[BreachExchange] Plaintiffs Use Privacy Pledge Against Insurer in Data Breach Claim

Audrey McNeil audrey at riskbasedsecurity.com
Fri Mar 11 16:54:34 EST 2016


http://www.jdsupra.com/legalnews/plaintiffs-use-privacy-pledge-against-78404/

On February 23, an Illinois federal court denied a motion to dismiss a
proposed class action based on a “privacy pledge” included with the
insurance policy documents provided to the employees of Dillard’s
department store.

Lead plaintiff Anne Dolmage alleged that she and other Dillard’s employees
received from the insurance company a document entitled “Our Privacy Pledge
to You,” which states the company “will not disclose personal information
about you, or any current or former insured, except as permitted and/or
required by law.” The employees received the privacy pledge along with
other materials relating to their applications for health insurance.

In May 2014, plaintiff filed a proposed class action on behalf of all
Dillard’s employees and their dependents with policies issued by Combined
Insurance Company of America. The complaint alleges that plaintiff and
other proposed class members provided the insurer with personal
information, including dates of birth and social security numbers. Combined
then engaged third-party Enrolltek to perform the insurance enrollment
functions and other tasks relating to the class members’ applications.
Combined provided the personal information to Enrolltek’s principal, who
copied the information to an allegedly unsecure external hard drive. The
complaint states that the personal information was “posted online, unsecure
and unprotected,” and was “accessible to anyone with an Internet
connection.” When Dillard’s employees noticed their personal information
was readily available online, they notified the insurance company.
According to the complaint, Combined then formally notified the employees
that their personal information was “stored on an Internet server by a
third party enrollment system vendor since March 2012 without the proper
security measures.” Plaintiff and the proposed class allege economic
losses, based on false income tax returns, fraudulent cell phone charges,
and fraudulent medical expenses incurred in their names.

The original complaint alleged claims under the Fair Credit Reporting Act
(“FCRA”), 15 U.S.C. §1681 et seq., and state law claims of negligence,
breach of fiduciary duty, breach of express contract, breach of implied
contract, unjust enrichment, invasion of privacy, and violation of the
Illinois Insurance Code, 215 Ill. Comp. Stat. 5/1001 et seq. On January 21,
2015, the court granted Combined’s motion to dismiss all of plaintiff’s
claims, except for the breach of express contract and breach of fiduciary
duty claims. Plaintiff then filed an amended complaint in September 2015
alleging only breach of contract, and Combined again moved to dismiss.

In its motion, Combined first argued that its privacy pledge was not
included in the health insurance policies the Dillard’s employees received.
Instead, Combined argued that it should have been obvious to plaintiff that
the pledge was not part of the policy, which specifically stated: “The
policy is a legal contract. It is the entire contract between you and us.”
Based on this language, Combined argued that plaintiff could not consider
outside documents, such as the privacy pledge, as part of the insurance
contract. Plaintiff countered that “the policy” is defined as “this policy
with any attached application(s), and any riders and endorsements.” Because
plaintiff received the pledge along with the policy documents, the court
found it reasonable for plaintiff to view the pledge as an endorsement. The
court further suggested that Combined could have avoided any confusion by
clearly labeling which documents sent with the policy were intended to be
incorporated by reference.

Combined also argued that plaintiff failed to include “detailed factual
allegations” about the privacy pledge, but the court held that at this
stage, plaintiff was not required to plead “detailed factual allegations”
in order to survive a motion to dismiss. The court noted that the standard
for a motion to dismiss is much lower than the standard for determining
standing under Article III. (The debate over standing in data breach
litigation has been raging lately, as we have reported.)

Noting this lower standard for surviving a motion to dismiss, Judge Ruben
Castillo stated, “[T]here is no question that Plaintiff will ultimately be
required to prove that her damages were caused by Defendant’s actions. But,
again, the issue at the pleadings stage is solely whether Plaintiff has
stated a plausible claim for relief . . . Given the timeline of events, and
the fact that at least 30 other Dillard’s employees allegedly suffered the
same type of identity theft, it is certainly plausible that there is a
causal link between Defendant’s failure to ensure the confidentiality of
the data and the damages alleged” (internal citations omitted).