Court Holds that Privacy Violations Allegations Are Not Covered


A federal court in Washington recently issued an unpublished decision affirming that a common policy exclusion protects insurers from having to provide coverage in certain cases of alleged privacy violations. The same court issued a similar order earlier this year. Taken together, these decisions may persuade other courts that coverage is barred under commercial general liability policies with exclusions that bar coverage when underlying lawsuits allege disclosure of consumers’ personally identifiable information (PII) in violation of federal or state law.

Regarding the specific matters at hand, National Union insured Coinstar under two commercial general liability policies, through which Coinstar’s subsidiary, Redbox, was also an insured. Redbox operates DVD-vending machines throughout the United States. To use Redbox’s vending machines, consumers provide PII and pay for rentals with a credit card.

In Sterk v. Redbox Automated Retail, LLC, Redbox was sued for allegedly misusing consumers’ PII for marketing purposes and improperly disclosing consumers’ information to third parties, in violation of the VPPA. National Union brought a declaratory judgment action against Redbox regarding its obligations to defend or indemnify. Coinstar and Redbox brought counterclaims alleging that National Union was obligated to defend or indemnify Redbox in the lawsuit. The Court granted National Union partial summary judgment in February, finding that the Statutes Exclusion barred coverage for the Sterk lawsuit, as “[t]he sole purpose of the VPPA is to protect consumers’ privacy by prohibiting the ‘sending, transmitting or communicating’ of their personal information ‘to any other person’ except in specific, limited circumstances.”

Building on this ruling, the same Court held in August that National Union had no duty to defend or indemnify Redbox in two other lawsuits. The first lawsuit, Cain v. Redbox Automated Retail, LLC, alleged that Redbox violated Michigan’s Video Rental Privacy Act (VRPA), which prohibits business entities that rent video recordings “from disclosing to any person, other than the consumer, a record or information concerning the purchase, lease, rental, or borrowing of those materials by a customer that indicates the identity of the customer,” when Redbox sent consumer information to third parties without the consumers’ consent. The Court concluded that the VRPA “is effectively identical to the federal VPPA at issue in Sterk,” and coverage for the Cain lawsuit was also barred by the Statutes Exclusion.

The second lawsuit, Mehrens v. Redbox Automated Retail, LLC, alleged that Redbox violated California’s Song-Beverly Credit Card Act, which prohibits “entities that accept credit cards for the transaction of business from requesting or requiring the cardholder to write, or provide to the entity to write, any [PII] on a credit card transaction form,” because Redbox requested consumers’ billing zip code and/or email address. In the Court’s view, the statute was not concerned with the publication of information, but rather its collection, and the Court concluded that there was no coverage for the Mehrens lawsuit because it contained no allegation of sufficient personal and advertising injury to trigger coverage.

About The Author

Meredith E. Dishaw joined the Seattle office in 2010 as an associate in the Global Insurance Group. Meredith counsels primary, umbrella, and excess insurance companies in all stages of complex coverage and bad faith matters, and litigates for those clients in the state and federal courts.

Posted in Insurance, Privacy, Video Privacy Protection Act

Leave a Reply

Your email address will not be published. Required fields are marked *


About Cyber Law Monitor
In the new digital world, individuals and businesses are almost entirely dependent on computer technology and electronic communications to function on a daily basis. Although the power of modern technology is a source of opportunity and inspiration—it also poses huge challenges, from protecting privacy and securing proprietary data to adhering to fast-changing statutory and regulatory requirements. The Cyber Law Monitor blog covers privacy, data security, technology, and cyber space. It tracks major legal and policy developments and provides analysis of current events.
Subscribe For Updates


Cozen O’Connor Blogs