Court Finds No Coverage for Spyware Claims
Judge Susan P. Watters of the U.S. District Court for the District of Montana, applying Montana law, has ruled on questions concerning the application of personal and advertising injury coverage in Comprehensive General Litigation (CGL) policies to claims arising from the use of computer software that allegedly captured private data remotely from computers rented or sold to consumers.
Judge Watters held that a lawsuit filed by a state government alleging that a policyholder used software to “collect information on consumers” and “collect private computer activity while consumers were unaware of the activities being recorded” did not allege any “publication” and thus did not trigger personal and advertising injury coverage. Am. Econ. Ins. Co. v. Aspen Way Enters., Inc., 2015 US Dist. Lexis 129274, No. 1:14-00009-SPW (D. Mont. Sept. 25, 2015). In addition, the court ruled that a different lawsuit filed by private litigants and alleging that the policyholder violated the Electronic Communications Privacy Act (ECPA), 18 U.S.C. § 2511 by “intentionally collecting, transmitting, storing and disclosing, or endeavoring to disclose, to any other person,” certain private and confidential information triggered coverage in the first instance but coverage was barred by a “recording and distribution” exclusion in the relevant policies.
The policyholder was a franchisee that owned and operated rent-to-own stores in Montana, Washington, and Wyoming. During the relevant time period, the policyholder installed software into computers rented or sold to customers. That software, which was activated remotely, enabled the stores to secretly take photographs with the computer’s webcam, capture keystrokes, and take screen shots. Once those photographs, keystroke captures, and/or screen shots were taken, the software designer would email the data to the store that activated the software (in this case, the policyholder).
The policyholder’s use of the software led to several legal actions against it. First, the policyholder faced a private class action lawsuit by plaintiffs who claimed that the policyholder and other franchisees received private and confidential data after activating the software. After a number of counts in that lawsuit were dismissed, the only remaining claim was for violation of the ECPA, and the plaintiffs alleged that the policyholder violated that statute by “intentionally collecting, transmitting, storing and disclosing, or endeavoring to disclose, to any other person,” the contents of private data collected by the software. Second, the policyholder was sued by the State of Washington, which alleged that the policyholder violated Washington’s Consumer Protection Act and Computer Spyware Act by installing the software on customers’ computers.
The policyholder sought coverage under a number of general liability insurance policies, and a coverage action involving multiple insurers and the policyholder followed. The court granted summary judgment in favor of the insurers, holding that their policies did not afford coverage for either of the underlying suits.
The Court’s Analysis
First, with respect to the private party class action, the court ruled that the suit alleged “oral or written publication, in any manner, of material that violates a person’s right of privacy” and thus triggered the personal and advertising injury coverage sections of the relevant policies. The court reasoned that that coverage was triggered because the operative complaint alleged that the plaintiffs’ private information was collected by the software installed on their computers and that it had “been repeatedly transmitted via unencrypted email and forwarded to unknown persons and locations.” However, each policy contained a “recording and distribution” exclusion, which barred coverage for any suit that alleged a violation of a federal statute that prohibits the transmitting or distribution of material or information. The court applied that exclusion and held that there was no coverage for the private suit because the only count remaining in the action was for violation of the ECPA, which is a federal statute prohibiting the disclosure or use of intercepted electronic communications. On that basis, the court ruled that none of the policies afforded coverage for the private party class action suit.
The court also found no coverage for the lawsuit brought by the State of Washington. The court ruled that the suit did not trigger “personal and advertising injury” coverage because it did not allege “publication.” Instead, said the court, the complaint alleged that the policyholder violated Washington state law by collecting and retaining customers’ private data in violation of the Washington Consumer Protection Act and the Washington Computer Spyware Act. The court noted that, although one count was titled “Unfair Collection and Disclosure of Private and Confidential Information,” the complaint did not allege any “disclosures” but instead focused on the policyholder’s use of the software to “collect information on consumers” and to “collect private computer activity while consumers were unaware of the activities being recorded.” As such, the court ruled that the government lawsuit did not trigger coverage in the first place.
This case is illustrative of the growing body of case law rejecting coverage under the personal and advertising injury coverage sections in CGL policies for certain privacy-related claims. For example, earlier this month, the Third Circuit Court of Appeals held that three different lawsuits arising from a retailer’s alleged improper collection and use of ZIP code information in violation of a state statute prohibiting such conduct were not covered under a series of CGL and umbrella policies. See the story in this issue on OneBeacon Am. Ins. Co. v. Urban Outfitters, Inc., No. 14-2976 (3d Cir. Sept. 15, 2015).
Aspen Way Enters., Inc. is significant because of the court’s refusal to disregard the “publication” element necessary to trigger personal and advertising injury coverage. Here, the policyholder argued that the allegations of improper collection and retention of customers’ private data, combined with the title to one of the counts alleging “Unfair Collection and Disclosure of Private and Confidential Information” (emphasis added), was enough to trigger coverage. The court disagreed, observing that there is a distinction between “collection” or “use,” on the one hand, and “publication,” on the other. Likewise, although the court ultimately determined that the private party class action lawsuit’s allegations were sufficient to trigger coverage (but ruling for the insurers on the basis of an exclusion), it noted that the information was shared between the software developer, the retailer, and other “unknown persons and locations” in unencrypted form. Thus, in a case where there is no transfer of information to a third party, or if the information is in encrypted form and there is no evidence of access to that information, the court might well find the “publication” element not satisfied. See Recall Total Info. Mgmt., Inc. v. Fed. Ins. Co., 115 A.3d 458 (Conn. 2015) (no “publication” where there was no proof that a third party accessed confidential information on data tapes).