INTRODUCTION

Disputes between insurers and their policyholders relating to insurers’ coverage obligations in biometric privacy-related litigation are on the rise. Over the past year, insurers have commenced a number of declaratory judgment actions asserting that they have no duty to defend their policyholders in lawsuits alleging violations of biometric privacy statutes. A recent Supreme Court of Illinois decision, however, brings good news for policyholders, with the Northern District of Illinois largely following suit.

LITIGATION RELATING TO BIOMETRIC PRIVACY STATUTES

In 2008, Illinois enacted the Biometric Information Privacy Act (BIPA), which marked Illinois as unique in the protections provided for biometric information.¹ BIPA is intended to protect the privacy interests associated with an individual’s biometric information by regulating how businesses collect, use, and store biometric identifiers.² Illinois’s BIPA sets itself apart from privacy statutes enacted by other states in being the first state to create a private right of action that entitles individuals to seek statutory liquidated damages for violations of the statute.³ 

The interest of state legislatures in regulating the collection, use, and storage of biometric data remains strong. In the first quarter of 2022, seven state legislatures—in California,⁴ Kentucky,⁵ Maine,⁶ Maryland,⁷ Massachusetts,⁸ Missouri,⁹ and New York¹⁰ —introduced biometric privacy laws based on BIPA.

While the interest of state legislatures has risen, litigation in this area got off to a slow start. It was not until 2015 that the first suits—filed by customers and employees—began to appear. As litigation in this area began to pick up, companies named as defendants in these lawsuits naturally looked to their insurers to provide defense and indemnity coverage. 

TYPES OF INSURANCE POLICIES AT ISSUE

Companies faced with biometric privacy claims may have a range of options for insurance coverage. Claims under BIPA often assert both negligent and intentional invasions of privacy. Additionally, BIPA claims are often brought by an employee (or class of employees) against his or her employer relating to that employer’s collection, storage, and use of sensitive personal information. The nature of the BIPA lawsuits makes three types of insurance policies possible sources of coverage: commercial general liability (CGL) policies, employment practices liability policies, and cyber insurance policies.

While there may be various types of coverage available, at present, policyholders appear to have their sights focused primarily on CGL coverage. The broad duty to defend typically provided by CGL policies, which requires insurers to provide a full defense of any claim that is potentially covered by the policy, makes CGL coverage an obvious first place to look. That being said, as explained below, insurance companies have—and a policyholder should expect—that insurers will raise a number of challenges to coverage under CGL policies.¹¹ Those CGL coverage challenges are the focus of the present article.¹² 

DEFENSES RAISED BY INSURERS

Over the last year, a number of insurers have sought declarations from courts that they have no obligation to defend their policyholders under CGL policies for claims brought by a policyholder’s customers or employees alleging violations of BIPA. 

The insurers have raised a number of defenses to coverage, including the following:

• The underlying complaint does not allege a “personal injury” as that term is defined in the policy; 

• The policy’s Employment Practices Liability exclusion bars coverage for claims asserted by the policyholder’s employees; 

• The Recording and Distribution exclusion, also referred to as the Violation of Statutes exclusion, bars coverage; or 

• The Access or Disclosure exclusion bars coverage.¹³

1.    “PERSONAL INJURY”

Liability policies often provide coverage for claims alleging “personal injury.” In many policies, “personal injury” includes “[o]ral or written publication of material that violates a person’s right of privacy.” Insurers have contended that the underlying BIPA-related actions do not allege a “personal injury” because they do not allege “publication of material.”¹⁴ The insurers’ assert that “publication” must mean that the policyholder disseminated the information to the public writ large. As explained further below, however, the Supreme Court of Illinois has rejected the insurers’ interpretation of “publication” and has concluded that “publication” can arise even in circumstances where the information was shared with just one other third-party.¹⁵ Despite this recent decision, Insurers continue to raise this line of argument as a basis for denying coverage.¹⁶ 

2.    EMPLOYMENT PRACTICES LIABILITY EXCLUSION

Many general liability policies include an “Employment Practices Liability” exclusion, which exempts from the policy’s coverage those personal injuries arising out of: (1) an employer’s refusal to employ the underlying plaintiff; (2) termination of the underlying plaintiff’s employment; or (3) “[e]mployment related practices, policies, acts, or omissions, such as coercion, demotion, evaluation, reassignment, discipline, defamation, harassment, discrimination, or malicious persecution.”¹⁷ The intent of this exclusion appears to be preclusion of coverage for claims related to an employer’s decisions to hire, fire, or take an adverse employment action against an employee. 

The Northern District of Illinois is currently split on whether BIPA-related claims fall within the plain language of this exclusion. Several cases have held that the exclusion does not apply, such as State Auto. Mut. Ins. Co. v. Tony’s Finer Foods Enters., Inc. et al.¹⁸ In Tony’s Finer Foods, the insurers argued that biometric information practices fell within the “[e]mployment-related practices” prong of the exclusion.¹⁹ In looking at the language of the exclusion as a whole, however, the court held that this exclusion did not apply to BIPA-related claims because they involve a “categorically different type of practice” from the listed activities.²⁰ 

In contrast, the court in American Family Mut. Ins. Co. v. Caremel, Inc., et al.²¹ disagreed, finding coverage was barred by the Employment Practices Liability exclusion because BIPA-related claims were “of the same nature” as the activities listed in the exclusion.²² Specifically, the court reasoned that a BIPA-related practice is similar to the listed activities because it is “a practice that can cause an individual harm to an employee.”²³ 

As it stands, it is unclear which stance will prevail in the Northern District of Illinois or in other courts applying Illinois law, but the weight of the case law is currently leaning in the policyholder’s favor. 

3.    RECORDING AND DISTRIBUTION/VIOLATION OF STATUTES EXCLUSION

In a number of declaratory judgment actions, insurers have pointed to the “Recording and Distribution,” also referred to as the “Violation of Statutes,” exclusion as a basis for denying coverage for BIPA-related claims. This exclusion precludes coverage for personal injury that arises “directly or indirectly” from an action that violates a number of statutes relating to the “printing, dissemination, collecting, recording, sending, transmitting, communicating or distribution” of information.²⁴ The Violation of Statutes exclusion often identifies several specific statutes including the Telephone Consumer Protection Act (TCPA), Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003, Fair Credit Reporting Act, and Fair and Accurate Credit Transactions Act.²⁵ Insurers argue that BIPA is meant to prohibit similar kinds of conduct and should be similarly excluded. As explained further below, however, the Supreme Court of Illinois recently concluded that because BIPA does not regulate the methods by which biometric information is communicated and, instead, only the methods by which it is collected and stored, this exclusion does not apply to bar coverage for BIPA-related actions.²⁶ 

4.    ACCESS AND DISCLOSURE EXCLUSION

Lastly, a number of insurers have pointed to the “Access and Disclosure” exclusion in their CGL policies as a basis for denying coverage. The Access and Disclosure exclusion precludes coverage for injury “arising out of any access to or disclosure of any person’s…confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information.”²⁷ When read in its entirety, this exclusion has questionable application to BIPA-related claims. The specifically enumerated list of information that constitutes “confidential or personal information” appears targeted to information of some independent value, i.e., patents, trade secrets, and customer lists. Biometric information is unlike the types of information identified in the exclusion. As a general principle where, as here, the language of an exclusion is ambiguous, courts interpret the policy in favor of coverage and against the insurer. The Northern District of Illinois agreed with this reasoning in Am. Family Mut. Ins. Co. v. Caremel, Inc., finding that the language of the Access or Disclosure exclusion was not broad enough to unambiguously include “biometric information.”²⁸ 

WEST BEND MUT. INS. CO. V. KRISHNA SCHAUMBERG TAN, INC.

In late May 2022, the Supreme Court of Illinois issued a decision in West Bend Mut. Ins. Co. v. Krishna Schaumberg Tan, Inc. that was favorable to policyholders in that it rejected several of the defenses to coverage typically raised by insurers and held that an insurer had a duty to defend its policyholder in a claim brought by one of its customers for alleged violations of BIPA.²⁹ 

More specifically, in Krishna Schaumberg Tan, Inc., the policy provided coverage for “personal injury,” which is defined to include “[o]ral or written publication of material that violates a person’s right of privacy.”³⁰ The insurer argued that the term “publication” as used in the policy required distribution of the customer’s data to the public.³¹ The court held that the term “publication” has more than one meaning; and thus, is ambiguous.³² Because the term was ambiguous, the court construed the term in favor of coverage and concluded that “publication” could occur even when the information was shared with only one party—as opposed to the public writ large.³³ 

The court also rejected the insurer’s argument that the policy’s “Violation of Statutes” exclusion applied to bar coverage.³⁴ The court concluded that this exclusion applied only to statutes that regulate certain methods of sending information like the TCPA.  The court reasoned that BIPA does not regulate the methods of communication of biometric information, but the collection, storage, handling, and use of that information.³⁶ 

KEY TAKEAWAYS FOR POLICYHOLDERS

While Krishna Schaumberg Tan, Inc. is a positive, precedential result for policyholders, it is clear from the number of lawsuits filed by insurers in the recent months that insurers are not conceding that coverage exists for biometric privacy-related suits. Policyholders, however, should not accept any coverage denials without closer examination of relevant policy wording.  Policyholders should continue to closely analyze their liability policies to determine whether they may provide coverage for lawsuits alleging violations of biometric privacy statutes. This review should include an analysis of any potentially applicable exclusions.

Additionally, policyholders should look beyond their general liability policies and review their entire insurance program, including any cyber, employment practices liability, and additional specialty coverages that they may have in place.³⁷ A pro-active approach is required by policyholders to identify any coverage available for this growing source of litigation.

FOOTNOTES

¹ 740 ILL. COMP. STAT. 14/5 (2008).

² BIPA defines “biometric identifier” as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry” but does not include signatures, physical descriptions, data used for healthcare treatment, or data used for valid scientific testing. 740 ILL. COMP. STAT. 14/10 (2008). 

³ Texas (TEX. BUS. & COM. § 503.001 (2017)), Arkansas (ARK. CODE § 4-110-104 (2010)), and Washington (WASH. REV. CODE § 19.375.020 (2017)) have each enacted their own similar biometric privacy statutes, but these statutes do not create a private right of action. California’s statute (CAL. CIV. CODE § 1798.100 (2018)) permits a private right of action, but only under limited circumstances.

⁴ S.B. 1189 (2022). S.B. 1189 would extend the private right of action authorized by the current California statute.

⁵ H.B. 626 (2022).

⁶ H.B. 1945 (2022).

⁷ H.B. 259 (2022).

⁸ S.B. 2687 (2022).

⁹ H.B. 2716 (2022).

¹⁰ A.B. A27 (2022).

¹¹ Policyholders should also be on the lookout for insurers including new “cyber incident” exclusions in liability policies which specifically bar coverage for BIPA-type claims, such as policies issued by Hiscox, Ltd. See Daphne Zhang, Insurers Add Biometric Exclusions as Privacy Lawsuits Pile Up, BLOOMBERG LAW (June 30, 2022) (available at: https://news.bloomberglaw.com/daily-labor-report/insurers-add-biometric-exclusions-as-privacy-lawsuits-pile-up) (last accessed: Aug. 17, 2022). Nonetheless, the applicability of such exclusions to BIPA claims remains unclear as there has not been any reported litigation yet involving these novel exclusions. 

¹² For additional information relating to the other types of policies that may provide coverage, please refer to Carolyn Branthoover, The Risky Business of Using Biometric Information: Insurance Coverage Considerations, K&L GATES HUB (Nov. 11, 2017), https://www.klgates.com/The-Risky-Business-of-Using-Biometric-Information--Insurance-Coverage-Considerations-11-17-2017.

¹³ See, e.g., Citizens Ins. Co. of Am. v. Nw. Pallet Servs., LLC, Docket No. 1:21-cv-02804, ECF No. 1 (N.D. Ill. May 25, 2021); Citizens Ins. Co. of Am. v. MIFAB, Inc., Docket No. 1:21-cv-03704, ECF No. 1 (N.D. Ill. July 13, 2021); Union Ins. Co. v. RT Wholesale, LLC d/b/a Food Evolution, et al., Docket No. 1:21-cv-03757, ECF No. 1 (N.D. Ill. July 14, 2021); Aspen Spec. Ins. Co. v. New Crown Holdings, LLC, et al., No. 1:21-cv-03838, ECF No. 1 (N.D. Ill. July 19, 2021). 

¹⁴ Id. 

¹⁵ W. Bend Mut. Ins. Co. v. Krishna Schaumberg Tan, Inc., No. 125978, 2021 LEXIS 1255978, at *20 (Ill. 2021).

¹⁶ The following actions were all filed by insurers months after the Supreme Court of Illinois resolved this very issue: Citizens Ins. Co. of Am. v. MIFAB, Inc., Docket No. 1:21-cv-03704, ECF No. 1 (N.D. Ill. July 13, 2021); Union Ins. Co. v. RT Wholesale, LLC d/b/a Food Evolution, et al., Docket No. 1:21-cv-03757, ECF No. 1 (N.D. Ill. July 14, 2021); Aspen Spec. Ins. Co. v. New Crown Holdings, LLC, et al., No. 1:21-cv-03838, ECF No. 1 (N.D. Ill. July 19, 2021). 

¹⁷ Citizens Ins. Co. of Am. v. Northwest Pallet Servs., LLC, Docket No. 1:21-cv-02804, ECF No. 1 (N.D. Ill. May 25, 2021).

¹⁸ State Auto. Mut. Ins. Co. v. Tony’s Finer Foods Enters., Inc. et al., No. 1:20-cv-06199, ECF No. 43, at *10 (N.D. Ill. Mar. 8, 2022).

¹⁹ Id. 

²⁰ Id. at *13.

²¹ Am. Family Mut. Ins. Co. v. Caremel, Inc., et al., No. 1:20-cv-00637, ECF No. 71 (N.D. Ill. Jan. 7, 2022).

22 Id. at *10.

²³Id. 

²⁴ Citizens Ins. Co. of Am. v. Nw. Pallet Servs., LLC, Docket No. 1:21-cv-02804, ECF No. 1 (N.D. Ill. May 25, 2021).

²⁵ Id.

²⁶ W. Bend Mut. Ins. Co. v. Krishna Schaumberg Tan, Inc., No. 125978, 2021 LEXIS 1255978, at *20 (Ill. 2021); see also, Citizens Ins. Co. of Am. v. Wynndalco Enters, LLC et al., No. 1:20-cv-03873, ECF No. 111 (N.D.Ill. Mar. 30, 2022) (finding that a Statutory Violation exclusion was ambiguous as it related to BIPA liability and as such did not negate insurers’ duty to defend), 

²⁷ See, e.g., Aspen Spec. Ins. Co. v. New Crown Holdings, LLC, et al., No. 1:21-cv-03838, ECF No. 1 (N.D. Ill. July 19, 2021); Am. Fam. Ins. Co. v. Schmitt South Eola, LLC, No. 1:20-cv-01872, ECF No. 47 (N.D. Ill. Dec. 30, 2020).

²⁸ No. 1:20-cv-00637, ECF No. 71 (N.D. Ill. Jan. 7, 2022).

²⁹ No. 125978, 2021 LEXIS 1255978 (Ill. 2021).

³⁰ Id. at *5.

³¹ Id. at *7.

³² Id. at *20.

³³ Id.

³⁴ Id. at *25.

³⁵ Id. 

³⁶ Id. 

³⁷ Carolyn Branthoover, The Risky Business of Using Biometric Information: Insurance Coverage Considerations, K&L GATES HUB (Nov. 11, 2017), https://www.klgates.com/The-Risky-Business-of-Using-Biometric-Information--Insurance-Coverage-Considerations-11-17-2017.