A New York federal district court has ruled that two exclusions in a cyber risk policy barred coverage for a claim alleging violations of the Telephone Consumer Protection Act (TCPA). Flores v. ACE American Ins. Co., No. 17-cv-8674 (S.D.N.Y. Apr. 30, 2018). Among other rulings, the court held that the TCPA was not a “Privacy Regulation” as defined in the operative policy because the TCPA does not regulate the control or use of personally identifiable information.

The insured, an online food ordering company, was sued in a class action alleging that it violated the TCPA by sending text messages to customers without their consent. Without answering, the insured settled with the plaintiff, stipulated to a consent judgment, and assigned all rights against its insurer (which denied coverage) to the plaintiff. The plaintiff then sued to collect from the insurer.

On the insurer’s motion to dismiss, the court held that two exclusions applied to bar coverage.

First, the court held that coverage was barred by an exclusion for any claim “alleging, based upon, arising out of or attributable to any unsolicited electronic dissemination of faxes, emails or other communications by or on behalf of the Insured to multiple actual or prospective customers of the Insured or any other third party, including but not limited to actions brought under the Telephone Consumer Protection Act.” The court rejected the plaintiff’s argument that the texts were targeted (and tailored to each individual recipient) – and thus were not sent to “multiple” recipients as required by the exclusion – observing that there was nothing in the exclusion requiring that the texts be identical.

Second, after noting that the TCPA is a consumer protection statute, the court held that an exclusion applicable to claims for “false, deceptive or unfair business practices or any violation of consumer protection laws” precluded coverage for the suit.

In so doing, the court rejected the plaintiff’s argument that a carve-back for “any unintentional violation of the Insured’s privacy policy that results in the violation of any Privacy Regulation” would apply. In relevant part, the term “Privacy Regulation” was defined as “statutes and regulations associated with the control and use of personally identifiable financial, medical or other sensitive information,” which included certain enumerated statutes as well as “other similar state, federal, and foreign identity theft and privacy protection legislation that requires commercial entities that collect Personal Information to post privacy policies, adopt specific privacy or security controls, or notify individuals in the event that Personal Information has potentially been compromised.” The court reasoned that the term “Privacy Regulation” referred to “laws associated with the ‘control and use’ of personal data that require commercial entities collecting such data to ‘adopt specific privacy or security controls’ to avoid identity theft.” Here, observed the court, “[t]he purpose of the TCPA is not to avoid identity theft, and the TCPA does not require commercial entities to adopt privacy or security controls.” Accordingly, the court held that the TCPA was not a “Privacy Regulation” under the policy and, therefore, that the carve-back to the exclusion did not apply.