As data privacy statutes proliferate, insurance coverage disputes are rising concerning whether liability policies cover the defense and indemnification of violations of data privacy statutes. Many of these consumer data privacy statutes predate the mass electronic collection and storage of personally identifiable information. The analysis is similar about whether there is coverage against lawsuits arising out of older consumer privacy statutes or newer data privacy statutes. In a recent case, the coverage dispute arose over a lawsuit brought under the Driver’s Privacy Protection Act of 1994 (“DPPA”).
In Hartford Casualty Insurance Co. v. Davis & Gleshenen, LLP, No. 19-1578 (4th Cir. Mar. 10, 2020) (Unpublished), a law firm was sued in a putative class action for mailing advertisements for legal services without consent to drivers who had been involved in automobile accidents in violation of DPPA. The law firm sought coverage from its business liability insurance carrier and the carrier brought a declaratory judgment action seeking an order that it had no duty to defend or indemnify the law firm. The carrier moved for judgment on the pleadings based on two exclusions: the privacy exclusion and the communications exclusion. The district court granted the motion for judgment on the pleadings and dismissed the action. The law firm appealed.
In affirming the dismissal of the law firm’s action, the circuit court had a simple task because in 2018 it ruled on a similar dispute with one of the law firm’s co-defendants. See Hartford Cas. Ins. Co. v. Ted A. Greve & Assocs., PA, 742 F. App’x (4th Cir. 2018). In that case, the court affirmed the district court’s order concluding that the insurance company had no duty to defend or indemnify because the DPPA claim unambiguously fell within an identical privacy exclusion.
The privacy exclusion excluded coverage for personal and advertising injury arising out of the violation of an individual’s right to privacy created by any state or federal law. The communications exclusion, which the circuit court did not need to reach, excluded coverage for personal and advertising injury arising directly or indirectly from a statute, ordinance or regulation that prohibits or limits the sending, transmitting, communicating, or distributing of material or information.
The case was decided under North Carolina law with the court outlining the coverage rules found in most states. The insured has the burden of bringing itself within the policy language and, if it does so, the insurer must prove that the exclusion excepts that particular injury from coverage. The law firm did not attempt to distinguish the 2018 case and the court concluded that the same reasoning applied. Thus, because the privacy exclusion precluded coverage, the carrier had no duty to defend or indemnify the law firm.
This scenario will continue to repeat as violations of newer data privacy laws result in lawsuits and regulatory action, with defendants continuing to seek coverage under traditional liability policies (silent cyber) and under cyber insurance policies. Whether there is a duty to defend or indemnify is all in the details of the coverage grants and exclusions of these policies.