

Vol. 3, Iss. 6
April 1, 2014


CGL And Data Breach:
Taking A Different Approach Than –
Is There Publication Of Material That Violates A Person’s Right Of Privacy?


Lately the coverage world has been abuzz over the New York trial court’s decision in Zurich American Ins. Co. v. Sony Corp. of America -- the first decision to address in earnest whether a commercial general liability policy provides coverage for the loss of a company’s customers’ personally identifiable information on account of a hacking incident. Not since the Betamax has anything involving Sony generated this much interest.

Insurers generally argue that such hacking incidents are not covered under a CGL policy and policyholders should look to stand-alone Cyber Liability policies for redress. Policyholders say not so fast. They maintain that the loss of personally identifiable information qualifies for coverage under the “personal and advertising injury” section of a CGL policy because it is “oral or written publication, in any manner, of material that violates a person’s right of privacy.”

This issue has been debated at length, and the Sony decision has been analyzed more than the Federalist Papers by counsel working in this area who are looking for any guidance on what impact the decision may have on the future landscape.

It is understandable that the Sony decision (actually, a lengthy argument transcript) is generating so much attention. The question whether a commercial general liability policy provides coverage for the loss of personally identifiable information on account of a data breach is here to stay – at least for the moment. Data breaches are on the rise. The purchase rate of Cyber Liability policies is not high. And while ISO is soon to be introducing Data Breach exclusions as part of a CGL policy, it will take a little time before their impact is felt.

For all of these reasons, whether the loss of personally identifiable information, on account of a data breach, qualifies as “oral or written publication, in any manner, of material that violates a person’s right of privacy” is going to continue to generate interest. But what if there’s another way to address the issue? Take a look at National Union Fire Ins. Co. v. Coinstar, Inc., No. 13-1014 (W.D. Wash. Feb. 28, 2014).

While the Washington federal court’s decision in Coinstar is not a hacking coverage case, it does involve the release of a company’s customers’ personally identifiable information. And the court addressed the coverage issue without analyzing whether it was publication of material that violated a person’s right of privacy.

The case goes like this. “Redbox operates automated DVD-vending machines in various locations around the United States. In order to obtain a rental DVD, Blu-ray disc, or video game from a Redbox vending machine, customers input their personal information into the digital record system on the machines and pay via credit card.” Plaintiffs in an Underlying Action alleged that “Redbox maintains customers’ ‘personally identifiable information,’ including their name, billing and contact information, credit card numbers, and video rental history for indefinite periods of time after customers obtain rentals from Redbox kiosks. The [underlying] complaint further alleges that Redbox uses customers’ personal information for marketing purposes and discloses customers’ personal information to third parties without their express permission. Plaintiffs allege that this retention and disclosure of their personal information violates the [Video Privacy Protection Act].”

Redbox sought coverage under commercial general liability policies issued to Coinstar, Redbox’s parent. The court noted that the policies provided coverage for “oral or written publication, in any manner, of material that violates a person’s right of privacy.” However, the court did not address this aspect of the policy because it concluded that the exclusion for “Violation of Statutes in Connection with Sending, Transmitting, or Communicating Any Material Or Information” applied. This exclusion provided: “This insurance does not apply to any loss, injury, damage, claim, suit, cost or expense arising out of or resulting from, caused directly or indirectly, in whole or in part by, any act that violates any statute, ordinance or regulation of any federal, state or local government, including any amendment of or addition to such laws, that addresses or applies to the sending, transmitting or communicating of any material or information, by any means whatsoever.”

The court noted that “[t]he sole purpose of the VPPA is to protect consumers’ privacy by prohibiting the ‘sending, transmitting or communicating’ of their personal information ‘to any person’ except in specific, limited circumstances.” Thus, the court concluded, “any potential liability for Redbox would arise only from ‘act[s] that violate a[ ] statute that addresses or applies to the sending, transmitting or communicating of ... material or information.’” Therefore, the court held that, under the unambiguous terms of the exclusion, there was no basis for Redbox to obtain coverage.

How is this relevant to a data breach, on account of a hacking incident, that results in the loss of a company’s customers’ personally identifiable information? A data breach is likely to result in a claim that an insured violated a statute, ordinance or regulation that addresses or applies to the sending, transmitting or communicating of any material or information. There are certainly statutes on the books that could apply to loss of individuals’ personally identifiable information. At a minimum there are statutes that require the giving of timely notice to affected individuals. Indeed, such statutes are likely attractive to plaintiffs in data breach cases as they may include a provision that allows for an award of attorney’s fees.

Thus, the exclusion for “Violation of Statutes in Connection with Sending, Transmitting, or Communicating Any Material Or Information” could apply to a statutory claim related to the loss of a company’s customers’ personally identifiable information. But, you say, a hacking incident is different, because the hacker’s actions do not qualify as “sending, transmitting or communicating” of personally identifiable information. Why not? The exclusion does not state that it has to be the insured who did the sending, transmitting or communicating of material or information. Further, the exclusion states that the sending, transmitting or communicating of material or information could be “by any means whatsoever.” A hacker’s actions that give rise to sending, transmitting or communicating are “by any means whatsoever.”

 
Copyright Randy Maniloff All Rights Reserved