In this day and age, virtually every business is a "data" or "Internet" company by virtue of handling various types of personal information, and thus has exposure to privacy and data security related claims. Whether the claims arise from a "hacking" incident on a company's website or network, a misplaced laptop containing customer or employee information, or allegations of improperly collecting or using personal information, companies that have even transitory possession of customers' or employees' personal confidential information face potential liability and regulatory risk. While most companies are becoming increasingly aware of some of the risks they face, many companies remain surprisingly unaware that they should or do have insurance to cover such claims. But the devil is in the details. While numerous insurance companies offer attractively packaged "cyber-risk" policies, often buried in those policies are exclusions and exceptions that insurers would argue deprive their policyholders of the very coverage they believed they had purchased, or at least limit their entitlement to coverage. Significantly, however, most companies are unaware that their standard commercial general liability policy may provide coverage in the event of a privacy or data security claim.
Overview Of Privacy And Data Security Claims
Privacy and Data Security claims come in several different forms. Over the years, a variety of statutes have been enacted by federal and state governments relating to privacy or data security, some of which allow for private causes of action. On the federal side, the Federal Credit Reporting Act ("FCRA"), as amended by the Fair and Accurate Credit Transactions Act of 2003 ("FACTA"), imposes statutory penalties and attorney's fees for willful noncompliance with its provisions, and allows for damages and attorney's fees for even negligent noncompliance. See 15 U.S.C. § 1681. On the state side, many states have passed "Database Breach Notification Laws," requiring under certain circumstances that companies that experience a security breach of their computerized systems notify potentially affected customers. See, e.g., La. Rev. Stat. Ann. § 51:3072; N.Y. Gen. Bus. Law § 899-aa; Cal. Civ. Code § 1789.82. Other state statutes may limit or regulate companies' collection or use of personal information. See, e.g., Cal. Civil Code § 1747.08 ("The Song-Beverly Credit Card Act"). In third-party actions, plaintiffs often invoke "unfair trade practice" statutes to support their privacy-related claims, as well as common-law claims that have been styled as variously as negligence, breach of contract, fraud, invasion of privacy, breach of fiduciary duty, conversion, bailment and/or unjust enrichment.
With regard to such private actions, a substantial body of case law has developed over recent years, dismissing causes of action based on allegations of a company negligently causing a person's confidential material to be disclosed. In the absence of actual damages suffered by the person whose material was disclosed, courts have held that the mere increased risk of potential future identity theft does not state a claim, whether sounding in contract or in tort. See, e.g., Pinero v. Jackson Hewitt Tax Service Inc., 594 F.Supp.2d 710 (E.D. La. 2009); Caudle v. Towers, Perrin, Forster & Crosby, 580 F. Supp. 2d 273 (S.D.N.Y. 2008); Ruiz v. Gap, Inc., No. 07-5739, 2009 WL 941162 (N.D. Cal. April 6, 2009).
Moreover, in addition to private claims, regulatory enforcement actions by the Federal Trade Commission ("FTC") and other government agencies are on the rise, with privacy and data security issues at the forefront. Recently, the FTC and the Department of Health and Human Services jointly brought a claim against CVS/Caremark for failing to shred confidential customer information - a claim which settled for $2.25 million. Similarly, in 2006, Choicepoint settled an FTC investigation over its privacy procedures for $15 million. And the list goes on.
Regardless of the ultimate outcome on the merits of private and governmental actions, companies facing such actions may incur substantial costs in defending such litigation. Insurance, however, may do much to minimize these costs.
Insurance Coverage For Privacy And Data Security Lawsuits
No matter how a private claim is styled, whether it sounds in tort or is statutory in nature, it may be covered by one or more of a company's insurance policies. While the insurance industry markets certain insurance products as "cyber-risk" or "technology" policies, the reality is that the title of the coverage matters little. Insurers often will deny coverage for a privacy or data security claim, even under policies containing an explicitly named "privacy endorsement." Sometimes, the best bet for coverage is simply to look to the company's commercial general liability coverage ("CGL").
Often overlooked by companies facing privacy or data-breach related claims are CGL policies - which is coverage that most companies purchase as a baseline. Such policies, in addition to covering third-party claims of bodily injury and property damage, also typically provide coverage for third-party claims of "Personal or Advertising Injury" ("PI coverage"). Depending on the terms of the specific policy, the coverage granted by the CGL policy may be very broad, requiring that an insurer defend and indemnify any claim for injuries, including mental distress or anguish, arising out of an "oral or written publication, in any manner, of material that violates a person's right of privacy." Some are written in still broader terms, requiring only allegations of "injury to the feelings and reputation of a natural person (including mental anguish) caused by an offense arising out of your business."
Generally, courts have interpreted such provisions broadly in the privacy-related context. For example, courts have held that FCRA claims can trigger this coverage under a CGL policy. See, e.g., Zurich American Insurance Co. v. Fieldstone Mortgage Co., No. 06-2055, 2007 U.S. Dist. LEXIS 81570 (D. Md. Oct. 26, 2007). In Zurich, the court held that the insurer had a duty to defend the policyholder under the PI clause in its CGL policies. The underlying claim alleged that the policyholder had violated FCRA by improperly accessing the plaintiffs' credit information to solicit their business for sub-prime mortgages. Finding coverage under Fieldstone's CGL policy, the court held that "there is no question that the information that was accessed was secret," and furthermore, "one of the purposes of [FCRA] is to ensure that consumer credit reports are kept private." Id. at *15-16. Additionally, the court held, the mere use of this information in a written solicitation constituted a "publication," and thus fell within the scope of the "Personal or Advertising Injury" clause of Fieldstone's CGL policies. Id. 1
That is not to suggest that more specialized "cyber-risk" or "privacy and information security" policies cannot be valuable, or even essential if exclusions act to limit the broad grant of coverage in the standard CGL language. Privacy-specific coverage can take the form of a stand-alone policy, or an endorsement or amendment to a CGL, Errors and Omissions ("E&O") policy, or other forms of coverage.
Some such policies split up privacy or data security claims into different branches of coverage. "Failure of security" can be defined as losses of data due to actions by third parties, referring to a "failure of a security system" or a "computer attack." "Privacy Perils" are often enumerated to include claims alleging: unauthorized disclosures by the insured; a failure to disclose potential identity theft (such as a claim under a state database breach notification statute); or any federal or state "privacy statute" (which would presumably include FCRA).
Beware Of Exclusions
Even if a company appears to benefit from a broad grant of coverage under their CGL policies, and supplemental coverage through a "cyber-risk" or "privacy and information security" policy, be very wary of exclusions when purchasing coverage. Exclusions in CGL policies may place at risk what, on its face, originally appeared to be a broad grant of coverage. For example, in the case of Netscape Communications Corp. v. Federal Insurance Co., the court held that a company's collection and distribution of its consumers' personal data, which triggered suit for breach of contract, breach of the covenant of good faith and fair dealing, and violations of California statutes, ordinarily would have been covered under the "personal injury" provisions of the company's CGL policy. 2 However, the court went on to conclude that an "Online Activity Exclusion" in the policy precluded coverage. 3
Furthermore, many common exclusions used in insurance policies could act to bar coverage, such as a "financial services" or "professional services" exclusion - even where the possible effect of that exclusion would be to make the coverage illusory, as would be the case where the only business of the company is providing professional or financial services. Some CGL policies, while appearing to grant broad coverage for privacy-related allegations, may attempt to exclude all coverage for "publication" of any sort. Other CGL policies may purport to exclude mental anguish or distress as "injury" in the absence of physical harm.
Moreover, even as the insurance industry works to market new products to capitalize on worries about identity theft, it is busy drafting exclusions in their CGL policies to ensure that customers have an incentive to purchase the new product. For example, one exclusion, drafted by the Insurance Services Office ("ISO") in 2004, excludes claims arising out of any action or omission that violates the Telephone Consumer Protection Act ("TCPA"), the CAN-SPAM Act of 2003, or similar statute or ordinance "that prohibits or limits the sending, transmitting, communicating or distribution of material or information." Other exclusions seen in some CGL policies bar coverage for personal and advertising injuries "arising out of the violation of a person's right of privacy created by any state or federal act." Although not named in the exclusion, such exclusions could arguably be used to deny coverage for FCRA and other privacy-related statutory claims. Such statutory exclusions are significant, because many of these statutes provide for statutory damages, thus enabling plaintiffs to pursue claims in the absence of actual damages.
Conclusions
No company is immune to privacy or data breach claims, and accordingly no company should remain in the dark as to whether they have adequate insurance protection in place to deal with those claims. Policyholders should negotiate with their insurers (and potential insurers when shopping for coverage) over policy language and exclusions and consult with coverage counsel to evaluate the scope of the exclusions' potential impact on the company's privacy coverage. The bottom line is know what you are buying.
And when a claim arises, companies should not accept conventional wisdom as to whether the claim is covered by their insurance, regardless of the source, whether it be your broker or your insurance company. The labels and titles of coverage matter little - what matters are the terms and conditions of the coverage. Having experienced insurance counsel review the company's insurance program, prior to the first privacy or data security claim, may save significant dollars in the long run.
1 See also American Family Mut. Ins. Co. v. C.M.A. Mortgage, Inc., et al., No. 1:06-cv-1044, 2008 U.S. Dist. LEXIS 30233, at *15-16 (S.D. Ind. March 31, 2008) ("A reasonable person who reads the advertising injury provisions of these policies would conclude that coverage exists for a claim arising out of the mailing of a solicitation letter that was triggered by a violation of the privacy protection rights established in FCRA."); Pietras v. Sentry Ins. Co., et al., No. 06 C 3576, 2007 U.S. Dist. LEXIS 16015, at *11 (N.D. Ill. March 6, 2007) ("the Court holds that the FCRA allegations in the underlying complaint fall within the 'advertising injury' provision in the Sentry policy").
2 Netscape Commc'ns Corp., et al. v. Fed. Ins. Co., No. 06-cv-00198-JW, 2007 U.S. Dist. LEXIS 78400, *17 (N.D. Cal. Oct. 10, 2007).
3 Id. at *20-21.
Published June 1, 2009.