A tanning company customer filed a class action lawsuit against West Bend Mutual Insurance Company’s insured, Krishna Schaumberg Tan, Inc. The customer alleged Krishna violated Illinois’ Biometric Information Privacy Act, 740 ILCS 14/1, et seq., (BIPA) by scanning customers’ fingerprints and disclosing biometric information containing those fingerprints to an out-of-state third-party vendor. Krisha tendered the lawsuit to West Bend and requested a defense. West Bend had issued two businessowners’ liability policies to Krishna.

West Bend filed a declaratory judgment action contending that it did not owe a duty to defend Krishna against the class action lawsuit. First, West Bend argued that the class action compliant did not allege a publication of material that violates a person right of privacy. West Bend argued the Illinois Supreme Court has defined publication as communication to the public at large, not to a single party, as had occurred here. Second, it alternatively argued that the policies’ violation of statutes exclusion applied and barred West Bend from having to provide coverage to Krishna for the BIPA violations. Krisha argued that sharing biometric identifiers and biometric information with a single party is a publication covered by the policies. Further, Krishna argued that regardless of whether the violation of statutes exception applied, the policies also provided coverage for a violation of BIPA under the Illinois data compromise coverage endorsement of the policies.

The trial court entered summary judgment in Krisna’s favor on its counterclaim, finding that “publication” simply means the dissemination of information and that the sharing of biometric identifiers constitutes a publication within the purview of the policies. The trial court also found that the exclusion for violation of statutes does not apply because the exclusion only applies to statutes that regulate methods of sending information and not the collection, retention, disclosure, and destruction of biometric identifiers and information. West Bend appealed, and the appellate court (1st Dist.) affirmed. The Illinois Supreme Court then allowed West Bend’s petition for leave to appeal and affirmed the entry of summary judgment for Krishna.

The West Bend policies defined “personal injury” as an injury “other than a bodily injury” that arises out of an “oral or written publication of material that violates a person’s right of privacy.” The Supreme Court found the complaint alleged a “personal injury,” other than a “bodily injury” in that it alleged emotional upset, mental anguish, and mental injury when Krishna disclosed biometric identifiers and biometric information in violation of the right to privacy under BIPA.

The Court then looked to whether Krishna’s sharing of biometric identifiers and biometric information with the out-of-state third-party vendor was a “publication” that violated the customers’ right to privacy. The West Bend policies did not define “publication.” The Supreme Court, after considering dictionaries, treatises, and the Restatement, concluded that the term “publication” has at least two definitions and means both the communication of information to a single party and the communication of information to the public at large. When a term has multiple reasonable definitions or is subject to more than one reasonable interpretation within the context in which it appears, it is ambiguous. The Court, therefore, strictly construed the term against West Bend, as the insurer who drafted the policies. Accordingly, the Court adopted the construction used by Krishna as the insured and construed the terms publication to include a communication with a single party, like the out-of-state vendor.

The West Bend policy also failed to define the term “privacy.” BIPA codifies (1) an individual’s right to privacy in their biometric identifiers (such as fingerprints, retina or iris scans, voiceprints, or scans of hand or face geometry), and (2) an individual’s right to privacy in their biometric information. The Supreme Court found that BIPA protects a secrecy interest – the right of an individual to keep his or her personal identifying information like fingerprints secret. Disclosing a person’s biometric identifiers or information without their consent or knowledge, therefore, necessarily violates that person’s right to privacy in biometric information. Accordingly, the allegation that Krisha shared biometric identifiers and information with the third-party vendor alleged a potential violation of the right to privacy within the purview of West Bend’s policies.

Having made all these findings, the Court concluded that West Bend had a duty to defend. This did not, however, end the Court’s inquiry in that West Bend asserted the policies’ violation of statutes exclusion barred coverage because the exclusion applies to statutes that prohibit the communicating of information and BIPA limits the communication of information. The exclusion, however, specifically listed certain statutes to which the West Bend policies do not apply – the TCPA (which regulates the use of certain methods of communication), CAN-SPAM (which regulates electronic mail) and statutes “other than” the TCPA or CAN-SPAM that prohibit or limit the communication of information. The Court construed the violation of statues exclusion to apply only to statutes like the TCPA and the CAN-SPAM act, i.e., those which regulate methods of communication. BIPA, however, does not regulate methods of communication but rather the collection, use, safeguarding, handling, storage, retention, and destruction of information, which is fundamentally different from the two statutes mentioned in the policies’ exclusion. The exclusion, therefore, is inapplicable.

The opinion underscores the unique features of the protections offered by BIPA in the context of the already broad duty to defend. It remains to be seen whether more and more policies will include BIPA-specific exclusions.

West Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc., 2021 IL 125978 (May 20, 2021).