Fueled by statutory damages that can amount to millions of dollars, companies are increasingly finding themselves the subject of class-action lawsuits for alleged invasions of privacy, including violations of federal and state statutes, as well as claims of negligence and of common law invasion of privacy. Faced with the potential of incurring substantial defense costs in addition to any ultimate liability, policyholders should first look towards their errors and omissions (E&O) and/or technology/media liability insurance policies to provide coverage for liability including any defense costs arising out of an invasion of privacy claim.
These policies often contain specific coverage grants for alleged violations of privacy laws. A policyholder’s directors and officers (D&O) policies or employment practices liability (if the claim is made by an employee) policies may also provide coverage. In the absence of specific coverage, policyholders can also look to the advertising coverage grant of their commercial general liability (CGL) policies to provide for payment of defense costs and/or potential liability arising out of a settlement or judgment of a claim.
A typical CGL policy’s advertising coverage grant provides that the insurer “will pay those sums that the insured becomes legally obligated to pay as damages because of ‘personal and advertising injury’ to which this insurance applies.” “Personal and advertising injury” will typically be defined as “injury, including consequential ‘bodily injury,’ arising out of one or more of the following offenses: . . . Oral or written publication, in any manner, of material that violates a person’s right of privacy.” Absent an applicable exclusion, when a complaint implicitly or explicitly alleges, could be construed to allege, or could be amended to allege, a violation of the right of privacy, an insurance company has a duty to defend under a CGL policy.
No matter what type of policy your company has, if your company tenders a privacy-based claim to its insurer, there are several issues that your company will likely encounter.
A common question relating to advertising injury coverage under CGL policies is to what extent the alleged unauthorized recording of a phone call or the alleged dissemination of private information is an “oral or written publication of material.” Since the term “publication” is typically not defined in CGL policies, insurers will often argue that in order to constitute an advertising injury under a CGL policy, the recordings or private information must have been disclosed to a third party, i.e. someone outside the company.
However, this argument has been squarely rejected by a number of courts. A California federal district court held that an insurance carrier has a duty to defend its insured under a CGL policy against an underlying class action in which the insured was alleged to have violated the California Confidentiality of Medical Information Act. Lenscrafters Inc. v. Liberty Mutual Fire Insurance Co. (N.D. Cal. Jan. 20, 2005). The court held that the insuring clause “publication of material that violates a person’s right to privacy” does not require widespread disclosure, because the “right to privacy” is not limited to common law invasion of privacy by public disclosure of private facts, but encompasses, for example, violations of the California constitutional right of privacy.
The court in Motorists Mutual Insurance Co. v. Dandy-Jim Inc. adopted a similar approach when it rejected an insurance company’s argument that the term “publication” in a policy’s “advertising injury” coverage required disclosure to a third party. 182 Ohio App. 3d 311, 320-21 (Ohio Ct. App. 2009). The court recognized that “there is nothing in the [applicable] policy that suggests that ‘publication’ means communicating the offending material to a third party.”
Insurers may try to avoid coverage for advertising injury by arguing that the statutory minimums available to an injured party under various federal and state privacy statutes are excluded “fines or penalties.” This argument has failed in California, where in 2012 a California Superior Court, in Visa Inc. v. Certain Underwriters at Lloyd’s, London, held that the statutory minimums available under California law constituted covered damages under the policy language.
In Visa, the policy defined damages to exclude fines, sanctions, or penalties. The policyholder successfully argued that the state privacy statutes at issue, including California Penal Code § 637.2(a), did not characterize the statutorily mandated minimum damages of $5,000 as a fine, sanction, or penalty to be imposed on one who violates the statute by the state or any governmental authority. The court found that because the statutory minimums at issue in Visa had both a remedial function as damages as well as a punitive aspect, that they did not fall solely and exclusively under the exclusion, and constituted covered damages under the policy.
Because allegations that a company violated a person’s right to privacy often involve alleged intentional conduct, insurers may also try to assert an intentional act exclusion to preclude coverage. The “Knowing Violation of Rights of Another” exclusion is a good example of such an exclusion, which purports to exclude advertising injury caused by or at the direction of the insured with the knowledge that the act would violate the rights of another and would inflict advertising injury.
Despite this language, policyholders should not automatically conclude that there is no coverage. As the duty to defend is typically determined by comparing the allegations in the complaint with the terms of the policy, if the complaint contains any allegations that, if true, would result in potentially covered damages under the policy, then the insurer must defend the lawsuit.
Policyholders should also be aware of another exclusion, the “Distribution of Material in Violation of Statutes” exclusion, present in many CGL policies, which purports to eliminate coverage for injury arising directly or indirectly from actual or alleged violations of the Telephone Consumer Protection Act, Controlling the Assault of Non-Solicited Pornography and Marketing Act and other statutes, ordinances, or laws that prohibit the sending, transmitting, communicating, or distribution of material or information. To the extent policyholders face common law claims of negligence and/or invasion of privacy claims in addition to statutory claims, under the law of most jurisdictions, policyholders are entitled to coverage of defense costs for all of the claims asserted against the company until such time as the covered claims are dismissed or, at a minimum, until there is a clear basis for allocation of defense costs among covered and non-covered claims.
When faced with defending a privacy-based class-action lawsuit, understanding coverage under your company’s various liability policies and the most common defenses raised by insurers will allow the well-prepared policyholder to access valuable coverage for these types of claims. Policyholders should look carefully for specifically crafted exclusions for TCPA and other privacy statute violations and aggressively seek coverage for what has become a rising tide of privacy-based class-action lawsuits.
In addition, if your company engages with consumers, handles consumer information, or otherwise participates in business activities that could potentially trigger a privacy violation, you should be aware of specific exclusions for privacy statute violations and the issues discussed above when purchasing liability policies and constructing your company’s insurance coverage program. It is important to try to negotiate coverage for these types of claims at the outset to avoid potentially large liabilities down the road. •