BatesCarey's Joanna Gau Swartout discussed the May 20, 2021 Illinois Supreme Court ruling that an insurer owes a duty to defend a policyholder in a putative class action complaint alleging violations of Illinois’ Biometric Information Privacy Act (“BIPA”) related to the collection of customers’ fingerprints at a L.A. Tan franchise in West Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc., 2021 IL 125978. While the decision settles the specific coverage interpretation at issue in that matter, numerous pending and future coverage battles involving BIPA claims raise different and unresolved coverage challenges.

THE BIPA CLAIM AGAINST KRISHNA

BIPA seeks to safeguard individuals’ biometric identifiers and information, including a scan of an individual’s face geometry or fingerprints.  This is the software often used by employers for their employees to “swipe in” with a handprint, or by a dentist office for patients to register upon arrival with a finger on a glass screen, or even by amusement parks so that season ticket holders can be easily identified for entry to the park.

Pursuant to BIPA, private entities are: (a) prohibited from collecting, capturing, or otherwise obtaining an individual’s biometric identifiers and information without providing written notice and obtaining a written release; (b) prohibited from selling, leasing, trading, or otherwise profiting from an individual’s biometric identifiers and information; (c) prohibited from disclosing redisclosing, or otherwise disseminating an individual’s biometric identifiers or information in the absence of circumstances specifically set forth in the statute; and (d) required, to the extent it is in possession of biometric identifiers or information, to develop a written policy, made available to the public, that establishes a retention schedule and guidelines for permanently destroying such identifiers and information. BIPA provides for a private right of action and allows a prevailing party to recover liquidated damages in the amount of: (a) $1,000 or actual damages, whichever is greater, for negligent violations of its provisions; and (b) $5,000 or actual damages, whichever is greater, for intentional or reckless violations of its provisions. BIPA also allows for the recovery of attorneys’ fees and costs, and injunctive relief.

On April 7, 2016, Klaudia Sekura filed a class-action lawsuit in the Circuit Court of Cook County against Krishna Schaumburg Tan, Inc. (“Krishna”), a tanning salon in Iliinois. Sekura alleged that Krishna (1) violated BIPA provisions relating to the collection of biometric identifiers and biometric information when it scanned Sekura’s and other customers’ fingerprints and (2) violated BIPA provisions relating to the disclosure of biometric identifiers and information when it disclosed biometric information containing her fingerprints “to an out-of-state third party vendor, SunLync.” Krishna tendered the defense of Sekura’s lawsuit to its insurer West Bend Mutual Insurance Company (“West Bend”). West Bend defended under a reservation of rights and filed a declaratory judgment action against Krishna, contending that it did not owe a duty to defend Krishna against Sekura’s lawsuit because the allegations in the lawsuit did not constitute a “personal or advertising injury.” Specifically, West Bend argued that its personal and advertising injury coverage only applied to privacy claims arising from a “publication” of private materials, and with regard to BIPA violations, there is no true wide-spread “publication” of the biometric information. The West Bend policy also included an exclusion applicable to claims that allege violation of statutes that govern email and other methods of sending information, including the Telephone Consumer Protection Act and the CAN-SPAM Act of 2003 (“Violation of Statutes exclusion”).

West Bend and Krishna filed cross-motions for summary judgment. The trial court entered a judgment for Krishna, finding that the lawsuit implicated the policy's coverage for invasion of privacy claims, and that the Violation of Statutes exclusion was inapplicable. West Bend appealed, and, in March 2020, the Illinois First District appeals court affirmed that violations of BIPA constitute a potentially covered claim for invasion of privacy, that disclosure of biometric information to just one person satisfies the “publication” requirement, and that the exclusion only applies to statutes that govern certain means of transmission like “emails, fax, phone calls or other methods of sending material or information,” as opposed to statutes that generically address the transmission of information through other means. West Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc., 2020 IL App (1st) 191834. 

THE ILLINOIS SUPREME COURT’S RULING 

On May 20, the Illinois Supreme Court affirmed the First District in ruling that the underlying complaint alleges that Krishna’s acts in requiring underlying plaintiff to submit fingerprints caused the underlying plaintiff a “personal injury” and that the sharing of biometric identifiers and information to an out-of-state vendor was a “publication” of material that violated underlying plaintiff’s right to privacy. West Bend,  2021 IL 125978, ¶¶36, 43, 46. In so ruling, the Court reasoned that, since the West Bend policies do not define the term “publication,” the ordinary and popular meaning is afforded to it which includes both communications to a single party and communication to the public at large. “Accordingly, we adopt the construction used by Krishna and the appellate court and construe the term publication in West Bend’s policies to include a communication with a single party.” 

Then, the Illinois Supreme Court held that West Bend has a duty to defend Krishna because the underlying complaint alleges or potentially alleges that underlying plaintiff suffered a personal injury within the purview of West Bend’s policies, that Krishna shared underlying plaintiff’s biometric identifiers with an out-of-state vendor which falls within the meaning of publication of the West Bend policies, and that alleged sharing of information also falls within or potentially within the term “right of privacy” within the West Bend policies. Id. at ¶¶49-51.

Finally, the Illinois Supreme Court held that the exclusion titled “Violation of Statutes that Govern Emails, Fax, Phone Calls, or Other Methods of Sending Material or Information” did not apply to bar coverage. Like the appellate court, the Supreme Court agreed that this exclusion was meant to exclude the “same general kind of statutes that regulate methods of communication like the TCPA and the CAN-SPAM Act. Therefore, since [BIPA] is not a statute of the same kind as the TCPA and the CAN-SPAM Act and since [BIPA] does not regulate methods of communication, the violation of statutes exclusion does not apply to [BIPA].” Id. at ¶58.

The Illinois Supreme Court affirmed the decision of the appellate court and the cause remanded. 

WHAT WAS NOT ADDRESSED IN THIS RECENT BIPA DECISION

While the Supreme Court’s ruling appears to resolve the questions of whether BIPA violations constitute a “personal and advertising injury” violation and whether the specific distribution of information exclusionary language in that case applies, other coverage issues were not adjudicated and remain unresolved. 

Some policies contain an endorsement adding an Employment-Related Practices Exclusion, which bars coverage for “personal and advertising injury” to a person arising out of any “employment related practices, policies, acts or omissions, such as coercion, demotion, evaluation, reassignment, discipline, defamation, harassment, humiliation, discrimination, or malicious prosecution directed at that person.” This exclusion commonly applies to bar coverage for instances of termination, defamation, retaliatory discharge, or harassment in the workplace. See West Bend Mut. Ins. Co. v. Rosemont Exposition Services, Inc., 378 Ill. App.3d 478 (1st Dist. 2007)(defamation claim brought by terminated employees was related to employment relationship and excluded from coverage under employment-related practices exclusion). This exclusion would come into play with BIPA cases where underlying plaintiffs are current and former employees alleging violations most often in using their finger or handprints for timekeeping purposes.  The applicability of the Employment-Related Practices Exclusion to BIPA violations is currently being litigated in a few declaratory judgment actions: 1) Starr Surplus Lines Ins. Co. v. McDonald’s USA, LLC, et al, No.2021CH01706 (Ill. Cir. Ct., Cook Cnty. Apr. 8, 2021); 2) State Automobile Mutual Insurance Co. v. Tony's Finer Foods Enterprises Inc. et al, No. 20C6199 (N.D. Ill. Jan. 28, 2021) and, 3) Society Ins. v. Cermak Produce, et al., No. 1:21-CV-01510 (N.D. Ill. Mar. 18, 2021). 

Some policies also contain an endorsement that adds the Access or Disclosure of Confidential or Personal Information and Data-Related Liability Exclusion (the “Disclosure of Personal Information Exclusion”), which precludes coverage for disclosure of any person's confidential or personal information, including health information or any other type of nonpublic information. The endorsement excludes from coverage “personal and advertising injury” arising out of “any access to or disclosure of any person's or organization's confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information.” Similar exclusions were raised in the above referenced McDonald’s and Cermak Produce declaratory judgment actions, and remain pending. 

Finally, some newer policies contain an exclusion titled Recording and Distribution of Material or Information in Violation of Law which provides, in relevant part, that this insurance does not apply to “personal and advertising injury” “arising directly or indirectly out of any action of omission” that violated or is alleged to violate TCPA, CAN-SPAM Act of 2003, the Fair Credit Reporting Act (FCRA) or “any federal, state or local statute, ordinance or regulation, other than the TCPA, CAN-SPAM Act of 2003 or FCRA and their amendments and additions, that addresses, prohibits, or limits the printing, dissemination, disposal, collecting, recording, sending, transmitting, communicating or distribution of material or information.”  This exclusion is a more recent version of the “Violation of Statutes that Govern Emails, Fax, Phone Calls, or Other Methods of Sending Material or Information” addressed in West Bend v. Krishna and contains more expansive language, as well as specifically adds the FRCA which is a statute aimed at regulating the collection of consumers’ credit information and access to their credit reports. The FCRA falls into a different classification of statute not aimed at regulating methods of communication unlike the reasoning utilized in Krishna. Like BIPA, the FCRA regulates the collection and use of information.  The applicability of the Recording and Distribution of Material or Information in Violation of Law exclusion is currently being litigated in Citizens Ins. Co. v. Wynndalco Enters., LLC, No. 1:20-CV-03873 (N.D. Ill. July 1, 2020).

TAKEAWAYS 

The West Bend v. Krishna decision makes clear that BIPA violations will likely satisfy the “personal injury” requirement of Coverage B through the publication of material that violates a person’s right of privacy and that this specific version of the Violation of Statutes exclusion also does not exclude coverage. Thus, it seems that non-employment instances of BIPA claims have gained more ground toward finding coverage for such claims. However, in both employment and non-employment claims alike, there still remain potentially strong additional exclusions not addressed in West Bend v. Krishna that are at the precipice of being tested in Illinois courts.