• Combined Insurance Prevails in Data Breach Lawsuit
  • January 11, 2018 | Authors: Francis A. Citera; Brett M. Doran
  • Law Firm: Greenberg Traurig, LLP - Chicago Office
  • Combined Insurance Company of America (“Combined”) obtained summary judgment in the Northern District of Illinois in an action (Dolmage v. Combined Ins. Co. of Amer., No. 14-cv-3809 (N.D. Ill.)) alleging breach of contract for failing to safeguard Plaintiff’s personally identifiable information. The decision is an important win for the defense bar, with impact on privacy litigation and the insurance industry. Combined is represented by DRI members Frank Citera and Brett Doran of Greenberg Traurig, LLP.

    The Plaintiff is a former Dillard’s store employee who obtained supplemental insurance coverage from Combined, including a life policy underwritten by Combined and a group hospital product underwritten by ACE American Insurance Company. Plaintiff alleged that in March 2012 a third-party enrollment services vendor used by Combined placed two files containing the personal information of over 4,000 Dillard’s employees and their dependents onto an unsecured location on the vendor’s website. Combined had no knowledge of this until 18 months later, when the files were discovered on the Internet by a Dillard’s employee. Combined immediately removed the files from the Internet and notified potentially affected individuals.

    Plaintiff filed her original 10-count Class Action Complaint in May 2014, asserting violations of the Fair Credit Reporting Act and the Illinois Insurance Code, as well as claims of negligence, breach of contract and breach of fiduciary duty. In January 2015, Chief Judge Ruben Castillo dismissed eight counts with prejudice and two counts (breach of contract and breach of fiduciary duty) without prejudice, and granted Plaintiff leave to amend her breach of contract and breach of fiduciary duty claims.

    In September 2015, Plaintiff filed an Amended Class Action Complaint, re-asserting her breach of contract claim only (and dropping her breach of fiduciary duty claim). Plaintiff alleged her insurance contract incorporated Combined’s privacy policy (the “Privacy Pledge”), a document sent to new insureds with other fulfillment materials. Plaintiff further alleged that Combined breached the Privacy Pledge in connection with the third-party vendor’s handling of the data.

    In late 2016, Plaintiff moved to certify a class of Dillard’s employees and their dependents whose information was included in the files left unsecured on the vendor’s website. The court denied certification, ruling that whether the Privacy Pledge was part of Plaintiff’s and putative class members’ insurance contracts would require the application of multiple state laws and that damages could not be determined in a classwide basis.

    After defeating class certification, Combined moved for summary judgment on Plaintiff’s individual claim, arguing that the Privacy Pledge was not part of her insurance contract.

    In an Opinion (2017 WL 5178792) closely tracking Combined’s arguments, the Court granted the motion and held that the Privacy Pledge was not part of Plaintiff’s insurance contract. The Court’s ruling was based on several key findings:

    • The Court agreed with Combined that Iowa law applied because Plaintiff’s policy was issued in Iowa, where she lived. Plaintiff argued Illinois law applied as the forum state and that Combined waived the application of Iowa law by not raising it in earlier proceedings. Plaintiff was wrong. The Court noted that not only did Combined assert in its opposition to class certification the application of the law of the state where the putative class members’ respective policies issued (including Iowa for Plaintiff’s policy), but this was indeed “one of the reasons the Court denied class certification.”
    • The Court agreed with Combined that the Privacy Pledge could be part of Plaintiff’s insurance contract only if it is a rider or endorsement to her insurance policy. The insurance contract was “fully integrated” and included only the policy, the application and any riders or endorsements. Plaintiff did not dispute this and “[n]otably, Plaintiff did not claim that the [Privacy Pledge] is an enforceable contract in its own right.” The Court further acknowledged that other courts have “routinely held that a corporate privacy policy is not enforceable under a breach of contract theory unattached to some underlying contract.” The Court cited In re Zappos.com, Inc., 2016 WL 2637810 (D. Nev. May 6, 2016); In re Anthem, Inc. Data Breach Litig., 162 F. Supp. 3d 953 (N.D. Cal. 2016); Dyer v. Nw. Airlines Corps., 334 F. Supp. 2d 1196 (D. N.D. 2004).
    • Combined demonstrated in discovery that it sent the Privacy Pledge to new insureds to comply with the Gramm-Leach Bliley Act. Plaintiff denied this in opposing Combined’s summary judgment motion, but Plaintiff failed to present any evidence disputing this fact. As a result, the Court deemed the fact admitted.
    • Charles Morgan, Combined’s insurance industry expert, opined that the Privacy Pledge cannot be a rider or endorsement to Plaintiff’s insurance policy because the Privacy Pledge bore none of the hallmarks of a rider or endorsement. The Privacy Pledge was not called a rider or endorsement, was not signed by the company, nor did it reference the underlying policy. Furthermore, Combined did not file the Privacy Pledge with the Iowa insurance department as a form that could be attached to the policy as a rider or endorsement. In contrast, the Court noted, Plaintiff’s policy included a clearly labeled “accelerated payment rider” satisfying each of these hallmarks.
    • Finally, the Court rejected Plaintiff’s “unusual argument” that the Privacy Pledge was a rider or endorsement simply because it was included in the envelope of documents she received shortly after applying for coverage. The Court agreed with Combined in noting that the fulfillment materials sent to Plaintiff contained many documents that were clearly not part of the contract, such as blank claims forms and an insurance industry pamphlet. Consequently, the Court found Plaintiff’s suggestion that “any loose document submitted with an insurance policy constitutes a rider or endorsement … is not in accord with insurance industry standards.”
    The Court concluded that the Privacy Pledge was not a rider or endorsement to Plaintiff’s insurance policy and therefore was not part of her contract. As a result, the Court held that Plaintiff’s breach of contract claim failed as a matter of law and entered summary judgment against Plaintiff.