Companies doing business in Illinois are keenly aware of the recent flood of lawsuits alleging violations of the Illinois Biometric Information Privacy Act (BIPA). They know that BIPA lawsuits can be costly to defend. And they understand that if they are found to have mishandled the retention, collection, disclosure or destruction of biometric information, they could face substantial exposure.

Not surprisingly, the first question most companies ask when they learn about a new BIPA lawsuit is: Do we have coverage for that? To answer that question, companies will want to closely review the recent Illinois Appellate Court decision in West Bend Mutual Insurance Co. v. Krishna Schaumburg Tan, Inc., 2020 IL App (1st) 191834. According to that ruling, they might have coverage.

My colleagues Al Fowerbaugh and Karen Borg previously wrote about BIPA’s potential application in Clearview AI’s creation of biometric data for this Law360 article.

Why is the West Bend Mutual v. Krishna ruling important? 

In a novel ruling, the Illinois Appellate Court found that an insurer had a duty to defend a BIPA class action lawsuit under the relevant commercial liability policy. Specifically, the court found that the BIPA lawsuit’s allegations potentially fell within the policy’s definition of “personal injury.” As a result, companies facing a BIPA lawsuit should carefully review their commercial liability policies to see if they contain similar language.

What did that BIPA lawsuit allege?

In the underlying lawsuit, the plaintiff alleged that the insured—an L.A. Tan franchisee—automatically enrolled its customers into the L.A. Tan national database so they could use their membership at various L.A. Tan locations. According to the complaint, customers were required to scan their fingerprints so the fingerprint data could be used to verify their identify at various tanning salons. The plaintiff claimed that the insured violated BIPA by, among other things, disclosing her fingerprint data to an out-of-state third-party vendor without her consent.

What was the relevant policy language? 

Under that Businessowners Liability Coverage Form, the insurer would pay “those sums that [the insured] becomes legally obligated to pay as damages because of ‘personal injury’ to which this insurance applies.” The insurer would have a duty to defend the insured against “any ‘suit’ seeking those damages.” Coverage would apply to “‘personal injury’ caused by an offense arising out of your business, excluding advertising, publishing, broadcasting or telecasting done by or for you.” “Personal injury” was defined as: “[I]njury, other than ‘bodily injury,’ arising out of . . . [o]ral or written publication of material that violates a person’s right of privacy.”

The policy also included the following “violation of statutes” exclusion:

EXCLUSION — VIOLATION OF STATUTES THAT GOVERN E-MAILS, FAX, PHONE CALLS OR OTHER METHODS OF SENDING MATERIAL OR INFORMATION

* * *

This insurance does not apply to:

DISTRIBUTION OF MATERIAL IN VIOLATION OF STATUTES

‘Bodily injury,’ ‘property damage,’ ‘personal injury’ or ‘advertising injury’ arising directly or indirectly out of any action or omission that violates or is alleged to violate:

    1. The Telephone Consumer Protection Act (TCPA), including any amendment of or addition to such law; or
    2. The CAN-SPAM ACT of 2003, including any amendment of or addition to such law; or
    3. Any statute, ordinance or regulation, other than the TCPA or CAN-SPAM Act of 2003, that prohibits or limits the sending, transmitting, communicating or distribution of material or information.

Why did the court find coverage? 

The relevant policy language provided that the insurer would defend a lawsuit alleging a “personal injury,” which was defined as “injury, other than ‘bodily injury,’ arising out of oral or written publication of material that violates a person’s right of privacy.” The crux of the court’s decision turned on the meaning of the undefined term “publication.” Specifically, whether providing fingerprint data to a single third-party vendor constitutes “publication” under the policy. The court rejected the insurer’s argument that “publication” meant broad sharing to multiple recipients. Instead, relying on common understandings and dictionary definitions, the court applied a much broader definition that also included a more limited sharing of information with a single third party. Since the BIPA complaint alleged that the insured provided fingerprint data to a third party, the court found that the policy potentially covered the BIPA claim. As a result, the insurer had a duty to defend its insured against the underlying complaint pursuant to the “personal injury” coverage provision.

The court also rejected the insurer’s argument that the “violation of statutes” exclusion bars coverage. The court narrowly construed the exclusion, holding that it only applies to bar coverage of violations of statutes that regulate methods of communication, like telephone calls, e-mails, and faxes. Since BIPA says nothing about methods of communication—it regulates “the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information”—the court found that the exclusion did not bar coverage for BIPA claims.

Anything else of interest? 

The insured also argued for coverage under the policy’s Data Compromise Endorsement. That endorsement provided “an Additional Coverage” for “personal data compromise” under certain conditions. The definition section of that endorsement read as follows:

7. “Personal Data Compromise” means the loss, theft, accidental release or accidental publication of “personally identifying information” or “personally sensitive information” as respects one or more “affected individuals.” This definition is subject to the following provisions:

***

b. “Personal Data Compromise” includes disposal or abandonment of “personally identifying information” or “personally sensitive information” without appropriate safeguards such as shredding or destruction, subject to the following provisions:

1. The failure to use appropriate safeguards must be accidental and not reckless or deliberate.

But having found that the BIPA complaint’s allegations potentially fell within the policy’s definition of “personal injury” and that the “violation of statutes” exclusion did not apply to bar coverage, the court did not consider whether the data compromise endorsement would also provide coverage.  As a result, that is still an open issue in Illinois.

Conclusion

West Bend provides important guidance in determining whether companies’ commercial liability policies will cover BIPA claims. When faced with such a claim, it is a good idea to quickly engage counsel to help assess available insurance coverages.

For more information please contact Andrew Shapiro or any member of Porter Wright’s Insurance Litigation or Data Privacy & Security practice groups.