A federal court in Washington recently issued an unpublished decision affirming that a common policy exclusion protects insurers from having to provide coverage in certain cases of alleged privacy violations. The same court issued a similar order earlier this year. Taken together, these decisions may persuade other courts that coverage is barred under commercial general liability policies with exclusions that bar coverage when underlying lawsuits allege disclosure of consumers’ personally identifiable information (PII) in violation of federal or state law.
Regarding the specific matters at hand, National Union insured Coinstar under two commercial general liability policies, through which Coinstar’s subsidiary, Redbox, was also an insured. Redbox operates DVD-vending machines throughout the United States. To use Redbox’s vending machines, consumers provide PII and pay for rentals with a credit card.
In Sterk v. Redbox Automated Retail, LLC, Redbox was sued for allegedly misusing consumers’ PII for marketing purposes and improperly disclosing consumers’ information to third parties, in violation of the VPPA. National Union brought a declaratory judgment action against Redbox regarding its obligations to defend or indemnify. Coinstar and Redbox brought counterclaims alleging that National Union was obligated to defend or indemnify Redbox in the lawsuit. The Court granted National Union partial summary judgment in February, finding that the Statutes Exclusion barred coverage for the Sterk lawsuit, as “[t]he sole purpose of the VPPA is to protect consumers’ privacy by prohibiting the ‘sending, transmitting or communicating’ of their personal information ‘to any other person’ except in specific, limited circumstances.”
Building on this ruling, the same Court held in August that National Union had no duty to defend or indemnify Redbox in two other lawsuits. The first lawsuit, Cain v. Redbox Automated Retail, LLC, alleged that Redbox violated Michigan’s Video Rental Privacy Act (VRPA), which prohibits business entities that rent video recordings “from disclosing to any person, other than the consumer, a record or information concerning the purchase, lease, rental, or borrowing of those materials by a customer that indicates the identity of the customer,” when Redbox sent consumer information to third parties without the consumers’ consent. The Court concluded that the VRPA “is effectively identical to the federal VPPA at issue in Sterk,” and coverage for the Cain lawsuit was also barred by the Statutes Exclusion.
The second lawsuit, Mehrens v. Redbox Automated Retail, LLC, alleged that Redbox violated California’s Song-Beverly Credit Card Act, which prohibits “entities that accept credit cards for the transaction of business from requesting or requiring the cardholder to write, or provide to the entity to write, any [PII] on a credit card transaction form,” because Redbox requested consumers’ billing zip code and/or email address. In the Court’s view, the statute was not concerned with the publication of information, but rather its collection, and the Court concluded that there was no coverage for the Mehrens lawsuit because it contained no allegation of sufficient personal and advertising injury to trigger coverage.