Privacy Policies: Time to Disclose, Time to Check for Coverage

Financial Services Alert

PUBLISHED ON: May 1, 2001

Download PDF

In order to comply with privacy regulations enacted as part of the Gramm-Leach-Bliley Financial Services Modernization Act of 1999 (the “GLB Act”), financial services companies are required to send privacy policy notifications to every customer by July 1, 2001. The notifications are part of the comprehensive privacy program enacted in Title V of the GLB Act. While the GLB Act provides only for administrative agency enforcement of the privacy provisions, many state Unfair and Deceptive Acts and Practices statutes give consumers individual rights of action to enforce consumer protection laws, and actions already can be brought under the Fair Credit Reporting Act. Accordingly, it is worthwhile for financial service companies to determine whether they are properly covered for the claims that are likely to result under the GLB privacy provisions.

Many existing policies already contain such coverage. Before purchasing any new insurance product, therefore, policyholders should look at their current insurance programs to determine whether the coverage is adequate and cost-effective. Additionally, policyholders are well-advised to check into the insurance company’s claims handling history before purchasing any insurance product. Insurance brokers are typically aware of whether the insurance companies are honoring their obligations under the newer insurance products being sold.

Existing CGL Coverage: The 1973 and 1986 Standard-Form Provisions

In the first instance, financial institution policyholders should look to their general umbrella liability policies for insurance coverage for privacy violation claims. In 1976, the insurance industry began marketing the “advertising injury” coverage provision as part of the “broadest package of coverage available to the average insured.” Today advertising injury coverage remains one of the most valuable components of standard-form liability insurance. One advantage of this coverage part is that it typically does not include an “expected or intended” exclusion.

In Sentex Sys., Inc. v. Hartford Accident & Indem. Co., 93 F.3d 578 (9th Cir.1996), a federal court of appeals held that interpretation of the advertising injury provisions of a CGL policy requires a contemporary approach.“[I]n this day and age, advertising cannot be limited to written sales materials, and the concept of marketing includes a wide variety of direct and indirect advertising strategies.” Id. Personal customer information that is used for cross-marketing purposes should satisfy the advertising injury requirement.

Controversies over advertising injury insurance coverage generally arise under either the 1973 or 1986 standard-form provisions. The 1973 Broad Form Liability Endorsement states that: “‘Advertising injury’ means injury arising out of an offense committed during the policy period occurring in the course of the named insured’s advertising activities, if such injury arises out of libel, slander, defamation, violation of right of privacy, piracy, unfair competition, or infringement of copyright, title or slogan. ”In 1986, the definition of advertising injury was changed to mean injury arising out of one or more specified offenses, including oral or written publication of material that violates a person’s right of privacy. The earlier wording may still exist in some programs, especially those with longstanding manuscript elements.

Umbrella Policy Analysis

Financial service companies also should analyze their umbrella program for privacy violations coverage. Umbrella policies sometimes have non-standard language, and potentially provide coverage that is broader than that afforded by the primary. With respect to advertising injury, for example, one umbrella policy states that “we will pay such damages when liability is imposed on the insured bylaw or assumed by the insured under an insured contract because of personal injury or advertising injury to which this coverage applies.” This policy defines “advertising injury” to mean, among other things “any invasion of right of privacy.” The term “any” is generally viewed as broad, and this wording does not require the “oral or written publication of material” as the standard form provision does. This could provide more coverage, for example, for claims arising from web-based information gathering techniques, even if the information is not published to a third party.


Financial services institutions that are creating and disseminating their privacy policies should simultaneously prepare for the claims that will arise for alleged violations of those policies. Risk managers should review their policies to determine if they provide potentially applicable coverage for invasion of the right to privacy. As with all kinds of insurance, policyholders may sometimes be forced to wrangle with their insurance companies in order to secure full and complete coverage. Policyholder persistence is crucial in maximizing insurance coverage under almost all policies.