In the relatively undefined realm of cyber coverage interpretation, the First District of the Illinois Appellate Court held that a cyber claims endorsement to a professional liability policy that provided coverage for a “privacy wrongful act” did not extend to allegations of violations of the Telephone Consumer Protection Act (“TCPA”) or the Illinois Consumer Fraud and Deceptive Business Practices Act (“Consumer Fraud Act”).
In Doctors Direct Insurance, Inc. v. Bochenek, 2015 IL App (1st) 142919, the court found that Doctors Direct Insurance, Inc. (“Doctors Direct”) had no duty to defend or indemnify under a medical professional liability insurance policy it issued to its insured, McAdoo Cosmetic Surgery (“McAdoo”). McAdoo was sued in a federal class action lawsuit filed by David Bochenek (“Bochenek”), alleging that McAdoo violated the TCPA and Consumer Fraud Act by sending unsolicited text messages advertising cosmetic surgery procedures which were allegedly part of a “mass broadcasting” (the “Bochenek suit”).
The Doctors Direct policy included a cyber claims endorsement which covered, in pertinent part, “costs protected parties become legally obligated to pay as a result of a Cyber Claim for any Network Security Wrongful Act or Privacy Wrongful Act….” The endorsement defined a “privacy wrongful act” as “any breach or violation of U.S. federal, state, or local statutes and regulations associated with the control and use of personally identifiable financial, credit or medical information, whether actual or alleged, but only if committed or allegedly committed by protected parties.”
Doctors Direct argued that Bochenek’s claims under the TCPA and the Consumer Fraud Act were not based on a “privacy wrongful act” because neither statute was applied or associated with the control or use of personally identifiable financial, credit or medical information. Bochenek, who was arguing in favor of coverage following McAdoo’s bankruptcy, responded that the cyber claims endorsement was ambiguous as to whether the “breach or violation” of a statute must be associated with the control and use of personally identifiable information. Bochenek also argued that both the particular conduct at issue and the laws violated were nevertheless associated with the control and use of such personally identifiable information.
The court determined that the TCPA focused only on certain types of telephone calls; it did not address how a caller might control or use personally identifiable information and was thus not associated with the use of such information. The court similarly found that the plain language of the Consumer Fraud Act focused on unfair methods of competition and unfair or deceptive acts or practices, not personally identifiable information. Although the court noted that the Act referenced another state statute that did involve improper use of “personal information” (the Personal Information Protection Act), such reference could not trigger coverage because the complaints filed in the Bochenek suit did not mention the type of information the Personal Information Protection Act protected, let alone the statute itself.
Bochenek also argued that the collection of names and telephone numbers to use for purposes of mass marketing of cosmetic surgery services implicated the control and use of personally identifiable information because it conveyed medical information about people on the list. The court disagreed, finding that there was no information in the original complaint about how the telephone numbers were compiled. The court also found that interpreting the term “personally identifiable medical information” to include the list would be too broad because it would extend to any information in a doctor’s possession.
The Bochenek decision serves to illustrate the scope of cyber coverage. Although the decision only interpreted a cyber claims endorsement as opposed to a full cyber policy, the coverage offered under cyber policies typically will only extend to the disclosure of personally identifiable information and its attendant consequences. Indeed, many cyber policies exclude claims brought under the TCPA or deceptive business practice statutes. The takeaway from the Bochenek case is that insureds must know the scope of coverage offered by their available policies. Trying to shoehorn a “square-peg” claim into a “round-hole” policy will likely fail.