Since the California Supreme Court’s decision this February in Pineda v. Williams-Sonoma Stores, Inc., 51 Cal. 4th 524 (2011), scores of plaintiffs have filed class action suits in that state’s courts against more than 100 retailers that require customers to provide their ZIP codes during credit card transactions.
In Pineda, the court held that a consumer’s ZIP code constitutes “personal identification information” for purposes of the Song-Beverly Credit Card Act of 1971, California Civil Code, §1747 et seq. (the Credit Card Act), and that, therefore, a business that requests and records a customer’s ZIP code during a credit card transaction violates the Credit Card Act. A business that violates the Credit Card Act is subject to a civil penalty of up to $250 for the first violation and up to $1,000 for each subsequent violation.
Significantly, other states have statutes similar to the Credit Card Act.1 Pineda may inspire plaintiffs’ attorneys to pursue ZIP-code-collection class actions in those states. One such suit has already been filed in the U.S. District Court for the District of Massachusetts.2
Retailers facing these new lawsuits have turned to their insurers for coverage, resulting in at least two coverage lawsuits to date. Lawsuits based on the collection of ZIP codes raise numerous coverage issues. Insureds will argue that the lawsuits involve the “personal injury” offense of “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy.” Because the lawsuits typically allege that the defendants requested and recorded the plaintiffs’ ZIP codes, insureds will argue an allegation that one of its employees recorded the information necessarily implies “publication” of the information to, at a minimum, other employees and that the publication violated the plaintiffs’ right of privacy. Moreover, plaintiffs in the class actions have alleged not only that retailers have collected ZIP codes, but that they used the ZIP codes to identify the plaintiffs’ addresses and telephone numbers and then sold that information to third parties. Insured’s will argue that the alleged sale of plaintiffs’ information also satisfies the “publication” requirement of “personal injury” coverage.
Even assuming that the Credit Card Act lawsuits potentially involve a “personal injury” offense, other significant coverage issues exist. For example, the civil penalty available under the Credit Card Act may not qualify as “damages” for purposes of insurance coverage. Similarly, public policy may bar coverage for claims for disgorgement of amounts insureds obtained by selling plaintiffs’ personal information. Also, the Credit Card Act provides that “no civil penalty shall be assessed ... if the defendant shows by a preponderance of the evidence that the violation was not intentional and resulted from a bona fide error made notwithstanding the defendant’s maintenance of procedures reasonably adopted to avoid that error.” Based on this provision, coverage for Credit Card Act claims may be barred by public policy or exclusions for intentional or knowing acts.
Credit Card Act lawsuits also potentially implicate the ISO endorsement entitled “EXCLUSION-VIOLATION OF STATUTES THAT GOVERN E-MAILS, FAX, PHONE CALLS OR OTHER METHODS OF SENDING MATERIAL OR INFORMATION.” That endorsement excludes coverage for injury “arising directly or indirectly out of any action or omission that violates or is alleged to violate ... [a]ny statute, ordinance or regulation, other than the TCPA or CAN-SPAM act of 2003, that prohibits or limits the sending, transmitting, communicating or distribution of material or information.” This exclusion may be deemed to preclude coverage for Credit Card Act lawsuits because the Credit Card Act is a “statute ... that prohibits or limits ... communicating ... information.”
Significantly, resolution of these and other issues raised by the Credit Card Act lawsuits may turn on what state’s law governs the interpretation of the insurance policy at issue. Insurers should be prepared to develop a comprehensive strategy for handling a possible influx of requests for coverage in connection with Credit Card Act lawsuits and be mindful of the many potential defenses to coverage that may be available.