A New York federal district court has ruled that two exclusions in a cyber risk policy barred coverage for a claim alleging violations of the Telephone Consumer Protection Act (TCPA). Flores v. ACE American Ins. Co., No. 17-cv-8674 (S.D.N.Y. Apr. 30, 2018). Among other rulings, the court held that the TCPA was not a “Privacy Regulation” as defined in the operative policy because the TCPA does not regulate the control or use of personally identifiable information.
The insured, an online food ordering company, was sued in a class action alleging that it violated the TCPA by sending text messages to customers without their consent. Without answering, the insured settled with the plaintiff, stipulated to a consent judgment, and assigned all rights against its insurer (which denied coverage) to the plaintiff. The plaintiff then sued to collect from the insurer.
On the insurer’s motion to dismiss, the court held that two exclusions applied to bar coverage.
First, the court held that coverage was barred by an exclusion for any claim “alleging, based upon, arising out of or attributable to any unsolicited electronic dissemination of faxes, emails or other communications by or on behalf of the Insured to multiple actual or prospective customers of the Insured or any other third party, including but not limited to actions brought under the Telephone Consumer Protection Act.” The court rejected the plaintiff’s argument that the texts were targeted (and tailored to each individual recipient) – and thus were not sent to “multiple” recipients as required by the exclusion – observing that there was nothing in the exclusion requiring that the texts be identical.
Second, after noting that the TCPA is a consumer protection statute, the court held that an exclusion applicable to claims for “false, deceptive or unfair business practices or any violation of consumer protection laws” precluded coverage for the suit.