Author Archives: Joshua Mooney

Dude, Where’s My Car?


This entry was posted by on .

Here is a story almost as startling as the movie Dude, Where’s My Car? is bad.  According to news reports, millions of cars and trucks are vulnerable to hacking through wireless technologies that could jeopardize driver safety and privacy.  A congressional report, overseen by Sen. Ed Markey, D-Massachusetts, concludes that vehicles are vulnerable to hacking through wireless networks, smart phones, and “infotainment” systems like OnStar.

Sen. Markey cited studies showing that hackers can access controls of some vehicles, causing them to accelerate, turn, brake, sound the horn, control the headlights, and/or modify speedometer and gas gauge readings.   Also of note are additional concerns regarding information in navigation systems, which can record and send location or driving history information.  According to Sen. Markey, security measures used by automakers, such as identification codes and radio frequencies, can be identified and rewritten or bypassed. Read More

This entry was posted in Privacy Rights and tagged , .

Knowing The Knowing Violation Exclusion


This entry was posted by on .

The Knowing Violation of Rights of Another exclusion, found in Coverage B of most CGL policies, can be difficult to apply in the context of determining the duty to defend.  A recent decision issued by the United States Court of Appeals for the Eleventh Circuit, in Travelers Pro. Cas. Co. of America v. Kansas City Landsmen, — Fed. App’x –, 2015 WL 137816 (11th Cir. Jan. 12, 2015), provides a good example of why.

The case involved whether the insurer owed a duty to defend its insureds, car rental companies, against an underlying lawsuit alleging that the insureds willfully violated 15 U.S.C. §1681c(g)(1), a provision of the Fair and Accurate Credit Transaction Act (“FACTA”) that prohibits the printing of more than the last five digits of a credit card number or the expiration date on a receipt provided to the cardholder.  The underlying litigation, a putative class action, alleged that insured car rental companies had printed credit-card receipts that included more than the last five digits of the card number as well as the card’s expiration date, and accordingly, had “failed to protect” plaintiff and class members “against identity theft and credit card and debit card fraud.”  Id. at *2.  The action sought statutory and punitive damages under 15 U.S.C. §1681n(a), which imposes liability on “[a]ny person who willfully fails to comply with any requirement” of FACTA. Read More

This entry was posted in Uncategorized and tagged , .

Article III Standing: The First Wall of Defense In Security Data Breach Litigation


This entry was posted by on .

2014 witnessed a proliferation of cyber security data breaches and resulting data breach litigation.  Most class actions filed in the wake of a data breach assert injuries for increased risk of identity theft, fraudulent financial charges on credit cards, and costs incurred from having to enroll in third-party credit-monitoring services.  But realistically, not every data breach results in an injury.  Article III standing can be a significant defense for disposing security data breach claims in the relatively early stages of litigation.

Standing derives from Article III of the U.S. Constitution, which limits the powers of the federal judiciary to the resolution of “cases” and “controversies.”  U.S. Const. Art. III, §2.  To maintain a lawsuit, every plaintiff must plead and ultimately prove that he or she has suffered sufficient injury to satisfy the “case or controversy” requirement.  At the pleading stage, a plaintiff must allege: (1) an injury-in-fact that is concrete and particularized, as well as actual or imminent; (2) that the injury is fairly traceable to the challenged action of the defendant; and (3) that the injury can be remedied by a favorable ruling.  If the plaintiff cannot satisfy this criteria, the claim must be dismissed.  This article discusses some recent data breach decisions that address standing. Read More

This entry was posted in Uncategorized.

U.S. Treasury To Banks: Buy Cyber Insurance


This entry was posted by on .

Here’s a quick item of note, which ran in recent reports and is worth repeating.  Deputy Treasury Secretary Sarah Raskin, when speaking at conference of the Texas Bankers’ Association, advised that banks need to purchase cyber risk insurance – pointing to recent data breaches suffered by Target, Home Depot, and JP Morgan as evidence.  Raskin stated:

We have learned from these attacks that the prevalence of cyber risk creates a persistent and complex challenge for financial institutions spanning the sector, including financial institutions of all types and all sizes. Read More

This entry was posted in Data Breach Insurance Coverage and tagged .

Medical Records, The Internet, and A “Publication”


This entry was posted by on .

Last week, the federal District Court in Virginia issued a quasi security/data breach coverage case where the court concluded that making private medical records accessible online constituted a publication even though there was no evidence that a third party had accessed them.  Travelers Indem. Co. of Am. v. Portal Healthcare Solutions, LLC, No. 13-917, 2014 WL 3887797 (E.D. Va. Aug. 7, 2014).  The mere fact that the records were accessible satisfied the plain and ordinary meaning of the term “publication” to implicate the duty to defend.  What makes this decision noteworthy is how the Court distinguished the case before it from other decisions limiting the meaning of the term “publication.”  Given that many healthcare providers are introducing “online” services for medical records, brokers and underwriters also may want to take note of this decision. 

Portal Healthcare Solution (“Portal”) was a business specializing in the electronic safekeeping of medical records for hospitals, clinics, and other medical providers.  Id. at *1.  A New York putative class action was filed against it, alleging that Portal had failed to safeguard confidential medical records of patients at Glen Falls Hospital (“Glen Falls”), posting those records on the internet and causing them to become publicly accessible on the internet.  Id.  Two patients of Glen Falls discovered the breach when they ran a Google search of their names, and found links that directed them to their Glen Falls medical records.  Id. at *2.  (Honestly, how many of you are now going to Google your name?  I did.)  Read More

This entry was posted in Data Breach Insurance Coverage, Privacy Rights, Uncategorized and tagged .

Are “Right of Privacy” and “Person” Ambiguous? New York Weighs In


This entry was posted by on .

Last week, I vacationed in beautiful Cooperstown, NY, where I watched baseball in stadiums built to resemble early 20th century ballparks, visited the Baseball Hall of Fame, and enjoyed scenic views of the green Catskill Mountains.  Oh, and there’s the Ommegang brewery, too.  During that week, I was totally free of daily faxes promoting low-budget roof repairs, instant credit for business loans, and vacation hideaways in Cancun.  So, what a return to reality it was to see Tower National Ins. Co. v. National Business Capital, Inc., No. 155786/2012, 2014 WL 3728500 (N.Y. Supr. Ct. July 28, 2014), a case addressing the meaning of “right of privacy” in the context of blast faxes.  Thanks (or maybe not) to Roberta Anderson at K&L Gates for bringing this case to my attention as I returned back to the 21st century.

The underlying lawsuit was a putative class action seeking damages for National Business Capital’s (“NBC”) alleged blast faxing in violation of the TCPA and Connecticut’s version of the statute.  NBC sought coverage under its CGL policy for “personal and advertising injury” under “[o]ral or written publication, in any nature, of material that violates a person’s right of privacy.”  Id. at *1-2.  The issue was one of first impression in New York.  (NBC also contended that the underlying action alleged “property damage,” but the court held that the complaint did not allege an “occurrence” to implicate coverage under Coverage A.  Id. at *4.) Read More

This entry was posted in Privacy Rights, Uncategorized.

Text Messaging Is “Publication” That Violates “Right of Privacy,” but TCPA Exclusion Applies


This entry was posted by on .

Which ad campaign do you think cost Papa John’s more – Payton Manning and the giveaway of one million pizzas, or its text messaging?  Payton Manning probably came cheaper.  In National Fire Ins. Co. of Pitt., Pa. v. Papa John’s Int’l, Inc., 2014 WL 2993825 (W.D. Ky. July 3, 2014), the Kentucky federal court held that the Distribution of Material in Violation of a Statute (“DMVS”) exclusion barred coverage for a class action asserting damages for the text messaging.

What makes this decision notable is the court’s deliberation over the meanings of “publication” and “right of privacy” in general liability policies were issues of first impression under Kentucky law.  The decision can have a wide effect beyond the TCPA context, including with cyber liability and data breaches.  Also of interest, the court rejected arguments that the DMVS exclusion rendered Coverage B illusory. Read More

This entry was posted in Uncategorized.

Product Disparagement and The Duty To Defend: Swift Distribution Affirmed; Charlotte Russe Disapproved


This entry was posted by on .

June 13, 2014.  In the November 2, 2012 issue of The Coverage Inkwell, I discussed the California Court of Appeal decision in Hartford Cas. Ins. Co. v. Swift Distribution, Inc., 148 Cal. Rptr. 3d 679 (Cal. Ct. App. 2012), noting its importance because (1) it provided a reminder as to why claims of “passing off” should not constitute trade libel to implicate coverage under general liability policies, and (2) its sharp criticism of Travelers Prop. & Cas. Co. v. Charlotte Russe Holding, Inc., 144 Cal. Rptr. 3d 12 (Cal. Ct. App. 2012).  Charlotte Russe had held that allegations of placing fashionable apparel in a markdown display constituted trade disparagement to implicate a duty to defend.

Yesterday, the Supreme Court of California affirmed Swift Distribution and scaled back product disparagement claims for implicating a duty to defend under Coverage B of general liability policies.  Hartford Cas. Ins. Co. v. Swift Distribution, Inc., — P.3d –, 2014 WL 2609753 (Cal. June 12, 2014).  The decision also disapproves Charlotte Russe and should call into doubt other decisions that broadly construe trade libel and product disparagement to implicate a duty to defend in product knock-off and passing-off litigation. Read More

This entry was posted in Counterfeiting, Product Disparagement, Trade Libel and tagged , , , , , .

Coverage B: A Person Is Not a Company


This entry was posted by on .

Here’s an interesting question:  does “oral or written publication of material that violates a person’s right of privacy” include privacy rights of a corporation?  (And, yes, some courts believe that business have rights of privacy, including the right of seclusion.  E.g., Park Univ. Enters., Inc. v. Am. Cas. Co. of Reading, Pa., 442 F.3d 1239, 1247 (10th Cir. 2006); Owners Ins. Co. v. European Auto Works, Inc., 2011 WL 3847469, at *3 (D. Minn. Aug. 30, 2011).)

This is not a mere “if a tree falls in the woods…” type of question, for the answer can have a significant impact on litigation as rights of privacy claims become more boilerplate, whether in the context of cyber liability, claims of unlawful collection of PII, or media/mass marketing lawsuits.  This week, in Sportsfield Specialties, Inc. v. Twin City Fire Ins. Co., — N.Y.S.2d –, 2014 WL 1491514 (N.Y.A.D., 3d Dep’t Apr. 17, 2014), the New York Appellate Division addressed the issue as a matter of first impression, holding that “oral or written publication of material that violates a person’s right of privacy” in a general liability policy does not include a corporation’s right of privacy.  The court reasoned its decision on the wording of the definition for “personal and advertising injury.” Read More

This entry was posted in Privacy Rights and tagged , .

Three Missed Takeaways From the Sony Data Breach Case


This entry was posted by on .

In Zurich Amer. Ins. Co. v. Sony Corp., Index No. 651982/2011 (N.Y. Supr. Ct. Feb. 21, 2014), the New York trial court held that Sony Corporation was not entitled to insurance coverage under general liability policies for the multitude of data breach lawsuits filed against it in connection with the Sony’s PlayStation data breach.  The Court reasoned that because none of the lawsuits alleged that Sony had been the entity publishing material, the lawsuits did not allege “oral or written publication, in any manner, of material that violates a person’s right of privacy” to satisfy the definition for “personal and advertising injury” under Coverage B of the policies.

Plenty has been written about this holding.  However, comparably little attention has been given to other conclusions rendered by the Court in its decision.  Arguably, given Sony’s notoriety, and the forthcoming ISO data breach exclusions for general liability policies, these other holdings could have a broader and more long-lasting impact in privacy litigation than the main holding that has caused such an uproar. Read More

This entry was posted in Data Breach Insurance Coverage and tagged , , .