Retailers in California are engaged in coverage disputes with insurers over growing litigation alleging privacy violations for collecting customer ZIP codes during credit card transactions.
More than 150 lawsuits challenging the collection of ZIP code information have been filed against retailers that include Bed Bath & Beyond Inc., Crate & Barrel, Target Corp. and Wal-Mart Stores Inc.
Forty separate class action suits on the subject were filed just 10 days after the California Supreme Court ruled in February that ZIP codes constitute “personal identification information,” the collection of which violates the state’s consumer privacy law, said Steve Fraser, senior technical claims officer at Marsh Inc.’s liability claims practice in San Francisco.
While lower courts held consistently since 2008 that ZIP codes collected by retailers did not constitute personal identification information, the California Supreme Court ruled in Jessica Pineda vs. Williams-Sonoma Stores Inc. that ZIP code requests violate the state’s Song-Beverly Credit Card Act of 1971, which prohibits businesses from asking cardholders for personal information during credit card transactions.
The plaintiffs argued that ZIP codes, along with other credit card information, could be cross-referenced against existing databases to identify home addresses.
Fines for collecting ZIP codes are $1,000 per incident, which California law defines as every time a store clerk asks a customer for his or her ZIP code, Mr. Fraser said.
In a lawsuit filed last month in Massachusetts, which has consumer privacy laws similar to California's, arts and crafts retailer Michaels Stores Inc. is accused of violating customer privacy by requesting ZIP codes when making credit card sales.
The nature of the violations and requested relief from retailers already has pitted insurers against retailers in litigation that observers expect to grow.
In a May lawsuit filed in federal court in Chicago, Hartford Fire Insurance Co., a unit of Hartford Financial Services Group Inc., sought declaratory relief against Euromarket Designs Inc., the parent of Crate & Barrel, on grounds that it is not obligated under its commercial general liability insurance policy to pay claims defending lawsuits alleging consumer privacy violations.
Hartford, which declined comment, is the first insurer to ask the courts whether this particular type of claim is covered under the policy, attorneys and brokers said.
There is an exception for collecting ZIP codes as part of credit card purchases made at the pump when buying gasoline; certain states require consumers to enter their ZIP code to verify the card for security purposes, experts say.
As high-profile hackings made recent headlines, some retailers also questioned whether coverage for ZIP code violations existed in their information network privacy or cyber liability policies, observers said.
Most cyber liability policies don’t specifically address the wrongful collection of data, said Kevin Kalinich, national managing director of Aon Risk Solutions’ financial services group in Chicago, an Aon Corp. unit.
In response, insurers are changing their policies to make clear whether ZIP code violations are covered.
Risk managers should engage their counterparts across the organization to know what personally identifiable customer information is collected and evaluate its potential legal consequences.