Most customers of companies using the internet to reach their suppliers of goods and services agree that digital access provides enormous convenience and often reduced cost. But along with that, it also seems to provide an unending stream of lawsuits and regulations over storage and use of data and hacking into data bases. The latest addition to this stream of lawsuits is SS&C Tech. Holdings v. AIG Specialty Insurance Co., 2019 U.S. Dist. Lexis 194196 (S.D.N.Y. Nov. 5, 2019).
As previously discussed in this blog, the prevalence of these types of lawsuits shows that any company which stores or communicates arguably personal data needs specialized insurance to protect itself against such suits even if proper precautions are taken when handling the data. The lawsuits relating to coverage for cyber incidents that have been addressed in the last several months emphasize that, even though some traditional policies have been successfully used to recover for the defense and settlement of privacy lawsuits, there is a need for more specialized digital-specific policies that simply pay for all the expenses and indemnities associated with these lawsuits. Many of these suits do not even seek actual damages or require any fault on the part of the defendant to seek to have liability imposed on the insured for primarily statutory penalties. These cases thus seem more appropriate for coverage akin to no-fault auto accident coverage than traditional fault-based liability coverage.
The category of data that seems to have sparked most of the recent lawsuits is that of biometrics. As several previous blogs have explained, these types of lawsuits allege that the Illinois Biometric Information Privacy Act (“BIPA”)requires notice to all persons whose biometric information is collected for use in identifying individuals for access to certain locations or premises, or as “passwords.” Under BIPA, statutory damages are available to plaintiffs without the need to show actual harm. Hundreds of purported class action lawsuits have been filed that allege BIPA violations in the collection, possession, or disclosure of biometric information. And insurers seem determined to make sure that their existing policies are not interpreted to provide coverage for the claims asserted in those suits. For example, in Union Insurance Co. v. R.A. Kerley Ink Engineers, Case No. 1:2019cv8304 (N.D. Ill. Dec. 19, 2019), the carrier filed a Declaratory Judgment action to establish that a BIPA case was not covered under the carrier’s traditional property, casualty, and employer liability policies. The underlying case alleged that Kerley, an ink manufacturer, required workers to provide biometric information and to allow that information to be used to track worker productivity, all allegedly without the mandatory notice and consent required under BIPA. The underlying case also alleged that the data was transferred to third parties for analysis, again without notice, permission to transfer, or a deletion plan, all in alleged violation of BIPA.
The Kerley lawsuit brought by the insurer to avoid coverage claims that there is no coverage under the following provisions in Kerley’s CGL policy: there are no allegations of bodily injury or personal or advertising injury, which are prerequisites for coverage; and coverage is barred by exclusions for violation of a statute; disclosure of personal information; or employment-related practices. The latter exclusion may not apply if the insured also bought employment practices coverage, but it seems that the carriers want to make sure that the traditional troika of policies, CGL, property, and employment practices, are not found to cover the onslaught of lawsuits relating to cyber incidents and alleging improper disclosure of private or confidential information. Although it would seem that a lawsuit over the handling of biometric information seeks property damage without any real disclosure of personal information and should be covered under a traditional CGL policy, there are many standard exclusions, including the ones discussed above, on which insurers seek to rely to avoid coverage. The Kerley coverage case is in its infancy and should be followed carefully to see whether the court ultimately finds coverage under these traditional policies.
Another recent case seems to indicate that traditional policies might at least be a reasonable bargaining chip to resolve coverage issues relating to underlying privacy or BIPA lawsuits. In Horn v. Liberty Insurance Underwriters, Inc., Case No. 19-12525 (11th Cir. July 3, 2019), pending in the Court of Appeals for the 11th Circuit, the plaintiffs’ lawyers in the underlying purported class action alleged violations of the TCPA based on allegedly improper calls and texts settled with the defendant for an assignment of the defendant’s claims against Liberty under its traditional CGL policies. The lawyers then sought to enforce a stipulated judgment of over $60m against Liberty. It seems obvious that the class-action defendant did not have $60m, so that the plaintiffs’ lawyers elected to take their chances in trying to enforce a claim against the insurance carrier rather than insisting on proceeding to trial against the class-action defendant. Liberty successfully resisted the claim in the district court using the CGL policy’s privacy exclusion; that ruling is the subject of the pending appeal. If the appeal succeeds, it will be interesting to see if the district court will eventually enforce an assignment of insurance claims as a settlement to an underlying lawsuit asserting breach of privacy claims. These types of settlements are often used in auto cases where the carrier refuses to defend the insured. Even if the carriers will not honor the traditional policies to cover cyber claims, the pressure of claims under an assignment of the policy might change their minds.
Regardless, the better course of action would be to purchase a tailored cyber policy that covers all negligently caused cyber problems, including misuse of biometrics, and that does not have a violation-of-statute exclusion. There is not yet extensive case law on claims under such policies, but they will hopefully not contain the same types of exclusions on which insurers rely to avoid coverage under traditional policies—and, before purchasing such policies, insureds should make sure that they do not.
 Another recent similar case under these types of policies, Church Mutual Insurance Co. v. Triad Senior Living, Inc., Case no. 1:2019cv07599 (N.D. Ill. Nov. 18, 2019), recently settled, indicating that carriers may well pay at least part of these claims under traditional policies. There also have been a few recent recoveries for phishing cases, but these recoveries occurred under fidelity and crime policies, not CGL or property policies.