Illinois District Court Finds a “Privacy Pledge” May Be an Endorsement to Policyshoke2013
Refuses to dismiss data breach claims despite fact policyholders were provided it in a separate document.
An Illinois Federal District Court, applying Illinois law, denied Combined Insurance Company of America’s (“Combined Insurance”) Motion to Dismiss a Dillard’s employee’s proposed class action and breach of contract claim. The court held that the plaintiff had sufficiently plead its claim and that it was plausible that Combined Insurance had indeed breached its contractual obligations to keep its privacy promise under the insurance policies it issued to Dillard’s employees.
Anne Dolmage, an employee of Dillard’s, brought a class action claim against Combined Insurance asserting breach of contract after being a victim of identity theft. Dolmage and the other proposed class members are Dillard’s employees who purchased insurance policies from Combined Insurance between March 2010 and March 2012.. Dolmage’s identity theft allegedly occurred as a result of Combined Insurance’s hiring of Enrolltek to help process insurance applications. According to Dolmage, Enrolltek stored the applicant’s information on an unsecured hard drive. Dolmage alleges that proposed class members’ personal information was “posted online, unsecure and unprotected,” and was “accessible to anyone with an Internet connection.” Combined Insurance was notified about the data breach by Dillard’s employees who, upon entering their names into a Google search, had discovered that their personal information was readily available online. Combined Insurance notified Dolmage and the proposed class members about the improper security measures and offered a credit monitoring services for a one-year period.
According to the amended complaint, Dolmage and the proposed class members received a document from Combined Insurance entitled “Our Privacy Pledge to you” (“Privacy Pledge”) along with other materials relating to his or her application for health insurance. Dolmage asserted that the Privacy Pledge was a part of the insurance policy obtained from Combined Insurance. Combined Insurance disagreed and argued that the Privacy Pledge was not incorporated into the insurance policy and that it was not otherwise enforceable in a breach of contract action.
The district court rejected Combined Insurance’s argument that the policy documents barred the breach of contract claim as a matter of law. The court relied on the health insurance policy definition of “policy” which includes any attached applications, and riders and endorsements. The court examined Illinois case law and Black’s Law Dictionary and ruled that the Privacy Pledge could be considered an endorsement to the policy, and, therefore, the Privacy Pledge falls could fall under the definition of policy. Thus, the court rejected Combined Insurance’s argument that there was no claim as a matter of law. U.S. District Court Judge Ruben Castillo stated: “Based on plaintiff’s allegations and the language of the policy, her claim that the policy incorporated the Privacy Pledge is not implausible.” The Judge also noted that Combined Insurance could have avoided any ambiguity by clearly labeling the documents sent with the policy that were intended to be incorporated by reference or could have drafted an integration clause that did not reference outside documents, but Combined Insurance did not do so.
Combined Insurance also argued that the breach of contract claim should be dismissed because Dolmage did not allege that she relied on the Privacy Pledge before she agreed to the insurance contract. The court rejected this argument and found that reliance is not an element of breach of contract under Illinois law. In addition, in response to Combined Insurance’s argument that Dolmage had not sufficiently alleged causation, the court stated: “Given the timeline of the events, and the fact that at least 30 other Dillard’s employees allegedly suffered the same type of identity theft, it was certainly plausible that there is a causal link between Defendant’s failure to ensure the confidentiality of the date and the damages alleged. That is all that is required at this stage.” Dolmage v. Combined Ins. Co., No. 14 C 3809 (N.D. Ill. Feb. 23, 2016).