Category Archives: Data Breach Insurance Coverage

PENNSYLVANIA COURT REFUSES TO IMPOSE NEW DUTY ON EMPLOYERS TO PROTECT PII FROM DATA BREACHES


A common allegation in cyber security data breach litigation is that the data breach victim breached its duty of care by failing to adequately protect plaintiffs’ personal identification information (“PII”) from a data breach.  Very recently, the Pennsylvania Court of Common Pleas of Allegheny County in Dutton v. UPMC, No. GD-14-003285 (May 28, 2015), dismissed such a claim, refusing requests to create a new duty of care on an employer who suffered a data breach resulting in the compromise of its employees’ PII.  In so holding, the court reasoned that to create such a duty would place too heavy a burden on corporate entities already incentivized to protect PII.  It also would inundate the judiciary with a flood of litigation.  The court instead looked to the state legislature to determine whether to impose this obligation.

In the case, the plaintiffs filed a putative class action on behalf of current and former employees of the University of Pittsburgh Medical Center (“UPMC”) whose PII had been stolen from UPMC’s computer systems.  Plaintiffs alleged that UPMC owed a duty to protect their PII and had breached that duty under theories of negligence and breach of contract.  Dutton v. UPMC, No. GD-14-003285, slip op., at 1-2.  Duties allegedly owed by UPMC included:

  • The duty to design, maintain, and test its security systems to protect against data breaches;
  • The duty to implement processes to detect security breaches “in a timely manner”;
  • The duty “to adopt, implement, and maintain adequate security measures”; and
  • The duty to satisfy “widespread industry standards relating to data security.”

Id. at 2-3.

Addressing the negligence claim first, the court concluded that because the alleged damages were economic only, under the economic loss doctrine, no cause of action based on negligence could exist.  Id. at 4.  Therefore, the claim was dismissed.  (The court also dismissed the breach of contract claim based on the lack of evidence that a contract existed, id. at 11-12, but the court’s discussion of the negligence claim is where the really interesting read is found.)

To save their case, Plaintiffs contended that a special duty should be imposed upon UPMC to protect employees’ PII.  Id. at 5.  The court refused to do so, concluding that to impose such a duty as a means to combat the widespread problem of data breaches could overwhelm the judiciary and ill serve the public interest:

Plaintiffs’ proposed solution is the creation of a private negligence cause of action to recover actual damages, including damages for increased risks, upon a showing that the plaintiffs’ confidential information was made available to third persons through a data breach.

The public interest is not furthered by this proposed solution.  Data breaches are widespread. They frequently occur because of sophisticated criminal activity of third persons.  There is not a safe harbor for entities storing confidential information.  The creation of a private cause of action could result within Pennsylvania alone of the filing each year of possibly hundreds of thousands of lawsuits by persons whose confidential information may be in the hands of third persons.  Clearly, the judicial system is not equipped to handle this increased caseload of negligence actions.  Courts will not adopt a proposed solution that will overwhelm Pennsylvania’s judicial system.

Id. at 6.

The court also expressed concern over the lack of consensus standards for defining “adequate” security.  Id.  Litigation and “expert” testimony, the court observed, “is not a viable method for resolving the difficult issue of the minimum requirements of care that should be imposed in data breach litigation, assuming that any minimum requirements should be imposed.”  Id.  The court also worried that creating a new duty could place too heavy a burden on companies already incentivized to combat data breaches:

Under plaintiffs’ proposed solution, in Pennsylvania alone, perhaps hundreds of profit and nonprofit entities would be required to expend substantial resources responding to the resulting lawsuits.  These entities are victims of the same criminal activity as the plaintiffs.  The courts should not, without guidance from the Legislature, create a body of law that does not allow entities that are victims of criminal activity to get on with their businesses.

Id. at 6-7.

Finally, the court concluded that the issue was best left to the legislative branch, not a single jurist:

I cannot say with reasonable certainty that the best interests of society would be served through the recognition of new affirmative duties of care imposing liability on health care providers and other entities electronically storing confidential information, the financial impact of which could even put these entities out of business.  Entities storing confidential information already have an incentive to protect confidential information because any breach will affect their operations. An “improved” system for storing confidential information will not necessarily prevent a breach of the system.  These entities are also victims of criminal activity.

It is appropriate for courts to consider the creation of a new duty where what the court is considering is sufficiently narrow that it is not on the radar screen of the Legislature. . . . However, where the Legislature is already considering what courts are being asked to consider, in the absence of constitutional issues, courts must defer to the Legislature.

Id. at 7-8.

Because “[t]he only duty that the General Assembly has chosen to impose as of today is notification of a data breach,” the court concluded that it should not create a new, additional duty on employers.  Id. at 10.  Quoting from the Illinois Court of Appeals in Cooney v. Chicago Pub. Sch., 934 N.E.2d 23, 28-29 (Ill. Ct. App. 2010), the court stated:

While we do not minimize the importance of protecting this information, we do not believe that the creation of a new legal duty beyond legislative requirements already in place is part of our role on appellate review.  As noted, the legislature has specifically addressed the issue and only required the [defendant] to provide notice of the disclosure.

Id. at 10 (emphasis in original).

Thus, according to the Pennsylvania Court of Common Pleas, Allegheny County, the ball is in the court of the Pennsylvania General Assembly to determine whether the duty to protect employees’ PII from data breaches should be placed on employers.

What this case means.  Where should the responsibility (burden?) of protecting personal identification information from data breaches lie, and what are the standards by which to measure compliance with that responsibility?  These are straightforward questions that Judge Wettick asked, and he found no definitive answers sufficient to convince him to recognize a legal duty assigning the responsibility of protecting employee PII to employers.

Should the Pennsylvania General Assembly enact legislation creating an affirmative duty on employers to protect employees’ PII from data breaches, the duty would be state-specific, much like current data breach notification standards across the country.  Other jurisdictions may address the issue differently.  Courts in other states, for instance, may recognize a duty on employers outright instead of deferring to the legislative branch, or may recognize a duty on employers to protect PII as an inherent component of a preexisting statute.  This area of law continues to develop rapidly.

I’d like to thank Laura Schmidt, an associate at White and Williams, for her invaluable assistance with this piece.

This entry was posted in Data Breach Insurance Coverage, Privacy Rights.

IN IBM DATA BREACH CASE, THERE CAN BE NO PUBLICATION WITHOUT ACCESS


In Recall Total Info. Management, Inc. v. Federal Ins. Co., No. SC 19291, the Connecticut Supreme Court upheld the appellate court’s decision that a data breach suffered by IBM was not covered under general liability policies’ “personal and advertising injury” coverage.

In that case, Recall Total had contracted with IBM to transport off-site and store computer tapes containing the encrypted personal information of current and former IBM employees.  Recall then subcontracted the transportation services to Ex Log.  Ex Log lost the computer tapes when they fell from Ex Log’s truck onto the roadside and were retrieved by an unknown individual.  Importantly, there was no evidence that anyone ever accessed the information on the tapes or that their loss caused injury to any IBM employee.  Nevertheless, IBM spent significant sums of money providing identity theft services and complying with state notification requirements.  IBM sought to recoup its losses from Recall Total and Ex Log.

Recall Total and Ex Log, in turn, sought recovery from their general liability insurers, which had issued general liability policies providing “personal and advertising injury” coverage.  “Personal and advertising injury” was defined in part as “injury . . . caused by an offense of . . . electronic, oral, written or other publication of material that . . . violates a person’s right of privacy.”  The trial court held that coverage was not implicated by the events, and the appellate court affirmed, see 83 A.3d 664 (Ct. App. Ct. 2014).

The Connecticut Supreme Court affirmed on the basis that there was no alleged “publication.”  In doing so, the court adopted in whole the appellate court’s decision, stating:

Because the Appellate Court’s well reasoned opinion fully addresses the certified issue, it would serve no purpose for us to repeat the discussion contained therein.  We therefore adopt the Appellate Court’s opinion as the proper statement of the issue and the applicable law concerning that issue.

Some may recall that, because there was no evidence that the IBM employees’ PII had been accessed, the appellate court declined to expound upon the meaning of “publication.”  Instead, the court concluded that without access to the information, there was no “publication” under any definition of the term:

Regardless of the precise definition of publication, we believe that access is a necessary prerequisite to the communication or disclosure of personal information. In this regard, the plaintiffs have failed to provide a factual basis that the information on the tapes was ever accessed by anyone.

See 83 A.3d at 672-73.

Further bolstering the court’s conclusion was the fact that the parties had stipulated that none of the IBM employees affected had been injured.  The court stated: “Moreover, because the parties stipulated that none of the IBM employees have suffered injury as a result of the tapes being lost, we are unable to infer that there has been a publication.”  Id. at 673.  (See also The Coverage Inkwell, 1/16/2014.)

Finally, the Connecticut Supreme Court’s holding also affirms the appellate court’s decision that costs incurred from complying with data breach notification statutes do not implicate “personal and advertising injury” coverage.

What this case means: It is very simple.  If there is no evidence of access to, or capability of access to, the information, there is no publication.  This decision will be especially significant in the factual context of lost or stolen laptops that contain encrypted corporate data and PII.


SONY DATA BREACH COVERAGE LITIGATION SETTLES


As reported in news outlets, including Law360, Sony and its insurers have settled their data breach coverage litigation, two months after the New York appellate division heard oral argument.

Sony had sought coverage for numerous data breach class action lawsuits filed against it following the 2011 data breach of its PlayStation Network.  Its general liability policies provided personal and advertising injury coverage for oral or written publication, in any manner, of material that violates a person’s right to privacy.  The trial court held that the insurers had no duty to defend because coverage applied only to violations of privacy committed by Sony, as the policyholder, and not by third parties who hacked into Sony’s network and stole personally identifiable information (“PII”).

The decision had other important aspects, often overlooked.  Analogizing the issue to the opening of Pandora’s Box, the trial court held that the mere accessing of information by the hackers constituted a “publication” under general liability policies.  The trial court also held that the phrase “in any manner” does not alter the meaning of the term “publication.”  Finally, the court held that in order for the “Insureds in Media and Internet Type of Business” exclusion to apply, the insured in question must solely be a content or service provider and not engage in other forms of business.  Here, because Sony engaged in other forms of business, the exclusion did not apply.

A more detailed discussion of the Sony decision may be found in an earlier Coverage Inkwell post located at: http://thecoverageinkwell.com/three-missed-takeaways-from-the-sony-data-breach-case/

My take is that the effect of the Sony settlement will be measured.  For one thing, looking long term, the new personal data exclusions in CGL policies should shut the door on data breach coverage, to the extent it ever existed in the first place.  Second, Sony is a trial court decision without a written opinion, and the market already is shifting to cyber insurance.

Sony’s true legacy lies in the case’s publicity.  Sony showed that companies cannot look to general liability policies to cover data breaches.  They need to get cyber insurance.  The case was a Super Bowl ad for cyber liability insurance.  That, and perhaps Target, showed companies that they have to get it.

Looking back, people will see Sony as the first big data breach coverage case.  It won’t be the last.


U.S. Treasury To Banks: Buy Cyber Insurance


Here’s a quick item of note, which ran in recent reports and is worth repeating.  Deputy Treasury Secretary Sarah Raskin, speaking at a conference of the Texas Bankers’ Association, advised that banks need to purchase cyber risk insurance, pointing to recent data breaches suffered by Target, Home Depot, and JP Morgan as evidence.  Raskin stated:

We have learned from these attacks that the prevalence of cyber risk creates a persistent and complex challenge for financial institutions spanning the sector, including financial institutions of all types and all sizes.

Raskin further stated in a prepared statement that “I have been asking our insurance and cyber experts at Treasury to think about how to encourage an environment where market forces create insurance products that enhance cyber security for businesses.”  “Ideally, we can imagine the growth of the cyber insurance market as a mechanism that bolsters cyber hygiene for banks across the board.”

A link to Deputy Secretary Raskin’s prepared remarks is here: http://www.treasury.gov/press-center/press-releases/Pages/jl9711.aspx


Medical Records, The Internet, and A “Publication”


Last week, the federal District Court in Virginia decided a quasi-security/data breach coverage case in which the court concluded that making private medical records accessible online constituted a publication even though there was no evidence that a third party had accessed them.  Travelers Indem. Co. of Am. v. Portal Healthcare Solutions, LLC, No. 13-917, 2014 WL 3887797 (E.D. Va. Aug. 7, 2014).  The mere fact that the records were accessible satisfied the plain and ordinary meaning of the term “publication” and implicated the duty to defend.  What makes this decision noteworthy is how the Court distinguished the case before it from other decisions limiting the meaning of the term “publication.”  Given that many healthcare providers are introducing “online” services for medical records, brokers and underwriters also may want to take note of this decision.

Portal Healthcare Solutions (“Portal”) was a business specializing in the electronic safekeeping of medical records for hospitals, clinics, and other medical providers.  Id. at *1.  A New York putative class action was filed against it, alleging that Portal had failed to safeguard confidential medical records of patients at Glen Falls Hospital (“Glen Falls”), posting those records on the internet and causing them to become publicly accessible.  Id.  Two patients of Glen Falls discovered the breach when they ran a Google search of their names and found links that directed them to their Glen Falls medical records.  Id. at *2.  (Honestly, how many of you are now going to Google your name?  I did.)

Travelers issued two policies, each having slightly different language.  One provided coverage for damages because of injury arising from (1) the “electronic publication of material that … gives unreasonable publicity to a person’s private life”; the other provided coverage for injury arising from the “electronic publication of material that … discloses information about a person’s private life.”  Id. at *1.

Because the term “publication” was undefined in the policies, the court looked to dictionary definitions to ascertain its “plain and ordinary meaning.”  Id. at *4.  The Court concluded that the meaning of “publication” includes “to place before the public (as through a mass medium).”  Id.  The Court thereafter held that making the medical records accessible satisfied this meaning:

Exposing medical records to the online searching of a patient’s name, followed by a click on the first result, at least “potentially or arguably” places those records before the public.  Any member of the public could retrieve the records of a Glen Falls patient, whether he or she was actively seeking those records or searching a patient’s name for other purposes, like a background check.  Because medical records were placed before the public, the Court finds that Portal’s conduct falls within the plain meaning of “publication.”

Id. at *4.

The Insurer argued that there was no “publication” because there was no evidence that a third party had accessed or viewed the medical records at issue.  Instead, the only evidence that existed was that the claimants themselves had accessed their own medical records.  Id.  The Court disagreed, analogizing the situation to displaying a book at Barnes & Noble:

Publication occurs when information is “placed before the public,” not when a member of the public reads the information placed before it.  By Travelers’ logic, a book that is bound and placed on the shelves of Barnes & Noble is not “published” until a customer takes the book off the shelf and reads it.  Travelers’ understanding of the term “publication” does not comport with the term’s plain meaning, and the medical records were published the moment they became accessible to the public via an online search.

Id. at *5 (emphasis added).

The Court also distinguished the case before it from others.  Creative Hospitality Ventures, Inc. v. U.S. Liab. Ins. Co., 444 Fed. App’x 370 (11th Cir. 2011) and Whole Enchilada, Inc. v. Travelers Prop. Cas. Co. of Am., 581 F. Supp. 2d 677 (W.D. Pa. 2008) were distinguishable because there the information had been directly disclosed to a single person.  In contrast, in the case before it, “the medical records were given not only to the patients but to anyone with a computer and internet access.”  Id.

Recall Total Info. Mgmt., Inc. v. Federal Ins. Co., 83 A.3d 664 (Conn. Ct. App. 2013) was distinguishable because in the case before it, “the information was posted on the internet and thus, was given not just to a single thief but to anyone with a computer and internet access.”  Id.  (As an aside, and as discussed in a prior issue of The Coverage Inkwell, the court in Recall Total also emphasized that there was no evidence that anyone had the ability to access the information on the lost media tapes, a very different factual scenario from the one presented in Portal Healthcare.)

What this case means.  Placing information online constitutes a “publication,” whether or not there are assertions that a third party accessed the information.  “Publication occurs when information is ‘placed before the public,’ not when a member of the public reads the information placed before it.”  Admittedly, it is hard to argue against the point, and other courts likely will reach similar conclusions.  In my opinion, the real value of this decision is how the Court distinguished this case from other decisions that had held there was no publication, without criticizing those decisions or calling them into question.

Questions are welcome.


Three Missed Takeaways from the Sony Data Breach Case


In Zurich Amer. Ins. Co. v. Sony Corp., Index No. 651982/2011 (N.Y. Supr. Ct. Feb. 21, 2014), the New York trial court held that Sony Corporation was not entitled to insurance coverage under general liability policies for the multitude of data breach lawsuits filed against it in connection with Sony’s PlayStation data breach.  The Court reasoned that because none of the lawsuits alleged that Sony had been the entity publishing material, the lawsuits did not allege “oral or written publication, in any manner, of material that violates a person’s right of privacy” so as to satisfy the definition of “personal and advertising injury” under Coverage B of the policies.

Plenty has been written about this holding.  However, comparably little attention has been given to other conclusions rendered by the Court in its decision.  Arguably, given Sony’s notoriety, and the forthcoming ISO data breach exclusions for general liability policies, these other holdings could have a broader and more long-lasting impact in privacy litigation than the main holding that has caused such an uproar.

The 82-page transcript for the Sony hearing provides critical detail and insight into the Court’s decision.  (The Court did not issue a written opinion.)  Given that the trial court’s decision has been appealed, and amicus briefs are likely, these other holdings should not be overlooked.  They are:  (1) the phrase “in any manner” does not alter the meaning of the term “publication”; (2) analogizing the issue to Greek mythology, the Court held that the underlying data breach lawsuits alleged a “publication”; and (3) for the Insureds in Media and Internet Type of Business exclusion to apply, the excluded business must be the insured’s sole business.  The first decision is similar to that rendered by the Eleventh Circuit in Creative Hospitality Ventures, Inc. v. U.S. Liab. Ins. Co., 444 Fed. App’x 370 (11th Cir. 2011).  The two other decisions are extraordinary.

The Meaning of “In Any Manner”.  Policyholders frequently argue that the phrase “publication, in any manner, of material” means any type of dissemination of material, whatsoever; whether the dissemination be a distribution to the public at large, a discrete disclosure to a third party, or even the mere recording or collecting of material.

Sony advanced the same argument, but with a twist.  Sony asserted that the phrase “in any manner” meant any type of dissemination by anyone – i.e., that the insured itself need not be the one publishing the material at issue in order to implicate “personal and advertising injury” coverage under the defined offense “oral or written publication, in any manner, of material that violates a person’s right of privacy.”  Sony contended that the phrase “in any manner” changed the meaning of the word publication:  “They [the insurers] could have said oral or written publication in any media.  It says, in any manner.”  (Tr., p. 63.)

The Court disagreed, concluding that the phrase does not modify the meaning of the term “publication.”  Instead, it merely expands upon the methods of publication to include electronic means:

In any manner, as Zurich’s counsel pointed out, means oral or written publication in any manner.  It is the medium.  It is the kind of way it is being publicized.  It’s either by fax, it is either by e-mail, either by so forth.  But, it doesn’t define who actually sends that kind of publication.

(Tr., p. 78.)

This decision is the same as that rendered by the Eleventh Circuit in Creative Hospitality Ventures, supra, where the court held that the phrase “in any manner” did not render the term “publication” ambiguous.  According to the court, the phrase “merely expands the categories of publication (such as e-mail, handwritten letters, and, perhaps ‘blast-faxes’) covered by the Policy.  But the phrase cannot change the plain meaning of the underlying term ‘publication.’”  Id. at 376 (emphasis added).  Notably, this understanding is also consistent with ISO filings explaining that the phrase was intended to make the term publication also cover electronic publications.  See Commercial General Liability, Forms Filing GL-2000-OMF00.  Thus, the New York court’s decision in Sony is consistent with other authority.

What is a “Publication”?  The meaning of the term “publication,” and whether an underlying action alleges one, is a commonly litigated issue.  Part of the problem is that the criteria for defining “publication” are different for different causes of action.  For instance, a “publication” for an invasion of privacy claim requires dissemination of information either to the public at large or to so many persons that it is substantially certain that the information will become public knowledge.  E.g., Restatement (Second) of Torts, § 652D, comment a.  A “publication” for a defamation claim, on the other hand, requires only disclosure to a single third party.  Id. at § 577.

Some courts stick to the meaning of “publication” in an invasion of privacy claim.  Whole Enchilada Inc. v. Travelers Prop. Cas. Co. of Am., 581 F. Supp. 2d 677, 697 (W.D. Pa. 2008).  Although the offense “oral or written publication, in any manner, of material that violates a person’s right of privacy,” on its face, addresses an invasion of privacy claim, other courts interpret “publication” under a defamation standard.  Park Univ. Enters., Inc. v. Am Cas. Co. of Reading, 442 F.3d 1239 (10th Cir. 2006).  Some courts go so far as to eschew a disclosure requirement altogether.  Encore Receivable Mgmt., Inc. v. ACE Prop. & Cas. Ins. Co., 2013 WL 3354571 (S.D. Ohio July 3, 2013) (mere recording constituted publication).

In Sony, the Court went One Step Beyond.  Analogizing the issue to Pandora’s Box, the Court held that once the hackers broke into Sony’s network, there was a publication.  It mattered not that none of the lawsuits alleged the hackers actually had “published” the information that was stolen:

[MR. COUGHLIN]  But, there is no allegation that the hackers themselves published anything.

THE COURT:  That is getting into real subtleties. Because, I look at this as a Pandora’s box.  Once it is opened, it doesn’t matter who does what with it.  It is out there.  It is out there in the world, that information.  And whether or not it’s actually used later on to get any benefit by the hackers, that in my mind is not the issue.  The issue is that it was in their vault.

(Tr., p. 42.)

According to the New York Court, “[w]hen you open up the box, it’s the Pandora’s box.  Everything comes out.”  (Id.)  The Court later reiterated its reasoning in its conclusions:

So that in the box, [the information] is safe and it is secured.  Once it is opened, it comes out.  And this is where I believe that’s where the publication comes in.  It’s been opened.  It comes out.  It doesn’t matter if it has to be oral or written.

(Tr., pp. 76-77.)

Notably, another recent data breach insurance decision held differently.  In Recall Total Info. Management, Inc. v. Federal Ins. Co., 83 A.3d 664, 666-67 (Conn. App. Ct. 2014), the Appellate Court of Connecticut held that without proof of access, stolen data could not be considered published no matter the meaning of the term.

Insureds in Media and Internet Type of Business Exclusion.  The exclusion, which may be found in Coverage B of general liability policy forms, prohibits coverage for “personal and advertising injury” committed by an insured whose business is “an internet search, access, content or service provider.”  Generally, the exclusion applies when the insured’s principal business falls within one of the exclusion’s enumerated industries.  State Auto Prop. & Cas. Ins. Co. v. Travelers Indem. Co. of Am., 343 F.3d 249, 261 (4th Cir. 2003); Penn Nat’l Ins. Co. v. Group C Communications, Inc., 2011 WL 3241491, at *6-7 (N.J. Super. Ct. A.D., Aug. 1, 2011).

The insurers in Sony argued that because Sony provided content through its PlayStation Network, such as gaming content and access to Hulu and Netflix, Sony is a content and/or service provider and, therefore, the exclusion applied.  (Tr., pp. 14, 17.)  Noting that Sony engages in additional activities and services, the Court concluded that Sony is a “hybrid,” something that Zurich conceded:

It sounds like they [Sony defendants] do more than being an internet search, or access, or content or service provider.  They are sort of a hybrid.  They do a lot of things.

MR. COUGHLIN:  They certainly do, your Honor.

(Tr., p. 16.)

This concession may have been fatal to Zurich’s argument.  The Court ultimately reached the conclusion that Sony’s additional business activities, which made it a “hybrid,” precluded application of the exclusion.  When Zurich argued that Sony’s additional activities did not preclude the exclusion, because Sony principally was a content or service provider, the Court rejected the notion:

MR. COUGHLIN:  And the case law says it doesn’t have to be the only business.  It has to be a principal business.

THE COURT:  That’s not what this says.  That is not what your policy said.

* * *

So that when you talk about that I would like you to point out in paragraph 3 [of the exclusion addressing content and service providers] where you get that principal language.  I looked at that policy.  I didn’t see it.

(Tr., p. 17.)

According to the Court, an insured must solely be a content or service provider in order for the exclusion to apply:

MR. COUGHLIN:  That’s correct.  This on-line platform, Judge.  So, that on-line platform, which is without doubt from their own witness a significant part of their business.  Not the exclusive.  We have never said that.  But, to say that unless it is the only part of their business the exclusion should not apply, I think, misreads the intent of the words.

THE COURT:  No.  That’s not misreading the intent of the words.  That is just reading it on face value what the words say.  Because, there are issues in terms of these policies here.  And what you’re asking me to do is you’re asking me to read this, these straight forward words, unambiguous words.  You’re asking me to read this you way of saying that, well, it doesn’t mean that’s exclusively what they have to do, but principally what they have to do.  There is no such wording in here that says, either principally or exclusively.  But you’re asking me to read this that way.

(Tr., pp. 19-20.)  But, by deciding not “to read it this way,” the Sony court read the exclusion in an entirely different way.

What does this case mean? Sony is significant because of its notoriety and because it is among the first data breach insurance coverage decisions.  Because of this, the Court’s holdings on “in any manner” and “publication” could have extraordinary effect on privacy-rights coverage if an intermediate appellate court or, ultimately, the New York Court of Appeals affirms them.  The Court’s interpretation of “in any manner” can be another nail in the coffin for the argument that the phrase alters the meaning of “publication.”  The Court’s broad interpretation of “publication,” meanwhile, can have a broad and unintended effect in the context of other invasion of privacy claims.  The Court’s interpretation of the Insureds in Media and Internet Type of Business exclusion may limit the provision in other contexts.

In other cases, these decisions would have garnered considerable attention; yet very little attention has been given to them here.  To be fair, that may largely be the result of the fact that there is no written opinion.  However, the uproar over the Sony court’s finding of no coverage undoubtedly helped overshadow them.  The New York trial court announced that it was issuing a ruling from the bench in lieu of a written opinion because the case was “important enough that it needs to seek Appellate review as quickly as possible.”  There will be another day to argue.  Hopefully, these additional decisions will not be lost in the mix.

This entry was posted in Data Breach Insurance Coverage.

Sony Data Breach: No Publication By Sony, No Coverage

Today, as reported by Law360, the New York Supreme Court (New York’s trial court) held that two insurers have no duty to defend Sony Corporation in approximately 60 underlying lawsuits filed in connection with the 2011 data breach of Sony’s PlayStation Network.  There is no written opinion available.

Following oral arguments, Judge Oing ruled from the bench that Sony’s liability policies, which provide personal and advertising injury coverage for oral or written publication of material that violates a person’s right to privacy, apply only to publication by Sony, as the policyholder, and not to the actions of third parties who hacked into the network and stole personally identifiable information (PII).

Sony argued that the policies contained no language excluding coverage on the basis that the policyholder itself was not the entity accused of disseminating or publishing the material at issue.  Zurich, on the other hand, argued that because there were no allegations that Sony disseminated the stolen PII, there was no “publication” of material to implicate coverage.  As quoted in Law360, Zurich distinguished the authorities cited by Sony, stating that “[i]n every case cited by Sony in support of the proposition that negligent security equals publication, the conduct has been by the insured.”

What does this case mean?  Further analysis will be provided as more information on the New York court’s holding becomes available.  If the existence of coverage is to be demarcated by whether or not the policyholder itself published the lost or stolen information, most data breach lawsuits will fall outside the scope of personal and advertising injury coverage.

The holding does have some similarities with two other recent data breach cases, Recall Total Info. Management, Inc. v. Fed. Ins. Co., — A.3d —, 2014 WL 43529 (Conn. App. Ct. Jan. 14, 2014), and Galaria v. Nationwide Mut. Ins. Co., No. 13-118 (S.D. Ohio Feb. 10, 2014), each of which essentially held that the theft or loss of information, in and of itself, does not constitute a publication.

This entry was posted in Data Breach Insurance Coverage.

Data Breach Lawsuits Don’t Allege Viable Invasion Of Privacy Claim

Last week, The Coverage Inkwell discussed a new data breach case, Galaria v. Nationwide Mut. Ins. Co., No. 13-118 (S.D. Ohio Feb. 10, 2014), in which an Ohio federal court held that a slew of allegations in two putative class action lawsuits, including increased risk of identity theft, and out-of-pocket credit monitoring expenses, did not constitute an injury for purposes of standing.  The court also addressed whether the lawsuits alleged viable claims of the tort of invasion of privacy.  This latter issue is now addressed here.

In Galaria, Nationwide Mutual Insurance Company was sued in two putative class actions after it notified class members that data thieves had hacked into its computer systems and stolen class members’ personally identifiable information (PII).  (Id. at 2-3.)  In its notification letter, Nationwide suggested that plaintiffs undertake steps to safeguard their PII, including monitoring their credit reports and bank statements, and it offered them one year of free credit monitoring and identity theft protection through Equifax.  (Id. at 2.)  Nationwide also suggested that plaintiffs place a freeze on their credit reports at their own expense.  (Id.)

Nationwide moved to dismiss the lawsuits on various grounds, including that the lawsuits did not allege a viable claim for invasion of privacy.  In general, the claim of invasion of privacy comprises four separate and distinct torts.  Publicity given to private life and intrusion upon seclusion are the torts most commonly implicated in a data breach claim.  Publicity given to private life involves the right of secrecy and occurs when private facts are published, their publication would be highly offensive, and the facts are not of legitimate public concern.  Intrusion upon seclusion involves a person’s right to be left alone, including freedom from investigation of private affairs.  Intrusion upon seclusion has no publication component or requirement.

In Galaria, Nationwide contended that the lawsuits’ invasion of privacy claims failed because there were no allegations that Nationwide had publicly disclosed the PII in question.  (Id. at 27.)  Specifically, Nationwide argued that because the complaint acknowledged that the PII had been stolen, the complaint necessarily acknowledged that Nationwide took no action to publicize the PII, as would be required to prove liability under the tort.  (Id. at 28.)  Nationwide also argued that the complaint failed to allege that the PII had reached the public at large, or that the PII was substantially certain to become public knowledge, as required to meet the tort’s publication requirement.  (Id. at 27-28.)

Plaintiffs countered that the tort of publication of private facts does not require publication to the public at large, contending that the inquiry focuses on the type of information disclosed rather than the number of individuals who obtain the information.  (Id. at 29.)  In the alternative, plaintiffs argued that the lawsuits alleged intrusion upon seclusion, which does not require publication.  (Id.)

The Court disagreed with plaintiffs and concluded that the lawsuits did not allege a viable invasion of privacy claim, for two reasons.  First, because the complaint failed to allege that Nationwide had taken any action to disseminate the information, Nationwide could not be held liable on an invasion of privacy claim as a matter of law:

First, there is no allegation in the Complaint that Defendant disclosed Named Plaintiffs’ private affairs.  While the Complaint alleges Defendant disseminated Named Plaintiffs’ PII, that allegation is conclusory.  There are no factual allegations in the Complaint to make plausible the allegation that Defendant disseminated Named Plaintiffs’ PII.  Rather, the Complaint alleges the PII was stolen from Defendant, not that Defendant disseminated it to anyone.

(Id. at 29.)

Second, the Court held that the complaint failed to allege a sufficient dissemination of the information to the public at large to satisfy the publication requirements of the tort:

The Complaint fails to allege publicity.  It alleges the PII is in the hands of the hacker(s), not the general public.  Specifically, the Complaint alleges that “the criminal(s) and/or their customers now have Plaintiffs and the other Class Members’ compromised PII,” Compl. ¶ 19, ECF No. 1.  The Complaint thus fails to allege how many hackers ever had the PII and whether the hacker(s) sold the PII to anyone, let alone to how many people the hacker(s) sold the PII.  Therefore, the allegation that the data breach “resulted in the theft and wrongful dissemination of Plaintiffs and the other Class Members’ PII into the public domain,” Id. at ¶ 55, is conclusory in that Named Plaintiffs allege no facts to make plausible the assertion that Named Plaintiffs’ PII is in the public domain.

(Id. at 30.)

Notably, the Court did not address the intrusion upon seclusion argument.  This may be an oversight.  However, based on the Court’s analysis, my take is that the Court would have rejected the argument because there were no allegations that plaintiffs’ seclusion had been breached, or that Nationwide was the one doing the “intruding.”

What does this case mean?  Most data breach lawsuits allege common law invasion of privacy as a throw-in, boilerplate claim.  This case highlights an important wrinkle that makes such claims susceptible to early dismissal.  The tort of publicity given to private life requires that the defendant disseminate information to the public at large.  However, few, if any, data breach lawsuits allege that the corporate defendant suffering the breach itself disseminated anything, or that the information reached the public.  A fundamental premise of the Galaria court’s holding is that theft is not a dissemination of information (1) by the defendant (2) to the public at large.  Thus, these lawsuits may not satisfy the tort’s prima facie requirements.  Similar analysis should apply to an intrusion upon seclusion claim.

When rendering its decision, the Court also correctly focused on the type of dissemination alleged (or not alleged), rather than on the nature of the information at issue.  The Galaria plaintiffs’ argument that a court’s publication inquiry should focus on the type of information disclosed rather than the number of individuals who obtained it is a common refrain of claimants in both defense and insurance coverage contexts.  But a determination of the meaning of “publication” should be independent of the nature of the information at issue, whether that information be ZIP codes, social security numbers, internet cookies, or anything else.

Finally, Galaria also highlights a decision in which a court rejected conclusory assertions as a substitute for factual allegations.  That’s a good thing.  Too often, conclusory assertions completely divorced from the context of the factual allegations are asserted for the mere purpose of surviving early dismissal motions and/or in the hope of hooking insurance coverage.

Questions and comments are welcome.

This entry was posted in Data Breach Insurance Coverage.

Attention Shoppers: Increased Risk Of Identity Theft From A Data Breach Is Not An Injury

A new data breach decision has just come out, Galaria v. Nationwide Mut. Ins. Co., No. 13-118 (S.D. Ohio Feb. 10, 2014).  The decision, a copy of which is attached, involves two putative class action lawsuits alleging increased risk of identity theft as a result of a data breach and theft of personally identifiable information (“PII”).  The issues addressed by the Court are whether such claims allege an injury, and whether they allege a viable claim for invasion of privacy.

Both issues are critical in data breach claims.  Because the space afforded here is limited, The Coverage Inkwell will address each issue separately.  This issue focuses on the Court’s discussion of whether allegations of increased risk of identity theft, fraud, and phishing resulting from a data breach constitute an actual injury sufficient to satisfy standing requirements.  The next issue will focus on the Court’s discussion of whether the data breach claim alleged a viable claim for invasion of privacy.

In Galaria, Nationwide Mutual Insurance Company was sued in two putative class actions after it notified class members that data thieves had hacked into its computer systems and stolen class members’ PII.  (Id. at 2-3.)  In its notification letter, Nationwide suggested that plaintiffs undertake steps to safeguard their PII, including monitoring their credit reports and bank statements, and offered them one year of free credit monitoring and identity theft protection through Equifax.  (Id. at 2.)  Nationwide also suggested that plaintiffs place a freeze on their credit reports at their own expense.  (Id.)

The lawsuits that followed alleged claims for violation of the Fair Credit Reporting Act (“FCRA”), and common law claims for negligence, invasion of privacy, and bailment.  (Id. at 1.)  The lawsuits alleged that because of the data breach, plaintiffs incurred damages in the form of: (i) the increased risk of identity theft and phishing, (ii) out-of-pocket expenses incurred to purchase credit monitoring and to mitigate the risk of identity theft, (iii) loss of value in their PII, and (iv) loss of privacy.  (Id. at 4-5.)  Importantly, neither lawsuit alleged that either named plaintiff’s PII had been misused or that his identity had been stolen.  (Id. at 3.)

Nationwide moved for dismissal, arguing that plaintiffs lacked standing because they failed to allege an injury-in-fact.  (Id. at 4.)  The Court agreed.

What is Standing?  In order to prosecute a lawsuit, a plaintiff must demonstrate standing by showing that he or she has suffered an injury that can be redressed by the court.  The alleged injury must be “concrete, particularized, and actual or imminent; fairly traceable to the challenged action; and redressable by a favorable ruling.”  (Id. at 6, citing Clapper v. Amnesty Int’l USA, 133 S.Ct. 1138, 1146 (2013).)  The “imminent” requirement ensures that the alleged injury, if not actual, is “certainly impending.”  (Id. (same).)  As explained by the Court in Galaria, allegations of an “increased risk” of injury alone are insufficient:

Thus, the Supreme Court has “repeatedly reiterated that threatened injury must be certainly impending to constitute injury in fact, and that [a]llegations of possible future injury are not sufficient” to confer standing.  Id. (internal quotations and citations omitted).  Moreover, the Supreme Court is “reluctan[t] to endorse standing theories that rest on speculation about the decisions of independent actors.”

(Id.)

The Galaria Court held that the lawsuits failed to allege an actual or imminent injury sufficient to satisfy standing requirements, thereby requiring their dismissal.  Looking at the case before it, the Court noted that although plaintiffs alleged their PII had been stolen and disseminated, they did not allege that it had been used or that they had been victimized by identity theft.  (Id. at 11.)  Instead, they urged that the data theft placed them at an increased risk of fraud.  According to the Court, this was not enough.  Allegations of an increased risk of identity theft and phishing alone do not satisfy the requirement that an injury be actual or imminent:

In this case, an increased risk of identity theft, identity fraud, medical fraud or phishing is not itself an injury-in-fact because Named Plaintiffs did not allege—or offer facts to make plausible—an allegation that such harm is “certainly impending.”  Even though Plaintiffs alleged they are 9.5 times more likely than the general public to become victims of theft or fraud, that factual allegation sheds no light as to whether theft or fraud meets the “certainly impending” standard.  That is, a factual allegation as to how much more likely they are to become victims than the general public is not the same as a factual allegation showing how likely they are to become victims.

(Id. at 12 (emphasis added).)  (The Court also held that the lawsuits did not satisfy statutory standing under FCRA – id. at 7-9.)

Buttressing the Court’s conclusion that the alleged injuries were “speculative” was the fact that any actual injury would be wholly dependent upon the future actions of an independent third party, not the defendant:

That speculative nature of the injury is further evidenced by the fact that its occurrence will depend on the decisions of independent actors.  Even though Named Plaintiffs allege a third party or parties have their PII, whether Named Plaintiffs will become victims of theft or fraud or phishing is entirely contingent on what, if anything, the third party criminals do with that information.  If they do nothing, there will be no injury.

(Id. at 13.)  Because the lawsuits did not show that injury from identity theft or phishing was certainly impending, there was no alleged injury.  (Id. at 20.)

The Court also rejected the argument that plaintiffs’ out-of-pocket expenses, incurred to monitor their credit and safeguard against fraud, constituted an actual injury.  The Court based its conclusion on the principle that litigants cannot bootstrap standing by incurring costs to create an injury:

Named Plaintiffs allege they incurred costs to mitigate the increased risk of identity theft, identity fraud, medical fraud, and phishing. . . . Such injury does not suffice to confer standing because “respondents cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.”

(Id. at 18, quoting Clapper, supra (emphasis added).)  According to the Court, allowing plaintiffs to “bring this action based on costs they incurred in response to a speculative threat would be tantamount to accepting a repackaged version of [Named Plaintiffs’] first failed theory of standing.”  (Id. at 19, citation omitted.)  A plaintiff “cannot create standing by choosing to make expenditures in order to mitigate a purely speculative harm.”  (Id. at 20.)

The Court also rejected the argument that the loss of value of PII constituted an injury.  Sidestepping the question of whether PII has value, the Court held that because the lawsuits did not show how plaintiffs had been deprived of any value, there was no alleged injury:

Regardless of whether Named Plaintiffs argue the value of their PII has merely diminished or whether they allege complete deprivation of value, they have failed to allege any facts explaining how their PII became less valuable to them (or lost all value) by the data breach.  Specifically, Named Plaintiffs allege that stolen PII can be sold on the cyber black market for $14 to $25 per record … but fail to allege how the data breach prevents them from selling their PII at that value.  Indeed, Named Plaintiffs fail to allege that they could even access that illegal market and sell their PII. For example, neither Named Plaintiff alleges he tried to sell his PII after the data breach but was unable to do so because of the breach or was forced to sell it for less than its full worth.

(Id. at 22-23.)

Finally, the Court held that while the theft and dissemination of PII alleged a loss of privacy, that loss alone does not constitute an injury to satisfy standing:

Named Plaintiffs failed to allege that the loss of privacy has itself resulted in any adverse consequences apart from the speculative injury of increased risk of identity theft, identity fraud, medical fraud, or phishing.  A finding that the loss of privacy alone constitutes an injury sufficient to confer standing would contradict the Court’s above conclusion that mere exposure of PII is insufficient to confer standing and would mean that any time a plaintiff’s PII has been exposed as a result of a data breach, he would have standing to sue—regardless of whether that PII is ever actually misused or the plaintiff ever suffers adverse consequences from the exposure.

(Id. at 21.)

What does this case mean?  There is a lot to ponder in this case.  The case represents a momentary blow to those class action lawsuits that have nothing to show in terms of “injury” other than the claim of an “increased risk” of identity theft.  Paging Target shoppers….  I say “momentary” because I anticipate that clever pleading will find its way into future complaints for the sole purpose of surviving similar motions to dismiss.  Nevertheless, the decision draws a line between what constitutes an injury and what does not for data breach cases whose central premise is that consumers have been injured through an increased risk of fraud.

Although Galaria is not an insurance coverage case, does it have coverage implications?  You bet.  If an increased risk of identity theft and phishing does not constitute an injury for purposes of standing, could it be argued that such claims cannot allege “damages” because of “personal and advertising injury”?  The argument has been made in other contexts.  It’s an issue worth thinking about.

Questions and comments are welcome.

This entry was posted in Data Breach Insurance Coverage.