Washington state recently passed the My Health My Data Act (the Act), which will almost certainly lead to an explosion of consumer lawsuits and follow-on insurance coverage disputes.

The measure is intended to protect “consumer health data” collected by entities not otherwise subject to federal Health Insurance Portability and Accountability Act (HIPAA) rules, which includes a vast array of businesses operating in Washington state. The Act, which goes into effect on March 31, 2024 (with some exceptions), imposes new requirements and restrictions on regulated entities (see our prior Updates here, here, and here for more details).

Notably, the Act includes a broad private right of action authorizing consumers to sue for damages and other relief. The private right of action means that a “consumer”—any Washington resident or any individual whose consumer health data is collected in Washington—who suffered injury “in his or her business or property” as a result of a violation of the Act can sue under the Washington Consumer Protection Act (WCPA). The WCPA provides that a successful plaintiff may seek actual damages (including treble damages up to $25,000 in the court’s discretion), injunctive relief, and attorneys’ fees.

Like the My Health My Data Act, Illinois’s Biometric Information Privacy Act (BIPA) is one of the few U.S. privacy laws that includes a private right of action. BIPA has generated a deluge of lawsuits, including more than 2,000 class actions since 2015. It is anticipated that the Act’s private right of action might make Washington a new hot spot for class-action litigation involving consumer health data, resulting in numerous insurance coverage disputes. This Update discusses some of the insurance issues that companies may face when confronting claims under the Act.

Lessons Learned From Biometric Privacy Lawsuits

Companies can learn a few things about insurance coverage for biometric privacy lawsuits from the BIPA lawsuits in Illinois. Find an analysis of coverage actions for BIPA claims here and here. First, regardless of policy terms, insurers will aggressively disclaim coverage for suits brought under the statute’s private right of action, even seeking declaratory judgment actions against policyholders (thereby opening up a two-front legal battle for policyholders). And second, and on the other hand, courts are reluctant to find that claims like these are not covered and tend to support policyholders whenever possible. Washington law includes several expansive protections for policyholders that may cover the cost of litigating with a recalcitrant insurer over these types of claims.

For these reasons, once the Act goes into effect, policyholders should not simply accept a denial letter from their insurer(s) for a claim under the Act. Instead, companies should carefully review their insurance policies and the allegations of any complaint to determine if they have a coverage claim. Coverage counsel can assist with this process, including responding to denials and working with insurers to resolve disputes. 

Three Types of Insurance Policies That Cover Claims Under the Act

1. Cyberliability. Cyberliability policies usually cover claims alleging a “privacy event” or similar occurrence. This type of occurrence typically includes any actual or alleged failure to protect confidential information, any violation of a statute related to the protection of confidential information, or a breach of the company’s privacy policy. Ultimately, availability of coverage under a cyberliability policy will likely turn on the policy’s definition of “confidential information.”
2. Professional/executives and officers liability. Under the Media Liability Coverage part of these policies, the “Wrongful Acts” covered usually include violations of “rights to privacy.”
3. Commercial/general liability. Personal and advertising liability (PAIL) coverage may respond to these claims. Key concerns are whether the alleged violation meets the “publication” requirement contained in most PAIL coverage, any “privacy violations” exclusions, or exclusions that seek to steer coverage toward Employment Practices Liability Insurance (EPLI) policies.

Potential Coverage Issues Across All Policies

1. Statutory violations exclusions. Policies generally exclude violations of law from coverage. However, clients should be careful to avoid policies with exclusions for claims under statutory privacy laws or exclusions that specifically reference either the WCPA or BIPA.
2. Intentional conduct exclusions. Policies also typically exclude intentional conduct.

Companies with questions regarding the My Health My Data Act should seek experienced counsel.

This Update is the fourth in a series.

© 2023 Perkins Coie LLP