Not a day goes by it seems without news of a cyber attack resulting in the release of 4 trillion people’s personal information. It has gotten to the point where one’s identity could seemingly be stolen several times a month. Perhaps the solution for identify theft is to simply wait for your fake identity to be stolen. Clearly not all data breaches -- and probably most do not -- cause any identifiable or quantifiable harm to the person whose personal information was so-called “compromised.” After all, for decades there was a major breach of personal information that didn’t seem to bother anyone – it was called The White Pages.
Looking at the insurance side of things, it has also been all-cyber all-the-time. Insurers have been actively marketing cyber insurance policies and coverage professionals have been analyzing the claims – real and potential. We are likely on the cusp of lots of coverage claims, and possible disputes, under all of these new-fangled cyber policies that are being sold. For now, the cyber/data breach coverage issues have been tied to plain old commercial general liability policies. [But this will likely diminish soon on account of data breach exclusions being added to CGL policies, in addition to the popularity of specialized cyber policies.]
While cyber/data breach coverage cases under CGL policies are not long for this world, last week’s decision from an Oregon trial court demonstrates the fun that we’ll be missing. In Oscines v. Mt. Hood Insurance Company, Circuit Court of Oregon, Benton County, No. 1401-426 (July 2, 2015), the Oregon trial court addressed the potential for coverage, for a data breach, under a commercial general liability policy. The coverage dispute arose out of the following situation, as described in the underlying complaint at Billingsley v. Oscines, LLC, Circuit Court of Oregon, Benton County, No. 1401-125.
Chuck Billingsley was an accountant in Corvallis, Oregon. But his hobby was far removed from counting beans. Billingsley participated in “tough guy” competitions. As the court described it, the participants compete in races while hauling heavy and bulky items such as truck tires and bricks. Other competitions involve tearing phone books, pulling trucks, lifting boulders and chopping wood. The court made the point, for a reason, that being a “tough guy” had become Billingsley’s ingrained identity.
Billingsley kept his music library on a music server called Oscines (Latin for song bird). In October 2013, Oscines’s server was hacked and the identity of all of its users, and the contents of their music libraries, became public on the internet. As a result, it became known that Billingsley’s music library included several albums from Barry Manilow, Neil Diamond, Abba and the Carpenters. The information also revealed that Billingsley had once played Copa Cabana 32 times in a five hour period. This resulted in Billingsley being teased by other “tough guy” competitors. He also alleged that a co-worker hummed Dancing Queen when he walked into a meeting and that the disc jockey at the company’s holiday party played The Carpenters’s Rainy Days and Mondays and dedicated it to him. Billingsley alleged that the release of this information, given his public persona as a “tough guy,” caused him extreme emotional distress. Billingsley filed suit against Oscines seeking damages for invasion of privacy.
Oscines tendered the suit to Mt. Hood Insurance Company and sought coverage under a commercial general liability policy. Mt. Hood denied a defense on the basis that the allegations against Oscines, in Billingsley’s suit, did not trigger coverage. Specifically, Mt. Hood argued that Billingsley was not injured on account of the “oral or written publication, in any manner, of material that violates a person’s right of privacy.” So the insurer’s argument went, the Billingsley suit did not seek damages for “personal and advertising injury” to trigger coverage under the CGL policy. Shortly after the denial of coverage, Billingsley and Oscines settled the matter for $65,000. Oscines then filed suit against Mt. Hood for the recovery of the settlement amount and $8,000 in defense costs.
The parties in the coverage dispute filed competing motions for summary judgment. The trial court in Oscines v. Mt. Hood held that Billingsley had alleged that he was injured on account of “oral or written publication, in any manner, of material that violates a person’s right of privacy.”
First, the court concluded, despite Mt. Hood’s argument to the contrary, that there had been oral or written publication, in any manner, of material. Mt. Hood argued that there is nothing oral or written about the actions of a hacker and subsequent release of information on the internet. As Mt. Hood saw it, hacking does not involve speaking or the written word. The court pointed to the “in any manner” language and concluded that its intent was to not limit publication so specifically.
The court also rejected Mt. Hood’s argument that the contents of one’s music library is not personal, such that its release to others qualifies as an “invasion of privacy.” The court looked at this issue closely. The opinion suggests that this may in fact be the case in some situations, but not here. Given that being a “tough guy” was such a significant part of Billingsley’s identity, knowledge by others that he had huge collections of music by Barry Manilow, Neil Diamond, Abba and the Carpenters was sufficient to qualify as an invasion of privacy.
The decision is a Beautiful Noise for Oscines and Song Sung Blue for Mt. Hood.
Let’s end it with this:
I’m on the top of the world looking down on creation
And the only explanation I can find
Is the love that I’ve found ever since you’ve been around
Your love’s put me at the top of the world
Good luck getting that out of your head before Thursday. Sorry.