Plaintiffs Use Privacy Pledge Against Insurer in Data Breach Claim
Armeen Mistry and Matthew Siegel of Cozen O’Connor write about a lawsuit over a data breach in 2014 that I don’t remember ever hearing about before. Whether plaintiffs will be able to show injury is down the road. For now, they survived a motion to dismiss:
On February 23, an Illinois federal court denied a motion to dismiss a proposed class action based on a “privacy pledge” included with the insurance policy documents provided to the employees of Dillard’s department store.
Lead plaintiff Anne Dolmage alleged that she and other Dillard’s employees received from the insurance company a document entitled “Our Privacy Pledge to You,” which states the company “will not disclose personal information about you, or any current or former insured, except as permitted and/or required by law.” The employees received the privacy pledge along with other materials relating to their applications for health insurance.
In May 2014, plaintiff filed a proposed class action on behalf of all Dillard’s employees and their dependents with policies issued by Combined Insurance Company of America. The complaint alleges that plaintiff and other proposed class members provided the insurer with personal information, including dates of birth and social security numbers. Combined then engaged third-party Enrolltek to perform the insurance enrollment functions and other tasks relating to the class members’ applications. Combined provided the personal information to Enrolltek’s principal, who copied the information to an allegedly unsecure external hard drive. The complaint states that the personal information was “posted online, unsecure and unprotected,” and was “accessible to anyone with an Internet connection.” When Dillard’s employees noticed their personal information was readily available online, they notified the insurance company. According to the complaint, Combined then formally notified the employees that their personal information was “stored on an Internet server by a third party enrollment system vendor since March 2012 without the proper security measures.” Plaintiff and the proposed class allege economic losses, based on false income tax returns, fraudulent cell phone charges, and fraudulent medical expenses incurred in their names.
The original complaint alleged claims under the Fair Credit Reporting Act (“FCRA”), 15 U.S.C. §1681 et seq., and state law claims of negligence, breach of fiduciary duty, breach of express contract, breach of implied contract, unjust enrichment, invasion of privacy, and violation of the Illinois Insurance Code, 215 Ill. Comp. Stat. 5/1001 et seq. On January 21, 2015, the court granted Combined’s motion to dismiss all of plaintiff’s claims, except for the breach of express contract and breach of fiduciary duty claims. Plaintiff then filed an amended complaint in September 2015 alleging only breach of contract, and Combined again moved to dismiss.
In its motion, Combined first argued that its privacy pledge was not included in the health insurance policies the Dillard’s employees received. Instead, Combined argued that it should have been obvious to plaintiff that the pledge was not part of the policy, which specifically stated: “The policy is a legal contract. It is the entire contract between you and us.” Based on this language, Combined argued that plaintiff could not consider outside documents, such as the privacy pledge, as part of the insurance contract. Plaintiff countered that “the policy” is defined as “this policy with any attached application(s), and any riders and endorsements.” Because plaintiff received the pledge along with the policy documents, the court found it reasonable for plaintiff to view the pledge as an endorsement. The court further suggested that Combined could have avoided any confusion by clearly labeling which documents sent with the policy were intended to be incorporated by reference.
Combined also argued that plaintiff failed to include “detailed factual allegations” about the privacy pledge, but the court held that at this stage, plaintiff was not required to plead “detailed factual allegations” in order to survive a motion to dismiss. The court noted that the standard for a motion to dismiss is much lower than the standard for determining standing under Article III. (The debate over standing in data breach litigation has been raging lately, as we have reported here, here, here, and here for example.)
Noting this lower standard for surviving a motion to dismiss, Judge Ruben Castillo stated, “[T]here is no question that Plaintiff will ultimately be required to prove that her damages were caused by Defendant’s actions. But, again, the issue at the pleadings stage is solely whether Plaintiff has stated a plausible claim for relief . . . Given the timeline of events, and the fact that at least 30 other Dillard’s employees allegedly suffered the same type of identity theft, it is certainly plausible that there is a causal link between Defendant’s failure to ensure the confidentiality of the data and the damages alleged” (internal citations omitted).
The case is Dolmage v. Combined Ins. Co. of Am., No. 1:14-cv-3089, pending in the U.S. District Court for the Northern District of Illinois.