Do your privacy policies give a clear, conspicuous and accurate statement of the company’s practices?
A recent decision from the Northern District of Illinois illustrates the pitfalls that can arise from current insurance industry practices involving the issuance of privacy statements and insurance policies when they are carried out without the appropriate precautions. The process of issuing an insurance policy, either directly or through an employer group, requires care and deliberate action when it comes to issues of proper integration, documentation and transmittal.
On February 23, 2016, Judge Rubén Castillo from the Northern District of Illinois issued an opinion that provides guidance on best practices for the insurance industry when it issues privacy policies to insureds. Failure to institute appropriate protocols may increase an insurer’s liability exposure in the event of a data breach that compromises an insured’s personal identifiable information.
In Dolmage v. Combined Ins. Co. of Am., (No. 1:14-cv-3089, N.D. Ill. Feb. 23, 2016), the court denied the defense motion to dismiss a breach of contract claim based on a “Privacy Pledge” document that was included in insurance policy documents provided to employees of Dillard’s department store (Dillard’s). The decision raises a novel theory by plaintiffs and warrants attention given the number of “privacy statements” consumers receive in the mail every day from banks and credit card issuers and the use of third-party vendors in the management of personal data. In denying the motion to dismiss, the court concluded that it was “certainly plausible” that there was a causal link between the defendant’s failure to ensure the confidentiality of the data and the damages alleged. Citing Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688 (7th Cir. 2015), the court held that this was all that was required at this stage of the proceeding. Judge Castillo had previously granted the defense motion to dismiss with prejudice the claims under the Fair Credit Reporting Act (FCRA), 15 U.S.C. § 1681, and the state law claims of negligence, breach of implied contract, unjust enrichment, invasion of privacy and violation of the Illinois Insurance Code, 215 Ill. Comp. Stat. 5/1001. Dolmage v. Combined Ins. Co. of Am., No. 14 C 3809, 2015 WL 292947 (N.D. Ill. Jan. 21, 2015). In his initial 2015 ruling, Judge Castillo noted that an implied contract claim cannot coexist with an express contract on the same subject.
The plaintiff was granted leave to replead a breach of fiduciary duty claim but chose not to pursue that claim. A Florida federal district court rejected a plaintiff’s attempt to bring breach of fiduciary duty claims under the theory that “guardians” of the plaintiff’s sensitive information somehow create a fiduciary relationship. Mere receipt of confidential information has not been sufficient to “transform an arm’s length transaction into a fiduciary relationship.” See Weinberg v. Advanced Data Processing, Inc., _ F. Supp. 3d ___, 2015 WL 8098555 (S.D. Fla. Nov. 17, 2015), citing Dolmage v. Combined Ins. Co. of America, 2015 WL 292947 (N.D. Ill. Jan. 21, 2015) and other cases.
On May 14, 2014, plaintiffs filed a putative class action against Combined Insurance Company of America (Combined or the defendant) following a data breach by a third-party company. The proposed class members are employees of Dillard’s who purchased insurance coverage from Combined, an insurance provider of a number of insurance products, including disability, accident, health and life insurance policies, through their employer.
According to the allegations in the amended complaint, Combined promised to protect plaintiffs’ personal information in its written “Privacy Pledge” to its customers. In the “Privacy Pledge”, the insurer allegedly indicated that it “maintains physical, electronic and procedural safeguards that comply with federal regulations to guard its customers’ personal information, and that it restricts access to its customers’ personal information to those employees who need to know such information.” Combined hired a third-party company, Enrolltek, to perform insurance enrollment functions and other tasks relating to the applications. The defendant regularly provided the principal of Enrolltek with access to the personal information from the applications, including allowing the principal to copy the information to an external hard drive. This external hard drive was not secure. Plaintiffs alleged that for a 16-month period, personal information was “posted online, unsecure and unprotected” and was “accessible to anyone with an Internet connection.”
Upon notification of the data breach by some of the affected Dillard’s employees, Combined issued a letter notifying the plaintiffs and other class members that their personal information had been “stored on an Internet server by a third party enrollment system vendor without the proper security measures.” It offered the class members credit monitoring services for a one-year period. While plaintiffs were unsuccessful in their pursuit of the majority of claims initially asserted, they survived a motion to dismiss on the issue of whether the defendant breached the promises made in its “Privacy Pledge” in connection with the handling of plaintiffs’ personal information. Plaintiffs successfully alleged, for purposes of a motion to dismiss, that the “Privacy Pledge” was part of the insurance policy obtained from the defendant.
As is typical in litigation arising from a data breach, the plaintiff in Dolmage chose to file the lawsuit in federal court where the “notice pleading” requirements are more lenient. Unlike state jurisdictions which require “detailed factual allegations” to survive a motion to dismiss, the court in Dolmage concluded that all that is required in federal court is “just enough detail to present a story that holds together.” It was the plaintiff’s story that prevailed, at least with respect to whether she was able to state a claim.
In denying the motion to dismiss, the court rejected the defense arguments that the “Privacy Pledge” was not incorporated into the parties’ insurance policy or that it was not otherwise enforceable in a breach of contract action. The court disagreed with the defendant’s assertion that the “Privacy Pledge,” as a matter of law, was not part of the insurance contract between the plaintiff and the defendant. Instead, the court found that the plaintiff’s claim that the insurance policy incorporated the “Privacy Pledge” was “not implausible.” The problem in Dolmage was that the policy expressly incorporated certain extraneous documents. Specifically, the term “policy” was defined as “this Policy with any attached application(s), and any riders and endorsements.” Further compounding the problem was the fact that the policy’s table of contents specifically stated that “the application and any riders and endorsements follow page 17.” The documents submitted to the court included several pages after page 17, including the Privacy Pledge.
In its opinion, the court provided important guidance on how the defendant could have avoided any ambiguity and thus, may have prevailed on its motion to dismiss. For example, if the defendant had clearly labeled the documents sent with the policy that were intended to be incorporated, that might have been enough to prevail on the motion to dismiss. The court also noted that the defendant could have drafted an integration clause that did not reference outside documents. Had it done so, the plaintiff would have been precluded from relying on outside documents to assert a breach of contract claim.
Next, the court also rejected the defense argument that plaintiff’s claim failed because she did not rely on or read the “Privacy Pledge” before she agreed to the insurance contract. Reliance is not one of the elements of a breach of contract claim under Illinois law.
1. Evaluate the language in any integration clauses in the policy. Avoid references to extraneous documents that may ultimately be delivered with the policy.
2. Avoid any ambiguity by clearly labeling the documents sent with a policy that are intended to be incorporated by reference. In virtually all jurisdictions, if there is an ambiguity about contractual language, the courts will construe the ambiguity against the insurer.
3. Carefully review policy language: (1) what documents are included in the definition of the policy; (2) who must approve endorsements.
In Dolmage, the policy required that endorsements be approved by the insurer’s president or one of its vice presidents. The “Privacy Pledge” was authored by the insurer’s chairman, president and chief executive officer.
4. Consider adding disclaimer language to documents that are not part of the insurance policy.
In Dolmage, the court noted that one of the documents accompanying the policy included the prominent disclaimer: “THIS IS A PROPOSAL AND IS NOT PART OF THE CONTRACT.” The “Privacy Pledge” did not contain a similar disclaimer. The Dolmage court also found plausible the plaintiff’s allegation that the “Privacy Pledge” accompanied the policy mailed to her as a supplement, or possibly as a policy endorsement, by providing additional benefits to insureds regarding the handling of their personal information.
5. Do not include other provisions in the “Privacy Pledge” that are unrelated to the insurer’s compliance with federal regulations.
In Dolmage, the court noted that the insurer correctly stated that a party’s promise to “do what it is already legally obligated to do” does not give rise to contractual rights. The court found, however, that the “Privacy Pledge” contained other provisions unrelated to the defendant’s compliance with federal law. For instance, it provided that the defendant would restrict access to the insureds’ personal information “to those employees who need to know such information,” and further, that if insureds’ personal information is shared with a third party, the defendant will “require them to abide by the same privacy standards as those indicated here.” As a result, the court found that the amended complaint plausibly alleged that the defendant breached these promises when it provided class members’ personal information to a third party without ensuring that the third party properly limited the disclosure of that information.
6. If an insurer makes promises about the steps a third party will take in the treatment of personal information, the insurer must take adequate steps to ensure that the third party limits access to the insureds’ personal information under the same standards the insurer itself employs.
By following the court’s guidance in Dolmage, insurers will be better positioned to defend against claims that are likely to be raised by plaintiffs in litigation arising from data breaches. By proactively reviewing their privacy policies and their practices in issuing policies, insurers will be better able to resist the laundry list of claims that plaintiffs raise in litigation arising out of a data breach. By taking adequate steps to limit access to personal information, insurers may have a strong defense on the merits of a breach of contract claim. The court in Dolmage left the issue of causation for another day. In any data breach situation, the issue will be whether the plaintiff sustained any damages as a result of the defendant’s conduct. The more insurers can limit the theories that survive a motion to dismiss, the greater chance they may have to limit any ultimate exposure and/or class certification.
Carol J. Gerner is counsel and Cinthia Granados Motley is partner in Sedgwick LLP’s Chicago office. They can be reached via the firm’s website at http://www.sedgwicklaw.com.