There are only a handful of decisions addressing whether a commercial general liability (CGL) policy provides coverage for lawsuits brought against retailers allegedly collecting their customers’ ZIP code information. Thus, when a decision is issued in this area, particularly a decision denying coverage, it is noteworthy.
Recently, in OneBeacon American Ins. Co. v. Urban Outfitters, Inc.., Case 2:13-cv-05269-SD (E.D.Pa.) (May 15, 2014), a federal district court found that two primary insurers (One Beacon and Hanover) did not have a duty to defend two retailers (Urban Outfitters and Anthropologie) against three ZIP code cases. In One Beacon, the parties cross-moved for summary judgment seeking a declaration regarding OneBeacon’s and Hanover’s duty to defend (or not) Urban Outfitters and Anthropologie under the applicable CGL policies’ “personal and advertising injury” coverage. (One Beacon and Hanover issued virtually identical policies to the retailers over a five-year period.) The court found that there was no duty to defend the retailers against the three lawsuits.
In the first two underlying cases, Hancock and Miller, plaintiffs alleged statutory violations under District of Columbia and Massachusetts statutes, respectively. In both cases, plaintiffs alleged that the retailers’ request and collection of ZIP code information violated the applicable statute. Plaintiffs further alleged that the retailers used the information to identify their home or business address for the purpose of sending the customers unsolicited mailings or other material. Importantly, neither complaint alleged that the retailers sold – or otherwise gave – the information to third parties. The applicable policies defined “personal and advertising injury” to include an injury arising out of “[o]ral or written publication of material that violates a person’s right of privacy.” The court held that neither lawsuit fell within the policies’ definition of “personal and advertising injury” because plaintiffs did not allege “publication” of their ZIP code information. In reaching this conclusion, because the term “publication” was not defined, the court referred to the dictionary definition. After examining three different dictionaries, the court explained that the “essence of publication” is “promulgation to the public, even to a limited number of people.” The court further explained that, in the invasion of privacy context, publication means to make information public by communicating it to the public at large. Because plaintiffs alleged only that the retailers used the ZIP code information to determine their home or business addresses, the claim did not allege that the information gathered was communicated to the public. Therefore, the allegations failed to constitute “publication” under the policies’ definition of “personal and advertising” injury.
In the third underlying case, Dremak, plaintiff alleged statutory violations under the Song-Beverly Act, as well as common law claims of negligence, violation of privacy rights and intentional intrusion upon seclusion. In this case – unlike the other two – the plaintiff alleged that the retailers could sell the information to third parties. Although observing that the plaintiff’s allegation that the retailers disseminated the information to third parties was generalized, the allegation was sufficient to constitute “publication” in the context of an invasion of privacy claim. The court, however, found that the policy’s exclusion barring coverage for any claim arising directly or indirectly out of the collection, recording, sending, transmitting or distribution of material in violation of any statute, ordinance or regulation was applicable. The court explained that the language of the exclusion, “which bars collecting and recording information, is consonant with the Song-Beverly prohibition against ‘request[ing], require[ing]’ or ‘record[ing]’ ZIP code data as a condition of purchase.” As such, while the case fell within the definition of “personal and advertising injury”, there was no coverage.
Most cyber liability insurance policies would have provided, at a minimum, defense expenses coverage to the two retailers in this case. Thus, the OneBeacon decision is yet another reminder for retailers – and indeed all businesses who collect personal information – to evaluate whether cyber liability insurance would be an effective risk management tool to address their exposure in this area.