Invasion of Privacy Exclusion in a Claims-Made Policy and Looking Ahead to Data Privacy Litigation
This week in Horn v. Liberty Insurance Underwriters, Inc., 2019 U.S. Dist. LEXIS 90194 (S.D. Fla. May 30, 2019), the Florida district court held that an invasion of privacy exclusion under a claims-made policy prohibited coverage for an underlying Telephone Consumer Protection Act (TCPA) lawsuit. The decision is of interest because of the court’s reasoning, and as it may foreshadow the direction of coverage litigation as more and more data privacy (as opposed to data security) laws and regulations are passed and enforced.
The facts of Horn are straightforward. The insured, iCAN Holdings, described as a “national direct response marketer and seller of insurance products,” was sued in an underlying TCPA class action for allegedly sending unsolicited text messages. iCAN was insured under a “Private Advantage Insurance Policy,” which provided coverage for loss the insured becomes legally obligated to pay “by reason of any Claim first made against the Company during the Policy Period … for any Wrongful Acts by the Company ….” Horn, 2019 U.S. Dist. LEXIS 90194, at *2-3, 7. After the insurer denied coverage, the insured executed a $60 million consent settlement and assigned its rights to the underlying plaintiffs to recover the settlement amount from the insurer. Id. at *3. Coverage litigation ensued.
The insurer denied coverage under an “Invasion of Privacy” exclusion, which prohibited coverage for “Loss on account of any Claim made against the Company … based upon, arising out of, or attributable to any actual or alleged … invasion of privacy[.]” Id. at *7. The insurer argued that because the policy defined “Claim” as a “civil proceeding,” and because an underlying class action alleged TCPA violations which caused harm from an invasion of privacy, the lawsuit “arose out of an invasion of privacy, thereby implicating the exclusion. Id. at *9. The plaintiffs, on the other hand, contended that the exclusion did not apply because the lawsuit had allegations in addition to invasion of privacy that fell outside such an exclusion. Id. The plaintiffs also contended that the exclusion did not apply because they did not have to prove invasion of privacy to prevail because invasion of privacy “is not an element of the TCPA cause of action.” Id.
The federal court agreed with the insurer, first accepting the premise that although invasion of privacy is not an element for a TCPA claim, “a violation of the TCPA may in some circumstances be considered an invasion of privacy for the purposes of analyzing coverage in an insurance policy[.]” Id. at *10 (emphasis in original). The court noted that the underlying complaint itself alleged “that the class action plaintiffs’ privacy was invaded by the violative texts.” Id. at *16. The court also looked to recent decisions by other courts. The court noted the Florida Supreme Court’s acknowledgment in Penzer v. Transportation Ins. Co., 29 So.3d 1000, 1006 (Fla. 2010), that for TCPA litigation, “the source of the right of privacy is the TCPA, which provides the privacy right to seclusion.” Id. at *10-11. Similarly, the Ninth Circuit, in LA Lakers, Inc. v. Fed. Ins. Co., 869 F.3d 795, 806 (9th Cir. 2017), held that an invasion of privacy exclusion precluded coverage for TCPA litigation because “a TCPA claim is inherently an invasion of privacy claim[.]” Id. at *12. The court further examined the broad language of “arising out of,” a phrase that is “broader in meaning than the term ‘caused by’ and means ‘originating from,’ ‘having its origin in,’ ‘growing out of,’ ‘flowing from,’ ‘incident to’ or ‘having a connection with.’” Id. at *14. Thus “coupling” the invasion-of-privacy case law with the meaning of “arising out of,” the court concluded that the alleged TCPA violations “arise out of an invasion of privacy and therefore are excluded” by the Invasion of Privacy exclusion. Id. at *14-15.
Whether the exclusion applied to the entire lawsuit, the insurer argued that the policy’s definition for “Claim” required a broad application of the exclusion. Because the policy defined “Claim” as “a civil proceeding against any Insured commenced by the service of a complaint…,” a “Claim” constituted “the entire underlying civil proceeding” filed against iCAN, and not merely a set of damages or allegations. Id. at *15. In other words, because the exclusion prohibited coverage for Loss “on account of any Claim [ i.e., lawsuit]” that was “arising out of any … invasion of privacy,” the exclusion barred coverage for the entire lawsuit. The court found that it need not address the insurer’s argument, holding that regardless of the definition of “Claim” as a lawsuit or an allegation, the underlying claims all arose out of the alleged TCPA violations based on the allegations of the underlying complaint itself. Id. at *16. The court observed:
Throughout the underlying Complaint, Plaintiffs expressly alleged invasion of privacy as a basis for their lawsuit. [Citation.] Plaintiffs further represented that the iCan Action was “premised on violations of the TCPA, which caused actual harm to the Plaintiffs' class in the form of aggravation and nuisance and invasion of privacy.” [Citation.] Plaintiffs also concede in their Statement of Facts that the “pertinent allegations” for the relief sought in the underlying Class Action include “actual harm and cognizable legal injury” caused by “invasions of privacy that result from the sending and receipt of such text messages . . . .” [Citation.]
Id. at *16. Thus, “the Claim – however defined – includes allegations that the iCAN plaintiffs suffered the harm of invasion of privacy.” Id. As a result, the court concluded that the policy’s “broad exclusion barring coverage for Claims arising out of an actual or alleged invasion of privacy precludes coverage here entirely … regardless of whether Claim is viewed as the entire iCan Action as a whole or as separate Claims for each cause of action.” Id. at *16-17.
Notwithstanding the Horn court’s dismissal of the entire class action based on the Invasion of Privacy exclusion, the court also held there was no coverage because the underlying settlement had not allocated loss between covered and uncovered claims. Florida law requires the party seeking coverage for a settlement to prove that the settlement is covered. Id. at *17. Because the consent settlement did not provide an allocation of damages, the court concluded that even if coverage were available for “other, non-invasion of privacy harms” identified in the complaint, Plaintiffs “still cannot recover under the [policy] because of their failure to allocate the lump sum settlement between covered and non-covered losses.” Id. at *18.
What This Case Means
Admittedly, the facts of this case are straightforward, and some of the issues therein have been addressed elsewhere, as even the Horn court observed. But we believe the Horn case has significance beyond any rote application of law to straightforward facts. “Cyber regulation” in 2019 has been shifting greater focus from data security to data privacy – i.e., inherent privacy rights held by data subjects whose information is collected and acquired lawfully by companies and marketplaces. Those privacy rights are articulated in rights of access, correction, deletion, and notice/disclosure. The growing need for data portability and rights of access, for instance, and the legal exposure arising from an inability to comply with those rights, arguably have not been fully addressed by various insurance products. If so, and when questions of coverage arise for such liabilities, legal issues like the inherent interests/motivations behind a statute, the meaning of policy terms, and the precise nature of the underlying allocations will be instructive – if not dispositive – of resolving difficult and emerging coverage issues.