Insurance for Data Security Breaches And Consumer Privacy Claims

By Reynold L. Siemens and Tanya Forsheit
June 24, 2009

Every other day we read about some new data security breach or proposal to regulate the use of consumers' private data. However, there is good news too: Most courts are intolerant of privacy claims brought by plaintiffs who have suffered no actual damage, and most companies have insurance for privacy claims without knowing it.

The Current Legal Landscape: Data Security Breach Litigation

In 2002, legislators across the country began passing laws requiring consumer notification when there is a security breach involving private information. As of February 2009, 44 states, the District of Columbia, Puerto Rico, and the U.S. Virgin Islands have passed security breach notification laws affecting private entities.

This legislation has spawned many lawsuits. Plaintiffs allege a variety of common law claims, including negligence, breach of contract, breach of implied covenant, and breach of fiduciary duty. Plaintiffs also bring claims for violations of state or federal consumer protection statutes or deceptive and unfair trade practices acts like the Fair Credit Reporting Act, Electronic Communications Privacy Act, or California's Business & Professions Code section 17200.

Courts are almost universally intolerant of claims brought by plaintiffs whose only alleged injury is an enhanced “risk of identity theft,” as opposed to actual damages. However, the courts are split, and even some of these claims may proceed to trial.

In Pisciotta v. Old National Bancorp, 499 F.3d 629 (7th Cir. 2007), the only published circuit court opinion to date, the Seventh Circuit ruled that, where the only “damages” alleged following a data security breach were the increased risk of future identity theft, or the costs of credit monitoring, a plaintiff had no case. The decision dealt a blow to so-called “identity exposure” plaintiffs seeking to recover damages stemming from the unauthorized disclosure of their personal information. In doing so, the Seventh Circuit joined a chorus of federal district courts that had already rejected credit monitoring costs as a form of cognizable injury sufficient to support legal claims for damages. See, e.g., Kahle v. Litton Loan Serv. LP, 486 F. Supp. 2d 705, 712-13 (S.D. Ohio 2007); Forbes v. Wells Fargo Bank, N.A., 420 F. Supp. 2d 1018, 1021 (D. Minn. 2006); Guin v. Brazos Higher Educ. Serv. Corp., 2006 WL 288483 (D. Minn. Feb. 7, 2006); Hendricks v. DSW Shoe Warehouse, 444 F. Supp. 2d 775, 783 (W.D. Mich. 2006).

In Shafran v. Harley-Davidson, Inc., 2008 WL 763177 (S.D.N.Y. Mar. 20, 2008), the court likewise dismissed the plaintiff's lost laptop lawsuit because it found that the alleged claimed injury – credit monitoring costs sought to protect against speculative identity theft that might occur because of the data loss – was not actual, legally cognizable injury. In so holding, the court noted that “[c]ourts have uniformly ruled that the time and expense of credit monitoring to combat an increased risk of future identity theft is not, in itself, an injury that the law is prepared to remedy.”

At least one court has found to the contrary. The Northern District of California has, in a published opinion, allowed claims to proceed even in the absence of actual injury. In Ruiz v. Gap, Inc., 540 F. Supp. 2d 1121, 1125-26 (N.D. Cal. 2008), the court found that an allegation of “increased risk of identity theft” from a lost Social Security number was sufficient “injury in fact” to establish standing and survive a motion to dismiss plaintiff's negligence claim. See also Pinero v. Jackson Hewitt Tax Serv. Inc., –F. Supp. 2d –, 2009 WL 43098 (E.D. La. Jan. 7, 2009) (dismissing all claims except for an invasion of privacy claim after data that had been given to defendant was found in a dumpster, but not misused). It remains to be seen whether more courts will follow the principles set forth in Pisciotta and the majority of district court cases, and cut these cases off at the pleading stage or on summary judgment, or whether they will be allowed to proceed to trial, even in the absence of a demonstration of actual loss.

Regardless of whether these cases proceed to trial, they can be expensive to defend. Most companies have insurance that may cover the costs, without even knowing it.

CGL Policies

An often-overlooked provision of the standard comprehensive general liability (“CGL”) policy carried by most companies promises to cover claims alleging “oral or written publication of material that violates a person's right of privacy.” The “right of privacy” claims covered under CGL policies include both common law and statutory claims. For example, courts have found CGL policies to cover claims that an insured disclosed confidential medical information in violation of state law (LensCrafters, Inc. v. Liberty Mut. Fire Ins. Co., 2005 WL 146896 (N.D. Cal. Jan. 20, 2005)), distributed consumer credit history information in violation of the Fair Credit Reporting Act (Am. Family Mut. Ins. Co. v. C.M.A. Mortgage, Inc., 2008 WL 906230 (S.D. Ind. Mar. 31, 2008); Pietras v. Sentry Ins. Co., 2007 WL 715759 (N.D. Ill. Mar. 6, 2007); Zurich Am. Ins. Co. v. Fieldstone Mortgage Co., 2007 WL 3268460 (D. Md. Oct. 26, 2007)), or shared data about users' Web browsing activities in violation of the Electronic Communications Privacy Act (Netscape Commc'ns Corp. v. Fed. Ins. Co., 2007 WL 2972924 (N.D. Cal. Oct. 10, 2007)).

Whether coverage exists for a particular kind of privacy claim depends on what the insurance policy means by “publication” and “right of privacy.” Not surprisingly, insurance companies have advocated that these terms be interpreted narrowly, while policyholders have advanced broad interpretations.

Insurance companies often contend that the “publication” requirement means that there can be no coverage absent a widespread distribution of private information to a large audience. Some courts have accepted this interpretation (especially when the policy language additionally required the publication to be in the context of “advertising”), but others have rejected it. For example, one court held that a company's disclosure of patients' private eye exam results to its affiliate for the purpose of dispensing prescription eyewear was a “publication.” The court explained that although the common law tort of invasion of privacy may require widespread disclosure, the word “publication” can refer to disclosure to a single person – as in defamation cases – and therefore is flexible enough to cover a “less than public dissemination of information.” See LensCrafters, 2005 WL 146896, at *10.

Another court confronted with a common variant on the standard policy language (covering the act of “making known” private information, as opposed to “publishing” it) held that a company's transmission of private data about its customers' Web browsing habits to its parent for the purpose of generating targeted advertising was potentially covered. Netscape, 2007 WL 2972924, at *6; cf. Res. Bankshares Corp. v. St. Paul Mercury Ins. Co., 407 F.3d 631, 641 (4th Cir. 2005) (holding that the “making known” language only applies if there is broad transmission). Many Telephone Consumer Protection Act or “junk fax” cases have held that the unlawful transmission of unwanted faxes to a plaintiff is a “publication” for purposes of CGL coverage, regardless of whether it involves the disclosure of information to anyone else. Park Univ. Enters., Inc. v. Am. Cas. Co. of Reading, PA, 442 F.3d 1239, 1250-51 (10th Cir. 2006).

Insurance companies also commonly argue that there is no coverage unless the publication discloses private information. Courts are split on this question, which they have addressed mainly in the context of claims for coverage of “junk fax” lawsuits. Some courts have agreed that there is no coverage for such suits unless they involve the publication of private information. See, e.g., Am. States Ins. Co. v. Capital Assocs. of Jackson County, Inc., 392 F.3d 939 (7th Cir. 2004); ACS Sys., Inc. v. St. Paul Fire & Marine Ins. Co., 53 Cal. Rptr. 3d 786 (2007) (same, under the “making known” language). Others have found coverage for such claims because the “right of privacy” encompasses not only the right of “secrecy,” but also the “right to be left alone.” See, e.g., Park Univ. Enters., Inc. v. Am. Cas. Co. of Reading, PA, 442 F.3d 1239, 1250-51 (10th Cir. 2006); Valley Forge Ins. Co. v. Swiderski Elecs., Inc., 860 N.E.2d 307 (Ill. 2006). Interestingly, some courts have also found coverage for “junk fax” suits under the separate “property damage” provisions of CGL policies, due to the loss of printer paper and ink and the loss of use of the fax machine involved in the receipt of unwanted faxes. See, e.g., Acuity v. Superior Mktg. Sys., Inc., 2003 WL 24004567 (Ill. App. Ct. May 30, 2003); Prime TV, LLC v. Travelers Ins. Co., 223 F. Supp. 2d 744 (M.D.N.C. 2002); cf. Western Rim Inv. Advisors, Inc. v. Gulf Ins. Co., 269 F. Supp. 2d 836 (N.D. Tex. 2003), aff'd, 96 Fed. Appx. 960 (5th Cir. 2004) (finding no coverage on the ground that the property damage was intended by the insured).

E&O Policies

Another kind of insurance that may cover privacy claims is errors and omissions (“E&O”) coverage, which typically promises to defend and indemnify the insured against claims alleging “acts, errors or omissions” in the course of providing a “professional service.” There are many variations on this theme: for example, Media Liability policies cover errors and omissions in connection with the insured's “media activities,” and Internet Liability policies cover errors and omissions in connection with the insured's “Internet activities.” Insurance companies are now even selling Security Breach policies specifically to cover errors and omissions in connection with handling of data.

Whether data security breach and other privacy claims are covered under such policies will depend largely on the individual policy's definition of the covered activity. Some policies limit their coverage to the conduct of one specific professional activity; insurers can be expected to argue that ancillary activities, such as administrative or marketing activities that might give rise to a security breach or privacy claim, are not covered. But E&O policies are often broadly written to cover essentially any business activity of the policyholder, or they are ambiguous, and such policies should be construed against the insurer that wrote them and in favor of coverage. See generally PMI Mortgage Ins. Co. v. Am. Int'l Specialty Lines Ins. Co., 394 F.3d 761 (9th Cir. 2005).

Assuming that the claim arises out of a kind of business activity that is covered, the coverage afforded by an E&O policy for privacy claims will generally be broader than CGL coverage in one key respect: it is not limited to “publications” that violate the “right of privacy.” For that reason, it may be easier to find coverage under an E&O policy for some kinds of privacy claims than it would be under a CGL policy.

There is another respect in which insurance companies may argue that E&O coverage for privacy claims is narrower than CGL coverage. Unlike CGL policies, which do not limit coverage to negligent disclosure, some E&O policies promise to cover only “unintentional omissions” and “negligent acts.” In one of the few decisions to date regarding the availability of E&O coverage for privacy claims, the court construed this language to preclude coverage for all but accidental privacy breaches. There, the insured sought coverage for a lawsuit alleging that it had violated a plaintiff's privacy rights by installing spyware onto his computer. In rejecting the insured's argument that it was entitled to coverage because its intentional conduct had caused unintended injury, and therefore was negligent, the court explained that the insured had intentionally installed the software but the policy language required that the insured's “act” be unintentional. Eyeblaster, Inc. v. Fed. Ins. Co., 2008 WL 4539497 (D. Minn. Oct. 7, 2008).

The Eyeblaster decision probably does not mark the beginning of a trend, for two reasons. First, most E&O policies are not restricted to “unintentional omissions” and “negligent acts”: They simply cover wrongful “acts” and “omissions,” and many affirmatively promise to defend the insured against allegations of intentional misconduct.

Second, in most jurisdictions, it is well-established that policy provisions limiting coverage to negligent conduct do not bar coverage for intentional conduct as long as it causes unintended injury. See, e.g., J.C. Penney Cas. Ins. Co. v. M.K., 278 Cal. Rptr. 64 (1991).

Conclusion

The bottom line is this. If you face a data security breach or other privacy claim, make sure your counsel is well-versed not only in privacy and data security law, but also in insurance. Tender the claim to your insurers and if they deny coverage, do not assume they are right. Depending on the language of your insurance policy and which state's law applies, you may have coverage without knowing it.


Reynold L. Siemens is a partner in the Insurance Coverage Practice Group at Proskauer Rose LLP, Los Angeles. Tanya Forsheit is a partner in the Privacy and Data Security Practice Group in the same office.

