Below is an excerpt from §13.34 of COMMERCIAL AND PROFESSIONAL LIABILITY INSURANCE — 2019 EDITION.
Invasion of Privacy Coverage Questions
In certain instances, the advertising injury and personal injury coverage provisions may list enumerated offenses that overlap with one another. One such offense is the “oral or written publication of material that violates a person’s right of privacy.” The post-1998 ISO forms did away with this redundancy by combining the advertising injury and personal injury coverages into one personal and advertising injury coverage provision. Unlike some of the other personal and advertising injury offenses, this provision does not require that the written publication of material that violates the right of privacy be made in an advertisement.
An example of this “right of privacy” exposure is found in Preferred National Insurance Co. v. Docusearch, Inc., 149 N.H. 759, 829 A.2d 1068, 1071 (2003) (applying New Hampshire law), in which an insured Internet-based information broker argued that the “[o]ral or written publication of material that violates a person’s right to privacy” offense of its policy’s personal and advertising injury coverage encompassed the insured’s liability arising out of its sale of a woman’s social security number and place of employment to an individual who later fatally shot the woman as she left work.
The sharing of third-party personal information also served as the backdrop for the coverage dispute in Travelers Indemnity Company of America v. Portal Healthcare Solutions, L.L.C., 644 Fed.Appx. 245 (4th Cir. 2016) (Virginia law). There, the court concluded that, in allegedly making the claimants’ confidential medical information publicly accessible through an Internet search, the insured records company — potentially — electronically published material that gave “unreasonable publicity [to]” or “disclose[d] information about” a person’s private life, within the meaning of the insurer’s policy. 644 Fed.Appx. at 247. Consequently, the court concluded that the insurer’s duty to defend was triggered. See also Evanston Insurance Co. v. Gene by Gene, Ltd., 155 F.Supp.3d 706 (S.D.Tex. 2016) (finding that insured’s alleged posting of users’ confidential DNA information online triggered duty to defend under personal and advertising injury coverage for publication of material that violates person’s right of privacy).
Data breaches, in which third-party hackers gain access to Internet users’ confidential information, are also becoming more and more commonplace. Courts that have addressed such breaches have recognized that an insured’s alleged negligence in failing to protect against the wrongful appropriation of claimants’ confidential information by third-party hackers or other malicious users does not implicate personal and advertising injury coverage under the right of privacy offense. Instead, the insured itself must have disseminated confidential information to third parties. See, e.g., St. Paul Fire & Marine Insurance Co. v. Rosen Millennium, Inc., 337 F.Supp.3d 1176 (M.D.Fla. 2018) (finding insured hotel allegedly responsible for data breach of hotel guests’ personal information was not covered because data breach was perpetrated by third-party hackers), appeal filed, No. 18-14427 (11th Cir. Oct. 19, 2018); Innovak International v. Hanover Insurance Co., 280 F.Supp.3d 1340 (M.D.Fla. 2017) (concluding that there was no coverage because third-party hackers, not insured, caused data breach and policy’s personal and advertising injury coverage required insured to be publisher of private information); Zurich American Insurance Co. v. Sony Corporation of America, No. 651982/2011 (N.Y.Sup. Feb. 21, 2014) (data breach claim did not involve insured’s publication of material, for purposes of privacy offense, because breach was committed by third-party hackers).
In Netscape Communications Corp. v. Federal Insurance Co., No. C 06-00198 JW, 2007 WL 2972924 (N.D.Cal. Oct. 10, 2007), rev’d, 343 Fed.Appx. 271 (9th Cir. 2009), America Online, Incorporated (AOL) and its subsidiary Netscape Communications Corporation (Netscape) brought suit against their insurers seeking a determination that the insurers were obligated to defend them in four civil actions alleging claims that AOL and Netscape had intercepted private electronic communications through Netscape’s SmartDownload software program. The disputed program contained a feature that provided Netscape with information concerning users’ Internet activities — information Netscape used to create user profiles.
AOL and Netscape sought a defense in the lawsuits under their personal injury coverage, asserting that the underlying lawsuits involved the “[m]aking known to any person or organization written or spoken material that violates a person’s right to privacy” offense. 2007 WL 2972924 at *5.
The district court, applying California law, concluded that the underlying lawsuit potentially invoked the personal injury coverage. In this regard, the court reasoned that when Netscape received user information gathered from the SmartDownload program, Netscape “ma[de] it known” to AOL by transmitting it to AOL. 2007 WL 2972924 at *6. Nevertheless, the court concluded that no duty to defend was owed AOL and Netscape. In making that determination, the court observed that the policy excluded personal injury coverage for all “Online Activities,” a term the policy defined as “providing e-mail services, instant messaging services, 3rd party advertising, supplying 3rd party content and providing internet access to 3rd parties.” 2007 WL 2972924 at **2 – 3. The court concluded that the plain meaning of the term “online activities” included those products and services that provided for, allowed for, and facilitated access to the Internet and its content. 2007 WL 2972924 at *7. The court reasoned that by providing software that facilitated the ability of users to make use of the Internet, AOL and Netscape provided Internet access to those third-party users. Accordingly, the court found the scope of the exclusions to encompass AOL and Netscape’s alleged activities in connection with the SmartDownload program. Id.
The Ninth Circuit Court of Appeals reversed on appeal. The Ninth Circuit acknowledged that the claims against AOL were not “traditional” breach of privacy claims. 343 Fed.Appx. at 272. Even so, the court concluded that the district court correctly construed the personal injury coverage provisions — and the privacy offense, in particular — broadly to encompass AOL’s alleged interception and internal dissemination of private online communications.
Nevertheless, the Ninth Circuit determined that the district court erred in its construction of the policy’s online-activities exclusion. Finding the district court had construed the exclusion “too broadly,” the court observed that the SmartDowload program did not provide an Internet connection and was useless without one. Id. Accordingly, the court determined that AOL did not provide Internet access in making the utility available. The Ninth Circuit, therefore, reversed the district court’s summary judgment determination and remanded for further proceedings.
Interestingly, some courts have determined that whether a claim potentially invokes coverage under the privacy offense depends on the identity of the claimant bringing the claim against the insured. For example, the coverage dispute in Santos v. Peerless Insurance Co., No. A121071, 2009 WL 1164972, *1 (Cal.App. Apr. 30, 2009) (unpublished), emanated from a lawsuit in which
Apple Computer, Inc., asserted that the insured — the corporate officer-controlling owner of one of Apple’s former authorized resellers and service providers — had, among other things, “repeatedly and deliberately designed computer programs to breach the security features of Apple’s websites and access non-public information on the websites.”
The insured sought coverage against Apple’s claims under both the property damage coverage and personal and advertising injury coverage of his liability policy. The insurer denied owing the insured any duty to defend and indemnify, and the insured filed suit thereafter.
In the ensuing coverage action, the Santoscourt concluded that no duty to defend existed under the personal and advertising injury coverage. The insured maintained that the underlying lawsuit potentially involved the coverage’s “publication of material that violates a person’s right of privacy” offense. 2009 WL 1164972 at *8. However, the court rejected the argument. In doing so, the Santos court embraced the insurer’s arguments that no coverage under the offense existed because Apple did not allege or seek damages based on a theory that Apple’s privacy rights were violated and that Apple lacked standing to assert the privacy rights of its customers. Accordingly, the Santoscourt concluded, as a matter of law, that no duty to defend existed under the personal and advertising injury coverage. 2009 WL 1164972 at *9.
For more information about insurance law, see the upcoming COMMERCIAL AND PROFESSIONAL LIABILITY INSURANCE — 2019 EDITION, available for preorder here.