Key Win for Silent Cyber Coverage: Illinois Supreme Court Rules Insurer Has Duty to Defend in Biometric Information Privacy Case
A recent Illinois Supreme Court opinion found that the coverage afforded for personal or advertising injuries in business owners’ liability policies may apply to claims under the state’s Biometric Information Privacy Act (“BIPA”). We anticipate this decision will have a significant impact in this area going forward. West Bend Mutual Insurance Company v. Krishna Schaumburg Tan, Inc., 2021 IL 125978 (Ill. May 20, 2021). The case stands for the proposition that BIPA claims may fall within the personal and advertising injury coverage afforded under standard form CGL policies even if the policyholder cannot show a widespread publication. Read on to learn more and what it all means.
First, let’s take a look at the facts of the underlying BIPA litigation. The plaintiff purchased a membership from the defendant tanning salon. To obtain her membership, the plaintiff was required to provide her fingerprints to the defendant, which then sent the fingerprints to a salon management software vendor. The plaintiff filed a class-action lawsuit alleging, in relevant part, that the defendant had violated BIPA, which regulates the collection, retention, disclosure, and destruction of biometric identifiers (“a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry”) and information (“any information . . . based on an individual’s biometric identifier used to identify an individual”). Specifically, the plaintiff alleged that the defendant violated the statute when it “systematically and automatically collected, used, stored, and disclosed [to the vendor] their [customers’] biometric identifiers or biometric information without first obtaining the written release required by [BIPA].”
Importantly here, the defendant maintained CGL policies with coverage for personal injury and advertising injury. The policies defined both “personal injury” and “advertising injury” to include injuries arising from a “publication” of material that violates one’s “right of privacy.” The policies did not define “publication” or “right of privacy.”
The defendant provided notice of the lawsuit to its insurer and requested a defense under the policies. The insurer filed a declaratory judgment action, alleging that the plaintiff’s complaint did not fall within the policies’ coverage for two reasons. First, the lawsuit did not allege a “personal injury” or “advertising injury” as defined in the policies, because it did not allege a “publication” of material that violates a person’s “right of privacy.” Alternatively, the policies’ violation-of-statutes exclusion applied and therefore barred coverage. The defendant filed a counterclaim in the declaratory judgment action alleging, in relevant part, that the allegations in the underlying complaint potentially fell within the policies’ coverage. The insurer and defendant ultimately filed cross motions for summary judgment.
The insurer argued that a “publication” under Illinois law is a “communication to the public at large,” as opposed to “disclosure to a single party,” meaning that the defendant’s communication with its vendor did not constitute a “publication.” Because the complaint did not allege any “publication,” the insurer argued, the coverage afforded for personal and advertising injuries did not apply. Alternatively, the insurer argued that the plaintiff’s allegations fell within the policies’ violation-of-statutes exclusion.
The defendant, on the other hand, argued in relevant part that a communication with a single party constitutes a “publication,” and therefore, its alleged disclosure to its vendor was a publication covered by the policies. The defendant addressed the insurer’s motion, arguing that the violation-of-statutes exclusion did not apply “because the exclusion only applies to statutes that regulate methods of communication.”
The trial court held that the insurer had a duty to defend the defendant, and the appellate court affirmed. The Illinois Supreme Court engaged in de novo review.
II. Issues Before the Illinois Supreme Court
The issue for the Illinois Supreme Court was whether the insurer had a duty to defend its insured. This required the court to determine, in key part, whether defendant’s sharing of biometric identifiers and information with its vendor was a “publication” of material that violated the plaintiff’s “right of privacy.”
In regards to whether disclosure to a single party constitutes a “publication,” the court looked to dictionary definitions, treatises on insurance and privacy law, and the Restatement of the Law of Torts. Based on those sources, the court found that “publication” means “both the communication of information to a single party and the communication of information to the public at large.” Because there was more than one reasonable interpretation of “publication” as used in the policies, the term was determined to be ambiguous and the court was required, under Illinois precedent, to “construe the insurance contract in favor of the insured and against the insurer that drafted the contract.” Doing so, the court found that the term “publication” encompassed a communication with a single party such as the salon’s software vendor.
To determine whether the lawsuit alleged a violation of a “right of privacy,” the court looked to dictionary definitions and court interpretations of the phrase. Earlier decisions in Illinois recognized that the right to privacy includes a “right to secrecy,” i.e., “the right to keep certain information confidential.” Based on this precedent, the court found, BIPA protects a “secrecy interest,” namely, “the right of an individual to keep his or her personal identifying information like fingerprints secret.” Further, “disclosing a person’s biometric identifiers or information without their consent or knowledge necessarily violates that person’s right to privacy in biometric information.” The court found that the underlying plaintiff’s claim that the defendant shared her biometric identifiers and information with the vendor alleged a potential violation of the plaintiff’s right to privacy within the coverage afforded by salon’s the insurance policies.
For those reasons, the Court determined that the underlying plaintiff’s claim under BIPA alleged a “publication” that violated the plaintiff’s “right of privacy,” bringing the claim potentially within the policies’ coverage for personal or advertising injury. Having determined that the underlying claims fell within the policy’s coverage grant, the Court turned to the question of whether the violation-of-statutes exclusion acted to bar coverage. The relevant exclusion is titled “Violation of Statutes that Govern E-Mails, Fax, Phone Calls or Other Methods of Sending Material or Information.” [Note: Many CGL policies contain this exclusion, which excludes from coverage claims for damages arising from violation of the Telephone Consumer Protection Act (“TCPA”) and CAN-SPAM Act of 2003, among others.]
The Illinois Supreme Court, however, found the exclusion inapplicable under the facts of this case. Why? For the simple reason that BIPA itself does not regulate methods of communication. Rather, the statute applies to the collection, use, safeguarding, handling, storage, retention and destruction of biometric information while the exclusion was allegedly drafted to bar coverage for statutes that regulate methods of communication
So there you have it. This case may have widespread implications for insurers and policyholders alike. It represents a significant victory for policyholders under so-called silent cyber coverage, affirming that insuring policies do not have to include specific language to cover BIPA claims (and potentially other data privacy claims). For more on this, stay tuned. CPW will be there.