Category Archives: Privacy Rights

No Coverage for Data Breach Where Insured Isn’t Accused of Publishing



In the lawsuit Innovak Int’l, Inc. v. Hanover Ins. Co., the federal court for the middle district of Florida recently held that an underlying data breach class action lawsuit did not implicate “personal and advertising injury” coverage because the insured was not the entity accused of publishing the compromised personal information (PI).

The decision is relevant because not only did the court reject claims for cyber coverage under a CGL policy, but also because the decision is following a recent trend in litigation over Coverage B: namely, if the insured is not the one accused of publishing the information at issue, there is no “personal and advertising liability” coverage. In other words, Coverage B does not apply to third-party publications, even if the insured is the entity ultimately sued. E.g., Steadfast Ins. Co. v. Tomei, 2016 Pa. Super. Unpub. LEXIS 1864, at *17 (Pa. Super. Ct. May 24, 2016); Zurich Am. Ins. Co. v. Sony Corp., No. 651982/2011 (N.Y. Supr. Ct. Feb. 21, 2014).

The facts in Innovak are straightforward. Innovak was sued in a putative class action following a data breach that compromised the underlying plaintiffs’ personal information. According to the lawsuit, Innovak “designs, develops, and sells accounting and payroll computer software systems to schools, school districts, and to other entities across the United States.” Id. at *3. The lawsuit alleged that “Innovak’s software and database provides up-to-date W2 and paystub information to end users, which is accessible remotely via an internet portal,” and that Innovak suffered the data breach “when hackers appropriated the personal private information (‘PPI’) stored on its software, database, and/or its portals … from numerous individuals in several different states whose PPI was stored and made accessible through Innovak’s internet portal.” Id. at *3-4. The suit was filed because of “Innovak’s alleged failure to protect adequately the Underlying Claimants’ PPI and to timely disclose the data breach to end users.” Id. at *4.

Innovak sought a defense under the “personal and advertising injury” coverage in its CGL policy. The policy defined “personal and advertising injury” in part as “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy.” Id. at *16. The carrier denied coverage and coverage litigation ensued.

The federal court, applying South Carolina law, held that the underlying lawsuit did not implicate Coverage B “personal and advertising injury” coverage because Innovak was not accused of publishing the PI in question. The court observed:

The Court notes that Innovak materially mischaracterizes the allegations of the Underlying Complaint. Nowhere in the Underlying Complaint do the Underlying Claimants contend that their PPI was “published,” whether by third party hackers or by Innovak. However, even if the Court views the alleged data breach as an alleged publication of the Underlying Claimants’ PPI, the Underlying Claimants do not allege that Innovak published their information.

Id. at *16. Citing the reasoning of the New York trial court in Zurich Am. Ins. Co. v. Sony Corp., the Florida court held that “the only plausible interpretation of Coverage B is that it requires the insured to be the publisher of the PPI.” Id. at *18. Allegations that the insured failed to protect PI adequately are not allegations of a publication, whether direct or indirect. Id.

What this case means. The insurance industry has attempted to shift coverage for liability for cyber risk from CGL policies to cybersecurity policies through promulgation of the Access Or Disclosure Of Confidential Or Personal Information And Data-related Liability Damages exclusion.

Thus, the real significance of this case is that it is yet another decision in which courts have limited Coverage B to claims in which the insured – and not a third party – has committed the publication. This limitation has a reach well beyond the scope of cybersecurity. It goes to an increasingly common theme in litigation where the insured is sued not for invading someone’s privacy, but for failing to prevent the invasion of privacy committed by a third party, whether by e-surveillance or vulnerabilities in the insured’s informational security, or from actions taken by rogue employees.

This entry was posted in Data Breach Insurance Coverage, Privacy Rights.

NAIC Passes Model Law for Insurers and Brokers on Cybersecurity



By Joshua Mooney and Laura Schmidt

On October 24, 2017, the National Association of Insurance Commissioners (NAIC) passed its Insurance Data Security Model Law, intended to serve as model legislation for states to enact in order to govern cybersecurity and data protection practices of insurers, insurance agents, and other licensed entities registered under state insurance laws (defined therein as Licensees).

The Model Law applies to “Licensees” that handle, process, store or transmit “Nonpublic Information.” (Insurers that are acting as an assuming insurer domiciled in another state or jurisdiction and purchasing groups or risk retention groups that are licensed and chartered in another state are not “Licensees.”) The definition for “Nonpublic Information” (NPI) is broader than state laws that typically focus on personally identifiable information (PII), and closely follows the meaning of “Nonpublic Information” under the New York Department of Financial Service’s (NYDFS) recently enacted Cybersecurity Regulations, 23 NYCRR § 500.00 et seq. (NYDFS cyber regulations). NPI under the Model Law includes:

  • business-related information of the Licensee that, if tampered with or disclosed, would have a material adverse impact on the Licensee’s business, operations or security;
  • information concerning a consumer that, because of an identifier in combination with certain data elements, can be used to identify the consumer; and
  • any information that is created by or derived from a health care provider or consumer that qualifies as protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA).

In fact, a quick glance at the law reveals that its drafters were influenced significantly by the NYDFS cyber regulations. Like the cyber regulations, the Model Law requires Licensees to develop an information security program based upon a security assessment, and to investigate and notify regulators of “Cybersecurity Events” the Licensee sustains. A drafting note in the law states that if a Licensee complies with the NYDFS’s cyber regulations, then the Licensee is deemed to comply with the requirements of the Model Law.

However, the Model Law also contains some noteworthy differences from the NYDFS cyber regulations regarding the establishment of an information security program and the requirements for investigating and providing notice of a Cybersecurity Event.

Establishing an Information Security Program

Like the NYDFS cyber regulations, the Model Law requires insurers to develop an information security program designed to protect NPI and the Licensee’s information systems. The Licensee’s information security program must be based upon a risk assessment that identifies reasonably foreseeable internal or external threats (including the security of NPI and Information Systems accessible to or held by Third-Party Service Providers); the likelihood and potential damage of these threats; and the sufficiency of policies, procedures, Information Systems and other safeguards to manage these threats. Assessments and evaluations of cybersecurity risk must be included in the Licensee’s enterprise risk management process, and the Licensee must remain informed of emerging threats and vulnerabilities. Licensees also are required to develop an incident response plan to address a Cybersecurity Event.

Consistent with the NYDFS cyber regulations, the Model Law expressly imposes responsibility upon the Licensee’s board of directors to oversee the Licensee’s management of cybersecurity risk. The board of directors must direct senior management to develop, implement and maintain the information security program, and must receive an annual report on the status of the entity’s information security program, including further assessments and third-party service provider arrangements. Gone are the days when cybersecurity was an IT or CIO problem. By expressly imposing responsibility upon the Licensee’s board of directors, the Model Law increases the directors’ and officers’ exposure should a cybersecurity incident occur. Like the NYDFS cyber regulations, the Model Law also requires the Licensee to certify in writing to the state commissioner every February 15 that its information security program complies with the law’s requirements. As under the cyber regulations, if there are areas, systems, or processes that need improvement or are noncompliant, the Licensee must address the issue and identify remedial efforts that are planned or underway to remedy such issues.

Despite similarities between the Model Law and the NYDFS cyber regulations for establishing an information security program, there also are some material differences. The Model Law allows the information security program to be “commensurate with the size and the complexity of the Licensee, the nature and scope of the Licensee’s activities (including the use of third-party vendors), and the sensitivity of the NPI in the Licensee’s possession, custody, or control[.]” This qualifier is more akin to information security requirements under HIPAA than the NYDFS cyber regulations.

The Model Law also requires Licensees to implement a risk management program to mitigate identified risks, but the program may be custom-tailored to the size and complexity of the Licensee. The Model Law identifies several security measures that the Licensee may implement if it determines the measures are appropriate, including using effective controls for individual access to NPI, implementing audit trails within the program to detect cybersecurity events, and instituting measures to protect against the loss, destruction or damage to NPI due to environmental hazards.

Additionally, the Model Law provides that the Licensee’s information security program must include the oversight of third-party service providers. However, unlike the NYDFS cyber regulations, the Model Law does not expressly require a Licensee to develop policies and procedures for conducting due diligence and oversight over third-party service providers. Instead, Licensees only must exercise due diligence in selecting third-party service providers and require such providers to implement administrative, technical, and physical measures to protect and secure the Licensee’s NPI to which they have access or possession.

Investigation and Notification of a “Cybersecurity Event”

The Model Law requires Licensees to promptly investigate “Cybersecurity Events.” The Model Law is similar to the NYDFS cyber regulations in that it requires a Licensee to notify the state insurance commissioner no later than 72 hours from a determination that a Cybersecurity Event has occurred. However, there are material differences between the NYDFS cyber regulations and the Model Law for notice requirements.

First, the criteria for triggering notice under the Model Law are broader. Notice under the Model Law is required if the insurer is domiciled in the state in which the Model Law was enacted; or if the Licensee reasonably believes that the NPI involved is of 250 or more consumers residing in the state, and either: (a) the Licensee is required to provide notice of the Cybersecurity Event to any government body, self-regulatory agency or any other supervisory body pursuant to any state or federal law; or (b) there is a “reasonable likelihood” of the Cybersecurity Event materially harming: (i) any Consumer residing in the state; or (ii) any material part of the normal operations of the Licensee. Under the NYDFS cyber regulations, notice is required only if the Cybersecurity Event requires notice to any government body, self-regulatory agency or any other supervisory body; or if the Cybersecurity Event has a “reasonable likelihood” of materially harming any Covered Entity’s normal operations.

Second, the Model Law has a narrower definition for “Cybersecurity Event.” Whereas the NYDFS cyber regulations provide that a “Cybersecurity Event” “means any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System,” the Model Law defines the term as “an event resulting in unauthorized access to, disruption or misuse of, an Information System or information stored on such Information System” (emphasis added). Under the Model Law, a Licensee also must conduct an investigation if it learns that a Cybersecurity Event occurred or may have occurred in a system maintained by one of its third-party vendors.

Any investigation must be geared toward determining: (1) whether a Cybersecurity Event occurred; (2) the nature and scope of the event; (3) the NPI implicated or compromised; and (4) necessary measures to restore the security of the Licensee’s Information Systems.

Third and finally, the Model Law recognizes the unique business-to-business relationships that exist within the insurance industry by including different notification requirements for reinsurers to insurers and for insurers to producers of record.

Quick Takeaways

Regulators and lawmakers are identifying standards in cybersecurity that companies should be implementing to protect business operations and consumer information. The NAIC’s Model Law joins a growing group of laws and regulations instituted by New York, Connecticut, Massachusetts, Colorado, and Vermont that specifically require companies to institute cybersecurity programs, policies, and procedures. The Model Law has many similarities with the NYDFS cyber regulations, but there are some differences. Both regimes recognize that protecting critical business operations is just as important as protecting consumer information.

These laws and regulations will serve as a roadmap for plaintiffs and shareholders pursuing civil litigation against Licensees. The FTC also can be expected to look to these laws when determining whether a company engaged in “deceptive” or “unfair” practices. Companies that fail to implement these standards can expect enforcement, and perhaps significant fines. For some companies, a regulatory enforcement action piled on to the effects of a data breach or ransomware-type event can mean the difference between recovery and bankruptcy. Now is the time to act. Brokers and insurers should start preparing for cybersecurity compliance by conducting necessary risk assessments and building a solid information security program.

This entry was posted in Data Breach Insurance Coverage, Privacy Rights.

Article III Standing in Data Breach Litigation and Problems Galaria Poses for Data Breach Responses



Last week, in Galaria v. Nationwide Mut. Ins. Co., 2016 U.S. App. LEXIS 16840 (6th Cir. Sept. 12, 2016), the United States Court of Appeals for the Sixth Circuit weighed in on the issue of Article III standing for data breach litigation and effectively lowered the threshold to establish standing.  The decision echoes sentiments expressed by the Seventh Circuit in Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016), and Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015).  The facts are straightforward, and it is part of an ongoing trend by courts to make it easier to allege injury and bring data breach litigation. This will drive up litigation. Yet, here is a bigger problem: the Sixth Circuit based its determination that standing existed to sue a breach victim on actions undertaken by the breach victim to mitigate damage and help consumers prevent the very harm that plaintiffs later sued over. Is the message of “darned if you do” one that courts want to establish? Can decisions like Galaria create an adverse impact on response efforts undertaken by breach victims? These are issues that a breach victim will have to wrestle with early on and provide one more reason why cyber counsel should be retained.

The facts of Galaria are straightforward. In that case, the breach victim, Nationwide, maintained records containing personal information of customers and potential customers, including names, dates of birth, marital statuses, employers, Social Security numbers, and driver’s license numbers. On October 3, 2012, hackers breached Nationwide’s computer network and stole the personal information of 1.1 million people. Id. at *3. In the underlying data breach litigation that followed, putative class actions alleged violation of the Fair Credit Reporting Act (“FCRA”) through Nationwide’s failure to adopt required procedures to protect against wrongful dissemination of plaintiffs’ data. Plaintiffs also alleged claims for negligence, and invasion of privacy by public disclosure of private facts – all based on Nationwide’s failure to secure Plaintiffs’ data.  Id. at *4.

In support of their claims, plaintiffs alleged that an illicit international market exists for stolen personal data. According to the complaints, Nationwide’s data breach created an “imminent, immediate and continuing increased risk” that plaintiffs would be subject to identity theft. They cited a study purporting to show that in 2011 recipients of data-breach notifications were 9.6 times more likely to experience identity fraud, and had a fraud incidence rate of 19%.  They also alleged that victims of identity theft “typically spend hundreds of hours in personal time and hundreds of dollars in personal funds,” incurring an average of $354 in out-of-pocket expenses and $1,513 in total economic loss.  Id. at *5.

The federal district court dismissed the lawsuits, concluding that plaintiffs lacked statutory standing for the FCRA claims and lacked Article III standing for the negligence and bailment claims. The court also concluded that while plaintiffs had standing for their invasion of privacy claims, such claims failed to allege a cognizable injury. Plaintiffs appealed the trial court’s order, except for the dismissal of the invasion of privacy claims.  Id. at *6-7. The Sixth Circuit reversed.

In order to bring a lawsuit, a plaintiff must have standing under Article III of the United States Constitution; “[t]he doctrine of standing gives meaning to these constitutional limits by ‘identify[ing] those disputes which are appropriately resolved through the judicial process.’” Id. at *8 (citation omitted). In Spokeo v. Robins, 136 S. Ct. 1540, 1547 (2016), the United States Supreme Court explained that “the ‘irreducible constitutional minimum’ of standing consists of three elements.” Those elements are that a plaintiff “must have (1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of a defendant, and (3) that is likely to be redressed by a favorable judicial decision.” Spokeo, 136 S. Ct. at 1547; Galaria, 2016 U.S. App. LEXIS 16840 at *8. A plaintiff must prove those elements. Id. Focusing on the first two elements, the Sixth Circuit in Galaria concluded that plaintiffs met their burden of proof and established Article III standing at the pleading stage to survive a motion to dismiss. As litigators know, that is half the battle.

The Galaria court explained that “[t]o establish injury in fact, a plaintiff must show that he or she suffered ‘an invasion of a legally protected interest’ that is ‘concrete and particularized’ and ‘actual or imminent, not conjectural or hypothetical.’” Galaria, 2016 U.S. App. LEXIS 16840 at *8 (quoting Spokeo, at 1548). Where a plaintiff seeks to establish standing based on an imminent injury, “that ‘threatened injury must be certainly impending to constitute injury in fact’”; “‘[a]llegations of possible future injury’ are not sufficient.” Id. at *9 (quoting Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138, 1147 (2013)).

In the case before it, the Sixth Circuit concluded that plaintiffs’ allegations of increased risk of identity theft, coupled with “reasonably incurred mitigation costs,” established a concrete and particularized imminent injury for purposes of standing. Critically, the court based its decision on the fact that (1) there was proof that the plaintiffs’ information was in fact stolen, (2) hackers had targeted it, and (3) Nationwide had offered free credit monitoring services to help consumers mitigate their danger:

There is no need for speculation where Plaintiffs allege that their data has already been stolen and is now in the hands of ill-intentioned criminals.  Indeed, Nationwide seems to recognize the severity of the risk, given its offer to provide credit-monitoring and identity-theft protection for a full year. Where a data breach targets personal information, a reasonable inference can be drawn that the hackers will use the victims’ data for the fraudulent purposes alleged in Plaintiffs’ complaints. [Bold added.]

Id. at *9-10.

The fact that plaintiffs also could identify specific costs incurred by them from steps recommended by Nationwide in its data breach notification letter further supported the court’s finding that the underlying complaints alleged an imminent injury:

Although Nationwide offered to provide some of these services for a limited time, Plaintiffs allege that the risk is continuing, and that they have also incurred costs to obtain protections—namely, credit freezes—that Nationwide recommended but did not cover. This is not a case where Plaintiffs seek to “manufacture standing by incurring costs in anticipation of non-imminent harm.” [Citing Clapper, at 1155.]  Rather, these costs are a concrete injury suffered to mitigate an imminent harm, and satisfy the injury requirement of Article III standing.  [Bold added.]

Id. at *10-11.

Under the second element, the Sixth Circuit in Galaria held that the alleged harm was “fairly traceable” to Nationwide’s alleged conduct, satisfying Article III standing. Id. at *13. To satisfy the “fairly traceable” element, a plaintiff need not allege proximate causation. “Indirect” injury is sufficient. Id. at *14. Here, the Galaria court held that plaintiffs had sufficiently alleged that their injuries were “fairly traceable” to Nationwide’s conduct, because Nationwide’s alleged negligence allowed the breach to happen:

Although hackers are the direct cause of Plaintiffs’ injuries, the hackers were able to access Plaintiffs’ data only because Nationwide allegedly failed to secure the sensitive personal information entrusted to its custody. In other words, but for Nationwide’s allegedly lax security, the hackers would not have been able to steal Plaintiffs’ data. These allegations meet the threshold for Article III traceability, which requires “more than speculative but less than but-for” causation.  [Bold added.]

Id. at *15.

Finally, the Sixth Circuit concluded that plaintiffs had statutory standing to bring their FCRA claims. Because plaintiffs had Article III standing to bring the lawsuit in general, they had standing to bring their FCRA claims, and there was no need to evaluate the causes of action alleged in the complaints themselves. Id. at *17-18.

What does this case mean? This case goes beyond the lowering of the standing threshold. It also demonstrates why a data breach victim needs a cyber law attorney to help navigate the inevitable legal minefield that will follow a data breach. For instance, when a company suffers a data breach, state notification statutes require the company to notify persons whose information has been compromised. Many state laws actually require that notification letters include information explaining to consumers what steps may be taken to mitigate or monitor against any potential harm. Connecticut law requires that credit monitoring services be offered. Many companies offer credit monitoring services as an act of goodwill.

Yet, in Galaria, the Sixth Circuit used the content of a breach victim’s notification letter and offer of credit monitoring services to permit multiple lawsuits to proceed against it. Does that leave a breach victim with an untenable, Hobson’s choice: comply with state notification laws and get sued, or potentially violate those laws to avoid creating Article III standing for future class actions? Some may say so. These are issues that breach victims are going to need to address when first responding to a breach. It’s another reason to have cyber counsel involved as early as possible when a breach has occurred.

This entry was posted in Data Breach Insurance Coverage, Privacy Rights.

MAKING RECORDS ACCESSIBLE ON THE INTERNET IS A “PUBLICATION”



We have all heard the question “if a tree falls in the forest…,” a philosophical experiment that raises questions of observation, knowledge, and reality. Whether or not the philosopher George Berkeley deserves credit for first raising the question, if still alive, he may have been disappointed in yesterday’s decision, Travelers Indem. Co. of Am. v. Portal Healthcare Solutions, LLC, No. 14-1944 (4th Cir. Apr. 11, 2016). In that case, the trial court had addressed the legal question of “whether materials are published if they are posted on the Internet, but no one reads them?”  As discussed by The Coverage Inkwell in August 2014, the trial court answered the question in the affirmative. Yesterday, the Fourth Circuit affirmed the decision, but never really weighed in on the question. That’s too bad.

The facts of the case are straightforward. The insured, Portal Healthcare Solutions (“Portal”), specialized in the electronic safekeeping of medical records for hospitals, clinics, and other medical providers. Travelers Indem. Co. of Am. v. Portal Healthcare Solutions, LLC, 35 F. Supp. 3d 765, 767-78 (E.D. Va. 2014). A New York putative class action was filed against it, alleging that Portal had failed to safeguard the confidentiality of the medical records of patients at Glen Falls Hospital (“Glen Falls”) by posting them on the Internet and making them publicly accessible through Internet searches. Id. Two patients of Glen Falls discovered the breach when they conducted a Google search for their names and found links that directed them to their Glen Falls medical records. Id.

Travelers issued two policies, each having slightly different language. One covered injury arising from the “electronic publication of material that … gives unreasonable publicity to a person’s private life.” The second covered injury arising from the “electronic publication of material that … discloses information about a person’s private life.”  Id. at 767. The key issue in the trial court was whether making medical records accessible on the Internet constituted a “publication” under the terms of the policies, even if no one had read the information.

Looking to dictionary definitions for the word “publication,” the trial court concluded that the meaning of “publication” includes “to place before the public (as through a mass medium).” Id. at 770. Thus, making the records accessible constituted a “publication.”

Exposing medical records to the online searching of a patient’s name, followed by a click on the first result, at least “potentially or arguably” places those records before the public.  Any member of the public could retrieve the records of a Glen Falls patient, whether he or she was actively seeking those records or searching a patient’s name for other purposes, like a background check.  Because medical records were placed before the public, the Court finds that Portal’s conduct falls within the plain meaning of “publication.”

Id. at 770 (bold added). The trial court summarily rejected the argument that because Portal Healthcare had not intended to release the information, there was no “publication,” stating that “the issue cannot be whether Portal intentionally exposed the records to public viewing since the definition of ‘publication’ does not hinge on the would-be publisher’s intent.” Id.

Importantly, the court also rejected the argument that because no one had read the records, there was no “publication.” In other words, the court took the approach that if a tree falls, of course it makes a sound:

Publication occurs when information is “placed before the public,” not when a member of the public reads the information placed before it.  By Travelers’ logic, a book that is bound and placed on the shelves of Barnes & Noble is not “published” until a customer takes the book off the shelf and reads it.  Travelers’ understanding of the term “publication” does not comport with the term’s plain meaning, and the medical records were published the moment they became accessible to the public via an online search.

Id. at 771.

On appeal, the Fourth Circuit “commended” the trial court for its “sound legal analysis,” but did not add more, including on the scope of the term “publication.” Noting that Virginia is an “eight corners rule” state and that the duty to defend is broader than the duty to indemnify, the appellate court referred to the trial court’s conclusion that “the class-action complaint ‘at least potentially or arguably’ alleges a ‘publication’ of private medical information by Portal that constitutes conduct covered under the Policies.” (Slip Op. at 6.) Thus, the trial court reasoned, the release of information on the Internet, if proven, “would have given ‘unreasonable publicity to, and disclose[d] information about, patients’ private lives,’ because any member of the public with an internet connection could have viewed the plaintiffs’ private medical records during the time the records were available online.” (Id.) Under the broad scope of the duty to defend, the Fourth Circuit could not disagree:

Put succinctly, we agree with the Opinion that Travelers has a duty to defend Portal against the class-action complaint.  Given the eight corners of the pertinent documents, Travelers’s efforts to parse alternative dictionary definitions do not absolve it of the duty to defend Portal.  [Citation omitted.]   See Seals v. Erie Ins. Exch., 674 S.E.2d 860, 862 (Va. 2009) (observing that the courts “have been consistent in construing the language of [insurance] policies, where there is doubt as to their meaning, in favor of that interpretation which grants coverage, rather than that which withholds it” (quoting St. Paul Fire & Marine Ins. Co., 316 S.E.2d at 736)).

(Id. at 6-7.)

What this case means.  Two years ago, I noted that this was a difficult case for an insurer to win.  It was undisputed that the records were available on the Internet.  Typically, when determining whether an underlying complaint alleges a “publication,” many courts look to dictionary definitions, which define the term to mean distribution to the public at large.  That is what the trial court did here, and the Fourth Circuit agreed.  Typically, the question of whether the material at issue was read is not asked or addressed.

The trial court rejected the contention that if material is not read, it is not published. In doing so, the court used a persuasive analogy of an untouched book on a shelf. The Fourth Circuit appeared to have no interest in delving into that question, at least in the context of the duty to defend. That is too bad, because the argument does raise interesting issues, not the least of which is whether a “publication” is just the release of information or also the consumption of it.

This entry was posted in Data Breach Insurance Coverage, Privacy Rights.

ELECTRONIC DATA AND DISTRIBUTION OF MATERIAL EXCLUSION DOES NOT BAR COVERAGE FOR DISCLOSURE OF GENETIC DATA



Last week, the United States District Court for the Southern District of Texas held that an Electronic Data and Distribution of Material in Violation of Statutes exclusion, a variant of the Telephone Consumer Protection Act (“TCPA”) exclusion, did not prohibit coverage for an insured’s wrongful, online publication of genetic data in violation of a statute.  Evanston Ins. Co. v. Gene By Gene, Ltd., 2016 WL 102294 (S.D. Texas, Jan. 6, 2016).  In so holding, the court construed the exclusion to address solely intrusion upon seclusion claims.  The facts of the case are straightforward.

The insured, Gene by Gene Ltd. (“GBG”), owned and operated a genealogy website whereby users of the site were offered the opportunity to take DNA tests and then use their genetic information from the tests to learn more about their ancestry and connect with other users whose results matched their own results in varying degrees.  Gene By Gene, 2016 WL 102294 at *1.  An underlying plaintiff sued GBG in Alaska federal court, alleging that GBG improperly published his DNA test results on its website without his consent and in violation of Alaska’s Genetic Privacy Act.  Id.  The Genetic Privacy Act prohibits disclosure of a person’s DNA analysis without written and informed consent.  See AS §18.13.010.

GBG tendered its defense to its insurer, which issued four professional liability policies providing coverage for “personal injury,” defined therein as injury arising out of “oral or written publication of material that violates a person’s right of privacy.”  Id. at *1, *3.  The insurer, however, denied coverage based on an “Electronic Data and Distribution of Material in Violation of Statutes” exclusion.  Id. at *1.  Coverage litigation ensued and GBG moved for summary judgment.

GBG contended that defense coverage existed because the underlying action alleged injury that arises out of the written publication of material that violates a person’s right of privacy.  The insurer contended that the Distribution of Material exclusion applied because the exclusion prohibited coverage for violation of “any other statute, law, rule, ordinance, or regulation that prohibits or limits the sending, transmitting, communication or distribution of information or other material.”  Id. at *2.  Specifically, the insurer argued that the exclusion applied because the underlying action was brought pursuant to a statute (the Genetic Privacy Act), which prohibits the transmission, communication, or distribution of information or other material, namely, the public disclosure of a person’s DNA analysis on Gene by Gene’s website.  Id. at *4.  The court held that the underlying action alleged “personal injury” because the action asserted “the publication of material—the DNA analysis—that allegedly violates a person’s right to privacy.”  Id. at *3.  It then held that the Distribution of Material exclusion did not apply.

The court concluded that the insurer’s reading of the exclusion was too broad and would render the policies’ advertising injury and personal injury coverage illusory.  Id. at *4-5.  The exclusion prohibited both statutory and common law violations.  Because both advertising injury (libel and defamation) and personal injury (invasion of privacy) inherently involve communications in violation of law, the court reasoned that, under the insurer’s reading of the Distribution of Material exclusion, the exclusion would preclude coverage for all instances of advertising injury and personal injury.  Id. at *5.  The court further noted that in some states, such as Texas, “traditional defamation” injuries, like libel and disparagement of goods and services, are regulated by statute.  Id.  The court concluded that the exclusion was not intended to preclude such claims.

Yet, perhaps most compelling to the court was its conclusion that the intent and protected interests behind the Distribution of Material exclusion and the Genetic Privacy Act differed.  The court held that the Distribution of Material exclusion, another variant of the TCPA exclusion, was intended to address intrusion upon seclusion claims, a protection that was not contemplated by the Genetic Privacy Act:

The Genetic Privacy Act does not concern unsolicited communication to consumers, but instead regulates the disclosure of a person’s DNA analysis.  The facts upon which the claim is based deal solely with Gene by Gene’s alleged improper disclosure of DNA test results on its public website and to third-parties.  The facts alleged in the complaint do not address the type of unsolicited seclusion invasion contemplated by the Exclusion.  Accordingly, the Underlying Lawsuit is not excluded from Gene by Gene’s policy coverage.  [Emphasis added.]

Id. at *6.  Because of this mismatch, the exclusion did not apply.

What this case means.  This case is interesting because it addresses a new twist on the TCPA exclusions.  Are cybersecurity claims next?  Some might herald this decision as a defeat for insurers and a scaling back of the exclusion.  My thought – not really.  The court construed the exclusion to address solely intrusion upon seclusion claims, which is not that remarkable – although, maybe unwarranted.  Yet, it is important to remember that by including violations of mere “law” within its scope, the form of the exclusion at issue was very broad – indeed, broader than many variants of the TCPA exclusion.  That distinction was not lost on the court, which believed (and perhaps rightly so) that the fundamental logic for applying the exclusion in the case before it would have eviscerated coverage under the policy’s “advertising injury and personal injury” insuring agreement.  The court also recognized a potential mismatch between the exclusion and the Genetic Privacy Act.  It’s an interesting observation.  However, by then, the Court already had made its decision.

This entry was posted in Data Breach Insurance Coverage, Privacy Rights.

THE NINTH CIRCUIT HOLDS THERE IS NO COVERAGE FOR VIOLATION OF THE SONG-BEVERLY ACT



This week, the United States Court of Appeals for the Ninth Circuit affirmed Big 5 Sporting Goods Corporation, a case in which the trial court had held that “personal and advertising injury” coverage did not exist for violation of California’s Song-Beverly Act, even where common law allegations of invasion of privacy were alleged in connection with the unlawful collection of ZIP Codes.  See Big 5 Sporting Goods Corporation v. Zurich American Ins. Co., No. 13-6249 (9th Cir. Dec. 7, 2015), affirming Big 5 Sporting Goods Corporation v. Zurich American Ins. Co., 957 F. Supp. 2d 1135 (C.D. Cal. 2013).

In Big 5, the insured was sued in multiple underlying class action lawsuits alleging invasion of privacy and violation of the Song-Beverly Act from the practice of requesting ZIP Code information during credit card transactions.  See Big 5 Sporting Goods, 957 F. Supp. 2d at 1138.  Some of the class actions alleged both violation of the Song-Beverly Act as well as common law negligence and invasion of privacy claims.  Id.  The insured sought coverage under “personal and advertising injury,” defined in part as injury arising out of “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy.”  Id. at 1140. 

The insurers argued that defense and indemnity coverage for the underlying actions was barred by the statutory violation exclusions, one of which barred coverage for “personal and advertising injury” “arising directly or indirectly out of” any act or omission that violates or is alleged to violate:

c. Any statute, ordinance or regulation, other than the TCPA or CAN–SPAM Act of 2003, that prohibits or limits the sending, transmitting, communicating or distribution of material or information. 

Id. at 1149.  The trial court agreed, and now, the Ninth Circuit has affirmed.

Perhaps the most significant component of the Ninth Circuit’s decision was that the allegations of common law claims, which were not accounted for in the statutory violation exclusion, nevertheless did not preclude application of the exclusion because the factual allegations did not assert actionable causes of action. 

Specifically, the insured argued that because some of the lawsuits alleged common law claims for invasion of privacy, for purposes of the duty to defend, the statutory violation exclusion could not apply.  Big 5, slip op., at 4.  The Ninth Circuit disagreed.  Holding that because “California does not recognize any common law or constitutional privacy causes of action for requesting, sending, transmitting, communicating, distributing, or commercially using ZIP Codes,” the Court concluded that the only possible claim for recovery was for penalties, not damages, under the Song-Beverly Act.  Id. at 45, citing Fogelstrom v. Lamps Plus, Inc., 195 Cal. App. 4th 986, 992 (2d Dist. 2011).  In Fogelstrom, the California Court of Appeal held that requesting ZIP Codes during credit card transactions does not assert an actionable claim for invasion of privacy, concluding that the action of “obtaining plaintiff’s address without his knowledge or permission, and using it to mail him coupons and other advertisements … is not an egregious breach of social norms, but routine commercial behavior.”  Fogelstrom, 195 Cal. App. 4th at 992. 

The Ninth Circuit also rejected the insured’s argument that the invasion of privacy and negligence claims were merely frivolous, and thus could not be discounted for purposes of the duty to defend because an insurance carrier has the duty to defend both meritorious and frivolous claims.  The Ninth Circuit distinguished frivolous claims from those that are not actionable, explaining that the privacy claims did not merely lack merit, they were not recognized under the law:

Under settled California law, they are not even recognized as cognizable causes of action, a status one step below “unmeritorious.”  Allowing Big 5’s fact pattern to rise to the level of a claim would require an insurance company to insure and defend against non-existent risks.

Id. at 6. 

Borrowing from Shakespeare, the Court similarly dispensed with the underlying negligence claims as mere “artful” pleading that could not circumvent an unambiguous policy exclusion:

Big 5’s negligence theory fares no better.  Just as a rose by another name is still a rose, so a ZIP Code case under any other label remains a ZIP Code case.  See Swain v. Cal. Cas. Ins. Co., 99 Cal. App. 4th 1, 8-9 (2002) (“A general boilerplate pleading of ‘negligence’ adds nothing to a complaint otherwise devoid of facts giving rise to a potential for covered liability.”).  As the district court recognized, the California Court of Appeal has discouraged the “artful drafting” of alleging superfluous negligence claims, saying to allow such a practice would inappropriately “erase exclusions in any policy.”  Fire Ins. Exch. v. Jimenez, 184 Cal. App. 3d 437, 443 n.2 (1986).

Id.

What does this case mean?  Like the Third Circuit in Urban Outfitters (also discussed in The Coverage Inkwell), a second United States Court of Appeals now has held that “personal and advertising injury” coverage does not exist for underlying allegations of unlawful ZIP Code collection.  A unique aspect to this decision, however, is that where an underlying action alleges a cause of action that is not recognized under the law, that cause of action cannot be used to implicate a duty to defend.

This entry was posted in Privacy Rights.

THIRD CIRCUIT HOLDS “PRIVACY” MEANS SECRECY, “PUBLICATION” MEANS DISSEMINATION TO PUBLIC, AND “IN ANY MANNER” DOES NOT CHANGE MEANING OF “PUBLICATION”



In OneBeacon Amer. Ins. Co. v. Urban Outfitters, 2015 WL 5333845 (3d. Cir. Sept. 15, 2015), the United States Court of Appeals for the Third Circuit held that three underlying class action lawsuits filed against Urban Outfitters and Anthropologie, Inc. did not allege “personal and advertising injury.”  The Third Circuit held that for Coverage B “oral or written publication, in any manner, of material that violates a person’s right of privacy,” (1) “privacy” refers only to the right of secrecy, not the right of seclusion; (2) “publication” requires dissemination of information to the public at large; and (3) “in any manner” does not modify or change the meaning of “publication” to a lesser standard.

In the spirit of full disclosure, I represented OneBeacon America in the litigation with my colleagues at White and Williams LLP.  The facts of the matter are straightforward.

Urban Outfitters and Anthropologie (collectively, “Urban Outfitters”) were sued in three separate class actions filed in California, Massachusetts, and the District of Columbia.  (The California class action was actually a consolidation of multiple class actions.)  In each action, plaintiffs alleged that Urban Outfitters wrongfully collected and used consumers’ ZIP codes and other data for marketing and purchase-tracking in violation of state statutes and privacy rights.  Urban Outfitters sought defense coverage for each lawsuit under “personal and advertising injury,” defined in part as “oral or written publication, in any manner, of material that violates a person’s right of privacy.”

In the first lawsuit, Hancock, the underlying complaint alleged that Urban Outfitters unlawfully collected consumers’ ZIP code information during credit card transactions in violation of District of Columbia statute.  Id. at *1.  By obtaining the consumers’ ZIP codes, Urban Outfitters was then able to obtain the consumers’ home and business addresses to use for marketing.  Id.  Urban Outfitters contended the exchange of data between the retailer and the consumers constituted a “publication” for purposes of “personal and advertising injury” coverage.  The Third Circuit disagreed and accepted the insurers’ arguments that “‘publication’ requires dissemination to the public.”  Id. at *2.  The court rejected the contention that the failure to define the term “publication” in the policy made the term ambiguous:

Although neither the policies nor the Pennsylvania Supreme Court have defined “publication,” that does not render the term ambiguous.  Rather, “[w]ords of common usage in an insurance policy are to be construed in their natural, plain, and ordinary sense, and we may inform our understanding of these terms by considering their dictionary definitions.”  Madison Constr. Co. v. Harleysville Mut. Ins. Co., 735 A.2d 100, 106 (PA. 1999).  The District Court cited three separate dictionary definitions of “publication,” all of which support the conclusion that “publication” requires dissemination to the public. [Emphasis added.]

Id.

Significantly, the Court also rejected the contention that the phrase “in any manner” changed the meaning of “publication”:

The fact that the policies specify that “publication” may be made “in any manner” does not alter the analysis; as the Eleventh Circuit correctly noted, the phrase “in any manner” “merely expands the categories of publication (such as e-mail, handwritten letters, and, perhaps, ‘blast-faxes’) covered by the [p]olicy,” but “cannot change the plain meaning of the underlying term ‘publication.’”  Creative Hosp. Ventures, Inc. v. U.S. Liab. Ins. Co., 444 F. App’x 370, 375 (11th Cir. 2011).  [Emphasis added.]

Id.

In the second lawsuit, Miller, the underlying complaint alleged that Urban Outfitters unlawfully collected consumers’ ZIP code information to use for marketing purposes, including to send unsolicited promotional materials and “junk mail.”  Id. at *3.  Noting that the Pennsylvania Superior Court has recognized that the privacy right contemplated in “personal and advertising injury” is the right to secrecy, not the right to seclusion, the Third Circuit concluded that Miller did not allege a violation of a person’s “right of privacy.”  Importantly, in reaching its conclusion, the Third Circuit rejected the contention that the consumers had a right of privacy in their ZIP codes, or that the lawsuit alleged violation of consumers’ rights to keep their addresses secret from the retailers:

[T]he factual allegations of the Miller complaint evince a concern with seclusion, and not secrecy. The complaint asserts that plaintiffs “have suffered an injury as a result of Defendant’s unlawful conduct by receiving unsolicited marketing and promotional materials, or ‘junk mail,’ from Defendant.” [Record citation omitted.] Although the complaint asserts that Urban Outfitters did collect plaintiffs’ ZIP code information, that information was collected allegedly “to identify the customer’s address and/or telephone number … to send unsolicited marketing and promotional materials.” . . .  Put simply, the complaint does not assert harms based on the plaintiffs’ interests in keeping their ZIP codes secret. Accordingly, it does not allege publication of material that violates a person’s “right to privacy” under the policies . . . .

Id.  at *4.

For the final lawsuit, Dremak, the Court held that the Recording and Distribution of Material of Information In Violation of Law exclusion barred coverage, because the lawsuit was brought under California’s Song-Beverly Credit Card Act.  Id. at *3.  The lawsuit originally had alleged common law claims, but those causes of action were dismissed without prejudice while the coverage litigation was pending in the Pennsylvania federal district court.  Urban Outfitters argued that the dismissal of those claims was not dispositive because the factual allegations supporting the common law claims remained in the complaint, and Pennsylvania law requires that the factual allegations, not the causes of action, determine an insurer’s duty to defend.  Id.  The Court rejected the argument because the same alleged facts that gave rise to the common law claims also alleged the statutory violations.

[T]he Court looked to the factual allegations of the complaint in determining that the complaint alleged “action[s] or omission[s]” that were alleged to violate the Song–Beverly Credit Card Act.  The fact that those same “action[s] or omission[s]” were also alleged to give rise to common law claims (claims that were dismissed) is irrelevant to the analysis.  [Emphasis added.]

Id.

What does this case mean?  This decision is a significant one.  It is one of only a few appellate-level decisions holding that (1) “publication” requires dissemination to the public at large, and (2) “right of privacy” means the right of secrecy, not the right of seclusion.  The decision is only the second to address and debunk the myth that the phrase “in any manner” changes the meaning of “publication” in Coverage B.

This entry was posted in Privacy Rights.

NEW YORK’S HIGHEST COURT SAYS COVERAGE FOR LOSS FROM “FRAUDULENT ENTRY” INTO COMPUTER SYSTEM LIMITED TO HACKING



A source of computer fraud is the rogue employee or authorized user who abuses access to a network system for unlawful purposes.  Readers of The Coverage Inkwell will know that the Inkwell has addressed the meaning of unauthorized access in the context of cyber insurance for a few years.

In the context of the Computer Fraud and Abuse Act, 18 U.S.C. §1030, the United States Court of Appeals for the Ninth Circuit, in U.S. v. Nosal, 676 F.3d 854 (9th Cir. 2012), in essence limited the meaning of “exceeds authorized access” to hackers, not inside corporate personnel accessing a computer network for unauthorized (i.e., illegal) purposes.  Yesterday, the New York Court of Appeals, in Universal American Corp. v. National Union Fire Ins. Co. of Pittsburgh, PA, 2015 N.Y. Slip Op. 05516, 2015 WL 3885816 (N.Y. June 25, 2015), held that the phrase “fraudulent entry” into a computer system was limited to instances of outside hackers, not fraudulent content submitted by authorized users.

In the case, the insured Universal American Corp. (“Universal”) was a health insurance company that offers a choice of federal government-regulated alternatives to Medicare, known as medical advantage plans.  (Please note, because the decision was published only yesterday, page references currently are unavailable.)  Universal had a computerized billing system that allowed health care providers to submit bills for the medical advantage plans directly into the system.  A majority of such claims were approved and paid by Universal automatically and without manual review.  Universal ultimately suffered over $18 million in losses for payments of fraudulent claims for services that were never performed under the plans.

Universal sought coverage under an insurance policy, which provided coverage by endorsement for computer systems fraud.  The endorsement stated as follows:

COMPUTER SYSTEMS

It is agreed that:

  1. the attached bond is amended by adding an Insuring Agreement as follows:

COMPUTER SYSTEMS FRAUD

Loss resulting directly from a fraudulent

(1) entry of Electronic Data or Computer Program into, or

(2) change of Electronic Data or Computer Program within the Insured’s proprietary Computer System

provided that the entry or change causes

(a) Property to be transferred, paid or delivered,

(b) an account of the insured, or of its customer, to be added, deleted, debited or credited, or

(c) an unauthorized account or a fictitious account to be debited or credited[.]  (Emphasis added)

The insurer denied coverage on the ground that the endorsement did not cover Medicare fraud, i.e., losses from payment for fraudulent claims submitted by authorized health care providers.

In the ensuing coverage litigation, the trial court granted the insurer summary judgment.  Focusing on the words “fraudulent,” “entry,” and “change,” the court concluded that coverage did not extend to fraudulent claims entered into Universal’s system by authorized users; instead, coverage extended only to unauthorized entries into the computer system by a hacker or through a computer virus.  The New York Appellate Division affirmed, stating that the policy did not cover fraudulent content entered by authorized users, but instead covered “wrongful acts in manipulation of the computer system, i.e., by hackers.”

The New York Court of Appeals affirmed, holding that the policy endorsement was clear and unambiguous.  The Court held that the policy “unambiguously applies to losses incurred from unauthorized access to Universal’s computer system, and not to losses resulting from fraudulent content submitted to the computer system by authorized users.”  The Court based its conclusion on the fact that the term “fraudulent” modified the terms “entry” or “change” to mean that coverage applied to a dishonest entry or change of electronic data or computer program by “hacking” into the computer system:

The term “fraudulent” is not defined in the Rider, but it refers to deceit and dishonesty (see Merriam Webster’s Collegiate Dictionary [10th ed. 1993] ).  While the Rider also does not define the terms “entry” and “change,” the common definition of the former includes “the act of entering” or “the right or privilege of entering, access,” and the latter means “to make different, alter” (id.).  In the Rider, “fraudulent” modifies “entry” or “change” of electronic data or computer program, meaning it qualifies the act of entering or changing data or a computer program.  Thus, the Rider covers losses resulting from a dishonest entry or change of electronic data or computer program, constituting what the parties agree would be “hacking” of the computer system.  The Rider’s reference to “fraudulent” does not also qualify what is actually acted upon, namely the “electronic data” or “computer program” itself.  [Emphasis added.]

According to the Court, “[t]he intentional word placement of ‘fraudulent’ before ‘entry’ and ‘change’ manifests the parties’ intent to provide coverage for a violation of the integrity of the computer system through deceitful and dishonest access.”

In so holding, the Court rejected Universal’s argument that “‘fraudulent entry’ means ‘fraudulent input’ because a loss due to a fraudulent entry by necessity can only result from the input of fraudulent information.”  The Court reasoned that such a conclusion would render the words “a” and “of” in the sentence “a fraudulent (1) entry of Electronic Data or Computer Program into” superfluous:

This would render superfluous the word “a” before “fraudulent,” and the word “of” before “electronic data or computer program.” Universal’s proposed interpretation is easily achieved by providing coverage for a “loss resulting directly from fraudulent data.”  Of course, that is not what the [endorsement] says.

Because the losses suffered by Universal were not the result of hacking, there was no coverage under the policy.

Questions are welcome.

This entry was posted in Data Breach Insurance Coverage, Privacy Rights.

PENNSYLVANIA COURT REFUSES TO IMPOSE NEW DUTY ON EMPLOYERS TO PROTECT PII FROM DATA BREACHES



A common allegation in cyber security data breach litigation is that the data breach victim breached its duty of care in failing to adequately protect plaintiffs’ personal identification information (“PII”) from a data breach.  Very recently, the Pennsylvania Court of Common Pleas of Allegheny County in Dutton v. UPMC, No. GD-14-003285 (May 28, 2015), dismissed such a claim, refusing requests to create a new duty of care on an employer who suffered a data breach resulting in the compromise of its employees’ PII.  In so holding, the court reasoned that to create such a duty would place too heavy of a burden on corporate entities already incentivized to protect PII.  It also would inundate the judiciary with a flood of litigation.  The court instead looked to the state legislature to determine whether to impose this obligation.

In the case, the plaintiffs filed a putative class action on behalf of current and former employees of the University of Pittsburgh Medical Center (“UPMC”) whose PII had been stolen from UPMC’s computer systems.  Plaintiffs alleged that UPMC owed a duty to protect their PII and had breached that duty under theories of negligence and breach of contract.  Dutton v. UPMC, No. GD-14-003285, slip op., at 1-2.  Duties allegedly owed by UPMC included:

  • The duty to design, maintain, and test its security systems to protect against data breaches;
  • The duty to implement processes to detect security breaches “in a timely manner”;
  • The duty “to adopt, implement, and maintain adequate security measures”; and
  • The duty to satisfy “widespread industry standards relating to data security.”

Id. at 2-3.

Addressing the negligence claim first, the court concluded that because the alleged damages were economic only, under the economic loss doctrine, no cause of action based on negligence could exist.  Id. at 4.  Therefore, the claim was dismissed.  (The court also dismissed the breach of contract claim based on the lack of evidence that a contract existed, id. at 11-12, but the court’s discussion of the negligence claim is where the really interesting read is found.)

To save their case, Plaintiffs contended that a special duty should be imposed upon UPMC to protect employees’ PII.  Id. at 5.  The court refused to do so, concluding that to impose such a duty as a means to combat the widespread problem of data breaches could overwhelm the judiciary and ill-serve the public interest:

Plaintiffs’ proposed solution is the creation of a private negligence cause of action to recover actual damages, including damages for increased risks, upon a showing that the plaintiffs confidential information was made available to third persons through a data breach.

The public interest is not furthered by this proposed solution.  Data breaches are widespread. They frequently occur because of sophisticated criminal activity of third persons.  There is not a safe harbor for entities storing confidential information.  The creation of a private cause of action could result within Pennsylvania alone of the filing each year of possibly hundreds of thousands of lawsuits by persons whose confidential information may be in the hands of third persons.  Clearly, the judicial system is not equipped to handle this increased caseload of negligence actions.  Courts will not adopt a proposed solution that will overwhelm Pennsylvania’s judicial system.

Id. at 6.

The court also expressed concern over the lack of consensus standards for defining “adequate” security.  Id.  Litigation and “expert” testimony, the court observed, “is not a viable method for resolving the difficult issue of the minimum requirements of care that should be imposed in data breach litigation, assuming that any minimum requirements should be imposed.”  Id.  The court also worried that to create a new duty could place too heavy of a burden on companies already incentivized to combat data breaches:

Under plaintiffs’ proposed solution, in Pennsylvania alone, perhaps hundreds of profit and nonprofit entities would be required to expend substantial resources responding to the resulting lawsuits.  These entities are victims of the same criminal activity as the plaintiffs.  The courts should not, without guidance from the Legislature, create a body of law that does not allow entities that are victims of criminal activity to get on with their businesses.

Id. at 6-7.

Finally, the court concluded that the issue was best left to the legislative branch, not a single jurist:

I cannot say with reasonable certainty that the best interests of society would be served through the recognition of new affirmative duties of care imposing liability on health care providers and other entities electronically storing confidential information, the financial impact of which could even put these entities out of business.  Entities storing confidential information already have an incentive to protect confidential information because any breach will affect their operations. An “improved” system for storing confidential information will not necessarily prevent a breach of the system.  These entities are also victims of criminal activity.

It is appropriate for courts to consider the creation of a new duty where what the court is considering is sufficiently narrow that it is not on the radar screen of the Legislature. . . . However, where the Legislature is already considering what courts are being asked to consider, in the absence of constitutional issues, courts must defer to the Legislature.

Id. at 7-8.

Because “[t]he only duty that the General Assembly has chosen to impose as of today is notification of a data breach,” the court concluded that it should not create a new, additional duty on employers.  Id. at 10.  Quoting from the Illinois Court of Appeals in Cooney v. Chicago Pub. Sch., 934 N.E.2d 23, 28-29 (Ill. Ct. App. 2010), the court stated:

While we do not minimize the importance of protecting this information, we do not believe that the creation of a new legal duty beyond legislative requirements already in place is part of our role on appellate review.  As noted, the legislature has specifically addressed the issue and only required the [defendant] to provide notice of the disclosure.

Id. at 10 (emphasis in original).

Thus, according to the Pennsylvania Court of Common Pleas, Allegheny County, the ball is in the court of the Pennsylvania General Assembly to determine whether the duty to protect employees’ PII from data breaches should be placed on employers.

What this case means.  Where should the responsibility (burden?) of protecting personal identification information from data breaches lie, and what are the standards by which to measure compliance with that responsibility?  These are straightforward questions that Judge Wettick asked, and for which he found no definitive answers sufficient to convince him to recognize a legal duty assigning the responsibility of protecting employee PII to employers.

Should the Pennsylvania General Assembly enact legislation creating an affirmative duty on employers to protect employees’ PII from data breaches, the duty would be state-specific, much like the data breach notification statutes currently in force across the country.  Other jurisdictions may address the issue differently.  Courts in other states, for instance, may recognize a duty on employers outright rather than deferring to the legislative branch, or may recognize a duty on employers to protect PII as an inherent component of a preexisting statute.  This area of law continues to develop rapidly.

I’d like to thank Laura Schmidt, an associate at White and Williams, for her invaluable assistance with this piece.

This entry was posted in Data Breach Insurance Coverage, Privacy Rights.

In IBM Data Breach Case, There Can Be No Publication Without Access


In Recall Total Info. Management, Inc. v. Federal Ins. Co., No. SC 19291, the Connecticut Supreme Court upheld the appellate court’s decision that a data breach suffered by IBM was not covered under general liability policies’ “personal and advertising injury” coverage.

In that case, Recall Total had contracted with IBM to transport off-site and store computer tapes containing the encrypted personal information of current and former IBM employees.  Recall then subcontracted the transportation services to Ex Log.  Ex Log lost the computer tapes when they fell from Ex Log’s truck onto the roadside and were retrieved by an unknown individual.  Importantly, there was no evidence that anyone ever accessed the information on the tapes or that their loss caused injury to any IBM employee.  Nevertheless, IBM spent significant sums of money providing identity theft services and complying with state notification requirements.  IBM sought to recoup its losses from Recall Total and Ex Log.

Recall Total and Ex Log, in turn, sought recovery from their general liability insurers, which had issued general liability policies providing “personal and advertising injury” coverage.  “Personal and advertising injury” was defined in part as “injury . . . caused by an offense of . . . electronic, oral, written or other publication of material that . . . violates a person’s right of privacy.”  The trial court held that coverage was not implicated by the events, and the appellate court affirmed, see 83 A.3d 664 (Conn. App. Ct. 2014).

The Connecticut Supreme Court affirmed on the basis that there was no alleged “publication.”  In doing so, the court adopted in whole the appellate court’s decision, stating:

Because the Appellate Court’s well reasoned opinion fully addresses the certified issue, it would serve no purpose for us to repeat the discussion contained therein.  We therefore adopt the Appellate Court’s opinion as the proper statement of the issue and the applicable law concerning that issue.

Some may recall that, because there was no evidence that the IBM employees’ PII had been accessed, the appellate court declined to expound upon the meaning of “publication.”  Instead, the court concluded that without access to the information, there was no “publication” under any definition of the term:

Regardless of the precise definition of publication, we believe that access is a necessary prerequisite to the communication or disclosure of personal information. In this regard, the plaintiffs have failed to provide a factual basis that the information on the tapes was ever accessed by anyone.

See 83 A.3d at 672-73.

Further bolstering the court’s conclusion was the fact that the parties had stipulated that none of the IBM employees affected had been injured.  The court stated: “Moreover, because the parties stipulated that none of the IBM employees have suffered injury as a result of the tapes being lost, we are unable to infer that there has been a publication.”  Id. at 673.  (See also The Coverage Inkwell, 1/16/2014.)

Finally, the Connecticut Supreme Court’s holding also affirms the appellate court’s determination that costs incurred in complying with data breach notification statutes do not implicate “personal and advertising injury” coverage.

What this case means: It is very simple.  If there is no evidence that the information was accessed, or that it was capable of being accessed, there is no publication.  This decision will be especially significant in the underlying factual context of lost or stolen laptops that contain encrypted corporate data and PII, where, as with the encrypted tapes in Recall Total, the question of whether anyone could actually have read the data bears directly on whether a “publication” occurred.

This entry was posted in Data Breach Insurance Coverage, Privacy Rights.