An Illinois intermediate appellate court has held that a cosmetic surgery center was not entitled to coverage because a claim alleging that it violated the Telephone Consumer Protection Act (TCPA) by sending unsolicited text messages advertising its services did not allege a “privacy wrongful act” under a “cyber claims endorsement” in a medical professional liability policy. Doctors Direct Ins., Inc. v. Beaute’e’mergente, LLC, 2015 IL App (1st) 142919-U (Ill. App. Ct. June 22, 2015).
An underlying claimant brought a putative class action lawsuit for violations of the TCPA and the Illinois Consumer Fraud and Deceptive Business Practices Act, alleging that the insured, a cosmetic surgery center, sent unsolicited text messages advertising its services. The insured tendered that suit under its medical professional liability insurance policy, which included a “cyber claims endorsement” covering, among other things, any claim alleging a “privacy wrongful act.” The term “privacy wrongful act” was defined to mean “any breach or violation of U.S. federal, state, or local statutes and regulations associated with the control and use of personally identifiable financial, credit or medical information, whether actual or alleged….” The insurer filed a declaratory judgment action seeking a determination as to its obligations under the policy, and the trial court granted summary judgment in its favor, holding that the underlying complaint did not allege a “privacy wrongful act.” With the insured in bankruptcy, the coverage dispute went forward between the insurer and the underlying claimant.
On appeal, the court affirmed the decision in favor of the insurer. After concluding that the phrase “associated with” modified the phrase “U.S. federal, state, or local statutes and regulations,” and not “any breach or violation,” the court determined that the TCPA is not “associated with” the control and use of personally identifiable financial, credit, or medical information. Instead, according to the court, the TCPA only prohibits the actual making of certain kinds of telephone calls, and it does not address how a caller might control or use certain information (even if that information was used in selecting the call recipients). The court also found that the allegations for violations of the state consumer fraud statute did not allege a “privacy wrongful act” because the specific violations alleged were based on conduct that violated the TCPA and other similar state statutes, which were not “associated with” the control and use of personally identifiable financial, credit, or medical information. In so holding, the court rejected the claimant’s argument that the consumer fraud act also could be violated by violations of privacy-related statutes, noting that the underlying complaint did not mention those statutes or conduct that would violate them.
The court also rejected the claimant’s argument that “the collection of names and telephone numbers implicates the control and use of personally identifiable financial, credit, or medical information,” concluding that the mere fact that a list with names and telephone numbers was in the possession of a doctor did not make the information personally identifiable medical information. Likewise, the court noted that the insured was not a “financial institution” or “other person” over whom the Federal Trade Commission (FTC) had enforcement authority under the Gramm-Leach-Bliley Act, and it therefore rejected the claimant’s argument that the regulations promulgated by the FTC to define “personally identifiable financial information” had any relevance under the circumstances.