Category Archives: Uncategorized

Another Data Breach Class Action Dismissed for Lack of Injury



On the heels of the Target settlement, another security data breach class action has been dismissed for lack of standing under Article III.  In the lawsuit In re Horizon Healthcare Servs., Inc. Data Breach Litig., 2015 WL 1472483 (D.N.J. Mar. 31, 2015), a federal district court held that class plaintiffs alleged neither sufficient injury nor causation to establish standing.

In that case, an unknown thief stole from the company’s headquarters two password-protected laptop computers containing personal information of company members.  Id. at *1.  The company reported the theft to law enforcement the next day.  A month later, it notified potentially affected members of the theft by letter and press release.  Id.  In its notification, the company informed members that “[d]ue to the way the stolen laptops were configured, we are not certain that all of the member information contained on the laptops is accessible.”  It also offered credit-monitoring protection.  Id.

This entry was posted in Uncategorized.

Knowing The Knowing Violation Exclusion



The Knowing Violation of Rights of Another exclusion, found in Coverage B of most CGL policies, can be difficult to apply in the context of determining the duty to defend.  A recent decision issued by the United States Court of Appeals for the Eleventh Circuit, in Travelers Pro. Cas. Co. of America v. Kansas City Landsmen, — Fed. App’x –, 2015 WL 137816 (11th Cir. Jan. 12, 2015), provides a good example of why.

The case involved whether the insurer owed a duty to defend its insureds, car rental companies, against an underlying lawsuit alleging that the insureds willfully violated 15 U.S.C. §1681c(g)(1), a provision of the Fair and Accurate Credit Transaction Act (“FACTA”) that prohibits the printing of more than the last five digits of a credit card number or the expiration date on a receipt provided to the cardholder.  The underlying litigation, a putative class action, alleged that insured car rental companies had printed credit-card receipts that included more than the last five digits of the card number as well as the card’s expiration date, and accordingly, had “failed to protect” plaintiff and class members “against identity theft and credit card and debit card fraud.”  Id. at *2.  The action sought statutory and punitive damages under 15 U.S.C. §1681n(a), which imposes liability on “[a]ny person who willfully fails to comply with any requirement” of FACTA.

This entry was posted in Uncategorized.

Article III Standing: The First Wall of Defense In Security Data Breach Litigation



2014 witnessed a proliferation of cyber security data breaches and resulting data breach litigation.  Most class actions filed in the wake of a data breach assert injuries for increased risk of identity theft, fraudulent financial charges on credit cards, and costs incurred from having to enroll in third-party credit-monitoring services.  But realistically, not every data breach results in an injury.  Article III standing can be a significant defense for disposing of security data breach claims in the relatively early stages of litigation.

Standing derives from Article III of the U.S. Constitution, which limits the powers of the federal judiciary to the resolution of “cases” and “controversies.”  U.S. Const. Art. III, §2.  To maintain a lawsuit, every plaintiff must plead and ultimately prove that he or she has suffered sufficient injury to satisfy the “case or controversy” requirement.  At the pleading stage, a plaintiff must allege: (1) an injury-in-fact that is concrete and particularized, as well as actual or imminent; (2) that the injury is fairly traceable to the challenged action of the defendant; and (3) that the injury can be remedied by a favorable ruling.  If the plaintiff cannot satisfy these criteria, the claim must be dismissed.  This article discusses some recent data breach decisions that address standing.

This entry was posted in Uncategorized.

Medical Records, The Internet, and A “Publication”



Last week, the federal District Court in Virginia issued a quasi security/data breach coverage decision in which the court concluded that making private medical records accessible online constituted a publication even though there was no evidence that a third party had accessed them.  Travelers Indem. Co. of Am. v. Portal Healthcare Solutions, LLC, No. 13-917, 2014 WL 3887797 (E.D. Va. Aug. 7, 2014).  The mere fact that the records were accessible satisfied the plain and ordinary meaning of the term “publication” to implicate the duty to defend.  What makes this decision noteworthy is how the Court distinguished the case before it from other decisions limiting the meaning of the term “publication.”  Given that many healthcare providers are introducing “online” services for medical records, brokers and underwriters also may want to take note of this decision.

Portal Healthcare Solutions (“Portal”) was a business specializing in the electronic safekeeping of medical records for hospitals, clinics, and other medical providers.  Id. at *1.  A New York putative class action was filed against it, alleging that Portal had failed to safeguard confidential medical records of patients at Glen Falls Hospital (“Glen Falls”), posting those records on the internet and causing them to become publicly accessible.  Id.  Two patients of Glen Falls discovered the breach when they ran a Google search of their names, and found links that directed them to their Glen Falls medical records.  Id. at *2.  (Honestly, how many of you are now going to Google your name?  I did.)

This entry was posted in Data Breach Insurance Coverage, Privacy Rights, Uncategorized.

Are “Right of Privacy” and “Person” Ambiguous? New York Weighs In



Last week, I vacationed in beautiful Cooperstown, NY, where I watched baseball in stadiums built to resemble early 20th century ballparks, visited the Baseball Hall of Fame, and enjoyed scenic views of the green Catskill Mountains.  Oh, and there’s the Ommegang brewery, too.  During that week, I was totally free of daily faxes promoting low-budget roof repairs, instant credit for business loans, and vacation hideaways in Cancun.  So, what a return to reality it was to see Tower National Ins. Co. v. National Business Capital, Inc., No. 155786/2012, 2014 WL 3728500 (N.Y. Supr. Ct. July 28, 2014), a case addressing the meaning of “right of privacy” in the context of blast faxes.  Thanks (or maybe not) to Roberta Anderson at K&L Gates for bringing this case to my attention as I returned back to the 21st century.

The underlying lawsuit was a putative class action seeking damages for National Business Capital’s (“NBC”) alleged blast faxing in violation of the TCPA and Connecticut’s version of the statute.  NBC sought coverage under its CGL policy for “personal and advertising injury” under “[o]ral or written publication, in any nature, of material that violates a person’s right of privacy.”  Id. at *1-2.  The issue was one of first impression in New York.  (NBC also contended that the underlying action alleged “property damage,” but the court held that the complaint did not allege an “occurrence” to implicate coverage under Coverage A.  Id. at *4.)

This entry was posted in Privacy Rights, Uncategorized.

Text Messaging Is “Publication” That Violates “Right of Privacy,” but TCPA Exclusion Applies



Which ad campaign do you think cost Papa John’s more – Peyton Manning and the giveaway of one million pizzas, or its text messaging?  Peyton Manning probably came cheaper.  In National Fire Ins. Co. of Pitt., Pa. v. Papa John’s Int’l, Inc., 2014 WL 2993825 (W.D. Ky. July 3, 2014), the Kentucky federal court held that the Distribution of Material in Violation of a Statute (“DMVS”) exclusion barred coverage for a class action asserting damages for the text messaging.

What makes this decision notable is that the meanings of “publication” and “right of privacy” in general liability policies, over which the court deliberated, were issues of first impression under Kentucky law.  The decision can have a wide effect beyond the TCPA context, including with cyber liability and data breaches.  Also of interest, the court rejected arguments that the DMVS exclusion rendered Coverage B illusory.

This entry was posted in Uncategorized.