Category Archives: Privacy Rights

Article III Standing in Data Breach Litigation and Problems Galaria Poses for Data Breach Responses


This entry was posted by on .

Last week, in Galaria v. Nationwide Mut. Ins. Co., 2016 U.S. App. LEXIS 16840 (6th Cir. Sept. 12, 2016), the United States Court of Appeals for the Sixth Circuit weighed in on the issue of Article III standing for data breach litigation and effectively lowered the threshold to establish standing.  The decision echoes sentiments expressed by the Seventh Circuit in Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016), and Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015).  The facts are straightforward, and it is part of an ongoing trend by courts to make it easier to allege injury and bring data breach litigation. This will drive up litigation. Yet, here is a bigger problem: the Sixth Circuit based its determination that standing existed to sue a breach victim on actions undertaken by the breach victim to mitigate damage and help consumers prevent the very harm that plaintiffs later sued over. Is the message of “darned if you do” one that courts want to establish? Can decisions like Galaria create an adverse impact on response efforts undertaken by breach victims? These are issues that a breach victim will have to wrestle with early on and provide one more reason why cyber counsel should be retained.

The facts of Galaria are straightforward. In that case, the breach victim, Nationwide, maintained records containing personal information of customers and potential customers, including names, dates of birth, marital statuses, employers, Social Security numbers, and driver’s license numbers. On October 3, 2012, hackers breached Nationwide’s computer network and stole the personal information of 1.1 million people. Id. at *3. In the underlying data breach litigation that followed, putative class actions alleged violation of the Fair Credit Reporting Act (“FCRA”) through Nationwide’s failure to adopt required procedures to protect against wrongful dissemination of plaintiffs’ data. Plaintiffs also alleged claims for negligence, and invasion of privacy by public disclosure of private facts – all based on Nationwide’s failure to secure Plaintiffs’ data.  Id. at *4.

In support of their claims, plaintiffs alleged that an illicit international market exists for stolen personal data. According to the complaints, Nationwide’s data breach created an “imminent, immediate and continuing increased risk” that plaintiffs would be subject to identity theft. They cited a study purporting to show that in 2011 recipients of data-breach notifications were 9.6 times more likely to experience identity fraud, and had a fraud incidence rate of 19%.  They also alleged that victims of identity theft “typically spend hundreds of hours in personal time and hundreds of dollars in personal funds,” incurring an average of $354 in out-of-pocket expenses and $1,513 in total economic loss.  Id. at *5.

The federal district court dismissed the lawsuits, concluding that plaintiffs lacked statutory standing for the FCRA claims and lacked Article III standing for the negligence and bailment claims. The court also concluded that while plaintiffs had standing for their invasion of privacy claims, such claims failed to allege a cognizable injury. Plaintiffs appealed the trial court’s order, except for the dismissal of the invasion of privacy claims.  Id. at *6-7. The Sixth Circuit reversed.

In order to bring a lawsuit, a plaintiff must have standing under Article III of the United States Constitution; “[t]he doctrine of standing gives meaning to these constitutional limits by ‘identify[ing] those disputes which are appropriately resolved through the judicial process.'” Id. at *8 (citation omitted). In Spokeo v. Robins, 136 S. Ct. 1540, 1547 (2016), the United States Supreme Court explained that “the ‘irreducible constitutional minimum’ of standing consists of three elements.” Those elements are that a plaintiff “must have (1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of a defendant, and (3) that is likely to be redressed by a favorable judicial decision.” Spokeo, 136 S. Ct. at 1547; Galaria, 2016 U.S. App. LEXIS 16840 at *8. A plaintiff must prove those elements.  Id. Focusing on the first two elements, the Sixth Circuit in Galaria concluded that plaintiffs met their burden of proof and established had Article III standing at the pleading stage to survive a motion to dismiss. As litigators know, that is half the battle.

The Galaria court explained that”[t]o establish injury in fact, a plaintiff must show that he or she suffered ‘an invasion of a legally protected interest’ that is ‘concrete and particularized’ and ‘actual or imminent, not conjectural or hypothetical.'” Galaria, 2016 U.S. App. LEXIS 16840 at *8 (quoting Spokeo, at 1548). Where a plaintiffs seeks to establish standing based on an imminent injury, “that ‘threatened injury must be certainly impending to constitute injury in fact’”; “'[a]llegations of possible future injury’ are not sufficient.” Id. at *9 (quoting Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138, 1147 (2013)).

In the case before it, the Sixth Circuit concluded that plaintiffs’ allegations of increased risk of identity theft, coupled with “reasonably incurred mitigation costs,” established a concrete and particularized imminent injury for purposes of standing. Critically, the court based its decision on the fact that (1) there was proof that the plaintiffs’ information was in fact stolen, (2) hackers had targeted it, and (3) Nationwide had offered free credit monitoring services to help consumers mitigate their danger:

There is no need for speculation where Plaintiffs allege that their data has already been stolen and is now in the hands of ill-intentioned criminals.  Indeed, Nationwide seems to recognize the severity of the risk, given its offer to provide credit-monitoring and identity-theft protection for a full year. Where a data breach targets personal information, a reasonable inference can be drawn that the hackers will use the victims’ data for the fraudulent purposes alleged in Plaintiffs’ complaints. [Bold added.]

Id. at *9-10.

The fact that plaintiffs also could identify specific costs incurred by them from steps recommended by Nationwide in its data breach notification letter further supported the court’s finding that the underlying complaints alleged an imminent injury:

Although Nationwide offered to provide some of these services for a limited time, Plaintiffs allege that the risk is continuing, and that they have also incurred costs to obtain protections—namely, credit freezes—that Nationwide recommended but did not cover. This is not a case where Plaintiffs seek to “manufacture standing by incurring costs in anticipation of non-imminent harm.” [Citing Clapper, at 1155.]  Rather, these costs are a concrete injury suffered to mitigate an imminent harm, and satisfy the injury requirement of Article III standing.  [Bold added.]

Id. at *10-11.

Under the second element, the Sixth Circuit in Galaria held that the alleged harm was “fairly traceable” to Nationwide’s alleged conduct to satisfy Article III standing. Id. at *13. To satisfy the “fairly traceable” element, a plaintiff need not allege proximate causation. “Indirect” injury is sufficient.  Id. at *14. Here, the Galaria court held that plaintiffs had sufficiently alleged that their injuries were “fairly traceable” to Nationwide’s conduct, because Nationwide’s alleged negligence allowed the breach to happen:

Although hackers are the direct cause of Plaintiffs’ injuries, the hackers were able to access Plaintiffs’ data only because Nationwide allegedly failed to secure the sensitive personal information entrusted to its custody. In other words, but for Nationwide’s allegedly lax security, the hackers would not have been able to steal Plaintiffs’ data. These allegations meet the threshold for Article III traceability, which requires “more than speculative but less than but-for” causation.  [Bold added.]

Id. at *15.

Finally, the Sixth Circuit concluded that plaintiffs had statutory standing to bring their FCRA claims. Because plaintiffs had Article III standing to bring the lawsuit in general, they had standing to bring their FCRA claims, and there was no need to evaluate the causes of action allege din the complaints themselves.  Id. at *17-18.

What does this case mean? This case goes beyond the lowering of the standing threshold.  It also demonstrates why a data breach victim needs a cyber law attorney to help navigate the inevitable legal minefield that will follow a data breach. For instance, when a company suffers a data breach, state notification statutes require those companies to notify persons whose information has been compromised. Many state laws actually will require that notification letters include information explaining to consumers what steps may be taken to mitigate or monitor against any potential harm. Connecticut law requires that credit monitoring services be offered.  Many companies offer credit monitoring services as an act of goodwill.

Yet, in Galaria, the Sixth Circuit used the content of a breach victim’s notification letter and offer of credit monitoring services to permit multiple lawsuits to proceed against it. Does that leave a breach victim with an untenable, Hobson’s choice: comply with state notification laws and get sued, or potentially violate those laws to avoid creating Article III standing for future class actions? Some may say so. These are issues that breach victims are going to need to address when first responding to a breach. It’s another reason to have cyber counsel involved as early as possible when a breach has occurred.

This entry was posted in Data Breach Insurance Coverage, Privacy Rights and tagged .

MAKING RECORDS ACCESSIBLE ON THE INTERNET IS A “PUBLICATION”


This entry was posted by on .

We have all heard the question “if a tree falls in the forest…,” a philosophical experiment that raises questions of observation, knowledge, and reality. Whether or not the philosopher George Berkeley deserves credit for first raising the question, if still alive, he may have been disappointed in yesterday’s decision, Travelers Indem. Co. of Am. v. Portal Healthcare Solutions, LLC, No. 14-1944 (4th Cir. Apr. 11, 2016). In that case, the trial court had addressed the legal question of “whether materials are published if they are posted on the Internet, but no one reads them?”  As discussed by The Coverage Inkwell in August 2014, the trial court answered the question in the affirmative. Yesterday, the Fourth Circuit affirmed the decision, but never really weighed in on the question. That’s too bad.

The facts of the case are straightforward. The insured Portal Healthcare Solution (“Portal”) specialized in the electronic safekeeping of medical records for hospitals, clinics, and other medical providers.  Travelers Indem. Co. of Am. v. Portal Healthcare Solutions, LLC, 35 F. Supp. 3d 765, 767-78 (E.D. Va. 2014). A New York putative class action was filed against it, alleging that Portal had failed to safeguard the confidentiality of the medical records of patients at Glen Falls Hospital (“Glen Falls”) by posting them on the Internet and making them publicly accessible through Internet searches. Id. Two patients of Glen Falls discovered the breach when they conducted a Google search for their names and found links that directed them to their Glen Falls medical records. Id.

Travelers issued two policies, each having slightly different language. One covered injury arising from the “electronic publication of material that … gives unreasonable publicity to a person’s private life.” The second covered injury arising from the “electronic publication of material that … discloses information about a person’s private life.”  Id. at 767. The key issue in the trial court was whether making medical records accessible on the Internet constituted a “publication” under the terms of the policies, even if no one had read the information.

Looking to dictionary definitions for the word “publication,” the trial court concluded that the meaning of “publication” includes “to place before the public (as through a mass medium).” Id. at 770. Thus, making the records accessible constituted a “publication.”

Exposing medical records to the online searching of a patient’s name, followed by a click on the first result, at least “potentially or arguably” places those records before the public.  Any member of the public could retrieve the records of a Glen Falls patient, whether he or she was actively seeking those records or searching a patient’s name for other purposes, like a background check.  Because medical records were placed before the public, the Court finds that Portal’s conduct falls within the plain meaning of “publication.”

Id. at 770 (bold added). The trial court summarily rejected the argument that because Portal Healthcare had not intended to release the information, there was no “publication,” stating that “the issue cannot be whether Portal intentionally exposed the records to public viewing since the definition of ‘publication’ does not hinge on the would-be publisher’s intent.” Id.

Importantly, the court also rejected the argument that because no one had read the records, there was no “publication.” In other words, the court took the approach that if a tree falls, of course it makes a sound:

Publication occurs when information is “placed before the public,” not when a member of the public reads the information placed before it.  By Travelers’ logic, a book that is bound and placed on the shelves of Barnes & Noble is not “published” until a customer takes the book off the shelf and reads it.  Travelers’ understanding of the term “publication” does not comport with the term’s plain meaning, and the medical records were published the moment they became accessible to the public via an online search.

Id. at 771.

On appeal, the Fourth Circuit “commended” the trial court for its “sound legal analysis,” but did not add more, including on the scope of the term “publication.” Noting that Virginia is an “eight corners rule” state and that the duty to defend is broader than the duty to indemnify, the appellate court referred to the trial court’s conclusion that “the class-action complaint ‘at least potentially or arguably’ alleges a ‘publication’ of private medical information by Portal that constitutes conduct covered under the Policies.” (Slip Op. at 6.) Thus, the trial court reasoned, the release of information on the Internet, if proven, “would have given ‘unreasonable publicity to, and disclose[d] information about, patients’ private lives,’ because any member of the public with an internet connection could have viewed the plaintiffs’ private medical records during the time the records were available online.” (Id.) Under the broad scope of the duty to defend, the Fourth Circuit could not disagree:

Put succinctly, we agree with the Opinion that Travelers has a duty to defend Portal against the class-action complaint.  Given the eight corners of the pertinent documents, Travelers’s efforts to parse alternative dictionary definitions do not absolve it of the duty to defend Portal.  [Citation omitted.]   See Seals v. Erie Ins. Exch., 674 S.E.2d 860, 862 (Va. 2009) (observing that the courts “have been consistent in construing the language of [insurance] policies, where there is doubt as to their meaning, in favor of that interpretation which grants coverage, rather than that which withholds it” (quoting St. Paul Fire & Marine Ins. Co., 316 S.E.2d at 736)).

(Id. at 6-7.)

What this case means.  Two years ago, I noted that this was a difficult case for an insurer to win.  It was undisputed that the records were available on the Internet.  Typically, when determining whether an underlying complaint alleges a “publication,” many courts look to dictionary definitions, which define the term to mean distribution to the public at large.  That is what the trial court did here, and the Fourth Circuit agreed.  Typically, the question of whether the material at issue was read is not asked or addressed.

The trial court rejected the contention that if material is not read, it is not published.  In doing so, the court used a persuasive analogy of an untouched book on a shelf.  The Fourth Circuit appeared to have no interest in delving into that question, at least in the context of the duty to defend.  That is too bad because the argument does raise interesting issues, not the least of which is whether a ”publication” is just the release of information or also the consumption of it?

This entry was posted in Data Breach Insurance Coverage, Privacy Rights and tagged , .

ELECTRONIC DATA AND DISTRIBUTION OF MATERIAL EXCLUSION DOES NOT BAR COVERAGE FOR DISCLOSURE OF GENETIC DATA


This entry was posted by on .

Last week, the United States District Court for the Southern District of Texas held that an Electronic Data and Distribution of Material in Violation of Statutes exclusion, a variant of the Telephone Consumer Protection Act (“TCPA”) exclusion, did not prohibit coverage for an insured’s wrongful, online publication of genetic data in violation of a statute.  Evanston Ins. Co. v. Gene By Gene, Ltd., 2016 WL 102294 (S.D. Texas, Jan. 6, 2016).  In so holding, the court construed the exclusion to address solely intrusion upon seclusion claims.  The facts of the case are straightforward.

The insured, Gene by Gene Ltd. (“GBG”), owned and operated a genealogy website whereby users of the site were offered the opportunity to take DNA tests and then use their genetic information from the tests to learn more about their ancestry and connect with other users whose results matched their own results in varying degrees.  Gene By Gene, 2016 WL 102294 at *1.  An underlying plaintiff sued GBG in Alaska federal court, alleging that GBG improperly published his DNA test results on its website without his consent and in violation of Alaska’s Genetic Privacy Act.  Id.  The Genetic Privacy Act prohibits disclosure of a person’s DNA analysis without written and informed consent.  See AS §18.13.010.

GBG tendered its defense to its insurer, which issued four professional liability policies providing coverage for “personal injury,” defined therein as injury arising out of “oral or written publication of material that violates a person’s right of privacy.”  Id. at *1, *3.  The insurer, however, denied coverage based on an “Electronic Data and Distribution of Material in Violation of Statutes” exclusion.  Id. at *1.  Coverage litigation ensued and GBG moved for summary judgment.

GBG contended that defense coverage existed because the underlying action alleged injury that arises out of the written publication of material that violates a person’s right of privacy.  The insurer contended that Distribution of Material exclusion applied because the exclusion prohibited coverage for violation of “any other statute, law, rule, ordinance, or regulation that prohibits or limits the sending, transmitting, communication or distribution of information or other material.”  Id. *2.  Specifically, the insurer argued that the exclusion applied because the underlying action was brought pursuant to a statute (the Genetic Privacy Act), which prohibits the transmission, communication, or distribution of information or other material, namely, the public disclosure of a person’s DNA analysis on Gene by Gene’s website.  Id. at *4.  The court held that the underlying action alleged “personal injury” because the action asserted “the publication of material—the DNA analysis—that allegedly violates a person’s right to privacy.”  Id. at *3.  It then held that the Distribution of Material exclusion did not apply.

The court concluded that the insurer’s reading of the exclusion was too broad and would render the policies’ advertising injury and personal injury coverage illusory.  Id. at *4-5.  The exclusion prohibited both statutory and common law violations.  Because both advertising injury (libel and defamation) and personal injury (invasion of privacy) inherently involved communications in violation of law, the court reasoned that, under the insurer’s reading of the Distribution of Material exclusion, the exclusion would preclude coverage for all instances advertising injury and personal injury.  Id. at *5.  The court further noted that in some states, such as Texas, “traditional defamation” injuries, like libel and disparagement of goods and services, are regulated by statute.  Id.  The court concluded that the exclusion was not intended to preclude such claims.

Yet, perhaps most compelling to the court was its conclusion that the intent and protected interests behind the Distribution of Material exclusion and the Genetic Privacy Act differed.  The court held that the Distribution of Material exclusion, another variant of the TCPA exclusion, was intended to address intrusion upon seclusion claims, a protection that was not contemplated by the Genetic Privacy Act:

The Genetic Privacy Act does not concern unsolicited communication to consumers, but instead regulates the disclosure of a person’s DNA analysis.  The facts upon which the claim is based deal solely with Gene by Gene’s alleged improper disclosure of DNA test results on its public website and to third-parties.  The facts alleged in the complaint do not address the type of unsolicited seclusion invasion contemplated by the Exclusion.  Accordingly, the Underlying Lawsuit is not excluded from Gene by Gene’s policy coverage.  [Emphasis added.]

Id. at *6.  Because of this mismatch, the exclusion did not apply.

What this case means.  This case is interesting because it addresses a new twist on the TCPA exclusions.  Are cybersecurity claims next?  Some might herald this decision as a defeat for insurers and a scaling back of the exclusion.  My thought – not really.  The court construed the exclusion to address solely intrusion upon seclusion claims, which is not that remarkable – although, maybe unwarranted.  Yet, it is important remember that by including violations of mere “law” within its scope, the form of the exclusion at issue was very broad – indeed, broader than many variants of the TCPA exclusion.  That distinction was not lost on the court, which believed (and perhaps rightly so) that the fundamental logic for applying the exclusion in the case before it would have eviscerated coverage under the policy’s “advertising injury and personal injury” insuring agreement.  The court also recognized a potential mismatch between the exclusion and the Genetic Privacy Act.  It’s an interesting observation.  However, by then, the Court already had made its decision.

This entry was posted in Data Breach Insurance Coverage, Privacy Rights.

THE NINTH CIRCUIT HOLDS THERE IS NO COVERAGE FOR VIOLATION OF THE SONG-BEVERLY ACT


This entry was posted by on .

This week, the United States Court of Appeals affirmed Big 5 Sporting Goods Corporation, a case in which the trial court had held that “personal and advertising injury” coverage did not exist for violation of California’s Song-Beverly Act, even where common law allegations of invasion of privacy were alleged in connection with the unlawful collection of ZIP Codes.  See Big 5 Sporting Goods Corporation v. Zurich American Ins. Co., No. 13-6249 (9th Cir. Dec. 7, 2015), affirming Big 5 Sporting Goods Corporation v. Zurich American Ins. Co., 957 F. Supp. 2d 1135 (C.D. Cal. 2013). 

In Big 5, the insured was sued in multiple underlying class action lawsuits alleging invasion of privacy and violation of the Song-Beverly Act from the practice of requesting ZIP Code information during credit card transactions.  See Big 5 Sporting Goods, 957 F. Supp. 2d at 1138.  Some of the class actions alleged both violation of the Song-Beverly Act as well as common law negligence and invasion of privacy claims.  Id.  The insured sought coverage under “personal and advertising injury,” defined in part as injury arising out of “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy.”  Id. at 1140. 

The insurers argued that defense and indemnity coverage for the underlying actions was barred by the  statutory violation exclusion, one of which barred coverage for “personal and advertising injury” “arising directly or indirectly out of” any act or omission that violates or is alleged to violate:

c. Any statute, ordinance or regulation, other than the TCPA or CAN–SPAM Act of 2003, that prohibits or limits the sending, transmitting, communicating or distribution of material or information. 

Id. at 1149.  The trial court agreed, and now, the Ninth Circuit has affirmed.

Perhaps the most significant component of the Ninth Circuit’s decision was that the allegations of common law claims, which were not accounted for in the statutory violation exclusion, nevertheless did not preclude application of the exclusion because the factual allegations did not assert actionable causes of action. 

Specifically, the insured argued that because some of the lawsuits alleged common law claims for invasion of privacy, for purposes of the duty to defend, the statutory violation exclusion could not apply.  Big 5, slip op., at 4.  The Ninth Circuit disagreed.  Holding that because “California does not recognize any common law or constitutional privacy causes of action for requesting, sending, transmitting, communicating, distributing, or commercially using ZIP Codes,” the Court concluded that the only possible claim for recovery was for penalties, not damages, under the Song-Beverly Act.  Id. at 45, citing Fogelstrom v. Lamps Plus, Inc., 195 Cal. App. 4th 986, 992 (2d Dist. 2011).  In Fogelstrom, the California Court of Appeal held that requesting ZIP Codes during credit card transactions does not assert an actionable claim for invasion of privacy, concluding that the action of “obtaining plaintiff’s address without his knowledge or permission, and using it to mail him coupons and other advertisements … is not an egregious breach of social norms, but routine commercial behavior.”  Fogelstrom, 195 Cal. App. 4th at 992. 

The Ninth Circuit also rejected the insured’s argument that the invasion of privacy and negligence claims were merely frivolous, and thus could not be discounted for purposes of the duty to defend because an insurance carrier has the duty to defend both meritorious and frivolous claims.  The Ninth Circuit distinguished frivolous claims form those that are not actionable, explaining that the privacy claims did not merely lack merit, they were not recognized under the law:

Under settled California law, they are not even recognized as cognizable causes of action, a status one step below “unmeritorious.”  Allowing Big 5’s fact pattern to rise to the level of a claim would require an insurance company to insure and defend against non-existent risks.

Id. at 6. 

Borrowing from Shakespeare, the Court similarly dispensed with the underlying negligence claims as mere “artful” pleading that could not circumvent an unambiguous policy exclusion:

Big 5’s negligence theory fares no better.  Just as a rose by another name is still a rose, so a ZIP Code case under any other label remains a ZIP Code case.  See Swain v. Cal. Cas. Ins. Co., 99 Cal. App. 4th 1, 8-9 (2002) (“A general boilerplate pleading of ‘negligence’ adds nothing to a complaint otherwise devoid of facts giving rise to a potential for covered liability.”).  As the district court recognized, the California Court of Appeal has discouraged the “artful drafting” of alleging superfluous negligence claims, saying to allow such a practice would inappropriately “erase exclusions in any policy.”  Fire Ins. Exch. v. Jimenez, 184 Cal. App. 3d 437, 443 n.2 (1986).

Id.

What does this case mean?  Like the Third Circuit in Urban Outfitters (also discussed in The Coverage Inkwell), a second United States Court of Appeals now has held that “personal and advertising injury” does not exist for underlying allegations of unlawful ZIP Code collection.  A unique aspect to this decision, however, is that where an underlying action alleges a cause of action that is not recognized under the law, that cause of action cannot be used to implicate a duty to defend. 

This entry was posted in Privacy Rights and tagged , , , .

THIRD CIRCUIT HOLDS “PRIVACY” MEANS SECRECY, “PUBLICATION” MEANS DISSEMINATION TO PUBLIC, AND “IN ANY MANNER” DOES NOT CHANGE MEANING OF “PUBLICATION”


This entry was posted by on .

In OneBeacon Amer. Ins. Co. v. Urban Outfitters, 2015 WL 5333845 (3d. Cir. Sept. 15, 2015), the United States Court of Appeals for the Third Circuit held that three underlying class action lawsuits filed against Urban Outfitters and Anthropologie, Inc. did not allege “personal and advertising injury.”  The Third Circuit held that for Coverage B “oral or written publication, in any manner, of material that violates  person’s right of privacy,” (1)“privacy” refers only to the right of secrecy, not the right of seclusion; (2) “publication” requires dissemination of information to the public at large, and (3) “in any manner” does not modify or change the meaning of “publication” to a lesser standard.

In the spirit of full disclosure, I represented OneBeacon America in the litigation with my colleagues at White and Williams LLP.  The facts of the matter are straightforward.

Urban Outfitters and Anthropologie (collectively, “Urban Outfitters”) were sued in three separate class actions filed in California, Massachusetts, and the District of Columbia.  (The California class action was actually a consolidation of multiple class actions.)  In each action, plaintiffs alleged that that Urban Outfitters wrongfully collected and used consumers’ ZIP codes and other data for marketing and purchase-tracking in violation of state statutes and privacy rights.  Urban Outfitters sought defense coverage for each lawsuit under “personal and advertising injury,” defined in part as “oral or written publication, in any manner, of material that violations a person’s right of privacy.”

In the first lawsuit, Hancock, the underlying complaint alleged that Urban Outfitters unlawfully collected consumers’ ZIP code information during credit card transactions in violation of District of Columbia statute.  Id. at *1.  By obtaining the consumers’ ZIP codes, Urban Outfitters was then able to obtain the consumers’ home and business addresses to use for marketing.  Id.  Urban Outfitters contended the exchange of data between the retailer and the consumers constituted a “publication” for purposes of “personal and advertising injury” coverage.  The Third Circuit disagreed and accepted the insurers’ arguments that “‘publication’ requires dissemination to the public.”  Id. at *2.  The court rejected the contention that the failure to define the term “publication” in the policy made the term ambiguous:

Although neither the policies nor the Pennsylvania Supreme Court have defined “publication,” that does not render the term ambiguous.  Rather, “[w]ords of common usage in an insurance policy are to be construed in their natural, plain, and ordinary sense, and we may inform our understanding of these terms by considering their dictionary definitions.”  Madison Constr. Co. v. Harleysville Mut. Ins. Co., 735 A.2d 100, 106 (PA. 1999).  The District Court cited three separate dictionary definitions of “publication,” all of which support the conclusion that “publication” requires dissemination to the public. [Emphasis added.]

Id.

Significantly, the Court also rejected the contention that the phrase “in any manner” changed the meaning of “publication”:

The fact that the policies specify that “publication” may be made “in any manner” does not alter the analysis; as the Eleventh Circuit correctly noted, the phrase “in any manner” “merely expands the categories of publication (such as e-mail, handwritten letters, and, perhaps, ‘blast-faxes’) covered by the [p]olicy,” but “cannot change the plain meaning of the underlying term ‘publication.’”  Creative Hosp. Ventures, Inc. v. U.S. Liab. Ins. Co., 444 F. App’x 370, 375 (11th Cir. 2011).  [Emphasis added.]

Id.

In the second lawsuit, Miller, the underlying complaint alleged that Urban Outfitters unlawfully collected consumers’ ZIP code information to use for marketing purposes, including to send unsolicited promotional materials and “junk mail.”  Id. at *3.  Noting that the Pennsylvania Superior Court has recognized that the privacy right contemplated in “personal and advertising injury” is the right to secrecy, not the right to seclusion, the Third Circuit concluded that Miller did not allege a violation of a person’s “right of privacy.”  Importantly, in reaching its conclusion, the Third Circuit ejected the contention that the consumers had a right of privacy in their ZIP codes, or that the lawsuit alleged violation of consumers’ rights to keep their addresses secret from the retailers:

[T]he factual allegations of the Miller complaint evince a concern with seclusion, and not secrecy. The complaint asserts that plaintiffs “have suffered an injury as a result of Defendant’s unlawful conduct by receiving unsolicited marketing and promotional materials, or ‘junk mail,’ from Defendant.” [Record citation omitted.] Although the complaint asserts that Urban Outfitters did collect plaintiffs’ ZIP code information, that information was collected allegedly “to identify the customer’s address and/or telephone number … to send unsolicited marketing and promotional materials.” . . .  Put simply, the complaint does not assert harms based on the plaintiffs’ interests in keeping their ZIP codes secret. Accordingly, it does not allege publication of material that violates a person’s “right to privacy” under the policies . . . .

Id.  at *4.

For the final lawsuit, Dremak, the Court held that the Recording and Distribution of Material of Information In Violation of Law exclusion barred coverage, because the lawsuit was brought under California’s Song-Beverly Credit Card Act.  Id. at *3. The lawsuit originally had alleged common law claims, but those causes of action were dismissed without prejudice while the coverage litigation was pending in the Pennsylvania federal district court.  Urban Outfitters argued that the dismissal of those claims was not dispositive because the factual allegations supporting the common law claims remained in the complaint, and Pennsylvania law required that the factual allegations, not the causes of action, determined an insurer’s duty to defend.  Id.  The Court rejected the argument because the same alleged facts that gave rise to common law claims also alleged the statutory violations.

[T]he Court looked to the factual allegations of the complaint in determining that the complaint alleged “action[s] or omission[s]” that were alleged to violate the Song–Beverly Credit Card Act.  The fact that those same “action[s] or omission[s]” were also alleged to give rise to common law claims (claims that were dismissed) is irrelevant to the analysis.  [Emphasis added.]

Id.

What does this case mean?  This decision is a significant one.  It is one of only a few appellate-level decisions holding that (1) “publication” requires dissemination to the public at large, and (2) that “right of privacy” means the right of secrecy, not the right of seclusion.  The decision is the only the second to address and debunk the myth that the phrase “in any manner” changes the meaning of “publication” in Coverage B.

This entry was posted in Privacy Rights and tagged , .

NEW YORK’S HIGHEST COURTS SAYS COVERAGE FOR LOSS FROM “FRAUDULENT ENTRY” INTO COMPUTER SYSTEM LIMITED TO HACKING


This entry was posted by on .

A source of computer fraud is the rogue employee or authorized user whose abuses access into a network system for unlawful purposes.  Readers of The Coverage Inkwell will know that the Inkwell has addressed the meaning of unauthorized access in the context of cyber insurance for a few years.

In the context of the Computer Fraud and Abuse Act, 18 U.S.C. §1030, the United States Court of Appeals for the Ninth Circuit, in U.S. v. Nosal, 676 F.3d 854 (9th Cir. 2012), in essence limited the meaning “exceeds authorized access” to hackers, not inside corporate personnel accessing a computer network for unauthorized (i.e., illegal) purposes.  Yesterday, the New York Court of Appeals, in Universal American Corp. v. National Union Fire Ins. Co. of Pittsburgh, PA, 2015 N.Y. Slip Op. 05516, 2015 WL 3885816 (N.Y. June 25, 2015) held that the phrase “fraudulent entry” into a computer system was limited to instances of outside hackers, not fraudulent content submitted by authorized users.

In the case, the insured Universal American Corp. (“Universal”) was a health insurance company that offers a choice of federal government-regulated alternatives to Medicare, known as medical advantage plans.  (Please note, because the decision was published only yesterday, page references currently are unavailable.)  Universal had a computerized billing system that allowed health care providers to submit bills for the medical advantage plans directly into the system.  A majority of such claims were approved and paid by Universal automatically and without manual review.  Universal ultimately suffered over $18 million in losses for payments of fraudulent claims for services that were never performed under the plans.

Universal sought coverage under had an insurance, which provided coverage by endorsement for computer systems fraud.  The endorsement stated as follows:

COMPUTER SYSTEMS

It is agreed that:

  1. the attached bond is amended by adding an Insuring Agreement as follows:

COMPUTER SYSTEMS FRAUD

Loss resulting directly from a fraudulent

(1) entry of Electronic Data or Computer Program into, or

(2) change of Electronic Data or Computer Program within the Insured’s proprietary Computer System

provided that the entry or change causes

(a) Property to be transferred, paid or delivered,

(b) an account of the insured, or of its customer, to be added, deleted, debited or credited, or

(c) an unauthorized account or a fictitious account to be debited or credited[.]  (Emphasis added)

The insurer denied coverage on the ground that the endorsement did not cover Medicare fraud, i.e., losses from payment for fraudulent claims submitted by authorized health care providers.

In the ensuring coverage litigation, the trial court granted the insurer summary judgment.  Focusing on the words “fraudulent” “entry,” and “change,” the court concluded that coverage did not extend to fraudulent claims entered into Universal’s system by authorized users; instead, coverage extended only to unauthorized entries into the computer system by a hacker or through a computer virus.  The New York Appellate Division affirmed, stating that the policy did not cover fraudulent content entered by authorized users, but instead covered “wrongful acts in manipulation of the computer system, i.e., by hackers.”

The New York Court of Appeals affirmed, holding that the policy endorsement was clear and unambiguous.  The Court held that the policy “unambiguously applies to losses incurred from unauthorized access to Universal’s computer system, and not to losses resulting from fraudulent content submitted to the computer system by authorized users.”  The Court based its conclusion on the fact that the term “fraudulent” modified the terms “entry” or “change” to mean that coverage applied to a dishonest entry or change of electronic data or computer program by “hacking” into the computer system:

The term “fraudulent” is not defined in the Rider, but it refers to deceit and dishonesty (see Merriam Webster’s Collegiate Dictionary [10th ed. 1993] ).  While the Rider also does not define the terms “entry” and “change,” the common definition of the former includes “the act of entering” or “the right or privilege of entering, access,” and the latter means “to make different, alter” (id.).  In the Rider, “fraudulent” modifies “entry” or “change” of electronic data or computer program, meaning it qualifies the act of entering or changing data or a computer program.  Thus, the Rider covers losses resulting from a dishonest entry or change of electronic data or computer program, constituting what the parties agree would be “hacking” of the computer system.  The Rider’s reference to “fraudulent” does not also qualify what is actually acted upon, namely the “electronic data” or “computer program” itself.  [Emphasis added.]

According to the Court, “[t]he intentional word placement of ‘fraudulent’ before ‘entry’ and ‘change’ manifests the parties’ intent to provide coverage for a violation of the integrity of the computer system through deceitful and dishonest access.”

In so holding, the Court rejected Universal’s argument that “‘fraudulent entry’ means ‘fraudulent input’ because a loss due to a fraudulent entry by necessity can only result from the input of fraudulent information.”  The Court reasoned that such a conclusion would render the words “a” and “of” in the sentence “a fraudulent (1) entry of Electronic Data or Computer Program into” superfluous:

This would render superfluous the word “a” before “fraudulent,” and the word “of” before “electronic data or computer program.” Universal’s proposed interpretation is easily achieved by providing coverage for a “loss resulting directly from fraudulent data.”  Of course, that is not what the [endorsement] says.

Because the losses suffered by Universal were not the result of hacking, there was no coverage under the policy.

Questions are welcome.

This entry was posted in Data Breach Insurance Coverage, Privacy Rights and tagged .

PENNSYLVANIA COURT REFUSES TO IMPOSE NEW DUTY ON EMPLOYERS TO PROTECT PII FROM DATA BREACHES


This entry was posted by on .

A common allegation in cyber security data breach litigation is that the data breach victim breached its duty of care in failing to adequately protect  plaintiffs’ personal identification information (“PII”) from a data breach.  Very recently, the Pennsylvania Court of Common Pleas of Allegheny County in Dutton v. UPMC, No. GD-14-003285 (May 28, 2015), dismissed such a claim, refusing requests to create a new duty of care on an employer who suffered a data breach resulting in the compromise of its employees’ PII.  In so holding, the court reasoned that to create such a duty would place too heavy of a burden on corporate entities already incentivized to protect PII.  It also would inundate the judiciary with a flood of litigation.  The court instead looked to the state legislature to determine whether to impose this obligation.

In the case, the plaintiffs filed a putative class action of current and former The University of Pittsburgh Medical Center (“UPMC” )employees whose PII had been stolen from UPMC’s computer systems.  Plaintiffs’ alleged that UPMC owed a duty to protect their PII and had breached that duty under theories of negligence and breach of contract.  Dutton v. UPMC, No. GD-14-003285, slip op., at 1-2.  Duties allegedly owed by UPMC included:

  • The duty to design, maintain, and test its security systems to protect against data breaches;
  • The duty to implement processes to detect security breaches “in a timely manner”;
  • The duty “to adopt, implement, and maintain adequate security measures”; and
  • The duty to satisfy “widespread industry standards relating to data security.”

Id. at 2-3.

Addressing the negligence claim first, the court concluded that because the alleged damages were economic only, under the economic loss doctrine, no cause of action based on negligence could exist.  Id. at 4.  Therefore, the claim was dismissed.  (The court also dismissed the breach of contract claim based on the lack of evidence that a contract existed, id. at 11-12, but the court’s discussion of the negligence claim is where the real interesting read is found.)

To save their case, Plaintiffs contended that a special duty should be imposed upon UPMC to protect employees’ PII.  Id. at 5.  The court refused to do so, concluding that to impose such a duty as means to combat the widespread problem of data breaches could overwhelm the judiciary and ill-serve public interest:

Plaintiffs’ proposed solution is the creation of a private negligence cause of action to recover actual damages, including damages for increased risks, upon a showing that the plaintiffs confidential information was made available to third persons through a data breach.

The public interest is not furthered by this proposed solution.  Data breaches are widespread. They frequently occur because of sophisticated criminal activity of third persons.  There is not a safe harbor for entities storing confidential information.  The creation of a private cause of action could result within Pennsylvania alone of the filing each year of possibly hundreds of thousands of lawsuits by persons whose confidential information may be in the hands of third persons.  Clearly, the judicial system is not equipped to handle this increased caseload of negligence actions.  Courts will not adopt a proposed solution that will overwhelm Pennsylvania’s judicial system.

Id. at 6.

The court also expressed concern over the lack of consensus standards for defining “adequate” security.  Id.  Litigation and “expert” testimony, the court observed, “is not a viable method for resolving the difficult issue of the minimum requirements of care that should be imposed in data breach litigation, assuming that any minimum requirements should be imposed.”  Id.  The court also worried that to create a new duty could place too heavy of a burden on companies already incentivized to combat data breaches:

Under plaintiffs’ proposed solution, in Pennsylvania alone, perhaps hundreds of profit and nonprofit entities would be required to expend substantial resources responding to the resulting lawsuits.  These entities are victims of the same criminal activity as the plaintiffs.  The courts should not, without guidance from the Legislature, create a body of law that does not allow entities that are victims of criminal activity to get on with their businesses.

Id. at 6-7.

Finally, the court concluded that the issue was best left to the legislative branch, not a single jurist:

I cannot say with reasonable certainty that the best interests of society would be served through the recognition of new affirmative duties of care imposing liability on health care providers and other entities electronically storing confidential information, the financial impact of which could even put these entities out of business.  Entities storing confidential information already have an incentive to protect confidential information because any breach will affect their operations. An “improved” system for storing confidential information will not necessarily prevent a breach of the system.  These entities are also victims of criminal activity.

It is appropriate for courts to consider the creation of a new duty where what the court is considering is sufficiently narrow that it is not on the radar screen of the Legislature. . . . However, where the Legislature is already considering what courts are being asked to consider, in the absence of constitutional issues, courts must defer to the Legislature.

Id. at 7-8.

Because “[t]he only duty that the General Assembly has chosen to impose as of today is notification of a data breach,” the court concluded that it should not create a new, additional duty on employers.  Id. at 10.  Quoting from the Illinois Court of appeals in Cooney v. Chicago Pub. Sch., 934 N.E.2d 23, 28-29 (Ill. Ct. App. 2010), the court stated:

While we do not minimize the importance of protecting this information, we do not believe that the creation of a new legal duty beyond legislative requirements already in place is part of our role on appellate review.  As noted, the legislature has specifically addressed the issue and only required the [defendant] to provide notice of the disclosure.

Id. at 10 (emphasis in original).

Thus, according to the Pennsylvania Court of Common Pleas, Allegheny County, the ball is in the court of the Pennsylvania General Assembly to determine whether the duty to protect employees’ PII form data breaches should be placed on employers.

What this case means.  Where should the responsibility (burden?) of protecting personal identification information from data breaches lay, and what are the standards by which to measure compliance with that responsibility?  These are straightforward questions that Judge Wettick asked and had no definitive answers for to convince him to recognize a legal duty assigning the responsibility of protecting employee PII to employers.

Should the  Pennsylvania General Assembly enact legislation creating an affirmative duty on employers to protect employees’ PII from data breaches, the duty would be state-specific, much like current data breach notification standards across the country.  Other jurisdictions may address the issue differently.  Courts in other states, for instance, may recognize a duty on employers outright in lieu of deferring to the legislative branch, or merely recognize a duty on employers to protect PII as an inherent component in a preexisting statute.  This area of law continues to develop rapidly.

I’d like to thank Laura Schmidt, an associate at White and Williams, for her invaluable assistance with this piece.

This entry was posted in Data Breach Insurance Coverage, Privacy Rights and tagged , .

IN IBM DATA BREACH CASE, THERE CAN BE NO PUBLICATION WITHOUT ACCESS


This entry was posted by on .

In Recall Total Info. Management, Inc. v. Federal Ins. Co., No. SC 19291, the Connecticut Supreme Court upheld the appellate court’s decision that a data breach suffered by IBM was not covered under general liability policies’ “personal and advertising injury” coverage.

In that case, Recall Total had contracted with IBM to transport off-site and store computer tapes containing the encrypted personal information of current and former IBM employees.  Recall then subcontracted the transportation services to Ex Log.  Ex Log lost the computer tapes when they fell from Ex Log’s truck onto the roadside and were retrieved by an unknown individual.  Importantly, there was no evidence that anyone ever accessed the information on the tapes or that their loss caused injury to any IBM employee.  Nevertheless, IBM spent significant sums of money providing identity theft services and complying with state notification requirements.  IBM sought to recoup its losses from Recall Total and Ex Log.

Recall Total and Ex Log, in turn, sought recovery from their general liability insurers, which had issued general liability policies providing “personal and advertising injury” coverage.  “Personal and advertising injury” was defined in part as ‘‘injury . . . caused by an offense of . . . electronic, oral, written or other publication of material that . . . violates a person’s right of privacy.”  The trial court held that coverage was not implicated by the events, and the appellate court affirmed, see 83 A.3d 664 (Ct. App. Ct. 2014).

The Connecticut Supreme Court affirmed on the basis that there was no alleged “publication.”  In doing so, the court adopted in whole the appellate court’s decision, stating:

Because the Appellate Court’s well reasoned opinion fully addresses the certified issue, it would serve no purpose for us to repeat the discussion contained therein.  We therefore adopt the Appellate Court’s opinion as the proper statement of the issue and the applicable law concerning that issue.

Some may recall that, because there was no evidence that the IBM employees’ PII had been accessed, the appellate court declined to expound upon the meaning of “publication.”  Instead, the court concluded that without access to the information, there was no “publication” under any definition of the term:

Regardless of the precise definition of publication, we believe that access is a necessary prerequisite to the communication or disclosure of personal information. In this regard, the plaintiffs have failed to provide a factual basis that the information on the tapes was ever accessed by anyone.

See 83 A.3d at 672-73.

Further bolstering the court’s conclusion was the fact that the parties had stipulated that none of the IBM employees affected had been injured.  The court stated: “Moreover, because the parties stipulated that none of the IBM employees have suffered injury as a result of the tapes being lost, we are unable to infer that there has been a publication.”  Id. at 673.  (See also The Coverage Inkwell, 1/16/2014.)

Finally, the Connecticut Supreme Court’s holding also affirms the appellate court’s decision that costs incurred from complying with data breach notification statutes do not implicate “personal and advertising injury” coverage.

What this case means: It is very simple.  If there is no evidence of access of, or capability of access of, the information, there is no publication.  This decision especially will be significant the underlying factual context of lost or stolen laptops that contain encrypted corporate data and PII.

This entry was posted in Data Breach Insurance Coverage, Privacy Rights.

SONY DATA BREACH COVERAGE LITIGATION SETTLES


This entry was posted by on .

As reported in news outlets, including Law360, Sony and its insurers have settled their data breach coverage litigation, two months after the New York appellate division heard oral argument.

Sony had sought coverage for numerous data breach class action lawsuits filed against it following the 2011 data breach into its PlayStation network.  Its general liability policies provided personal and advertising injury coverage for oral or written publication, in any manner, of material that violates a person’s right to privacy.  The trial court held that the insurers had no duty to defend because coverage applied only for violations of privacy committed by Sony, as the policyholder, and not by third parties who hacked into Sony’s network and stole personally identifiable information (“PII”).

The decision had other important aspects, often overlooked.  Analogizing the issue to the opening of Pandora’s Box, the trial court held that there mere accessing of information by the hackers constituted a “publication” under general liability policies.  The trial court also held that the phrase “in any manner” does not alter the meaning of the term “publication.”  Finally, the court held that in order for the “Insureds in Media and Internet Type of Business” exclusion to apply, the insured in question must solely be a content or service provider and not engage in other forms of business.  Here, because Sony engaged in other forms of business, the exclusion did not apply.

A more detailed discussion of the Sony decision may be found in an earlier Coverage Inkwell post located at: http://thecoverageinkwell.com/three-missed-takeaways-from-the-sony-data-breach-case/

My take is that the affect of the Sony settlement will be measured. For one thing, looking long term, the new personal data exclusions in CGL policies should shut the door on data breach coverage, to the extent it ever existed in the first place.  Second, Sony is a trial court decision without a written opinion, and the market already is shifting to cyber insurance.

Sony’s true legacy lay in the case’s publicity.  Sony showed that companies cannot look to general liability policies to cover data breaches.  They need to get cyber insurance.  The case was a Super Bowl ad for cyber liability insurance. That, and perhaps Target, showed companies that they have to get it.

Looking back, people will see Sony as the first big data breach coverage case.  It won’t be the last.

This entry was posted in Data Breach Insurance Coverage, Privacy Rights and tagged , .

TWO RECENT TCPA CASES: A LOOK AT HOW THEY CAN AFFECT PRIVACY LITIGATION


This entry was posted by on .

Last week saw two separate Telephone Consumer Protection Act (“TCPA”) decisions in which federal district courts, one for the Eastern District of Pennsylvania, the other for the Northern District of Illinois, held no coverage existed for underlying TCPA litigation.  The decisions’ results were not surprising, as TCPA coverage claims have been wilting like Wisconsin’s lead over Duke in last night’s final.  What is interesting in the cases, Auto-Owners Ins. Co. v. Stevens & Ricci, Inc., No. 12-7228, 2015 WL 1456085 (E.D. Pa. Mar. 31, 2015) and Addison Automatics, Inc. v. Hartford Cas. Ins. Co., No. 13-1922, slip op. (N.D. Ill. Mar. 31, 2015), is that the courts reached their decisions on different bases.  The reasoning behind each basis can apply to other privacy litigation.

In Stevens & Ricci, the insured was sued in a class action for faxing over 18,000 unsolicited fax advertisements in violation of the TCPA, 47 U.S.C. § 227.  The underlying litigation alleged, among other claims, that the unsolicited faxes violated the privacy rights of class members who received them.  Id. at *1.  The insured’s policy defined “personal injury” and “advertising injury” in part as “oral or written publication of material that violates a person’s right of privacy.”  Id. at *2-3.

The insurer argued that because the underlying complaint did not plead a cause of action for invasion of privacy, there was no coverage because the policy provided coverage only for the tort.   In the alternative, the insurer argued that even if the tort were alleged, the underlying action did not implicate coverage.  Although the invasion of privacy claim entails four separate torts, the privacy right covered under insurance policies contemplates the right to secrecy only.  Id. at *8.  Because TCPA litigation implicated the privacy right of seclusion, and not the right of secrecy, there was no coverage.  Id.

The trial court agreed with the second argument and explained:

No coverage exists for “advertising injury,” as determined by the Third Circuit, this District Court, and the Pennsylvania courts which have so held because the type of privacy violation covered by insurance policies such as the Auto–Owners Policy—privacy interests in secrecy—are not violated by “junk” faxes.

* * *

In this case, Stevens & Ricci hired a third party to send out the faxes. Each court that concluded that privacy interests in secrecy are not violated by junk faxes holds that such violations are violative of the right of seclusion, even when it is alleged that a policyholder hired a third-party vendor, and the third-party vendor was responsible for sending the problematic faxes.  [Citations omitted.]  Accordingly, there is no coverage under the Auto–Owners Policy because the privacy interests in secrecy are not violated by the junk faxes sent out by Hymed.

Id. at *8-9.

In Addison Automatics, the insured was sued in a class action for violation of the TCPA, the Illinois Consumer Fraud Act and Deceptive Business Practices Act, and common law conversion following its involvement in a blast-faxing campaign.  The underlying action settled and the class pursued claims under assignment against the insured’s insurance carrier.  Addison Automatics, slip op., at 1, 3.

Two different policies were at issue, each containing a “Violation of Statutes That Govern E-Mails, Fax, Phone Calls or Other Methods of Sending Material or Information” exclusion.  Id. at 5, 7.  The exclusions barred coverage for claims “arising directly or indirectly out of any action or omission that violates or is alleged to violate . . . . the Telephone Consumer Protection Act.”  Id.  The claimants argued that the exclusions did not bar coverage because many of their claims did not involve the TCPA or any other statute that prohibited a method of sending material or information.   Id. at 14-15.  In particular, the claimants argued that because their conversion claims had nothing to do with any statute, the exclusions could not apply.  Id.

I encounter this argument often in the context that such exclusions do not apply to common law claims for invasion of privacy.  The argument has a fatal flaw – it ignores the “arising out of” language contained in the exclusion.  Here, the Addison Automatics court recognized that flaw.  Explaining that a court must focus upon the language of the policies, and not “peer[] myopically at the elements of” underlying causes of action, the court held that the exclusions barred coverage because the common law conversion claims involved injuries from conduct that violated the TCPA:

A close reading of the exclusionary provisions reveal that their focus is not on the legal elements of a particular claim asserted by the underling plaintiff, but the factual cause of the “bodily injury” and “property damage” that is alleged in the underlying complaint.  So long as the injury and damage alleged in the operative complaint “arises directly or indirectly out of any action or omission that violates or is alleged to violate” the TCPA, the claims asserting the injury (whatever the particular legal theory may be) falls within the purview of the exclusions.  This is what the language of the exclusionary provisions require.

Id. at 14-15.

What Do These Cases Mean?  The real value in these cases is found in the reasoning behind the decisions.  Stevens & Ricci shows that “privacy” is more than a buzz word to guarantee coverage.  Some jurisdictions assign a limited meaning to the phrase “right of privacy” found in business and general liability policies, and a court should examine the factual allegations of an underlying complaint to ascertain exactly what privacy interests are implicated in the case.  Sometimes those interests are not covered.  In Addison Automatics, the court correctly focused on the broad language of the exclusions at issue and the underlying factual allegations, not the elements of the causes of action pleaded in the underlying complaint.

The reasoning on both these cases can apply to coverage actions involving privacy rights, including ZIP code lawsuits, the collection and use of consumer data, unauthorized surveillance, and cyber/data breach cases.  Feel free to email me with any questions.

This entry was posted in Privacy Rights and tagged .