A Comprehensive Index of BIPA Insurance Coverage Cases 

In May 2021, the Illinois Supreme Court ruled on the seminal Illinois insurance coverage case for underlying actions alleging violations of the Illinois Biometric Information Privacy Act 740 ILCS 14/1 et seq. (West 2018) (“BIPA”), West Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc., 2021 IL 125978.  It held West Bend had a duty to defend because the disclosure of fingerprint data to a third party constitutes “publication” as required for “personal injury” coverage under the general liability policy.  Additionally, the Illinois Supreme Court concluded coverage was not excluded by the policy’s distribution of material in violation of statutes exclusion, because it excluded coverage for statutes that regulate the method of communication, not the dissemination of information, like BIPA. (See Previous Bytes Summary)   

More recently, the Illinois Supreme Court decided two critical issues that will directly affect insurance coverage for BIPA actions. First, it held that a five-year statute of limitations applies to claims under BIPA. Tims v. Black Horse Carriers, Inc., 2023 IL 127801. Second, it held that a BIPA claim accrues each time biometric identifiers or information are collected or disseminated, and not only on first scan and first transmission. Cothron v. White Castle System, Inc., 2023 Il 128004. 

Below please find brief summaries of Illinois federal district court insurance coverage opinions that have been decided since West Bend: 

Twin City Fire Ins. Co. v. Vonachen Servs. Inc., 567 F. Supp. 979 (C.D. Ill. Oct. 19 2021). 

The U.S District Court for the Central District of Illinois, in an opinion written by Judge Shadid, held that coverage for alleged violations of BIPA (1) was barred by the invasion of privacy exclusion under the D&O policy, but a defense obligation (2) fell within the employment practices liability coverage for breach of the employment contract, including any obligation arising from the employee handbook. The exclusion in the D&O policy provided that the insurer shall not pay loss in connection with any claim based upon, arising from, or in any way related to any actual or alleged invasion of privacy. The Court relied on holdings from the Illinois Supreme Court and various other state and federal courts to conclude that BIPA claims “generally relate to or arise from invasion of privacy.” With respect to the EPL coverage, the Court rejected the insurer’s claims that the employee handbook did not create contractual obligations, and it held that the claim potentially fell within the definition of “employment practices wrongful act,” which was defined as any breach of any written employment contract including any obligation arising under from an employment handbook. 

American Family Mutual Ins. Co. v. Caremel, Inc., No. 20 C 637, 2022 WL 79868 (N.D. Ill. Jan. 7, 2022). 

In Caremel, in an opinion written by Judge Leinenweber, the Court determined that the plain language of an employment-related practices (“ERP”) exclusion barred coverage for BIPA violations. In reaching its conclusion, the Court held that a BIPA violation was of the “same nature” as the exemplar, employment-related practices listed in the exclusion because they all “reflect a practice that can cause an individual harm to an employee.” The Court further rejected the insured’s argument that its fingerprint requirement was directed to all employees whereas the exclusion applied only to those employment practices directed at individuals. The Court reasoned that the harm, if any, would be experienced individually such that the exclusion would apply. Finally, the Court held that neither the access or disclosure exclusion nor the violation of statute exclusion applied to BIPA claims. With respect to the access/disclosure exclusion, the Court concluded that fingerprints were not similar in nature to the type of information (intellectual property, financial, and healthcare) listed by the exclusion. The Court also held that the violation of statute exclusion did not exclude coverage for BIPA claims as it was “virtually identical” to the provision in West Bend that the Illinois Supreme Court found did not exclude coverage. (See Previous Bytes Summary) 

Citizens Ins. Co. of America v. Thermoflex Waukegan, LLC, No. C 5980, 2022 WL 602534 (N.D. Ill. Mar. 1, 2022). 

The U.S District Court for the Northern District of Illinois, in an opinion written by Judge Kness, held that coverage under a primary commercial lines policy and a follow form excess and umbrella policy for alleged BIPA violations was not barred by the employment-related practices exclusion, the recording and distribution exclusion, or the access or disclosure exclusion. In each instance, the Court found that the provisions of the policy were ambiguous, and therefore, it had to resolve such ambiguities in favor of the insured. The employment-related exclusion barred coverage for employment practices and actions such as “coercion, demotion, evaluation, reassignment, discipline, defamation, harassment, humiliation, discrimination or malicious prosecution.” The Court concluded that the conduct in question in the case (collection of employees’ handprints) did not unambiguously share “general similitude with … other matters specifically enumerated in the [exclusion].” With respect to the recording and distribution exclusion, which excluded violations of any federal, state, or local ordinance or regulation, the Court relied heavily on the Illinois Supreme Court’s West Bend decision, in concluding that coverage should be permitted. The final exclusion stated that insurance does not apply to personal or advertising injury arising out of any access to or disclosure of any person’s confidential or personal information. Once again, the Court concluded that this provision was ambiguous.  (See Previous Bytes Summary) 

State Auto. Mutual Ins. Co. v. Tony’s Finer Foods Enterprises, Inc., No. 20-cv-6199, 2022 WL 683688 (N.D. Ill. Mar. 8, 2022). 

In Tony’s Finer Foods, State Farm filed a suit for a declaratory judgment, arguing that it had no duty to defend BIPA claims arising out of its insured’s collection and use of its employees’ fingerprints to clock in and out of work. State Farm denied coverage under a policy exclusion for certain employment-related practices. In denying State Farm’s motion for summary judgment, the Court, in an opinion written by Judge Seeger, determined that the policy exclusion did not apply to “any and all claims by employees” (such as BIPA) based on its structure and text. Instead, the policy language made clear that the exclusion applied only to a subset of employment claims: those that required a change in employment status or other negative treatment directed at the employee. The Court reasoned that scanning a fingerprint was not a disciplinary action, nor did it affect an employee’s standing with the company or otherwise constitute mistreatment of an employee. Accordingly, the Court concluded that the BIPA claims did not fall within the employment-related practices exclusion of the policy.  (See Previous Bytes Summary) 

Citizens Ins. Co. of Am. v. Highland Baking Co., Inc., No. 20-cv-04997, 2022 WL 1210709 (N.D. Ill. Mar. 29, 2022).  

In Highland Baking, the insurers filed a declaratory judgment action seeking declarations that they had no duty to defend or indemnify Highland Baking in an underlying putative class action alleging violations of BIPA and the Illinois Minimum Wage Act. The insurers argued that three exclusions applied and precluded coverage for the BIPA claims: (i) the employment-related practices exclusion; (ii) the recording and distribution of material or information in violation of law exclusion; and (iii) the access or disclosure of confidential or personal information exclusion. The Court, in an opinion written by Judge Pacold, concluded that none of the exclusions unambiguously precluded coverage of the BIPA claims based on the reasoning set forth in Citizens Ins. Co. of Am. v. Thermoflex Waukegan, LLC, No. 20-cv-05980, 2022 WL 602534 (N.D. Ill. Mar. 1, 2022), which the Court found “persuasive and fully applicable” and adopted without further comment.  

Citizens Ins. Co. of America v. Wynndalco Enterprises, LLC, No. 20 C 3875, 2022 WL 592534 (N.D. Ill. Mar. 30, 2022).  

In Wynndalco Enterprises, the U.S District Court for the Northern District of Illinois, in an opinion written by Judge Lee, held that coverage for alleged violations of BIPA was not unambiguously precluded by the distribution of material in violation of statutes exclusion in the business liability insurance policy at issue.  The exclusion barred coverage for injury arising out of violations of the Telephone Consumer Protection Act (“TCPA”), the CAN-SPAM Act of 2003, the Fair Credit Reporting Act (“FCRA”), the Fair and Accurate Credit Transaction Act (“FACTA”), or “any other laws, statutes… that address, prohibit, or limit the printing, dissemination, disposal, collecting, recording, sending, transmitting, communicating or distribution of material or information.” 

The Court held that BIPA did not share a common characteristic to the four statutes listed in the exclusion and because two senses of privacy existed within the exclusion, it was ambiguous: “To interpret the exclusion to cover every statute that concerns a person or entity doing practically anything whatsoever with ‘information’ would make certain coverage provisions illusory, including, for example, those that provide coverage for injuries ‘arising out of … [o]ral or written publication, in any manner, of material that violates a person’s right of privacy.’” (See Previous Bytes Summary) 

Thermoflex Waukegan, LLC v. Mitsui Sumitomo Ins., 595 F. Supp. 3d 677 (N.D. Ill. Mar. 30, 2022). 

In this case, the Court, in an opinion written by Judge Lee, held that the access or disclosure of confidential or personal information exclusion barred coverage for BIPA claims. In reaching its conclusion, the Court found the language of the commercial general liability policy exclusion (“This insurance does not apply to … [d]amages arising out of … any access to or disclosure of any person’s … personal information…”) unequivocal and expansive. Based on that unambiguous language, the Court ruled that because the underlying BIPA litigation sought damages arising out of a third-party’s access to or disclosure of personal information, “it clearly [fell] within the scope of the exclusion.” Further, the Court noted that even if it were to find the exclusion ambiguous, it would apply the interpretative canon of noscitur a sociis (literally meaning “it is known from its associates”) to conclude that the subset of information listed under the exclusion identifies the kind of information that individuals “have a heightened interest in keeping from third-parties or the public at large.” The Court determined that the biometric data that BIPA protects certainly falls within that category. Accordingly, the Court granted summary judgment in favor of the insurer. 

American Family Mut. Ins. Co. v. Carnagio Enterprises, Inc., No. 20-C-3665, 2022 WL 952533 (N.D. Ill. Mar. 30, 2022). 

In Carnagio, the Court, in an opinion written by Judge Lee, considered whether three different policy exclusions found in the insured’s Businessowners’ Liability Insurance policies precluded coverage for alleged violations of BIPA. The Court found that the employment-related practices (“ERP”) exclusion did not apply as it was “not enough that the underlying claim simply arise out of an employer-employee relationship.” Rather, the exclusion applied only when it involved an action related to an employee’s work performance. Because the practice of requiring employees to use their fingerprints to clock in and out of work applied generally to all employees rather than to a particular one and was otherwise unrelated to work performance, it did not fall within the ERP exclusion.  

Similarly, the Court, found that a distribution of material in violation of statutes provision did not exclude coverage. The Court construed the exclusion as applying only to those statutes it specifically identified – the Telephone Consumer Protection Act and the CAN-SPAM Act of 2003 (collectively the “Acts”) — and statutes, ordinances or regulations similar to those Acts. The Court concluded that BIPA was not similar to those Acts because it protected “a different kind of privacy” by regulating information that private citizens give away rather than regulating information they receive.   

Finally, the Court held that an access or disclosure of confidential or personal information and data-related liability exclusion did preclude coverage. The Court determined that the biometric data protected by BIPA clearly fell within the scope of the exclusion as it was the type of “confidential” or “personal” information which individuals “have a heightened interest in keeping from third-parties or the public at large.  (See Previous Bytes Summary) 

Philadelphia Indem. Ins. Co. v. Lewis Produce Market No. 2 Inc., No. 21 C 4037, 2022 WL 1045640 (N.D. Ill. Apr. 7, 2022).  

The U. S. District Court for the Northern District of Illinois, in an opinion written by Judge Kennelly, granted an insurer’s motion for judgment on the pleadings, holding no coverage for a lawsuit alleging violations of BIPA because the insured was unaware of the “claim” until after the policy period ended.   

The insurer issued two consecutive claims made policies to the policyholder, one for February 2, 2020 to February 1, 2021 and one for February 2, 2021 to February 1, 2022. The parties agreed that the 2021 policy does not provide coverage for lawsuits alleging privacy violations under BIPA.   

The 2020 policy at issue covered “Loss from Claims made against the Insured during the Policy Period.” The policy provides that a “Claim shall be considered made when an Insured first receives notice of the Claim.”  The lawsuit was filed on the last day of the policy period and the policyholder first learned of the lawsuit on February 8, 2021, about a week after the 2020 policy period.  After acknowledging the practical difficulties involved when a lawsuit is filed late on the last day of a policy period, the Court concluded that the policy could not be interpreted to provide greater coverage than the parties bargained for.  (See Previous Bytes Summary)  

Church Mut. Ins. Co. v. Prairie Village Supportive Living, LLC, No. 21 C 3752, 2022 WL 3290686 (N.D. Ill. Aug. 11, 2022). 

The United States District Court for the Northern District of Illinois, in an opinion written by Judge Kocoras, granted an insurer’s motion for judgment on the pleadings and held coverage for an alleged BIPA violation was precluded by the violation of laws applicable to employers exclusion in the employment practices liability (EPL) coverage.  

Church Mutual argued that it did not owe Prairie Village a defense or indemnity for an underlying lawsuit alleging BIPA violations filed by a former employee due to the EPL policy’s employment-related practices exclusion. Under this exclusion, any claim that arose out of a violation of an insured’s responsibility imposed by state statutes was exempt from coverage, however, the exclusion did not apply to claims arising out of certain enumerated exempted laws.  

As BIPA was not explicitly mentioned, the Court compared BIPA’s provisions to the laws within the exemption to the exclusion and found that BIPA imposes responsibilities on employers, which was categorically different from the exempted enumerated laws proscribing discrimination in one form or another (the ADA, Title VII, the FMLA, etc.). The Court determined that BIPA more closely shared general similarities with the statutes excluded, and thus, the Court held that Church Mutual had no duty to defend or indemnify Prairie Valley. 

Continental Western Ins. Co. v. Cheese Merchants of America, LLC, No. 21-CV-1571, 2022 WL 4483886 (N.D. Ill. Sept. 27, 2022).  

In Cheese Merchants, the U. S. District Court for the Northern District of Illinois, in an opinion written by Judge Seeger, held no coverage for a former employee’s lawsuit alleging violations of BIPA.  

First, the Court concluded the policy exclusion for employment-related practices (“ERP”) did not unambiguously preclude coverage for former employee’s claims. In interpreting the ERP exclusion, the court adopted the reasoning of Tony’s Finer Foods (see supra), and determined that using one’s hand or finger to clock-in and clock-out of work is a practice related to employment, but, after considering the complete text and the overall structure of the exclusion, it is a categorically different type of practice than everything else listed: “[E]verything else in the list involves mistreatment targeted at a specific employee – conduct direct ‘at that person.’”  

Next, the Court analyzed the access or disclosure of confidential or personal information exclusion and reasoned that a claim arising from the scanning of one’s hand unambiguously constituted a claim about personal information, and therefore, the exclusion barred coverage for the underlying BIPA action. 

Lastly, contrary to other courts in the district, the Court determined that the violation of laws exclusion also applied to preclude coverage:  “The inclusion of the FCRA makes this case meaningfully different than West Bend. … [H]ere, the exclusion covers two types of privacy statutes: two statutes that protect privacy when communicating with consumers (the TCPA and the CAN-SPAM Act), and one statute that protects the privacy of information given by consumers (the FCRA). The inclusion of the FCRA expands the scope of the exclusion.”  

State Auto Prop. & Cas. Ins. Co. v. Fruit Fusion, Inc., No. 3:21-CV-1132-NJR, 2022 WL 4549824 (S.D. Ill. Sept. 29, 2022). 

The United States District Court for the Southern District of Illinois, in an opinion written by Judge Rosenstengel, held coverage for an alleged BIPA violation was precluded by the recording and distribution of material or information in violation of law exclusion in a commercial general liability policy.  

First, State Auto’s personal and advertising liability provision included injury arising out of the oral or written publication of material that violates a person’s right to privacy, but it did not define “publication.” Using the court’s reasoning from West Bend, the Court reasoned that the term had at least two definitions, and although the underlying complaint did not clearly allege “publication” of biometric information, the Court must liberally construe ambiguities in favor of the insured. 

Similarly, the Court held that State Auto’s employment-related practices exclusion did not bar coverage because it did not unambiguously exclude BIPA claims. Consistent with other district court holdings, the Court reasoned that it would have to interpret the exclusion broadly for it to bar BIPA claims.  

Lastly, in interpreting the recording and distribution of material exclusion, the Court found the reasoning in Cheese Merchants instructive. Thus, the Court held that the underlying BIPA claim fell within State Auto’s exclusion because BIPA, like the FCRA, is concerned with the collection and transmittal of private information, and the underlying claim alleged the dissemination of an employee’s biometric information.  

Thermoflex Waukegan, LLC v. Mitsui Sumitomo Ins., No. 21 C 788, 2023 WL 319235 (N.D. Ill. Jan. 29, 2023). 

In this case, the United States District Court for the Northern District of Illinois, in an opinion written by Judge Durkin, declined to disturb Judge Lee’s previous ruling that Mitsui had no duty to defend or indemnify Thermoflex under the primary commercial general liability policies it issued to Thermoflex because of the access or disclosure exclusion. The Court further held that Mitsui owes Thermoflex a duty to defend under excess and umbrella policies, but that duty to defend does not arise until the limits of Thermoflex’s defending primary policy (Citizens see supra) are reached. 

As to the statutory violation exclusion, the Court distinguished West Bend because the exclusion at issue references three specific statutes, not two: the TCPA, the CAN-SPAM Act, and the FCRA / FACTA.  The exclusion at issue also contemplates other ways of handling material or information, including collecting, recording, printing, and disposing of material or information.  However, the Court reasoned that reading the exclusion to encompass any statute that relates in any other way to handling material or information would seem to swallow up large parts of coverage.  Thus, it held the exclusion is ambiguous and must be construed in favor of coverage.  

Next, the Court concluded that when the excess and umbrella policies were read as a whole, the data breach exclusion was not intended to bar coverage beyond data breach liability, but to the extent the data breach exclusion is open to another reasonable interpretation in light of its similar language to the access or disclosure exclusion, it is ambiguous and must be construed in favor of coverage.  

Finally, with regard to the employment-related practices (“ERP”) exclusion, the Court concluded that Theremoflex’s “policy” of requiring hourly workers to use a biometric time tracking and attendance system does not fall within the ERP exclusion, or at a minimum is ambiguous, and therefore, must be construed in favor of coverage.