Lessons From Insurers' Latest BIPA Coverage Arguments
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Portfolio Media. Inc. | 111 West 19th Street, 5th Floor | New York, NY 10011 | www.law360.com Phone: +1 646 783 7100 | Fax: +1 646 783 7161 | customerservice@law360.com Lessons From Insurers' Latest BIPA Coverage Arguments By Caroline Meneau and Michael Linden (January 29, 2021, 4:52 PM EST) Litigation under Illinois' Biometric Information Privacy Act, which regulates the collection, use and storage of biometric data,[1] continues to present important questions for businesses, including as it relates to insurance coverage. Though several states have enacted laws aimed at regulating an individual's biometrics, BIPA was the first law of its kind. Unlike the laws in these other states, BIPA provides a private right of action for any person aggrieved by a BIPA violation. Aggrieved persons may recover $1,000 per violation where an entity negligently violates BIPA and $5,000 per violation in the case of intentional or reckless violations. Caroline Meneau Courts have resolved certain threshold issues under BIPA. Most notably, in Rosenbach v. Six Flags Entertainment Corp., the Illinois Supreme Court held that when a private entity violates the notice and release requirements of BIPA, any person whose biometric information is subject to that violation is an aggrieved person within the meaning of the act.[2] In other words, an individual can seek statutory damages for the real and significant injury caused by such a violation of BIPA even without showing any tangible, personalized harm. Michael Linden Unsurprisingly, the Supreme Court's decision in Rosenbach has unleashed a torrent of BIPA putative class action litigations. Many of the defendants in these litigations have turned to their insurers for defense, prompting coverage disputes. The first Illinois appellate court to review a BIPA-related coverage dispute affirmed a policyholder victory, holding that the underlying BIPA complaint alleged a personal injury within the scope of the business owner's liability policy at issue and that the policy's exclusion for violations of statutes did not apply.[3] In that case, West Bend Mutual Insurance Co. v. Krishna Schaumburg Tan Inc., the Appellate Court of Illinois, First District, considered whether allegations that a tanning salon shared customer fingerprint data with a third-party vendor could constitute a personal injury under the tanning salon's insurance policy.
The policy covered injuries "arising out of oral or written publication of material that violates a person's right of privacy." The insurer, relying on Valley Forge Insurance Co. v. Swiderski Electronics Inc.,[4] argued that publication requires a communication to the public at large, rather than to just one outside vendor. The court rejected that argument, holding that the plain meaning of publication "include[s] both the broad sharing of information to multiple recipients that the court viewed [as] a 'publication' in Valley Forge and a more limited sharing of information with a single third party." The West Bend court also rejected the insurer's reliance on the so-called violation of statutes exclusion, which excludes coverage for injuries "arising directly or indirectly out of any action or omission that violates or is alleged to violate" the Telephone Consumer Protection Act, the Controlling the Assault of Non-Solicited Pornography and Marketing Act or "any statute, ordinance or regulation that prohibits or limits the sending, transmitting, communication or distribution of material or information." Looking to the title of the exclusion — "violation of statutes that govern emails, fax, phone calls or other methods of sending material or information" — the court reasoned that the exclusion only applied to statutes governing certain methods of communications, rather than statutes like BIPA that limit whether a company can collect or use information in the first place. Despite the pro-policyholder decision from the West Bend court, insurers have continued to deny claims related to defense of BIPA actions. Insurers, in the coverage litigation arising from those denials, have sought to retread old ground, but have also come up with a bevy of new arguments. While many of those cases appear to have settled before resolution,[5] one pending case in the U.S. District Court for the Northern District of Illinois raises interesting issues for policyholders. In that case, American Family Mutual Insurance Co. SI v. Schmitt South Eola LLC, the insurer recently moved for summary judgment on its complaint seeking a declaratory judgment that it had no duty to defend a McDonald's franchisee.[6] The franchisee tendered its defense to American Family after it was sued by an employee who alleged the franchisee required employees to punch in and out of work using a fingerprint or handprint scan in violation of BIPA. In its motion, American Family makes two main arguments. First, it claims that the franchisee does not satisfy the basic requirement for coverage: demonstrating a personal and advertising injury, defined as an "oral or written publication, in any matter, of material that violates a person's right of privacy." In so arguing, American Family insists that, in light of the Illinois Supreme Court's decision in Valley Forge, West Bend is wrongly decided. In the alternative, and more creatively, American Family attempts to distinguish West Bend. Whereas in West Bend, the plaintiff in the underlying BIPA action alleged that the tanning salon shared her fingerprints with a third-party vendor, American Family claims that there are not similar allegations against the McDonald's franchisee. In other words, according to American Family, even under the more expansive definition of "publication" in West Bend, the franchisee does not qualify for coverage. Second, American Family relies on a three separate exclusions: (1) the employment-related practices
exclusion; (2) the violation of statutes exclusion; and (3) the access or disclosure exclusion. It is a bedrock principle of insurance law that "[i]t is the insurer's burden to show a claim falls within a provision of the policy that excludes coverage, and an exclusion relied upon to deny coverage must be free and clear from doubt."[7] While the violation of statutes argument asks a federal district court to ignore the Illinois appellate court's interpretation of Illinois law in West Bend, there are no reported decision adjudicating the other two exclusions in the BIPA context. The franchisee's liability policy excluded injury arising out of employment-related practices, policies, act or omissions. According to American Family, the underlying BIPA allegations — which center on the employer's time clock system — unmistakably arise out of the franchisee's employment-related practices and policies. A close reading of the policy calls into question American Family's logic. The full exclusion is addressed toward injuries to a person arising out of the employer's: • Refusal to employ that person; • Termination of that person's employment; or • Employment-related practices, policies, acts or omissions, such as coercion, demotion, evaluation, reassignment, discipline, defamation, harassment, humiliation or discrimination directed at that person. Read in its full context, the employment-related practices exclusion American Family cites appears targeted at decisions around hiring, firing and employee evaluation. Indeed, the cases American Family cites demonstrate as much.[8] In the case of the franchisee, it may be a stretch for the insurer to argue that a time clock policy, unrelated to hiring or firing, could qualify as an employment-related practice in this context, particularly given the insurer's burden to prove an exclusion applies. Finally, American Family cites an "access or disclosure of confidential or personal information and data- reliability" exclusion. The full policy language excludes injuries "[a]rising out of any access to or disclosure of any person or organization's confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information." Even if biometric information like fingerprints could, in this circumstance, reasonably be characterized as nonpublic information, policyholders can respond that the exclusion's language appears targeted at a lawsuit arising out of a data breach — for example, a hacking incident that reveals trade secrets or credit card information. Contrast that with a clock-in process in which the employee knowingly participates, and in which there is no allegation anyone other than the employer or vendor obtained access to the time clock data.
The context of the "access or disclosure of confidential or personal information and data-reliability" exclusion, interpreted narrowly as required by Illinois law, indicates that it may not clearly cover biometric information provided by an employee, even if the collection and use of that information allegedly violates BIPA. While insurers and policyholders will doubtless be paying close attention to the policyholder's opposition to — and ultimately, the court's resolution of — American Family's summary judgment motion, there are already lessons to learn from the litigation. At the outset, it is clear that insurers are not conceding that coverage exists even in light of the court's decision in West Bend. Policyholders should continue to thoughtfully review policy language and seek out the most expansive available coverage, particularly if they utilize biometric information in the course of their business. Insureds should consider whether they have or can obtain coverage available within a range of available insurance products, including employment practices liability, cyber liability, general liability, directors and officers, technology errors and omissions, and media liability insurance policies. Next, policyholders facing BIPA litigation should carefully evaluate whether the underlying lawsuit alleges disclosure of biometric information to a third party — in other words, whether the suit alleges publication. Under West Bend, the clearer the disclosure, the better argument the policyholder has that the basic requirements for coverage are met. Finally, as always, policyholders should closely analyze any exclusions that might apply to BIPA liability — for example, the employment practices and data reliability exclusions cited by American Family. While it is the insurer's burden to show an exclusion bars coverage — and so far, courts have not accepted insurers' arguments to exclude BIPA liability — insurers will undoubtedly continue to focus on exclusions as a basis for denying coverage, particularly in light of West Bend's conclusion that BIPA actions can satisfy the threshold requirement of a personal injury. Caroline Meneau is a partner and Michael Linden is an associate at Jenner & Block LLP. The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice. [1] 740 ILCS 14/1 et seq. [2] 129 N.E.3d 1197, 1206 (Ill. 2019). [3] W. Bend. Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc., 2020 IL App (1st) 191834, at *P24 (Mar. 20, 2020). [4] 223 Ill. 2d 352, 367 (2006). [5] See, e.g., Am. Fam. Mut. Ins. Co., S.I. v. McEssy Inv. Co., No. 1:20-cv-05591 Dkt. 7 (N.D. Ill. Oct. 15, 2020); Am. Guar. & Liab. Ins. Co. v. Toms King, LLC, No. 2020-CH-04472 (Cir. Ct. Cook Cnty. Aug 25,
2020); Church Mut. Ins. Co. v. Triad Senior Living, Inc., No. 1:19-cv-07599 Dkt. 18 (N.D. Ill. Feb. 6, 2020). [6] Am. Fam. Mut. Ins. Co., S.I. v. Schmitt South Eola, LLC, No. 1:20-cv-01872 Dkt. 47-1 (N.D. Ill. Dec. 30, 2020). [7] W. Bend. Mut. Ins. Co. v. Rosemont Exposition Servs., 378 Ill. App. 3d 478, 486 (1st Dist. 2007). [8] See, e.g., id. (applying exclusion because the defamatory statement in the action for which the employer sought insurance coverage "was perpetrated to provide the grounds" to fire the employee).
You can also read