Home Page The Publication The Editor Contact Information Insurance Key issues Book Subscribe


Vol. 3, Iss. 6
April 1, 2014


Court Addresses “Publication” Of Personal Information – Possible Impact On The CGL-Data Breach Issue


As discussed in the previous article, the potential availability of coverage, under a commercial general liability policy, for the loss of a company’s customers’ personally identifiable information, on account of a data breach, is the “It” issue these days. With very little case law on point, any decision that may shed even some light, or provide just some guidance – even if its factual underpinning is not a data breach -- is worthy of attention. One type of case that falls into this category is where the court addresses the meaning of the term “publication.” This is so because policyholders argue that the loss of personally identifiable information qualifies for coverage, under the “personal and advertising injury” section of a CGL policy, because it is “oral or written publication, in any manner, of material that violates a person’s right of privacy.”

For this reason, the Indiana federal court’s decision in Defender Security Company v. First Mercury Ins. Co., No. 13-245 (S.D. Ind. Mar. 14, 2014) is worthy of a look-see. This is especially so because Defender Security isn’t just any case that involves the definition of “publication.” It involves whether there has been publication of a person’s personal information.

At issue in the case was the availability of coverage for Defender Security for allegedly violating a California Penal Code section which prohibits the recording of confidential communications made by telephone without the consent of all parties to the communication. Specifically, it was alleged that Kami Brown “called the toll free telephone number for Protect Your Home printed on an advertisement for a promotional offer for ADT Security Services disseminated by Defender. During the call with Defender, Ms. Brown ‘shared personal information,’ including her full name and zip code, but was neither informed that the call would be recorded nor did she give her consent for such a recording. . . . According to the Brown Complaint, Defender used ‘Call Recording Technology’ that enabled it ‘to record all of its telephonic telephone conversations with consumers, and allowed them to store these recordings for various business purposes.’”

At you would expect, Defender Security sought coverage under the “personal and advertising injury” section of its commercial general liability policy, on the basis that the allegations against it qualified as “oral or written publication of material that violates a person’s right of privacy.”

In support of its position that there had been a “publication,” Defender Security argued that the Indiana Supreme Court has recognized that publication can consist of communication to just one individual. Defender Security also argued that the fact that the underlying complaint “alleged that Defender stores the recordings ‘for various business purposes’ implies that a third party will be listening to the recordings and that they are thus being produced for distribution to at least one person.”

The court was not persuaded and held that the claim was excluded: “This is at best a strained interpretation. Even accepting Defender’s definitions of ‘publication,’ the allegations contained in the Brown Complaint clearly do not fall within its terms. As First Mercury argues, the allegation that Ms. Brown shared personal information with Defender during her call establishes at most only that she published information about herself, not that Defender published information about her. Assuming the truth of Ms. Brown’s allegation that Defender utilized ‘Call Recording Technology’ to store the recording of her telephone call likewise shows merely that Defender maintained a record of the call, not that it communicated the content of the recording to anyone. Similarly, the allegation that Defender’s employees and representatives were trained and directed to record conversations with consumers establishes only that recordings of telephone calls occurred, not that the recorded information was distributed, sold, or shared with any other individual or entity.” (emphasis in original).

After its motion was fully briefed, Defender filed a notice of supplemental authority, based on the Southern District of Ohio’s decision in Encore Receivable Management, Inc. v. ACE Property and Casualty Insurance Company. Encore Receivable involved “insurance coverage disputes relating to two underlying lawsuits about call centers allegedly recording telephone conversations without customer consent and whether or not the underlying lawsuits fell within the Personal and Advertising Injury coverage provisions of the policies at issue. The Encore Court held that the underlying lawsuits did fall within the coverage provisions of the insurance policies at issue even though there was no allegation that the recordings were disseminated to the public because it determined that ‘publication’ occurred ‘at the very moment that the conversation is disseminated or transmitted to the recording device.’”

The Defender Security court declined to follow Encore Receivable. First, the court noted that the decision is currently on appeal to the Sixth Circuit. Second, the Defender Security court stated that it was not bound by Encore, not to mention that it just didn’t agree with it.

I addressed Encore Receivable in Coverage Opinions (July 24, 2014). There I concluded as follows: “[I]t is possible for a data breach, especially in a hacking situation, to result in no dissemination of customers’ personal identification information. At most, the information is exposed, or could be exposed, to the hacker, but it never reaches the general public at large. But that does not mean that the company will not be sued out the ying-yang. It will likely be alleged that the customers need to be provided with credit monitoring services, so they can be on the look-out for unauthorized use of their information. No doubt the suit will allege the violation of a statute that allows for an award of attorneys’ fees. In such cases, insurers can be expected to argue that “personal and advertising injury” coverage is not available because there has been no publication, in any manner, of material that violates a person’s right of privacy. However, the court in Encore Receivable held that, when it comes to secret information – which is what would likely be at issue in a data breach situation -- it does not have to be widely disseminated to constitute publication. Thus, while Encore has nothing at all to do with cyber liability or coverage, the court’s holding will likely provide an opportunity for it to be used by a company that has been hacked and now needs to put its square peg of a claim into the round role of its commercial general liability policy.”

This same analysis, but with the opposite conclusion, may apply here with respect to Defender Security Company v. First Mercury. In a hacking situation, where, at most, the only dissemination of customers’ personal identification information was that it was exposed, or could be exposed, to the hacker, but not to the general public at large, Defender Security supports an argument that there has been no “publication.”

Either way, this much can be said with certainty. With very little case law addressing the potential availability of coverage, under a commercial general liability policy, for the loss of personally identifiable information, on account of a data breach, any decision that addresses the meaning of the term “publication,” regardless of its facts, is going to be scrutinized for guidance on the issue.
 
Website by Balderrama Design Copyright Randy Maniloff All Rights Reserved