Skip to content
Casualty Coverage Chronicle

Casualty Coverage Chronicle

Covering Casualty & Specialty Insurance Decisions & Developments

  • About
  • Contact
  • Capabilities
Menu

Illinois Appellate Court Requires CGL Insurer To Defend Insured Against BIPA Claim

Posted on April 16, 2020 by Farrell Miller, Rafael Rivera

Illinois’ Biometric Information Privacy Act (“BIPA”) restricts businesses that collect biometric information (e.g., DNA, fingerprints, facial and iris recognition) from disseminating that information. Although BIPA had been in effect for more than a decade, the Illinois Supreme Court’s ruling in Rosenbach v. Six Flags Entertainment Corp., 129 N.E.3d 1197 (Ill. 2019), spawned widespread litigation against companies. In Rosenbach, the court held that a plaintiff may be “aggrieved”, and has standing to sue for statutory damages, without alleging an “actual injury” caused by a BIPA violation. Since then, businesses and insurers have expressed concern about an influx of BIPA claims and how courts would address attendant coverage issues.

On March 20, 2020, an Illinois appellate court issued an opinion regarding CGL coverage for BIPA claims. West Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc. et al., — N.E.3d —-, 2020 IL App (1st) 191834 (Ill. App. Ct. 2020). The court held that an insurer must provide a defense in a lawsuit alleging that an insured disclosed a customer’s fingerprints (biometric data) without consent in violation of BIPA.

The insured, a tanning chain franchisee, required customers to scan their fingerprints for identification purposes. The claimant alleged that the insured violated BIPA by disclosing her biometric data to a third-party software vendor. After receiving notice, the insurer agreed to defend under a reservation of rights but simultaneously filed suit seeking a declaration that the policy did not cover the lawsuit.

The court held that the underlying suit alleged a “personal injury”, thus triggering coverage under the policy. “Personal injury” included injury arising out of “oral or written publication of material that violates a person’s right of privacy.” The court observed that the underlying lawsuit alleged that the insured provided the claimant’s biometrics to a third-party vendor. After considering dictionary definitions, the court reasoned that “publication” includes “both the broad sharing of information to multiple recipients . . . and a more limited sharing of information to a single third party.” Moreover, the court reasoned that if the insurer sought to limit the “publication” to mean communication to many people, it should have added language in the policy to that effect.

The court also rejected the insurer’s argument that a “violation of statutes” exclusion applied. The exclusion (titled “Violation of Statutes That Govern E-Mails, Fax, Phone Calls or Other Method of Sending Material or Information”) barred coverage for personal injuries arising out of violations of: (1) the TCPA; (2) the CAN-SPAM Act of 2003; or (3) “[a]ny statute, ordinance or regulation . . . that prohibits or limits the sending, transmitting, communication or distribution of material or information.” Specifically, the insurer argued that because BIPA prohibits the disclosure of biometric data, the underlying lawsuit fit within the exclusion’s catchall provision for “[a]ny statute . . . that prohibits” disclosure of “material or information.”

The court disagreed with the insurer, holding that the catchall must be read in light of the preceding references to the TCPA and CAN-SPAM Act. It reasoned that those “statutes . . . govern certain methods of communication, i.e., e-mails, faxes, and phone calls”, whereas BIPA does not and instead regulates a class of data (namely, biometric data) (emphasis added). Thus, the court held that the insurer had a duty to defend the insured for allegedly violating BIPA.

Conclusion

The appellate court’s decision raises several issues. First, the court interpreted the term “publication” in connection with a privacy-related claim to include disclosure of information to a single person. But publication to a single person generally applies only in the defamation context. The court did not analyze whether the term “publication”, in the context of privacy-related claims, warranted a different interpretation, to require publication to a broader audience as a prerequisite for liability.

Second, the court did not enforce the “violation of statutes” exclusion. BIPA actually says “[n]o private entity in possession of a biometric identifier or biometric information may disclose, redisclose, or otherwise disseminate a person’s or a customer’s biometric identifier or biometric information” unless certain conditions are met. As such, BIPA does regulate methods of communications in the sense that no company may “disclose, redisclose, or otherwise disseminate” a person’s biometric data using any method of transmission.

About The Authors
Share this...
Share on twitter
Twitter
Share on linkedin
Linkedin
Posted in UncategorizedTagged Biometric Information Privacy Act, BIPA, Commercial General Liability Insurance, Duty to Defend, Insurance biometric, Personal & Advertising Injury Coverage

Post navigation

California Supreme Court Holds That Notice-Prejudice Rule Is A “Fundamental Public Policy” That Can Override Choice of Law Provisions
Milkshake Kiosk Meets “Advertising Injury” Requirement for Publication

Related Post

  • Is there CGL Coverage for Cyber Breach Claims?
  • Contractual Limitations on Umbrella Coverage and the Texas Supreme Court: Umbrella Policy Coverage Extended Beyond Service Contract Requirements
  • Washington Supreme Court Holds Certain Hybrid Occurrence/Claims-Made and Reported Policies May Violate Public Policy
  • Forum Selection Pause: Washington’s Prohibition on Forum Selection Clauses in Insurance Contracts
  • Waste Water and Ambiguities: Oklahoma Supreme Court Affirms that Carrier Must Defend Oil and Gas Company in Property Damage Suit
  • When Negligence Is Not an Accident: No “Occurrence” for Intentional Land Clearing

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Disclaimer
This Blog/Website is made available by the lawyer or law firm publisher for educational purposes only as well as to give you general information and a general understanding of the law, not to provide specific legal advice. By using this blog site you understand that there is no attorney client relationship between you and the Blog/Website publisher. The Blog/Website should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.