The ruling on the Californian case – Hartford Casualty Insurance Co. v. Corcino & Associates (CV 13-03728-GAF – C.D. Cal. Oct. 7, 2013) – held that a general liability policy covered data breach claims alleging violations of California patients’ right to medical privacy.
ITSP notes that the court rejected the insurer’s contention that coverage was effectively negated by an exclusion for liabilities resulting from a violation of rights created by state or federal acts in the US.
The court’s decision also rejected an attempt commonly made by insurers to exclude coverage for statutory penalties.
The case is interesting on several levels, ITSP notes, as it is one of the first times that an insurance company’s small print on the IT security and data breach front has been ruled inadmissible.
According to the Lexology legal newswire, last year a group of patients brought a lawsuit against Stanford Hospital and Clinics – as well as Corcino and Associates – after confidential medical information was posted on a public Web site.
The lawsuit claimed that private information and medical records of some 20,000 patients entrusted to Stanford and Corcino were posted online by a Corcino job applicant without the patients’ consent.
The patients then sued Stanford and Corcino – alleging a number of violations of the plaintiffs’ constitutional right of privacy, breach of the plaintiffs’ common law privacy rights, and violation of California’s Confidentiality of Medical Information Act (CMIA) and the Lanterman-Petris-Short Act.
Corcino then submitted the privacy lawsuit to its general liability insurer, Hartford Casualty Insurance Company, seeking a defence and indemnification.
And here’s where it gets interesting, as Hartford accepted the defence under a reservation of rights process, but sought to escape insurance coverage by contending that the claims were precluded by an exclusion for violations of statutorily created rights.
Lexology says that, whilst the privacy lawsuit was pending in state court, Hartford commenced a declaratory judgment action in the US District Court for the Central District of California seeking a declaration of no coverage.
Hartford asserted that the exclusion in the parties’ insurance policy precluded any coverage for damages caused by “personal and advertising injury” arising out of the violation of a person’s right to privacy “created by any state or federal act.”
And the court ruled…
The California federal court rejected Hartford’s contention that the policy’s statutory exclusion barred coverage for statutory damages arising out of the alleged privacy violations.
The court said that courts should interpret insurance coverage provisions broadly – and coverage exclusions narrowly and against the insurer – so as to afford the greatest possible protection to the policyholder.
Applying these rules of construction, the court read the plain language of the policy’s statutory exclusion as barring coverage only for violations of privacy rights that were created by legislation.
COMMENT: Although precedent setting only in the US courts, the case is notable for the fact that the court effectively distinguished the plaintiffs’ privacy claims from legislation-based rights, arguing that the plaintiffs’ right to privacy existed under California common law – which effectively pre-dates other more specific legislation.
The court also rejected Hartford’s reliance on an exclusion for statutory penalties, reasoning that state legislation merely reinforces existing common law and constitutional rights.
As Lexology and the court records note, the ruling demonstrates that data breach and other privacy violations are covered under general liability insurance.