News & Insights  |  Newsletters

‘Personal Injury’ Coverage Triggered by Posting of Genetic Data Online

February 2016
Privacy In Focus

In a unique case involving a professional liability insurance policy, a Texas federal district court, applying Texas law, has held that an insurer had a duty to defend and indemnify a policyholder under the policy’s “Personal Injury” coverage in a suit alleging that the policyholder unlawfully posted personal information about claimants on its website. See Evanston Insurance Co. v. Gene by Gene, Ltd., No. H-14-1842, 2016 WL 102294 (S.D. Tex. Jan. 6, 2016). In so ruling, the court held inapplicable an exclusion barring coverage where there is “any other statute, law, rule, ordinance, or regulation that prohibits or limits the sending, transmitting, communication or distribution of information or other material.”

The policyholder, the owner and operator of a genetic genealogy website, offered DNA testing kits to its users to allow them to learn more about their ancestry. The policyholder was sued for allegedly publishing DNA test results on its website without obtaining consent from its users, in violation of a state statute. It sought coverage under a professional liability policy, which included coverage for “Personal Injury,” defined to include “oral or written publication of material that violates a person’s right of privacy.” The insurer filed a declaratory judgment action, seeking a declaration that it did not have a duty to defend or indemnify the policyholder in connection with that suit. The policyholder counterclaimed for breach of contract, and it moved for summary judgment.

Summary Judgment Granted

The court ruled that the policy was triggered in the first instance by allegations of the publication of material—the DNA analysis—that allegedly violated a person’s right to privacy. The insurer argued, however, that an exclusion barred coverage. In relevant part, that exclusion barred coverage for claims based upon or arising out of any violation of the Telephone Consumer Protection Act, the CAN-SPAM Act of 2003, or “any other statute, law, rule, ordinance, or regulation that prohibits or limits the sending, transmitting, communication, or distribution of information or other material.” The insurer argued that the latter part of the exclusion applied because the relevant claim arose out of an alleged violation of a state statute prohibiting transmitting, communicating, or distributing information on a person’s DNA without his or her consent. The policyholder argued that the exclusion should be read together with other nearby provisions, which barred coverage only for claims arising out of statutes prohibiting unsolicited communications by telephone or email.

The court granted summary judgment in favor of the policyholder, reasoning that the policyholder’s reading of the exclusion was reasonable. The court reasoned that the insurer’s interpretation of the exclusion would render illusory the Advertising Injury coverage under the policy, which afforded coverage for claims involving “injury … arising out of oral or written publication of material that libels or slanders a person or organization or a person’s or organization’s products, goods or operations … occurring in the course of the Named Insured’s Advertisement.” According to the court, claims based on statutes, laws, or regulations for libel or slander would be excluded from coverage under the insurer’s reading. Consequently, it ruled that the policyholder’s construction of the exclusion was reasonable. As a result, the court also ruled that the insurer breached its contract when it refused to defend and indemnify the policyholder.

Gene by Gene is an interesting case, although it is likely to have limited precedential effect. Indeed, the facts in Gene by Gene involve intentional, volitional conduct, and the parties appeared to have conceded that there was “publication”—which in most instances requires actual access by a third party. By contrast, in a typical “hacking” case involving a security breach, the “publication” element is often not satisfied because a policyholder is unable to show that the sensitive information at issue was actually accessed by a third party and/or because any claim concerns failure to provide notice or failure to adequately protect information, not publication of private material. See, e.g., Recall Total Info. Mgmt., Inc. v. Fed. Ins. Co., 115 A.3d 458 (Conn. 2015).