In National Union Fire Insurance Company of Pittsburgh, PA v. Coinstar, Inc. (W.D. Wash., No. C13-1014-JCC, Aug. 7, 2014), the U.S. District Court for the Western District of Washington ruled that National Union Fire Insurance Company of Pittsburgh, PA had no duty to defend Redbox Automated Retail, LLC (Redbox), a Coinstar, Inc. subsidiary, in two separate class action suits alleging that Redbox violated its customers’ privacy. Notably, the first class action suit, Cain v. Redbox, alleged that Redbox violated Michigan’s Video Rental Privacy Act by sending to third parties customer information, without the customers’ consent, gathered when a customer rented a movie from a Redbox kiosk. The second class action suit, Mehrens v. Redbox, alleged that Redbox violated California’s Song-Beverly Credit Card Act by requiring customers to provide their billing ZIP code and/or email.
The policies issued by National Union to Coinstar, Inc. provided coverage for “personal and advertising injury,” including, “oral or written publication, in any manner, of material that violates a person’s right of privacy.” The policies also contained an exclusion for
Violation of Statutes in Connection with Sending, Transmitting, or Communicating Any Material or Information” (Exclusion p), which precludes coverage for any claim “arising out of … any act that violates any statute, ordinance or regulation of any … state … that addresses or applies to the sending, transmitting or communicating of any material or information, by any means whatsoever.
In evaluating coverage for the Cain class action, the district court held that Exclusion p plainly necessarily precluded coverage for actions arising under the Michigan Video Rental Privacy Act. The district court reasoned that the language of the exclusion, “sending, transmitting or communicating” of information, wholly encompassed the statutory prohibition against the “disclosure” of records or information.
Then, in evaluating coverage for the Mehrens class action, the district court held that there was no alleged “publication” of material, as required under the applicable definition of “personal and advertising injury.” More specifically, the district court found compelling that the Song-Beverly Act does not prohibit the publication of information, but rather, the requesting or requiring that a credit card holder provide personal identification information in connection with a credit card transaction. The district court disregarded the class representative’s superfluous factual allegations about Redbox sharing information with outside entities and sending marketing information to its customers based on its use of the wrongfully acquired personal identification information. The district court explained that those allegations were irrelevant to the alleged violations of the Song-Beverly Act, which may only be based on the requesting and collection of customer personal information.
This case demonstrates the limits of insurers’ exposure under Coverage B, including how statutory privacy exclusions are effectively narrowing the coverage available for consumer data privacy actions.