OneBeacon America Insurance Company filed a declaratory judgment (DJ) action against retailers Urban Outfitters and Anthropologie in federal court in Pennsylvania on September 10, 2013. The retailers have been sued in “Zip Code Actions” brought by consumers alleging that the stores request zip codes when completing credit card transactions, a practice that allegedly violates consumer protection and privacy laws in the District of Columbia, Massachusetts and California. (OneBeacon Declaratory Judgment Complaint)
The complaint seeks a declaration of no coverage for defense or indemnity under the OneBeacon CGL and Umbrella policy primarily because: (1) the ZIP Code Actions do not allege ‘personal and advertising injury’ as defined in the policy; (2) the policy excludes recording and distributing material information that violates the law; and (3) the policy excludes known violations.
This case comes less than a month after Liberty Mutual filed a DJ in Missouri against Schnuck Markets, also seeking a declaration of no coverage under a CGL policy for the grocery chain’s data breach.
These two coverage disputes arise from different facts but they both demonstrate potential problems when a privacy/data security dispute is tendered under a traditional CGL policy. Companies that believe they already have coverage for privacy/data disputes may want to take a look at these lawsuits and compare them to their own business risks and their current wordings.
At least three class action lawsuits have been filed, two in state court and one in federal court, after Advocate Medical Group in Illinois reported four stolen laptops containing protected health information of 4 million patients. The breach is believed to be the second largest loss of unsecured PHI since mandatory reporting began in 2009.
On July 15, 2013, four password-protected but unencrypted laptops were stolen from Advocate’s offices outside of Chicago. The laptops allegedly contained names, addresses, dates of birth, social security numbers, medical diagnoses and health insurance information of 4.03 million patients.
About a month later, Advocate began notifying affected individuals by letter. Advocate offered credit monitoring, established a call center, created a website and stated that it had enhanced security measures and conducted a thorough review of its policies.
The federal complaint was filed August 30, 2013 in the US District Court for the Northern District of Illinois (Advocate Class Action - Federal Court). The state court actions were filed in Cook County, Illinois on September 4, 2013 (Advocate Class Action State Court (Lozada)) and on September 5, 2013 by the Clifford Law Office (Advocate Class Action State Court (Petrich)).
The breach is also being investigated by the federal OCR and the Illinois Attorney General’s office.
There is an increasing number of reported breaches in our school systems. Just this past July:
•Ferris State University in Michigan reported that PII for 39,000 students and employees was briefly exposed after an unauthorized entry into its system. (Ferris State Breach)
•A high school in North Carolina’s Guilford County inadvertently disclosed the PII of 456 students in a mailing sent to one student. (North Carolina High School Breach)
•The University of Delaware may be looking at upwards of $19M to handle a network breach that exposed the PII of an estimated 72,000 individuals. (University of Delaware Breach)
Data breaches at schools seem to be shrugged off even by those writing and selling insurance:
–schools do not have enough money to secure networks or train personnel;
–identity theft is not a concern for students who grew up in a cyber world and expect breaches;
–breaches do not happen at the high school or elementary school levels and even if they did, only Higher Ed stores PII.
This thought process – a data breach cannot happen to me – has dotted the cyber/privacy field since the beginning: it is a problem for the big players like Sony; or, if the Pentagon can be hacked, how can an SME possibly protect itself; or, it is not a concern unless your data is regulated by the government, as with a bank or hospital.
But even the brief history of data breaches has taught us this lesson – no entity or industry is immune from cyber breach, and the cost of doing nothing will be much higher than the cost of preparing. Expenses of a breach and damage to reputation are difficult to control, especially for the unprepared. Even if college students are complacent about a data breach, the faculty, alumni and parents are not, especially if the parent’s bank account is the one breached. Many school administrators recognize that data security is an important issue but they need help dealing with it.
Liberty Mutual has sued Schnuck Markets, denying indemnification obligations under a CGL policy for Schnuck’s data breach involving 2.4 million credit and debit cards.
In April 2013 Schnuck reported a data breach involving approximately 2.4 million credit and debit cards used at 79 grocery stores between December 2012 and March 29, 2013. Since then, eight lawsuits (including class actions) have been filed against Schnuck, along with a number of demands for damages. The grocery chain tendered the lawsuits and notices of claims to Liberty Mutual.
On August 16, 2013 Liberty Mutual filed a DJ action against Schnuck in federal court in Missouri seeking a declaration that it owes no coverage under an excess CGL policy effective July 1, 2012-2013. The complaint, portions of which are redacted, asserts that no coverage exists under either Coverage A or Coverage B of the Liberty Mutual policy because:
•there is no allegation of “bodily injury” or “property damage” in the lawsuits or demands;
•the “expected or intended” exclusion applies;
•the relief sought by claimants does not constitute “damages”;
•the “contractual liability exclusion” applies;
•the damages are not the result of oral or written publication or materials;
•Schnuck violated the “known loss and fortuity doctrine” when it delayed reporting the breach;
•the “offense” was not committed during the policy period; and
•the claims arose out of first publication before the policy period.
This coverage litigation is a good example of what may happen when a business does not purchase “cyber” coverage because it believes a breach is covered under its CGL policy. Even if there is eventually a finding of coverage, how much does a company pay out-of-pocket in the meantime to correct the breach, notify customers, defend class action lawsuits, respond to notices of claims and litigate a DJ action? Companies may find themselves out of cash before they can even start to repair damage to their reputation or market brand.
Earlier today Kari Timm moderated a panel on cyber risk and insurance for law firms and other professional firms during the 2013 PLUS Professional Risk Symposium. To see a short video discussion on cyber risks for professional services firms from the 2013 PLUS Professional Risk Symposium please visit the PLUS Blog (http://plusblog.org/2013/04/10/cyber-risk-and-professional-firms/).
The influential Ninth Circuit Court of Appeals recently issued an important decision in a “watershed case” regarding the expectation of privacy in password protected electronic devices. US v Cotterman
Handed down on March 8, 2013, US v Cotterman involved the border search of a registered sex offender entering the US from Mexico. When agents were unable to access the password-protected files, DHS shipped the laptop to a forensics office 170 miles away. Once opened, the protected files revealed evidence of criminal behavior leading to Cotterman’s arrest.
In upholding the search, the Court of Appeals devoted much of its 82-page opinion to the issue of electronic data. The court found that the uniquely sensitive nature of data on an electronic device carries with it a significant expectation of privacy, rendering an exhaustive exploratory search more intrusive than a search of other forms of property.
There are many distinct aspects to this case, including its criminal, not civil, nature and the “border exception” to search and seizure rules. But the case has implications for civil privacy-related litigation because it acknowledges the inherent value of data stored on electronic devices, equating data with “personal pages in the words of the Constitution.” The court noted that data persists well beyond the point of erasure, because browsing histories can be tracked, and that storing data in the cloud is particularly problematic when addressing expectations of privacy.
Many civil actions are dismissed because plaintiffs cannot establish an injury to a legally protected right or damages when data is lost or breached. Many courts see loss of data as a hypothetical or future loss that is not recoverable in the here-and-now.
What US v Cotterman gives plaintiffs is a legally protected right: an expectation of privacy deserving of constitutional protection. Civil cases may still fail for lack of demonstrable harm, but cases like US v Cotterman show a heightened judicial awareness of the value of electronic data.
The Seventh Circuit Court of Appeals ruled on January 11, 2013 that there is no coverage under a homeowner’s policy for an employee of an accounting firm who had a CD stolen from her car. The CD contained financial information and other PII of 30,000 members of a pension fund and client of the accounting firm. The pension fund incurred more than $200,000 for credit monitoring and related mitigation expenses. It sued the accounting firm but also named the employee individually for negligently safeguarding the data. The employee tendered the claim to her homeowner insurer, Nationwide Insurance, which denied coverage on grounds that the policy excludes coverage for (i) damage to property “in the care of” the insured and (ii) a claim arising out of or related to a “business” engaged in by the insured. Applying Illinois law, the Court of Appeals affirmed the finding of no coverage based upon the two policy exclusions.
A company seeking to recover all the costs that come with loss or theft of PII, such as credit monitoring, notice, etc., will “follow the money” by looking to as many insurers as possible. In this case the pension fund also sued the accounting firm, but the employee’s coverage dispute would have been expensive. Who paid to pursue the DJ action through the court of appeals? Are employers at risk of having to defend employees in coverage disputes arising out of work-related cyber breaches? The fact pattern in Nationwide is a common, probably daily, occurrence, and a scenario employers and their insurers should consider in advance.
Nationwide Insurance v Central Laborers’ Pension Fund (Case No. 12-1784).
In addition to the near-daily reports of more breaches, new laws and controversial workplace privacy issues, there have been three significant developments involving cyber and privacy already in 2013.
1. On January 17, 2013 the Department of Health and Human Services released its final “omnibus” rule in relation to HIPAA, effective March 26, 2013. The sweeping rule implements privacy regulations, increases penalties for HITECH violations, modifies breach notification rules, restricts disclosure of genetic information and expands the definition and responsibilities of business associates.
2. In his State of the Union address on February 12, 2013 President Obama unveiled an Executive Order on Cybersecurity. An executive order does not carry the force of a statute; it directs federal agencies and mostly encourages voluntary conduct by the private sector. But the order raises awareness of threats to critical infrastructure, balanced against the preservation of privacy and civil liberties.
3. On February 17, 2013 Mandiant, a US security company, released a report detailing massive espionage against US companies by hackers associated with the Chinese military under the name “Unit 61398.” The scope and pervasiveness of this type of hacking reminds all businesses that they must take cyber threats seriously and implement preventative measures, because the risk is not only to third parties but also to their own intellectual property.
Looking further at the crystal ball and what may catch our attention in 2013, let’s consider Privilege.
Assume a breach of PII from an organization. The internal investigation team is likely to consist of in-house counsel, an IT group and a “C-suite” executive. Are communications with in-house counsel privileged?
As with most things, it depends – on the jurisdiction and on whether the communications allow the attorney to provide a legal service to the corporation. This is a narrowly construed test because most courts take into account the mixed legal and business functions of in-house counsel. So communications about a data breach with in-house counsel may not be privileged.
Are documents created during an internal investigation of a privacy breach privileged? Generally no. Ordinary business documents that would have been prepared regardless of whether the recipient is an attorney are not protected.
What about work product? If a business hires outside counsel to advise on legal issues in a breach, then the advice may be protected as attorney client privilege and/or work product. The difference between them is whether the work of outside counsel was performed “in anticipation of litigation.”
What if an insurance policy names a data forensic company to immediately help control a breach? Is their report privileged? Unlikely.
What if the forensic company is retained by the insurer’s counsel? Then the report may be work product and protected, unless, for example, the forensic company were to testify.
But having the forensic company controlled by a lawyer may frustrate the goal of identifying and fixing a breach as soon as possible, if the lawyer must first vet its decisions and analyses.
Born December 19, 2012 to Krista (our blog co-author and webinar master) and Josh Figlewicz. Congratulations!