Category Archives: Privacy Rights

SONY DATA BREACH COVERAGE LITIGATION SETTLES


This entry was posted by on .

As reported in news outlets, including Law360, Sony and its insurers have settled their data breach coverage litigation, two months after the New York appellate division heard oral argument.

Sony had sought coverage for numerous data breach class action lawsuits filed against it following the 2011 data breach into its PlayStation network.  Its general liability policies provided personal and advertising injury coverage for oral or written publication, in any manner, of material that violates a person’s right to privacy.  The trial court held that the insurers had no duty to defend because coverage applied only for violations of privacy committed by Sony, as the policyholder, and not by third parties who hacked into Sony’s network and stole personally identifiable information (“PII”).

The decision had other important aspects, often overlooked.  Analogizing the issue to the opening of Pandora’s Box, the trial court held that there mere accessing of information by the hackers constituted a “publication” under general liability policies.  The trial court also held that the phrase “in any manner” does not alter the meaning of the term “publication.”  Finally, the court held that in order for the “Insureds in Media and Internet Type of Business” exclusion to apply, the insured in question must solely be a content or service provider and not engage in other forms of business.  Here, because Sony engaged in other forms of business, the exclusion did not apply.

A more detailed discussion of the Sony decision may be found in an earlier Coverage Inkwell post located at: http://thecoverageinkwell.com/three-missed-takeaways-from-the-sony-data-breach-case/

My take is that the affect of the Sony settlement will be measured. For one thing, looking long term, the new personal data exclusions in CGL policies should shut the door on data breach coverage, to the extent it ever existed in the first place.  Second, Sony is a trial court decision without a written opinion, and the market already is shifting to cyber insurance.

Sony’s true legacy lay in the case’s publicity.  Sony showed that companies cannot look to general liability policies to cover data breaches.  They need to get cyber insurance.  The case was a Super Bowl ad for cyber liability insurance. That, and perhaps Target, showed companies that they have to get it.

Looking back, people will see Sony as the first big data breach coverage case.  It won’t be the last.

This entry was posted in Data Breach Insurance Coverage, Privacy Rights and tagged , .

TWO RECENT TCPA CASES: A LOOK AT HOW THEY CAN AFFECT PRIVACY LITIGATION


This entry was posted by on .

Last week saw two separate Telephone Consumer Protection Act (“TCPA”) decisions in which federal district courts, one for the Eastern District of Pennsylvania, the other for the Northern District of Illinois, held no coverage existed for underlying TCPA litigation.  The decisions’ results were not surprising, as TCPA coverage claims have been wilting like Wisconsin’s lead over Duke in last night’s final.  What is interesting in the cases, Auto-Owners Ins. Co. v. Stevens & Ricci, Inc., No. 12-7228, 2015 WL 1456085 (E.D. Pa. Mar. 31, 2015) and Addison Automatics, Inc. v. Hartford Cas. Ins. Co., No. 13-1922, slip op. (N.D. Ill. Mar. 31, 2015), is that the courts reached their decisions on different bases.  The reasoning behind each basis can apply to other privacy litigation.

In Stevens & Ricci, the insured was sued in a class action for faxing over 18,000 unsolicited fax advertisements in violation of the TCPA, 47 U.S.C. § 227.  The underlying litigation alleged, among other claims, that the unsolicited faxes violated the privacy rights of class members who received them.  Id. at *1.  The insured’s policy defined “personal injury” and “advertising injury” in part as “oral or written publication of material that violates a person’s right of privacy.”  Id. at *2-3.

The insurer argued that because the underlying complaint did not plead a cause of action for invasion of privacy, there was no coverage because the policy provided coverage only for the tort.   In the alternative, the insurer argued that even if the tort were alleged, the underlying action did not implicate coverage.  Although the invasion of privacy claim entails four separate torts, the privacy right covered under insurance policies contemplates the right to secrecy only.  Id. at *8.  Because TCPA litigation implicated the privacy right of seclusion, and not the right of secrecy, there was no coverage.  Id.

The trial court agreed with the second argument and explained:

No coverage exists for “advertising injury,” as determined by the Third Circuit, this District Court, and the Pennsylvania courts which have so held because the type of privacy violation covered by insurance policies such as the Auto–Owners Policy—privacy interests in secrecy—are not violated by “junk” faxes.

* * *

In this case, Stevens & Ricci hired a third party to send out the faxes. Each court that concluded that privacy interests in secrecy are not violated by junk faxes holds that such violations are violative of the right of seclusion, even when it is alleged that a policyholder hired a third-party vendor, and the third-party vendor was responsible for sending the problematic faxes.  [Citations omitted.]  Accordingly, there is no coverage under the Auto–Owners Policy because the privacy interests in secrecy are not violated by the junk faxes sent out by Hymed.

Id. at *8-9.

In Addison Automatics, the insured was sued in a class action for violation of the TCPA, the Illinois Consumer Fraud Act and Deceptive Business Practices Act, and common law conversion following its involvement in a blast-faxing campaign.  The underlying action settled and the class pursued claims under assignment against the insured’s insurance carrier.  Addison Automatics, slip op., at 1, 3.

Two different policies were at issue, each containing a “Violation of Statutes That Govern E-Mails, Fax, Phone Calls or Other Methods of Sending Material or Information” exclusion.  Id. at 5, 7.  The exclusions barred coverage for claims “arising directly or indirectly out of any action or omission that violates or is alleged to violate . . . . the Telephone Consumer Protection Act.”  Id.  The claimants argued that the exclusions did not bar coverage because many of their claims did not involve the TCPA or any other statute that prohibited a method of sending material or information.   Id. at 14-15.  In particular, the claimants argued that because their conversion claims had nothing to do with any statute, the exclusions could not apply.  Id.

I encounter this argument often in the context that such exclusions do not apply to common law claims for invasion of privacy.  The argument has a fatal flaw – it ignores the “arising out of” language contained in the exclusion.  Here, the Addison Automatics court recognized that flaw.  Explaining that a court must focus upon the language of the policies, and not “peer[] myopically at the elements of” underlying causes of action, the court held that the exclusions barred coverage because the common law conversion claims involved injuries from conduct that violated the TCPA:

A close reading of the exclusionary provisions reveal that their focus is not on the legal elements of a particular claim asserted by the underling plaintiff, but the factual cause of the “bodily injury” and “property damage” that is alleged in the underlying complaint.  So long as the injury and damage alleged in the operative complaint “arises directly or indirectly out of any action or omission that violates or is alleged to violate” the TCPA, the claims asserting the injury (whatever the particular legal theory may be) falls within the purview of the exclusions.  This is what the language of the exclusionary provisions require.

Id. at 14-15.

What Do These Cases Mean?  The real value in these cases is found in the reasoning behind the decisions.  Stevens & Ricci shows that “privacy” is more than a buzz word to guarantee coverage.  Some jurisdictions assign a limited meaning to the phrase “right of privacy” found in business and general liability policies, and a court should examine the factual allegations of an underlying complaint to ascertain exactly what privacy interests are implicated in the case.  Sometimes those interests are not covered.  In Addison Automatics, the court correctly focused on the broad language of the exclusions at issue and the underlying factual allegations, not the elements of the causes of action pleaded in the underlying complaint.

The reasoning on both these cases can apply to coverage actions involving privacy rights, including ZIP code lawsuits, the collection and use of consumer data, unauthorized surveillance, and cyber/data breach cases.  Feel free to email me with any questions.

This entry was posted in Privacy Rights and tagged .

Dude, Where’s My Car?


This entry was posted by on .

Here is a story almost as startling as the movie Dude, Where’s My Car? is bad.  According to news reports, millions of cars and trucks are vulnerable to hacking through wireless technologies that could jeopardize driver safety and privacy.  A congressional report, overseen by Sen. Ed Markey, D-Massachusetts, concludes that vehicles are vulnerable to hacking through wireless networks, smart phones, and “infotainment” systems like OnStar.

Sen. Markey cited studies showing that hackers can access controls of some vehicles, causing them to accelerate, turn, brake, sound the horn, control the headlights, and/or modify speedometer and gas gauge readings.   Also of note are additional concerns regarding information in navigation systems, which can record and send location or driving history information.  According to Sen. Markey, security measures used by automakers, such as identification codes and radio frequencies, can be identified and rewritten or bypassed.

Sen. Markey’s report is not the only announcement.  On CBS News’ “60 Minutes,” a segment showed how vehicles can be remotely hacked.  Just last month, BMW AG said it had patched a security flaw that could have allowed up to 2.2 million BMWs, Minis, and Rolls-Royces to have their doors remotely opened by hackers.

Here are some links for further reading on the issue:

http://money.cnn.com/2014/06/01/technology/security/car-hack/

http://www.theguardian.com/business/2015/feb/09/most-cars-vulnerable-hacking-privacy-intrusions-senate-report

http://www.cnbc.com/id/101123279#.

 

This entry was posted in Privacy Rights and tagged , .

Medical Records, The Internet, and A “Publication”


This entry was posted by on .

Last week, the federal District Court in Virginia issued a quasi security/data breach coverage case where the court concluded that making private medical records accessible online constituted a publication even though there was no evidence that a third party had accessed them.  Travelers Indem. Co. of Am. v. Portal Healthcare Solutions, LLC, No. 13-917, 2014 WL 3887797 (E.D. Va. Aug. 7, 2014).  The mere fact that the records were accessible satisfied the plain and ordinary meaning of the term “publication” to implicate the duty to defend.  What makes this decision noteworthy is how the Court distinguished the case before it from other decisions limiting the meaning of the term “publication.”  Given that many healthcare providers are introducing “online” services for medical records, brokers and underwriters also may want to take note of this decision. 

Portal Healthcare Solution (“Portal”) was a business specializing in the electronic safekeeping of medical records for hospitals, clinics, and other medical providers.  Id. at *1.  A New York putative class action was filed against it, alleging that Portal had failed to safeguard confidential medical records of patients at Glen Falls Hospital (“Glen Falls”), posting those records on the internet and causing them to become publicly accessible on the internet.  Id.  Two patients of Glen Falls discovered the breach when they ran a Google search of their names, and found links that directed them to their Glen Falls medical records.  Id. at *2.  (Honestly, how many of you are now going to Google your name?  I did.) 

Travelers issued two policies, each having slightly different language.  One provided coverage for damages because of injury arising from (1) the “electronic publication of material that … gives unreasonable publicity to a person’s private life”; the other provided coverage for injury arising from the “electronic publication of material that … discloses information about a person’s private life.”  Id. at *1. 

Because the term “publication” was undefined in the policies, the court looked to dictionary definitions to ascertain its “plain and ordinary meaning.”  Id. at *4.  The Court concluded that the meaning of “publication” includes “to place before the public (as through a mess medium).”  Id.  The Court thereafter held that making the medical records accessible satisfied this meaning:

Exposing medical records to the online searching of a patient’s name, followed by a click on the first result, at least “potentially or arguably” places those records before the public.  Any member of the public could retrieve the records of a Glen Falls patient, whether he or she was actively seeking those records or searching a patient’s name for other purposes, like a background check.  Because medical records were placed before the public, the Court finds that Portal’s conduct falls within the plain meaning of “publication.”

Id. at *4.       

The Insurer argued that there was no “publication” because there was no evidence that a third party had accessed or viewed the medical records at issue.   Instead, the only evidence that existed was that the claimants themselves had accessed their own medical records.  Id.  The Court disagreed, analogizing the situation to displaying a book at Barnes & Nobel: 

Publication occurs when information is “placed before the public,” not when a member of the public reads the information placed before it.  By Travelers’ logic, a book that is bound and placed on the shelves of Barnes & Noble is not “published” until a customer takes the book off the shelf and reads it.  Travelers’ understanding of the term “publication” does not comport with the term’s plain meaning, and the medical records were published the moment they became accessible to the public via an online search. 

Id. at *5 (emphasis added).

The Court also distinguished the case before it from others.  Creative Hospital Adventures, inc. v. U.S. Liab. Co., 444 Fed App’x 370 (11th Cir. 2011) and Whole Enchilada, Inc. v. Travelers Prop. Cas. Co. of Am., 581 F. Supp. 2d 677 (W.D. Pa. 2008) were distinguishable because there the information had been directly disclosed to a single person. In contrast, with the case before it, “the medical records were given not only to the patients but to anyone with a computer and internet access.”  Id.

Recall Total Info. Mgmt., Inc. v. Federal Ins. Co.., 83 A.3d 664 (Conn. Ct. App. 2013) was distinguishable because in the case before it, “the information was posted on the internet and thus, was given not just to a single thief but to anyone with a computer and internet access.”  Id.  (As an aside, and as discussed in a prior issue of The Coverage Inkwell, the court in Recall Total also emphasized that there was no evidence that anyone had the ability to access the information in the lost media tapes – a very different factual scenario than the one represented in Portal Healthcare.) 

What this case means.  Placing information online constitutes a “publication,” whether or not there are assertions that a third party accessed the information.  “Publication occurs when information is ‘placed before the public,’ not when a member of the public reads the information placed before it.”  Admittedly, it’s hard to argue against the point, and other courts likely will reach similar conclusions.  In my opinion, the real value of this decision is how the Court distinguished this case from other decisions that had held there was no publication without criticizing those decisions or calling them into question. 

Questions are welcome.

This entry was posted in Data Breach Insurance Coverage, Privacy Rights, Uncategorized and tagged .

Are “Right of Privacy” and “Person” Ambiguous? New York Weighs In


This entry was posted by on .

Last week, I vacationed in beautiful Cooperstown, NY, where I watched baseball in stadiums built to resemble early 20th century ballparks, visited the Baseball Hall of Fame, and enjoyed scenic views of the green Catskill Mountains.  Oh, and there’s the Ommegang brewery, too.  During that week, I was totally free of daily faxes promoting low-budget roof repairs, instant credit for business loans, and vacation hideaways in Cancun.  So, what a return to reality it was to see Tower National Ins. Co. v. National Business Capital, Inc., No. 155786/2012, 2014 WL 3728500 (N.Y. Supr. Ct. July 28, 2014), a case addressing the meaning of “right of privacy” in the context of blast faxes.  Thanks (or maybe not) to Roberta Anderson at K&L Gates for bringing this case to my attention as I returned back to the 21st century.

The underlying lawsuit was a putative class action seeking damages for National Business Capital’s (“NBC”) alleged blast faxing in violation of the TCPA and Connecticut’s version of the statute.  NBC sought coverage under its CGL policy for “personal and advertising injury” under “[o]ral or written publication, in any nature, of material that violates a person’s right of privacy.”  Id. at *1-2.  The issue was one of first impression in New York.  (NBC also contended that the underlying action alleged “property damage,” but the court held that the complaint did not allege an “occurrence” to implicate coverage under Coverage A.  Id. at *4.)

Tower National argued that the phrase “the right of privacy” in the definition for “personal and advertising injury” means rights of secrecy only, and does not contemplate the right of seclusion to implicate coverage for TCPA litigation.  Id. at *5.  The insurer also argued that “to the extent privacy includes that right of seclusion, the right to privacy would not include fax blasting since it is not the type of intrusion that ‘would be highly offensive to a reasonable person’” under the Restatement (Second) of Torts, §652.  Id.

 The court disagreed.  Citing dictionary definitions, the New York trial court held that, at best, the term “privacy” was ambiguous and included rights to seclusion.  Thus, the TCPA lawsuit implicated coverage under the policy:

 The term privacy is ordinarily understood to mean “seclusion or isolation from the view of, or contact of others.”  Webster New College Dictionary 880 (2001).  Black’s Law Dictionary 1325 (7th ed. 1999) defines the right of privacy as “the right to personal autonomy” or “the right of a person and the person’s property to be free from unwarranted public scrutiny or exposure.” Here, given that the phrase “right of privacy” is susceptible to at least two reasonable interpretations, the court finds that the phrase is ambiguous and thus must be construed in favor of coverage. . . . Accordingly, the court finds that “privacy right” includes the injury alleged in the underlying action resulting from NBC’s sending of unsolicited faxes in alleged violation of the TCPA and the Connecticut statute.

 Id. at *5.

 The court also rejected the argument that the context of the right of privacy offense in the definition for “personal and advertising injury” restricted the meaning of “privacy” to rights of secrecy.  Id. at *6.  Noting the definition for “personal and advertising injury” includes numerous torts within the enumerated offenses, the court concluded that the phrase “right of privacy” referred to the tort for “invasion of the right of privacy,” which includes the right to seclusion.

 Finally, the court distinguished the case before it from the New York appellate court’s recent decision in Sports Specialties, Inc. v. Twin City Ins. Co., 116 A.D.3d 1270 (N.Y.A.D. 2014), which had held that the phrase “right of privacy” was limited to natural persons and did not include the rights of corporations.  Here, the trial court held that the “right of privacy” applied to both persons and companies.

 The New York trial court rejected the reasoning in Sports Specialties that use of the term “person,” coupled with the omission of the term “organization,” in the “right of privacy” offense signaled that the policy only contemplated an individual’s right of privacy.  Id. at *7-8.  The court based its reasoning on the observation that “with the exception of the wrongful eviction or invasion of the occupancy offense, which refers to a person, the other clauses in the provision either omit any reference to a person or organization or use the term ‘another.’”  Id.

 According to the trial court, the Sports Specialties decision was not based on the omission of the term “organization,” but instead on the nature of the claims asserted against plaintiff.  In doing so, the trial court noted the following observation by the appellate division:  “[a]lthough parties debate whether [the umbrella] policy draws as clear a distinction between the terms at issue, this issue need not detain us because plaintiff’s actions—tortious interference with contract and business relations, unfair and deceptive trade practices and misappropriation of trade secrets—do not constitute a violation of ‘person’s right of privacy’ within the meaning of [the subject policies].”  Id. at *7.  That this observation by the appellate only had applied to one of the policies before it, however, did not seem to matter to the trial court.

 Finally, the trial court also noted that the “right of privacy” offense in the CGL policy at issue in Sports Specialties had been “sandwiched between two other offenses … that make express reference to misdeeds perpetrated against either a person or an organization.”  Id.  That was not the case in the policy before it:

 [W]hile the clause before the violation of privacy offense, relating to libel and disparagement refers to an organization and a person, the following clause does not and, instead, refers to “the use of another’s advertising idea in your advertising.”  The next clause similarly refers to “[i]nfringing on another’s copyright, trade dress or slogan in ‘your advertisement.’” 

Id.  The court also noted that the underlying class likely contained individuals as well.  Id.

What does this case mean?  For now, New York has joined the collection of states holding that TCPA litigation implicates “personal and advertising injury” coverage.  The court’s use of the common law tort for “invasion of privacy” to broaden the meaning of “privacy” to include rights of seclusion is interesting considering that New York does not recognize the common law invasion of privacy.

However, the court’s conclusion that the term “person” is ambiguous to broaden coverage to privacy rights held by companies likely is suspect.  For one, the court’s reasoning now makes terms such as “your” and “organization” within the definition for “personal and advertising injury” superfluous.  (Never mind that the term “your” is defined in the preamble to Section I of CGL policies.)  In addition, the court’s focus on the appellate division’s isolated remark in Sports Specialties unjustly limits the decision.  And its observation that the putative class members potentially included individuals arguably makes the court’s entire analysis of the issue moot.

This entry was posted in Privacy Rights, Uncategorized.

COVERAGE B: A Person Is Not A Company


This entry was posted by on .

Here’s an interesting question:  does “oral or written publication of material that violates a person’s right of privacy” include privacy rights of a corporation?  (And, yes, some courts believe that business have rights of privacy, including the right of seclusion.  E.g., Park Univ. Enters., Inc. v. Am. Cas. Co. of Reading, Pa., 442 F.3d 1239, 1247 (10th Cir. 2006); Owners Ins. Co. v. European Auto Works, Inc., 2011 WL 3847469, at *3 (D. Minn. Aug. 30, 2011).)

This is not a mere “if a tree falls in the woods…” type of question, for the answer can have a significant impact on litigation as rights of privacy claims become more boilerplate, whether in the context of cyber liability, claims of unlawful collection of PII, or media/mass marketing lawsuits.  This week, in Sportsfield Specialties, Inc. v. Twin City Fire Ins. Co., — N.Y.S.2d –, 2014 WL 1491514 (N.Y.A.D., 3d Dep’t Apr. 17, 2014), the New York Appellate Division addressed the issue as a matter of first impression, holding that “oral or written publication of material that violates a person’s right of privacy” in a general liability policy does not include a corporation’s right of privacy.  The court reasoned its decision on the wording of the definition for “personal and advertising injury.”

In Sportsfield, plaintiff, a sports equipment company, hired a competitor’s employee who was subject to a non-compete agreement and an electronic rights agreement that imposed various restrictions upon him, including the use/dissemination of proprietary information.  Id. at *1.  The competitor commenced litigation, alleging tortious interference with contract and business relations, unfair and deceptive trade practices, and misappropriation of trade secrets.  The insured’s CGL carrier denied coverage; the insured never provided notice to its umbrella carrier.  The underlying action went to verdict, where a jury held the insured liable for $3.2 million.  Id.  Sportsfield then contacted both its CGL and umbrella carrier for indemnity coverage, and commenced coverage litigation shortly thereafter.  Id.

The CGL policy defined “personal and advertising injury” to include injury arising out of both the insured’s “[o]ral or written publication of material that violates a person’s right of privacy.”  The umbrella carrier had a similar definition for “advertising injury.”  Id. at *2.  The insured argued that the term “person” included both individuals and corporations, and that the misdeeds alleged in the underlying complaint broadly implicated its competitor’s “right of privacy.”  Id.  The New York trial court rejected the argument, and the Appellate Division affirmed.

As a general matter, the Appellate Division agreed with the insured that the term “person” can be construed broadly to include both persons and corporations.  However, the court flatly rejected the insured’s argument that the general definition for “person” was the issue before it.  Id.  Instead, the court explained that the issue of the case was whether the term “person” can “reasonably be construed to include a corporate entity” when read “in the context of the underlying insurance policies.”  Id.

Observing that the offense “[o]ral or written publication of material that violates a person’s right of privacy” is sandwiched in between two offenses that expressly reference misdeeds against both a person and an organization (i.e., slander of a person’s or organization’s products, and copying of a person’s or organization’s advertising idea), the court concluded that the omission of the term “organization” in the privacy offense was deliberate.  The court explained:

As Supreme Court aptly observed, the offense at issue-the “[o]ral or written publication of material that violates a person’s right of privacy”—is sandwiched between two other offenses in Twin City’s policy that make express reference to misdeeds perpetrated against either a person or an organization, thereby suggesting that the omission of any reference to an organization from the subject offense was intentional [citations omitted].

Id at *2 (emphasis in original).  This omission, according to the court, demonstrated that the privacy offense was not meant to apply to companies and corporations.

As a second reason, the court also held that the alleged claims for tortious interference with contract and business relations, unfair and deceptive trade practices and misappropriation of trade secrets do not allege a violation of a person’s right of privacy.  The court held:

To be sure, the complaint in the underlying action alleged conduct on the part of plaintiff that extended beyond the misappropriation of trade secrets and, in general, encompassed the acquisition and/or use of confidential and proprietary information belonging to its competitor. However, equating those allegations with an invasion of the competitor’s “right of privacy” ignores both the competitor’s status as a corporate entity [citations omitted] and the historically personal nature of privacy rights in general [citations omitted].

Id at *3.  The court also noted, without analysis, that all of the allegations in the underlying complaint fell under the knowing violation exclusion, breach of contract exclusion, and/or the intellectual property exclusion.  Id.

What does this case mean?  There are two key points to take from this case: (1) the court’s limitation of the term “person” in general liability policies to exclude companies and corporations and (2) the court’s use of all of the enumerated offenses in the definition of “personal and advertising injury” to limit and better define the scope of a single offense.  Too often, insurance provisions are read in a vacuum.  Here, the Sportsfield court rejected that approach and read each offense not in isolation, but in context together.  Questions and comments are welcome.

This entry was posted in Privacy Rights and tagged , .