NY: No Coverage For Negligent Handling of Electronic Data

edi-spotlight-banner

NEW YORK, Feb. 18 – A New York  intermediate appellate court ruled on Feb. 18 that claims against an insured for the alleged negligent handling of the electronic data of customers were  not covered.

In RVST Holdings v. Main Street America Assurance Co., the  liability policy in question provided for defense and indemnity to RVST for liability arising out of direct physical loss to tangible property.  The policy, however, excluded losses relating to electronic data.  The intermediate appellate court, giving the language in question its plain meaning, ruled that the insurer did not have a duty to defend or indemnify  RVST from claims relating to RVST’s alleged negligent handling of electronic data.

RVST Holdings, Inc. v. Main Street America Assurance Co.,(N.Y. App. 3rd Dept., Feb. 18, 2016)

Cyber Insurance: Judge Holds Insurer’s “Privacy Pledge” Could Be Part of Policy In Data Breach Class Action

cyber-liability

CHICAGO, Feb. 23 – A Federal Judge in Illinois has allowed a proposed data breach  class action case against an insurer to proceed, ruling the insurer’s “Privacy Pledge” could be a part of the insuring agreement.

Dolmage and other employees of Dillard’s Stores purchased coverage from Combined Insurance through her employer between 2011 and 2012.  During the course of the application process, Dolmage and other employees were required to provide personal information to Combined.  During the process Combined furnished applicant’s with a “Privacy Pledge,” which indicated that personal information obtained in the application process, such as social security numbers, would be safeguarded and protected.   The Pledge further stated that Combined would provide information to affiliated companies to assist with the insurance placement process.

Combined engaged Enrolltek to assist with processing and placement of the coverage, and provided Enrollteck with a database of applicants’ information, which Enrolltek copied to an unsecure external hard drive and later maintained on an unsecured website.  Dolmage and other employees discovered through Google searches that their personal information from this process was readily available online at the unsecure website operated by Enrolltek.

Dolmage and other class action plaintiffs filed a ten – count complaint in federal court alleging, among other things, breach of contract and breach of fiduciary duty.  Following a Rule 12(b)(6) motion filed by Combined, the class action plaintiffs filed an amended complaint alleging only a breach of contract claim, and Combined filed a motion to dismiss, alleging that the complaint failed to state a plausible cause of action against it relating to the “Privacy Pledge” serving as the basis for a breach claim.

Judge Ruben Castillo denied Combined’s dismissal motion, and ruled that the Privacy Pledge, as the Plaintiffs alleged, was part of the insuring agreement between Combined and the Dillard’s employees, despite an integration clause in the policy, presumably preventing the policy from being supplemented.  Castillo ruled that at other parts of the policy,  Combined did incorporate by reference other extraneous documents, such as applications, riders, and endorsements.   The Court also relied on case law and Black’s Law Dictionary to point out that the terms “rider” and “endorsement” were broad, covering many possible amendments to the insuring agreement.

The Court, accepting all of the averments of the amended complaint as true, and giving the Plaintiffs the benefit of all reasonable inferences,  also dismissed Combined’s arguments that the amended complaint 1.) failed to allege that the Plaintiff’s relied on the pledge,  2.) failed to allege the Privacy Policy was part of the insuring agreement because it was provided to Plaintiffs after coverage was placed, 3.) failed to allege the Privacy Policy was supported by adequate consideration; and 4.) failed to allege how Combined breached the policy.  As to the latter claim, Judge Castillo observed that it was reasonable to infer that Combined’s failure to require Enrolltek to adhere to Combined’s data security policies and procedures could constitute a breach of the Privacy Policy.

Dolmage v. Combined Insurance Co. of America (N.D. Ill, February 23, 2016)

Cyber Liability Insurance Bad Faith Suit Trimmed In Utah

A U.S. District Court Judge in Utah has granted partial summary judgment in favor of Travelers Insurance in a bad faith suit involving a Cyber Liability insurance policy.  U.S. District Judge Ted Stewart of Utah has dismissed portions of a bad faith suit against Travelers, ruling that it has no duty to defend or indemnify its insured, Federal Recovery, in an underlying data breach lawsuit.  The Court found that Travelers’ coverage position was “fairly debatable,” and therefore that the position it took cannot, as a matter  of law, be found to have been taken in bad faith.

The Court denied Traveler’s motion to dismiss that portion of the suit against it relating to Traveler’s intake and handling of the claim, however.  The insured claims that Travelers breached its duty of good faith and fair dealing in allegedly misleading its insured to delay the filing of the claim until it received formal suit papers.   The Court also found there were factual issues relating to whether Travelers  diligently investigated, evaluated, and communicated about the claim to its insured, and denied Travelers’ summary judgment motion as to those claims also.

The Takeaway:   This decision is a textbook example of a jurisdiction in which having a reasonable position to deny coverage to an insured is not the end of the bad faith analysis.  Claims handling (the means), separate and apart from the claims decision (the end), is subject to bad faith scrutiny under this jurisdiction’s bad faith law.  Best claims practices, therefore, should facilitate proper claims decisions being made in conjunction with proper claims handling, from initial intake to final coverage decision.

Travelers v. Fed. Recovery Services (D. Utah 2016)

%d bloggers like this: