Collection of information, invasion of privacy, and the CGL coverage form
By David Thamann
Unsolicited faxed advertisements have created liability coverage disputes between insureds and insurers. Insureds see claims against them as claims covered by section B in the CGL form (personal and advertising injury liability), and insurers declare coverage does not exist because the definition of personal and advertising injury is not met since there is no publication that violates a person's right to privacy. Courts hearing these disputes have tended to side with insureds.
The Insurance Services Office (ISO) sought to counter this judicial trend by adding an exclusion to the CGL form. Initially, an endorsement was published with the relevant exclusion and then, the exclusionary language was incorporated into the CGL form itself. Exclusion (p), distribution of material in violation of statutes, prevents coverage for personal and advertising injury arising out of any action or omission that violates the Telephone Consumer Protection Act (TCPA), the CAN-SPAM Act of 2003, and any statute, ordinance, or regulation that prohibits or limits the sending, transmitting, communicating or distribution of material or information. How and whether this exclusion will be applicable in future coverage disputes is not judicially settled at this time. However, a new aspect of this question is now being raised.
A class action lawsuit has been filed in the United States District Court for the District of Massachusetts wherein the plaintiffs have sued Google, Inc., claiming an "invasion of legally protected privacy interests, acquisition of personal and private information without permission or consent, and violation of privacy and security and rights" granted by law. According to the complaint, Google generated a programming code that sampled and decoded all categories of publicly broadcast WiFi data. This type of program is commonly called a packet analyzer, or network analyzer, packet sniffer, Ethernet sniffer or wireless sniffer. As data streams across the wireless network, the sniffer secretly captures each packet of information, then decodes and analyzes its content. Google is charged with collecting data that included e-mail, video, audio components, documents and other personal and business sent over the Internet.
The plaintiffs, Galaxy Internet Services, Inc. on behalf of themselves and their customers and others, claim that Google collected and decoded the data and stored the information on its servers. This data, according to Galaxy, is typically not readable by the public absent sophisticated decoding and so, it is reasonably considered and understood to be private, protected information by users and operators of home-based WiFi systems. Since Google has stored this information, the claim is that hundreds if not thousands of Google employees have access to the data, and the expectation of privacy on the part of those transmitting the data has been violated. Should this case go forward and others follow, the question then arises: will the CGL form cover this type of claim? Coverage A, bodily injury and property damage liability, is not applicable because there are no claims of bodily injury or property damage as defined in the CGL form. What about coverage B?
Coverage under that part of the CGL form initially depends on the claim fulfilling the definition of personal and advertising injury. That definition includes oral or written publication, in any manner, of material that violates a person's right of privacy. An insurer seeking to deny coverage can argue whether a person has a reasonable right of privacy when sending information out on the Internet under normal conditions; after all, putting information in the Internet is akin to throwing out the weekly trash--it is out there, open for the public to see. On the other hand, in this case in particular, the information collected by Google was encrypted and had to be decoded by Google in order to use the information, so it can be reasonably argued that the plaintiffs intended their information to be private, especially if the information was business related.
So, an insurer denying coverage based on no "right of privacy" might not be in a strong position. What can be used in this instance to bolster an insurer's denial of coverage is the "publication" part of the definition. It is true that Google did collect the information and it could be true that the plaintiff is correct in describing the data as private. However, collecting data is not the same as publishing the data; and, unless it can be shown that Google released the collected data to a third party, there has been no publication. Publication is defined as making generally known or disseminating to the public and unless that happens, the publication condition has failed.
It will be interesting to see how this class action lawsuit is resolved and if other similar lawsuits occur. However, if insurers receive notice of such lawsuits from their insureds, it would not be an act of bad faith to deny general liability coverage. The insurers can cite the lack of personal and advertising injury as defined in the policy. Of course, exclusion (p) as previously noted, can also be cited but if the requirements of the insuring agreement are not met, there is really no need to project an exclusion into the coverage dispute.
*For further information, or to contact this author, please leave a comment and your e-mail address in the forum below.