A recent unpublished decision from the Western District of Washington provides yet another example of a court endorsing limits on general commercial insurer responsibility in the area of consumer privacy violations.
In Nat’l Union Fire Ins. Co. of Pittsburgh, PA v. Coinstar, Inc., 2014 U.S. Dist. LEXIS 31441 (W.D. Wash. Feb. 28, 2014), the court concluded that insurance coverage may be excluded for lawsuits alleging the insured violated a statute, regulation or ordinance related to “sending, transmitting or communicating” any material or information, including consumers’ personally identifiable information. In this case, the insurer was not obligated to defend or indemnify its insured in an underlying lawsuit alleging that the insured violated the federal Video Privacy Protection Act (“VPPA”).
National Union insured Coinstar under two commercial general liability policies through which Coinstar’s subsidiary, Redbox, was also an insured. Redbox is a well-known operator of DVD-vending machines throughout the United States. To use Redbox’s vending machines, consumers provide personally identifiable information and pay for rentals with a credit card. Redbox was sued in Sterk v. Redbox Automated Retail, LLC, Case No. C11-1729 (N.D. Ill. 2011), alleging Redbox used consumers’ personally identifiable information for marketing purposes, and improperly disclosed their information to third parties without the consumers’ express permission, in violation of the VPPA.
The National Union policies contained an exclusion: “Exclusion – Violation of Statutes in Connection with Sending, Transmitting, or Communicating Any Material or Information,” barring coverage for a claim “arising out of or resulting from, caused directly or indirectly…by any act that violates any statute…that addresses or applies to the sending, transmitting or communicating of any material or information, by any means whatsoever.”
The trial court ruled that the insurer’s exclusion clearly barred coverage for the Sterk lawsuit. The Court noted that “[t]he sole purpose of the VPPA is to protect consumers’ privacy by prohibiting the ‘sending, transmitting or communicating’ of their personal information ‘to any person’ except in specific, limited circumstances.” In the Court’s view, this matched up to the plain language of the insurance policy exclusion barring any injury that arises from any act that violates any statute that applies to the sending, transmitting, or communicating of any material or information.
An insurer’s obligation to defend an insured is based only on allegations against an insured in an underlying suit and is broader than an insurer’s obligation to pay for judgments. Because the Sterk lawsuit alleged that Redbox’s actions violated the VPPA—and thus only alleged actions that were barred by the policy—National Union never had an obligation to defend Redbox in the Sterk lawsuit, even if those allegations were later established to be false.
While unpublished, this decision may be persuasive to other courts addressing insurance policies containing substantially similar exclusions. Such exclusions fist became widely adopted by insurers in response to Telephone Consumer Protection Act class actions, commonly known as “fax blast” litigation, and lawsuits alleging violations of the CAN-SPAM Act of 2003. Such exclusions have since evolved and become more broadly applicable.