Check Your Insurance Policy for Coverage Against CIPA Lawsuits, Lawyer Says
Businesses defending themselves against charges under the California Invasion of Privacy Act (CIPA) sometimes find that exclusions and limitations in their insurance policies for cyber or commercial general liability (CGL) leave them exposed, attorney Kathryn Rattigan said in a blog post Thursday. For CIPA claims, her key takeaway is "don’t assume your insurance will cover [a] privacy lawsuit," the Robinson+Cole lawyer added.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
Though cyber liability policies "cover data breaches and cyber incidents,” they “may also extend to claims of improper collection, retention, or disclosure of private information,” she said. CGL policies typically are "broader in scope, and sometimes cover ‘personal and advertising injury,’ which can include privacy violations.” Reviewing your coverage and policies is helpful to protect your business, she advised.
For example, some cyber policies exclude violations of specific laws, such as the Illinois Biometric Information Privacy Act (BIPA). The 7th U.S. Circuit Court of Appeals in 2022 considered whether CGL policy exclusions applied to BIPA, and “upheld an access and disclosure exclusion, finding that biometric identifiers are clearly personal information,” Rattigan said.
But the court “rejected an overly broad statutory violation exclusion, reasoning that BIPA protects biometric data in a way ‘patently different in kind’ from statutes like" the Telephone Consumer Protection Act or the Controlling the Assault of Non-Solicited Pornography and Marketing Act, she added. “This split decision highlights how nuanced policy interpretation can be.”
Some cyber policies use broad language to include any state or federal privacy statutes, while others “specifically bar coverage for claims of improper tracking, recording, or monitoring of communications.” And CGL policies “often exclude claims tied to statutory violations” by naming specific statutes or using sweeping language to block coverage for privacy law claims.
In sum, by "carefully reviewing policy language and negotiating coverage terms, businesses can better position themselves to secure coverage when privacy claims like CIPA inevitably come knocking.”