In Doctors Direct Ins., Inc. v. Beaute’ E’mergente, LLC, No. 1-14-2919 (Ill. App. Ct. June 22, 2015), an Illinois state appellate court recently affirmed that a medical malpractice liability insurer did not owe a duty to defend or indemnify its insured in an underlying class action lawsuit alleging violations of the Telephone Consumer Protection Act (the “TCPA”) and the Illinois Consumer Fraud and Deceptive Business Practices Act (the “ICFA”), because there was no coverage under the “privacy wrongful act” provision of the policy’s cyber claimsendorsement.
David Bochenek filed a class action lawsuit in federal court against McAdoo Cosmetic Surgery (McAdoo) on behalf of himself and others who similarly received unsolicited text messages like the following from McAdoo:
50% off Rockford area Botox, now $7/unit. Call within 4 weeks (815) 397–3373 McAdoo Cosmetic Surgery Reply STOP to opt-out.
25% off filler, Juvederm now $450/syringe when you schedule in the next 4 weeks. 815 397–3373 McAdoo Cosmetic Surgery Reply STOP to opt-out.
McAdoo Cosmetic Surgery 815–397–3373: Please reply VIP to receive inside privileged offers: Botox, fillers, product, etc. Reply STOP to opt-out.
Bochenek alleged that McAdoo obtained a list of customer names and telephone numbers from a spa without the customers’ consent, and used that personally identifiable information to send the above advertising text messages to those customers, believing they would be likely to purchase cosmetic surgery products, and that this conduct violated both the TCPA and ICFA.
McAdoo provided timely notice of the federal lawsuit to its medical professional liability insurance provider, Doctors Direct Insurance, Inc., and demanded coverage under the policy’s cyber claims endorsement, which states:
Subject to all terms, conditions, definitions and exclusions of the Policy, we agree to reimburse protected parties, up to the applicable limit indicated in this endorsement, for costs protected parties become legally obligated to pay as a result of a Cyber Claim for any Network Security Wrongful Act or Privacy Wrongful Act including Patient Notification Costs and Credit Monitoring Costs incurred for any Privacy Wrongful Act and for Data Recovery Costs incurred due to a Data Interference Act, including Defense Costs of a Government Investigation for a Privacy Wrongful Act.
The endorsement defines a Cyber Claim as:
a demand for money or services as compensation, such as a claim letter, notice of attorney’s lien, or a civil suit, administrative proceeding, arbitration or mediation seeking to compel such compensation in which protected parties must participate.
Additionally, a Privacy Wrongful Act is defined as:
any breach or violation of U.S. federal, state, or local statutes and regulations associated with the control and use of personally identifiable financial, credit or medical information, whether actual or alleged, but only if committed or allegedly committed by protected parties.
Shortly after Doctors Direct commenced an action in Illinois state court seeking a declaration that it did not have to provide a defense to McAdoo in the federal lawsuit, or to indemnify McAdoo for any damages awarded, McAdoo filed for bankruptcy, and those separate proceedings in the United States Bankruptcy Court for the Northern District of Illinois ultimately resulted in Bochenek’s potential recovery against McAdoo being limited to the proceeds of the McAdoo’s insurance policy with Doctors Direct. Bochenek appeared in the declaratory judgment action and, in his answer to Doctors Direct’s complaint, asserted that his claims against McAdoo in the underlying federal class action constituted a privacy wrongful act under the cyber claims endorsement of the policy.
Doctor’s Direct filed a motion for judgment on the pleadings, which the trial court granted in its entirety, ruling that Doctors Direct had no duty to defend or indemnify McAdoo based on the following conclusions:
- The TCPA “does not regulate actions that may be taken to prepare for the placement of these automated phone calls,” and therefore cannot be construed to be “ ‘associated with the control and use of personally identifiable financial, credit, or medical information.’” Nothing in the plain language of the TCPA indicates an intent to protect against the compilation of consumers’ names and phone numbers for use in telemarketing. Rather, the TCPA was intended to protect consumers from certain forms of undesirable communication.
- Even if one were to construe the TCPA as being associated with the control and use of personally identifiable financial, credit, or medical information, Bochenek failed to establish “that the collection of names and telephone numbers implicates the control and use of personally identifiable financial, credit, or medical information.” A list of prospective customers for cosmetic surgery services does not constitute personally identifiable financial information.
- The policy did not cover violations of the ICFA, as there is nothing in the plain language of that statute to indicate that it was to protect against the disclosure of personally identifiable financial, credit, or medical information.
- That the ICFA does prohibit the violation of other state statutes that are associated with the control and use of personally identifiable financial, credit, or medical information, is irrelevant, because Bochenek’s federal lawsuit did not allege a violation of those other state statutes.
Bochenek filed an appeal. In support of his appeal, he argued that the TCPA claim did allege a privacy wrongful act under the Doctors Direct policy, because the phrase “associated with” must be construed expansively, such that the conduct at issue and the statutes and regulations prohibiting the conduct are necessarily associated with the control and use of personally identifiable financial, credit, or medical information.
To determine whether the policy provided coverage, the appellate Court considered the policy’s definition of a privacy wrongful act, and compared that language to the allegations in the underlying complaint. Specifically, the appellate Court attempted to clarify what relationship between “U.S. federal, state or local statues and regulations” and “control and use of personally identifiable financial, credit or medical information” was required to trigger coverage under the policy. The Court looked to the dictionary definition of “associate,” which it found to be “to join (things) together or connect (one thing) with another,” to “combine,” or to “unite.” Applying this definition, the Court had little difficulty concluding that the control and use of personally identifiable financial, credit, or medical information is not joined, combined, united, or connected with the TCPA, which, by its express terms, outlaws only the following four practices:
- making a call using an automated dialing system or artificial or prerecorded voice, without the prior express consent of the called party, to any emergency telephone line, guest or patient room of a hospital, health care facility, elderly home, or similar establishment, or to any telephone number assigned to a paging service, cellular telephone service, specialized mobile radio service, other radio common carrier service, or any service for which the called party is charged for the call;
- initiating any telephone call to any residential telephone line using an artificial or prerecorded voice to deliver a message without prior express consent;
- using a fax machine, computer, or other device to send unsolicited advertisements to a fax machine, subject to certain exceptions; and
- using an automatic telephone dialing system such that two or more telephone lines of a multi-line business are engaged at the same time.
47 U.S.C. § 227(b)(1)(A) through (D) (2012) (defining “call” to encompass both voice calls and text messages). Thus, as the Court observed:
The plain language of the Telephone Consumer Protection Act illustrates that the statute only prohibits the actual making of certain kinds of calls. The statute does not address how a caller might control or use personally identifiable financial, credit, or medical information either before or after the call is made.
While this plain meaning of the statute rendered statutory construction unnecessary, the Court nevertheless examined the history of the TCPA, noting that the statute was enacted to address telemarketing abuses related to the use of unsolicited automated telephone calls to telephones, cellular telephones, and fax machines. The Court noted that Congress found that such unrestricted telemarketing could be intrusive and that automated or prerecorded telephone calls to private residences were regarded by recipients as an invasion of privacy. This analysis reinforced the Court’s conclusion that the TCPA’s focus is on the calls themselves, and is not joined, combined, united, or connected to the control and use of personally identifiable financial, credit, or medical information to make the calls. Bochenek’s TCPA claim against McAdoo was therefore not covered as a privacy wrongful act under the policy.
The Court next considered Bochenek’s claim under the ICFA, a statute which in pertinent part prohibits “[u]nfair methods of competition and unfair or deceptive acts or practices, including . . . the use or employment of any deception, fraud, false pretense, false promise, misrepresentation or the concealment, suppression or omission of any material fact” with the intent that someone rely on that concealment, suppression, or omission. The ICFA also enumerates certain other statutes the knowing violation of which can also constitute a violation of the ICFA. As part of its analysis, the Court noted that all violations of the ICFA alleged by Bochenek similarly focused on the act of calling or reaching someone, as opposed to the control or use of personally identifiable financial, credit, or medical information, and that Bochenek failed to allege other potential violations that might be more applicable. As such, Bochenek also failed to allege any claim under the ICFA that would be covered under the policy.
Bochenek attempted to preserve his only source of a potential recovery by arguing that the collection of names and telephone numbers used to send the unsolicited text messages implicates the control and use of personally identifiable financial, credit, or medical information, because being placed on a list of prospects for cosmetic surgery services compiled by a medical professional conveys medical information about the people on the list, as well as financial information, since the services are costly. The Court was not persuaded, because there were no allegations in the underlying complaint regarding how the list was compiled and, even if there were, such a definition of personally identifiable medical information would be too broad, and could effectively “turn any list of names and phone numbers into personally identifiable medical information as long as a doctor had the list.” That the list of names and numbers used to send the unsolicited text message may have come from a spa was also insufficient to make the list personally identifiable medical information. Absent any further allegations that the spa was a medical provider or released medical information about its customers to McAdoo, the Court reasoned that Bochenek’s argument still relied on the unavailing notion that it was McAdoo’s status as a doctor that made the list personally identifiable medical information.
Finding that the allegations in Bochenek’s federal complaint failed to even potentially fall within the coverage of the policy, the Court affirmed the trial court’s ruling that Doctors Direct does not have a duty to defend or indemnify McAdoo in the federal lawsuit