Personal and advertising injury coverage appears in standard commercial general liability (“CGL”) policies. Even though courts have been hostile to invasion of privacy claims based on data security breaches, such claims frequently are filed and are not always dismissed at an early stage. Particularly for companies that do not have specialized data security coverage, CGL coverage might provide a basis for the payment of defense costs and, if necessary, indemnity in response to such third-party claims.
For a company faced with a data breach resulting in the possible disclosure of private information, an important question is how, if at all, commercial general liability insurance will respond to third-party claims alleging damages. If your company has specialty coverage for data security loss, cybertheft, or similar liabilities, then your right to coverage might be clear.1 If you do not have such special coverage available, however, then you might nevertheless have a prospect of recovering defense costs and indemnity under your CGL policy.
Through both inadvertence and malice, corporate entities are exposed to the risk of data security breaches that can result in the revelation of the private data pertaining to millions of customers, employees, or others. The Privacy Rights Clearinghouse estimates that more than 343 million individual records containing sensitive personal information have been involved in data security breaches in the U.S. for the period January 2005 through January 2010. See Privacy Rights Clearinghouse, “Chronology of Data Breaches.” The recent data attacks on Google and Yahoo! illustrate the way in which even the most technologically capable entities are subject to the risk that personal data of their customers can be revealed. See, e.g., The Wall Street Journal, “Google Investigating If China Staff Involved in Cyber Attack” (Jan. 21, 2010).
The opportunities for inadvertent loss and outright theft have grown exponentially with the ubiquity of laptops, PDA/BlackBerry devices, large-capacity microdisks, and external access to corporate systems and data. Furthermore, corporations have reported that targeted data attacks, originating from both inside and outside the entity, are on the rise. See, e.g., Outpacing Change: Ernst & Young’s 12th Annual Global Information Security Survey (2009) (in 2009, “41% of respondents noted an increase in external attacks and 25% of respondents witnessed an increase in internal attacks.”). Moreover, the sophistication of data analysis is such that even data believed to be safely encrypted can sometimes be decoded by determined parties. See, e.g., Valdez-Marquez, et al. v. Netflix, Inc., C09-05903 (N.D. Cal. 2009) (complaint filed Dec. 17, 2009) (anonymized video rental data allegedly de-anonymized and reviewed by third parties).
Just as the opportunities for security breaches escalate, legislative efforts to protect privacy rights have increased to the point of saturation. Numerous federal and state statutes now require both protection of data and notification of security breaches, meaning that customers and the public swiftly learn when a data breach occurs.2 These statutes can also provide for penalties or private rights of action. In what has been reported as the first instance of state enforcement under HIPAA, the Connecticut Attorney General recently sued Health Net, Inc. over an alleged failure to protect private data (and to report the breach of security) regarding more than 400,000 enrollees following the loss of a laptop computer. Attorney General v. Health Net of the Northeast, Inc., D. Conn., 3:10-CV-00057-PCD (complaint filed Jan. 13, 2010).
The insurance market has responded to these risks with special coverage written to address this type of claim.3 Nevertheless, for those companies with CGL insurance and no special coverage, there is an opportunity to seek coverage for defense costs (or indemnity payments, in the event of a settlement or judgment) for third-party claims under standard CGL policy wording.4
Third-Party Claims Based on Disclosure of Private Information
To date, courts have been somewhat hostile to claims seeking to recover damages for security breaches, rejecting them on the grounds that the plaintiffs assert only speculative loss. See, e.g., Pisciotta v. Old Nat’l Bancorp, 499 F.3d 629, 634 (7th Cir. 2007) (compromise of personal information was not a “compensable injury” as required for negligence or breach of contract under Indiana law).5 Nevertheless, there is no guarantee that all such claims will fail, and due to the wide variety of common-law and statutory provisions addressing this subject, it is likely that a significant number of such claims will survive early stages of litigation and potentially proceed to final resolution.6
For example, the United States District Court for the Northern District of Illinois recently declined to dismiss a putative class action alleging violations of the Fair Credit Reporting Act and an Illinois privacy statute, along with a common-law invasion of privacy claim. Rowe v. Unicare Life and Health Insur. Co., 2010 U.S. Dist. LEXIS 1576, 09-C-2286 (N.D. Ill. Jan. 10, 2010). In Rowe, the defendant health insurance providers advised individual plan members that some of their personal information inadvertently had been made available online to the general public. The private information included Social Security numbers, as well as medical and pharmacy information for the members and their dependents. There was no allegation that any of the information actually had been accessed or used, but simply that it had been made available online to persons who did not have the right to see it.
Among other things, the plaintiff claimed damage due to anxiety and emotional distress, an increased risk of future identity theft, and invasion of privacy. With respect to the invasion of privacy claim, the plaintiffs alleged:
As alleged herein, Defendants allowed Plaintiff’s and the Class’ PHI [Private Health Information] records to be published via the Internet without such persons’ knowledge, authorization or consent. The publication of such private facts and information is one that is highly offensive or objectionable to a reasonable person of ordinary sensibilities. The publication of such private facts and information does not include information which is of a legitimate public concern.
Defendants violated the rights of privacy of Plaintiff and the Class by publishing Plaintiff’s and the Class’ PHI records without their consent on the Internet where they were accessible to third parties.
The defendants moved to dismiss the complaint, contending that the plaintiff had not alleged injury or damage adequate to state a viable claim under any of the theories asserted. The district court denied the motion and allowed the case to proceed to discovery. In particular, the court determined that the mere “availability” of private information in a publicly accessible place (an unprotected part of the defendants’ web site) might be enough to constitute a “communication” of private information for purposes of the Fair Credit Reporting Act. The court observed that, under a standard dictionary definition of “communication,” if a simple expression of information is sufficient to constitute a “communication,” then “the issue of whether anyone accessed the [private] information may be irrelevant.” Id. at 4. Because the court was ruling on a motion to dismiss, it held out the possibility that, if the evidence established that private information actually was not accessed by any third party, then the FCRA claim might fail. The district court also permitted the case to proceed based largely on alleged emotional harm and an increased risk of future harm.
Addressing the common-law invasion of privacy claim, the court permitted the plaintiff to proceed based on asserted nonpecuniary harm (i.e., emotional or reputational harm). The court provisionally accepted the notion that a negligent or inadvertent disclosure of protected information, even if not accessed by unauthorized persons, was a “publication” of information sufficient to allege an invasion of privacy claim under Illinois common law.7
It is likely that future statutory claims will be coupled with common-law invasion of privacy claims. A recent example is the class action lawsuit against Netflix, Inc. over customer movie rental data that allegedly could be “de-anonymized” in order to access private information. Although the complaint primarily asserts statutory claims under the Video Privacy Act and other statutes, the plaintiffs also assert a common-law breach of privacy claim. Valdez-Marquez, et al. v. Netflix, Inc., C09-05903 (N.D. Cal. 2009) (filed Dec. 17, 2009).8 As discussed below, claims such as these would appear to fall quite clearly within the basic CGL coverage grant for personal and advertising injury. Under the law of most jurisdictions, the defendant company therefore would be entitled to coverage of defense costs for all of the claims asserted against the company until such time as the covered claims are dismissed or, at a minimum, until there is a clear basis for allocation of defense costs among covered and noncovered claims.
CGL Coverage for Disclosure of Private Information
The foundation for coverage under the CGL policy form is in the Side B coverage for personal and advertising injury. See, e.g., ISO CG 00 01 12 07 (“We will pay those sums that the Insured becomes legally obligated to pay as damages because of ‘personal and advertising injury’ to which this insurance applies.”). Whereas Side A coverage provides coverage for bodily injury and property damage, the “personal and advertising injury” found in Side B covers somewhat less common types of claims. In particular, the standard definition of “advertising injury” provides, in pertinent part:
14. “Personal and advertising injury” means injury, including consequential “bodily injury”, arising out of one or more of the following offenses:
* * *
e. Oral or written publication, in any manner, of material that violates a person’s right of privacy . . . .
The CGL form does not provide a definition for “injury,” although it seems clear that the term means something more than “bodily injury,” since injury “includes” (but is not limited to) consequential bodily injury.9 And, as observed by the court in Rowe, a plaintiff asserting a breach of privacy claim might be able to recover based on damages for emotional distress that are not linked to other bodily injury or to pecuniary loss. Rowe, slip op. at 16; see also Creative Hospitality Ventures, Inc., v. United States Liability Insurance Co., 655 F. Supp. 2d 1613 (S.D. Fla. 2009) (“advertising injury” is different from “bodily injury” and could include a violation of one’s privacy interest in credit card information), adopted in part, ruling reserved in part, 655 F. Supp. 2d 1316 (S.D. Fla. 2009) (Zloch, J.).
A question likely will arise as to whether an unknowing, unintended, or inadvertent release of information—or indeed a theft of private information—can fulfill the requirement of “publication” necessary both to support a claim and to invoke coverage for the publication.10 As discussed above, the Rowe court held in the context of a motion to dismiss that it might be satisfactory simply for the information to be available to the public in order for it to be “communicated” within the meaning of the FCRA.11
A federal magistrate judge for the United States District Court for the Southern District of Florida recently considered the concept of “publication” under the standard CGL wording, concluding that the phrase “publication, in any manner” is so broad that it does not require public dissemination. Creative Hospitality Ventures, Inc. v. United States Liability Insurance Co., 655 F. Supp. 2d 1319 (S.D. Fla. 2009) (Rosenbaum, U.S.M.J.), adopted in part, ruling reserved in part, 655 F. Supp. 2d 1316 (S.D. Fla. 2009) (reserving ruling on determination that publication requirement had been fulfilled) (Zloch, U.S.D.J.). The magistrate judge observed that publication for purposes of insurance coverage is not limited to the concept of publication required for defamation, ruling that even a disclosure to the owner of the information stated a satisfactory allegation for purposes of the duty to defend and, potentially, to indemnify. Id. at 9–11.12
As shown by the magistrate judge’s opinion in Creative Hospitality Ventures, tort-law definitions of “publication” do not necessarily strictly control the meaning of “publication” for purposes of insurance coverage. Nevertheless, tort-law references can still be useful in making a coverage determination. For example, the Restatement (Second) of Torts provides guidance on the meaning of publication in the context of defamation law. The Restatement view is that, as long as defamatory information is revealed by way of negligence, that is sufficient to constitute publication. Restatement (Second) of Torts §577 (“Publication of defamatory matter is its communication intentionally or by a negligent act to one other than the person defamed.”). One of the examples given by the Restatement is that of a cartoonist who leaves a defamatory drawing on his desk in the middle of an office where passersby can see it. Id. cmt. k(5). Likewise, if an underlying claimant is able to show that a company has negligently allowed private information to be accessed by the outside world, it is likely that a strong argument for “publication” can be made.
Limitations on Personal and Advertising Injury
Of course, it is not enough simply to analyze the CGL coverage grant for purposes of determining whether a data breach claim might be covered. The other policy terms also must be considered.
In particular, there is an exclusion for “knowing” violations of another’s rights.13 Under the type of claim addressed here, however, the policyholder is not likely to have knowingly published or released the private information of the underlying claimants. Instead, the underlying cause of the breach is likely to have been negligence or theft, as in the case of a lost or stolen laptop computer. Therefore, this standard exclusion to personal and advertising injury coverage should not apply, because the policyholder would not possess the requisite advance knowledge.
Another limitation on coverage under personal and advertising injury is that the injury must be caused by an “offense” arising out of the policyholder’s business that is committed in the coverage territory during the policy period. This type of requirement ought to be readily satisfied by most data breaches. A further coverage limitation that sometimes is asserted is that the conduct creating liability must have occurred in the course of the policyholder’s “advertising.” That is, an insurer might take the position that the policy does not provide coverage unless the publication in dispute is an “advertisement.” This limitation does not, however, apply to the “invasion of privacy” coverage under the standard wording. When an invasion of privacy is asserted, the coverage responds to “oral or written publication, in any manner, that violates a person’s right of privacy,” and no restriction to advertising conduct exists.14
The magistrate judge in Creative Hospitality Ventures discussed the distinction between invasion of privacy coverage and other advertising injury. There, the insurers contended that publication could only occur in the context of an “advertisement.” Id. at 1328 n.6. The court rejected this argument, stating:
This idea does not assist the Court, however, as the definition of “personal and advertising injury” does not necessarily require a covered injury to be incurred as a result of an “advertisement.” . . . Nothing in these descriptions [of covered forms of conduct and injury] requires that such injuries be incurred as the result of an “advertisement.”
A final exclusion that should be considered is Exclusion (p), which is entitled “Distribution of Material in Violation of Statutes.”15 As it pertains to personal and advertising injury, the exclusion eliminates coverage for injury arising directly or indirectly from actual or alleged violations of the Telephone Consumer Protection Act, the CAN-SPAM Act, and other statutes, ordinances, or laws that prohibit the sending, transmitting, communicating, or distribution of material or information. This exclusion initially appeared as a standalone endorsement but now is incorporated into the basic policy form.16 It was interpreted by the magistrate judge in Creative Hospitality Ventures to exclude coverage for claims under the Fair and Accurate Credit Transactions Act, 15 U.S.C. § 1681c(g). 655 F. Supp. 2d at 1339–40.17 The exclusion does not, however, purport to address common-law breach of privacy claims, and it will be a matter for litigation to determine exactly what the reach of this exclusion will be.
When a third-party claimant alleges a data security breach involving a failure to safeguard private information, a corporate insured should look not only to any specialty coverage but also to its CGL policies to see if there is a prospect of coverage. Indeed, once a data breach is known, a prudent policyholder will seek advice as to whether notice to insurers is advisable even before a claim is asserted. Any complaint is likely to assert several theories of recovery, including both statutory and common-law claims. As long as one of the asserted claims appears to involve coverage, then the policyholder may have a viable argument for reimbursement of defense costs. Moreover, if the underlying claim proceeds toward full resolution, the policyholder may also have a basis for indemnification.