
 

Vol. 10 - Issue 4
June 17, 2021

 

Encore: Randy Spencer’s Open Mic

ISO’s Data Breach Exclusion Does Not Apply To Your Cappuccino Order

 

 

 

This “Open Mic” Column originally appeared in the July 10, 2019 issue of Coverage Opinions.

 

There has been lots of litigation over the potential availability of coverage, for invasion of privacy, under a commercial general liability policy.  This is no surprise, as “personal and advertising injury” is almost always defined to include “injury, including consequential ‘bodily injury’, arising out of one or more of the following offenses: . . . [o]ral or written publication, in any manner, of material that violates a person’s right of privacy.”

Of recent vintage has been litigation specifically over the availability of CGL coverage, for invasion of privacy, on account of an insured’s data breach.  In other words, an insured’s computer system is hacked, or, for some other reason, customers’ personal information is no longer within the insured’s control and is revealed to the public at large or a hacker.    

ISO does not intend for injury and damage from data breaches to be covered under its standard CGL policy.  A few years back the policy language gang added an endorsement that precludes, in part, “‘personal and advertising injury’ arising out of any access to or disclosure of any person’s or organization’s confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information.”    

The scope of this exclusion was recently put to the test in Iheartcoffee, LLC v. Pacific Salmon Property & Casualty Co., No. 18-347 (Ore. Cir. Ct. (Marion Cty.) May 3, 2019).
 
The coverage case arose out of the following facts.  Iheartcoffee, in Salem, Oregon, installed ordering kiosks.  Hadley Anderson used a kiosk to place an order, selecting a variety of options for her beverage.  She was prompted to enter her first name so that the barista could call out her order when ready for pick-up.  In addition, she was given the option to enter her email address and birthday (month and day only).  If so, just before her birthday, Iheartcoffee promised to send her a coupon for a free coffee.  Hadley provided this information.

In December 2017 hackers breached Iheartcoffee’s computer network.  As a result, information about its customers was available on the internet.  This included their first name and related coffee order.  But, for those who opted to get a free birthday coffee, the hacked data included their email address and birthday.      

Jeff Boyd, a frequent patron of Iheartcoffee, had his curiosity piqued by the breach and found the customer data on the internet.  In scrolling through it he saw the name Hadley.  He only knew one person named Hadley – a woman who worked out quite seriously at his gym and who Boyd always noticed, to his dismay, did not clean off the equipment after she used it.  Wondering if it could be her, given the unusual name, Boyd looked closer.  Indeed it was.  This Boyd knew as Hadley’s email address was included in the leaked information and it contained the domain of her employer.  Boyd knew Hadley’s employer as she had mentioned it to him once, during a chat, while he waited, endlessly, for her to fill up a 64-ounce bottle of water at the fountain.

Boyd saw that Hadley frequently ordered a Venti Half-Soy Nonfat Decaf Organic Chocolate Brownie Iced Vanilla Double-Shot Gingerbread Cappuccino Extra Hot With Foam Whipped.  And one Nutrasweet.

Boyd was amused by Hadley’s highly unusual coffee drink.  He knew that others at the gym would be too.  He shared the information with other members.  And they sure were.  Within days Hadley had been dubbed “The Queen Bean.”  It didn’t take long for Hadley to learn that she was being called this name.  After two weeks, Hadley began to believe that her workouts were less effective, as she was preoccupied by the idea of gym members calling her “The Queen Bean.”

Hadley filed suit against Iheartcoffee in Oregon Circuit Court in Marion County, alleging that, on account of the data breach, Iheartcoffee had violated her right to privacy.  Hadley alleged that, as a result of being called “The Queen Bean,” she sustained emotional distress and, as a result of less effective workouts, the loss of muscle tone in her triceps.

Iheartcoffee sought coverage for the suit from its general liability insurer, Pacific Salmon Property & Casualty Co.  Pacific Salmon disclaimed coverage for a defense and any liability on the basis of the data breach exclusion contained in its policy.  While Pacific Salmon acknowledged that there had been oral or written publication, in any manner, of material that violated Hadley’s right of privacy, any “personal and advertising injury” was, the insurer maintained, “arising out of any access to or disclosure of any person’s or organization’s confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information.”  [Iheartcoffee did not dispute that loss of muscle tone was not “bodily injury.”]      

Iheartcoffee undertook its own defense and filed an action, seeking a declaratory judgment, that Pacific Salmon had an obligation to provide coverage to it for a defense and any liability in the Anderson action.

The court in Iheartcoffee, LLC v. Pacific Salmon Property & Casualty Co. agreed that coverage was owed: “We reject the insurer’s argument that a person’s coffee preference, even if it is as unique as a fingerprint -- Venti Half-Soy Nonfat Decaf Organic Chocolate Brownie Iced Vanilla Double-Shot Gingerbread Cappuccino Extra Hot With Foam Whipped.  And one Nutrasweet -- qualifies as their ‘confidential or personal information.’”  Id. at 5.  “It is clearly not of the same type of non-public information described in the exclusion.  The exclusion addresses information that has value to its owner, such as trade secrets, customer lists and financial information.  That cannot be said of one’s coffee preference.  Words are interpreted by the company they keep.  In addition, a person’s coffee order is not nonpublic information, even if they’d like it to be.”  Id. at 6.

The court explained that “[t]he flaw in Pacific Salmon’s argument is that, simply because a person has information that, personally, they’d prefer to keep private -- as clearly evidenced by the fact that its disclosure caused emotional injury -- does not make it per se confidential or personal, as that term is used in the exclusion.  Pacific Salmon mistakenly equates the two.  It should now be wide awake.”  Id. at 7.

 

That’s my time. I’m Randy Spencer. Contact Randy Spencer at Randy.Spencer@coverageopinions.info
 
 
Copyright Randy Maniloff All Rights Reserved