Cyber Insurance: Judge Holds Insurer’s “Privacy Pledge” Could Be Part of Policy In Data Breach Class Action

cyber-liability

CHICAGO, Feb. 23 – A Federal Judge in Illinois has allowed a proposed data breach  class action case against an insurer to proceed, ruling the insurer’s “Privacy Pledge” could be a part of the insuring agreement.

Dolmage and other employees of Dillard’s Stores purchased coverage from Combined Insurance through her employer between 2011 and 2012.  During the course of the application process, Dolmage and other employees were required to provide personal information to Combined.  During the process Combined furnished applicant’s with a “Privacy Pledge,” which indicated that personal information obtained in the application process, such as social security numbers, would be safeguarded and protected.   The Pledge further stated that Combined would provide information to affiliated companies to assist with the insurance placement process.

Combined engaged Enrolltek to assist with processing and placement of the coverage, and provided Enrollteck with a database of applicants’ information, which Enrolltek copied to an unsecure external hard drive and later maintained on an unsecured website.  Dolmage and other employees discovered through Google searches that their personal information from this process was readily available online at the unsecure website operated by Enrolltek.

Dolmage and other class action plaintiffs filed a ten – count complaint in federal court alleging, among other things, breach of contract and breach of fiduciary duty.  Following a Rule 12(b)(6) motion filed by Combined, the class action plaintiffs filed an amended complaint alleging only a breach of contract claim, and Combined filed a motion to dismiss, alleging that the complaint failed to state a plausible cause of action against it relating to the “Privacy Pledge” serving as the basis for a breach claim.

Judge Ruben Castillo denied Combined’s dismissal motion, and ruled that the Privacy Pledge, as the Plaintiffs alleged, was part of the insuring agreement between Combined and the Dillard’s employees, despite an integration clause in the policy, presumably preventing the policy from being supplemented.  Castillo ruled that at other parts of the policy,  Combined did incorporate by reference other extraneous documents, such as applications, riders, and endorsements.   The Court also relied on case law and Black’s Law Dictionary to point out that the terms “rider” and “endorsement” were broad, covering many possible amendments to the insuring agreement.

The Court, accepting all of the averments of the amended complaint as true, and giving the Plaintiffs the benefit of all reasonable inferences,  also dismissed Combined’s arguments that the amended complaint 1.) failed to allege that the Plaintiff’s relied on the pledge,  2.) failed to allege the Privacy Policy was part of the insuring agreement because it was provided to Plaintiffs after coverage was placed, 3.) failed to allege the Privacy Policy was supported by adequate consideration; and 4.) failed to allege how Combined breached the policy.  As to the latter claim, Judge Castillo observed that it was reasonable to infer that Combined’s failure to require Enrolltek to adhere to Combined’s data security policies and procedures could constitute a breach of the Privacy Policy.

Dolmage v. Combined Insurance Co. of America (N.D. Ill, February 23, 2016)

Advertisements

Author: CJ Haddick

C.J. Haddick is a Director with the law firm of Dickie, McCamey, & Chilcote, PC, based in Pittsburgh, Pa. He has advised and represented insurers in insurance coverage and bad faith litigation for more than a quarter of a century, and written and spoken throughout the United States on insurance coverage and bad faith prevention and litigation. He is Managing Director of the firm's Harrisburg, Pa. office. Reach him at chaddick@dmclaw.com or 717-731-4800.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s