Three More Recent Opinions

The Northern District of Illinois issued three rulings regarding insurance coverage for alleged violations of the Illinois Biometric Information Privacy Act. In each decision, the Court considered certain exclusions relied upon by the respective insurers to deny coverage: an Employment-Related Practices (“ERP”) exclusion, a Distribution of Material in Violation of Statutes (“Statutory Violation”) exclusion, and Access/Disclosure exclusion. Each opinion treated the arguments differently.

Regarding the ERP exclusion, all three of the courts ruled in favor of the insured, but for distinct reasons. Each of the courts set out to determine whether the practice at issue (that is, collecting employees’ handprints or fingerprints on time clocks) fell within an exclusion for claims of personal and advertising injury arising out of any (a) refusal to employ that person; (b) termination of that person’s employment; or (c) employment-related practices, policies, acts or omissions, such as coercion, demotion, evaluation, reassignment, discipline, defamation, harassment, humiliation, or discrimination directed at that person. The Carnagio court held that the list related to actions involving the employee’s performance, while the Tony’s Finer Foods court held that the list covers a “subset of claims brought by employees.” In both cases, the collection of fingerprints for clock-in and clock-out was too dissimilar from those examples such that the exclusion was found not to apply. Thermoflex, finally, found the provision was ambiguous and held for the insured for that reason.

Regarding the Statutory Violation exclusion considered in two of the cases, both courts ruled in favor of the insured. The Thermoflex and Carnagio courts both relied upon recent Illinois precedent, in W. Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc., 2021 WL 2005464 (May 20, 2021) (see Insurance Bytes summary) in holding that BIPA is dissimilar to the statutes mentioned in the exclusion—the Telephone Consumer Protection Act, the CAN-SPAM Act of 2003, and the Fair Credit Reporting Act—and thus not within the ambit of the exclusion.

Lastly, the Access/Disclosure exclusion was considered in two cases, with the courts arriving at opposite results. The exclusion in both cases precludes coverage for any personal and advertising injury “arising out of any access to or disclosure of any person’s or organization’s confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information.” However, the Thermoflex court, noting that BIPA itself distinguishes between “biometric identifiers” and “confidential and sensitive information” held that it was ambiguous whether handprints fell into the exclusion (thus ruling for the insured), while the Carnagio court was willing to make a determination: biometric data protected by BIPA is within a category of information which individuals “have a heightened interest in keeping from third-parties or the public at large.” Thus, the Carnagio court held that the Access/Disclosure exclusion does exclude coverage for allegations of BIPA violations, coming to a different conclusion than the Thermoflex court did.

Cases discussed: Citizens Ins. Co. of Am. v. Thermoflex Waukegan, LLC, 2022 WL 602534 (N.D. Ill. Mar. 1, 2022); Am. Family Mut., Ins. Co., S.I. v. Carnagio Enters., Inc., 2022 WL 952533 (N.D. Ill. Mar. 30, 2022); State Auto. Mut. Ins. Co. v. Tony’s Finer Foods Enters., Inc., 2022 WL 683688 (N.D. Ill. Mar. 8, 2022)