Category Archives: Privacy Rights

No Coverage for Data Breach Where Insured Isn’t Accused of Publishing

This entry was posted by Joshua Mooney on November 29, 2017.

In the lawsuit Innovak Int’l, Inc. v. Hanover Ins. Co., the federal court for the middle district of Florida recently held that an underlying data breach class action lawsuit did not implicate “personal and advertising injury” coverage because the insured was not the entity accused of publishing the compromised personal information (PI).

The decision is relevant because not only did the court reject claims for cyber coverage under a CGL policy, but also because the decision is following a recent trend in litigation over Coverage B: namely, if the insured is not the one accused of publishing the information at issue, there is no “personal and advertising liability” coverage. In other words, Coverage B does not apply to third-party publications, even if the insured is the entity ultimately sued. E.g., Steadfast Ins. Co. v. Tomei, 2016 Pa. Super. Unpub. LEXIS 1864, at *17 (Pa. Super. Ct. May 24, 2016); Zurich Am. Ins. Co. v. Sony Corp., No. 651982/2011 (N.Y. Supr. Ct. Feb. 21, 2014). Read More

This entry was posted in Data Breach Insurance Coverage, Privacy Rights.

NAIC Passes Model Law for Insurers and Brokers on Cybersecurity

This entry was posted by Joshua Mooney on November 3, 2017.

By Joshua Mooney and Laura Schmidt

On October 24, 2017, the National Association of Insurance Commissioners (NAIC) passed its Insurance Data Security Model Law, intended to serve as model legislation for states to enact in order to govern cybersecurity and data protection practices of insurers, insurance agents, and other licensed entities registered under state insurance laws (defined therein as Licensees). Read More

Article III Standing in Data Breach Litigation and Problems Galaria Poses for Data Breach Responses

This entry was posted by Joshua Mooney on September 19, 2016.

Last week, in Galaria v. Nationwide Mut. Ins. Co., 2016 U.S. App. LEXIS 16840 (6^th Cir. Sept. 12, 2016), the United States Court of Appeals for the Sixth Circuit weighed in on the issue of Article III standing for data breach litigation and effectively lowered the threshold to establish standing. The decision echoes sentiments expressed by the Seventh Circuit in Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016), and Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015). The facts are straightforward, and it is part of an ongoing trend by courts to make it easier to allege injury and bring data breach litigation. This will drive up litigation. Yet, here is a bigger problem: the Sixth Circuit based its determination that standing existed to sue a breach victim on actions undertaken by the breach victim to mitigate damage and help consumers prevent the very harm that plaintiffs later sued over. Is the message of “darned if you do” one that courts want to establish? Can decisions like Galaria create an adverse impact on response efforts undertaken by breach victims? These are issues that a breach victim will have to wrestle with early on and provide one more reason why cyber counsel should be retained.

The facts of Galaria are straightforward. In that case, the breach victim, Nationwide, maintained records containing personal information of customers and potential customers, including names, dates of birth, marital statuses, employers, Social Security numbers, and driver’s license numbers. On October 3, 2012, hackers breached Nationwide’s computer network and stole the personal information of 1.1 million people. Id. at *3. In the underlying data breach litigation that followed, putative class actions alleged violation of the Fair Credit Reporting Act (“FCRA”) through Nationwide’s failure to adopt required procedures to protect against wrongful dissemination of plaintiffs’ data. Plaintiffs also alleged claims for negligence, and invasion of privacy by public disclosure of private facts – all based on Nationwide’s failure to secure Plaintiffs’ data. Id. at *4. Read More

This entry was posted in Data Breach Insurance Coverage, Privacy Rights and tagged Data Breach Litigation.

Making Records Accessible on the Internet Is a “Publication”

This entry was posted by Joshua Mooney on April 12, 2016.

We have all heard the question “if a tree falls in the forest…,” a philosophical experiment that raises questions of observation, knowledge, and reality. Whether or not the philosopher George Berkeley deserves credit for first raising the question, if still alive, he may have been disappointed in yesterday’s decision, Travelers Indem. Co. of Am. v. Portal Healthcare Solutions, LLC, No. 14-1944 (4^th Cir. Apr. 11, 2016). In that case, the trial court had addressed the legal question of “whether materials are published if they are posted on the Internet, but no one reads them?” As discussed by The Coverage Inkwell in August 2014, the trial court answered the question in the affirmative. Yesterday, the Fourth Circuit affirmed the decision, but never really weighed in on the question. That’s too bad.

The facts of the case are straightforward. The insured Portal Healthcare Solution (“Portal”) specialized in the electronic safekeeping of medical records for hospitals, clinics, and other medical providers. Travelers Indem. Co. of Am. v. Portal Healthcare Solutions, LLC, 35 F. Supp. 3d 765, 767-78 (E.D. Va. 2014). A New York putative class action was filed against it, alleging that Portal had failed to safeguard the confidentiality of the medical records of patients at Glen Falls Hospital (“Glen Falls”) by posting them on the Internet and making them publicly accessible through Internet searches. Id. Two patients of Glen Falls discovered the breach when they conducted a Google search for their names and found links that directed them to their Glen Falls medical records. Id. Read More

This entry was posted in Data Breach Insurance Coverage, Privacy Rights and tagged personal and advertising injury, Publication.

Electronic Data and Distribution of Material Exclusion Does Not Bar Coverage for Disclosure of Genetic Data

This entry was posted by Joshua Mooney on January 13, 2016.

Last week, the United States District Court for the Southern District of Texas held that an Electronic Data and Distribution of Material in Violation of Statutes exclusion, a variant of the Telephone Consumer Protection Act (“TCPA”) exclusion, did not prohibit coverage for an insured’s wrongful, online publication of genetic data in violation of a statute. Evanston Ins. Co. v. Gene By Gene, Ltd., 2016 WL 102294 (S.D. Texas, Jan. 6, 2016). In so holding, the court construed the exclusion to address solely intrusion upon seclusion claims. The facts of the case are straightforward.

The insured, Gene by Gene Ltd. (“GBG”), owned and operated a genealogy website whereby users of the site were offered the opportunity to take DNA tests and then use their genetic information from the tests to learn more about their ancestry and connect with other users whose results matched their own results in varying degrees. Gene By Gene, 2016 WL 102294 at *1. An underlying plaintiff sued GBG in Alaska federal court, alleging that GBG improperly published his DNA test results on its website without his consent and in violation of Alaska’s Genetic Privacy Act. Id. The Genetic Privacy Act prohibits disclosure of a person’s DNA analysis without written and informed consent. See AS §18.13.010. Read More

This entry was posted in Data Breach Insurance Coverage, Privacy Rights.

The Ninth Circuit Holds There Is No Coverage for Violation of the Song-Beverly Act

This entry was posted by Joshua Mooney on December 9, 2015.

This week, the United States Court of Appeals affirmed Big 5 Sporting Goods Corporation, a case in which the trial court had held that “personal and advertising injury” coverage did not exist for violation of California’s Song-Beverly Act, even where common law allegations of invasion of privacy were alleged in connection with the unlawful collection of ZIP Codes. See Big 5 Sporting Goods Corporation v. Zurich American Ins. Co., No. 13-6249 (9^th Cir. Dec. 7, 2015), affirming Big 5 Sporting Goods Corporation v. Zurich American Ins. Co., 957 F. Supp. 2d 1135 (C.D. Cal. 2013).

In Big 5, the insured was sued in multiple underlying class action lawsuits alleging invasion of privacy and violation of the Song-Beverly Act from the practice of requesting ZIP Code information during credit card transactions. See Big 5 Sporting Goods, 957 F. Supp. 2d at 1138. Some of the class actions alleged both violation of the Song-Beverly Act as well as common law negligence and invasion of privacy claims. Id. The insured sought coverage under “personal and advertising injury,” defined in part as injury arising out of “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy.” Id. at 1140. Read More

This entry was posted in Privacy Rights and tagged personal and advertising injury, Song-Beverly Act, Statutory Violation Exclusion, ZIP Codes.

Third Circuit Holds “Privacy” Means Secrecy, “Publication” Means Dissemination to Public, and “in Any Manner” Does Not Change Meaning of “Publication”

This entry was posted by Joshua Mooney on October 2, 2015.

In OneBeacon Amer. Ins. Co. v. Urban Outfitters, 2015 WL 5333845 (3d. Cir. Sept. 15, 2015), the United States Court of Appeals for the Third Circuit held that three underlying class action lawsuits filed against Urban Outfitters and Anthropologie, Inc. did not allege “personal and advertising injury.” The Third Circuit held that for Coverage B “oral or written publication, in any manner, of material that violates person’s right of privacy,” (1)“privacy” refers only to the right of secrecy, not the right of seclusion; (2) “publication” requires dissemination of information to the public at large, and (3) “in any manner” does not modify or change the meaning of “publication” to a lesser standard.

In the spirit of full disclosure, I represented OneBeacon America in the litigation with my colleagues at White and Williams LLP. The facts of the matter are straightforward. Read More

This entry was posted in Privacy Rights and tagged Coverage B, ZIP Codes.

New York’s Highest Courts Says Coverage for Loss From “Fraudulent Entry” Into Computer System Limited to Hacking

This entry was posted by Joshua Mooney on June 26, 2015.

A source of computer fraud is the rogue employee or authorized user whose abuses access into a network system for unlawful purposes. Readers of The Coverage Inkwell will know that the Inkwell has addressed the meaning of unauthorized access in the context of cyber insurance for a few years.

In the context of the Computer Fraud and Abuse Act, 18 U.S.C. §1030, the United States Court of Appeals for the Ninth Circuit, in U.S. v. Nosal, 676 F.3d 854 (9^th Cir. 2012), in essence limited the meaning “exceeds authorized access” to hackers, not inside corporate personnel accessing a computer network for unauthorized (i.e., illegal) purposes. Yesterday, the New York Court of Appeals, in Universal American Corp. v. National Union Fire Ins. Co. of Pittsburgh, PA, 2015 N.Y. Slip Op. 05516, 2015 WL 3885816 (N.Y. June 25, 2015) held that the phrase “fraudulent entry” into a computer system was limited to instances of outside hackers, not fraudulent content submitted by authorized users. Read More

This entry was posted in Data Breach Insurance Coverage, Privacy Rights and tagged Cyber Insurance.

Pennsylvania Court Refuses to Impose New Duty on Employers to Protect PII From Data Breaches

This entry was posted by Joshua Mooney on June 8, 2015.

A common allegation in cyber security data breach litigation is that the data breach victim breached its duty of care in failing to adequately protect plaintiffs’ personal identification information (“PII”) from a data breach. Very recently, the Pennsylvania Court of Common Pleas of Allegheny County in Dutton v. UPMC, No. GD-14-003285 (May 28, 2015), dismissed such a claim, refusing requests to create a new duty of care on an employer who suffered a data breach resulting in the compromise of its employees’ PII. In so holding, the court reasoned that to create such a duty would place too heavy of a burden on corporate entities already incentivized to protect PII. It also would inundate the judiciary with a flood of litigation. The court instead looked to the state legislature to determine whether to impose this obligation.

In the case, the plaintiffs filed a putative class action of current and former The University of Pittsburgh Medical Center (“UPMC” )employees whose PII had been stolen from UPMC’s computer systems. Plaintiffs’ alleged that UPMC owed a duty to protect their PII and had breached that duty under theories of negligence and breach of contract. Dutton v. UPMC, No. GD-14-003285, slip op., at 1-2. Duties allegedly owed by UPMC included: Read More

This entry was posted in Data Breach Insurance Coverage, Privacy Rights and tagged Cyber Security Data Breaches, Data Breach Defense.

In IBM Data Breach Case, There Can Be No Publication Without Access

This entry was posted by Joshua Mooney on May 18, 2015.

In Recall Total Info. Management, Inc. v. Federal Ins. Co., No. SC 19291, the Connecticut Supreme Court upheld the appellate court’s decision that a data breach suffered by IBM was not covered under general liability policies’ “personal and advertising injury” coverage.

In that case, Recall Total had contracted with IBM to transport off-site and store computer tapes containing the encrypted personal information of current and former IBM employees. Recall then subcontracted the transportation services to Ex Log. Ex Log lost the computer tapes when they fell from Ex Log’s truck onto the roadside and were retrieved by an unknown individual. Importantly, there was no evidence that anyone ever accessed the information on the tapes or that their loss caused injury to any IBM employee. Nevertheless, IBM spent significant sums of money providing identity theft services and complying with state notification requirements. IBM sought to recoup its losses from Recall Total and Ex Log. Read More

This entry was posted in Data Breach Insurance Coverage, Privacy Rights.