Insurance Coverage Update - Illinois Appellate Court Finds Coverage for BIPA Lawsuit Under General Liability Policy
In a unanimous decision, the Illinois First District Appellate Court affirmed a lower court’s decision that an insurer must defend its insured in a proposed class-action lawsuit for alleged violations of the Biometric Information Privacy Act (“BIPA”), 740 Ill. Comp. Stat. Ann. 14/1 et seq., under its business liability policies. W. Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc., 2020 IL App (1st) 191834 (March 20, 2020).
As background, BIPA is an Illinois biometric privacy law that regulates the collection, use and retention of biometric information, which is data that stems from an individual’s biological characteristics such as a retina scan, fingerprint, voiceprint, or scan of hand or face geometry. BIPA prohibits the collection of biometric information from Illinois residents without providing certain disclosures and obtaining written consent. BIPA also uniquely permits individuals whose biometric information is collected in violation of the act to sue and possibly recover liquidated damages up to $1,000 for each negligent violation, and up to $5,000 for each intentional or reckless violation, among other things.
The insurance coverage dispute in West Bend stemmed from an underlying lawsuit in which the plaintiff alleged that the insured tanning salon, Krishna Schaumburg Tan Inc., violated BIPA when it provided customer fingerprint data to a third-party vendor. According to the lawsuit, the salon required customers to enroll in its national membership database and have their fingerprints scanned so the salon could verify the customer’s identity when purchasing services. The salon allegedly violated BIPA by disclosing the underlying plaintiff’s fingerprints to a third-party vendor, SunLync, without prior consent.
The insured salon tendered the underlying action for coverage under two business liability policies that West Bend Mutual Insurance Co. (“West Bend”) issued to the salon. The Policies provided coverage for “personal injury” and defined “personal injury” to mean, in part, “injury, other than ‘bodily injury,’ arising out of … oral or written publication of material that violates a person’s right of privacy.” West Bend agreed to defend the insured salon, subject to a reservation of rights, and then filed a declaratory judgment action in Illinois state court, seeking a ruling that it had no duty to defend or indemnify the salon in the underlying action. The trial court found that West Bend had a duty to defend because the claims fell within the policies' coverage for “personal injury” as a “publication which violates a person's right to privacy.” Moreover, the court determined that a policy exclusion for violation of statutes that govern e-mails, fax, phone calls and other methods of sending material or information (i.e., the violation of statutes exclusion) did not preclude coverage.
On appeal, West Bend argued that the lower court erred in finding a duty to defend because the underlying BIPA allegations did not fall within the policies' definition of “personal injury.” Specifically, West Bend asserted that “publication” requires communication of information to the public at large, not simply disclosure to a single third party. The court, however, disagreed and found that the underlying complaint alleged a personal injury because the plaintiff asserted that the insured salon violated BIPA by providing her fingerprint data to a third-party vendor. The Court reasoned that had West Bend “wished the term ‘publication’ to be limited to communication of information to a large number of people, it could have explicitly defined it as such in its policy,” but it did not do so here.
In addition, when discussing “publication,” the Court did not distinguish the meaning of “publication” in the context of a privacy claim versus a defamation claim. The Court reasoned:
To the extent that West Bend suggests that “publication” means something different in the context of defamation than it does in the context of privacy rights, the policies use the exact same terminology of “[o]ral or written publication of material” as the basis for both a defamation-related injury and a privacy-related injury. These two definitions are immediately sequential in the policies. When construing insurance policies, “‘it is a general rule that absent language to the contrary, a word or phrase in one part is presumed to have the same meaning when it is used in another part of a policy.’” . . . This should be particularly true where, as here, the two policy provisions are in the same section of the policies.
Ultimately, the Court determined that the allegations asserted in the underlying BIPA lawsuit were potentially covered under the policies pursuant to the “personal injury” coverage provisions and, therefore, West Bend was obligated to defend its insured against the lawsuit.
The Court also determined that the policy exclusion for violation of statutes did not exclude coverage for the alleged violations of BIPA. The violation of statutes exclusion bars coverage for personal injuries arising out of violations of statutes that govern e-mails, fax, phones or other methods of sending material or information, such as the Telephone Consumer Protection Act, the CAN-SPAM Act of 2003, or “[a]ny statute, ordinance or regulation … that prohibits or limits the sending, transmitting, communication or distribution of material or information.” The Court noted that the exclusion explicitly applies to the federal Telephone Consumer Protection Action and other laws that regulate “methods” of communication. Because BIPA regulates “the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information,” which does not pertain to a “method” of communication, the Court found that it was not applicable.
Lastly, the Court affirmed the lower court’s decision to dismiss the insured’s counterclaim against West Bend for bad faith denial of coverage under Section 155 of the Illinois Insurance Code. In accordance with long-standing Illinois law, the Court found the statute inapplicable because there was a bona fide coverage dispute regarding the insurer’s obligations to defend its insured.
Since BIPA was enacted in 2008, a growing number of Illinois businesses have been sued in class action lawsuits under the statute. We anticipate this trend will continue, especially in light of the Illinois Supreme Court’s 2019 decision finding that a person need not demonstrate “actual injury or adverse effect, beyond violation of his or her rights under the Act [BIPA], in order to qualify as an aggrieved person.” See Rosenbach v. Six Flags Entm't Corp., 2019 IL 123186. While the vast majority of these lawsuits have been filed in state court, this week, the Seventh Circuit carved a path for BIPA litigation to proceed in federal court. In Bryant v. Compass Grp. USA, Inc., the Seventh Circuit determined that a plaintiff alleging violations of BIPA for failure to provide proper notice and obtain written consent before collecting biometric data has standing to litigate these claims in federal court. Bryant v. Compass Grp. USA, Inc., No. 20-1443, 2020 WL 2121463, at *1 (7th Cir. May 5, 2020) (holding that failure to provide proper disclosures and obtain written consent before collecting biometric information “leads to an invasion of personal rights that is both concrete and particularized”). With these significant decisions, BIPA litigation is here to stay for the time being. That said, in the wake of the Rosenbach, the Illinois legislature is considering legislation that would remove the private right of action from BIPA. If this bill were to pass, it could curtail BIPA litigation which, in turn, could impact the number of claims insurers face relating to BIPA.
Nevertheless, whether coverage for BIPA claims exists under various types of policies – cyber liability, media liability, professional liability, employers liability and commercial general liability policies – will remain an issue, as other states are considering whether to enact similar legislation. In addition, there will still be potential liability exposure to companies that collect, use and store biometric information. The Court’s decision in West Bend is only the most recent example of how a court has analyzed this issue. Consequently, it is important for insurers to be aware of whether its policies may provide coverage for these claims and to continue to monitor the insurance coverage litigation on this topic.
If you have any questions about this Update, please contact the author listed below or the Aronberg Goldgehn attorney with whom you normally consult:
Amber O. LaFevers
CLICK HERE to view a PDF copy of this Update.
©2020 Aronberg Goldgehn. All rights reserved. The above material is intended for general information and promotional purposes, and should not be relied on or construed as professional advice. Under the Illinois Rules of Professional Conduct, the above information may be considered advertising material. The transmission of this information is not intended to create, and receipt of it does not create, a lawyer-client relationship.