Illinois Court Declines to Dismiss Data Breach Suit Against Insurance Company

03.28.16
(Article from Insurance Law Alert, March 2016)

For more information, please visit the Insurance Law Alert Resource Center.

An Illinois federal district court denied an insurer’s motion to dismiss a putative class action suit alleging improper handling of policyholders’ personal information.  Dolmage v. Combined Ins. Co. of Am., 2016 WL 754731 (N.D. Ill. Feb. 23, 2016). 

The insurer issued disability, health, life, and accident policies to the plaintiff and putative class members.  In connection with issuance of the policies, the insurer sent each enrollee a document entitled “Our Privacy Pledge to You,” along with other materials relating to the policies.  The Privacy Pledge describes the insurer’s handling of policyholders’ personal information and states, among other things, that it maintains safeguards that comply with federal regulations to protect personal data, and that to the extent personal information is shared with other entities, it will “require them to abide by the same privacy standards as indicated here.”

The insurer retained Enrolltek, a vendor that performs enrollment and other administrative functions, and provided it with the proposed class members’ personal information for those purposes.  According to the complaint, Enrolltek stored the personal information “online, unsecure and unprotected.”  The information was allegedly “accessible to anyone with an Internet connection.”  The insurer was allegedly aware of these security lapses but took no immediate action.  The insurer later issued a formal notification to the plaintiff and potential class members that their personal information had been stored without proper security measures.  Based on these allegations, plaintiff asserted a breach of contract claim, alleging that the data breach was a direct and foreseeable result of the insurer’s failure to ensure that Enrolltek implemented appropriate security measures, as represented in the Privacy Pledge.  The insurer moved to dismiss the complaint, and the court denied the motion.

The court concluded that the complaint stated a viable cause of action for breach of the insurance contracts.  The court held that the complaint sufficiently alleged that the Privacy Pledge was incorporated into the class members’ insurance contracts because each policy was defined as “this policy with any attached application(s), and any riders and endorsements.”  The court therefore reasoned that the Privacy Pledge could arguably be considered an endorsement, explaining that it could “be read to supplement the policy by providing additional benefits to insureds regarding the handling of their personal information.”  In this context, the court noted that the insurer “could have avoided any ambiguity by clearly labeling the documents sent with the policy that were intended to be incorporated by reference, but it did not do so.”  The court also rejected the insurer’s argument that the Privacy Pledge does not give rise to a contractual right because it is “nothing more than a statement that [Defendant] is complying with its preexisting duties to follow applicable federal regulations.”  The court explained that, in addition to promising compliance with federal regulations, the Privacy Pledge also made other assurances about the safeguarding of enrollees’ personal information.