SteveK November 16th, 2009
By
Steven A. Kunzman, Esq.
And
Todd B. Ruback, Esq., CIPP
Privacy Overview
The pervasive use of the Internet as a business platform and for the collection, use and transmission of personal information presents fertile ground for the growth in claims arising from data breaches and improper privacy practices. As these claims arise, they will undoubtedly be tendered to insurers for defense and indemnification under various commercial policy forms, including those recently developed to provide coverage for privacy claims.[1] Insurance companies must be cognizant of the changing winds on the privacy landscape. Due to increasing regulatory compliance requirements and a spike in privacy related litigation flowing from record setting data breaches, organizations and insurance carriers will undoubtedly be faced with privacy as a significant risk component to business. According to Verizon Business’s 2009 Data Breach Investigation Report, 2008 saw more reported data breaches than the previous four years combined, with 285 million records breached. [2] The Poneman Institute estimated in its 2009 Annual Study that the average cost for a data breach exceeded $200 per record for organizations that were first time victims of a data breach.[3] Numerous class action suits for privacy violations have been filed, the most famous of which is against Heartland Payment Systems, for a massive breach caused by external hackers.[4] Additionally, the FTC and Attorneys General of states across the country appear to be stepping up enforcement actions against companies for improper privacy practices.
The likelihood of an organization facing a privacy-related claim for liability or a regulatory enforcement action for improper privacy practices has increased significantly. Concordantly, claims for coverage under insurance polices will increase significantly over the coming years. Although the present anticipated harm to any individual does not appear to be significant, these claims will have an impact on an insurer by increasing costs for claims processing, investigation, incident response management, complying with statutorily required breach notification processes, litigation defense and payment of claims, particularly the costs for any class action claims.
Privacy Litigation and its Impact Upon the Insurance Carrier
Some background in privacy issues is helpful to put these potential claims into an understandable context. There are two components to privacy: data protection and privacy practices. Both components are governed in large part by either regulation or statute, and in some cases by common law.
Data Protection: Data Protection encompasses the security of data that contains personal information. There are generally three elements to security: technical, physical and administrative. Industries such as financial services and healthcare have security standards as respectively enumerated in the Gramm-Leach-Bliley Act (GLBA) and Health Insurance Portability and Accountability Act (HIPAA). Further, the payment card industry has created its own technically objective security standard, PCI-DSS, which applies to many organizations that accept payment cards.
A security breach may take many forms, some of which include the unauthorized access to personal information by an external source such as a hacker or an outsourced service provider, the unauthorized access to personal information by an internal source such as an employee or contractor, or something as simple as the theft of a company laptop that contains personal information
Private party lawsuits against companies for failing to protect data due to deviation from certain standards are based upon a negligence theory. To date plaintiffs have had difficulty prevailing on negligence claims, although there have been numerous and significant settlements.[5] The challenge plaintiffs have faced is in proving actual damages that were proximately caused by the defendant’s failure to protect personal information.6 Some courts, however, are beginning to view data breach litigation in a similar light to toxic tort medical monitoring claims in that the threat of future harm may be sufficient to sustain a claim.7 If this “future risks” approach to data protection litigation gains traction, then insurance companies can look forward to more protracted and costly litigation, with the potential for significant jury awards under the class action umbrella.
Privacy Practices: Privacy practices that may be subject to claims include: improper collection, use, or transfer of personal information; the improper collection of information using unauthorized cookies, spiders, spy ware, or other technological means; failure to protect personal information according to a company’s posted online privacy statement; having a privacy statement that does not meet regulatory requirements8 spamming, improper faxing or telemarketing, and the commission of privacy torts such as the invasion of privacy. For companies that transact online business in not only the United States, but also the European Union (EU) where the laws on privacy practices are greatly different, compliance become complex and risk of an improper privacy practice rises greatly.
Companies committing improper privacy practices are often subject to multiple layers of penalties or fines not only in the EU but also in the United States. For example, if a company fails to protect personal information according to its posted online privacy statement, it may be subject to an investigation and penalties from both the Federal Trade Commission (FTC) and state authorities for unfair/deceptive online trade practices,9 in addition to the potential private claims for violations of state consumer protection laws. In essence, a company may pay three times for the same transgression in the US. Although insurance policies generally exclude coverage for regulatory or enforcement actions by governmental bodies, the exposure is presented in private litigation, which may require aggressive defense of the regulatory claim. It appears, however, that some of the new privacy insurance policies may offer coverage for regulatory matters.
Insurance Coverage: Coverage Part B of a typical Comprehensive General Liability (CGL) insurance policy generally includes coverage for damages cause by “personal injury” and “advertising injury.” Although those representing the insured often consider this section of the insurance policy to provide an expansive grant of coverage, this coverage is usually considered by the insurer to be limited to a number of specified claims such as personal injury, which is often defined in a CGL policy as “an injury arising out of…violation of an individual’s right of privacy.” Part B of the policy states that the insurance applies to personal injury if “caused by an offense…[a]rising out of the conduct of your business, excluding advertising, publishing, broadcasting or telecasting done by or for you.” These policy forms were surely designed without any contemplation of the current risks since they have only come into existence with the pervasive use of computers and the Internet to transact business. In addition, there may be issues as to when the “injury” has taken place; at the time of the breach or the time when the personal injury is actually sustained. In order to be able to properly evaluate and assume the risks some insurers have, therefore, developed policies to specifically address the risks presented. Undoubtedly if claims continue to rise and develop as anticipated, insurers may dispute coverage and/or respond to the claims being asserted based upon polices that, at the time of issuance, did not envision the present risk of injury caused by data breach. Management of the risk therefore requires a thorough understanding of the nuances of the laws and requirements of best of breed privacy practices
Conclusion
The changing privacy landscape will have a tangible impact on an insurance carrier’s costs of responding to claims under the personal injury and advertising portions of the CGL policies and under specifically designed policies. Foresight in addressing these
risks and an understanding of the landscape of privacy laws and issues will be an
essential component to underwriting the risks and defending the claims.
End Notes
[1] Zurich North America Commercial Expands Security, Privacy Insurance Coverage, http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=218400572
2 Verizon Business 2009 Data Breach Investigations Report, By Wade Baker, April 15, 2009
3 Poneman Institute’s Fourth Annual US Cost of Data Breach Study, By Dr. Larry Poneman, January 2009
4 In Re: Heartland Payment Systems, Inc. (626 F. Supp 2d 1336; 2009 U.S. Dist. LEXIS 81493) (Order
granting consolidation of class action lawsuits.)
5 See, In re TJX Cos. Retail Sec. Breach Litig., 246 F.R.D. 389; 2007 U.S. Dist. LEXIS 87920 (over $40M settlement) and Department of Veterans Affairs Data Theft Litigation, No. 06-0506 (D.D.C. January 27, 2009) ($20M settlement)
6 See, Forbes v. Wells Fargo Bank, N.A., 420 F. Supp2d 1018, 1021 (D.Minn.2006); Giordano v. Wachovia Sec., LLC., 2006 2177036 (D.N.J. July 31, 2006) (unpublished); Guin v. Brazos Higher Educ. Serv. Corp., Inc. 2006 WL 288483 (D. Minn.) Feb 7, 2006 (unpublished); Hendricks v. DSW Shoe Warehouse, 444 F. Supp. 2d 775, 783 (W.D. Mich. 2006)
7 See, Pisciotta v. Old Nat. Bancorp, 499 F.3rd 629 (7th Cir. Aug. 21, 2007)
8 See, GLBA
9 See, Pinero v. Jackson Hewitt Tax Services, No. 08-3535 (E.D. La. Jan 7, 2009)
About the Authors
Todd B. Ruback, Esq. is chair of the Privacy and Technology Practice at the law firm of DiFrancesco, Bateman, Coley, Yospin, Kunzman, Davis & Lehrer, P.C. He is also a Certified Information Privacy Professional (CIPP) and thought leader in the area of privacy law. He has authored or co-authored numerous publications on privacy and is also a lecturer at various privacy seminars and conferences. He is a present nominee to be on the Board of Directors of the International Association of Privacy Professionals (IAPP) for the upcoming term of 2010-2015 and will be a speaker at the IAPP International Privacy Convention to be held in Washington, D.C. in April 2010, where he will lecture on trends and risk in privacy litigation.
Steven Kunzman, Esq. is the chair of the Insurance Coverage Practice of the law firm of DiFrancesco, Bateman, Coley, Yospin, Kunzman, Davis & Lehrer, P.C. He has been providing counsel and representation to insurance companies on insurance coverage matters and defense to insurance company clients for over 25 years.
Tags: insurance law new jersey, Privacy Law, Technology Law
