In what is likely to be one of many court rulings to come regarding the scope of an insurer’s duty to defend an insured in a biometric privacy lawsuit, the Illinois First District Court of Appeals recently weighed in on this issue. In West Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc., 2020 IL App (1st) 191834, the court determined that West Bend Mutual Insurance Company owed a duty to defend its insured in an underlying lawsuit filed under the Illinois Biometric Information Privacy Act (“BIPA”). The complete opinion can be found here

In that case, Krishna, a franchisee of L.A. Tan Enterprises, was sued for allegedly violating BIPA. According to the underlying complaint, Krishna’s customers were required to have their fingerprints scanned to verify their identification. The plaintiff further alleged that after having her fingerprints scanned by Krishna, the company failed to provide her with, or obtain, a written release allowing Krishna to disclose her biometric data to any third party. She claimed that Krishna disclosed her biometric information to a third-party vendor without her consent.

Krishna sought coverage from West Bend for the lawsuit under two insurance policies West Bend had issued to Krishna. West Bend defended Krishna in the underlying lawsuit pursuant to a reservation of rights. Subsequently, West Bend filed a declaratory judgment action seeking a declaration that it owed no duty to defend or indemnify Krishna in the underlying lawsuit. West Bend alleged that the underlying lawsuit did not trigger coverage because the plaintiff’s underlying allegations did not describe a “personal injury,” her allegations did not implicate a data compromise endorsement contained in one of the policies, and coverage was barred by the policies’ violation of statutes exclusion. In response, Krishna filed a counterclaim, arguing that it was entitled to coverage in the underlying lawsuit and damages under Section 155 of the Insurance Code for vexatious and unreasonable delay in providing coverage. Ultimately, the trial court granted Krishna’s motion for summary judgment in part, concluding that West Bend owed a duty to defend Krishna in the underlying lawsuit, but denying the section of the motion seeking damages under Section 155.

On appeal, the court first examined whether the underlying complaint allegations were encompassed by the policies’ definition of “personal injury.” The policies indicated that West Bend would pay “those sums that [Krishna] becomes legally obligated to pay as damages because of *** ‘personal injury’ ***” and that West Bend would have a duty to defend Krishna against “any ‘suit’ seeking those damages.” The policies defined “personal injury” to include any injury arising out of “[o]ral or written publication of material that violates a person’s right of privacy.” Krishna argued that the plaintiff in the underlying lawsuit alleged an injury arising from publication because she claimed that Krishna violated BIPA by providing her fingerprint data to a third-party vendor. West Bend argued that publication required communication of information to the public at large, not just to a single third-party. 

Because the policies did not define the term “publication,” the court gave the term its “plain, ordinary, and popular meaning.” Relying on guidance from the Illinois Second District Appellate Court’s holding in Valley Forge Ins. Co. v. Swiderski Elecs., Inc., 359 Ill. App. 3d 872 (2d Dist. 2005), the Oxford English Dictionary, and Black’s Law Dictionary, the court concluded that the term publication includes both the broad sharing of information to multiple recipients and a more limited sharing with a single third-party. According to the court, had West Bend intended for the term to apply only to communication of information to a large group of people, it could have explicitly defined it as such in its policies. 

West Bend further argued that the policies’ violation of statutes exclusion applied to prohibit coverage. That exclusion indicated that coverage did not apply to “*** ’personal injury’ *** arising directly or indirectly out of any act or omission that violates or is alleged to violate:

  1. The Telephone Consumer Protection Act (TCPA) ***
  2. The CAN-SPAM ACT of 2003 ***
  3. Any statute, ordinance or regulation *** that prohibits or limits the sending, transmitting, communicating or distribution of material or information.”  

According to West Bend, the underlying lawsuit alleged a violation of BIPA, a statute it characterized as prohibiting or limiting the sending of material or information, namely an individual’s biometric information or identifier. Section 14/15(d) of BIPA expressly provides that “[n]o private entity in possession of a biometric identifier or biometric information may disclose, redisclose, or otherwise disseminate a person’s or a customer’s biometric identifier or biometric information” unless at least one of four conditions is met. 

In rejecting this argument, the court cited the full title of the policies’ exclusion, “Violation of Statutes That Govern E-Mails, Fax, Phone Calls or Other Method of Sending Material or Information,” as evidence that the exclusion applied only to statutes that govern certain methods of communication, not to statutes that limit the sending or sharing of information. The text of the exclusion also expressly referred to certain statutes – TCPA and CAN-SPAM – that regulate certain methods of communication. Based upon the exclusion’s title and specific references to TCPA and CAN-SPAM, the court reasoned that the final, “catchall” provision of the exclusion was meant to encompass any state or local statutes, rules, or ordinances that, like the TCPA and CAN-SPAM, regulated methods of communication.  Based upon this interpretation of the exclusion, the court determined that it did not apply to bar coverage for the underlying lawsuit. According to the court, BIPA does not regulate methods of communication, but rather, regulates the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information. 740 ILCS 14/5(g).

Because the court found that the underlying complaint allegations triggered West Bend’s duty to defend Krishna, it did not examine whether West Bend owed coverage under an endorsement contained in one of the policies titled “Illinois Data Compromise Coverage.” Krishna, however, relied upon the endorsement to argue that it was entitled to damages under Section 155 of the Illinois Insurance Code. The endorsement provided “Additional Coverage” for “personal data compromise” under certain conditions. The policy defined “personal data compromise” to include disposal or abandonment of personally identifiable information or personally sensitive information without appropriate safeguards such as shredding or destruction, provided that the failure to use appropriate safeguards was accidental and not reckless or deliberate. 

Under Section 155, an insured may collect attorneys’ fees and costs where an insurer creates a vexatious and unreasonable delay in settling a claim. Where a bona fide coverage dispute exists, sanctions under Section 155 are inappropriate.  Krishna argued that the underlying complaint alleged a personal data compromise by disposal of the plaintiff’s personally identifying or personally sensitive information to a third-party without appropriate safeguards. Krishna claimed that appropriate safeguards would have entailed following the data protection requirements of BIPA and that negligent failure to take note of changes in the law was “accidental.” The court concluded that a bona fide coverage dispute existed and, therefore, Krishna was not entitled to Section 155 damages. The court reasoned that Krishna’s argument for coverage hinged on an interpretation of “disposal” as including Krishna’s deliberate sharing of the underlying plaintiff’s information, an interpretation that “safeguards such as shedding or destruction” included following new legal requirements contained in BIPA, and the term “accidental” meant failure to remain informed of changes in the law (i.e., the enactment of BIPA).

As lawsuits continued to be filed under BIPA, courts likely will see an increasing number of insurance coverage disputes concerning the duty to defend and indemnify in BIPA lawsuits. For example, American Family Mutual Insurance Company recently filed a declaratory judgment action in the District Court for the Northern District of Illinois, seeking a declaration that it does not owe a duty to defend certain companies named in an underlying BIPA lawsuit. That case involves some of the arguments raised in the West Bend case, including whether a violation of state statutes exclusion applies, but American Family also raises arguments not addressed in West Bend. The case is American Family Mut. Ins. Co. SI v. Amore Enterprises, Inc., No. 1:20-cv-01659. If courts continue to rule that insurers have a duty to defend companies named in BIPA lawsuits, as in West Bend, the already significant number of BIPA filings is likely to increase as well.