Recent California Decision Holds That Privacy/Data Breach Liability Covered Under “Traditional” Insurance Policy


In an October 7th decision, the United States District Court for the Central District of California upheld coverage under a commercial general liability policy for a hospital data breach that compromised the records of nearly 20,000 patients in Hartford Casualty Insurance Company v. Corcino & Associates et al.[1]

The two underlying class action lawsuits in Corcino alleged that Stanford Hospital and Clinics and the insured, medical consulting firm Corcino & Associates, violated the privacy rights of numerous patients by providing confidential personally identifiable medical information to an individual who posted the information on a public website. In particular, the claimants alleged that “the private, confidential, and sensitive medical and/or psychiatric information of almost 20,000 patients of Stanford’s Emergency Department appeared on a public website and remained publicly available online for almost one full year.”[2] The underlying complaints contained causes of action for violations of the claimants’ constitutional right of privacy, common law privacy rights, the California Confidentiality of Medical Information Act (CMIA)[3] and the California Lanterman Petris Short (LPS) Act.[4] The suits sought, among other things, statutory damages of $1,000 per person under CMIA and statutory damages of up to $10,000 per person under LPS.

The insured sought a defense and indemnity under its commercial general liability (CGL) insurance policy. The “personal and advertising injury” insuring clause of the policy stated that the insurer, Hartford Casualty Insurance Company, would “pay those sums that the insured becomes legally obligated to pay as damages because of… ‘personal and advertising injury.’”[5] The term “personal and advertising injury” was defined in the Policy as follows:

“Personal and advertising injury” means injury, including consequential “bodily injury”, arising out of one or more of the following offenses:

* * *

e.   Oral, written or electronic publication of material that violates a 
       person’s right of privacy;

* * *

As used in this definition, oral, written or electronic publication includes publication of material by someone not authorized to access or distribute the material[.][6]

Hartford accepted the defense of the claims, but reserved its right to deny coverage and initiated coverage litigation seeking a declaration that the statutory relief sought by the claimants is excluded from coverage under the following exclusion pertaining to violations of statutorily created rights:

This insurance does not apply to:

* * *

p.   Personal And Advertising Injury

      (11)      Arising out of the violation of a person’s right to privacy
                   created by any state or federal act.

      However, this exclusion does not apply to liability for
      damages that the insured would have in absence of
      such state or federal act.[7]

Citing this exclusionary language, Hartford contended that “the Policy provides no coverage for any statutory relief (including, but not necessarily limited to, statutory damages) awarded against [the insureds] because such relief would arise out of the violation of a person’s right to privacy created by a state act(s) for which [the insureds] would have no such liability in the absence of such state act(s).”[8]

Stanford moved to dismiss Hartford’s complaint for failure to state a claim. In particular, Stanford contended that the exclusion did not apply, and that Hartford’s complaint therefore failed to state a claim upon which relief can be granted, because the statutes did not “create” privacy rights, but rather provided remedies for breach of existing constitutional and common law rights.[9]

Hartford’s exclusion does not apply because the plaintiffs in the underlying cases seek statutory remedies for breaches of privacy rights that were not themselves ‘created by any state or federal act,’ but which exist under common law and the California Constitution – and which existed for decades before the Legislature made the current statutory remedies available for them.[10]

In considering Stanford’s motion to dismiss, the court noted that “insurance coverage is interpreted broadly so as to afford the greatest possible protection to the insured, [whereas]. . . exclusionary clauses are interpreted narrowly against the insurer.”[11] Therefore, “[i]f any reasonable interpretation of the policy would result in coverage, a court must find coverage even if other reasonable interpretations would preclude coverage.”[12]

Applying these well-established rules of insurance policy construction, the court concluded that Stanford’s interpretation of the policy was reasonable.[13] In reaching this conclusion, the court noted that “medical records have been considered private and confidential for well over 100 years at common law.”[14] The court also found that “[t]he legislative history of the LPS and CMIA, under which the plaintiffs seek relief against [the insured], demonstrates that these statutes were intended not to create new privacy rights, but rather to codify existing rights and create effective remedies that would encourage affected individuals to enforce them.”[15] The court reasoned that “because the LPS and CMIA do not create new privacy rights and because the Policy exclusion by its terms ‘does not apply to liability for damages that the insured would have in absence of such state or federal act,’ the relief sought under these statutes can reasonably be interpreted to fall outside of Hartford’s Policy exclusion.”[16] The court also rejected Hartford’s argument that statutory penalties are not covered “damages” because of “personal and advertising injury,” finding that “[t]he statutes… permit an injured individual to recover damages for breach of an established privacy right, and as such, fall squarely within the Policy’s coverage.”[17]

The court concluded that the hospital’s “interpretation of the Policy exclusion’s scope based on the language and plain meaning of the exclusion is reasonable” and, therefore, “any relief awarded under the LPS and CMIA would be covered, rather than excluded, under Hartford’s Policy.”[18] The court granted Stanford’s motion to dismiss with prejudice.[19]

The Corcino decision underscores that, although insurers have increasingly added exclusions to “traditional” policies purporting to limit or cut off coverage for privacy liability and electronic data-related claims,[20] there may yet be valuable privacy and data breach coverage under traditional policies that should not be overlooked. While some companies carry specialty “cyber” insurance policies that are specifically designed to afford coverage for cyber risk, most companies have various forms of “traditional” insurance policies that may cover cyber risks, including CGL policies. As Corcino illustrates, there may be significant coverage under traditional policies, including for data breaches that result in disclosure of personally identifiable information and other claims alleging violation of a right to privacy. 

Notes:
[1] No. CV 13-3728 GAF (JCx), Minutes (In Chambers) Order Re: Motion To Dismiss (Oct. 7, 2013).

[2] Id. at 2 (quoting the Second Amended Class Action Complaint in Springer, et al. v. Stanford Hosp. and Clinics, et al., No. BC470S22 (Cal. Super. Ct., filed May 12, 2012)).

[3] Cal. Civ. Code §§ 56-56.37.

[4] Cal. Welf. & Inst. Code §§ 5328-5330.

[5] Hartford’s First Amended Complaint For Declaratory Relief, filed on June 18, 2012, at ¶ 18.

[6] Id. at ¶ 19.

[7] Id. at ¶ 20.

[8] Id. at ¶ 21.

[9] Corcino, No. CV 13-3728 GAF (JCx), at 6.

[10] Defendant Stanford Hospital And Clinics’ [Corrected] Notice of Motion to Dismiss Complaint, at 1 (filed Aug. 19, 2013) (original emphasis).

[11] Corcino, No. CV 13-3728 GAF (JCx), at 5 (quoting MacKinnon v. Truck Ins. Exch., 73 P.3d 1205, 1213 (Cal. 2003)).

[12] Id. at 5-6 (quoting Bodell v. Walbrook Ins. Co., 119 F.3d 1411, 1413 (9th Cir. 1997)).

[13] See id. at 6.

[14] Id. at 6-7.

[15] Id. at 7.

[16] Id.

[17] Id.

[18] Id. at 7-8.

[19] Id. at 8.

[20] See Roberta D. Anderson, ISO's Newly-Filed Data Breach Exclusions Provide Yet Another Reason To Consider “Cyber” Insurance, Law360 (Sept. 23, 2013).