In two recent cases, the Third Circuit and Seventh Circuit each found an absence of coverage under general liability policies resulting from consumer privacy claims, one for alleged violations of a state ZIP code statute and another for alleged violations of a state unauthorized recording statute. Since both cases involved coverage for class action lawsuits seeking statutory damages, these are big wins for insurers.
First, the Third Circuit in OneBeacon America Insurance Co. v. Urban Outfitters, Inc., No 14-2976, 2015 U.S. App. LEXIS 16399 (Sept. 15, 2015), ruled in favor of two insurers, OneBeacon America Insurance Company and Hanover Insurance Group, finding they had no duty to defend Urban Outfitters, Inc. and its subsidiary, Anthropologie, Inc. (collectively “Urban Outfitters”) in connection with three putative class action lawsuits alleging statutory violations for the unauthorized collection of customers’ ZIP code information. The Third Circuit referred to three underlying cases as the Hancock action (District of Columbia), Dremak action (California), and Miller action (Massachusetts). The district court determined that the insurers did not have a duty to defend Urban Outfitters in any of the underlying actions and, thus, granted the insurers’ motion for summary judgment. The Third Circuit upheld the district court’s ruling with respect to each of the underlying actions, albeit on different grounds.
In the Hancock action, the complaint generally alleged that Urban Outfitters requested and collected customers’ ZIP codes so that it could use the ZIP codes for its own pecuniary benefit, including for marketing purposes. In particular, the underlying complaint set forth two counts for violations of District of Columbia statutes regarding the collection of credit card information and deceptive practices. Urban Outfitters contended it was entitled to coverage under the subject policies’ Privacy Offense under the definition of “personal and advertising injury.” In agreeing with the district court, the Third Circuit determined that the “publication” requirement of the Privacy Offense was not satisfied. While acknowledging that the term “publication” was not defined in the policies, the dictionary definition of the term required dissemination to the general public in order to satisfy the ordinary meaning of the term. Because none of the alleged private information was circulated widely, the “publication” requirement was not met, and in turn, there was no duty to defend against the Hancock action.
The Dremak action, which itself was the collection of six consolidated putative class actions, alleged that Urban Outfitters requested the cardholders’ information, including ZIP codes, and then recorded that information into their electronic database system for business-related purposes. Notably, the single cause of action against Urban Outfitters was for violations of California’s Song-Beverly Credit Card Act, which makes it illegal for businesses operating in California to require customers, as a condition of credit card payment, to divulge personal information. The Third Circuit agreed with the district court that the “Recording and Distribution Of Material Or Information In Violation Of Law” exclusion plainly precluded coverage.
Further, the Third Circuit upheld the district court with respect to the Miller action. The underlying Miller complaint alleged that Urban Outfitters had a practice of collecting ZIP codes at checkout, recording that information for marketing and promotion, and sending junk mail. The district court held that there was no coverage because the injury arising out of the publication did not violate a person’s “right of privacy,” as required by the policies. The Third Circuit noted that, under Pennsylvania law, the privacy right encapsulated in the insurance policies’ “right of privacy” clause protects only the right to secrecy, not the right to seclusion. Since the Miller action only concerned injuries stemming from alleged violations of the putative class members’ right to seclusion, and not secrecy, no coverage was available.
Second, the Seventh Circuit in Defender Security Co. v. First Mercury Insurance Co., No. 14-1805 (Sept. 29, 2015), applying Indiana law, held that the underlying putative class action lawsuit for violations of California’s unauthorized recording statute did not satisfy the “publication” element of the CGL Policy’s Privacy Offense. The underlying lawsuit specifically alleged that the class representative made several calls to Defender Security, during which she provided personal information, including her social security number. She contended that Defender recorded those calls without her consent and then stored them. This practice allegedly violated California Penal Code § 632 and entitled her and the class to statutory damages.
Following the district court’s dismissal of Defender’s breach of contract action against its insurer, First Mercury Insurance Company, the Seventh Circuit affirmed, finding that the alleged conduct did not involve a “publication.” Specifically, the Seventh Circuit concluded that no class member’s personal information was ever allegedly communicated to a third party and merely transmitting the personal information to a recording device maintained by Defender would not suffice. The court reasoned that the common meaning of “publication,” as well as the meaning of the term in other legal contexts like defamation, required at least the release of private information a third party. And, absent any indication that a third party accessed the recordings, that necessary element was not met.