In a highly anticipated case before Illinois' highest court, the justices recently found an insurance carrier’s business liability policy requires it to defend a lawsuit alleging violations of the Illinois Biometric Information Privacy Act (“BIPA”). West Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc., 2021 IL 125978 (Ill., May 20, 2021). While the court’s opinion addresses specific policy language, the decision reinforces key principles and concepts supporting insurance coverage (indemnity and defense) under Illinois law. 

Background

In the underlying lawsuit, a tanning salon patron sued alleging the salon violated BIPA by scanning her and other customers’ fingerprints without consent and by disclosing their biometric identifiers and information to a third-party vendor. Upon receipt of the lawsuit, the tanning salon tendered the claim to its insurer requesting a defense. The insurance company issued a reservation of rights letter stating it believed the business liability policy did not cover the suit and, therefore, the insurer had no duty to defend. In turn, the carrier filed a declaratory judgment action against the tanning salon as well as the plaintiff contending it did not owe a duty to defend the lawsuit. Upon cross motions for summary judgment, the trial court entered judgment for the tanning salon. The first level appellate court then affirmed. 

Illinois Supreme Court Appeal

On appeal to the Illinois Supreme Court, the insurance carrier argued that its policy did not cover the alleged BIPA claims because (1) the tanning salon did not publish private information to the public at large thereby failing to inflict a covered injury and (2) the policy expressly excluded statutory violations. Like the lower courts, the Illinois Supreme Court rejected both of these arguments. 

First, the court set forth Illinois law with respect to the construction of insurance contracts, namely, Illinois decisions recognizing that insurance contracts are construed to give effect to the parties’ intentions and, if they are ambiguous, are to be interpreted against the insurer who drafted the policy. The court then considered the specific terms in the carrier’s policies to determine whether the allegations in the complaint alleged a covered claim that the business caused the plaintiff a personal or advertising injury and whether the sharing of biometric information was a publication of material that violated the plaintiff’s right to privacy. Although the policy defined the terms “personal injury” and “advertising injury”, it did not define the terms “publication” or “right to privacy”. Because the policies did not define “publication” and “right to privacy”, the court considered various definitions within dictionaries, treatises, and other secondary sources. The court concluded that the term “publication” has multiple definitions; therefore, the term is ambiguous and strictly construed it against the insurer drafted policy. With respect to the term “right to privacy”, the court relied upon court opinions and dictionary definitions to determine that it includes typical privacy rights such as the right to be left alone and to protect a person from having information about themselves disclosed. The court found that the Illinois legislature designed BIPA to protect an individual’s right to privacy of his or her biometric identifiers as well as to protect that information from being collected and disseminated without consent. 

After construing the policy terms deemed ambiguous, the court addressed whether the complaint’s allegations fell within the terms of the policy. First, the court found that the complaint alleged the plaintiff had suffered emotional upset, mental anguish, and distress from the collection and dissemination of biometric information, which comes within purview of the policies. Second, the court found that a “publication” occurs when information is shared with a single party, thus finding that the complaint sufficiently alleged that when the business shared the patron’s information with its vendor, that action fell potentially within the definition of the term publication within the policy. Finally, the court ruled that, because BIPA codifies a person’s right to privacy of biometric identifiers and information, the complaint’s allegations that the business collected fingerprints and shared them with the third-party vendor fall potentially within the term “right to privacy” in the insurer’s policy. As a result, the court held that the carrier has a duty to defend the business under the policies at issue. 

Finally, the court rejected the insurer’s argument that a policy exclusion for violation of statutes barred coverage. The court looked to the policy section titled “Violation of Statutes that Govern Emails, Fax, Phone Calls, or Other Methods of Sending Material or Information”. The policy provision referred to two federal statutes that regulate methods of communication, the Telephone Consumer Protection Act, 47 U.S.C. §227, and the CAN-SPAM Act of 2003, 15 U.S.C. §7701. The court concluded that because the policy language was intended to exclude coverage for alleged statutory violations involving various communication methods, the exclusion did apply to bar the BIPA claims. The Court held that BIPA does not regulate methods of communication but instead regulates the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information. In addition, the policy provisions’ “other than” language did not extend to claims under BIPA. The court followed the doctrine of ejusdem generis to conclude that BIPA is dissimilar from the TCPA and CAN-SPAM Act such that the policy exclusion would not be read to extend to BIPA claims. And, to the extent the “other than” language could be viewed as ambiguous, the court held it also must be construed in favor of finding coverage for the insured. 
Accordingly, the court found that the exclusion did not apply and the carrier, therefore, had a duty to defend the alleged BIPA claims. The court did not reach the issue of whether the policy also provided indemnity for any verdict or settlement of such BIPA claims. 

This ruling has provided helpful clarity to policyholders and insurers alike. While the court’s opinion was limited to the policy at issue, the court’s approach and rulings should help to ameliorate the uncertainty around insurance coverage for the growing new phenomenon of BIPA liability, both under Illinois law and those jurisdictions, such as New York, that are actively considering similar legislative protection for biometric privacy. With the potential financial exposure of BIPA claims, the nature and extent of available insurance coverage will continue to be a threshold strategic consideration and potential issue as these cases move forward, in Illinois and elsewhere around the U.S.