Privacy & Cybersecurity Update - April 2019

Skadden, Arps, Slate, Meagher & Flom LLP

In this month's Privacy & Cybersecurity Update, we examine several recent U.K.-related cybersecurity developments and the SEC's risk alert reminding investment advisers and broker-dealers to follow through on implementing their privacy policy obligations. We also review the Canadian Office of the Privacy Commissioner's investigation on the impact of the Equifax breach on Canadians and an Eleventh Circuit decision in a putative class action alleging Telephone Consumer Protection Act violations.

EU and UK Developments

UK’s Cybersecurity Agency Will Not Report Data Breaches to Regulator

UK Information Commissioner’s Office Levies ‘Unprecedented’ Fine for Illegal Sharing of Personal Data

SEC Reminds Firms to Follow Their Privacy Policies

Canadian Privacy Commissioner Concludes Investigation into Equifax Breach

Eleventh Circuit Finds no Coverage Under CGL Policy in Junk Fax Putative Class Action

EU and UK Developments

Recent developments in the European Union and United Kingdom’s cybersecurity policies and programs — most prominently the adoption of the EU Cybersecurity Act — continued to demonstrate the region’s focus on improving cybersecurity in the public and private sectors, while also providing practical guidance and tools to assist companies and their boards with cyber risk management.

The Cybersecurity Act

On April 9, 2019, the General Affairs Council of the European Council adopted the “Regulation on ENISA (the European Union Agency for Network and Information Security) and on Information and Communications Technology Cybersecurity Certification and Repealing Regulation (EU) No 526/2013” (Cybersecurity Act).1 Whereas ENISA previously operated under a limited mandate that would have ended in 2020, the Cybersecurity Act gives the agency a permanent role as the EU agency for cybersecurity. The act also creates a mechanism for establishing a common framework for EU-wide cybersecurity certification schemes for information and communications technology (ICT).

The Cybersecurity Act recognizes the pervasive and “vital role” that network and information systems play in society and economic growth, noting that they are the “cornerstone of the digital single market.” As the EU faces a greater number of cybersecurity challenges from “borderless […] cyber threats,” the Cybersecurity Act aims to increase cooperation between EU authorities and across countries. Accordingly, the Cybersecurity Act envisions a one-stop shop, regardless of the differences between schemes, in which national authorities will issue cybersecurity certifications for ICT products that meet certain standards, while also ensuring these certificates will be valid across the EU.

The certification schemes will be adopted by the European Commission and implemented by national authorities, but ENISA will help support their uptake and policy development. The schemes will be designed for specific groups of ICT products, processes and services, and may involve some elements of self-certification or third-party certification of product, process and service resilience and security. The Cybersecurity Act will come into force 20 days after publication in the EU’s official journal and certification will be voluntary (unless member state or EU law specifies otherwise).

Recommendation on 5G Networks

On March 26, 2019, the European Commission recommended2 operational steps to promote cybersecurity in European 5G networks. The recommendation included a national risk assessment of 5G network infrastructures to be completed by each member state by the end of June 2019. ENISA also will complete a coordinated risk assessment by October 1, 2019, via a Cooperation Group of competent authorities as dictated under the Security of Network and Information Systems Directive. The recommendation also mentions the implementation of the EU-wide certification framework as discussed in the Cybersecurity Act and encourages member states to cooperate with the European Commission and ENISA to prioritize a certification framework for 5G networks. Lastly, the recommendation states that, by October 1, 2020, member states shall assess the effects of the recommendation and determine whether further steps are merited.

UK Department for Digital, Culture, Media & Sport Cybersecurity Survey Results

On April 3, 2019, the U.K.’s Department for Digital, Culture, Media & Sport (DCMS) published its Cybersecurity Breaches Survey,3 a report on information about cybersecurity issues garnered from surveyed U.K. businesses and charities.

Thirty-two percent of U.K. businesses surveyed identified cybersecurity breaches or attacks in 2018, and 48 percent of that group experienced at least one breach or attack per month. Additionally, around 60 percent of medium and large businesses reported cybersecurity breaches or attacks. While the overall number of businesses reporting breaches or attacks in this survey shows a decrease from 2017, the businesses that have reported cyberattacks are experiencing higher volumes of attacks than in the past.

DCMS presented some hypotheses for this trend, suggesting that businesses could stand to be more secure, or that attackers could be focusing more narrowly on larger businesses. DCMS also hypothesized that “[the EU General Data Protection Regulation] might have changed what businesses consider to be a breach, or led to some businesses becoming less willing to admit to having cyber breaches.” The survey separately showed that the financial cost of cybersecurity breaches in which data or assets were lost has consistently increased since 2017.

UK National Cybersecurity Centre Releases Toolkit Supporting Corporate Defences

The U.K. National Cybersecurity Centre (NCSC), an independent government organization under the auspices of the U.K. Government Communications Headquarters (GCHQ) tasked with providing the private and public sectors with cybersecurity guidance, support and assistance with cybersecurity incident responses, recently released a “Board Toolkit.”4 The Toolkit emphasizes board responsibility for good cybersecurity practices, especially in light of high-profile media coverage of cyberattacks, their high risk and impact, and new regulations (such as the General Data Protection Regulation (GDPR)) “rais[ing] expectations of partners, shareholders, customers and the wider public.” The Toolkit also provides boards with guidance on how to promote cybersecurity within their companies. The NCSC also runs a “cyber accelerator”5 (as a part of the U.K. National Cyber Security Strategy 2016-20216), fostering the growth of cybersecurity startups that promise to bring “‘better, faster and cheaper’ security products to the market.” These initiatives are geared toward making the private sector more self-sufficient when it comes to cybersecurity policies and more resilient to cyberthreats.

Key Takeaways

As 2019 has posed novel cybersecurity challenges for states and businesses, cybersecurity-related bodies both at the EU and the member state level are taking additional measures to increase cooperation and transparency in the interest of further cyber resilience. The approaches thus far have been all-encompassing, providing support for governments and corporations alike, signalling that the EU has a continued focus on preventing cyberattacks and promoting overall cybersecurity.

UK’s Cybersecurity Agency Will Not Report Data Breaches to Regulator

Seeking to address a common concern about sharing cyberthreat information with government authorities, the U.K.’s national cybersecurity agency and data protection authority announced that information provided to the former will not automatically be shared with the latter.

The U.K.’s national cybersecurity agency announced that it will not automatically report data breaches to the country’s data privacy regulator without the victim’s consent. The joint decision of the NCSC and the Information Commissioner’s Office (ICO), announced on April 25, 2019, is designed to address concerns that companies would be less willing to share information about data breaches with the NCSC out of concern of being fined by the ICO.

The European Union’s GDPR allows the ICO to impose fines of up to 4 percent of a company’s global revenue in the event of a data breach. The NCSC, a separate U.K. government agency from the ICO, is tasked with strengthening the U.K.’s national infrastructure against cyberattacks. It offers free, confidential advice to British businesses on how to mitigate cyberattacks and provides assistance to victims of such attacks. When the GDPR came into effect in May 2018, the NCSC worried that the threat of steep fines from the ICO would have a chilling effect on companies’ willingness to provide information regarding cyberthreats they had experienced.

James Dipple-Johnstone, the ICO’s deputy commissioner, said that while the regulator agreed to this “clarification of roles,” organizations still have a legal obligation to report data breaches to the ICO, or risk substantial penalties. The decision means the NCSC may find itself in the potentially awkward position of knowing about GDPR violations and withholding that information from the ICO or other parts of government. The NCSC said in a statement that while it would not notify the ICO of breaches without the victim’s permission, it would encourage organizations to comply with the law. The NCSC also said that it would seek to establish a similar arrangement with U.K. law enforcement agencies that investigate cyberattacks.

The NCSC has not seen any change in the number or size of breaches being reported since the GDPR took effect, according to Paul Chichester, the NCSC’s director of operations, who commented on the announcement at a cybersecurity conference in Glasgow, Scotland, on April 24, 2019.

Key Takeaways

The joint announcement by the ICO and NCSC is intended to alleviate a common tension across many jurisdictions. Sharing information about cyberthreats helps the community at large defend against those threats, but companies fear that disclosing attacks they have suffered may provide a roadmap for regulators and others to make claims against them.

UK Information Commissioner’s Office Levies ‘Unprecedented’ Fine for Illegal Sharing of Personal Data

The U.K. data protection authorities have levied an unprecedented fine against a company that shared information about pregnant women and their children without providing proper notice.

On April 12, 2019, the U.K.’s ICO levied what it described as an “unprecedented” £400,000 fine against Bounty UK Ltd., a pregnancy and parenting club, for illegally sharing the personal data of more than 14 million people.7 The ICO imposed the fine under the Data Protection Act of 1998 (DPA of 1998), the predecessor to the EU’s GDPR and to the U.K.’s Data Protection Act of 2018 (DPA of 2018), which implements the GDPR. The decision is nevertheless instructive for two reasons. Firstly, it shows that the DPA of 1998 continues to be relevant today, and, secondly, it is an indication of the types of behaviors that can still give rise to liability, even under the GDPR.

Bounty’s Data Collection

Bounty is a pregnancy and parenting club headquartered in the United Kingdom. Founded in 1959, the company was initially a promotions business, offering sample products to new mothers through hospital networks across England and Wales. With the increasing prevalence of social media, Bounty expanded to offer fertility, pregnancy and parenting mobile apps, as well as free online guides to new parents. Bounty invited users to register for its digital platform and product distribution in three ways: in person at hospitals, through its mobile app or through its website. Bounty collected personal information of expecting parents as well as their newborn children through all three avenues.

Bounty’s Privacy Policy

Bounty collected personal information from individuals, but did not always provide complete information on its privacy practices to the affected data subjects. For example, although Bounty shared personal information with a number of organizations, including credit reference and marketing agencies such as Acxiom, Equifax, Indicia and Sky, it did not identify all of these organizations until it updated its privacy policy in 2018. Furthermore, although Bounty made its privacy policy available on its website and on its mobile app, it did not provide the policy to users who registered in person. In other words, users who registered in person not only did not receive an initial general description of how their information may be shared with third persons, but they also did not receive the more specific listing of the actual organizations that would receive it.

Similarly, online users were given an option to opt-in to receiving marketing communications from Bounty and third parties, while in-person or “offline” users were given notice that their information may be shared, but no opportunity to opt-out.

Between June 1, 2017, and April 30, 2018, Bounty sent approximately 34.4 million records to Acxiom, Equifax, Indicia and Sky. Approximately two-thirds of the records shared consisted of data acquired through offline registrations.

The Data Protection Act of 1998

The ICO is the U.K.’s independent regulator for data protection charged with enforcing various data and privacy regulations, including the DPA of 1998. The office applied the DPA of 1998 to Bounty’s actions because they took place before the GDPR and the DPA of 2018 took effect. The DPA of 1998 requires that personal data be processed fairly and lawfully, including in particular, the prohibition of the processing of personal data unless one of six conditions is met. The ICO looked closely at two of these conditions as potentially relevant:

  • the data subject has consented to the processing; and
  • the processing is necessary in order to pursue the legitimate interests of the "data controller" or "third parties" (unless it could unjustifiably prejudice the interests of the data subject).

Under the DPA of 1998, the ICO is authorized to impose monetary fines up to a maximum of £500,000, depending on various criteria, including the severity of the violation, whether the violation would likely cause substantial damage and whether the violation was deliberate.

ICO Decision

In finding Bounty violated the DPA of 1998, the ICO noted that the “fairness” requirement of data collection and processing imposed a transparency duty on data controllers to outline the purposes for which data subjects’ information will be used, and that Bounty failed to fulfill that duty. In addition, the ICO stated that the “fairness” requirement also calls for data controllers to treat individuals fairly when using their personal data, including by setting “reasonable expectations of how their data will be used and not using their data in ways that risk causing them damage or distress, unless there is some sufficiently weighty justification for doing so.” Regarding this final point, Steve Eckersley, ICO’s director of investigations, shed some light on the office’s special consideration given to pregnant women and young children as a uniquely vulnerable class of subjects, as well as the illegitimate purpose of collecting information for sale to unaffiliated third parties:

“Bounty was not open or transparent to the millions of people that their personal data may be passed on to such large number of organisations. Any consent given by these people was clearly not informed. Bounty’s actions appear to have been motivated by financial gain, given that data sharing was an integral part of their business model at the time.

“Such careless data sharing is likely to have caused distress to many people, since they did not know that their personal information was being shared multiple times with so many organisations, including information about their pregnancy status and their children.”

Importantly, the ICO found that, with respect to online users, the violations continued until Bounty updated its privacy policy to identify the specific organizations that received the information. For offline users — to whom Bounty never provided the original or amended policy — the ICO concluded that the violations were ongoing.

The fine, while not the maximum the ICO is authorized to impose under the DPA of 1998, reflects the seriousness of the violation, considering:

  • the number of affected data subjects;
  • the fact that some of the affected individuals’ data was shared on multiple occasions;
  • the sustained and prolonged duration of the violation;
  • the vulnerability of the class of data subjects;
  • the violation of the privacy notices;
  • the nature of the data involved; and
  • the loss of control over the data.

Furthermore, the ICO found that the violation was likely to cause substantial damage or distress, and that Bounty’s actions in sharing the data were “plainly deliberate.”

Key Takeaways

The ICO is still enforcing the DPA of 1998 despite newer regulations, including the DPA of 2018 and the GDPR, that impose even stricter obligations on companies that collect and process data and authorize enforcement agencies to levy even harsher fines in the event of a breach. As demonstrated by the Bounty case, the ICO is closely reading privacy policies and carefully reviewing the opportunities that data subjects are offered to opt out. As such, companies that sell information to third parties need to be transparent with their users that they are doing so.

SEC Reminds Firms to Follow Their Privacy Policies

The SEC has issued a risk alert identifying a range of privacy and cybersecurity compliance issues its staff has identified in the past two years. Many of these issues relate to failure to properly implement firms’ written policies.

On April 16, 2019, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) released a risk alert reminding investment advisers and broker-dealers that they must actually implement the promises they make with respect to protecting investors’ personal information in order to fulfill their regulatory obligations.8 The OCIE explained that it had found a number of firms had inadequate policies, or had failed to implement the measures they described in their policies, thus prompting the alert. The risk alert provided useful guidance to firms on the OCIE’s priorities with respect to privacy policy and related implementation requirements.

Regulation S-P and Required Privacy Practices

In the risk alert, the OCIE reminded firms that Regulation S-P requires firms to provide clear and conspicuous notice to their customers that accurately reflects their privacy policies and practices, to update that notice annually, and to accurately explain to investors their right to opt out of certain types of personal information disclosures. The regulation explains what must be included in these privacy and opt-out notices.

In addition, Regulation S-P’s Safeguards Rule requires firms to adopt written policies and procedures that address the administrative, technical and physical safeguards firms use to protect customer records and information. These must be “reasonably designed to ensure the security and confidentiality of customer records and information, protect against any anticipated threats or hazards to the security or integrity of [investor] records and information, and protect against unauthorized access to or use of [investor] records or information that could result in substantial harm or inconvenience to any [investor].”

Common Deficiencies in OCIE Investigations

The OCIE’s risk alert identified a number of common issues it has encountered over the last two years with respect to complying with these Regulation S-P requirements.

Lack of Required Notices

First, the OCIE reported a number of deficiencies with respect to the actual notices given to investors. It found that a number of firms did not provide the required notices when establishing the initial relationship with the investor, did not provide the required annual update notice and/or did not provide the required explanation of the investors’ opt-out rights.

Lack of Written Internal Policies

Second, the OCIE found that some firms did not have the written policies for protecting customer information required under the Safeguards Rule. Some firms’ policies simply restated the Safeguards Rule, but did not include policies and procedures for the actual safeguards. Others had policies and procedures that still contained blank spaces to be filled in by the firms. Still others had policies for delivering required privacy notices, but lacked any description of personal information safeguards.

Implementation and Adequacy Issues

Finally, the OCIE identified a number of examples of situations where it found that firms either did not adequately implement the policies they provided to investors or that the policies did not properly address the potential risks to investor information. Specifically, the OCIE identified 10 different areas where it found issues:

  • Personal Devices. Policies and procedures did not appear reasonably designed to safeguard investor information on personal devices. The OCIE’s staff found that some firm employees regularly stored and maintained investor information on their personal laptops, but that the firm’s policies and procedures did not address how to properly protect this information on these devices.
  • Electronic Communications. Policies and procedures did not address the inclusion of personal information in electronic communications. For example, the OCIE’s staff found firms that did not appear to have policies and procedures reasonably designed to prevent employees from regularly sending unencrypted emails containing this information.
  • Training and Monitoring. Firms failed to properly train employees on how to follow their policies and procedures. For example, the OCIE found that some firms had policies and procedures that required investor information to be encrypted, password-protected and transmitted using only registrant-approved methods, but that employees were not provided adequate training on these methods and the firm failed to monitor if the policies were being followed by employees. This lack of training and monitoring rendered the policies and procedures themselves inadequate under Regulation S-P.
  • Unsecure Networks. Policies and procedures did not prohibit employees from sending investor personal information to unsecure locations outside of the firms’ networks.
  • Outside Vendors. Some firms failed to follow their own policies and procedures regarding outside vendors. For example, the OCIE’s staff found firms that failed to require outside vendors to contractually agree to keep investors’ personal information confidential, even though such agreements were mandated by the firms’ policies and procedures.
  • System Inventory. Policies and procedures did not identify all systems on which the firm maintained investor personal information. Without an inventory of such systems, the OCIE staff noted, firms may be unaware of the categories of information that they maintain, which could limit their ability to adopt reasonably designed policies and procedures, and adequately safeguard that information.
  • Incident Response Plans. Written incident response plans did not address important incident response topics, such as role assignments for implementing the plan, actions required to address a cybersecurity incident and assessments of system vulnerabilities.
  • Insecure Physical Locations. Unsecure physical storage of investor information, such as in unlocked file cabinets in open offices.
  • Login Credentials. Login credential practices were not secure, such as using login credentials that had been disseminated to more employees than permitted under the firms’ policies and procedures.
  • Departed Employees. Instances existed where former employees retained access rights after their departure and therefore could access restricted investor information.

Key Takeaways

The OCIE’s risk alert highlights the care that firms should take in designing and implementing their cybersecurity and data privacy policies to ensure that they adequately address the risks that they face. Further, it is important for firms to not simply adopt a “boilerplate” policy and assume they have satisfied their regulatory obligations. Rather, firms should be sure to adapt the policies to meet their regulatory obligations and to reflect their actual practices, and then train their staff on how to comply with the policies they adopt.

Canadian Privacy Commissioner Concludes Investigation into Equifax Breach

The Office of the Privacy Commissioner of Canada (OPC) recently concluded its investigation into the impact of the Equifax breach on Canadians. In its report, the OPC found that Equifax Canada and its U.S.-based parent company fell short of their obligations under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).

On April 9, 2019, the OPC released its report on the 2017 Equifax data breach, outlining how the actions of Equifax and its Canadian-based subsidiary, Equifax Canada, impacted Canadians. The report concluded that the two companies had failed to meet their obligations under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).9

Background on the Equifax Breach

In September 2017, U.S.-based credit reporting company Equifax publicly announced that attackers gained access to the personal information of more than 143 million individuals, including approximately 19,000 Canadians who had purchased credit monitoring or fraud alert products from Equifax Canada. Almost all of the impacted Canadians had their social insurance number and other accompanying identifying information compromised.

According to the OPC’s report, the attackers gained access to Equifax’s systems in May 2017 and operated undetected for more than two months. Equifax did not notify Equifax Canada of the breach until shortly before Equifax disclosed the breach to the public in July 2017. Canadians who were impacted by the breach did not receive notifications that their personal information had been compromised until October 2017.

Although Equifax Canada provided free credit monitoring to the affected Canadians, the company did not provide the same post-breach protections that its U.S. parent company provided. For example, Equifax offered Americans the opportunity to freeze their credit files, while Equifax Canada did not provide that same credit freeze option to affected Canadians.

The OPC Report

After investigating the cause of the breach and the impact on Canadian residents, the OPC published a report that addressed the gaps in Equifax and Equifax Canada’s data protection practices and made several recommendations for Equifax and Equifax Canada going forward. The report noted the following gaps with respect to Equifax and Equifax Canada’s compliance with PIPEDA:

  • Equifax and Equifax Canada did not provide safeguards appropriate to the sensitivity of the personal information at issue;
  • Equifax did not comply with PIPEDA’s data retention and destruction requirements;
  • Equifax Canada did not demonstrate adequate accountability for protecting the personal information of Canadians; and
  • Equifax Canada did not provide mitigation measures to the affected individuals that were adequate to protect their personal information from unauthorized use, such as future identity theft.

The OPC also found that Equifax Canada failed to obtain express consent to transfer personal information to a separate entity in the U.S. PIPEDA generally requires organizations to obtain express consent prior to such a transfer, where individuals would not reasonably expect the cross-border transfer of their information to a separate entity or where the proposed transfer involves certain types of sensitive information. Equifax Canada’s Canadian customers interacted exclusively with Equifax Canada and were not given any express notice that their information would be processed in the U.S. However, the OPC concluded that Equifax Canada acted in good faith in not seeking express consent for these disclosures because of previous OPC guidance that indicated that the transfers at issue did not require express consent.

The OPC concluded the report with the following recommendations to Equifax Canada:

  • implement a procedure to ensure that the written arrangement between Equifax and Equifax Canada concerning the collection and disclosure of Canadian personal information remains up to date;
  • implement a robust monitoring program to ensure compliance with that written arrangement;
  • identify personal information that should no longer be retained by Equifax according to a set retention schedule, and delete such information; and
  • every two years for a six-year term, provide the OPC (1) a report regarding the monitoring program described above, (2) an audit report and certification conducted by an appropriate external auditor against an acceptable security standard that covers all Canadian personal information for which Equifax Canada is responsible, including information processed by Equifax, and (3) a third-party assessment of Equifax’s data retention practices that covers all Canadian personal information processed by Equifax.

Equifax Canada entered into a compliance agreement with the OPC under which Equifax Canada agreed to comply with these recommendations and other requirements aimed at improving Equifax Canada’s data protection practices.10 For example, the agreement also requires Equifax Canada to improve the process by which it obtains consent to transfer personal information. As part of the agreement, Equifax Canada also agreed to extend its free credit monitoring service to impacted Canadians. However, Equifax Canada did not agree to provide the free or low-cost credit freeze product offered to impacted Americans after the breach.

Key Takeaways

The Equifax breach and the OPC’s response provide a useful reminder to companies that store or process personal information from consumers in multiple jurisdictions about the importance of compliance with local data protection laws. Years after the breach, Equifax and its local subsidiaries remain subject to extensive audit periods from government regulators and increased obligations to improve and maintain their data protection practices. The potential costs of a breach can outweigh the costs of implementing and maintaining comprehensive data protection policies and practices.

Eleventh Circuit Finds no Coverage Under CGL Policy in Junk Fax Putative Class Action

A federal appeals court, applying Georgia law, recently held that Travelers unit St. Paul Fire & Marine Insurance Company (St. Paul) did not need to cover a multimillion-dollar settlement in a junk fax putative class action alleging Telephone Consumer Protection Act (TCPA) violations. According to the court, the alleged unsolicited faxes did not constitute an “accident” under St. Paul’s insurance policies — a condition precedent to coverage.

On April 12, 2019, the Eleventh Circuit affirmed a district court’s holding that St. Paul has no obligation under a series of commercial general liability (CGL) policies issued to Atlanta-based manufacturing sourcing provider MFG.com (MFG) to cover a $22 million settlement reached in a putative class action alleging TCPA violations.11

The Junk Faxes

As part of a fax advertising campaign, MFG purchased lists of individuals who MFG believed had consented to receive marketing materials via fax. Between September 2005 and November 2008, MFG sent approximately 494,212 unsolicited fax advertisements to those individuals. Although MFG believed that its advertising campaign complied with all applicable laws, MFG was mistaken, as the fax recipients had not in fact consented to MFG’s unsolicited advertisements. The junk faxes allegedly caused property damage to the fax recipients by occupying their fax machines and depleting their ink and paper.

The St. Paul Policies

At the time MFG sent the junk faxes, it had in place a series of CGL policies (the policies) that covered liability for “property damage” caused by an “event.” The policies defined “property damage” as “physical damage to tangible property of others, including all resulting use of that property” or “loss of use of tangible property of others that isn’t physically damaged.” The policies defined “event” as “an accident, including continuous or repeated exposure to substantially the same general harmful conditions.” The policies did not define “accident.”

The TCPA Putative Class Actions

In November 2008, G.M. Sign, Inc. (GM Sign), a commercial sign manufacturer and recipient of MFG’s junk faxes, commenced a putative class action in Illinois state court against MFG. The lawsuit alleged that MFG sent GM Sign and the putative class members fax advertisements without their permission, in violation of the TCPA. MFG noticed the claim to St. Paul, which denied coverage.

MFG removed the underlying case to federal court, and on July 29, 2009, the parties stipulated to dismiss the lawsuit without prejudice to refile. One day later, GM Sign commenced another lawsuit in Illinois state court alleging the same TCPA claims on behalf of the same putative class. The lawsuit eventually settled for $22,536,500, though the parties agreed that MFG would pay only $460,000 of that amount. MFG then assigned to GM Sign and the putative class MFG’s claims against and rights to payment, if any, under the policies.

The Coverage Action and the District Court’s Decision

GM Sign, as assignee of MFG’s rights under the policies, then filed a declaratory judgment action against St. Paul in Georgia state court seeking a declaration that the policies covered the settled claims. St. Paul removed the coverage action to Georgia federal court and filed a counterclaim that it owed no coverage. On the parties’ cross-motions for summary judgment, the court granted St. Paul’s motion, holding that under the Eleventh Circuit’s decision in Mindis Metals, Inc. v. Transportation Insurance Co., “the intentional delivery of fax advertisements does not qualify as an ‘accident’ under Georgia law, even if the sender erroneously believed that it had consent to send the fax advertisements.” GM Sign appealed.

The Eleventh Circuit’s Decision

The Eleventh Circuit agreed with St. Paul and the district court, holding that the settled TCPA claims were not covered under the policies because the alleged property damage was not caused by an “accident,” a condition precedent to coverage. In reaching its conclusion, the court determined that it was bound by its decision in Mindis Metals, which held that intentional conduct premised on erroneous information does not constitute an accident. “MFG intended to send the faxes and thus intended to cause the resulting property damage, the use of the fax machines and the depletion of the machines’ ink and paper,” the court wrote. Moreover, “[t]he fact that MFG mistakenly thought the recipients had consented to receive the faxes is insufficient under Mindis Metals to render the property damage an accident under Georgia law.” Accordingly, the court concluded, the settled TCPA claims were not covered under the policies.

Key Takeaways

As the court’s decision in G.M. Sign illustrates, TCPA claims may not fit neatly into coverage. However, given the increased frequency of TCPA lawsuits in recent years and their significant costs, policyholders should nonetheless consider all coverage lines that may respond to such claims, including, for example, CGL, directors and officers liability, errors and omissions liability and cyber liability. In addition, policyholders faced with TCPA exposure would be well-advised to work proactively with their insurance brokers, advisers and carriers in an effort to obtain the most favorable coverage possible.

_______________

1 The General Affairs Council’s regulation can be read here.

2 The commission’s recommendation can be read here.

3 The survey can be read here.

4 The Board Toolkit can be found here.

5 Information on the cyber accelerator can be found here.

6 The U.K. National Cyber Security Strategy 2016-2021 can be found here.

7 A copy of the ICO’s decision is available here.

8 The risk alert is available here.

9 The full text of the OPC report can be found here.

10 The full text of the compliance agreement can be found here.

11 G.M. Sign, Inc. v. St. Paul Fire & Marine Ins. Co., No. 17-14247, 2019 WL 1579792 (11th Cir. Apr. 12, 2019).


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Skadden, Arps, Slate, Meagher & Flom LLP | Attorney Advertising
