Illinois BIPA Insurance Coverage Cases

In May 2021, the Illinois Supreme Court ruled on the seminal Illinois insurance coverage case for underlying actions alleging violations of the Illinois Biometric Information Privacy Act 740 ILCS 14/1 et seq. (West 2018) (“BIPA”), West Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc., 2021 IL 125978.  It held West Bend had a duty to defend because the disclosure of fingerprint data to a third party constitutes “publication” as required for “personal injury” coverage under the general liability policy.  Additionally, the Illinois Supreme Court concluded coverage was not excluded by the policy’s distribution of material in violation of statutes exclusion, because it excluded coverage for statutes that regulate the method of communication, not the dissemination of information, like BIPA. (See Previous Bytes Summary)    

Below are summaries of Illinois state and federal insurance coverage cases (most recent first) since the West Bend v. Krishna Illinois Supreme Court ruling. 

N.D. IL / BIPA Duty to Defend 

Exclusions Not Applicable to Bar Personal and Advertising Coverage  

Continental Western Ins. Co. v. Tony’s Finer Foods Enterprises, Inc., No. 22-cv-3575, 2023 WL 4351469 (N.D. Ill. July 5, 2023).

The United States District Court for the Northern District of Illinois, in an opinion by Judge Alonso, applying Illinois law, denied an insurer’s motion for judgment on the pleadings, holding that Continental Western Insurance Company (“Continental”) had a duty to defend its insured, Tony’s Finer Foods Enterprises (“Tony’s”), in an underlying lawsuit that alleged Tony’s violated the Illinois Biometric Information Privacy Act (“BIPA”) by requiring employees to scan their fingerprints to track their time and unlawfully collecting and disclosing their fingerprint data.  

The District Court began by considering whether the underlying lawsuit alleged “personal and advertising injury” as provided by the multiperil commercial lines insurance policy at issue. Relying on the Illinois Supreme Court’s analysis of materially similar policy language in West Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc., the District Court found that the underlying lawsuit similarly alleged the improper disclosure of employees’ fingerprint data to at least one third-party in violation of BIPA and it alleged that the plaintiff suffered an injury, including mental anguish. Accordingly, the District Court held that the underlying lawsuit falls within or potentially within the scope of the Continental policy.

Continental argued that three exclusions precluded coverage: (i) the recording and distribution of material or information in violation of law exclusion; (ii) the access or disclosure of confidential or personal information exclusion; and (iii) the employment-related practices exclusion. The District Court concluded that none of the exclusions unambiguously preclude coverage. The first exclusion did not apply based on the Seventh Circuit’s June 15, 2023, reasoning from the controlling Wynndalco Enterprises case. A broad construction made the second exclusion ambiguous, which the District Court could not resolve with the applications of ejusdem generis and noscitur a sociis because the listed examples had no readily identifiable common theme. Finally, the policy of fingerprint scanning to track employees’ time and failing to obtain their informed consent was not targeted at specific employees and did not relate to any particular employee’s performance, and therefore did not fall within the employment-related practices exclusion. Continental Western Ins. Co. v. Tony’s Finer Foods Enterprises, Inc., No. 22-cv-3575, 2023 WL 4351469 (N.D. Ill. July 5, 2023).

7th Cir. / BIPA Duty to Defend 

“Catch-All” Statutory Violation Exclusion Ambiguous

Citizens Ins. Co. of Am. v. Wynndalco Enter., LLC, No. 22-2313, 2023 WL 4004766 (7th Cir. June 15, 2023).

The Seventh Circuit, in an opinion by Judge Rovner, applying Illinois law, affirmed the district court’s judgment on the pleadings holding that an insurer had a duty to defend two class action lawsuits alleging violations of the Illinois Biometric Information Privacy Act (“BIPA”). The court determined the language of the catch-all provision of the statutory violation exclusion to be intractably ambiguous, and consequently, the insurer had a duty to defend its insured.   

This insurance coverage dispute arose from two class action lawsuits filed against Wynndalco Enterprises, LLC (“Wynndalco”) alleging that it violated BIPA when it licensed and sold to Clearview AI access to Illinois customers, including the Chicago Police Department. Clearview AI is an artificial intelligence firm that creates facial recognition software and has assembled a database of facial-image scans.  

Wynndalco sought coverage under the “personal and advertising” provisions of a business liability insurance policy from Citizens Insurance Company of America (“Citizens”). The “personal and advertising injury” provision includes “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy.” Citizens denied coverage for the BIPA claims based on a catch-all provision in an exclusion that precluded coverage for injuries arising from certain statutory violations (the “Statutory Violation exclusion”). The Statutory Violation exclusion included four enumerated statutes and one catch-all provision for acts that violate “[a]ny other laws, statutes, ordinances, or regulations, that address, prohibit, or limit the printing, dissemination, disposal, collecting, recording, sending, transmitting, communicating or distribution of material or information.”  

The Seventh Circuit determined that a plain-text reading of the catch-all provision would exclude coverage for injuries resulting from all statutory prohibitions that concern the recording, distribution, and so forth of material and information, which would include BIPA violations because BIPA governs the collection, sale, and transmission of biometric identifiers and information. However, under this interpretation, the exclusion would all but eliminate coverage for certain claims that the policy otherwise explicitly purported to cover under the “personal and advertising injury” provision. Thus, the court concluded the exclusion was ambiguous.  

Citizens argued that the enumerated statutes in the Statutory Violation exclusion only applied to causes of action related to privacy, and therefore the catch-all provision should only encompass statutes regulating privacy. This reading would not conflict with the definition of “personal and advertising injury” and would eliminate the ambiguity. The Seventh Circuit, however, noted that the language of the Statutory Violation exclusion’s heading and provisions did not indicate a focus on privacy. Further, the principles of ejusdem generis and noscitur a sociis did not resolve this ambiguity because the text lacked a readily discernible theme.   

The Seventh Circuit held that the ambiguity must be construed against Citizens and in favor of the insured, Wynndalco. It concluded that the injuries at least potentially fall within the policy’s coverage, and thus Citizens had a duty to defend Wynndalco against the BIPA complaints. Citizens Ins. Co. of Am. v. Wynndalco Enter., LLC, No. 22-2313, 2023 WL 4004766 (7th Cir. June 15, 2023).

IL App. 1st Dist. / BIPA  

Defense Costs Owed under Media Liability Coverage 

Remprex, LLC v. Certain Underwriters at Lloyd’s London, 2023 IL App. (1st) 211097 (Apr. 17, 2023). 

The Appellate Court of Illinois for the First District, applying New York law due to a choice of law provision, held that Certain Underwriters at Lloyd’s London (“Lloyd’s”) had an obligation to pay for defense expenses for its insured, a technology company, in an underlying lawsuit that alleged the insured violated the Illinois Biometric Information Privacy Act (“BIPA”) by unlawfully collecting fingerprint data as part of a railroad’s security gate system.    

The underlying disputes arose from a truck driver who filed two class action lawsuits alleging violations of BIPA. The first class action suit was against BNSF Railway Company (“BNSF”), and it was alleged that BNSF violated BIPA by negligently or recklessly collecting biometric information from truck drivers. Remprex was not named as a defendant in the BNSF suit, but because it contracted with BNSF to provide automated gate services at BNSF facilities, Remprex was subpoenaed for documents, and some of its officers were deposed. Remprex was named as a defendant in the second BIPA class action suit against CN Transportation, an affiliate of the Canadian National Railway Company (“CN”).   

Remprex sought coverage from Lloyd’s under the data and network liability and the media liability provisions of a Beazley Breach Response policy underwritten by Lloyd’s for costs it incurred in defending the two BIPA class action suits. The crux of the coverage dispute was whether the alleged BIPA violations, as outlined in the class action suits, triggered Lloyd’s media liability or data and network liability coverage. The data & network liability section of the policy provides coverage for damages and claims expenses for a data breach, a security breach, or failure by the Insured to comply with specific provisions of a privacy policy.  The media liability section of the policy provides coverage for damages and claims expenses for media liability.  “[M]edia liability” is defined to include one or more enumerated acts committed by or on behalf of the insured in the course of creating, displaying, broadcasting, disseminating, or releasing media material to the public. Because Remprex was not named in the BNSF class action suit, the Appellate Court held that Lloyd’s did not have a duty to defend Remprex under either the data & network liability coverage or the media liability coverage.  

Regarding the CN lawsuit, the Appellate Court ruled that coverage was not owed under the portion of the media liability section applying to the dissemination of material to the public. The Appellate Court reasoned that collecting truck drivers’ fingerprints and disseminating them to the counterparty of the agreement to collect such information was not equivalent to disseminating the fingerprints to the public.   

However, the media liability section of the policy also provided coverage for violating an individual’s right to privacy during the “course of creating media material.” The Appellate Court noted that the policy exclusion for losses arising from the unlawful collection of personally identifiable information on behalf of the insured was also applicable. Ultimately, the Appellate Court concluded that an exception to that exclusion applied, which provides that the exclusion does not apply to claims expenses incurred in defending the insured against allegations of the unlawful collection of personally identifiable information. Thus, the exception to the policy exclusion outlined exactly what Remprex was accused of doing: unlawfully collecting the plaintiffs’ fingerprints. The Appellate Court concluded that the trial court erred and that Remprex was entitled to coverage for its claims expenses incurred in defending against the CN lawsuit under the policy’s media liability provision.

The Appellate Court held no coverage for Remprex under the data & network liability coverage of the policy because that coverage appeared to apply primarily to third-party breaches of the insured’s computer systems that in turn expose the stored personal information to unauthorized persons, which is not alleged in the CN lawsuit. Remprex, LLC v. Certain Underwriters at Lloyd’s London, 2023 IL App. (1st) 211097 (Apr. 17, 2023). 

Thermoflex Waukegan, LLC v. Mitsui Sumitomo Ins., No. 21 C 788, 2023 WL 319235 (N.D. Ill. Jan. 29, 2023).  

In this case, the United States District Court for the Northern District of Illinois, in an opinion written by Judge Durkin, declined to disturb Judge Lee’s previous ruling that Mitsui had no duty to defend or indemnify Thermoflex under the primary commercial general liability policies it issued to Thermoflex because of the access or disclosure exclusion. The Court further held that Mitsui owes Thermoflex a duty to defend under excess and umbrella policies, but that duty to defend does not arise until the limits of Thermoflex’s defending primary policy (Citizens see supra) are reached.  

As to the statutory violation exclusion, the Court distinguished West Bend because the exclusion at issue references three specific statutes, not two: the TCPA, the CAN-SPAM Act, and the FCRA / FACTA.  The exclusion at issue also contemplates other ways of handling material or information, including collecting, recording, printing, and disposing of material or information.  However, the Court reasoned that reading the exclusion to encompass any statute that relates in any other way to handling material or information would seem to swallow up large parts of coverage.  Thus, it held the exclusion is ambiguous and must be construed in favor of coverage.   

Next, the Court concluded that when the excess and umbrella policies were read as a whole, the data breach exclusion was not intended to bar coverage beyond data breach liability, but to the extent the data breach exclusion is open to another reasonable interpretation in light of its similar language to the access or disclosure exclusion, it is ambiguous and must be construed in favor of coverage.   

Finally, with regard to the employment-related practices (“ERP”) exclusion, the Court concluded that Thermoflex’s “policy” of requiring hourly workers to use a biometric time tracking and attendance system does not fall within the ERP exclusion, or at a minimum is ambiguous, and therefore, must be construed in favor of coverage.

State Auto Prop. & Cas. Ins. Co. v. Fruit Fusion, Inc., No. 3:21-CV-1132-NJR, 2022 WL 4549824 (S.D. Ill. Sept. 29, 2022).  

The United States District Court for the Southern District of Illinois, in an opinion written by Judge Rosenstengel, held coverage for an alleged BIPA violation was precluded by the recording and distribution of material or information in violation of law exclusion in a commercial general liability policy.   

First, State Auto’s personal and advertising liability provision included injury arising out of the oral or written publication of material that violates a person’s right to privacy, but it did not define “publication.” Using the court’s reasoning from West Bend, the Court reasoned that the term had at least two definitions, and although the underlying complaint did not clearly allege “publication” of biometric information, the Court must liberally construe ambiguities in favor of the insured.  

Similarly, the Court held that State Auto’s employment-related practices exclusion did not bar coverage because it did not unambiguously exclude BIPA claims. Consistent with other district court holdings, the Court reasoned that it would have to interpret the exclusion broadly for it to bar BIPA claims.   

Lastly, in interpreting the recording and distribution of material exclusion, the Court found the reasoning in Cheese Merchants instructive. Thus, the Court held that the underlying BIPA claim fell within State Auto’s exclusion because BIPA, like the FCRA, is concerned with the collection and transmittal of private information, and the underlying claim alleged the dissemination of an employee’s biometric information. 

Continental Western Ins. Co. v. Cheese Merchants of America, LLC, No. 21-CV-1571, 2022 WL 4483886 (N.D. Ill. Sept. 27, 2022).   

In Cheese Merchants, the U.S. District Court for the Northern District of Illinois, in an opinion written by Judge Seeger, held no coverage for a former employee’s lawsuit alleging violations of BIPA.

First, the Court concluded the policy exclusion for employment-related practices (“ERP”) did not unambiguously preclude coverage for the former employee’s claims. In interpreting the ERP exclusion, the court adopted the reasoning of Tony’s Finer Foods (see supra), and determined that using one’s hand or finger to clock-in and clock-out of work is a practice related to employment, but, after considering the complete text and the overall structure of the exclusion, it is a categorically different type of practice than everything else listed: “[E]verything else in the list involves mistreatment targeted at a specific employee – conduct directed ‘at that person.’”

Next, the Court analyzed the access or disclosure of confidential or personal information exclusion and reasoned that a claim arising from the scanning of one’s hand unambiguously constituted a claim about personal information, and therefore, the exclusion barred coverage for the underlying BIPA action.  

Lastly, contrary to other courts in the district, the Court determined that the violation of laws exclusion also applied to preclude coverage:  “The inclusion of the FCRA makes this case meaningfully different than West Bend. … [H]ere, the exclusion covers two types of privacy statutes: two statutes that protect privacy when communicating with consumers (the TCPA and the CAN-SPAM Act), and one statute that protects the privacy of information given by consumers (the FCRA). The inclusion of the FCRA expands the scope of the exclusion.”   

Church Mut. Ins. Co. v. Prairie Village Supportive Living, LLC, No. 21 C 3752, 2022 WL 3290686 (N.D. Ill. Aug. 11, 2022).  

The United States District Court for the Northern District of Illinois, in an opinion written by Judge Kocoras, granted an insurer’s motion for judgment on the pleadings and held coverage for an alleged BIPA violation was precluded by the violation of laws applicable to employers exclusion in the employment practices liability (EPL) coverage.   

Church Mutual argued that it did not owe Prairie Village a defense or indemnity for an underlying lawsuit alleging BIPA violations filed by a former employee due to the EPL policy’s employment-related practices exclusion. Under this exclusion, any claim that arose out of a violation of an insured’s responsibility imposed by state statutes was exempt from coverage; however, the exclusion did not apply to claims arising out of certain enumerated exempted laws.

As BIPA was not explicitly mentioned, the Court compared BIPA’s provisions to the laws within the exemption to the exclusion and found that BIPA imposes responsibilities on employers, which was categorically different from the exempted enumerated laws proscribing discrimination in one form or another (the ADA, Title VII, the FMLA, etc.). The Court determined that BIPA more closely shared general similarities with the statutes excluded, and thus, the Court held that Church Mutual had no duty to defend or indemnify Prairie Village.

Philadelphia Indem. Ins. Co. v. Lewis Produce Market No. 2 Inc., No. 21 C 4037, 2022 WL 1045640 (N.D. Ill. Apr. 7, 2022).   

The U.S. District Court for the Northern District of Illinois, in an opinion written by Judge Kennelly, granted an insurer’s motion for judgment on the pleadings, holding no coverage for a lawsuit alleging violations of BIPA because the insured was unaware of the “claim” until after the policy period ended.

The insurer issued two consecutive claims made policies to the policyholder, one for February 2, 2020 to February 1, 2021 and one for February 2, 2021 to February 1, 2022. The parties agreed that the 2021 policy does not provide coverage for lawsuits alleging privacy violations under BIPA.    

The 2020 policy at issue covered “Loss from Claims made against the Insured during the Policy Period.” The policy provides that a “Claim shall be considered made when an Insured first receives notice of the Claim.”  The lawsuit was filed on the last day of the policy period and the policyholder first learned of the lawsuit on February 8, 2021, about a week after the 2020 policy period.  After acknowledging the practical difficulties involved when a lawsuit is filed late on the last day of a policy period, the Court concluded that the policy could not be interpreted to provide greater coverage than the parties bargained for.  (See Previous Bytes Summary)   

American Family Mut. Ins. Co. v. Carnagio Enterprises, Inc., No. 20-C-3665, 2022 WL 952533 (N.D. Ill. Mar. 30, 2022).  

In Carnagio, the Court, in an opinion written by Judge Lee, considered whether three different policy exclusions found in the insured’s Businessowners’ Liability Insurance policies precluded coverage for alleged violations of BIPA. The Court found that the employment-related practices (“ERP”) exclusion did not apply as it was “not enough that the underlying claim simply arise out of an employer-employee relationship.” Rather, the exclusion applied only when it involved an action related to an employee’s work performance. Because the practice of requiring employees to use their fingerprints to clock in and out of work applied generally to all employees rather than to a particular one and was otherwise unrelated to work performance, it did not fall within the ERP exclusion.   

Similarly, the Court found that a distribution of material in violation of statutes provision did not exclude coverage. The Court construed the exclusion as applying only to those statutes it specifically identified – the Telephone Consumer Protection Act and the CAN-SPAM Act of 2003 (collectively the “Acts”) – and statutes, ordinances or regulations similar to those Acts. The Court concluded that BIPA was not similar to those Acts because it protected “a different kind of privacy” by regulating information that private citizens give away rather than regulating information they receive.

Finally, the Court held that an access or disclosure of confidential or personal information and data-related liability exclusion did preclude coverage. The Court determined that the biometric data protected by BIPA clearly fell within the scope of the exclusion as it was the type of “confidential” or “personal” information which individuals “have a heightened interest in keeping from third-parties or the public at large.”  (See Previous Bytes Summary)

Thermoflex Waukegan, LLC v. Mitsui Sumitomo Ins., 595 F. Supp. 3d 677 (N.D. Ill. Mar. 30, 2022).  

In this case, the Court, in an opinion written by Judge Lee, held that the access or disclosure of confidential or personal information exclusion barred coverage for BIPA claims. In reaching its conclusion, the Court found the language of the commercial general liability policy exclusion (“This insurance does not apply to … [d]amages arising out of … any access to or disclosure of any person’s … personal information…”) unequivocal and expansive. Based on that unambiguous language, the Court ruled that because the underlying BIPA litigation sought damages arising out of a third-party’s access to or disclosure of personal information, “it clearly [fell] within the scope of the exclusion.” Further, the Court noted that even if it were to find the exclusion ambiguous, it would apply the interpretative canon of noscitur a sociis (literally meaning “it is known from its associates”) to conclude that the subset of information listed under the exclusion identifies the kind of information that individuals “have a heightened interest in keeping from third-parties or the public at large.” The Court determined that the biometric data that BIPA protects certainly falls within that category. Accordingly, the Court granted summary judgment in favor of the insurer. 

Citizens Ins. Co. of America v. Wynndalco Enterprises, LLC, No. 20 C 3875, 2022 WL 592534 (N.D. Ill. Mar. 30, 2022).   

In Wynndalco Enterprises, the U.S. District Court for the Northern District of Illinois, in an opinion written by Judge Lee, held that coverage for alleged violations of BIPA was not unambiguously precluded by the distribution of material in violation of statutes exclusion in the business liability insurance policy at issue.  The exclusion barred coverage for injury arising out of violations of the Telephone Consumer Protection Act (“TCPA”), the CAN-SPAM Act of 2003, the Fair Credit Reporting Act (“FCRA”), the Fair and Accurate Credit Transaction Act (“FACTA”), or “any other laws, statutes… that address, prohibit, or limit the printing, dissemination, disposal, collecting, recording, sending, transmitting, communicating or distribution of material or information.”

The Court held that BIPA did not share a common characteristic to the four statutes listed in the exclusion and because two senses of privacy existed within the exclusion, it was ambiguous: “To interpret the exclusion to cover every statute that concerns a person or entity doing practically anything whatsoever with ‘information’ would make certain coverage provisions illusory, including, for example, those that provide coverage for injuries ‘arising out of … [o]ral or written publication, in any manner, of material that violates a person’s right of privacy.’” (See Previous Bytes Summary)  

Citizens Ins. Co. of Am. v. Highland Baking Co., Inc., No. 20-cv-04997, 2022 WL 1210709 (N.D. Ill. Mar. 29, 2022).   

In Highland Baking, the insurers filed a declaratory judgment action seeking declarations that they had no duty to defend or indemnify Highland Baking in an underlying putative class action alleging violations of BIPA and the Illinois Minimum Wage Act. The insurers argued that three exclusions applied and precluded coverage for the BIPA claims: (i) the employment-related practices exclusion; (ii) the recording and distribution of material or information in violation of law exclusion; and (iii) the access or disclosure of confidential or personal information exclusion. The Court, in an opinion written by Judge Pacold, concluded that none of the exclusions unambiguously precluded coverage of the BIPA claims based on the reasoning set forth in Citizens Ins. Co. of Am. v. Thermoflex Waukegan, LLC, No. 20-cv-05980, 2022 WL 602534 (N.D. Ill. Mar. 1, 2022), which the Court found “persuasive and fully applicable” and adopted without further comment.

State Auto. Mutual Ins. Co. v. Tony’s Finer Foods Enterprises, Inc., No. 20-cv-6199, 2022 WL 683688 (N.D. Ill. Mar. 8, 2022).

In Tony’s Finer Foods, State Farm filed a suit for a declaratory judgment, arguing that it had no duty to defend BIPA claims arising out of its insured’s collection and use of its employees’ fingerprints to clock in and out of work. State Farm denied coverage under a policy exclusion for certain employment-related practices. In denying State Farm’s motion for summary judgment, the Court, in an opinion written by Judge Seeger, determined that the policy exclusion did not apply to “any and all claims by employees” (such as BIPA) based on its structure and text. Instead, the policy language made clear that the exclusion applied only to a subset of employment claims: those that required a change in employment status or other negative treatment directed at the employee. The Court reasoned that scanning a fingerprint was not a disciplinary action, nor did it affect an employee’s standing with the company or otherwise constitute mistreatment of an employee. Accordingly, the Court concluded that the BIPA claims did not fall within the employment-related practices exclusion of the policy.  (See Previous Bytes Summary)  

Citizens Ins. Co. of America v. Thermoflex Waukegan, LLC, No. C 5980, 2022 WL 602534 (N.D. Ill. Mar. 1, 2022).  

The U.S. District Court for the Northern District of Illinois, in an opinion written by Judge Kness, held that coverage under a primary commercial lines policy and a follow form excess and umbrella policy for alleged BIPA violations was not barred by the employment-related practices exclusion, the recording and distribution exclusion, or the access or disclosure exclusion. In each instance, the Court found that the provisions of the policy were ambiguous, and therefore, it had to resolve such ambiguities in favor of the insured. The employment-related exclusion barred coverage for employment practices and actions such as “coercion, demotion, evaluation, reassignment, discipline, defamation, harassment, humiliation, discrimination or malicious prosecution.” The Court concluded that the conduct in question in the case (collection of employees’ handprints) did not unambiguously share “general similitude with … other matters specifically enumerated in the [exclusion].” With respect to the recording and distribution exclusion, which excluded violations of any federal, state, or local ordinance or regulation, the Court relied heavily on the Illinois Supreme Court’s West Bend decision, in concluding that coverage should be permitted. The final exclusion stated that insurance does not apply to personal or advertising injury arising out of any access to or disclosure of any person’s confidential or personal information. Once again, the Court concluded that this provision was ambiguous.  (See Previous Bytes Summary)

American Family Mutual Ins. Co. v. Caremel, Inc., No. 20 C 637, 2022 WL 79868 (N.D. Ill. Jan. 7, 2022).  

In Caremel, in an opinion written by Judge Leinenweber, the Court determined that the plain language of an employment-related practices (“ERP”) exclusion barred coverage for BIPA violations. In reaching its conclusion, the Court held that a BIPA violation was of the “same nature” as the exemplar, employment-related practices listed in the exclusion because they all “reflect a practice that can cause an individual harm to an employee.” The Court further rejected the insured’s argument that its fingerprint requirement was directed to all employees whereas the exclusion applied only to those employment practices directed at individuals. The Court reasoned that the harm, if any, would be experienced individually such that the exclusion would apply. Finally, the Court held that neither the access or disclosure exclusion nor the violation of statute exclusion applied to BIPA claims. With respect to the access/disclosure exclusion, the Court concluded that fingerprints were not similar in nature to the type of information (intellectual property, financial, and healthcare) listed by the exclusion. The Court also held that the violation of statute exclusion did not exclude coverage for BIPA claims as it was “virtually identical” to the provision in West Bend that the Illinois Supreme Court found did not exclude coverage. (See Previous Bytes Summary)  

Twin City Fire Ins. Co. v. Vonachen Servs. Inc., 567 F. Supp. 979 (C.D. Ill. Oct. 19, 2021).

The U.S. District Court for the Central District of Illinois, in an opinion written by Judge Shadid, held that coverage for alleged violations of BIPA (1) was barred by the invasion of privacy exclusion under the D&O policy, but a defense obligation (2) fell within the employment practices liability coverage for breach of the employment contract, including any obligation arising from the employee handbook. The exclusion in the D&O policy provided that the insurer shall not pay loss in connection with any claim based upon, arising from, or in any way related to any actual or alleged invasion of privacy. The Court relied on holdings from the Illinois Supreme Court and various other state and federal courts to conclude that BIPA claims “generally relate to or arise from invasion of privacy.” With respect to the EPL coverage, the Court rejected the insurer’s claims that the employee handbook did not create contractual obligations, and it held that the claim potentially fell within the definition of “employment practices wrongful act,” which was defined as any breach of any written employment contract including any obligation arising from an employment handbook.

Fed. N.C. / BIPA 

Recording and Distribution of Material or Information Exclusion Applies to IL BIPA Violations 

Mass. Bay Ins. Co. v. Impact Fulfillment Serv., LLC, 2021 WL 4392061 (Sept. 24, 2021). 

The United States District Court for the Middle District of North Carolina, applying North Carolina law, granted the insurers’ motion for judgment on the pleadings, holding that the insurers had no duty to defend the insured against alleged violations of the Illinois Biometric Information Privacy Act (BIPA) because those allegations fall within the Recording and Distribution of Material or Information Exclusion. Specifically, the district court found that BIPA, which regulates the retention, collection, disclosure, and destruction of biometric information (such as, in this case, digital fingerprint scans), is analogous to the statutes enumerated in the exclusion, including the Telephone Consumer Protection Act (TCPA), the CAN-SPAM Act of 2003, and the Fair Credit Reporting Act (FCRA). Thus, allegations of BIPA violations are likewise excluded from coverage. 

In the underlying litigation, employees of the insured Impact Fulfillment Services, LLC (“Impact”) alleged violations of BIPA, claiming that Impact used their fingerprints as part of payroll time-keeping procedures at a facility in Illinois. Critically, Impact never informed its employees of the purpose, length of collection, or use of this biometric data.

In discussing whether BIPA fell within the Recording and Distribution of Material or Information Exclusion, the court noted the decisions of other district courts nationwide that brought violations of federal privacy laws into the exclusion on the basis of a provision in the exclusion that concerns “[a]ny federal, state or local statute, ordinance or regulation… that addresses, prohibits, or limits the printing, dissemination, disposal, collecting, recording, sending, transmitting, communicating or distribution of material or information.” The district court stated that “the main purpose of this exclusion is to exclude from coverage [violation of] statutes that protect and govern privacy interests in personal information.” 

Because BIPA governs a person’s privacy interest in their own biometric information, the District Court found that it is of the same kind, character, and nature as the enumerated statutes. Thus, under North Carolina law, violations of BIPA are excluded from coverage, and the insurers’ motion for judgment on the pleadings was granted. Mass. Bay Ins. Co. v. Impact Fulfillment Serv., LLC, 2021 WL 4392061 (Sept. 24, 2021). 

IL Sup. Ct. / Biometric Information Privacy Act (“BIPA”) 

Disclosure to 3rd Party a “Publication” – “Violation of Statute” Exclusion Inapplicable 

West Bend Mutual Insurance Co. v. Krishna Schaumburg Tan, Inc., 2021 IL 125978 (May 20, 2021). 

The Illinois Supreme Court, in an opinion written by Justice Neville, applying Illinois law, affirmed the lower courts’ rulings and held that the insurer had a duty to defend claims for violations of the Biometric Information Privacy Act (“BIPA”) because the disclosure of fingerprint data to a third party constitutes “publication” as required for “personal injury” coverage.  Additionally, the Illinois Supreme Court held that coverage for the BIPA claims was not excluded by the policy’s “violation of statutes” exclusion, because it excluded coverage for statutes that regulate the method of communication, not the dissemination of information, like BIPA.  

The opinion stems from a declaratory judgment action filed by West Bend Insurance Company (“West Bend”) asking the court to find that it does not have a duty to defend Krishna Schaumburg Tan, Inc. (“Krishna”) in a class action suit initiated against it by Klaudia Sekura.  The underlying suit alleges that Krishna violated BIPA when it disclosed its customers’ fingerprint data to a third-party vendor without consent.  Upon receiving the complaint, Krishna notified West Bend and sought a defense.  West Bend agreed to defend Krishna in the class action suit under a reservation of rights and filed a declaratory judgment action seeking a declaration that it had no duty to defend Krishna.  On cross-motions for summary judgment, the trial court determined that West Bend had a duty to defend because the underlying allegations fell within the policy’s coverage for “personal injury” as a “publication which violates a person’s right to privacy” and the policy’s violation of statutes exclusion did not apply to the BIPA violation allegations.  The appellate court affirmed.

Under a de novo review, the Illinois Supreme Court construed the policies to determine whether the underlying complaint alleges: (1) a “personal injury or advertising injury,” (2) a “publication” of material by Krishna that violated Sekura’s right to privacy, and (3) a publication of material by Krishna that violated Sekura’s “right of privacy.”  

First, it determined that the underlying complaint alleged a potential nonbodily injury under West Bend’s policy, thus alleging a “personal injury or advertising injury” under the policy.  Next, it examined the definition of “publication” in various dictionaries, treatises on insurance law and the law of privacy, and the Restatement of the Law of Torts, and it found that the term “publication” has at least two definitions and means both the communication of information to a single party and the communication of information to the public at large.  Thus, the Illinois Supreme Court found the term to be ambiguous, and therefore it must be strictly construed against the insurer who drafted the policies.  Accordingly, it construed the term “publication” to include a communication with a single party and found that the allegations in the underlying complaint established there was a “publication.”

Then, it looked to Black’s Law Dictionary to determine that “right of privacy” means the right to personal autonomy.  It found that courts have recognized the “right of privacy” to include the interests of seclusion and secrecy.  BIPA protects a secrecy interest: “[T]he right of an individual to keep his or her personal information like fingerprints secret.”  Therefore, it found that Sekura’s assertions in the underlying complaint that Krishna shared biometric identifiers and information with a third party allege a potential violation of Sekura’s right to privacy.

Lastly, the Illinois Supreme Court interpreted the violation of statutes exclusion, finding that it does not apply to bar coverage for the underlying action.   The violation of statutes exclusion excludes coverage for (1) the TCPA, (2) the CAN-SPAM Act, and (3) statutes “other than” the TCPA or CAN-SPAM Act that prohibit or limit the communication of information.  Because the violation of statutes exclusion does not list BIPA, the court analyzed the “other than” language in prong three, and it determined, based on the doctrine of ejusdem generis, that it only applies to statutes like TCPA (phone calls and faxes) and the CAN-SPAM Act (e-mails) that regulate methods of communication. 

Based on its analysis, the Illinois Supreme Court held that West Bend has a duty to defend Krishna against the underlying action.  West Bend Mutual Insurance Co. v. Krishna Schaumburg Tan, Inc., 2021 IL 125978 (May 20, 2021).