The past several years have seen data breaches and cybersecurity incidents become more common and sophisticated, and significantly more costly—a trend likely to continue. Notwithstanding the severe risks these incidents pose to businesses, not all companies have purchased cyber liability or similar specialized insurance, turning instead—albeit with mixed success—to their general liability insurance policies and other traditional insurance policies when a data breach or other cyber liability event occurs. While insurance carriers increasingly have incorporated into those policies exclusions explicitly designed to bar coverage for certain cyber risks (a trend equally likely to continue), all hope is not lost, at least not yet. Indeed, although policyholders should purchase cyber risk insurance regardless of the nature of their business, policyholders facing data privacy claims should avoid the potentially costly mistake of assuming that coverage does not exist under a non-cyber risk policy.
The Illinois Supreme Court’s recent decision in West Bend Mutual Insurance Co. v. Krishna Schaumburg Tan, Inc., No. 125978, 2021 WL 2005464 (Ill. May 20, 2021), illustrates well the potential benefits of exploring all avenues of available coverage in the event of a cyber liability or data privacy incident. The underlying plaintiff there filed a class-action lawsuit (Underlying Action) against a tanning salon, alleging it (1) violated provisions of Illinois’ Biometric Information Privacy Act (Act) relating to the collection of biometric identifiers and biometric information when, as a condition of salon membership, it allegedly scanned customers’ fingerprints without securing a written release as required by the Act, and (2) violated the Act’s provisions relating to the disclosure of biometric identifiers and information when it allegedly disclosed biometric information containing the underlying plaintiff’s fingerprints to a single out-of-state vendor. Id. at *1.
The salon tendered the Underlying Action to its insurance carrier, from which it had purchased two business owners’ liability insurance policies (“Policies”). Id. at *1–2. The insurer agreed to defend the salon subject to a reservation of rights, maintaining that it possessed no duty, under the Policies, to defend against the Underlying Action. Id. at *3. The insurer thereafter filed a lawsuit against the salon seeking a declaration that it need not defend the Underlying Action. Id. at *1. The parties cross-moved for summary judgment on the duty to defend issue, and the trial court ruled in the salon’s favor. Id. An Illinois appellate court affirmed, the insurer subsequently appealed to the Illinois Supreme Court, and the Supreme Court affirmed. Id.
The Policies obligated the insurer to “pay those sums that the [salon] becomes legally obligated to pay as damages because of . . . ‘personal injury’ or ‘advertising injury’ to which this insurance applies,” and required it to “defend the [salon] against any ‘suit’ seeking those damages.” Id. at *2. Like most standard form commercial general liability policies, the Policies defined “personal injury” and “advertising injury” to encompass certain injury “arising out of one or more” enumerated offenses, including “oral or written publication of material that violates a person’s right of privacy.” Id. The Policies specified that any enumerated offense causing “advertising injury” must occur “in the course of advertising [the salon’s] goods, products or services,” and that any “personal injury” must “aris[e] out of [the salon’s] business, excluding advertising, publishing, broadcasting or telecasting done by or for” the salon. Id.
The court determined the Underlying Action alleged a potential “personal injury” within the purview of the Policies because the underlying plaintiff alleged she suffered “emotional upset, mental anguish, and mental injury” when the policyholder “disclosed her biometric identifiers, fingerprints, and biometric information . . . in violation of her right to privacy under the Act.” Id. at *5.
The court rejected the insurer’s contention that the Underlying Action’s allegations fell outside the Policies’ “personal injury” and “advertising injury” coverages because they involved no “publication of material that violates a person’s right of privacy.” Id. at *3. The insurer asserted the Underlying Action complaint did not allege a “publication,” because “publication” means “communication to the public at large,” not “disclosure to a single party,” and the policyholder-salon allegedly shared customers’ biometric identifiers and other biometric information with only a single third-party vendor. Id. at *3–4. In reaching its decision, the court examined various dictionaries, legal treatises, and the Restatement of the Law of Torts to discern the “plain, ordinary, and popular meaning” of “publication.” Id. at *6–7. The court’s examination confirmed the term enjoys “at least two definitions and means both the communication of information to a single party and the communication of information to the public at large.” See id. at *7 (emphasis added). The court held the term’s dual definition rendered it ambiguous, and, under settled Illinois insurance law principles, the court resolved the ambiguity in the policyholder’s favor. Id. Significantly, if the Policies had defined “publication,” the definition likely would have guided the court’s decision.
The court likewise ruled that the Underlying Action alleged the policyholder had violated the underlying plaintiff’s “right to privacy” within the purview of the Policies. Id. at *8. Although the Policies left the phrase “right to privacy” undefined, the court explained such right generally “includes two primary privacy interests: seclusion and secrecy.” Id. at *7 (citation omitted). Recognizing that courts define the “right to secrecy” as “the right to keep certain information confidential,” and the “right to seclusion” as “the right to be left alone and protect[ed] . . . from another’s prying into [one’s] physical boundaries or affairs,” the court turned to the Underlying Action’s specific allegations to discern whether, in fact, they alleged a right to privacy violation. Id. (internal and external citations omitted). It determined they did. Id. at *8.
Noting that the Underlying Action complaint alleged the policyholder had violated the Act by disclosing the underlying plaintiff’s biometric identifiers and information to a third party, the court observed that the Act “codifies (1) an individual’s right to privacy in their biometric identifiers—fingerprints, retina or iris scans, voiceprints, or scans of hand or face geometry—and (2) an individual’s right to privacy in their biometric information—information based on an individual’s biometric identifiers that is then used to identify an individual.” Id. (citations omitted). Accordingly, because the policyholder allegedly disclosed such information without the underlying plaintiff’s consent, the court held the Underlying Action alleged a potential right to privacy violation within the purview of the Policies. Id. (citation omitted).
The court, finally, rejected the insurer’s contention that the Underlying Action’s allegations fell within an exclusion purportedly barring coverage for “personal injury” and “advertising injury” claims “arising directly or indirectly out of any action or omission that violates or is alleged to violate” the Telephone Consumer Protection Act (“TCPA”), the CAN-SPAM Act of 2003, or “[a]ny statute, ordinance or regulation, other than the TCPA or CAN-SPAM Act of 2003, that prohibits or limits the sending, transmitting, communicating or distribution of material or information.” Id. at *2–3, *9–10. The insurer asserted the exclusion barred coverage for the policyholder’s alleged Act violations because “it applies to statutes that ‘prohibit the communicating of information[,]’ and the Act limits the communication of information.” Id. at *9. The court disagreed, holding the exclusion did not apply to alleged violations of the Act. Id. at *10. The court reasoned that (1) the Act, unlike the TCPA and CAN-SPAM Act, “does not regulate methods of communication but regulates the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information,” and (2) the exclusion’s “other than” language encompasses only “other statutes of the same general kind that regulate methods of communication like the TCPA and the CAN-SPAM Act.” Id. at *9. The exclusion, in other words, applied “only to statutes like the TCPA and the CAN-SPAM Act, which regulate methods of communication like telephone calls, faxes, and e-mails.” Id. at *10. Because the exclusion did not apply, the court held the insurer was obligated to defend the policyholder against the Underlying Action. Id.
Significantly, the court reached its decision without even considering whether coverage existed under the Policies’ endorsement, “adding coverage for costs from a data compromise of the insured.” Id. at *3–4, *10. The court explained that although the policyholder had asserted, in its Supreme Court briefing, that coverage exists “for a violation of the Act under the [Policies’] Illinois data compromise coverage endorsement,” the appellate court below did not consider the argument. Id. at *3–4. The court, in any event, held that because the Policies’ “personal injury” or “advertising injury” coverage sections required the insurer to defend the policyholder, there existed “no need to determine whether the data compromise endorsement applies.” Id. at *10.
While every coverage case ultimately turns on its own facts, policy language, and governing law, West Bend represents an example of a recent decision holding coverage exists under a traditional general liability insurance policy for a claim arising from a data privacy incident. The decision, of course, does not alter the facts that (1) the law remains mixed as to whether data privacy claims trigger personal and advertising injury coverage under traditional general liability policies, (2) traditional general liability insurance policies continue incorporating exclusions limiting coverage for data privacy and cyber liability risks, (3) policyholders should carefully examine their policies for any coverage exclusion(s) or limitation(s) for data privacy or cyber liability claims, and (4) policyholders should add cyber risk coverage to their insurance portfolios. The opinion nevertheless confirms that companies facing losses or claims arising from such risks should locate and analyze all potentially applicable insurance policies for coverage, avoid assuming that no coverage exists under traditional liability insurance policies, and, to the extent appropriate, cast a wide coverage net to maximize potential insurance recoveries. Employing such strategies might mean the difference between securing coverage for a claim or having to shoulder alone the attendant financial burden inherent in litigating such claims.