Arch Insurance Co. told an Illinois federal court Friday that it doesn't have to defend Michaels Stores Inc. against a slew of putative data breach class actions because no private information was published, but policyholder attorneys say courts have in the past broadly interpreted what counts as "publication."
The coverage dispute involves seven putative class actions claiming that Michaels failed to prevent criminals from tampering with PIN pad terminals at its stores and stealing customers' credit and debit card information. The underlying plaintiffs also say the criminals have withdrawn money from their bank accounts.
In its partial summary judgment motion, Arch said it was raising for the first time the issue of whether a commercial general liability policy covers the defense of class actions against a retailer that failed to prevent third-party criminals from pilfering data. According to the insurer, there is no duty to defend Michaels because the underlying suits don't allege personal injury stemming from oral or written publication of material that violated privacy rights.
But Arch's argument that coverage is unwarranted because there was no publication of private information is not new. The Ninth Circuit and courts in Maryland, Indiana and Illinois have all handed down policyholder-friendly rulings after adopting broad interpretations of what counts as dissemination of private information, according to Scott Godes, a policyholder attorney at Dickstein Shapiro LLP.
"There are decisions that, in my view, disagree with what Arch is saying," Godes said. "At bottom you're talking about private information that's supposed to remain private and not published."
Courts have found that even information improperly viewed within a company counts as publication of private information that triggers the duty to defend, Godes said.
Still, Arch maintains that coverage is unwarranted because the underlying plaintiffs sued Michaels for its failure to prevent thieves from stealing customers' financial information and its subsequent failure to adequately notify customers of the data breaches.
"That passive conduct does not involve an 'oral or written publication' at all," Arch said in its motion.
In its own partial summary judgment motion filed Friday, Michaels said that each complaint in the underlying suit claimed that criminals acquired the private financial information from "skimmers" who tampered with PIN pad devices at Michaels stores.
"That the complaints allege publication by skimmers as opposed to Michaels is immaterial, as the policy places no limitation on the publisher's identity," the retailer argued.
But Arch argued that there would be no "publication" of private information even if the actions of third-party criminals were taken into account, though they shouldn't be.
"Under even the broadest reading of the underlying lawsuits, there is simply no allegation that plaintiffs' financial data was 'publicly distributed,'" Arch said. "Indeed, it would make no sense for criminals to publicly distribute illicitly obtained financial information."
Robert Chesler, a policyholder attorney, said Monday that Arch's motion was well-argued, but that Michaels has the upper hand on the question of whether private information was published. In Chesler's view, there is "publication" when third parties score credit card information.
"I've always thought this was a strong issue for policyholders," Chesler said. "[But] I never expected the insurance companies would just roll over on it."
Like Arch, XL Insurance America Inc. is also locked in a battle with Michaels over coverage of the PIN pad suits. The umbrella insurer's June 1 complaint in New York state court says the underlying lawsuits do not assert claims for personal and advertising injury.
Chesler said the insurance industry continues to argue that commercial general liability policies were intended to cover invasion of privacy claims resulting from the publication of sensitive information, rather than data breaches, which would be covered under cyber insurance policies. Insurers will probably start tucking data breach exclusions into their CGL policies, while many large retailers have already flocked to cyber coverage, Chesler said.
Attorneys for Michaels and Arch were not immediately available for comment on Monday.
Michaels is represented by Morgan Hirst, Mark DeMonte and Edward Joyce of Jones Day.
Arch is represented by Ryan Brown and Matthew Foy of Gordon & Rees LLP.
The case is Arch Insurance Co. v. Michaels Stores Inc., case number 1:12-cv-00786, in the U.S. District Court for the Northern District of Illinois.