The protection of consumer privacy interests is at the forefront of public awareness and state and federal regulation, increasing companies' potential exposure to claims of alleged breaches of privacy statutes. With the ever-evolving risk that advances in technology will lead to interferences with consumer privacy interests, governmental entities seem poised not only to enact more laws and regulations to protect consumer privacy, but also to encourage strict enforcement of the laws already in existence. For example, on Sept. 23, 2013, modifications to the Health Insurance Portability and Accountability Act will become effective that expand the protections afforded to private patient information and increase liabilities associated with claimed breaches. Additionally, statutes such as the Song-Beverly Act in California and cases interpreting them have led to upticks in class action litigation by consumers claiming improprieties by retailers with respect to the collection and use of customer ZIP code information. And a number of state attorneys general are increasing regulation to address these privacy concerns.

While not all privacy statutes permit a private right of action, many do and often impose a specific damage amount per violation, which, under certain statutes, can be trebled in some circumstances. As a result, if the conduct in question involved thousands, if not hundreds of thousands, of claimed violations, the potential statutory exposure can be significant. In that circumstance, insurance can be a critical resource to help a company respond to claims against it and the risk of substantial “per violation” liability.

Regardless, insurers often will seek to avoid exposure by claiming that the policyholder’s liability does not involve covered “damages.” A popular insurer argument is that the alleged privacy statute violation involves an uncovered statutory “fine” or “penalty.” Policyholders should reject such insurer arguments, even where the statute at issue expressly refers to the amount to be paid as a fine or penalty. In fact, the insurer argument is too simplistic. The question is not the words used in the statute to describe what the policyholder must pay but instead the nature of the liability.

Privacy (and other) statutes often will include a fixed amount that must be paid per violation. Insurers will argue that this fact means the statute is imposing a fine or penalty. However, in many instances it is difficult to assign a specific monetary value to the harm resulting from a claimed violation. The statute thus creates a form of liquidated damages to facilitate statutory enforcement. Liquidated damages are just that: “damages,” which traditionally are covered by insurance. If the statutory amount is compensatory, rather than penal in nature, then companies should argue for coverage for these compensatory damages.

Recent court decisions have adopted this approach and should be cited by policyholders to counter coverage denials. For example, in May 2013, the Illinois Supreme Court in Standard Mutual Insurance Co. v. Lay rejected an insurer argument that the statutory damages set forth in the Telephone Consumer Protection Act were punitive and uninsurable under public policy. In finding the statutory damages remedial in nature, the court stated the TCPA is “clearly within the class of remedial statutes which are designed to grant remedies for the protection of rights, introduce regulation conducive to the public good, or cure public evils.” The court noted that Congress identified certain harms caused by a breach of the TCPA (“loss of paper and ink, annoyance and inconvenience”) and made them compensable by a liquidated sum per violation. The court further found that these liquidated damages were intended by Congress to be “an incentive for private parties to enforce the statute.” The court therefore concluded in favor of coverage based upon its statement that regardless of whether the statutory damages were viewed as a sum for actual harm or an incentive for aggrieved parties to enforce the statute, or both, the “fixed amount clearly serves more than purely punitive or deterrent goals.”

In August, the Supreme Court of Missouri in Columbia Casualty Co. v. HIAR Holdings, L.L.C. reached a similar conclusion, finding that fixed TCPA damages encompassed compensable harms and, therefore, were covered “damages.” 

Considering this recent case law, and the compensatory nature of the financial exposure created by many privacy statutes, policyholders should actively pursue coverage for any potential award of statutory damages for violation of a consumer privacy law. In addition, they should be aware of this issue when purchasing privacy coverage. Some privacy policy forms include express exclusions for statutory fines, penalties or damages. Such exclusions are overly broad, given that courts are increasingly finding in favor of coverage when the amount owed under the privacy statute reflects a liquidated damage for a breach that is otherwise difficult to quantify. Thus, policyholders should seek to negotiate to narrow the language of the exclusion to comport with these recent decisions.