ZIP codes deliver liabilitiesReprints
Retailers in California are engaged in coverage disputes with insurers over growing litigation alleging privacy violations for collecting customer ZIP codes during credit card transactions.
More than 150 lawsuits challenging the collection of ZIP code information have been filed against retailers that include Bed Bath & Beyond Inc., Crate & Barrel, Target Corp. and Wal-Mart Stores Inc.
Forty separate class action suits on the subject were filed just 10 days after the California Supreme Court ruled in February that ZIP codes constitute “personal identification information,” the collection of which violates the state's consumer privacy law, said Steve Fraser, senior technical claims officer at Marsh Inc.'s liability claims practice in San Francisco.
“This was not on anybody's radar,” Mr. Fraser said. “This came out of the blue. I don't think anybody anticipated this.”
While lower courts held consistently since 2008 that ZIP codes collected by retailers did not constitute personal identification information, the California Supreme Court ruled in Jessica Pineda vs. Williams-Sonoma Stores Inc. that ZIP code requests violate the state's Song-Beverly Credit Card Act of 1971, which prohibits businesses from asking cardholders for personal information during credit card transactions.
The plaintiffs argued that ZIP codes, along with other credit card information, could be cross-referenced against existing databases to identify home addresses.
Fines for collecting ZIP codes are $1,000 per incident, which California law defines as every time a store clerk asks a customer for his or her ZIP code, Mr. Fraser said.
In a lawsuit filed last month in Massachusetts, which has similar consumer privacy laws as California, arts and crafts retailer Michaels Stores Inc. is accused of violating customer privacy by requesting ZIP codes in making credit card sales.
The nature of the violations and requested relief from retailers already has pitted insurers against retailers, litigation that observers expect to grow.
In a May lawsuit filed in federal court in Chicago, Hartford Fire Insurance Co., a unit of Hartford Financial Services Group Inc., sought declaratory relief against Euromarket Designs Inc., the parent of Crate & Barrel, on grounds that it is not obligated under its commercial general liability insurance policy to pay claims defending lawsuits alleging consumer privacy violations.
Hartford, which declined comment, is the first insurer to ask the courts whether this particular type of claim is covered under the policy, attorneys and brokers said.
Insurers may take the stance that the acts in question are intentional and that the CGL policy does not cover fines and penalties, Mr. Fraser said.
“The distinction between an intentional act and intentional damage is something that exists throughout all of insurance,” said William G. Passannante, shareholder and co-chair of the insurance recovery group at Anderson Kill & Olick P.C. in New York.
“When the retailers were collecting credit card information, did they know that the (California) Supreme Court was going to say that was a violation of the California credit card act? Probably not,” Mr. Passannante said. “This type of claim—the claim that during a retail transaction someone collected information that subsequently leads to liability—is the type of claim that you would expect to be addressed by various liability policies.”
Mr. Passannante advises risk managers to work with their brokers to ensure that retail operations have the broadest coverage possible. But even if a large retailer has broad policy forms, there is a “reasonable probability” that insurers would dispute any ZIP code violation claims retailers may make, he said.
There is an exception for collecting ZIP codes as part of credit card purchases made at the pump when buying gasoline; certain states require consumers to enter their ZIP code to verify the card for security purposes, experts say.
As high-profile hackings made recent headlines, some retailers also questioned whether coverage for ZIP code violations existed in their information network privacy or cyber liability policies, observers said.
Most cyber liability policies don't specifically address the wrongful collection of data, said Kevin Kalinich, national managing director of Aon Risk Solutions' financial services group in Chicago, an Aon Corp. unit.
He said some retailers argue that collecting ZIP codes is part of advertising, which could fall under the CGL policy's advertising injury coverage.
In response, insurers are changing their policies to make it clear as to whether ZIP code violations are covered, Mr. Kalinich said.
In addition, some insurers are adding endorsements to their network risk policies. “Some insurers have already developed those endorsements and they are already on some of the policies where you get a special endorsement to cover wrongful collection of data,” he said.
Laura A. Foggan, partner at Wiley Rein L.L.P. and leader of the firm's insurance appellate group in Washington, said it is “unlikely” that policyholders will find coverage in their CGL policies for ZIP code violation claims.
“I cannot envision any way that a credible argument could be made about bodily injury or property damage liability coverage under a CGL policy,” Ms. Foggan said. “So we're really talking about the question of the meaning of the advertising and personal injury coverage part.”
Such insurance covers slander and libel. “Those characteristics just aren't present in the ZIP code cases that we're seeing,” Ms. Foggan said.
Mr. Kalinich said risk managers should engage their counterparts across the organization to know what personally identifiable customer information is collected and evaluate its potential legal consequences. “I don't think (risk managers) can look at the ZIP codes as an isolated incident. You really have to look at how the services are evolving and how their particular retail company is utilizing technology,” he said.