE IS NO COVERAGE FOR VIOLATION OF THE SONG-BEVERLY ACT



This week, the United States Court of Appeals for the Ninth Circuit affirmed Big 5 Sporting Goods Corporation, a case in which the trial court had held that “personal and advertising injury” coverage did not exist for violation of California’s Song-Beverly Act, even where common law allegations of invasion of privacy were alleged in connection with the unlawful collection of ZIP Codes.  See Big 5 Sporting Goods Corporation v. Zurich American Ins. Co., No. 13-6249 (9th Cir. Dec. 7, 2015), affirming Big 5 Sporting Goods Corporation v. Zurich American Ins. Co., 957 F. Supp. 2d 1135 (C.D. Cal. 2013).

In Big 5, the insured was sued in multiple underlying class action lawsuits alleging invasion of privacy and violation of the Song-Beverly Act from the practice of requesting ZIP Code information during credit card transactions.  See Big 5 Sporting Goods, 957 F. Supp. 2d at 1138.  Some of the class actions alleged both violation of the Song-Beverly Act as well as common law negligence and invasion of privacy claims.  Id.  The insured sought coverage under “personal and advertising injury,” defined in part as injury arising out of “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy.”  Id. at 1140. 

The insurers argued that defense and indemnity coverage for the underlying actions was barred by the statutory violation exclusions, one of which barred coverage for “personal and advertising injury” “arising directly or indirectly out of” any act or omission that violates or is alleged to violate:

c. Any statute, ordinance or regulation, other than the TCPA or CAN–SPAM Act of 2003, that prohibits or limits the sending, transmitting, communicating or distribution of material or information. 

Id. at 1149.  The trial court agreed, and now, the Ninth Circuit has affirmed.

Perhaps the most significant component of the Ninth Circuit’s decision was that the allegations of common law claims, which were not accounted for in the statutory violation exclusion, nevertheless did not preclude application of the exclusion because the factual allegations did not assert actionable causes of action. 

Specifically, the insured argued that because some of the lawsuits alleged common law claims for invasion of privacy, for purposes of the duty to defend, the statutory violation exclusion could not apply.  Big 5, slip op., at 4.  The Ninth Circuit disagreed.  Because “California does not recognize any common law or constitutional privacy causes of action for requesting, sending, transmitting, communicating, distributing, or commercially using ZIP Codes,” the Court concluded that the only possible claim for recovery was for penalties, not damages, under the Song-Beverly Act.  Id. at 45, citing Fogelstrom v. Lamps Plus, Inc., 195 Cal. App. 4th 986, 992 (2d Dist. 2011).  In Fogelstrom, the California Court of Appeal held that requesting ZIP Codes during credit card transactions does not assert an actionable claim for invasion of privacy, concluding that the action of “obtaining plaintiff’s address without his knowledge or permission, and using it to mail him coupons and other advertisements … is not an egregious breach of social norms, but routine commercial behavior.”  Fogelstrom, 195 Cal. App. 4th at 992.

The Ninth Circuit also rejected the insured’s argument that the invasion of privacy and negligence claims were merely frivolous, and thus could not be discounted for purposes of the duty to defend because an insurance carrier has the duty to defend both meritorious and frivolous claims.  The Ninth Circuit distinguished frivolous claims from those that are not actionable, explaining that the privacy claims did not merely lack merit, they were not recognized under the law:

Under settled California law, they are not even recognized as cognizable causes of action, a status one step below “unmeritorious.”  Allowing Big 5’s fact pattern to rise to the level of a claim would require an insurance company to insure and defend against non-existent risks.

Id. at 6. 

Borrowing from Shakespeare, the Court similarly dispensed with the underlying negligence claims as mere “artful” pleading that could not circumvent an unambiguous policy exclusion:

Big 5’s negligence theory fares no better.  Just as a rose by another name is still a rose, so a ZIP Code case under any other label remains a ZIP Code case.  See Swain v. Cal. Cas. Ins. Co., 99 Cal. App. 4th 1, 8-9 (2002) (“A general boilerplate pleading of ‘negligence’ adds nothing to a complaint otherwise devoid of facts giving rise to a potential for covered liability.”).  As the district court recognized, the California Court of Appeal has discouraged the “artful drafting” of alleging superfluous negligence claims, saying to allow such a practice would inappropriately “erase exclusions in any policy.”  Fire Ins. Exch. v. Jimenez, 184 Cal. App. 3d 437, 443 n.2 (1986).

Id.

What does this case mean?  Like the Third Circuit in Urban Outfitters (also discussed in The Coverage Inkwell), a second United States Court of Appeals now has held that “personal and advertising injury” does not exist for underlying allegations of unlawful ZIP Code collection.  A unique aspect to this decision, however, is that where an underlying action alleges a cause of action that is not recognized under the law, that cause of action cannot be used to implicate a duty to defend. 

This entry was posted in Privacy Rights.

THIRD CIRCUIT HOLDS “PRIVACY” MEANS SECRECY, “PUBLICATION” MEANS DISSEMINATION TO PUBLIC, AND “IN ANY MANNER” DOES NOT CHANGE MEANING OF “PUBLICATION”



In OneBeacon Amer. Ins. Co. v. Urban Outfitters, 2015 WL 5333845 (3d. Cir. Sept. 15, 2015), the United States Court of Appeals for the Third Circuit held that three underlying class action lawsuits filed against Urban Outfitters and Anthropologie, Inc. did not allege “personal and advertising injury.”  The Third Circuit held that for Coverage B “oral or written publication, in any manner, of material that violates a person’s right of privacy,” (1) “privacy” refers only to the right of secrecy, not the right of seclusion; (2) “publication” requires dissemination of information to the public at large; and (3) “in any manner” does not modify or change the meaning of “publication” to a lesser standard.

In the spirit of full disclosure, I represented OneBeacon America in the litigation with my colleagues at White and Williams LLP.  The facts of the matter are straightforward.

Urban Outfitters and Anthropologie (collectively, “Urban Outfitters”) were sued in three separate class actions filed in California, Massachusetts, and the District of Columbia.  (The California class action was actually a consolidation of multiple class actions.)  In each action, plaintiffs alleged that Urban Outfitters wrongfully collected and used consumers’ ZIP codes and other data for marketing and purchase-tracking in violation of state statutes and privacy rights.  Urban Outfitters sought defense coverage for each lawsuit under “personal and advertising injury,” defined in part as “oral or written publication, in any manner, of material that violates a person’s right of privacy.”

In the first lawsuit, Hancock, the underlying complaint alleged that Urban Outfitters unlawfully collected consumers’ ZIP code information during credit card transactions in violation of District of Columbia statute.  Id. at *1.  By obtaining the consumers’ ZIP codes, Urban Outfitters was then able to obtain the consumers’ home and business addresses to use for marketing.  Id.  Urban Outfitters contended the exchange of data between the retailer and the consumers constituted a “publication” for purposes of “personal and advertising injury” coverage.  The Third Circuit disagreed and accepted the insurers’ arguments that “‘publication’ requires dissemination to the public.”  Id. at *2.  The court rejected the contention that the failure to define the term “publication” in the policy made the term ambiguous:

Although neither the policies nor the Pennsylvania Supreme Court have defined “publication,” that does not render the term ambiguous.  Rather, “[w]ords of common usage in an insurance policy are to be construed in their natural, plain, and ordinary sense, and we may inform our understanding of these terms by considering their dictionary definitions.”  Madison Constr. Co. v. Harleysville Mut. Ins. Co., 735 A.2d 100, 106 (PA. 1999).  The District Court cited three separate dictionary definitions of “publication,” all of which support the conclusion that “publication” requires dissemination to the public. [Emphasis added.]

Id.

Significantly, the Court also rejected the contention that the phrase “in any manner” changed the meaning of “publication”:

The fact that the policies specify that “publication” may be made “in any manner” does not alter the analysis; as the Eleventh Circuit correctly noted, the phrase “in any manner” “merely expands the categories of publication (such as e-mail, handwritten letters, and, perhaps, ‘blast-faxes’) covered by the [p]olicy,” but “cannot change the plain meaning of the underlying term ‘publication.’”  Creative Hosp. Ventures, Inc. v. U.S. Liab. Ins. Co., 444 F. App’x 370, 375 (11th Cir. 2011).  [Emphasis added.]

Id.

In the second lawsuit, Miller, the underlying complaint alleged that Urban Outfitters unlawfully collected consumers’ ZIP code information to use for marketing purposes, including to send unsolicited promotional materials and “junk mail.”  Id. at *3.  Noting that the Pennsylvania Superior Court has recognized that the privacy right contemplated in “personal and advertising injury” is the right to secrecy, not the right to seclusion, the Third Circuit concluded that Miller did not allege a violation of a person’s “right of privacy.”  Importantly, in reaching its conclusion, the Third Circuit rejected the contention that the consumers had a right of privacy in their ZIP codes, or that the lawsuit alleged violation of consumers’ rights to keep their addresses secret from the retailers:

[T]he factual allegations of the Miller complaint evince a concern with seclusion, and not secrecy. The complaint asserts that plaintiffs “have suffered an injury as a result of Defendant’s unlawful conduct by receiving unsolicited marketing and promotional materials, or ‘junk mail,’ from Defendant.” [Record citation omitted.] Although the complaint asserts that Urban Outfitters did collect plaintiffs’ ZIP code information, that information was collected allegedly “to identify the customer’s address and/or telephone number … to send unsolicited marketing and promotional materials.” . . .  Put simply, the complaint does not assert harms based on the plaintiffs’ interests in keeping their ZIP codes secret. Accordingly, it does not allege publication of material that violates a person’s “right to privacy” under the policies . . . .

Id.  at *4.

For the final lawsuit, Dremak, the Court held that the Recording and Distribution of Material of Information In Violation of Law exclusion barred coverage, because the lawsuit was brought under California’s Song-Beverly Credit Card Act.  Id. at *3. The lawsuit originally had alleged common law claims, but those causes of action were dismissed without prejudice while the coverage litigation was pending in the Pennsylvania federal district court.  Urban Outfitters argued that the dismissal of those claims was not dispositive because the factual allegations supporting the common law claims remained in the complaint, and Pennsylvania law required that the factual allegations, not the causes of action, determined an insurer’s duty to defend.  Id.  The Court rejected the argument because the same alleged facts that gave rise to common law claims also alleged the statutory violations.

[T]he Court looked to the factual allegations of the complaint in determining that the complaint alleged “action[s] or omission[s]” that were alleged to violate the Song–Beverly Credit Card Act.  The fact that those same “action[s] or omission[s]” were also alleged to give rise to common law claims (claims that were dismissed) is irrelevant to the analysis.  [Emphasis added.]

Id.

What does this case mean?  This decision is a significant one.  It is one of only a few appellate-level decisions holding that (1) “publication” requires dissemination to the public at large, and (2) that “right of privacy” means the right of secrecy, not the right of seclusion.  The decision is only the second to address and debunk the myth that the phrase “in any manner” changes the meaning of “publication” in Coverage B.

This entry was posted in Privacy Rights.

NEW YORK’S HIGHEST COURT SAYS COVERAGE FOR LOSS FROM “FRAUDULENT ENTRY” INTO COMPUTER SYSTEM LIMITED TO HACKING



A source of computer fraud is the rogue employee or authorized user who abuses access to a network system for unlawful purposes.  Readers of The Coverage Inkwell will know that the Inkwell has addressed the meaning of unauthorized access in the context of cyber insurance for a few years.

In the context of the Computer Fraud and Abuse Act, 18 U.S.C. §1030, the United States Court of Appeals for the Ninth Circuit, in U.S. v. Nosal, 676 F.3d 854 (9th Cir. 2012), in essence limited the meaning of “exceeds authorized access” to hackers, not inside corporate personnel accessing a computer network for unauthorized (i.e., illegal) purposes.  Yesterday, the New York Court of Appeals, in Universal American Corp. v. National Union Fire Ins. Co. of Pittsburgh, PA, 2015 N.Y. Slip Op. 05516, 2015 WL 3885816 (N.Y. June 25, 2015), held that the phrase “fraudulent entry” into a computer system was limited to instances of outside hackers, not fraudulent content submitted by authorized users.

In the case, the insured Universal American Corp. (“Universal”) was a health insurance company that offers a choice of federal government-regulated alternatives to Medicare, known as medical advantage plans.  (Please note, because the decision was published only yesterday, page references currently are unavailable.)  Universal had a computerized billing system that allowed health care providers to submit bills for the medical advantage plans directly into the system.  A majority of such claims were approved and paid by Universal automatically and without manual review.  Universal ultimately suffered over $18 million in losses for payments of fraudulent claims for services that were never performed under the plans.

Universal sought coverage under an insurance policy, which provided coverage by endorsement for computer systems fraud.  The endorsement stated as follows:

COMPUTER SYSTEMS

It is agreed that:

  1. the attached bond is amended by adding an Insuring Agreement as follows:

COMPUTER SYSTEMS FRAUD

Loss resulting directly from a fraudulent

(1) entry of Electronic Data or Computer Program into, or

(2) change of Electronic Data or Computer Program within the Insured’s proprietary Computer System

provided that the entry or change causes

(a) Property to be transferred, paid or delivered,

(b) an account of the insured, or of its customer, to be added, deleted, debited or credited, or

(c) an unauthorized account or a fictitious account to be debited or credited[.]  (Emphasis added)

The insurer denied coverage on the ground that the endorsement did not cover Medicare fraud, i.e., losses from payment for fraudulent claims submitted by authorized health care providers.

In the ensuing coverage litigation, the trial court granted the insurer summary judgment.  Focusing on the words “fraudulent,” “entry,” and “change,” the court concluded that coverage did not extend to fraudulent claims entered into Universal’s system by authorized users; instead, coverage extended only to unauthorized entries into the computer system by a hacker or through a computer virus.  The New York Appellate Division affirmed, stating that the policy did not cover fraudulent content entered by authorized users, but instead covered “wrongful acts in manipulation of the computer system, i.e., by hackers.”

The New York Court of Appeals affirmed, holding that the policy endorsement was clear and unambiguous.  The Court held that the policy “unambiguously applies to losses incurred from unauthorized access to Universal’s computer system, and not to losses resulting from fraudulent content submitted to the computer system by authorized users.”  The Court based its conclusion on the fact that the term “fraudulent” modified the terms “entry” or “change” to mean that coverage applied to a dishonest entry or change of electronic data or computer program by “hacking” into the computer system:

The term “fraudulent” is not defined in the Rider, but it refers to deceit and dishonesty (see Merriam Webster’s Collegiate Dictionary [10th ed. 1993] ).  While the Rider also does not define the terms “entry” and “change,” the common definition of the former includes “the act of entering” or “the right or privilege of entering, access,” and the latter means “to make different, alter” (id.).  In the Rider, “fraudulent” modifies “entry” or “change” of electronic data or computer program, meaning it qualifies the act of entering or changing data or a computer program.  Thus, the Rider covers losses resulting from a dishonest entry or change of electronic data or computer program, constituting what the parties agree would be “hacking” of the computer system.  The Rider’s reference to “fraudulent” does not also qualify what is actually acted upon, namely the “electronic data” or “computer program” itself.  [Emphasis added.]

According to the Court, “[t]he intentional word placement of ‘fraudulent’ before ‘entry’ and ‘change’ manifests the parties’ intent to provide coverage for a violation of the integrity of the computer system through deceitful and dishonest access.”

In so holding, the Court rejected Universal’s argument that “‘fraudulent entry’ means ‘fraudulent input’ because a loss due to a fraudulent entry by necessity can only result from the input of fraudulent information.”  The Court reasoned that such a conclusion would render the words “a” and “of” in the sentence “a fraudulent (1) entry of Electronic Data or Computer Program into” superfluous:

This would render superfluous the word “a” before “fraudulent,” and the word “of” before “electronic data or computer program.” Universal’s proposed interpretation is easily achieved by providing coverage for a “loss resulting directly from fraudulent data.”  Of course, that is not what the [endorsement] says.

Because the losses suffered by Universal were not the result of hacking, there was no coverage under the policy.

Questions are welcome.

This entry was posted in Data Breach Insurance Coverage, Privacy Rights.

PENNSYLVANIA COURT REFUSES TO IMPOSE NEW DUTY ON EMPLOYERS TO PROTECT PII FROM DATA BREACHES



A common allegation in cyber security data breach litigation is that the data breach victim breached its duty of care in failing to adequately protect plaintiffs’ personal identification information (“PII”) from a data breach.  Very recently, the Pennsylvania Court of Common Pleas of Allegheny County in Dutton v. UPMC, No. GD-14-003285 (May 28, 2015), dismissed such a claim, refusing requests to create a new duty of care on an employer who suffered a data breach resulting in the compromise of its employees’ PII.  In so holding, the court reasoned that to create such a duty would place too heavy of a burden on corporate entities already incentivized to protect PII.  It also would inundate the judiciary with a flood of litigation.  The court instead looked to the state legislature to determine whether to impose this obligation.

In the case, the plaintiffs filed a putative class action of current and former The University of Pittsburgh Medical Center (“UPMC”) employees whose PII had been stolen from UPMC’s computer systems.  Plaintiffs alleged that UPMC owed a duty to protect their PII and had breached that duty under theories of negligence and breach of contract.  Dutton v. UPMC, No. GD-14-003285, slip op., at 1-2.  Duties allegedly owed by UPMC included:

  • The duty to design, maintain, and test its security systems to protect against data breaches;
  • The duty to implement processes to detect security breaches “in a timely manner”;
  • The duty “to adopt, implement, and maintain adequate security measures”; and
  • The duty to satisfy “widespread industry standards relating to data security.”

Id. at 2-3.

Addressing the negligence claim first, the court concluded that because the alleged damages were economic only, under the economic loss doctrine, no cause of action based on negligence could exist.  Id. at 4.  Therefore, the claim was dismissed.  (The court also dismissed the breach of contract claim based on the lack of evidence that a contract existed, id. at 11-12, but the court’s discussion of the negligence claim is where the real interesting read is found.)

To save their case, Plaintiffs contended that a special duty should be imposed upon UPMC to protect employees’ PII.  Id. at 5.  The court refused to do so, concluding that to impose such a duty as a means to combat the widespread problem of data breaches could overwhelm the judiciary and ill-serve public interest:

Plaintiffs’ proposed solution is the creation of a private negligence cause of action to recover actual damages, including damages for increased risks, upon a showing that the plaintiffs’ confidential information was made available to third persons through a data breach.

The public interest is not furthered by this proposed solution.  Data breaches are widespread. They frequently occur because of sophisticated criminal activity of third persons.  There is not a safe harbor for entities storing confidential information.  The creation of a private cause of action could result within Pennsylvania alone of the filing each year of possibly hundreds of thousands of lawsuits by persons whose confidential information may be in the hands of third persons.  Clearly, the judicial system is not equipped to handle this increased caseload of negligence actions.  Courts will not adopt a proposed solution that will overwhelm Pennsylvania’s judicial system.

Id. at 6.

The court also expressed concern over the lack of consensus standards for defining “adequate” security.  Id.  Litigation and “expert” testimony, the court observed, “is not a viable method for resolving the difficult issue of the minimum requirements of care that should be imposed in data breach litigation, assuming that any minimum requirements should be imposed.”  Id.  The court also worried that to create a new duty could place too heavy of a burden on companies already incentivized to combat data breaches:

Under plaintiffs’ proposed solution, in Pennsylvania alone, perhaps hundreds of profit and nonprofit entities would be required to expend substantial resources responding to the resulting lawsuits.  These entities are victims of the same criminal activity as the plaintiffs.  The courts should not, without guidance from the Legislature, create a body of law that does not allow entities that are victims of criminal activity to get on with their businesses.

Id. at 6-7.

Finally, the court concluded that the issue was best left to the legislative branch, not a single jurist:

I cannot say with reasonable certainty that the best interests of society would be served through the recognition of new affirmative duties of care imposing liability on health care providers and other entities electronically storing confidential information, the financial impact of which could even put these entities out of business.  Entities storing confidential information already have an incentive to protect confidential information because any breach will affect their operations. An “improved” system for storing confidential information will not necessarily prevent a breach of the system.  These entities are also victims of criminal activity.

It is appropriate for courts to consider the creation of a new duty where what the court is considering is sufficiently narrow that it is not on the radar screen of the Legislature. . . . However, where the Legislature is already considering what courts are being asked to consider, in the absence of constitutional issues, courts must defer to the Legislature.

Id. at 7-8.

Because “[t]he only duty that the General Assembly has chosen to impose as of today is notification of a data breach,” the court concluded that it should not create a new, additional duty on employers.  Id. at 10.  Quoting from the Illinois Court of Appeals in Cooney v. Chicago Pub. Sch., 934 N.E.2d 23, 28-29 (Ill. Ct. App. 2010), the court stated:

While we do not minimize the importance of protecting this information, we do not believe that the creation of a new legal duty beyond legislative requirements already in place is part of our role on appellate review.  As noted, the legislature has specifically addressed the issue and only required the [defendant] to provide notice of the disclosure.

Id. at 10 (emphasis in original).

Thus, according to the Pennsylvania Court of Common Pleas, Allegheny County, the ball is in the court of the Pennsylvania General Assembly to determine whether the duty to protect employees’ PII from data breaches should be placed on employers.

What this case means.  Where should the responsibility (burden?) of protecting personal identification information from data breaches lie, and what are the standards by which to measure compliance with that responsibility?  These are straightforward questions that Judge Wettick asked, and he found no definitive answers that would convince him to recognize a legal duty assigning the responsibility of protecting employee PII to employers.

Should the Pennsylvania General Assembly enact legislation creating an affirmative duty on employers to protect employees’ PII from data breaches, the duty would be state-specific, much like current data breach notification standards across the country.  Other jurisdictions may address the issue differently.  Courts in other states, for instance, may recognize a duty on employers outright in lieu of deferring to the legislative branch, or merely recognize a duty on employers to protect PII as an inherent component in a preexisting statute.  This area of law continues to develop rapidly.

I’d like to thank Laura Schmidt, an associate at White and Williams, for her invaluable assistance with this piece.

This entry was posted in Data Breach Insurance Coverage, Privacy Rights.

IN IBM DATA BREACH CASE, THERE CAN BE NO PUBLICATION WITHOUT ACCESS



In Recall Total Info. Management, Inc. v. Federal Ins. Co., No. SC 19291, the Connecticut Supreme Court upheld the appellate court’s decision that a data breach suffered by IBM was not covered under general liability policies’ “personal and advertising injury” coverage.

In that case, Recall Total had contracted with IBM to transport off-site and store computer tapes containing the encrypted personal information of current and former IBM employees.  Recall then subcontracted the transportation services to Ex Log.  Ex Log lost the computer tapes when they fell from Ex Log’s truck onto the roadside and were retrieved by an unknown individual.  Importantly, there was no evidence that anyone ever accessed the information on the tapes or that their loss caused injury to any IBM employee.  Nevertheless, IBM spent significant sums of money providing identity theft services and complying with state notification requirements.  IBM sought to recoup its losses from Recall Total and Ex Log.

Recall Total and Ex Log, in turn, sought recovery from their general liability insurers, which had issued general liability policies providing “personal and advertising injury” coverage.  “Personal and advertising injury” was defined in part as “injury . . . caused by an offense of . . . electronic, oral, written or other publication of material that . . . violates a person’s right of privacy.”  The trial court held that coverage was not implicated by the events, and the appellate court affirmed, see 83 A.3d 664 (Ct. App. Ct. 2014).

The Connecticut Supreme Court affirmed on the basis that there was no alleged “publication.”  In doing so, the court adopted in whole the appellate court’s decision, stating:

Because the Appellate Court’s well reasoned opinion fully addresses the certified issue, it would serve no purpose for us to repeat the discussion contained therein.  We therefore adopt the Appellate Court’s opinion as the proper statement of the issue and the applicable law concerning that issue.

Some may recall that, because there was no evidence that the IBM employees’ PII had been accessed, the appellate court declined to expound upon the meaning of “publication.”  Instead, the court concluded that without access to the information, there was no “publication” under any definition of the term:

Regardless of the precise definition of publication, we believe that access is a necessary prerequisite to the communication or disclosure of personal information. In this regard, the plaintiffs have failed to provide a factual basis that the information on the tapes was ever accessed by anyone.

See 83 A.3d at 672-73.

Further bolstering the court’s conclusion was the fact that the parties had stipulated that none of the IBM employees affected had been injured.  The court stated: “Moreover, because the parties stipulated that none of the IBM employees have suffered injury as a result of the tapes being lost, we are unable to infer that there has been a publication.”  Id. at 673.  (See also The Coverage Inkwell, 1/16/2014.)

Finally, the Connecticut Supreme Court’s holding also affirms the appellate court’s decision that costs incurred from complying with data breach notification statutes do not implicate “personal and advertising injury” coverage.

What this case means: It is very simple.  If there is no evidence of access of, or capability of access of, the information, there is no publication.  This decision will be especially significant in the underlying factual context of lost or stolen laptops that contain encrypted corporate data and PII.

This entry was posted in Data Breach Insurance Coverage, Privacy Rights.

EVEN IN THE CYBER WORLD, INTENTIONAL MISCONDUCT IS NOT NEGLIGENCE



Yesterday, the court in Travelers Prop. Cas. Co. of Amer. v. Federal Recovery Services, Inc., No. 14-170 (D. Utah) determined that no coverage existed under a Technology Errors and Omissions Liability Form found in a cyber insurance policy after the insured data processor had failed to return valuable personal identification information it held on behalf of the information’s owner.  This case is going to get a lot of attention simply because it is the first published decision involving a cyber insurance policy form.  What it shows is that, even in the cyber world, intentional misconduct is not negligence.

The facts of the case are straightforward.  The underlying plaintiff, Global Fitness, owned and operated fitness centers in several states.  As part of its operations, Global Fitness had numerous members who would provide credit card or bank account information through which Global Fitness could bill them (“Member Accounts Data”).  (Slip. op. at 3.)  Defendants were engaged in the business of providing processing, storage, transmission, and other handling of electronic data for customers.  (Id. at 1.)  Global Fitness entered into a contract with Defendants to process the Member Accounts and transfer the members’ fees to Global Fitness.  (Id. at 3.)

Global Fitness later entered into an asset purchase agreement with L.A. Fitness, which included, as part of the sale, the transfer of Global Fitness’s Member Accounts Data.  Global Fitness requested that Defendants return the Member Accounts Data to Global Fitness for inclusion in the asset purchase.  Although Defendants stated that they would cooperate and transfer the data back to Global Fitness, according to the litigation that ensued, they did not.  (Id. at 3-4.)

Defendants produced the Member Accounts Data, but data was missing.  Defendants produced the data in an alternative format that included some, but not all of, the missing information.  (Id. at 4.)  According to the underlying complaint, Defendants did not produce credit card, checking account, and savings account information contained in the Member Accounts Data.  (Id.)  Global Fitness requested this information, and then requested that Defendants transfer the billing information back to Global Fitness.

Nevertheless, the information was not produced.  Instead, according to the underlying complaint, Defendants “withheld the Member Accounts Data until Global Fitness satisfied several vague demands for significant compensation.”  In addition, Defendants “refused to transfer funds it received in servicing the Member Accounts for the past week until all matters were resolved.”

Global Fitness filed a lawsuit, asserting claims against Defendants for conversion, tortious interference, and breach of contract.  An amended complaint further alleged that Defendants purposefully withheld pieces of the Member Accounts Data for payment:

Global Fitness alleged that “[Defendants] withheld the Billing Data unless and until Global Fitness satisfied several demands for significant compensation above and beyond what were provided in the Agreement.”  In addition, Global Fitness alleged that “[Defendants] retained possession of Member Accounts Data, including the Billing Data, which was the property of Global Fitness and was only provided to Paramount pursuant to the terms of the Agreement.”  “[Defendants] willfully interfered with Global Fitness’s property and refused to return Global Fitness’s property without cause or justification.”  “[Defendants] actions deprived Global Fitness of the use of its Member Accounts Data and its monies and threatened its ability to comply with its obligations under the APA with L.A. Fitness.”

(Id. at 4-5.)

The amended complaint asserted that, “[a]s a result of the delay caused by [Defendants’] actions, the purchase price of the APA decreased dramatically,” and Defendants “knowingly harmed Global Fitness’s rights under the APA with L.A. Fitness thereby causing Global Fitness irreparable harm and loss.”  (Id. at 5.)

The insureds purchased a cyber insurance policy with a Network and Information Security Liability Form and a Technology Errors and Omissions Liability Form under which they sought defense coverage.  (Id. at 1-2.)  The insuring agreement stated as follows:

SECTION I – ERRORS AND OMISSIONS LIABILITY COVERAGE

1. Insuring Agreement

a. We will pay those sums that the insured must pay as “damages” because of loss to which this insurance applies. The amount we will pay for “damages” is limited as described in Section III- Limits Of Insurance in your CyberFirst General Provisions Form.

b. This insurance applies to loss only if:

(1) The loss arises out of “your product” provided to others or “your work” provided or performed for others;

(2) The loss is caused by an “errors and omissions wrongful act” committed in the “coverage territory”;

(3) The “errors and omissions wrongful act” was not committed before the Errors and Omissions Retroactive Date shown in the CyberFirst Declarations or after the end of the policy period; and

(4) A claim or “suit” by a person or organization that seeks “damages” because of the loss is first made or brought against any insured . . . .

(Id. at 2.)  Thus, the cyber policy provided coverage for loss caused by an “errors and omissions wrongful act.”  (Id. at 7.)  “Errors and omissions wrongful act” was defined as “any error, omission or negligent act.”  (Id. at 7.)

In the ensuing coverage litigation, the insurer contended that the cyber policy did not apply because the underlying action did not allege damages from an “error, omission or negligent act.”  Instead, the underlying complaints alleged intentional wrongdoing.  (Id.)  The Defendant insureds, on the other hand, contended that defense coverage existed because of the potential that they “may be found liable for an error, omission or negligent act relating to the holding, transferring or storing of data.”  (Id. at 7-8.)  Defendants contended that “Global’s claims that [Defendants] ‘withheld’ the data is broad enough to encompass possible error, omission or negligent act by [Defendants].”  (Id.)

The Utah federal court disagreed with the insureds.  Even in the cyber world, intentional misconduct is not negligence:

While the policy covers errors, omissions, and negligent acts, Global’s claims against Defendants allege far different justifications for the data to be withheld.  Global does not allege that Defendants withheld the data because of an error, omission, or negligence.  Global alleges that Defendants knowingly withheld this information and refused to turn it over until Global met certain demands.  Defendants allegedly did so despite repeated requests from Global to provide the data. Instead of alleging errors, omissions, or negligence, Global alleges knowledge, willfulness, and malice.

(Id. at 8 (emphasis added).)  The court concluded: “To trigger Travelers’ duty to defend, there must be allegations in the Global action that sound in negligence. As discussed above, there are no such allegations.”  (Id.)  Therefore, the policy was not implicated and there was no duty to defend.

One cannot argue with that logic.

This entry was posted in Uncategorized.

SONY DATA BREACH COVERAGE LITIGATION SETTLES



As reported in news outlets, including Law360, Sony and its insurers have settled their data breach coverage litigation, two months after the New York appellate division heard oral argument.

Sony had sought coverage for numerous data breach class action lawsuits filed against it following the 2011 data breach into its PlayStation network.  Its general liability policies provided personal and advertising injury coverage for oral or written publication, in any manner, of material that violates a person’s right to privacy.  The trial court held that the insurers had no duty to defend because coverage applied only for violations of privacy committed by Sony, as the policyholder, and not by third parties who hacked into Sony’s network and stole personally identifiable information (“PII”).

The decision had other important aspects, often overlooked.  Analogizing the issue to the opening of Pandora’s Box, the trial court held that the mere accessing of information by the hackers constituted a “publication” under general liability policies.  The trial court also held that the phrase “in any manner” does not alter the meaning of the term “publication.”  Finally, the court held that in order for the “Insureds in Media and Internet Type of Business” exclusion to apply, the insured in question must solely be a content or service provider and not engage in other forms of business.  Here, because Sony engaged in other forms of business, the exclusion did not apply.

A more detailed discussion of the Sony decision may be found in an earlier Coverage Inkwell post located at: http://thecoverageinkwell.com/three-missed-takeaways-from-the-sony-data-breach-case/

My take is that the effect of the Sony settlement will be measured. For one thing, looking long term, the new personal data exclusions in CGL policies should shut the door on data breach coverage, to the extent it ever existed in the first place.  Second, Sony is a trial court decision without a written opinion, and the market already is shifting to cyber insurance.

Sony’s true legacy lies in the case’s publicity.  Sony showed that companies cannot look to general liability policies to cover data breaches.  They need to get cyber insurance.  The case was a Super Bowl ad for cyber liability insurance. That, and perhaps Target, showed companies that they have to get it.

Looking back, people will see Sony as the first big data breach coverage case.  It won’t be the last.

This entry was posted in Data Breach Insurance Coverage, Privacy Rights.

ANOTHER DATA BREACH CLASS ACTION DISMISSED FOR LACK OF INJURY



On the heels of the Target settlement, another security data breach class action has been dismissed for lack of standing under Article III.  In the lawsuit In re Horizon Healthcare Servs., Inc. Data Breach Litig., 2015 WL 1472483 (D.N.J. Mar. 31, 2015), a federal district court held that class plaintiffs alleged neither sufficient injury nor causation to establish standing.

In that case, an unknown thief stole from the company’s headquarters two password-protected laptop computers containing personal information of company members.  Id. at *1.  The company reported the theft to law enforcement the next day.  A month later, it notified potentially affected members of the theft by letter and press release.  Id.  In its notification, the company informed members that “[d]ue to the way the stolen laptops were configured, we are not certain that all of the member information contained on the laptops is accessible.”  It also offered credit-monitoring protection.  Id.

Plaintiffs filed a putative class action on behalf of themselves and other company members whose information was housed in the stolen laptops.  Plaintiffs alleged they were “placed at an imminent, immediate, and continuing increased risk of harm from identity theft, identity fraud, and medical fraud, requiring them to take the time and effort to mitigate the actual and potential impact of the Data Breach on their lives.”  Id.  The company moved to dismiss on the basis that plaintiffs had not alleged injury or causation to satisfy standing under Article III of the United States Constitution.

To establish standing, a plaintiff must show:

(1) an ‘injury in fact,’ i.e., an actual or imminently threatened injury that is ‘concrete and particularized’ to the plaintiff; (2) causation, i.e., traceability of the injury to the actions of the defendant; and (3) redressability of the injury by a favorable decision by the Court.

Id. at *2.  While all three elements are constitutionally required for standing, the injury-in-fact requirement is perhaps the one litigated most often in data breach cases.

An alleged future injury must be “imminent” and “certainly impending” to constitute an injury-in-fact.  Allegations of possible future injury are insufficient.  E.g., Clapper v. Amnesty Int’l USA, — U.S. –, 133 S. Ct. 1138 (2013).  A plaintiff must also show a “causal connection” between the injury and the alleged wrongful conduct.  The standard for this criterion is less than that of proximate causation in tort law, but requires more than mere speculation.  Id. at *3.  “[T]he injury has to be fairly traceable to the challenged action of the defendant, and not the result of the independent action of some third party not before the court.”  Id. (emphasis added).

The case involved four named plaintiffs, three of whom alleged injury based on economic injury, violation of statutory law, and imminent risk of future harm (i.e., increased risk of fraud and identity theft).  The company argued that because these plaintiffs did not allege that their personal information had been accessed or misused, or that they had suffered unauthorized withdrawals from bank accounts, or identity theft, they failed to allege concrete and particularized harm to satisfy standing.  Id. at *4.  The Court agreed.

The Court, comparing the claims before it with another case in which plaintiffs suffered identity theft, and in which fraudulent bank accounts and credit cards had been opened and charged, concluded that plaintiffs’ generalized allegations did not show particularized injury.  Because plaintiffs did not allege they had carefully guarded their information, or suffered monetary loss, or injuries like identity theft or medical fraud, they did not allege “economic injury” to satisfy standing.  Id. at *5.  The Court also held that violations of statute or common law do not create standing.  The Court explained:

Standing does not merely require a showing that the law has been violated, or that a statute will reward litigants in general upon showing of a violation.  Rather, standing demands some form of injury—some showing that the legal violation harmed you in particular, and that you are therefore an appropriate advocate in federal court. [Brackets and quotation marks in text omitted.]

Id.  Simply put, a plaintiff cannot rely upon legal violations to bootstrap standing.

Finally, the Court determined that allegations of increased risk of identity theft do not confer standing – an issue that is perhaps the most hotly-disputed area of Article III standing in data breach cases.  Many courts have held that allegations of increased risk of identity theft, and accompanying claims of economic injury from subscriptions to credit-monitoring services, do not allege imminent, “certainly impending” injury necessary to confer standing.  E.g., In re Science Applications Int’l Corp. (SAIC), — F. Supp. 2d –, (D.D.C. May 9, 2014); Galaria v. Nationwide Mut. Ins. Co., 998 F. Supp. 2d 646 (S.D. Ohio 2014).  However, other federal courts have held differently.  E.g., In re Adobe Sys. Inc. Privacy Litig., (N.D. Cal. Sept. 4, 2014).   The critical factor appears to be whether the stolen data was targeted by data thieves in a manner that would suggest the data’s later use.

Horizon did not depart from this evolving line of jurisprudence, holding that the absence of evidence indicating that the laptop thief would or could use plaintiffs’ information foreclosed any standing from mere allegations of increased risk.  The Court guided its conclusion under the Third Circuit’s decision in Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011), a network breach case, and also by Polanco v. Omnicell, Inc., 988 F. Supp. 2d 451 (D.N.J. 2013), a stolen laptop case.

Reilly involved an unknown hacker who infiltrated a payroll processing firm’s computer system, potentially gaining access to the information of approximately 27,000 employees.  Id. at *5.  In Reilly, as in the present case, the company worked with law enforcement and investigators to identify the information the hacker may have accessed, notified affected persons, and offered free credit-monitoring protection.  Id.  In the ensuing data breach litigation, the Reilly court held that “an increased risk of identity theft resulting from a security breach was insufficient to secure standing” because there was no indication that the hacker had read and understood the stolen personal information, intended to misuse it, or even had the ability to do so.  Id.  To suggest otherwise without proof was speculation.  Id.  In the present case, the Court held that the same circumstances were present in the case before it:

With respect to “an imminent risk of future harm”, Plaintiffs contend that, despite their lack of injury thus far, “identity theft could occur at moment”. (Pls.’ Opp’n at 15.) The Third Circuit’s decision in Reilly is both squarely on point and binding on this Court.

Id.

In so holding, the Court also rejected plaintiffs’ argument that “[t]he imminence of future harm in data breach cases depends upon two factors:  (1) whether any of the compromised data was misused post-breach, causing injury, and (2) whether the facts surrounding the data breach indicate that the data theft was sophisticated, intentional, or malicious.”  Id. at *6.  Even assuming that such a standard were applicable, the Court held that plaintiffs failed to satisfy it.  Plaintiffs had not alleged post-breach misuse of compromised data.  Id.  They also failed to allege a sophisticated breach:

With respect to the “sophisticated, intentional, or malicious” nature of the data breach—a factor supported only by oblique dicta in Reilly—the Court fails to see how the theft of Horizon laptops here is any more “sophisticated, intentional, or malicious” than the taking of a laptop from a locked car in Polanco or the hacking of a computer system in Reilly.  If anything, hacking a computer seems to require more planning, savvy, and sophistication than the simple theft of two laptops.

Id. at *6.

Finally, the Court reasoned that plaintiffs’ claims of increased risk ultimately rested on the same conjecture rejected in Reilly:

Additionally, compared to hypothetical string of events identified in Reilly, Plaintiff’s injury is even more attenuated: (1) the crook must gain access to the information on the password-protected laptops, (2) he or she must read, copy, and understand the personal information; (3) he or she must intend to commit future criminal acts by misusing the information; and (4) the perpetrator must then be able to use such information to the detriment of Plaintiffs by making unauthorized transactions in Plaintiffs’ names.  See Reilly, 664 F.3d at 42.  As in Reilly and other data breach cases, Plaintiffs’ future injuries stem from the conjectural conduct of a third party bandit and are therefore inadequate to confer standing.

Id.  For these reasons, the claims of increased risk did not satisfy standing.

The lawsuit’s fourth named plaintiff alleged fraudulent charges to his credit card and that the laptop thief had filed a fraudulent joint tax return under his and his wife’s names.  However, these allegations failed to show causation.  There was no evidence that the filed tax return had any connection to the stolen laptops.  Underscoring this conclusion were the facts that (1) personal information belonging to plaintiff’s wife was not on either stolen laptop and (2) no other putative class member alleged identity theft.  Id.  In addition, plaintiff admitted to receiving his tax refund.  Id. at *8.  Therefore, even if there were a causal connection, there was no injury.

Similarly, because plaintiff’s credit card information had not been on the laptops, any alleged injury from fraudulent charges to the card was not “fairly traceable” to the laptops’ theft.  The Court explained:

Defendant points out, and Rindner does not contest, that current credit card information (as opposed to a new credit card, which can be fraudulently obtained using a stolen Social Security number) was not on the stolen laptops. (Def.’s Reply at 2.) Thus, any harm stemming from the fraudulent use of Rindner’s current credit card is not “fairly traceable” to Defendant.

Id. at *9.

What This Case Means.  Most data breach class actions assert some form of injury from increased risk of identity theft.  A few also allege fraudulent financial charges.  Realistically, however, not every data breach results in actual injury.  Nor is every fraudulent charge on a credit card the result of a headlined data breach.  For this reason, Article III standing has become a golden defense in the relatively early stages of data breach litigation.  For more information, see Mooney, J., “Standing In Data Breach Litigation: Lessons From 2014,” Law360 Privacy, 1/6/2015.

This case continues the emerging line of case law that holds, in the absence of evidence indicating imminent use of stolen data, claims of increased risk of identity theft do not meet the imminent and certainly impending injury requirement for standing.  The case also shows that allegations of fraudulent charges and actual identity theft are not enough – a plaintiff still must plead enough evidence to show a causal connection between the injury and the data breach.

This entry was posted in Uncategorized.

TWO RECENT TCPA CASES: A LOOK AT HOW THEY CAN AFFECT PRIVACY LITIGATION



Last week saw two separate Telephone Consumer Protection Act (“TCPA”) decisions in which federal district courts, one for the Eastern District of Pennsylvania, the other for the Northern District of Illinois, held no coverage existed for underlying TCPA litigation.  The decisions’ results were not surprising, as TCPA coverage claims have been wilting like Wisconsin’s lead over Duke in last night’s final.  What is interesting in the cases, Auto-Owners Ins. Co. v. Stevens & Ricci, Inc., No. 12-7228, 2015 WL 1456085 (E.D. Pa. Mar. 31, 2015) and Addison Automatics, Inc. v. Hartford Cas. Ins. Co., No. 13-1922, slip op. (N.D. Ill. Mar. 31, 2015), is that the courts reached their decisions on different bases.  The reasoning behind each basis can apply to other privacy litigation.

In Stevens & Ricci, the insured was sued in a class action for faxing over 18,000 unsolicited fax advertisements in violation of the TCPA, 47 U.S.C. § 227.  The underlying litigation alleged, among other claims, that the unsolicited faxes violated the privacy rights of class members who received them.  Id. at *1.  The insured’s policy defined “personal injury” and “advertising injury” in part as “oral or written publication of material that violates a person’s right of privacy.”  Id. at *2-3.

The insurer argued that because the underlying complaint did not plead a cause of action for invasion of privacy, there was no coverage because the policy provided coverage only for the tort.   In the alternative, the insurer argued that even if the tort were alleged, the underlying action did not implicate coverage.  Although the invasion of privacy claim entails four separate torts, the privacy right covered under insurance policies contemplates the right to secrecy only.  Id. at *8.  Because TCPA litigation implicated the privacy right of seclusion, and not the right of secrecy, there was no coverage.  Id.

The trial court agreed with the second argument and explained:

No coverage exists for “advertising injury,” as determined by the Third Circuit, this District Court, and the Pennsylvania courts which have so held because the type of privacy violation covered by insurance policies such as the Auto–Owners Policy—privacy interests in secrecy—are not violated by “junk” faxes.

* * *

In this case, Stevens & Ricci hired a third party to send out the faxes. Each court that concluded that privacy interests in secrecy are not violated by junk faxes holds that such violations are violative of the right of seclusion, even when it is alleged that a policyholder hired a third-party vendor, and the third-party vendor was responsible for sending the problematic faxes.  [Citations omitted.]  Accordingly, there is no coverage under the Auto–Owners Policy because the privacy interests in secrecy are not violated by the junk faxes sent out by Hymed.

Id. at *8-9.

In Addison Automatics, the insured was sued in a class action for violation of the TCPA, the Illinois Consumer Fraud Act and Deceptive Business Practices Act, and common law conversion following its involvement in a blast-faxing campaign.  The underlying action settled and the class pursued claims under assignment against the insured’s insurance carrier.  Addison Automatics, slip op., at 1, 3.

Two different policies were at issue, each containing a “Violation of Statutes That Govern E-Mails, Fax, Phone Calls or Other Methods of Sending Material or Information” exclusion.  Id. at 5, 7.  The exclusions barred coverage for claims “arising directly or indirectly out of any action or omission that violates or is alleged to violate . . . . the Telephone Consumer Protection Act.”  Id.  The claimants argued that the exclusions did not bar coverage because many of their claims did not involve the TCPA or any other statute that prohibited a method of sending material or information.   Id. at 14-15.  In particular, the claimants argued that because their conversion claims had nothing to do with any statute, the exclusions could not apply.  Id.

I encounter this argument often in the context that such exclusions do not apply to common law claims for invasion of privacy.  The argument has a fatal flaw – it ignores the “arising out of” language contained in the exclusion.  Here, the Addison Automatics court recognized that flaw.  Explaining that a court must focus upon the language of the policies, and not “peer[] myopically at the elements of” underlying causes of action, the court held that the exclusions barred coverage because the common law conversion claims involved injuries from conduct that violated the TCPA:

A close reading of the exclusionary provisions reveal that their focus is not on the legal elements of a particular claim asserted by the underlying plaintiff, but the factual cause of the “bodily injury” and “property damage” that is alleged in the underlying complaint.  So long as the injury and damage alleged in the operative complaint “arises directly or indirectly out of any action or omission that violates or is alleged to violate” the TCPA, the claims asserting the injury (whatever the particular legal theory may be) falls within the purview of the exclusions.  This is what the language of the exclusionary provisions require.

Id. at 14-15.

What Do These Cases Mean?  The real value in these cases is found in the reasoning behind the decisions.  Stevens & Ricci shows that “privacy” is more than a buzz word to guarantee coverage.  Some jurisdictions assign a limited meaning to the phrase “right of privacy” found in business and general liability policies, and a court should examine the factual allegations of an underlying complaint to ascertain exactly what privacy interests are implicated in the case.  Sometimes those interests are not covered.  In Addison Automatics, the court correctly focused on the broad language of the exclusions at issue and the underlying factual allegations, not the elements of the causes of action pleaded in the underlying complaint.

The reasoning in both of these cases can apply to coverage actions involving privacy rights, including ZIP code lawsuits, the collection and use of consumer data, unauthorized surveillance, and cyber/data breach cases.  Feel free to email me with any questions.

This entry was posted in Privacy Rights.