An insurance company has filed a lawsuit in federal court seeking a declaratory judgment that it does not have to cover a collection agency in connection with a class-action lawsuit that was filed after the agency suffered a data breach, because the policy excluded damages arising out of the disclosure of a consumer’s personal or confidential information, among other reasons.
A copy of the complaint, filed in the District Court for the Northern District of Illinois, in the case of Scottsdale Insurance Company v. Steel River Systems, Jay Heath, Beverly Stoll, Amber Bower, and Joel Courtney can be accessed by clicking here.
The agency suffered a data breach in 2022, having become aware of suspicious activity on its computer network. The class-action complaint alleges that the agency did not know about the unauthorized access for nine weeks and that cyber criminals access Personal Identifiable Information (PII) of Heath, Stoll, Bower, and Courtney. Published reports indicated that the personal information about about 219,000 individuals was compromised as a result of the breach.
The complaint accuses the agency of failing to implement adequate and reasonable cyber-security procedures and protocols and that the agency failed to provide timely and adequate notice of the incident. It accuses the agency of negligence, invasion of privacy, and unjust enrichment.
The agency filed a claim with the plaintiff — its insurance provider — which denied the tender.
The insurance company claims the policy only covers instances of bodily injury and property damage, and none of that happened as a result of the breach, or at least it was part of the injuries mentioned in the class-action lawsuit against the agency. The policy also allegedly excludes situations where confidential or personal information and data-related liability is accessed or disclosed.