IL App 1st / Biometric Information Privacy Act

Disclosure to 3rd Party a “Publication” – “Violation of Statutes” Exclusion Not Applicable to BIPA Claim

The Illinois Appellate Court for the First District, in an opinion written by Justice Mikva with Justices Connor and Harris concurring, applying Illinois law, affirmed the Circuit Court’s ruling and held that the insurer had a duty to defend claims for violations of the Biometric Information Privacy Act (“BIPA”) because the disclosure of fingerprint data to a third party constitutes “publication” as required for “personal injury” coverage.  Additionally, the Appellate Court held that coverage for the BIPA claims was not excluded by the policy’s “violation of statutes” exclusion, because the policy’s “violation of statutes” exclusion excluded coverage for statutes that regulate the method of communication, not the dissemination of information, like BIPA.

The opinion stems from a declaratory judgment action filed by West Bend Insurance Company (“West Bend”) asking the court to find that it does not have a duty to defend Krishna Schaumburg Tan, Inc. (“Krishna”) in a class action suit initiated against it by Klaudia Sekura.  The underlying suit alleges that Krishna violated §15(d)(1) of BIPA when it disclosed its customer’s fingerprint data to a third party without consent.  Upon receiving the complaint, Krishna notified West Bend and sought a defense and indemnification.  West Bend initially agreed to defend Krishna in the class action suit under a reservation of rights, but then filed a declaratory judgment action seeking a declaration that it had no duty to defend or indemnify Krishna.  On West Bend’s cross-motion for summary judgment, the Circuit Court determined that West Bend had a duty to defend because the underlying allegations fell within the policy’s coverage for “personal injury” as a “publication which violates a person’s right to privacy” and found that the policy’s  violation of statute exclusion did not apply to the BIPA violation allegations.  The Circuit Court, however, denied Krishna’s motion for summary judgment with respect to its §155 bad faith claim against West Bend finding that Krishna’s bare assertion that West Bend’s conduct constituted a “capricious” denial of coverage was not sufficient to meet the §155 standard of vexatious and unreasonable conduct.  West Bend appealed the ruling regarding the duty to defend.

The Appellate Court first addressed whether the allegations in the underlying complaint fell within the “personal injury” provision of the policy, which defines personal injury as an “injury, other than ‘bodily injury,’ arising out of … [o]ral or written publication of material that violates a person’s right to privacy.”  Whether West Bend had a duty to defend in the class action suit hinged on how the term “publication” was interpreted since the term was not expressly defined in the policy.  West Bend argued that the act of Krishna sharing the fingerprint data to a third party did not constitute publication within the meaning of policy because the information was not shared to the public at large, but rather, only shared to a single third party.  After reviewing the plain meaning, common understanding, and dictionary definitions of the term, the court determined that “publication” encompasses both the sharing of information to the public at large and the sharing of information to a single third party.  Given this definition, the Appellate Court held that West Bend had a duty to defend Krishna in the class action suit because the allegations set forth in the complaint fell within the “personal injury” coverage provision.

The Appellate Court then addressed whether Krishna’s alleged violation of §15(d)(1) of BIPA was excluded under the policy due to the policy’s violation of statutes exclusion.  The relevant policy language  states that the insurance does not apply to personal injuries “arising directly or indirectly out of any action or omission that violates or is alleged to violate … [a]ny statute, ordinance or regulation… that prohibits or limits the sending transmitting, communication or distribution of a material or information.”  West Bend argued that BIPA is a statute that would fall within the catch-all provision as a statute that regulates the sending of material or information.  After reviewing the exclusion as a whole, the Appellate Court determined that the exclusion only applies to statutes that regulate methods of communication and does not apply to statutes that regulate the dissemination of certain types of information.  The Appellate Court supported their determination by pointing out that the full title of the exclusion, “Violation of Statutes That Govern E-mails, Fax, Phone Calls or Other Methods of Sending Material Information,” very clearly only references methods of communication.  Additionally, the statutes that the provision expressly named, Telephone Consumer Protection ACT and CAN-SPAM ACT of 2003, only relate to methods of communication.

According to the Appellate Court, as written, the exclusion only intended to apply to statutes that regulate methods of communication and if West Bend wanted the statute to be interpreted more broadly, it could have written the exclusion in a way to express that information.  Thus, the Appellate Court concluded that BIPA does not fall within the narrow category of statutes because BIPA does not regulate methods of communication but instead regulates “the collection, use, safeguarding, handling, storage, retention and destruction of biometric identifiers and information.”  As such, the Appellate Court held that an alleged violation of BIPA is not excluded by the policy’s violation of statutes exclusion.  West Bend Mutual Insurance Co. v. Krishna Schaumburg Tan, Inc., 2020 IL App (1st) 191834 (Mar. 20, 2020).