The attorneys of Barnes & Thornburg are providing real-time updates, analysis and information regarding the myriad business issues stemming from the COVID-19 pandemic, including with regard to the complicated insurance issues resulting from it. As businesses continue to confront the impacts of the pandemic on their operations, employees, customers and finances, there is some welcome news on a different “viral” front. In what may be a boon for businesses (including employers and other entities) facing litigation under the Illinois Biometric Information Privacy Act (BIPA), the Appellate Court of Illinois (First District) recently held that an insurer had a duty to defend its insured against a lawsuit brought under BIPA.
As a general matter, among other provisions, BIPA prohibits businesses from collecting or disseminating an individual’s biometric information without prior written consent. Moreover, businesses must notify the individual why the biometric information is being collected and how long it will be kept. The biometric information collected by the business must be stored and protected in the same manner – or a more secure one – by which the business stores its own confidential information. BIPA provides penalties of up to $5,000 per violation.
In West Bend Mutual Insurance Company v. Krishna Schaumburg Tan, Inc., the underlying BIPA class action alleged that the defendant, a tanning salon, required customers “to have their fingerprints scanned,” and that the named plaintiff in the underlying suit “was never provided with, nor signed, a written release allowing Krishna to disclose her biometric data to any third party.” Critically, the underlying suit also alleged that the defendant tanning salon violated BIPA by “disclosing her fingerprint data to an out-of-state third-party vendor . . . without her consent.”
The tanning salon sought coverage for the BIPA suit from its insurance company, and the insurer agreed “agreed to defend . . . under a reservation of rights.” The insurer subsequently filed an action “seeking a declaration that it had no duty to defend or indemnify” the insured. On cross-motions for summary judgment, the trial court sided with the insured tanning salon, finding that the insurer had a duty to defend its insured in the underlying BIPA suit. The insurer appealed, and the appellate court rejected the insurer’s arguments, affirming the circuit court’s decision.
"This is another good pro-policyholder decision on this so-called 'silent cyber' issue," Barnes & Thornburg Insurance Recovery and Counseling partner Scott Godes explained in a recent Law360 article. "This was a non-cyber insurance policy found to respond to a data privacy situation."
At issue were two provisions of the insurance policies: (1) whether the policies’ definition of “personal injury” encompassed the allegations in the underlying BIPA class action; and (2) whether the policies’ “Violation of Statutes” exclusion barred coverage. The parties also presented argument regarding a third provision—the “Data Compromise Endorsement.” However, both the trial court and the appellate court found that because the policies themselves provided coverage, there was no need to reach the issue of the endorsement’s effect.
Personal Injury Under the Policies
The policies defined “personal injury” to include claims arising out of “[o]ral or written publication of material that violates a person’s right of privacy.” The underlying BIPA class action alleged that the tanning salon “violated the Act by providing her fingerprint data to a single third-party vendor.” The court agreed with the parties that “whether West Bend has a duty to defend specifically turns on the meaning of ‘publication’ in the policies.”
“Publication” was not defined in the policies, and the court rejected the insurance company’s argument that “publication” is limited to circumstances involving widespread dissemination of content. Rather, the court gave “publication” its plain meaning, explaining that “[c]ommon understandings and dictionary definitions of ‘publication’ clearly include both the broad sharing of information to multiple recipients . . . and a more limited sharing of information with a single third party.”
Moreover, the court focused on the terms that the insurance company chose to use, and what it did not include in the policy. It explained that had the insurance company “wished the term ‘publication’ to be limited to communication of information to a large number of people, it could have explicitly defined it as such in its policy.” Ultimately, the court held that the insurer had a duty to defend the underlying BIPA class action.
Violation of Statutes Exclusion
The insurer also argued that coverage was barred by the policies’ “violation of statutes” exclusion, which barred coverage for “personal injuries” arising out of “any action or omission that violates or is alleged to violate” the Telephone Consumer Protection Act (TCPA), the CAN¬-SPAM Act of 2003, or “[a]ny statute, ordinance or regulation … that prohibits or limits the sending, transmitting, communicating or distribution of material or information.” The insurer invoked the exclusion, arguing that BIPA “prohibits or limits the sending … of material or information.”
The court disagreed, noting that the exclusion’s full title and text made clear that it barred coverage only for violations of statutes governing methods of communication, such as the TCPA or CAN-SPAM Act. The court held that the exclusion did not apply to statutes governing the fact of “sending or sharing of certain information,” such as BIPA. Again, the court focused on the insurance company’s choice of language when drafting of the policies, explaining that had the insurance company wanted its “violation of statutes” exclusion to apply to statutes, like BIPA, that “lend themselves to class action litigation [and] pose serious insurance risks,” “it could have written it so.”
In making that ruling, the court followed basic principles of insurance law. As Law360 noted:
However, as Barnes & Thornburg's Godes sees it, the panel applied bedrock principles of insurance policy interpretation across the board — including the maxim that exclusions should be interpreted narrowly.
"I have seen arguments that this [violation of statutes] exclusion bars coverage for any class action stemming from a privacy-related statute, so it was significant that the appeals court rejected that position," he said. "I was glad to see the court point out that if the insurance company wanted a narrower interpretation of the policy language, it should have included that language in the first place."
The West Bend decision is important for businesses operating in Illinois. BIPA remains a substantial source of litigation, and Illinois remains the epicenter of the ongoing wave of BIPA class action litigation. Employers and other businesses would be well served by reviewing their policies and procedures with regard to biometric information to be sure they are in compliance with BIPA. Further, in light of the guidance from the West Bend decision, companies that find themselves facing litigation under BIPA (or the prospect of litigation) may also wish to review their insurance policies to determine if coverage is available.
