A group of Liberty Mutual insurance companies successfully obtained declaratory relief that they had no duty to defend Aspen Way Enterprises and Aaron’s Inc. from two underlying actions alleging that spyware had been installed on rent-to-own computers. 

A group of Liberty Mutual insurance companies successfully obtained declaratory relief that they had no duty to defend Aspen Way Enterprises and Aaron’s Inc. from two underlying actions alleging that spyware had been installed on rent-to-own computers.

One of these, the Byrd Action, was a putative class action brought by customers who alleged that the policyholders received private data after activating spyware on the leased computers. The Byrds brought four causes of action, including violation of the Electronic Communications Privacy Act (ECPA) and invasion of privacy. In the coverage action, Liberty Mutual argued there was no coverage under its various commercial general liability policies.

The court disagreed in part, finding the Byrd Action fell within the scope of the insuring agreement in that it alleged “personal and advertising injury” in the form of a written publication of material that violates a person’s right of privacy. Fatal to coverage, however, was the policyholders’ partial success on a motion to dismiss. After so moving, only the ECPA claim remained.

The invasion of privacy claim, which was vital to coverage, was dismissed because the underlying court concluded that Wyoming law does not have a tort cause of action for invasion of privacy. With only the ECPA claim remaining in the case, there was no potential for coverage due to the “Recording and Distribution of Material Or Information In Violation of Law” exclusion, which bars coverage for “[a]ny federal, state, or local statute, ordinance, or regulation, other than the TCPA, CAN-SPAM Act of 2003, or FCRA and their amendments and additions, that addresses, prohibits, or limits the printing, dissemination, disposal, collecting, recording, sending, transmitting, communicating, or distribution of material or information.”

TIP: Companies that find themselves facing a lawsuit after a data breach should not only check to see if they have coverage, but also think about what type of defense they will raise and the impact it will have on coverage. For example, if you have a “mixed” action which contains both covered and non-covered claims or both insured and non-insured parties, weigh the risk of a motion that knocks out all the covered claims only to leave in all the non-covered ones.