Claims Based On Insurer’s Alleged Disclosure Of Personal Identifying Information May Proceed, Says New York District Court (Insurance Law Alert)

11.30.22

(Article from Insurance Law Alert, November 2022)

A New York district court denied in part an insurer’s motion to dismiss claims stemming from the alleged disclosure of plaintiffs’ personal identifying information to cybercriminals. Rand v. Travelers Indem. Co., 2022 WL 15523722 (S.D.N.Y. Oct. 26, 2022).

A putative class of plaintiffs alleged that the insurance quote application on Travelers’ website “is easily exploitable by non-parties” and that unauthorized users obtained sensitive personal information by improperly using the credentials of Travelers agents. Plaintiffs alleged that they spent time and resources detecting and preventing misuse of personal information and that additional costs would be incurred in the future in order to avoid identity theft or fraud. Travelers moved to dismiss the complaint on several bases, most of which the court denied.

The court rejected the contention that the plaintiffs did not allege an injury-in-fact to support Article III standing. The court explained that a loss of privacy, as well as the harm incurred in mitigating existing and future identity theft, were properly alleged injuries-in-fact, notwithstanding the absence of allegations that the personal information had actually been misused by cybercriminals. Noting that this was a “close call,” the court concluded that based on the suspicious activity of the hackers, as well as the sensitive nature of the information accessed (name, address, date of birth and driver’s license number), the complaint adequately pled an imminent risk of future identity theft and mitigating costs so as to constitute an injury-in-fact.

The court further ruled that the complaint alleged claims under the Driver’s Privacy Protection Act, which prohibits entities from “knowingly disclosing or otherwise making available to any person or entity” personal information. The court explained that Travelers could be liable under this statute for a third party’s impermissible use of personal information based on its voluntary decision to auto-populate its quote responses online with sensitive personal information. In so ruling, the court emphasized that two warnings had been issued by the New York State Department of Finance as to the vulnerability of this website feature.

The court also declined to dismiss negligence claims, finding that the complaint alleged a violation of a duty of care and recoverable damages. As to damages, the court emphasized that actual costs incurred in purchasing credit monitoring and identity theft services were cognizable expenses, but that various other current and future costs, including the time and effort spent addressing the potential consequences of a data breach or the mere fact of a lower credit score, were not recoverable damages.