News & Insights  |  Newsletters

No Insurance Coverage for ZIP Code Collection Suits

June 2014

A Pennsylvania federal district court, applying Pennsylvania law, has found no insurance coverage is afforded under commercial general liability (CGL) and umbrella policies for three underlying lawsuits alleging that an insured retailer violated state statutes and common law privacy rights by gathering personal ZIP code information while processing credit card purchases.  See OneBeacon Am. Ins. Co. v. Urban Outfitters, Inc., No. 2:13-cv-05269-SD (E.D. Pa. May 15, 2014).  The court's analysis identified three independent reasons why there was no coverage for each of the three suits.

Nature of this Action

The policyholder, a clothing retailer, was sued in three underlying lawsuits alleging that it violated a number of state statutes and customers' common law privacy rights by gathering personal ZIP code information from them while processing their credit card purchases.  After the policyholder sought coverage for those suits from two insurers that had issued it CGL and umbrella policies, one of the insurers filed a declaratory judgment action seeking a determination that it had no duty to defend or indemnify the policyholder in the three underlying suits.  The policyholder, in turn, joined the second insurer as a third-party defendant.

The policies at issue afforded coverage for “personal and advertising injury,” which was defined to mean an injury arising out of “oral or written publication [, in any manner,] of material that violates a person's right of privacy.”  The policies also contained identical exclusions for “‘personal and advertising injury' arising directly or indirectly out of any action or omission that violates or is alleged to violate . . . [any] statute, ordinance or regulation . . . that addresses, prohibits or limits the . . . dissemination, . . . collecting, recording, sending, transmitting, communicating or distribution of material or information.”

Ruling on cross motions for summary judgment, the court found in favor of both insurers, concluding that their policies did not afford coverage for the underlying suits.

Summary Judgment Rulings

The court first analyzed a suit alleging that the policyholder collected customers' ZIP code information in order to match customer names with their ZIP codes in commercially available databases “for [its] own pecuniary benefit, including by engaging in direct marketing campaigns without customers' permission.”  In addressing those allegations, the court ruled that there was no “publication,” as required by the policies, because there was no allegation that the information gathered was disseminated to the public at large.  Instead, the court noted that the suit only alleged that the retailer used the data itself.  Since the absence of a “publication” was dispositive, the court did not discuss whether the allegations involved a violation of any person's “right of privacy.”

The court next analyzed a suit alleging, among other things, that the policyholder disseminated customer ZIP code information to other vendors and retailers.  The court found that “the allegation that [the policyholder] disseminated information broadly to third parties . . . suffices to fall within [the] definition of ‘publication'” within the meaning of the policies.  The court also found that the underlying allegations in this suit “turn[ed] on the private nature of the plaintiffs' ZIP code” and thus were not necessarily based on an intrusion upon seclusion, which the insurers argued should place them outside the scope of coverage.  Nonetheless, the court applied an exclusion in the policies barring coverage for “‘personal and advertising injury' arising directly or indirectly out of any action or omission that violates or is alleged to violate . . . [any] statute, ordinance or regulation . . . that addresses, prohibits or limits the . . . dissemination, . . . collecting, recording, sending, transmitting, communicating or distribution of material or information” and ruled that that exclusion barred coverage for the suit in its entirety.

Third, the court analyzed an action alleging that the policyholder violated a state statute and invaded the plaintiffs' privacy by recording ZIP code information and using that data to send junk mail to them.  In particular, the court analogized claims based on the receipt of “junk mail” to claims based on the receipt of “junk faxes” in violation of the Telephone Consumer Protection Act (TCPA), and it noted that courts applying Pennsylvania law had concluded that TCPA “junk fax” claims do not trigger coverage under the “advertising injury” prong of a CGL policy since that coverage only applies offenses based on secrecy-related privacy rights, not those based on intrusions upon seclusion.  Applying that rationale, the court ruled that there was no coverage for the underlying suit because allegations that the plaintiffs received junk mail that breached their privacy did not allege violation of any secrecy-related privacy right and instead were based on an intrusion of seclusion, which was outside the scope of coverage.

Rulings' Implications

The Urban Outfitters ruling with respect to the “publication” issue is consistent with a number of cases holding that there is a “publication” only when there is widespread distribution of information to a third party, such as another retailer.  See, e.g., Creative Hospitality Ventures, Inc. v. U.S. Liab. Ins. Co., 444 Fed. App'x 370 (11th Cir. 2011) (act of giving a consumer a debit or credit card receipt in violation of FACTA was not a “publication” as used in a CGL policy); Recall Total Info. Mgmt., Inc. v. Fed. Ins. Co., No. X07CV095031734S, 2012 WL 469988 (Conn. Super. Ct. Jan. 17, 2012) (finding no publication because there was no communication to a third party), aff'd, 83 A.3d 664 (Conn. App. Ct. 2014); but see Zurich Am. Ins. Co. v. Fieldstone Mortg. Co., No. 06–2055, 2007 WL 3268460, at *5 (D. Md. Oct. 26, 2007) (ruling that “publication need not be to a third party”).  Although there are contrary rulings, courts frequently find that the plain meaning of the word “publication”  requires some dissemination of information to the public at large.  See, e.g., Whole Enchilada, Inc. v. Travelers Prop. Cas. Co. of Am., 581 F. Supp. 2d 677, 697 (E.D. Pa. 2008) (looking to dictionary definitions of the term “publication” and finding no “publication” where the complaint did “not allege that . . . information was in any way made generally known, announced publicly, disseminated to the public, or released for distribution”).

In addition, the Urban Outfitters decision reaffirms the reasoning in a large number of decisions holding that the privacy interest covered under the “personal and advertising” injury prong concerns secrecy interests, not a right to seclusion.  See, e.g., State Farm Gen. Ins. Co. v. JT's Frames, Inc., 104 Cal. Rptr. 3d 573, 584-85 (Cal. Ct. App. 2010) (no coverage for alleged TCPA violations by sending mass faxes because the policy language providing coverage for “[o]ral or written publication of material that violates a person's right of privacy” covered secrecy-based privacy interests, and not seclusion-based privacy interests, and only the latter were implicated by the alleged TCPA violations); Auto-Owners Ins. Co. v. Websolv Computing, Inc., 580 F.3d 543 (7th Cir. 2009) (applying Iowa law) (same); Ace Mortgage Funding, Inc. v. Travelers Indem. Co. of Am., No. 1:05-cv-1631, 2008 WL 686953 (S.D. Ind. Mar. 10, 2008) (same); Hartford Fire Ins. Co. v. Flagstaff Indus. Corp., No. 1:11-CV-1137, 2012 WL 1669845 (N.D. Ohio May 10, 2012) (applying Pennsylvania law) (same).  The courts often reason that the term “publication” is implicated only where the relevant concern is secrecy, since an interest in seclusion can be violated without any publication.  See Websolv, 580 F.3d at 550.  In addition, some courts have applied the “last antecedent rule,” concluding that the phrase “that violates a person's right of privacy” modifies the term “material,” not the word “publication.”  See JT's Frames, 104 Cal. Rptr. 3d at 586. This also leads to the conclusion that the policy's reference to a right of privacy concerns a secrecy interest, not a right to seclusion.

Urban Outfitters adds to limited precedent directly addressing whether CGL and umbrella insurance coverage may respond to a suit alleging improper gathering and use of ZIP code information.  This evolving area of the law merits continuing attention.