As lawsuits against companies for breach of privacy-related laws and cyber security failures continue to rise, the only thing that is certain is that it is uncertain just how much coverage is out there under commercial general liability (“CGL”) policies, directors and officers (“D&O”) policies, and cyber policies. In two high-profile insurance cases this week, policyholders and insurance companies battled over whether well-worn exclusions in D&O and CGL policies bar coverage for class actions brought under the Telephone Consumer Protection Act of 1991 (“TCPA”). These cases highlight the importance of carefully assessing your company’s risk and reviewing company insurance policies to make sure significant gaps are closed and the language of the policies does not lend itself to “gotcha” denials by insurers when your company needs coverage most.
In Los Angeles Lakers, Inc. v. Federal Insurance Co., No. 14-CV-07743-DMG (C.D. Cal. 2015), the insurer sought to exclude coverage under a D&O policy for a TCPA class action filed against the Los Angeles Lakers stemming from a marketing campaign that encouraged game attendees to text a posted number in order to have their texts displayed on the jumbo screen during the game. Individuals who did so received text messages back that they were charged for, allegedly in violation of the TCPA. Although the trial court ultimately dismissed the suit, the Lakers settled on appeal and sought to obtain insurance coverage for their defense costs and the settlement from their D&O insurer. The insurer successfully argued in the federal district court that coverage was not available for the TCPA claim because it “arose out of” an “invasion of privacy.” The Lakers are currently arguing on appeal to the U.S. Court of Appeals for the Ninth Circuit that the underlying lawsuit was primarily about nuisance and not privacy and therefore should be covered.
In National Union Fire Insurance Co. v. Dish Network LLC, No. 1:15-cv-01053-RPM (D. Colo.), Dish Network is trying—so far without success—to consolidate declaratory actions filed by multiple insurers in jurisdictions across the country seeking to avoid coverage for a TCPA suit of up to $2 billion brought by state and federal agencies and pending against Dish Network in the U.S. District Court for the Central District of Illinois. In particular, Dish Network’s insurers claim the TCPA class action is not covered under its commercial liability umbrella policies due to exclusions for bodily injuries, personal injuries, advertising injuries, knowing violations, and intentional conduct.
Of course, these kinds of exclusions began to appear in D&O and general liability policies long before the dawn of the information age and prior to the rise of new statutory and regulatory frameworks that were implemented to address growing privacy concerns. Unfortunately for companies like Dish Network and the Los Angeles Lakers, insurers often argue that these exclusions, which in some cases were drafted decades ago, bar coverage for TCPA lawsuits, even in the absence of an express TCPA exclusion. Moreover, many cyber policies in the current marketplace either explicitly exclude TCPA coverage, or have exclusions for intentional conduct or claims arising out of advertising practices.
The TCPA is just one of a growing body of privacy-related statutes that have been implemented at both the state and federal level to address rising concerns over the use and protection of digital personal information. Like the TCPA, some of these statutes impose statutory fines that can quickly add up to substantial liability. Indeed, some of the greatest costs to companies from privacy-related incidents can be from regulatory actions brought by state and federal agencies, where the cost to comply with the investigation alone can be in the millions of dollars.
To protect itself against the risk of privacy liabilities, a company should carefully assess and prioritize its areas of vulnerability based upon the nature of its business. A company should then engage legal counsel and its insurance broker to make sure that its CGL, D&O, and cyber policies work together to give the company the appropriate coverage, and to avoid potential gaps in coverage. Special attention should be given to establishing policyholder-favorable language in the terms, conditions, definitions, and exclusions so as to restrict insurers’ ability to limit claims on unexpected and technical grounds.