Two recent cases and NetDiligence’s 2015 Cyber Claims Study suggest that every organization that collects personally identifiable information from consumers should consider buying cyber insurance.
Consumer businesses, non-profits, and government-run utilities often collect consumer personally identifiable information, such as full names, dates of birth, social security numbers, account user names and passwords, etc., in the course of their operations. Many states regulate how such personally identifiable information can be collected, recorded, stored, used, and disposed of. If your organization does business across state lines, you have the added burden of keeping track of whether the way you collect and handle a consumer's information complies with the laws of the state where that consumer resides.
Some organizations believe their standard commercial general liability (CGL) insurance policy will defend and indemnify them if they are accused of violating such laws, but two recent cases suggest otherwise.
In Defender Security Company v. First Mercury Insurance Company, an Indiana company recorded consumer telephone calls in which its customers provided personal information, including their full name, address, date of birth, and social security number. A California customer filed a class action lawsuit against the company alleging that it violated California law, which prohibits confidential telephone communications from being recorded without the consent of all parties. The company asserted that the lawsuit should be covered under its commercial general liability policy as a "personal injury" arising from the publication of private information. The Seventh Circuit Court of Appeals, however, sided with the insurer, holding that there was no coverage because there was no evidence that the recorded information had been accessed by or disclosed to anyone. Without a publication of the private information, there was no covered claim. The end result is that the company now finds itself uninsured for what may be an expensive claim to defend.
In American Economy Insurance Company v. Aspen Way Enterprises, Inc., Aspen Way lost a coverage dispute over two separate lawsuits filed against it. Aspen Way operates a rent-to-own and leasing business. It had installed software called PC Rental Agent on computers sold or rented to customers. A class action lawsuit in Pennsylvania resulted from the discovery that Aspen Way activated the software after customers became delinquent on payments. The software allowed Aspen Way to take pictures of its customers with the computer's webcam in order to show that the customers were using the computers. The software also allowed Aspen Way to capture keystrokes and take screen shots, and then email the data. The class action lawsuit claimed that Aspen Way received and accessed private and confidential data, including private emails, keystroke logs containing usernames and passwords, bank and credit card statements, social security numbers, and webcam photos of individuals in various states of undress. The main claim involved violations of the federal Electronic Communications Privacy Act, 18 U.S.C. § 2511.
Aspen Way’s second lawsuit was brought against it by the State of Washington. The State of Washington alleged that Aspen Way’s use of the PC Rental Agent software violated various state laws, including Washington’s Consumer Protection Act and Computer Spyware Act.
Aspen Way was insured with several companies under standard commercial general liability and umbrella policies. In short, the district court in the coverage dispute held that there was no coverage because of an exclusion in the policies for the recording or distribution of material or information in violation of law. Because both lawsuits alleged that Aspen Way had recorded and distributed its customers' information in violation of law, the exclusion applied and there was no insurance coverage.
Cyber insurance might have provided coverage for both companies. NetDiligence's recent 2015 Cyber Claims Study addressed claims for the wrongful collection of data. NetDiligence reported that the most surprising finding of its 2015 study was that the largest legal and regulatory costs from cyber claims came from mid-revenue organizations (between $2 billion and $10 billion in sales) accused of wrongful data collection. The total costs of those claims, including the self-insured retention, had a median of $2,437,028, a mean of $3,182,715, and a maximum of $6,700,142.
The takeaway from these cases is that you cannot count on traditional commercial general liability policies to protect your business from class action lawsuits and regulatory actions if you collect consumer personally identifiable information in violation of state or federal law. The takeaway from the NetDiligence 2015 Cyber Claims Study is that these claims can cost your organization several million dollars to defend and settle, but they may be covered under cyber insurance policies.
The author, Bill Wagner, JD, CPCU, CIPP/US, CIPP/G, is a member of the Sedona Conference Working Groups on Data Security and Privacy Liability, and Electronic Document Retention and Production. He also serves as a Steering Committee Member to DRI’s Government Enforcement and Corporate Compliance Committee.