Among the various consumer data privacy laws are laws precluding companies from collecting and selling consumer credit card information.  When a company is accused of selling its customers’ credit card information to third-parties in a class action, does it have insurance coverage to defend it from that class action?  The Ninth Circuit recently addressed this question.

In Brighton Collectibles, LLC v. Certain Underwriter’s at Lloyd’s, London, No. 18-56403 (9th Cir. Mar. 16, 2020), a company faced a putative class action by consumers accusing the company of collecting and selling their personal credit card information in violation of the California’s Song-Beverly Credit Card Act (the “Credit Card Act”), Cal. Civ. Code § 1747.08.  The company went to its insurance company and asked for a defense.  The insurance company declined, and the policyholder brought suit to compel the insurance company to defend. The district court granted summary judgment to the insurance company and the policyholder appealed.

In reversing the district court and holding that the insurance company had a duty to defend the policyholder in the underlying lawsuit, the circuit court addressed the broad nature of the duty to defend.  The court noted that under California law, an insurer has a duty to defend unless there is no potential for coverage.  Here, the court found that the policy covered the policyholder for personal injury caused by an offence arising out of the policyholder’s business, including the oral or written publication of material that violates a person’s right of privacy.

Looking at the allegations in the complaint, the court found that the complaint alleged a violation of the underlying customer’s right of privacy within the meaning of the insurance policy.  Citing to a TCPA ruling, Los Angeles Lakers, Inc. v. Federal Insurance Co., 869 F.3d 795 (9th Cir. 2017), the court analogized its privacy analysis there to the Credit Card Act, which was supported by the California Supreme Court’s interpretation of the Credit Card Act as having an overriding purpose to protect the personal privacy of consumers.

The policy contained an exclusion exclusion for advertising, publishing, broadcasting or telecasting done by or for the policyholder and the insurance company argued that the exclusion eliminated its obligation to defend.  The court rejected this argument, holding that

[t]he word “publishing” in this coverage exclusion cannot be read to have the same meaning as the word “publication” in the personal injury provision.  Such a reading would exclude coverage for virtually any publication over which Brighton might realistically be sued, rendering the policies’ express coverage for publications that violate privacy rights “practically meaningless (citations omitted).

The court stated that the grouping of “publishing” with “advertising . . . , broadcasting or telecasting” in the coverage exclusion suggested that the exclusion applied only to broad, public-facing marketing activities.  The allegations in the complaint, however, were that the policyholder sold consumer credit card information to third-party marketers, which, if true, would be a publication of the information.  Accordingly, the case was reversed and remanded to the district court.