Do Certain Exclusions Preclude a Duty to Defend for Claims Under the Illinois Biometric Information Privacy Act?
Federal district courts recently provided mixed guidance on insurance coverage for litigation under the Illinois Biometric Information Privacy Act (BIPA), which regulates the collection, use and storage of an individual’s biometric data. On March 1, 2022, in Citizens Ins. Co. of American et al. v. Thermoflex Waukegan LLC, et al., No. 1:2020cv05980, Document 52 (N.D. Ill. 2022), a trial court in the Northern District of Illinois held that a general liability insurer must defend an insured against a proposed class action of the insured’s employees’ BIPA claims, rejecting the insurers’ arguments that three different exclusions precluded coverage, including the Employment-Related Practices Exclusion. This decision is important insofar as it appears contrary to another recent decision in the Northern District of Illinois issued on January 7, 2022, which found no duty to defend based on an Employment-Related Practices Exclusion. Compare, American Family Mutual Ins. Co. v. Caremel, Inc., Case No. 20 C 637 (N.D. Ill. January 7, 2022).
Prior BIPA Decisions on Duty to Defend Under CGL Policies
In West Bend Mutual Ins. Co. v. Krishna Schaumburg Tan Inc., 2021 IL 125978 (Ill. 2021), the Illinois Supreme Court held that a general liability insurer had a duty to defend an insured in a proposed class action under BIPA when the insured allegedly shared customer fingerprint data with a third-party vendor. The Illinois Supreme Court found that a defense under the “personal and advertising injury” insuring agreement was triggered as an invasion of the right of privacy insofar as BIPA protects a privacy right to keep biometric information secret. The Illinois Supreme Court also held that an older and narrow exclusion entitled “Violation of Statutes that Govern E-Mails, Fax Phone Calls or Other Methods of Sending Material or Information” did not preclude a duty to defend. The Illinois Supreme Court reasoned that this older exclusion did not apply to statutes such as BIPA that regulate the collection, use, safeguarding, handling and retention of biometric information, finding that this narrower exclusion only applied to statutes governing methods of communication, such as the Telephone Consumer Protection Act (TCPA). Our previous analysis of Krishna, “Illinois Supreme Court Finds Insurer Has Duty to Defend BIPA Suit,” appeared in Bloomberg Law on June 18, 2021.
After Krishna, two other federal decisions found certain exclusions precluded a defense obligation under general liability policies for BIPA claims. First, in Massachusetts Bay Insurance Company et al. v. Impact Fulfillment Services, LLC, Case No. 20-cv-926-WLO (M.D.N.C. September 24, 2021), a federal court applying North Carolina law held that the broader Recording and Distribution of Material or Information in Violation of Law Exclusion precluded a defense obligation because it excluded coverage for claims under statutes that protect and govern privacy interests in personal information. Since BIPA protects individuals’ privacy interests in their personal biometric information, the Impact court found the general liability insurer had no duty to defend. For more detailed analysis, see “North Carolina Federal Court Finds No Duty to Defend Illinois BIPA Suit.”
Second, in American Family Mutual Ins. Co. v. Caremel, Inc., Case No. 20 C 637 (N.D. Ill. January 7, 2022) a Northern District of Illinois trial court held that an Employment-Related Practices Exclusion precluded a defense of BIPA claims brought by the insured’s employees. The Caremel court reasoned that because the employees were required to give their fingerprints as part of their employment, it is an employment-related practice and therefore excluded. The Caremel court rejected the insured’s argument that the BIPA violation is unlike the exemplar employment harms listed in the exclusion, reasoning fingerprint collection also is a practice that can cause an “individual harm to an employee.” Thus, the exclusion applied. In dicta, the Caremel court further stated that the Access or Disclosure of Confidential or Personal Information Exclusion did not preclude a defense. The Caremel court reasoned that biometric information, such as fingerprints, is not intellectual property or financial information, and it would be a “stretch” to include it under “health information” because a fingerprint is a physical characteristic unrelated to a person’s health. The insured did not appeal the Caremel decision.
The Thermoflex Ruling
The insured in Thermoflex was sued by a proposed class of its employees for violations of BIPA after the insured collected employees’ handprints and used them for timekeeping purposes. The general liability and umbrella insurers filed a lawsuit seeking a declaration that they owed no duty to defend based on three exclusions: (1) the Employment-Related Practices Exclusion, (2) the Recording and Distribution of Material or Information in Violation of Law Exclusion, and (3) the Access or Disclosure of Confidential or Personal Information Exclusion. The Thermoflex court found that none of the exclusions unambiguously precluded coverage and thus found the insurers owed a duty to defend.
The Thermoflex court held that the Employment-Related Practices Exclusion was ambiguous as it applied to BIPA claims brought by employees, reasoning that collecting biometric information is not listed in the examples of employment-related practices in the exclusion and found the “mixture of examples” in the exclusion illustrated an ambiguity. The court explained that some examples involved legal claims and some involved employer conduct, and collecting biometric information was not clearly similar to the exclusion’s examples. Without much discussion, the Thermoflex court disagreed with the Caremel decision. It also reasoned exclusions must be interpreted narrowly, and applying the exclusion to this context could preclude coverage for any claims brought against any employer. The Thermoflex court also disagreed with the American Family reasoning, finding that not all the listed examples – such as evaluation and reassignment – are inherently harmful.
Next, the Thermoflex court rejected the insurers’ attempt to distinguish the broader policy language in the Recording and Distribution of Material or Information in Violation of Law Exclusion from the exclusion at issue in Krishna. The insurers in Thermoflex argued that the broader exclusion, with a different title, precluded coverage for BIPA claims because the exclusion included statutes that address or limit the collection and/or recording of information, unlike the exclusion at issue in Krishna. The Thermoflex court rejected this argument finding even though this exclusion was broader, it was not the “same kind” of statute listed in the exclusion relying on Krishna. Alternatively, the Thermoflex court found the exclusion as applied to BIPA claims was ambiguous and must be construed in the insured’s favor.
Finally, the Thermoflex court rejected application of the Access or Disclosure of Confidential or Personal Information Exclusion. The insurers argued the exclusion applied because it precludes “coverage for claims involving any access to or disclosure of any person's … confidential or personal information, including … any other type of nonpublic information” falling within the catch-all provision. The Thermoflex court relied on the BIPA statute’s different treatment of “biometric identifiers,” such as handprints, from “confidential and sensitive information” such as genetic markers or other unique identifiers such as social security numbers. The Thermoflex court reasoned that handprints are not types of confidential and sensitive information that would fall within the “nonpublic information” catch-all given the other examples. At the very least, the Thermoflex court found that the exclusion was ambiguous as applied to BIPA claims.
The only thing clear about these cases is that insurance coverage for BIPA lawsuits under general liability policies is currently unclear.
There are other exclusions – such as the Statutory Right of Privacy Exclusion – used by some insurers that have not yet been addressed by the courts. This is significant given that courts, including the Illinois Supreme Court, discuss BIPA as a privacy statute. Therefore, insurers should specifically evaluate these exclusions.
Moreover, given the split among district courts in the Northern District of Illinois, it would not be surprising if the insurers in Thermoflex appeal this case to the Seventh Circuit. The question is when an appeal may be taken given that the insured has two breach of contract claims that were not specifically addressed in the opinion. What really remains of those claims is unclear. However, even though this is not yet a final order, the insurers may have an option for an interlocutory appeal. Although not yet decided in the Seventh Circuit, several other U.S. circuits have held that trial court orders requiring an insurer to defend an insured are immediately appealable injunctions under 28 U.S.C §1292(a)(1).
The differing results in Thermoflex, Caremel and Massachusetts Bay highlight that the outcome of coverage may hinge on venue and/or choice of law considerations. Insurers should evaluate these considerations closely and examine how various jurisdictions handle similar exclusions in other contexts in an effort to predict how a particular court may rule on coverage for BIPA claims. Moreover, it is important to note that while the Thermoflex decision lends some support to policyholders, federal district court decisions are not binding on either other federal district courts or state courts. Even if a trial court has rejected certain coverage defenses, insurers should continue to assert all potentially applicable coverage defenses to preserve them for appeal.