Do your privacy policies give a clear, conspicuous and accurate statement of the company’s practices?
The major federal privacy statute applicable to insurers is Gramm-Leach-Bliley, 15 U.S.C. § 6801 et seq., which applies to all financial services companies. A number of states have insurance privacy statutes that set more stringent standards. Aside from any statutory requirements that may govern an insurance company’s privacy policy, the manner in which it is delivered may create unnecessary liabilities. Courts, for example, have enforced clickwrap agreements in breach-of-contract actions which may include provisions that an applicant has read and agreed to a “hyper-linked” Privacy Policy and the Terms & Conditions in order to apply on-line for a credit agreement. See Defillipis v. Dell Financial Services, 3:14-CV-00115 (2016 WL 394003, M.D. Penn. 1/29/16), appeal docked (3d Cir. 3/3/16).
A recent decision from the Northern District of Illinois, on the other hand, illustrates the pitfalls that could arise from current insurance industry practices involving the issuance of privacy statements and insurance policies if done without the appropriate precautions. The process of issuing an insurance policy, either directly or through an employer group, requires care and deliberate action when it comes to issues of proper integration, documentation and transmittal.
On February 23, 2016, Judge Rubén Castillo from the Northern District of Illinois issued an opinion that provides guidance on best practices for the insurance industry when it issues privacy policies to insureds. Failure to institute appropriate protocols may increase an insurer’s liability exposure in the event of a data breach that compromises an insured’s personal identifiable information.
In Dolmage v. Combined Ins. Co. of Am., (No. 1:14-cv-3089, N.D. Ill. Feb. 23, 2016), the court denied the defense motion to dismiss a breach of contract claim based on a “Privacy Pledge” document that was included in insurance policy documents provided to employees of Dillard’s department store (Dillard’s). The decision raises a novel theory by plaintiffs and warrants attention given the number of “privacy statements” consumers receive in the mail every day from banks and credit card issuers and the use of third-party vendors in the management of personal data. In denying the motion to dismiss, the court concluded that it was “certainly plausible” that there was a causal link between the defendant’s failure to ensure the confidentiality of the data and the damages alleged. Citing Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688 (7th Cir. 2015), the court held that was all that was required at this stage of the proceeding. Judge Castillo previously granted the defense motion to dismiss with prejudice the claims under the Fair Credit Reporting Act (FCRA), 15 U.S.C. § 1681, state law claims of negligence, breach of implied contract, unjust enrichment, invasion of privacy and violation of the Illinois Insurance Code, 215, Ill. Comp. Stats. 5/1001. Dolmage v. Combined Ins. Co. of Am. No. 14 C 3809, 2015 WL 292947 (N.D. Ill. Jan. 21, 2015). In his initial 2015 ruling, Judge Castillo noted that an implied contract claim cannot coexist with an express contract on the same subject.
The plaintiff was granted to leave to replead a breach of fiduciary duty claim but chose not to pursue that claim. A Florida federal district court rejected plaintiff’s attempts to bring breach of fiduciary duty claims under the theory that “guardians” of plaintiff’s sensitive information somehow create a fiduciary relationship. Mere receipt of confidential information has not been sufficient to “transform an arm’s length transaction into a fiduciary relationship.” See, Weinberg v. Advanced Data Processing, Inc. _ F. Supp. 3d ___, 2015 WL 8098555 (S.D. Fla. Nov. 17, 2015), citing, Dolmage v. Combined Ins. Co. of America, 2015 WL 292947 (N.D. Ill. Jan. 21, 2015) and other cases.
On May 14, 2014, plaintiffs filed a putative class action against Combined Insurance Company of America (Combined or the defendant) following a data breach by a third-party company. The proposed class members are employees of Dillard’s who purchased insurance coverage from Combined, an insurance provider of a number of insurance products, including disability, accident, health and life insurance policies, through their employer.
According to the allegations in the amended complaint, Combined promised to protect plaintiff’s personal information in its written “Privacy Pledge” to its customers. In the “Privacy Pledge”, the insurer allegedly indicated that it “maintains physical, electronic and procedural safeguards that comply with federal regulations to guard its customers’ personal information, and that it restricts access its customers’ personal information to those employees who need to know such information.” Combined hired a third-party company, Enrolltek, to perform insurance enrollment functions and other tasks relating to the applications. The defendant regularly provided the principal of Enrolltek with access to the personal information from the applications, including allowing the principal to copy the information to an external hard drive. This external hard drive was not secure. Plaintiffs alleged that for a 16-month period, personal information was “posted online, unsecure and unprotected” and was “accessible to anyone with an Internet connection.”
Upon notification of the data breach by some of the affected Dillard’s employees, Combined issued a letter notifying the plaintiffs and other class members that their personal information had been “stored on an Internet server by a third party enrollment system vendor without the proper security measures.” It offered the class members credit monitor services for a one-year period. While plaintiffs were unsuccessful in their pursuit of the majority of claims initially asserted, they survived a motion to dismiss on the issue of whether the defendant breached the promises made in its “Privacy Pledge” in connection with the handling of plaintiffs’ personal information. Plaintiffs successfully alleged, for purposes of a motion to dismiss, that the “Privacy Pledge” was part of the insurance policy obtained from the defendant.
As is typical in litigation arising from a data breach, the plaintiff in Dolmage chose to file the lawsuit in federal court where the “notice pleading” requirements are more lenient. Unlike state jurisdictions which require “detailed factual allegations” to survive a motion to dismiss, the court in Dolmage concluded that all that is required in federal court is “just enough detail to present a story that holds together.” It was the plaintiff’s story that prevailed, at least with respect to whether she was able to state a claim.
In denying the motion to dismiss, the court rejected the defense arguments that the “Privacy Pledge” was not incorporated into the parties’ insurance policy or that it was otherwise enforceable in a breach of contract action. The court disagreed with the defendant’s assertion that the “Privacy Pledge,” as a matter of law, was not part of the insurance contract between plaintiff and the defendant. Instead, the court found that the plaintiff’s claim that the insurance policy incorporated the “Privacy Pledge” was “not implausible.” The problem in Dolmage was the fact that the policy expressly incorporate certain extraneous documents. Specifically, the term “policy” was defined as “this Policy with any attached application(s), and any riders and endorsements.” Further compounding the problem was the fact that the policy’s table of contents specifically referred to “the application and any riders and endorsements follow page 17.” The documents submitted to the court included several pages after page 17, including the Privacy Pledge.
The court also rejected the insurer’s arguments that the “Privacy Pledge” could not be an endorsement. The court considered the allegations that the Privacy Policy accompanied the policy that was mailed to her. As a result, the court considered that it could be read to supplement the policy by providing additional benefits to insured regarding the handling of her personal information. In addition, the policy at issue provided that any endorsements must be approved by the insurer’s president or one of its vice presidents. In Dolmage, the “Privacy Pledge” was, in fact, authored by the insurer’s chairman, president and chief executive officer. This fact no doubt helped buttress plaintiff’s arguments in opposition to the motion to dismiss.
In its opinion, the court provided important guidance on how the defendant could have avoided any ambiguity and thus, may have prevailed on its motion to dismiss. For example, if the defendant had clearly labeled the documents sent with the policy that were intended to be incorporated, that might have been enough to prevail on the motion to dismiss. The court also noted that the defendant could have drafted an integration clause that did not reference outside documents. Had it done so, the plaintiff would have been precluded from relying on outside documents to assert a breach of contract claim.
Next, the court also rejected the defense argument that plaintiff’s claim failed because she did not rely on or read the “Privacy Pledge” before she agreed to the insurance contract. Reliance is not one of the elements of a breach of contract claim under Illinois law.
As noted by the court in Dolmage, the circumstances of the issuance of the insurance policy with the “Privacy Pledge” was directed exclusively to the defendant’s insureds. As a result, the court concluded that the plaintiff was not trying to enforce the “Privacy Pledge” as a “stand-alone” contract. Instead, plaintiff’s argument was that the “Privacy Pledge” was part of the parties’ insurance agreement. Thus, the court had no trouble distinguishing the facts before it from those cases cited by the defendant where courts have found that a privacy policy is not an enforceable contract (i.e. a bank’s privacy policy, Azeltine v. Bank of America, No. CV 190-218-TUC-RCC (HCE), 2010 WL 6511710 (D. Ariz. Dec. 14, 2010), or an airline’s privacy policy posted on its website, Dyer v. Northwest Airlines Corps., 334 F. Supp. 2d 1196 (D.N.D. 2004)).
Enforcement of a privacy policy as a stand-alone contract may not be a viable remedy for identity theft following a data breach. As noted by the court in Dolmage, however, issuers of privacy policies must take the necessary steps to avoid any ambiguities with underlying contractual documents if they want to foreclose having to litigate a breach of contract claim. Failure to do so, may also increase liability exposure when the privacy policy, such as the one issued by the defendant in Dolmage, includes promises that third-party vendors will abide by certain privacy standards.
Given the frequency of data breaches involving protected information, the Dolmage decision serves as a reminder that there are simple offensive steps insurers can take to limit their potential liability in the event of future litigation. In order to avoid a possible breach of contract claim based on a privacy policy, for example, Dolmage provides sound best practices insurers should adopt to strength their defense to such claims. As part of their ongoing review of their privacy policies and insurance contracts, insurers should consider the following:
1. Evaluate the language in any integration clauses in the policy. Avoid references to
extraneous documents that may ultimately be delivered with the policy.
2. Avoid any ambiguity by clearly labeling the documents sent with a policy that are intended to incorporate by reference. In virtually all jurisdictions, if there is an ambiguity about contractual language, the courts will construe the ambiguity against the insurer.
3. Carefully review policy language: (1) what documents are included in the definition of the policy; (2) who must approve endorsements.
In Dolmage, the policy required that endorsements be approved by the insurer’s president or one of its vice presidents. The “Privacy Pledge” was authored by the insurer’s chairman, president and chief executive officer.
4. Consider adding disclaimer language to documents that are not part of the insurance policy.
In Dolmage, the court noted that one of the documents accompanying the policy included the prominent disclaimer: “THIS IS A PROPOSAL AND IS NOT PART OF THE CONTRACT.” The “Privacy Pledge” did not contain a similar disclaimer. The Dolmage court also found the plaintiff’s allegations that the “Privacy Pledge” accompanied the policy that was mailed to her as a supplement or possibly a policy endorsement by providing additional benefits to insureds regarding the handing of their personal information.
5. Do not include other provisions in the “Privacy Pledge” that are unrelated to the insurers’ compliance with federal regulations.
In Dolmage, the court noted that the insurer correctly stated that a party’s promise to “do what it is already legally obligated to do” does not give rise to contractual rights.” The court found, however, that the “Privacy Pledge” contained other provisions unrelated to defendant’s compliance with federal law. For instance, it provided that the defendant would restrict access of the insureds’ personal information to “to those employees who need to know such information,” and further, that if insureds’ personal information is shared with a third party, defendant will “require them to abide by the same privacy standards as those indicated here.” As a result, the court found that the amended complaint plausibly alleged that the defendant breached these promises when it provided class members’ personal information to a third party without ensuring that the third party properly limited the disclosure of that information.
6. If an insurer makes promises about the steps a third-party will take in the treatment of personal information, the insurer must take adequate steps to ensure that the third-party limits access to of the insureds’ personal information under the same standards it employs. adhere to the law does not give rise to contractual rights violations.
By following the court’s guidance in Dolmage, insurers will be better positioned to defend against claims that are likely to be raised by plaintiffs in litigation arising from data breaches. By proactively reviewing their privacy policies and practices in issuing policies, insurers will be better able to resist the laundry list of claims that plaintiffs raise in litigation arising out of a data breach. By taking adequate steps to limit access to personal information, insurers may have a strong defense on the merits of a breach of contract claim. The court in Dolmage left for another day, the issue of causation. In any data breach situation, the issue will be whether the plaintiff sustained any damages as a result of the defendant’s conduct. The more insurers can limit the theories that survive a motion to dismiss, the greater chance they may have to limit any ultimate exposure and/or class certification.
Carol J. Gerner is counsel and Cinthia Granados Motley is partner in Sedgwick LLP’s Chicago office. They can be reached at carol.gerner@sedgwicklaw.com and cinthia.motley@sedgwicklaw.com, respectively, or via the firm’s website – http://www.sedgwicklaw.com.
Was this article valuable?
Here are more articles you may enjoy.