In Ellicott City Cable LLC v. AXIS Ins. Co., the U.S. District Court for the District of Maryland held the term “data” did not include cable television programming that was accessed without DirecTV’s authorization. The definition of “data” became the central question in this declaratory judgment action initiated by Ellicott City Cable LLC (Ellicott) to establish coverage under its multimedia liability policy issued by AXIS Ins. Co. (AXIS).

Ellicott sought coverage under its media policy when it was sued by DirecTV, LLC (DirecTV). Ellicott was formed to provide cable, internet and telephone service to two residential communities in Maryland. Ellicott entered into contracts with DirecTV agents for programming and equipment. At some point, DirecTV filed suit based on allegations that Ellicott “fraudulently obtain[ed], and assist[ed] others in obtaining DIRECTV’s satellite television programming and distribut[ed] that programming over unauthorized cable television systems.”

After receiving notice of the DirecTV lawsuit, AXIS denied coverage on the grounds that the litigation resulted from Ellicott’s allegedly intentional unauthorized access to DirecTV’s programming. After the DirecTV lawsuit was settled, AXIS continued to deny coverage on the basis that Ellicott’s “unauthorized use of data precludes a duty to defend and is within the exclusion of the liability policies issued.”

In particular, AXIS denied coverage under an exclusion for claims “for or arising out of any actual or alleged…unauthorized access to, unauthorized use of, or unauthorized alteration of any computer or system, hardware, software, program, network, data, database, communication network or service, including the introduction of malicious code or virus by any person….” Ellicott argued this exclusion was inapplicable because DirecTV’s cable television programming was not “data.”

In finding the exclusion did not apply because Ellicott did not use DirecTV’s “data,” the District Court interpreted “data” using the definition found in the dictionary and analyzing the way the term was used in the underlying litigation:

In this case, the term “data” is ambiguous within the meaning of the unauthorized access exclusions. As a preliminary matter, DirecTV did not use “data” to describe the television programming that it alleged ECC and Dr. Taylor accessed without authorization. Moreover, the Policies do not define “data.” This term, however, is broadly defined by the Merriam-Webster Dictionary as “facts or information used usually to calculate, analyze, or plan something” or “information that is produced or stored by a computer.” Data, Merriam-Webster Dictionary, (last visited Jul. 14, 2016). Given the breadth of this definition, the principles of ejusdem generis and noscitur a sociis counsel consideration of “the accompanying words so that…general and specific words, capable of analogous meaning, when associated together, take color from each other[.]” LeRoy v. Kirk, 277 A.2d 611, 614 (Md. 1971) (citing Black’s Law Dictionary (4th Ed.)).

AXIS further took the position that the exclusion barred coverage to the extent DirecTV’s programming “in its digital form, is ‘digitized and compressed…into a signal that is then encrypted’ and sent to DirecTV receivers via satellite signal.” The District Court rejected AXIS’ argument that DirecTV’s television programming takes both digital and analog forms because it was concerned that, under this interpretation of “data,” Ellicott “would receive insurance coverage for unauthorized access to analog television programming, and not digital television programming.”

Beyond the scope of pirated cable, this decision demonstrates that novel terms in insurance cases such as “data” are going to be subject to interpretation as this body of law develops. However, the court reviewed the policy as a whole and found the parties intended the policies to provide coverage for allegations that Ellicott pirated DirecTV’s programming. In reviewing all the provisions of the policy, the court held “[t]o interpret ‘data’ as including DirecTV’s television programming would effectively broaden the scope of the exclusion to eliminate any coverage for piracy.” Therefore, this case, while limited in scope, demonstrates the need for insureds and insurers to understand the unique terms and concerns that go into coverage for these emerging risks.

The post Walk the Plank: Court Finds Pirated Cable Programming Not “Data” in Multimedia Liability Policy appeared first on Privacy Risk Report.

There have been more developments in the law related to cyber and data breach claims in the last two weeks than in the last year. First, Sony and Zurich settled their coverage dispute that left the lower court’s decision (which was favorable to insurers) untouched. Then, a Federal court in Utah held there was no duty to defend under a cyber policy.

Now, there is a decision making it more difficult to claim for damages related to data breaches under CGL policies. On May 18, 2015, the Connecticut Supreme Court affirmed a lower court’s decision in Recall Total Info. Management, Inc. v. Federal Ins. Co., finding there is no insurance coverage for more than $6 million in losses related to the exposure of private information belonging to nearly 500,000 IBM employees.

In Recall Total, the insured sought coverage under its CGL policy when it lost data storage tapes storing its customer’s private information. The tapes fell out of the back of the insured’s van onto the road. It was believed that after falling out of the van, about 130 of the tapes were taken from the side of the road by an unknown person. The CGL policy at issue provided coverage for “personal injury” which included, “publication of material that…violates a person’s right to privacy.”

In analyzing this provision and the facts of this case, the court held first that there was no dispute that the information on the tapes was private, and, second, the threshold was whether the information on the tapes had been “published.” In finding there was no coverage, the lower court held there was no evidence that the information on the tapes had been found or used after the tapes fell off the van. In reviewing the evidence, the Court found, “[t]here is nothing in the record suggesting that the information on the tapes was ever accessed by anyone.” Specifically, the Recall Total lower court decision addressed the personal injury provision in the following manner:

“On the basis of our review of the policy, we conclude that personal injury presupposes publication of the personal information contained on the tapes. Thus, the dispositive issue is not loss of the physical tapes themselves; rather, it is whether the information in them has been published. The plaintiffs contend that the mere loss of the tapes constitutes a publication, and has alleged that the information was published to a thief. The plaintiffs have failed to cite any evidence that the information was published and thereby failed to take their allegation beyond the realm of speculation. See, e.g., Norse Systems, Inc. v. Tingley Systems, Inc., supra, 49 Conn.App. at 591, 715 A.2d 807 (speculation or conjecture will not overcome motion for summary judgment). As the complaint and affidavits are entirely devoid of facts suggesting that the personal information actually was accessed, there has been no publication.”

In its concise decision, the Connecticut Supreme Court said there was no purpose in repeating the discussion in the superior court’s “well-reasoned” January 2014 ruling.

While this decision does not involve a data breach or a classic cyber claim, it provides insight into how a data breach might be viewed from a coverage perspective when there is no evidence that the private or confidential information was actually published to third parties. More importantly, the reasoning of the Recall Total decision is in harmony with the trial court’s decision in Sony’s coverage action against Zurich. In that case, which was settled before the appellate court could render its decision, the New York trial court ruled Zurich had no duty to defend because there was no “publication” under Coverage B of the CGL policy. These two decisions, coupled with the cyber exclusions that are becoming more common in CGL policies, are beginning to fill the void in case law related to these claims.

The post Connecticut Supreme Court Finds No Coverage Under CGL Policy for Lost Data appeared first on Privacy Risk Report.

On April 27, 2015 the U.S. Supreme Court granted Spokeo, Inc.’s Petition for a Writ of Certiorari appealing an opinion from the U.S. Court of Appeals for the Ninth Circuit. The Ninth Circuit decision held that the Plaintiff, Thomas Robins, had standing to bring claims under the Fair Credit Reporting Act (FCRA) on behalf of a purported class. A number of plaintiffs have had their data breach cases dismissed based on findings that they lacked standing because they were incapable of showing they were injured.

In his First Amended Complaint, Robins, an unemployed individual, brought a purported class action under FCRA and California’s Unfair Competition Law based on a consumer report that Spokeo allegedly prepared indicating that he had a graduate degree, his economic health was “very strong” and he was in the top 10% wealth level. Robins alleged that these reported facts were false. He claimed that Spokeo’s marketing of inaccurate consumer reporting information caused him actual and/or imminent harm sufficient enough to confer upon him standing to sue Spokeo. The trial court ultimately held that Robins did not have standing to bring suit because a mere violation of the statute was insufficient to confer standing absent an injury in fact. The trial court considered Robins’ diminished employment prospects on account of the false information contained in the report to be too speculative to constitute a cognizable injury.

The Ninth Circuit issued an opinion reversing the trial court’s decision to dismiss the case for lack of standing. The court held where Congress permits a private party to sue for violations of a statute, the statutory violation is sufficient to constitute a concrete injury for standing if that individual’s statutory rights were violated. Given that FCRA does not require a showing of actual harm for willful violations of the statute, Robins was not required to show any cognizable injury other than the violation itself.

The Supreme Court will address the standing issue, and likely resolve a split among the U.S. Courts of Appeal. The decision in this matter will likely have implications on standing for other plaintiffs’ data breach and privacy class actions where sometimes the only cognizable injury is a violation of a statute. If the U.S. Supreme Court were to rule in Robins’ favor on this matter, it may lower the threshold for plaintiffs to establish standing in data breach claims.

The post U.S Supreme Court to Hear Case That May Have Major Implications on Data Breach Cases appeared first on Privacy Risk Report.

We are still in the early stages of insurance coverage for cyberliability and data breaches. While there may be no question that cyberliability does not trigger CGL insurance as “bodily injury” or “property damage,” a court may face questions of whether cyber liability constitutes “personal injury” under CGL policies.  In particular, courts may be called on to decide whether data breach claims similar to those seen in the Target matter constitute a “publication of material that violates a person’s right to privacy,” and, therefore triggers coverage as “personal injury.”

A recent white paper published by Swiss Re entitled “Is CGL insurance coverage tonic for the data breach blues?” provides insight on these emerging issues.

The post CGL Policies May Not Provide a Safe Harbor For Data Breach appeared first on Privacy Risk Report.